Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
AWS
Loading policies...

Policy: AWS > VPC > Security Group > Ingress Rules > Approved > Rules

An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.

Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Turbot rules will appear first in the list of compiled rules.

Examples: Allow HTTP and HTTPS rules for RFC1918 private space APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16<br /><br /> Allow all rules from security groups in this account APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"<br /><br /> Reject any rule from 0.0.0.0/0 REJECT $.turbot.cidr:0.0.0.0/0

Targets

This policy targets the following resource types:

  • AWS > VPC > Security Group

Primary Policy

This policy is used with the following primary policy:

  • AWS > VPC > Security Group > Ingress Rules > Approved

Policy Packs

This policy setting is used by the following policy packs:

  • AWS CIS v3.0.0 - Section 5 - Networking
  • Enforce Block Public Access for AWS VPC Security Groups
  • Enforce AWS VPC Default Security Groups Deny All Traffic
  • Enforce Unapproved Traffic is Blocked for AWS VPC Security Groups

Policy Specification

Schema Type
string
Default
# Approve unmatched rules
APPROVE *

Category

  • Resource > Approved

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/turbot#/control/categories/resourceApproved
    • Policy Type URI
    • tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules
    • GraphQL
    • query policyType(id: "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
180
Mods
497
Resource Types
8,691
Policies
3,362
Controls
1,833
Quick Actions
540
IAM