A YAML list of [service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) that are allowed for egress in custom security groups. If this list is empty, no service tags are permitted.<br /><br />Applies to non-Guardrails managed Security Groups.<br /><br />Examples: ```   - VirtualNetwork   - Storage ``` 

Azure > Management Group

Azure > Subscription

Azure > Tenant

Turbot > Folder

Turbot

Turbot > IAM > Turbot Identity

Turbot > IAM > Unidentified Identity

Azure > Active Directory > Directory

Kubernetes > Cluster

GCP > Project

AWS > Account

ServiceNow > Instance

GitHub > Repository

GCP > Kubernetes Engine > Region Cluster

GCP > Kubernetes Engine > Zone Cluster

GCP > BigQuery > Dataset

GCP > BigQuery > Table

GCP > SQL > Instance

GCP > Bigtable > Instance

GCP > Dataplex > Lake

GCP > Dataplex > Task

GCP > Dataplex > Zone

GCP > Memorystore > Instance

GCP > App Engine > Service

GCP > Vertex AI > Endpoint

GCP > Pub/Sub > Snapshot

GCP > Pub/Sub > Subscription

GCP > Pub/Sub > Topic

GCP > Spanner > Instance

GCP > DNS > Managed Zone

GCP > KMS > Crypto Key

GCP > Composer > Environment

GCP > Secret Manager > Secret

GCP > Network > Forwarding Rule

GCP > Network > Global Forwarding Rule

GCP > Network > VPN Tunnel

GCP > Storage > Bucket

GCP > Compute Engine > Disk

GCP > Compute Engine > Image

GCP > Compute Engine > Instance

GCP > Compute Engine > Region Disk

GCP > Compute Engine > Snapshot

GCP > Dataproc > Cluster

GCP > Dataproc > Job

GCP > Dataproc > Workflow Template

AWS > Lambda > Function

AWS > VPC > Flow Log

AWS > VPC > Network ACL

AWS > VPC > Security Group

AWS > VPC > Security Group Rule

AWS > Route 53 Resolver > Resolver Rule

AWS > Route 53 Resolver > Resolver Endpoint

AWS > Route 53 > Hosted Zone

AWS > Logs > Log Group

AWS > Batch > Compute Environment

AWS > Batch > Job Queue

AWS > Elasticsearch > Domain

AWS > CodeCommit > Repository

AWS > GuardDuty > Detector

AWS > GuardDuty > IPSet

AWS > GuardDuty > ThreatIntelSet

AWS > Neptune > DB Instance

AWS > Neptune > DB Cluster

AWS > SNS > Topic

AWS > SNS > Topic Policy

AWS > EKS > Cluster

AWS > EKS > Node Group

AWS > Direct Connect > Connection

AWS > Direct Connect > Lag

AWS > Direct Connect > Virtual Interface

AWS > CloudTrail > Trail

AWS > Lightsail > Relational Database

AWS > Lightsail > Instance

AWS > Lightsail > Load Balancer

AWS > RDS > DB Cluster

AWS > RDS > DB Cluster Parameter Group

AWS > RDS > DB Cluster Snapshot [Manual]

AWS > RDS > DB Instance

AWS > RDS > DB Parameter Group

AWS > RDS > DB Snapshot [Manual]

AWS > RDS > Option Group

AWS > RDS > Subnet Group

AWS > WAF > Rule Group v2 Global

AWS > WAF > Web ACL [Deprecated]

AWS > WAF > Web ACL v2 Regional

AWS > WAF > Web ACL v2 Global

AWS > WAF > Regex Pattern Set v2 Regional

AWS > WAF > Rule Group v2 Regional

AWS > WAF > Regex Pattern Set v2 Global

AWS > WAF > IP Set v2 Regional

AWS > WAF > IP Set v2 Global

AWS > ACM > Certificate

AWS > Inspector > Assessment Template

AWS > Amazon MQ > Broker

AWS > Amazon MQ > Configuration

AWS > KMS > Key

AWS > Config > Rule

AWS > Storage Gateway > File Share

AWS > Storage Gateway > Gateway

AWS > Storage Gateway > Tape Pool

AWS > Storage Gateway > Tape

AWS > Storage Gateway > Volume

AWS > WorkSpaces > WorkSpace

AWS > CodeBuild > Project

AWS > CodeBuild > Source Credential

AWS > App Mesh > Mesh

AWS > Amplify > App

AWS > VPC > VPC

AWS > VPC > Subnet

AWS > VPC > Route Table

AWS > VPC > DHCP Options

AWS > EFS > FileSystem

GCP > Folder

AWS > Region

AWS > EC2 > Instance

Azure > Resource Group

A YAML list of [service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags) that are allowed for egress&#92;nin custom security groups. If this list is empty, no service tags are permitted.&#92;n&#92;nApplies to non-Guardrails managed Security Groups.&#92;n&#92;nExamples:&#92;n```&#92;n  - VirtualNetwork&#92;n  - Storage&#92;n```&#92;n

Azure > Network > Network Security Group > Ingress Rules > Approved

Azure > Network > Network Security Group

Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

Schema Type	`array`
Default	`- '*'`

Policy: Azure > Network > Network Security Group > Ingress Rules > Approved > Service Tags

Targets

Primary Policy

Policy Specification

Category

In Your Workspace

Developers