Turbot v3.59.0 Commercial & Gov Cloud Release

Important Note: The OnDemand flag is not required or recommended for new installs, but if an upgrade is performed without the flag in an environment where OnDemand is enabled, CloudFormation will revert the DynamoDB tables to provisioned. When performing the update to 3.59.0, be sure to add the OnDemand flag to the Flag field in CloudFormation.


Add IAM permissions for AWS > Service Quotas. Other fixes and improvements.



Release Date



AWS Services

  • Added: AWS > EC2 > Volume Default Encryption At Rest guardrail to manage default EBS encryption settings.
  • Added: AWS > IAM > SAML Provider Management and updated the SAML Provider permissions to be contingent on the policy settings instead of always being denied.
  • Added: AWS > Lake Formation IAM permissions.
  • Added: AWS > WorkSpaces > Workspace to the Turbot CMDB.
  • Added: Real-time event handling for create and delete tag events for AWS > VPC Route Tables, Subnets, and VPCs.
  • Fixed: AWS > EKS > Cluster Control Plane Logging guardrail should not go into an error state if no logging is set.
  • Fixed: AWS > VPC > Transit Gateway fanning targets to fix timeout errors.
  • Fixed: Turbot URNs for AWS > SQS > Queue should support periods in order to support FIFO queues.
  • Updated: AWS > EC2 IAM permissions with EC2 Fleet, EBS default encryption, and miscellaneous new actions (such as SendDiagnosticInterrupt).
  • Updated: AWS > RDS IAM permissions with Batch Execute Statement, Transaction, Connect, Global Cluster, and Activity Stream actions.
  • Updated: AWS > VPC IAM permissions with Transit Gateway, Traffic Mirror, and Client VPN actions.
  • Updated: When running a guardrail manually, the cached information for the resource should be refreshed.

Policy Changes

  • Added: AWS > EC2 > Volume Default Encryption At Rest
  • Added: AWS > IAM > SAML Provider Management
  • Added: AWS > Lake Formation > Enabled
  • Added: AWS > Lake Formation > Regions
  • Added: AWS > Lake Formation > Rights
  • Added: Turbot > Internal > Turbot Backup
  • Updated: Deprecated Turbot > Internal > Resource Connection Optimization in favor of making this the default behavior of Turbot.

Other fixes & improvements

  • Added: Turbot SAML directories now support IdP-Initiated SSO. To enable, select the Edit button for the directory from the directories page. Expand the Advanced section, check the checkbox next to Allow IdP-Initiated SSO, then select the Update button.
  • Fixed: Turbot > Environment > Status should not be stored in memory on Turbot workers.
  • Updated: Turbot backup logic to be able to skip the backup of Turbot DynamoDB data tables and to only take S3 backups if native DynamoDB backups aren’t being used.
  • Updated: Policies tab at the Turbot or cluster level should load policies for level:self instead of level:self,descendant.