✨ Add config aggregators, ECR repo policy, and EC2 launch templates (#7052)

* ✨ Add aws.config.aggregators, aws.ecr.repository.policy, and aws.ec2.launchTemplates

Add three new AWS provider resources/fields to unblock security checks:

- aws.config.aggregators: List configuration aggregators with typed
  sub-resources for account and organization aggregation sources,
  including IAM role references on org sources.

- aws.ecr.repository.policy: Lazy-loaded repository access policy
  (parsed JSON dict) on private ECR repositories. Returns null for
  public repos or when no policy is set.

- aws.ec2.launchTemplates: New launch template resource with lazy-loaded
  userData field that base64-decodes the default version's user data,
  enabling secret scanning in launch template configurations.

All implementations follow existing patterns: jobpool for multi-region
listing, access-denied graceful degradation, proper StateIsNull handling
for nullable resource returns, and lazy loading for expensive fields.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🧹 Bump AWS provider to 13.5.0 and add launchtemplate to spell check

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -126,6 +126,7 @@ junos
 kqueue
 KSK
 labelmatchstatement
+launchtemplate
 lfs
 limitrange
 linuxefi

providers/aws/config/config.go

@@ -14,7 +14,7 @@ import (
 var Config = plugin.Provider{
 	Name:            "aws",
 	ID:              "go.mondoo.com/cnquery/v9/providers/aws",
-	Version:         "13.4.0",
+	Version:         "13.5.0",
 	ConnectionTypes: []string{provider.DefaultConnectionType, string(awsec2ebsconn.EBSConnectionType)},
 	Connectors: []plugin.Connector{
 		{

providers/aws/resources/aws.lr

@@ -5111,6 +5111,8 @@ private aws.ecr.repository @defaults("uri region") {
   createdAt time
   // Scanning frequency for the repository: SCAN_ON_PUSH, CONTINUOUS_SCAN, or MANUAL
   scanningFrequency() string
+  // Access policy for the repository (parsed JSON; private repositories only)
+  policy() dict
   // Lifecycle policy for the repository
   lifecyclePolicy() aws.ecr.lifecyclePolicy
   // About text from catalog data (public repositories only)
@@ -5624,6 +5626,8 @@ aws.ec2 {
   images() []aws.ec2.image
   // List of transit gateways
   transitGateways() []aws.ec2.transitgateway
+  // List of launch templates
+  launchTemplates() []aws.ec2.launchtemplate
 }
 
 // Amazon Elastic IP (EIP)
@@ -5873,6 +5877,30 @@ private aws.ec2.transitgateway @defaults("arn id state") {
   propagationDefaultRouteTableId string
 }
 
+// Amazon EC2 launch template
+private aws.ec2.launchtemplate @defaults("name region") {
+  // Launch template ID
+  id string
+  // ARN of the launch template
+  arn string
+  // Name of the launch template
+  name string
+  // Region for the launch template
+  region string
+  // Time the launch template was created
+  createdAt time
+  // Principal that created the launch template
+  createdBy string
+  // Default version number
+  defaultVersion int
+  // Latest version number
+  latestVersion int
+  // Tags for the launch template
+  tags map[string]string
+  // User data from the default version (base64-decoded)
+  userData() string
+}
+
 // Amazon EC2 (EBS) snapshot
 private aws.ec2.snapshot @defaults("id region volumeSize state") {
   // ARN for the snapshot
@@ -6500,6 +6528,8 @@ aws.config {
   rules() []aws.config.rule
   // List of delivery channels for each region in the account
   deliveryChannels() []aws.config.deliverychannel
+  // List of configuration aggregators
+  aggregators() []aws.config.aggregator
 }
 
 // AWS Config rule
@@ -6556,6 +6586,44 @@ private aws.config.deliverychannel @defaults("name region") {
   region string
 }
 
+// AWS Config aggregator
+private aws.config.aggregator @defaults("name region") {
+  // ARN of the configuration aggregator
+  arn string
+  // Name of the configuration aggregator
+  name string
+  // Region for the configuration aggregator
+  region string
+  // Account aggregation sources
+  accountAggregationSources []aws.config.aggregator.accountAggregationSource
+  // Organization aggregation source
+  organizationAggregationSource() aws.config.aggregator.organizationAggregationSource
+  // Time the aggregator was created
+  createdAt time
+  // Time the aggregator was last updated
+  lastUpdatedAt time
+}
+
+// AWS Config aggregator account aggregation source
+private aws.config.aggregator.accountAggregationSource {
+  // List of account IDs included in the aggregation
+  accountIds []string
+  // Whether all AWS regions are included
+  allAwsRegions bool
+  // List of AWS regions included in the aggregation
+  awsRegions []string
+}
+
+// AWS Config aggregator organization aggregation source
+private aws.config.aggregator.organizationAggregationSource {
+  // IAM role used for organization aggregation
+  iamRole() aws.iam.role
+  // Whether all AWS regions are included
+  allAwsRegions bool
+  // List of AWS regions included in the aggregation
+  awsRegions []string
+}
+
 // Amazon Elastic Kubernetes Service (EKS)
 aws.eks {
   // EKS clusters

providers/aws/resources/aws.lr.go

@@ -587,6 +587,22 @@ aws.cognito.userPool.tags 11.16.1
 aws.cognito.userPool.updatedAt 11.16.1
 aws.cognito.userPools 11.16.1
 aws.config 11.15.2
+aws.config.aggregator 13.5.0
+aws.config.aggregator.accountAggregationSource 13.5.0
+aws.config.aggregator.accountAggregationSource.accountIds 13.5.0
+aws.config.aggregator.accountAggregationSource.allAwsRegions 13.5.0
+aws.config.aggregator.accountAggregationSource.awsRegions 13.5.0
+aws.config.aggregator.accountAggregationSources 13.5.0
+aws.config.aggregator.arn 13.5.0
+aws.config.aggregator.createdAt 13.5.0
+aws.config.aggregator.lastUpdatedAt 13.5.0
+aws.config.aggregator.name 13.5.0
+aws.config.aggregator.organizationAggregationSource 13.5.0
+aws.config.aggregator.organizationAggregationSource.allAwsRegions 13.5.0
+aws.config.aggregator.organizationAggregationSource.awsRegions 13.5.0
+aws.config.aggregator.organizationAggregationSource.iamRole 13.5.0
+aws.config.aggregator.region 13.5.0
+aws.config.aggregators 13.5.0
 aws.config.deliveryChannels 11.15.2
 aws.config.deliverychannel 11.15.2
 aws.config.deliverychannel.name 11.15.2
@@ -1002,6 +1018,18 @@ aws.ec2.keypair.region 11.15.2
 aws.ec2.keypair.tags 11.15.2
 aws.ec2.keypair.type 11.15.2
 aws.ec2.keypairs 11.15.2
+aws.ec2.launchTemplates 13.5.0
+aws.ec2.launchtemplate 13.5.0
+aws.ec2.launchtemplate.arn 13.5.0
+aws.ec2.launchtemplate.createdAt 13.5.0
+aws.ec2.launchtemplate.createdBy 13.5.0
+aws.ec2.launchtemplate.defaultVersion 13.5.0
+aws.ec2.launchtemplate.id 13.5.0
+aws.ec2.launchtemplate.latestVersion 13.5.0
+aws.ec2.launchtemplate.name 13.5.0
+aws.ec2.launchtemplate.region 13.5.0
+aws.ec2.launchtemplate.tags 13.5.0
+aws.ec2.launchtemplate.userData 13.5.0
 aws.ec2.networkAcls 11.15.2
 aws.ec2.networkacl 11.15.2
 aws.ec2.networkacl.arn 11.15.2
@@ -1172,6 +1200,7 @@ aws.ecr.repository.images 11.15.2
 aws.ecr.repository.lifecyclePolicy 11.15.2
 aws.ecr.repository.name 11.15.2
 aws.ecr.repository.operatingSystems 11.16.1
+aws.ecr.repository.policy 13.5.0
 aws.ecr.repository.public 11.15.2
 aws.ecr.repository.region 11.15.2
 aws.ecr.repository.registryId 11.15.2

providers/aws/resources/aws.lr.versions

@@ -1,7 +1,7 @@
 {
   "provider": "aws",
-  "version": "13.3.0",
-  "generated_at": "2026-03-25T10:56:42-07:00",
+  "version": "13.4.1",
+  "generated_at": "2026-03-27T09:44:53+01:00",
   "permissions": [
     "access-analyzer:ListAnalyzers",
     "access-analyzer:ListFindingsV2",
@@ -63,6 +63,7 @@
     "cognito-idp:GetUserPoolMfaConfig",
     "cognito-idp:ListUserPools",
     "config:DescribeConfigRules",
+    "config:DescribeConfigurationAggregators",
     "config:DescribeConfigurationRecorders",
     "config:DescribeDeliveryChannels",
     "dms:DescribeReplicationInstances",
@@ -91,6 +92,8 @@
     "ec2:DescribeInstances",
     "ec2:DescribeInternetGateways",
     "ec2:DescribeKeyPairs",
+    "ec2:DescribeLaunchTemplateVersions",
+    "ec2:DescribeLaunchTemplates",
     "ec2:DescribeNatGateways",
     "ec2:DescribeNetworkAcls",
     "ec2:DescribeNetworkInterfaces",
@@ -112,6 +115,7 @@
     "ecr:DescribeImages",
     "ecr:DescribeRepositories",
     "ecr:GetLifecyclePolicy",
+    "ecr:GetRepositoryPolicy",
     "ecrpublic:DescribeImages",
     "ecrpublic:DescribeRepositories",
     "ecrpublic:GetRepositoryCatalogData",
@@ -140,6 +144,7 @@
     "eks:ListClusters",
     "eks:ListNodegroups",
     "elasticache:DescribeCacheClusters",
+    "elasticache:DescribeReplicationGroups",
     "elasticache:DescribeServerlessCaches",
     "elasticbeanstalk:DescribeApplications",
     "elasticbeanstalk:DescribeEnvironments",
@@ -738,6 +743,12 @@
       "action": "DescribeConfigRules",
       "source_file": "aws_config.go"
     },
+    {
+      "permission": "config:DescribeConfigurationAggregators",
+      "service": "config",
+      "action": "DescribeConfigurationAggregators",
+      "source_file": "aws_config.go"
+    },
     {
       "permission": "config:DescribeConfigurationRecorders",
       "service": "config",
@@ -912,6 +923,18 @@
       "action": "DescribeKeyPairs",
       "source_file": "aws_ec2.go"
     },
+    {
+      "permission": "ec2:DescribeLaunchTemplateVersions",
+      "service": "ec2",
+      "action": "DescribeLaunchTemplateVersions",
+      "source_file": "aws_ec2.go"
+    },
+    {
+      "permission": "ec2:DescribeLaunchTemplates",
+      "service": "ec2",
+      "action": "DescribeLaunchTemplates",
+      "source_file": "aws_ec2.go"
+    },
     {
       "permission": "ec2:DescribeNatGateways",
       "service": "ec2",
@@ -1062,6 +1085,12 @@
       "action": "GetLifecyclePolicy",
       "source_file": "aws_ecr.go"
     },
+    {
+      "permission": "ecr:GetRepositoryPolicy",
+      "service": "ecr",
+      "action": "GetRepositoryPolicy",
+      "source_file": "aws_ecr.go"
+    },
     {
       "permission": "ecrpublic:DescribeImages",
       "service": "ecrpublic",
@@ -1230,6 +1259,12 @@
       "action": "DescribeCacheClusters",
       "source_file": "aws_elasticache.go"
     },
+    {
+      "permission": "elasticache:DescribeReplicationGroups",
+      "service": "elasticache",
+      "action": "DescribeReplicationGroups",
+      "source_file": "aws_elasticache.go"
+    },
     {
       "permission": "elasticache:DescribeServerlessCaches",
       "service": "elasticache",
@@ -1704,6 +1739,12 @@
       "action": "ListTagsForStream",
       "source_file": "aws_kinesis.go"
     },
+    {
+      "permission": "kms:DescribeKey",
+      "service": "kms",
+      "action": "DescribeKey",
+      "source_file": "aws_kinesis.go"
+    },
     {
       "permission": "kms:DescribeKey",
       "service": "kms",