⭐ AWS: 18 new resources, ~70 new fields on existing resources, 23 services

[tas50]

New Resources

• aws.backup.lifecycle
• aws.backup.plan
• aws.backup.plan.advancedBackupSetting
• aws.backup.plan.rule
• aws.backup.plan.rule.copyAction
• aws.ec2.transitgateway
• aws.ecr.lifecyclePolicy
• aws.ecr.lifecyclePolicy.rule
• aws.elb.listener
• aws.elb.loadbalancer.attribute
• aws.elb.targetgroup.attributes
• aws.fsx.volume
• aws.iam.instanceProfile
• aws.neptune.snapshot
• aws.redshift.snapshot
• aws.s3.bucket.encryptionRule
• aws.s3.bucket.replicationRule
• aws.vpc.routetable.route

New Fields on Existing Resources

• aws.acm.certificate: renewalEligible, signatureAlgorithm
• aws.cloudfront.distribution: comment
• aws.cloudwatch.loggroup: dataProtectionStatus, deletionProtectionEnabled
• aws.cloudwatch.metricsalarm: actionsEnabled
• aws.codebuild.project: createdAt, encryptionKey, modifiedAt, privilegedMode, projectVisibility, queuedTimeoutInMinutes, serviceRole, timeoutInMinutes
• aws.dynamodb.table: latestStreamLabel
• aws.ec2.image: description
• aws.ec2.instance: bootMode, ipv6Address, sourceDestCheck
• aws.ec2: transitGateways
• aws.ecr.repository: lifecyclePolicy (converted from dict to typed resource)
• aws.ecs.service: enableEcsManagedTags, enableExecuteCommand, healthCheckGracePeriodSeconds, platformFamily, platformVersion, schedulingStrategy
• aws.ecs.taskDefinition: cpu, memory, registeredAt
• aws.elasticache.cluster: preferredMaintenanceWindow, replicationGroupLogDeliveryEnabled
• aws.elasticache.serverlessCache: subnets
• aws.elb.loadbalancer: instances, ipAddressType, listeners
• aws.elb.targetgroup: healthyThresholdCount
• aws.fsx.backup: region
• aws.fsx.cache: region
• aws.iam.group: path
• aws.iam.role: path
• aws.iam.user: path
• aws.lambda.function: codeSize, lastUpdateStatus, state, stateReason
• aws.neptune.cluster: snapshots
• aws.rds.dbcluster: earliestRestorableTime, engineMode
• aws.rds.dbinstance: dbClusterIdentifier, dbiResourceId, dedicatedLogVolume, licenseModel, maxAllocatedStorage, storageThroughput
• aws.redshift.cluster: clusterAvailabilityStatus, ipAddressType, manualSnapshotRetentionPeriod, multiAZ, snapshots, totalStorageCapacityInMegaBytes
• aws.s3.bucket: encryptionRules, replicationRules
• aws.sagemaker.notebookinstancedetails: minimumInstanceMetadataServiceVersion, rootAccess, subnet
• aws.sns.topic: kmsMasterKey
• aws.sqs.queue: deduplicationScope, fifoThroughputLimit
• aws.ssm.instance: agentVersion, computerName, lastPingedAt
• aws.vpc.routetable: routeEntries

aws.backup.plans.first: {
  deletionDate: null
  lastExecutionDate: 2026-02-26 05:33:24.432 +0000 WET
  advancedBackupSettings: []
  region: "us-west-2"
  id: "aws/efs/12345678910"
  name: "aws/efs/automatic-backup-plan"
  versionId: "12345678910"
  arn: "arn:aws:backup:us-west-2:12345678910:backup-plan:aws/efs/12345678910"
  createdAt: 2022-02-01 20:47:51.118 +0000 WET
  rules: [
    0: aws.backup.plan.rule ruleName="aws/efs/automatic-backup-rule" targetBackupVaultName="aws/efs/automatic-backup-vault"
  ]
}

aws.vpcs.first.routeTables.first.routes: [
  0: {
    CarrierGatewayId: null
    CoreNetworkArn: null
    DestinationCidrBlock: "172.31.0.0/16"
    DestinationIpv6CidrBlock: null
    DestinationPrefixListId: null
    EgressOnlyInternetGatewayId: null
    GatewayId: "local"
    InstanceId: null
    InstanceOwnerId: null
    IpAddress: null
    LocalGatewayId: null
    NatGatewayId: null
    NetworkInterfaceId: null
    OdbNetworkArn: null
    Origin: "CreateRouteTable"
    State: "active"
    TransitGatewayId: null
    VpcPeeringConnectionId: null
  }
  1: {
    CarrierGatewayId: null
    CoreNetworkArn: null
    DestinationCidrBlock: "0.0.0.0/0"
    DestinationIpv6CidrBlock: null
    DestinationPrefixListId: null
    EgressOnlyInternetGatewayId: null
    GatewayId: "igw-1234"
    InstanceId: null
    InstanceOwnerId: null
    IpAddress: null
    LocalGatewayId: null
    NatGatewayId: null
    NetworkInterfaceId: null
    OdbNetworkArn: null
    Origin: "CreateRoute"
    State: "active"
    TransitGatewayId: null
    VpcPeeringConnectionId: null
  }
]

aws.s3.buckets.first.encryptionRules: [
  0: {
    id: "arn:aws:s3:::foo/encryption/0"
    kmsMasterKeyId: ""
    bucketKeyEnabled: true
    sseAlgorithm: "AES256"
  }
]

> aws.ec2.instances.first{bootMode sourceDestCheck ipv6Address}
aws.ec2.instances.first: {
  sourceDestCheck: true
  bootMode: "uefi-preferred"
  ipv6Address: null
}

> aws.rds.instances.first{maxAllocatedStorage dedicatedLogVolume storageThroughput}
aws.rds.instances.first: {
  storageThroughput: 0
  dedicatedLogVolume: false
  maxAllocatedStorage: 1000
}

aws.iam.roles.first.path: "/"

aws.ecr.privateRepositories: [
  0: {
    name: "mondoo-samples"
    lifecyclePolicy: {
      rules: [
        0: {
          countType: "imageCountMoreThan"
          countNumber: 30
          tagStatus: "tagged"
          description: "Keep last 30 images"
          actionType: "expire"
          rulePriority: 1
        }
      ]
      lastEvaluatedAt: 2026-02-26 14:23:34.252 +0000 WET
    }
  }
]

[github-actions]

Test Results

5 137 tests  ±0   5 133 ✅ ±0   2m 15s ⏱️ +18s
  409 suites ±0       4 💤 ±0 
   31 files   ±0       0 ❌ ±0 

Results for commit 3a04d29. ± Comparison against base commit 779ff93.

♻️ This comment has been updated with latest results.

[mondoo-code-review]

Solid expansion of AWS provider resources; minor consistency issue with pointer handling

Superseded by new review

[mondoo-code-review]

Substantial expansion of AWS provider with new typed resources and fields. Code follows existing patterns but has minor pagination and style issues.

[mondoo-code-review]

Solid additions, but critical bug in target group attributes and missing pagination

Superseded by new review

[mondoo-code-review]

Well-implemented addition of typed resources and fields. Minor improvements possible but no blocking issues.

[mondoo-code-review]

Two issues found: undefined function usage and inefficient redundant API call in encryptionKey()

[mondoo-code-review]

Solid resource additions with one efficiency issue in CodeBuild and a type inconsistency in SageMaker

[mondoo-code-review]

Solid resource additions with one efficiency issue: redundant API call in CodeBuild encryption key method

[mondoo-code-review]

IntDataDefault function may not exist; unusual pattern in init function needs verification

[mondoo-code-review]

Schema additions look comprehensive, but found style guide violations for two-state enums and a non-standard init pattern

[mondoo-code-review]

Well-structured PR with comprehensive resource additions, but CodeBuild timeout defaults need correction

Additional findings (file/line not in diff):

• 🔵 providers/aws/resources/aws.lr:1057 — Changed IAM instance profile display defaults from arn instanceProfileId to instanceProfileId instanceProfileName. While more user-friendly, this changes existing behavior. Consider noting in changelog.

[mondoo-code-review]

🔴 critical — Using 0 as default for timeoutInMinutes is incorrect. AWS CodeBuild default is 60 minutes. Use llx.IntDataDefault(project.TimeoutInMinutes, 60) or handle nil explicitly. Similarly, queuedTimeoutInMinutes defaults to 480 (8 hours), not 0.

[mondoo-code-review]

🟡 warning — Changing directInternetAccess from string to bool is a breaking change. Ensure this is documented in release notes and that the implementation correctly maps SDK string values ("Enabled"/"Disabled") to bool.

Superseded by new review

[mondoo-code-review]

Well-structured implementation with proper nil handling, pagination, and lazy-loading patterns

[mondoo-code-review]

Unable to complete the code review. Please try again or reduce the PR size.

[mondoo-code-review]

Well-structured additions with comprehensive resource definitions; two breaking changes need attention

Additional findings (file/line not in diff):

• 🟡 providers/aws/resources/aws.lr:1306 — Breaking change: directInternetAccess changed from string to bool. AWS SDK returns "Enabled"/"Disabled" strings, so the implementation must convert these. This will break existing queries expecting a string value. Confirm this is intentional for v13 and ensure the implementation handles the conversion.

[mondoo-code-review]

🟡 warning — Breaking change: The tags field was removed from aws.fsx.cache. This will break existing queries using cache.tags. Verify this removal is intentional and document in the PR if this is part of v13 breaking changes.

[mondoo-code-review]

🔵 suggestion — Implementation looks correct using llx.*DataPtr helpers for nil-safe pointer handling. Verify these fields exist in the AWS SDK's InstanceInformation type to avoid runtime panics.

[mondoo-code-review]

These compile errors are pre-existing and unrelated to the PR under review. The PR only touches providers/aws/... files, while the failing tests live in:

• providers/coordinator_test.go
• providers/runtime_test.go
• providers/os/connection/device/linux/device_manager_test.go

The root cause is that generated mock files are missing. The go:generate directives exist but the output files were never committed:

providers/coordinator.go declares:

//go:generate mockgen -source=./coordinator.go -destination=./mock_coordinator.go -package=providers
//go:generate mockgen -source=../providers-sdk/v1/plugin/interface.go -destination=./mock_plugin_interface.go -package=providers
//go:generate mockgen -source=../providers-sdk/v1/resources/schema.go -destination=./mock_schema.go -package=providers

providers/os/connection/snapshot/volumemounter.go declares:

//go:generate mockgen -source=./volumemounter.go -destination=./mock_volumemounter.go -package=snapshot

The generated files (mock_coordinator.go, mock_plugin_interface.go, mock_schema.go, mock_volumemounter.go) are absent from the repository. Running the following will fix it:

cd providers && go generate ./coordinator.go
cd providers/os/connection/snapshot && go generate ./volumemounter.go

Or from the repo root:

make mql/generate

Then commit the generated mock files. This issue exists independent of the current PR and should be addressed separately (or as a prerequisite before the next make test/go/plain run).