AWS Top 10 Mod

The AWS Top 10 mod provides curated sets of benchmarks and controls for security, cost, operations, and more.


AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.


Getting started


Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the AWS plugin with Steampipe:

steampipe plugin install aws


git clone https://github.com/turbot/steampipe-mod-aws-top-10.git
cd steampipe-mod-aws-top-10

Install mod dependencies:

steampipe mod install


Before running any benchmarks, it's recommended to generate your AWS credential report:

aws iam generate-credential-report

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run a single benchmark:

steampipe check benchmark.account_security

Run a benchmark for a specific item:

steampipe check benchmark.account_security_accurate_account_info

Different output formats are also available, for more information please see Output Formats.


This mod uses the credentials configured in the Steampipe AWS plugin.


No extra configuration is required.

Common and Tag Dimensions

The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the dependent AWS Compliance mod and AWS Perimeter mod . These properties can be executed in the following ways:

  • Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

  • Pass in a value on the command line:

    steampipe check benchmark.account_security_limit_security_groups --var 'common_dimensions=["account_id", "connection_name", "region"]'
    steampipe check benchmark.account_security_limit_security_groups --var 'tag_dimensions=["Environment", "Owner"]'
  • Set an environment variable:

    SP_VAR_common_dimensions='["account_id", "connection_name", "region"]' steampipe check benchmark.account_security_limit_security_groups
    SP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check benchmark.account_security_limit_security_groups


If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues: