Table: aws_account - Query AWS Accounts using SQL
The AWS Account is a container for AWS resources. It is used to sign up for, organize, and manage AWS services, and it provides administrative control access to resources. An AWS Account contains its own data, with its own settings, including billing and payment information.
Table Usage Guide
The aws_account table in Steampipe provides you with information about your AWS Account. This table allows you, as a DevOps engineer, to query account-specific details, including the account status, owner, and associated resources. You can utilize this table to gather insights on your AWS account, such as the account's ARN, creation date, email address, and more. The schema outlines the various attributes of your AWS account, including the account ID, account alias, and whether your account is a root account.
Examples
Basic AWS account info
This query returns a snapshot of basic details about your AWS account: its aliases, its ARN, and the organization and management (master) account it belongs to. It is useful for quickly checking an account's place within a larger AWS Organizations structure where many accounts are in use. The first form is for the Postgres (default) Steampipe database, the second for SQLite.

Postgres:

select
  alias,
  arn,
  organization_id,
  organization_master_account_email,
  organization_master_account_id
from
  aws_account
  cross join jsonb_array_elements(account_aliases) as alias;

SQLite:

select
  alias.value as alias,
  arn,
  organization_id,
  organization_master_account_email,
  organization_master_account_id
from
  aws_account,
  json_each(account_aliases) as alias;
Organization policy of aws account
This query lists the policy types available to the organization your account belongs to, with the type and status of each. It is useful for auditing policy configuration across the organization, for example to confirm that the policy types you rely on are actually enabled rather than merely available.

Postgres:

select
  organization_id,
  policy ->> 'Type' as policy_type,
  policy ->> 'Status' as policy_status
from
  aws_account
  cross join jsonb_array_elements(organization_available_policy_types) as policy;

SQLite:

select
  organization_id,
  json_extract(policy.value, '$.Type') as policy_type,
  json_extract(policy.value, '$.Status') as policy_status
from
  aws_account,
  json_each(organization_available_policy_types) as policy;
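The two queries above read the organization fields separately. The following query, added here as an example and not taken from the Steampipe documentation, combines them into a per-account governance check: it reports whether the account is a member of an organization at all, whether the organization's feature set allows policies to be applied (organization_feature_set = 'ALL' per the schema below), and whether the service control policy type is enabled. It assumes the Postgres dialect and that the Type and Status values in organization_available_policy_types follow the AWS Organizations API ('SERVICE_CONTROL_POLICY', 'ENABLED'); the status strings in the case expression are constructed for this example.

```sql
-- Added example (not from the Steampipe docs): one row per connection/account
-- summarising whether the account is governed by AWS Organizations and whether
-- service control policies can actually be applied to it.
-- Assumes Postgres and the AWS Organizations policy type/status values
-- 'SERVICE_CONTROL_POLICY' / 'ENABLED'.
with org_policy as (
  select
    sp_connection_name,
    account_id,
    organization_id,
    organization_feature_set,
    -- true if at least one available policy type is an enabled SCP;
    -- coalesce handles accounts with no policy types (null or empty array)
    coalesce(
      bool_or(p ->> 'Type' = 'SERVICE_CONTROL_POLICY' and p ->> 'Status' = 'ENABLED'),
      false
    ) as scp_enabled
  from
    aws_account
    -- left join lateral keeps accounts that have no policy types at all
    left join lateral jsonb_array_elements(
      coalesce(organization_available_policy_types, '[]'::jsonb)
    ) as p on true
  group by
    sp_connection_name, account_id, organization_id, organization_feature_set
)
select
  sp_connection_name,
  account_id,
  organization_id,
  organization_feature_set,
  scp_enabled,
  case
    when organization_id is null
      then 'alarm: account is not a member of an AWS Organization'
    when organization_feature_set <> 'ALL'
      then 'alarm: consolidated billing only, policies cannot be applied'
    when not scp_enabled
      then 'alarm: service control policy type is not enabled'
    else 'ok'
  end as status
from
  org_policy
order by
  status, account_id;
```

Run this against a multi-account Steampipe aggregator connection to get one line per account; any row other than 'ok' corresponds to an account that the "AWS account should be part of AWS Organizations" control, listed below, would also flag or that cannot be constrained by SCPs even though it is in an organization.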
Query examples
- account_count
- account_table
- acm_certificate_by_account
- api_gatewayv2_api_by_account
- api_gatewayv2_api_table
- cloudfront_distribution_by_account
- cloudtrail_trail_encryption_table
- cloudtrail_trail_logging_table
- codebuild_project_age_table
- codebuild_project_by_account
- codecommit_repository_age_table
- codecommit_repository_by_account
- codepipeline_pipeline_age_table
- codepipeline_pipeline_by_account
- dynamodb_table_by_account
- dynamodb_table_encryption_table
- dynamodb_table_item_count_by_account
- ebs_snapshot_age_table
- ebs_snapshot_by_account
- ebs_snapshot_public_table
- ebs_snapshot_storage_by_account
- ebs_volume_age_table
- ebs_volume_by_account
- ebs_volume_encryption_table
- ebs_volume_storage_by_account
- ec2_instance_age_table
- ec2_instance_by_account
- ec2_instance_public_access_table
- ecr_repository_age_table
- ecr_repository_by_account
- ecs_cluster_by_account
- efs_file_system_by_account
- efs_file_system_table
- eks_cluster_by_account
- elasticache_cluster_node_by_account
- emr_cluster_by_account
- iam_groups_by_account
- iam_roles_by_account
- iam_root_access_keys_table
- iam_user_excessive_permissions_report
- iam_user_mfa_table
- iam_users_by_account
- kms_cmk_lifecycle_table
- kms_key_age_table
- kms_key_by_account
- lambda_function_by_account
- lambda_function_code_size_by_account
- lambda_function_encryption_table
- lambda_function_memory_size_by_account
- lambda_function_public_access_table
- rds_db_cluster_by_account
- rds_db_cluster_encryption_table
- rds_db_cluster_logging_table
- rds_db_cluster_snapshot_by_account
- rds_db_cluster_snapshot_encryption_table
- rds_db_instance_by_account
- rds_db_instance_encryption_table
- rds_db_instance_logging_table
- rds_db_instance_snapshot_by_account
- rds_db_instance_snapshot_encryption_table
- redshift_cluster_by_account
- redshift_cluster_encryption_table
- s3_bucket_age_table
- s3_bucket_by_account
- s3_bucket_lifecycle_table
- s3_bucket_logging_table
- s3_bucket_public_access_table
- sns_topic_by_account
- sns_topic_encryption_table
- sqs_queue_by_account
- sqs_queue_encryption_table
- vpc_by_account
- vpc_security_group_by_acount
Control examples
- All Controls > Account > Security contact information should be provided for an AWS account
- All Controls > CloudTrail > At least one CloudTrail trail should be enabled in the AWS account
- All Controls > CloudWatch > CloudWatch should not allow cross-account sharing
- All Controls > CloudWatch > Ensure AWS Organizations changes are monitored
- All Controls > IAM > IAM Security Audit role should be created to conduct security audits
- All Controls > IAM > Password policies for IAM users should have strong configurations with minimum length of 8 or greater
- All Controls > VPC > VPCs should exist in multiple regions
- At least one multi-region AWS CloudTrail should be present in an account
- AWS Account Security Top 10 > 10. Be involved in the dev cycle > Manual verification required
- AWS account should be part of AWS Organizations
- AWS Foundational Security Best Practices > Account > 1 Security contact information should be provided for an AWS account
- AWS Foundational Security Best Practices > CloudTrail > 1 CloudTrail should be enabled and configured with at least one multi-Region trail
- AWS Foundational Security Best Practices > IAM > 7 Password policies for IAM users should have strong configurations
- CIS AWS Compute Services Benchmark v1.0.0 > 10 AWS App Runner > 10.1 Ensure you are using VPC Endpoints for source code access
- CIS AWS Compute Services Benchmark v1.0.0 > 11 AWS SimSpace Weaver > 11.1 Ensure communications between your applications and clients is encrypted
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.1 Amazon Machine Images (AMI) > 2.1.1 Ensure Consistent Naming Convention is used for Organizational AMI
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.1 Amazon Machine Images (AMI) > 2.1.3 Ensure Only Approved AMIs (Images) are Used
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.4 Ensure an Organizational EC2 Tag Policy has been created
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.1 Apply updates to any apps running in Lightsail
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.10 Enable storage bucket access logging
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.11 Ensure your Windows Server based lightsail instances are updated with the latest security patches
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.12 Change the auto-generated password for Windows based instances
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.2 Change default Administrator login names and passwords for applications
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.7 Ensure you are using an IAM policy to manage access to buckets in Lightsail
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.8 Ensure Lightsail instances are attached to the buckets
- CIS AWS Compute Services Benchmark v1.0.0 > 3 Lightsail > 3.9 Ensure that your Lightsail buckets are not publicly accessible
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.1 Ensure AWS Config is enabled for Lambda and serverless
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.10 Ensure Lambda functions do not allow unknown cross account access via permission policies
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.11 Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.3 Ensure AWS Secrets manager is configured and being used by Lambda for databases
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.4 Ensure least privilege is used with Lambda function access
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.5 Ensure every Lambda function has its own IAM Role
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.7 Ensure Lambda functions are referencing active execution
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.8 Ensure that Code Signing is enabled for Lambda functions
- CIS AWS Compute Services Benchmark v1.0.0 > 4 Lambda > 4.9 Ensure there are no Lambda functions with admin privileges within your AWS account
- CIS AWS Compute Services Benchmark v1.0.0 > 5 Batch > 5.1 Ensure AWS Batch is configured with AWS Cloudwatch Logs
- CIS AWS Compute Services Benchmark v1.0.0 > 5 Batch > 5.2 Ensure Batch roles are configured for cross-service confused deputy prevention
- CIS AWS Compute Services Benchmark v1.0.0 > 6 Elastic Beanstalk > 6.1 Ensure Managed Platform updates is configured
- CIS AWS Compute Services Benchmark v1.0.0 > 6 Elastic Beanstalk > 6.3 Ensure access logs are enabled
- CIS AWS Compute Services Benchmark v1.0.0 > 6 Elastic Beanstalk > 6.4 Ensure that HTTPS is enabled on load balancer
- CIS v1.2.0 > 1 Identity and Access Management > 1.1 Avoid the use of the "root" account
- CIS v1.2.0 > 1 Identity and Access Management > 1.10 Ensure IAM password policy prevents password reuse
- CIS v1.2.0 > 1 Identity and Access Management > 1.11 Ensure IAM password policy expires passwords within 90 days or less
- CIS v1.2.0 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account
- CIS v1.2.0 > 1 Identity and Access Management > 1.17 Maintain current contact details
- CIS v1.2.0 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered
- CIS v1.2.0 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v1.2.0 > 1 Identity and Access Management > 1.20 Ensure a support role has been created to manage incidents with AWS Support
- CIS v1.2.0 > 1 Identity and Access Management > 1.5 Ensure IAM password policy requires at least one uppercase letter
- CIS v1.2.0 > 1 Identity and Access Management > 1.6 Ensure IAM password policy require at least one lowercase letter
- CIS v1.2.0 > 1 Identity and Access Management > 1.7 Ensure IAM password policy require at least one symbol
- CIS v1.2.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy require at least one number
- CIS v1.2.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v1.2.0 > 2 Logging > 2.1 Ensure CloudTrail is enabled in all regions
- CIS v1.2.0 > 3 Monitoring > 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.2.0 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.2.0 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.2.0 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.2.0 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.2.0 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.2.0 > 3 Monitoring > 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.2.0 > 3 Monitoring > 3.3 Ensure a log metric filter and alarm exist for usage of "root" account
- CIS v1.2.0 > 3 Monitoring > 3.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.2.0 > 3 Monitoring > 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.2.0 > 3 Monitoring > 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.2.0 > 3 Monitoring > 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.2.0 > 3 Monitoring > 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.2.0 > 3 Monitoring > 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.2.0 > 4 Networking > 4.4 Ensure routing tables for VPC peering are "least access"
- CIS v1.3.0 > 1 Identity and Access Management > 1.1 Maintain current contact details
- CIS v1.3.0 > 1 Identity and Access Management > 1.17 Ensure a support role has been created to manage incidents with AWS Support
- CIS v1.3.0 > 1 Identity and Access Management > 1.18 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v1.3.0 > 1 Identity and Access Management > 1.2 Ensure security contact information is registered
- CIS v1.3.0 > 1 Identity and Access Management > 1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- CIS v1.3.0 > 1 Identity and Access Management > 1.3 Ensure security questions are registered in the AWS account
- CIS v1.3.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v1.3.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy prevents password reuse
- CIS v1.3.0 > 3 Logging > 3.1 Ensure CloudTrail is enabled in all regions
- CIS v1.3.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.3.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.3.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.3.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.3.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.3.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.3.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.3.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.3.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of "root" account
- CIS v1.3.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.3.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.3.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.3.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.3.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.3.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.3.0 > 5 Networking > 5.4 Ensure routing tables for VPC peering are 'least access'
- CIS v1.4.0 > 1 Identity and Access Management > 1.1 Maintain current contact details
- CIS v1.4.0 > 1 Identity and Access Management > 1.17 Ensure a support role has been created to manage incidents with AWS Support
- CIS v1.4.0 > 1 Identity and Access Management > 1.18 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v1.4.0 > 1 Identity and Access Management > 1.2 Ensure security contact information is registered
- CIS v1.4.0 > 1 Identity and Access Management > 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- CIS v1.4.0 > 1 Identity and Access Management > 1.3 Ensure security questions are registered in the AWS account
- CIS v1.4.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v1.4.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy prevents password reuse
- CIS v1.4.0 > 3 Logging > 3.1 Ensure CloudTrail is enabled in all regions
- CIS v1.4.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.4.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.4.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.4.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.4.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.4.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.4.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.4.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.4.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
- CIS v1.4.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.4.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.4.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.4.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.4.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.4.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.4.0 > 5 Networking > 5.4 Ensure routing tables for VPC peering are "least access"
- CIS v1.5.0 > 1 Identity and Access Management > 1.1 Maintain current contact details
- CIS v1.5.0 > 1 Identity and Access Management > 1.17 Ensure a support role has been created to manage incidents with AWS Support
- CIS v1.5.0 > 1 Identity and Access Management > 1.18 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v1.5.0 > 1 Identity and Access Management > 1.2 Ensure security contact information is registered
- CIS v1.5.0 > 1 Identity and Access Management > 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- CIS v1.5.0 > 1 Identity and Access Management > 1.3 Ensure security questions are registered in the AWS account
- CIS v1.5.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v1.5.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy prevents password reuse
- CIS v1.5.0 > 3 Logging > 3.1 Ensure CloudTrail is enabled in all regions
- CIS v1.5.0 > 4 Monitoring > 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls
- CIS v1.5.0 > 4 Monitoring > 4.10 Ensure a log metric filter and alarm exist for security group changes
- CIS v1.5.0 > 4 Monitoring > 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- CIS v1.5.0 > 4 Monitoring > 4.12 Ensure a log metric filter and alarm exist for changes to network gateways
- CIS v1.5.0 > 4 Monitoring > 4.13 Ensure a log metric filter and alarm exist for route table changes
- CIS v1.5.0 > 4 Monitoring > 4.14 Ensure a log metric filter and alarm exist for VPC changes
- CIS v1.5.0 > 4 Monitoring > 4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes
- CIS v1.5.0 > 4 Monitoring > 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- CIS v1.5.0 > 4 Monitoring > 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account
- CIS v1.5.0 > 4 Monitoring > 4.4 Ensure a log metric filter and alarm exist for IAM policy changes
- CIS v1.5.0 > 4 Monitoring > 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- CIS v1.5.0 > 4 Monitoring > 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- CIS v1.5.0 > 4 Monitoring > 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
- CIS v1.5.0 > 4 Monitoring > 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- CIS v1.5.0 > 4 Monitoring > 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- CIS v1.5.0 > 5 Networking > 5.5 Ensure routing tables for VPC peering are "least access"
- CIS v2.0.0 > 1 Identity and Access Management > 1.1 Maintain current contact details
- CIS v2.0.0 > 1 Identity and Access Management > 1.17 Ensure a support role has been created to manage incidents with AWS Support
- CIS v2.0.0 > 1 Identity and Access Management > 1.18 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v2.0.0 > 1 Identity and Access Management > 1.2 Ensure security contact information is registered
- CIS v2.0.0 > 1 Identity and Access Management > 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- CIS v2.0.0 > 1 Identity and Access Management > 1.3 Ensure security questions are registered in the AWS account
- CIS v2.0.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v2.0.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy prevents password reuse
- CIS v2.0.0 > 3 Logging > 3.1 Ensure CloudTrail is enabled in all regions
- CIS v2.0.0 > 4 Monitoring > 4.1 Ensure unauthorized API calls are monitored
- CIS v2.0.0 > 4 Monitoring > 4.10 Ensure security group changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.11 Ensure Network Access Control Lists (NACL) changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.12 Ensure changes to network gateways are monitored
- CIS v2.0.0 > 4 Monitoring > 4.13 Ensure route table changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.14 Ensure VPC changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.15 Ensure AWS Organizations changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.2 Ensure management console sign-in without MFA is monitored
- CIS v2.0.0 > 4 Monitoring > 4.3 Ensure usage of 'root' account is monitored
- CIS v2.0.0 > 4 Monitoring > 4.4 Ensure IAM policy changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.5 Ensure CloudTrail configuration changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.6 Ensure AWS Management Console authentication failures are monitored
- CIS v2.0.0 > 4 Monitoring > 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- CIS v2.0.0 > 4 Monitoring > 4.8 Ensure S3 bucket policy changes are monitored
- CIS v2.0.0 > 4 Monitoring > 4.9 Ensure AWS Config configuration changes are monitored
- CIS v2.0.0 > 5 Networking > 5.5 Ensure routing tables for VPC peering are "least access"
- CIS v3.0.0 > 1 Identity and Access Management > 1.1 Maintain current contact details
- CIS v3.0.0 > 1 Identity and Access Management > 1.17 Ensure a support role has been created to manage incidents with AWS Support
- CIS v3.0.0 > 1 Identity and Access Management > 1.18 Ensure IAM instance roles are used for AWS resource access from instances
- CIS v3.0.0 > 1 Identity and Access Management > 1.2 Ensure security contact information is registered
- CIS v3.0.0 > 1 Identity and Access Management > 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- CIS v3.0.0 > 1 Identity and Access Management > 1.3 Ensure security questions are registered in the AWS account
- CIS v3.0.0 > 1 Identity and Access Management > 1.8 Ensure IAM password policy requires minimum length of 14 or greater
- CIS v3.0.0 > 1 Identity and Access Management > 1.9 Ensure IAM password policy prevents password reuse
- CIS v3.0.0 > 3 Logging > 3.1 Ensure CloudTrail is enabled in all regions
- CIS v3.0.0 > 4 Monitoring > 4.1 Ensure unauthorized API calls are monitored
- CIS v3.0.0 > 4 Monitoring > 4.10 Ensure security group changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.11 Ensure Network Access Control Lists (NACL) changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.12 Ensure changes to network gateways are monitored
- CIS v3.0.0 > 4 Monitoring > 4.13 Ensure route table changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.14 Ensure VPC changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.15 Ensure AWS Organizations changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.2 Ensure management console sign-in without MFA is monitored
- CIS v3.0.0 > 4 Monitoring > 4.3 Ensure usage of 'root' account is monitored
- CIS v3.0.0 > 4 Monitoring > 4.4 Ensure IAM policy changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.5 Ensure CloudTrail configuration changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.6 Ensure AWS Management Console authentication failures are monitored
- CIS v3.0.0 > 4 Monitoring > 4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored
- CIS v3.0.0 > 4 Monitoring > 4.8 Ensure S3 bucket policy changes are monitored
- CIS v3.0.0 > 4 Monitoring > 4.9 Ensure AWS Config configuration changes are monitored
- CIS v3.0.0 > 5 Networking > 5.5 Ensure routing tables for VPC peering are "least access"
- CloudTrail trails should be enabled in all regions
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for VPC changes
- Ensure a support role has been created to manage incidents with AWS Support
- Ensure IAM password policy expires passwords within 90 days or less
- Ensure IAM password policy prevents password reuse
- Ensure IAM password policy requires a minimum length of 14 or greater
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- IAM password policies for users should have strong configurations
Schema for aws_account
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_aliases | jsonb | | A list of aliases associated with the account, if applicable. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) specifying the account. |
organization_arn | text | | The Amazon Resource Name (ARN) of an organization. |
organization_available_policy_types | jsonb | | A list of the policy types available to the organization, each with its Type and Status (see the organization policy query above). |
organization_feature_set | text | | Specifies the functionality that currently is available to the organization. If set to "ALL", then all features are enabled and policies can be applied to accounts in the organization. If set to "CONSOLIDATED_BILLING", then only consolidated billing functionality is available. |
organization_id | text | | The unique identifier (ID) of an organization, if applicable. |
organization_master_account_arn | text | | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |
organization_master_account_email | text | | The email address that is associated with the AWS account that is designated as the management account for the organization. |
organization_master_account_id | text | | The unique identifier (ID) of the management account of an organization. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_account