steampipe plugin install aws

Table: aws_backup_legal_hold - Query AWS Backup Legal Hold using SQL

The AWS Backup Legal Hold is a feature within the AWS Backup service that helps in preserving your backup recovery points, preventing them from being accidentally or intentionally deleted. It provides an additional layer of data protection by enabling you to enforce a legal hold on backup recovery points, regardless of the retention period. This feature is particularly useful in legal and compliance scenarios where data retention is of utmost importance.

Table Usage Guide

The aws_backup_legal_hold table in Steampipe provides you with information about legal hold settings for AWS Backup resources. This table allows you, as a DevOps engineer, to query legal hold-specific details, including the backup resource ARN, the legal hold status, and the last update time. You can use this table to review and monitor the legal hold status of backup resources, ensuring compliance with data retention policies and legal requirements. The schema below lists the attributes available for each legal hold.

Examples

Basic Info

Explore the instances in your AWS backup where a legal hold has been applied. This can help you understand when and where these holds were created, as well as when they were cancelled, providing valuable insights for audit or compliance purposes.

select
  legal_hold_id,
  arn,
  creation_date,
  cancellation_date
from
  aws_backup_legal_hold;

List the legal holds on your AWS backups that were created more than 10 days ago. This can help you manage your resources more effectively by identifying outdated holds that may no longer be necessary.

PostgreSQL:

select
  legal_hold_id,
  arn,
  creation_date,
  retain_record_until
from
  aws_backup_legal_hold
where
  creation_date <= current_date - interval '10' day
order by
  creation_date;

SQLite:

select
  legal_hold_id,
  arn,
  creation_date,
  retain_record_until
from
  aws_backup_legal_hold
where
  creation_date <= date('now', '-10 day')
order by
  creation_date;

Explore the specific periods and resources associated with each legal hold in your AWS backup system. This can be useful to understand the scope and duration of your data recovery points under legal holds.

PostgreSQL:

select
  title,
  legal_hold_id,
  recovery_point_selection -> 'DateRange' ->> 'ToDate' as to_date,
  recovery_point_selection -> 'DateRange' ->> 'FromDate' as from_date,
  recovery_point_selection -> 'VaultNames' as vault_names,
  recovery_point_selection ->> 'ResourceIdentifiers' as resource_identifiers
from
  aws_backup_legal_hold;

SQLite:

select
  title,
  legal_hold_id,
  json_extract(recovery_point_selection, '$.DateRange.ToDate') as to_date,
  json_extract(recovery_point_selection, '$.DateRange.FromDate') as from_date,
  json_extract(recovery_point_selection, '$.VaultNames') as vault_names,
  json_extract(recovery_point_selection, '$.ResourceIdentifiers') as resource_identifiers
from
  aws_backup_legal_hold;
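
For audit review, the query below lists legal holds that have been released or are being released, with the stated reason and one row per vault named in the hold's selection criteria. It is an added example, not part of the Steampipe documentation; it uses PostgreSQL syntax and only the columns and status values listed in the schema, and it assumes VaultNames is a JSON array when present.

```sql
-- Added example (PostgreSQL): released or releasing legal holds, for audit review.
-- Assumption: recovery_point_selection -> 'VaultNames' is a JSON array when set;
-- holds without vault names still appear, with vault_name = null.
select
  h.account_id,
  h.region,
  h.legal_hold_id,
  h.title,
  h.status,
  h.creation_date,
  h.cancellation_date,
  h.cancel_description,
  -- how long the hold was in force before it was cancelled
  h.cancellation_date - h.creation_date as time_in_force,
  h.retain_record_until,
  v.vault_name
from
  aws_backup_legal_hold as h
  left join lateral jsonb_array_elements_text(
    case
      when jsonb_typeof(h.recovery_point_selection -> 'VaultNames') = 'array'
        then h.recovery_point_selection -> 'VaultNames'
      else '[]'::jsonb
    end
  ) as v(vault_name) on true
where
  h.status in ('CANCELED', 'CANCELING')
order by
  -- holds still in CANCELING have no cancellation_date yet; show them first
  h.cancellation_date desc nulls first;
```

Rows with an empty cancel_description, or a short time_in_force, are the ones to check against your change records.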

Schema for aws_backup_legal_hold

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | | This is an Amazon Resource Name (ARN) that uniquely identifies the legal hold. |
| cancel_description | text | | The reason for removing the legal hold. |
| cancellation_date | timestamp with time zone | | This is the time in number format when the legal hold was cancelled. |
| creation_date | timestamp with time zone | | This is the time in number format when the legal hold was created. |
| description | text | | This is the description of a legal hold. |
| legal_hold_id | text | = | ID of specific legal hold on one or more recovery points. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| recovery_point_selection | jsonb | | This specifies criteria to assign a set of resources, such as resource types or backup vaults. |
| region | text | | The AWS Region in which the resource is located. |
| retain_record_until | timestamp with time zone | | This is the date and time until which the legal hold record will be retained. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | | This is the status of the legal hold. Statuses can be ACTIVE, CREATING, CANCELED, and CANCELING. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_backup_legal_hold