steampipe plugin install aws

Table: aws_backup_vault - Query AWS Backup Vaults using SQL

The AWS Backup Vault is a secured place where AWS Backup stores backup data. It provides a scalable, fully managed, policy-based resource for managing and protecting data across AWS services. It is designed to simplify data protection, enable regulatory compliance, and save costs by eliminating the need to create and manage custom scripts and manual processes.

Table Usage Guide

The aws_backup_vault table in Steampipe provides you with information about backup vaults within AWS Backup. This table allows you, as a DevOps engineer, to query vault-specific details, including the vault name, ARN, number of recovery points, and associated metadata. You can utilize this table to gather insights on backup vaults, such as the number of recovery points for each vault, the creation date of each vault, and more. The schema outlines the various attributes of the backup vault for you, including the vault name, ARN, creation date, last resource backup time, and associated tags.

Examples

Basic Info

Uncover the details of your AWS backup vaults, including their names, unique identifiers, and the dates they were created. This can be particularly useful for auditing purposes, allowing you to keep track of your resources and their creation timelines.

select
  name,
  arn,
  creation_date
from
  aws_backup_vault;

List vaults older than 90 days

Identify backup vaults that have been established for over 90 days. This can be beneficial in assessing long-standing storage resources that may require maintenance or review.

Postgres:

select
  name,
  arn,
  creation_date
from
  aws_backup_vault
where
  creation_date <= (current_date - interval '90' day)
order by
  creation_date;

SQLite:

select
  name,
  arn,
  creation_date
from
  aws_backup_vault
where
  creation_date <= date('now', '-90 day')
order by
  creation_date;

List vaults that do not prevent the deletion of backups in the backup vault

Identify backup vaults that may be at risk because their access policy does not prevent the deletion of backups. The query flags vaults whose policy contains a statement with a wildcard principal (*), an effect other than Deny, and an action matching DeleteBackupVault. This is useful in identifying potential vulnerabilities and ensuring the safety of your data.

Postgres:

select
  name
from
  aws_backup_vault,
  jsonb_array_elements(policy -> 'Statement') as s
where
  s ->> 'Principal' = '*'
  and s ->> 'Effect' != 'Deny'
  and s ->> 'Action' like '%DeleteBackupVault%';

SQLite:

-- SQLite JSON paths have no [*] wildcard, so expand the statements with json_each.
select
  name
from
  aws_backup_vault,
  json_each(policy, '$.Statement') as s
where
  json_extract(s.value, '$.Principal') = '*'
  and json_extract(s.value, '$.Effect') != 'Deny'
  and json_extract(s.value, '$.Action') like '%DeleteBackupVault%';
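
The policy check above looks only at the vault access policy; Backup Vault Lock is the other control that makes delete operations on recovery points fail. The query below is an added example, not part of the Steampipe documentation, that uses the locked, lock_date and retention columns of this table to list vaults that hold recovery points but whose lock is absent or can still be changed (Postgres syntax). The lock_state labels are this example's own wording, and they assume the AWS behaviour that a lock with no lock date can be changed or removed at any time.

```sql
-- Added example: vaults with recovery points that are not yet immutably locked.
-- Uses only columns listed in the aws_backup_vault schema.
select
  name,
  region,
  number_of_recovery_points,
  case
    -- No Vault Lock at all: recovery points can be deleted by anyone permitted to.
    when not coalesce(locked, false) then 'no vault lock'
    -- Lock applied without a lock date: the lock itself can still be removed.
    when lock_date is null then 'locked, lock still removable'
    -- Lock date in the future: configuration is still changeable until then.
    when lock_date > now() then
      'locked, changeable until ' || to_char(lock_date, 'YYYY-MM-DD')
  end as lock_state,
  min_retention_days,
  max_retention_days,
  encryption_key_arn
from
  aws_backup_vault
where
  number_of_recovery_points > 0
  and (
    not coalesce(locked, false)
    or lock_date is null
    or lock_date > now()
  )
order by
  number_of_recovery_points desc;
```

Vaults that do not appear in the result either hold no recovery points or have a lock whose lock date has already passed.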

List policy details for backup vaults

Review the access policy attached to each backup vault, in both its original form (policy) and its canonical form (policy_std). This helps in understanding the security measures in place for your backup vaults, assisting in maintaining data integrity and safety.

Postgres:

select
  name,
  jsonb_pretty(policy) as policy,
  jsonb_pretty(policy_std) as policy_std
from
  aws_backup_vault;

SQLite:

select
  name,
  policy,
  policy_std
from
  aws_backup_vault;

Schema for aws_backup_vault

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | An Amazon Resource Name (ARN) that uniquely identifies a backup vault.
backup_vault_events | jsonb | | An array of events that indicate the status of jobs to back up resources to the backup vault.
creation_date | timestamp with time zone | | The date and time a resource backup is created.
creator_request_id | text | | A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice.
encryption_key_arn | text | | The server-side encryption key that is used to protect your backups.
lock_date | timestamp with time zone | | The date and time when Backup Vault Lock configuration cannot be changed or deleted.
locked | boolean | | A Boolean that indicates whether Backup Vault Lock is currently protecting the backup vault. True means that Vault Lock causes delete or update operations on the recovery points stored in the vault to fail.
max_retention_days | bigint | | The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points.
min_retention_days | bigint | | The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points.
name | text | = | The name of a logical container where backups are stored.
number_of_recovery_points | double precision | | The number of recovery points that are stored in a backup vault.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policy | jsonb | | The backup vault access policy document in JSON format.
policy_std | jsonb | | Contains the backup vault access policy document in a canonical form for easier searching.
region | text | | The AWS Region in which the resource is located.
sns_topic_arn | text | | An ARN that uniquely identifies an Amazon Simple Notification Service.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_backup_vault