Table: aws_backup_vault - Query AWS Backup Vaults using SQL
The AWS Backup Vault is a secured place where AWS Backup stores backup data. It provides a scalable, fully managed, policy-based resource for managing and protecting data across AWS services. It is designed to simplify data protection, enable regulatory compliance, and save costs by eliminating the need to create and manage custom scripts and manual processes.
Table Usage Guide
The aws_backup_vault table in Steampipe provides you with information about backup vaults within AWS Backup. This table allows you, as a DevOps engineer, to query vault-specific details, including the vault name, ARN, number of recovery points, and associated metadata. You can use this table to gather insights on backup vaults, such as the number of recovery points in each vault, the creation date of each vault, and more. The schema outlines the attributes of the backup vault for you, including the vault name, ARN, creation date, access policy, Backup Vault Lock status, encryption key, and associated tags.
Examples
Basic Info
Uncover the details of your AWS backup vaults, including their names, unique identifiers, and the dates they were created. This can be particularly useful for auditing purposes, allowing you to keep track of your resources and their creation timelines.
Postgres and SQLite:

```sql
select
  name,
  arn,
  creation_date
from
  aws_backup_vault;
```
List vaults older than 90 days
Identify backup vaults that have been established for over 90 days. This can be beneficial in assessing long-standing storage resources that may require maintenance or review.
Postgres:

```sql
select
  name,
  arn,
  creation_date
from
  aws_backup_vault
where
  creation_date <= (current_date - interval '90' day)
order by
  creation_date;
```

SQLite:

```sql
select
  name,
  arn,
  creation_date
from
  aws_backup_vault
where
  creation_date <= date('now', '-90 day')
order by
  creation_date;
```
List vaults whose access policy does not prevent deletion of the backup vault
Identify backup vaults whose resource-based access policy contains a statement that is not a Deny, names the wildcard principal `*`, and includes `DeleteBackupVault` in its actions. Such a statement leaves nothing but IAM identity policies and Backup Vault Lock standing between an attacker and the vault, so these vaults warrant review. Note that the query matches only the bare-string `"*"` principal form; a principal written as `{"AWS": "*"}` is not caught, and statements with a `Condition` block are reported without the condition being evaluated.
Postgres:

```sql
select
  name
from
  aws_backup_vault,
  jsonb_array_elements(policy -> 'Statement') as s
where
  s ->> 'Principal' = '*'
  and s ->> 'Effect' != 'Deny'
  and s ->> 'Action' like '%DeleteBackupVault%';
```

SQLite (the `Statement` array is expanded with `json_each`, because SQLite's `json_extract` has no `[*]` wildcard):

```sql
select
  name
from
  aws_backup_vault,
  json_each(aws_backup_vault.policy, '$.Statement') as s
where
  json_extract(s.value, '$.Principal') = '*'
  and json_extract(s.value, '$.Effect') != 'Deny'
  and json_extract(s.value, '$.Action') like '%DeleteBackupVault%';
```
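A broader version of the check above, added here as an example and not part of the Steampipe documentation or the AWS plugin. It tests for `Effect = Allow` explicitly, accepts the principal both as the bare string `"*"` and as `{"AWS": "*"}`, treats `Action` as either a string or an array, and also catches the wildcards `*` and `backup:*` that grant delete rights implicitly. It additionally surfaces `backup:DeleteRecoveryPoint`, since deleting recovery points destroys backups without touching the vault itself. Postgres dialect; the `locked` column is reported alongside so you can see whether Backup Vault Lock already blocks deletes on that vault.

```sql
-- Added example (Postgres), not from the Steampipe docs. Flags vault access
-- policy statements that let any principal delete the vault or its recovery
-- points, and shows whether Backup Vault Lock is protecting the vault.
select
  v.name,
  v.region,
  v.locked,
  s ->> 'Sid' as statement_id,
  s -> 'Action' as action
from
  aws_backup_vault as v,
  jsonb_array_elements(v.policy -> 'Statement') as s
where
  s ->> 'Effect' = 'Allow'
  -- Principal may be the bare string "*" or the object {"AWS": "*"}.
  -- jsonb containment (@>) is true for a scalar against itself and for a
  -- top-level array that contains the scalar, so both shapes are covered.
  and (
    s -> 'Principal' @> '"*"'::jsonb
    or s -> 'Principal' -> 'AWS' @> '"*"'::jsonb
  )
  -- Action may likewise be a string or an array; wildcards grant delete too.
  and (
    s -> 'Action' @> '"backup:DeleteBackupVault"'::jsonb
    or s -> 'Action' @> '"backup:DeleteRecoveryPoint"'::jsonb
    or s -> 'Action' @> '"backup:*"'::jsonb
    or s -> 'Action' @> '"*"'::jsonb
  )
order by
  v.locked,
  v.name;
```

Two caveats apply. `jsonb_array_elements` expects `Statement` to be an array; a policy whose `Statement` is a single object will raise an error, and `Condition` blocks are not evaluated, so a hit is a lead to review rather than proof of exposure. IAM matches action names case-insensitively while `@>` is case-sensitive, so an unusually cased action such as `backup:deletebackupvault` would be missed by this query.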
List policy details for backup vaults
Show the access policy attached to each backup vault, both as stored and in the canonical policy_std form that Steampipe normalizes for easier searching. Reviewing these documents tells you who is permitted to act on a vault and its recovery points, which is central to keeping backups intact.
Postgres:

```sql
select
  name,
  jsonb_pretty(policy) as policy,
  jsonb_pretty(policy_std) as policy_std
from
  aws_backup_vault;
```

SQLite:

```sql
select
  name,
  policy,
  policy_std
from
  aws_backup_vault;
```
Schema for aws_backup_vault
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | An Amazon Resource Name (ARN) that uniquely identifies a backup vault. |
backup_vault_events | jsonb | | An array of events that indicate the status of jobs to back up resources to the backup vault. |
creation_date | timestamp with time zone | | The date and time the backup vault was created. |
creator_request_id | text | | A unique string that identifies the request and allows failed requests to be retried without the risk of running the operation twice. |
encryption_key_arn | text | | The server-side encryption key that is used to protect your backups. |
lock_date | timestamp with time zone | | The date and time after which the Backup Vault Lock configuration cannot be changed or deleted. |
locked | boolean | | A Boolean that indicates whether Backup Vault Lock is currently protecting the backup vault. True means that Vault Lock causes delete or update operations on the recovery points stored in the vault to fail. |
max_retention_days | bigint | | The Backup Vault Lock setting that specifies the maximum retention period that the vault retains its recovery points. |
min_retention_days | bigint | | The Backup Vault Lock setting that specifies the minimum retention period that the vault retains its recovery points. |
name | text | = | The name of a logical container where backups are stored. |
number_of_recovery_points | double precision | | The number of recovery points that are stored in a backup vault. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | The backup vault access policy document in JSON format. |
policy_std | jsonb | | Contains the backup vault access policy document in a canonical form for easier searching. |
region | text | | The AWS Region in which the resource is located. |
sns_topic_arn | text | | An ARN that uniquely identifies the Amazon SNS topic that receives backup vault event notifications. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
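The `locked`, `lock_date`, `min_retention_days` and `max_retention_days` columns describe Backup Vault Lock, the control that actually stops recovery points from being deleted or shortened early. The following query, added here as an example rather than taken from the Steampipe documentation, reports each vault's lock posture: a vault that is not locked, or whose `lock_date` is absent or still in the future, can still have its lock configuration removed or changed. Postgres dialect; the status labels are this example's own.

```sql
-- Added example (Postgres), not from the Steampipe docs. Summarises the Backup
-- Vault Lock posture of each vault so unlocked or still-changeable vaults stand out.
select
  name,
  region,
  locked,
  min_retention_days,
  max_retention_days,
  lock_date,
  number_of_recovery_points,
  case
    when locked is not true then 'unlocked'
    -- A lock with no lock_date can be removed at any time; a lock whose
    -- lock_date is still ahead is in its changeable period.
    when lock_date is null or lock_date > now() then 'locked, still changeable'
    else 'locked, immutable'
  end as lock_status
from
  aws_backup_vault
order by
  -- Weakest posture first.
  case
    when locked is not true then 0
    when lock_date is null or lock_date > now() then 1
    else 2
  end,
  name;
```

Run this alongside the access-policy checks above: a permissive vault policy matters far less on a vault reported as `locked, immutable`, and far more on one reported as `unlocked`.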
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_backup_vault
```