steampipe plugin install aws

Table: aws_cloudwatch_log_resource_policy - Query AWS CloudWatch Log Resource Policies using SQL

The AWS CloudWatch Log Resource Policy is a feature of Amazon CloudWatch that allows you to manage resource policies. These policies enable AWS services to perform tasks on your behalf without sharing your security credentials. They are crucial in controlling who can access your logs and what actions they can perform.

Table Usage Guide

The aws_cloudwatch_log_resource_policy table in Steampipe provides you with information about log resource policies within Amazon CloudWatch Logs. This table allows you, as a DevOps engineer, to query policy-specific details, including the policy name, policy document, and last updated timestamp. You can utilize this table to gather insights on policies, such as what actions are allowed or denied, the resources to which the policy applies, and the conditions under which the policy takes effect. The schema outlines for you the various attributes of the CloudWatch Logs resource policy, including the policy name, policy document, and last updated timestamp.


Basic Info

Explore the updates made to your AWS CloudWatch log resource policies. This query can be used to track policy changes over time, ensuring your settings align with your security and operational requirements.

jsonb_pretty(policy) as policy,
jsonb_pretty(policy_std) as policy_std

Schema for aws_cloudwatch_log_resource_policy

_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
last_updated_timetimestamp with time zoneTimestamp showing when this policy was last updated.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policyjsonbThe details of the policy.
policy_nametextThe name of the resource policy.
policy_stdjsonbContains the policy document in a canonical form for easier searching.
regiontextThe AWS Region in which the resource is located.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.


This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the script:

/bin/sh -c "$(curl -fsSL" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_cloudwatch_log_resource_policy