steampipe plugin install aws

Table: aws_config_rule - Query AWS Config Rules using SQL

AWS Config Rules is a service that enables you to automate the evaluation of recorded configurations against the desired configurations. With Config Rules, you can review changes to configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

Table Usage Guide

The aws_config_rule table in Steampipe provides you with information about Config Rules within the AWS Config service. This table allows you, as a DevOps engineer, to query rule-specific details, including the rule name, ARN, description, scope, and compliance status. You can utilize this table to gather insights on Config Rules, such as rules that are non-compliant, rules applied to specific resources, and more. The schema outlines the various attributes of the Config Rule for you, including the rule ARN, creation date, input parameters, and associated tags.

Examples

Basic info

Explore which AWS configuration rules are in place to gain insights into the current security and compliance state of your AWS resources. This can help identify potential areas of risk or non-compliance.

select
name,
rule_id,
arn,
rule_state,
created_by,
scope
from
aws_config_rule;
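Listing the rules that exist is only half of a security review; the more useful question is which baseline rules are missing in which account and region. The following added example (not from the Steampipe documentation) checks every enabled region of every connected account against a list of expected AWS managed rule identifiers. The expected list is a constructed sample to be replaced with your own baseline, the aws_region table and its opt_in_status column are assumed to be available from the same plugin, and the query targets the PostgreSQL backend.

```sql
-- Added example: report (account, region, managed rule) triples where no ACTIVE
-- rule with that SourceIdentifier is deployed. The baseline below is a
-- constructed sample; regional rules only, since global rules such as
-- root-account MFA are normally deployed in a single region.
with expected(source_identifier) as (
  values
    ('S3_BUCKET_PUBLIC_READ_PROHIBITED'),
    ('S3_BUCKET_PUBLIC_WRITE_PROHIBITED'),
    ('CLOUD_TRAIL_ENABLED'),
    ('ENCRYPTED_VOLUMES'),
    ('INCOMING_SSH_DISABLED')
),
targets as (
  -- assumption: aws_region exposes one row per (account_id, region name)
  select distinct
    account_id,
    name as region
  from
    aws_region
  where
    opt_in_status <> 'not-opted-in'
),
deployed as (
  select
    account_id,
    region,
    source ->> 'SourceIdentifier' as source_identifier
  from
    aws_config_rule
  where
    source ->> 'Owner' = 'AWS'
    and rule_state = 'ACTIVE'
)
select
  t.account_id,
  t.region,
  e.source_identifier as missing_rule
from
  targets t
  cross join expected e
  left join deployed d
    on d.account_id = t.account_id
   and d.region = t.region
   and d.source_identifier = e.source_identifier
where
  d.source_identifier is null
order by
  t.account_id,
  t.region,
  e.source_identifier;
```

An empty result means every target region carries every baseline rule in the ACTIVE state. Matching on source ->> 'SourceIdentifier' rather than on name is deliberate: the managed rule identifier is fixed by AWS, whereas the rule name is whatever the person or tool that created the rule chose.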

List inactive rules

List rules whose state is anything other than ACTIVE (DELETING, DELETING_RESULTS or EVALUATING). A rule that is not ACTIVE is not producing compliance results, so a rule that stays in one of these states for long is a monitoring gap rather than an optimization opportunity: check whether a deletion is stuck or a deployment never completed.

PostgreSQL:

select
  name,
  rule_id,
  arn,
  rule_state
from
  aws_config_rule
where
  rule_state <> 'ACTIVE';

SQLite:

select
  name,
  rule_id,
  arn,
  rule_state
from
  aws_config_rule
where
  rule_state != 'ACTIVE';

List active rules for S3 buckets

List the active rules whose name refers to S3 buckets. The query filters on rule_state as well as on the name, because a rule that is being deleted still appears in the table. Note that the name pattern only finds rules that follow a naming convention; the identity AWS maintains for a managed rule is in source ->> 'SourceIdentifier', and like is case sensitive (use ilike on PostgreSQL for a case-insensitive match).

select
  name,
  rule_id,
  tags
from
  aws_config_rule
where
  rule_state = 'ACTIVE'
  and name like '%s3-bucket%';

The query is the same on PostgreSQL and SQLite.
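Because rule names are chosen by whoever created the rule, a name pattern can miss S3 rules that were named differently. The added example below (not from the Steampipe documentation) finds S3-related rules from data AWS itself maintains: the managed rule identifier in source and the resource types declared in scope. It assumes the jsonb layout shown in the schema on this page (PascalCase keys as in the AWS API) and runs on the PostgreSQL backend.

```sql
-- Added example: find Config rules that target S3 buckets without relying on
-- the rule name. Managed-rule identifiers (source ->> 'SourceIdentifier') are
-- fixed uppercase strings such as S3_BUCKET_PUBLIC_READ_PROHIBITED; custom
-- rules declare the resource types they watch in scope -> 'ComplianceResourceTypes'.
select
  account_id,
  region,
  name,
  rule_state,
  source ->> 'Owner' as rule_owner,
  source ->> 'SourceIdentifier' as source_identifier,
  scope -> 'ComplianceResourceTypes' as resource_types
from
  aws_config_rule
where
  -- the backslash keeps the underscore literal; a bare '_' in like is a wildcard
  (source ->> 'Owner' = 'AWS'
   and source ->> 'SourceIdentifier' like 'S3\_BUCKET%')
  -- jsonb ? tests whether the string is an element of the array
  or scope -> 'ComplianceResourceTypes' ? 'AWS::S3::Bucket'
order by
  account_id,
  region,
  name;
```

Rules with a null scope are evaluated for every recorded resource type and therefore do not match the second condition; drop the scope test if you also want those.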

List compliance details by config rule

Retrieve the full compliance record of one rule by name. The example uses approved-amis-by-id, the managed rule that checks running instances against an allow list of AMI IDs. Filtering on name is pushed down to the AWS API (see the Operators column in the schema), so this is cheaper than scanning all rules and filtering afterwards.

PostgreSQL:

select
  jsonb_pretty(compliance_by_config_rule) as compliance_info
from
  aws_config_rule
where
  name = 'approved-amis-by-id';

SQLite:

select
  compliance_by_config_rule
from
  aws_config_rule
where
  name = 'approved-amis-by-id';

List compliance types by config rule

Report, for every rule, whether it is COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE or INSUFFICIENT_DATA. The PostgreSQL version extracts the final key with ->> rather than -> so that the result is plain text instead of a quoted JSON string; this matters as soon as you compare the value in a where clause.

PostgreSQL:

select
  name as config_rule_name,
  compliance_status -> 'Compliance' ->> 'ComplianceType' as compliance_type
from
  aws_config_rule,
  jsonb_array_elements(compliance_by_config_rule) as compliance_status;

SQLite:

select
  name as config_rule_name,
  json_extract(
    compliance_status.value,
    '$.Compliance.ComplianceType'
  ) as compliance_type
from
  aws_config_rule,
  json_each(compliance_by_config_rule) as compliance_status;
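The compliance type alone does not say how bad a NON_COMPLIANT rule is, nor which rules cannot report at all. The added example below (not part of the Steampipe documentation) ranks non-compliant rules by the number of offending resources and also lists rules reporting INSUFFICIENT_DATA, which means no evaluation results are available (for example the rule has not run yet or its Lambda function returned nothing). It assumes the compliance_by_config_rule array carries the AWS ComplianceByConfigRule structure (Compliance.ComplianceType and Compliance.ComplianceContributorCount with CappedCount and CapExceeded) and targets the PostgreSQL backend.

```sql
-- Added example: rank non-compliant rules by offending-resource count and
-- surface rules that produce no results. AWS caps CappedCount and sets
-- CapExceeded when the real number of non-compliant resources is higher.
select
  account_id,
  region,
  name as config_rule_name,
  source ->> 'Owner' as rule_owner,
  source ->> 'SourceIdentifier' as source_identifier,
  c -> 'Compliance' ->> 'ComplianceType' as compliance_type,
  (c -> 'Compliance' -> 'ComplianceContributorCount' ->> 'CappedCount')::int
    as non_compliant_resources,
  (c -> 'Compliance' -> 'ComplianceContributorCount' ->> 'CapExceeded')::boolean
    as count_is_capped
from
  aws_config_rule,
  jsonb_array_elements(compliance_by_config_rule) as c
where
  c -> 'Compliance' ->> 'ComplianceType' in ('NON_COMPLIANT', 'INSUFFICIENT_DATA')
order by
  compliance_type,
  non_compliant_resources desc nulls last,
  account_id,
  region;
```

The contributor count is only populated for NON_COMPLIANT rules, so INSUFFICIENT_DATA rows sort last with a null count. Treat a count_is_capped of true as "at least this many": the per-resource list has to come from the rule's evaluation results, not from this summary.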

List config rules that run in proactive mode

Identify rules that have proactive evaluation enabled. Proactive evaluation checks a resource's configuration before it is provisioned (for example during a CloudFormation deployment), whereas the default detective mode evaluates resources after AWS Config has recorded them. A rule can enable both modes, so this query can return the same rule as detective rules would.

PostgreSQL:

select
  name as config_rule_name,
  c ->> 'Mode' as evaluation_mode
from
  aws_config_rule,
  jsonb_array_elements(evaluation_modes) as c
where
  c ->> 'Mode' = 'PROACTIVE';

SQLite:

select
  name as config_rule_name,
  json_extract(c.value, '$.Mode') as evaluation_mode
from
  aws_config_rule,
  json_each(evaluation_modes) as c
where
  json_extract(c.value, '$.Mode') = 'PROACTIVE';
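Expanding the evaluation_modes array yields one row per mode, which makes it awkward to see at a glance which rules check resources only at deploy time. The added example below (not from the Steampipe documentation) produces one row per rule with a boolean per mode, using jsonb containment instead of unnesting. It assumes that a null or empty evaluation_modes means the AWS default of detective-only evaluation, and targets the PostgreSQL backend.

```sql
-- Added example: one row per rule with detective/proactive flags.
-- Assumption: a null or empty evaluation_modes list means the AWS default,
-- which is detective evaluation only.
with modes as (
  select
    account_id,
    region,
    name,
    coalesce(evaluation_modes, '[]'::jsonb) as evaluation_modes
  from
    aws_config_rule
)
select
  account_id,
  region,
  name as config_rule_name,
  -- @> tests whether the array contains an object with this Mode
  jsonb_array_length(evaluation_modes) = 0
    or evaluation_modes @> '[{"Mode": "DETECTIVE"}]' as detective,
  evaluation_modes @> '[{"Mode": "PROACTIVE"}]' as proactive
from
  modes
order by
  proactive desc,
  account_id,
  region,
  name;
```

Any rule with proactive = true and detective = false is evaluated only when a deployment passes through it; resources that already exist in the account are never checked by that rule.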

Schema for aws_config_rule

Name | Type | Operators | Description
---- | ---- | --------- | -----------
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
account_id | text | | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Amazon Resource Name (ARN) of the AWS Config rule.
compliance_by_config_rule | jsonb | | The compliance information of the config rule.
created_by | text | | Service principal name of the service that created the rule.
description | text | | The description that you provide for the AWS Config rule.
evaluation_modes | jsonb | | The modes the Config rule can be evaluated in, as a list of objects whose Mode is DETECTIVE or PROACTIVE. By default a rule is evaluated in detective mode only.
input_parameters | jsonb | | A string, in JSON format, that is passed to the AWS Config rule Lambda function.
maximum_execution_frequency | text | | The maximum frequency with which AWS Config runs evaluations for a rule.
name | text | = | The name that you assign to the AWS Config rule.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
rule_id | text | | The ID of the AWS Config rule.
rule_state | text | | The state of the AWS Config rule: ACTIVE, DELETING, DELETING_RESULTS or EVALUATING.
scope | jsonb | | Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
source | jsonb | | Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags assigned to the rule.
title | text | | Title of the resource.

The Operators column lists the qualifiers that Steampipe passes down to the AWS API: an equality filter on name is sent to the API directly, while every other where clause is applied after all rules in the connection have been listed.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_config_rule