steampipe plugin install aws

Table: aws_docdb_cluster_instance - Query Amazon DocumentDB Cluster Instances using SQL

The Amazon DocumentDB Cluster Instance is a part of Amazon DocumentDB, a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. It provides the performance, scalability, and availability you need when operating mission-critical MongoDB workloads at scale. With DocumentDB, you can store, query, and index JSON data.

Table Usage Guide

The aws_docdb_cluster_instance table in Steampipe provides you with information about Amazon DocumentDB Cluster Instances. This table allows you as a DevOps engineer, database administrator, or other technical professional to query detailed information about each cluster instance, such as its identifier, associated cluster identifier, instance class, availability zone, engine version, and other relevant metadata. You can utilize this table to gather insights on the configuration, performance, and status of your DocumentDB cluster instances. The schema outlines the various attributes of the DocumentDB cluster instance, including instance ARN, creation time, instance status, and associated tags for you.

Examples

Basic info

Gain insights into the specifics of your AWS DocumentDB Cluster instances, such as the engine type, version, and instance class. This can be useful for assessing your current configuration and identifying potential areas for optimization or upgrade.

PostgreSQL:

select
  db_instance_identifier,
  db_cluster_identifier,
  engine,
  engine_version,
  db_instance_class,
  availability_zone
from
  aws_docdb_cluster_instance;

SQLite:

select
  db_instance_identifier,
  db_cluster_identifier,
  engine,
  engine_version,
  db_instance_class,
  availability_zone
from
  aws_docdb_cluster_instance;

List instances which are publicly accessible

Identify instances that are accessible to the public, allowing you to review and manage your data's exposure and security. This query is useful for maintaining control over your data privacy and ensuring that only authorized users have access.

PostgreSQL:

select
  db_instance_identifier,
  db_cluster_identifier,
  engine,
  engine_version,
  db_instance_class,
  availability_zone
from
  aws_docdb_cluster_instance
where
  publicly_accessible;

SQLite:

select
  db_instance_identifier,
  db_cluster_identifier,
  engine,
  engine_version,
  db_instance_class,
  availability_zone
from
  aws_docdb_cluster_instance
where
  publicly_accessible = 1;

Get DB subnet group information of each instance

Explore the status and details of your database subnet groups across instances to understand their configuration and ensure optimal database management. This is beneficial for maintaining network efficiency and security in your AWS DocumentDB clusters.

PostgreSQL:

select
  db_subnet_group_arn,
  db_subnet_group_name,
  db_subnet_group_description,
  db_subnet_group_status
from
  aws_docdb_cluster_instance;

SQLite:

select
  db_subnet_group_arn,
  db_subnet_group_name,
  db_subnet_group_description,
  db_subnet_group_status
from
  aws_docdb_cluster_instance;

Get VPC and subnet information of each instance

Determine the VPC security groups and subnets each database instance is attached to, together with their status. This is useful for understanding your database's network configuration and ensuring it aligns with your security and performance requirements.

PostgreSQL:

select
  db_instance_identifier as attached_vpc,
  vsg ->> 'VpcSecurityGroupId' as vpc_security_group_id,
  vsg ->> 'Status' as status,
  sub -> 'SubnetAvailabilityZone' ->> 'Name' as subnet_availability_zone,
  sub ->> 'SubnetIdentifier' as subnet_identifier,
  sub -> 'SubnetOutpost' ->> 'Arn' as subnet_outpost,
  sub ->> 'SubnetStatus' as subnet_status
from
  aws_docdb_cluster_instance
  cross join jsonb_array_elements(vpc_security_groups) as vsg
  cross join jsonb_array_elements(subnets) as sub;

SQLite:

select
  db_instance_identifier as attached_vpc,
  json_extract(vsg.value, '$.VpcSecurityGroupId') as vpc_security_group_id,
  json_extract(vsg.value, '$.Status') as status,
  json_extract(
    json_extract(sub.value, '$.SubnetAvailabilityZone'),
    '$.Name'
  ) as subnet_availability_zone,
  json_extract(sub.value, '$.SubnetIdentifier') as subnet_identifier,
  json_extract(
    json_extract(sub.value, '$.SubnetOutpost'),
    '$.Arn'
  ) as subnet_outpost,
  json_extract(sub.value, '$.SubnetStatus') as subnet_status
from
  aws_docdb_cluster_instance,
  json_each(vpc_security_groups) as vsg,
  json_each(subnets) as sub;
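The two cross joins above return one row per security-group and subnet combination, so an instance with three security groups in a subnet group of three subnets appears nine times. The following query is an added example, not one of the queries from the Steampipe plugin documentation: it returns one row per instance with the group and subnet identifiers aggregated, using only columns from this table's schema. The security-group membership status value 'active' is an assumption, not a value taken from this page.

```sql
-- Added example (PostgreSQL dialect): one row per DocumentDB instance with its
-- network attachment summarised instead of exploded into a cross product.
select
  i.db_instance_identifier,
  i.vpc_id,
  i.db_subnet_group_name,
  i.endpoint_address,
  i.endpoint_port,
  -- Security groups whose membership is reported as active ('active' is an assumed status value).
  (
    select string_agg(vsg ->> 'VpcSecurityGroupId', ', ' order by vsg ->> 'VpcSecurityGroupId')
    from jsonb_array_elements(i.vpc_security_groups) as vsg
    where vsg ->> 'Status' = 'active'
  ) as active_security_groups,
  -- Subnets of the DB subnet group, each with its availability zone name.
  (
    select string_agg(
      (sub ->> 'SubnetIdentifier') || ' (' || (sub -> 'SubnetAvailabilityZone' ->> 'Name') || ')',
      ', ' order by sub ->> 'SubnetIdentifier'
    )
    from jsonb_array_elements(i.subnets) as sub
  ) as subnets_with_az,
  -- Number of distinct availability zones covered, so single-AZ subnet groups stand out.
  (
    select count(distinct sub -> 'SubnetAvailabilityZone' ->> 'Name')
    from jsonb_array_elements(i.subnets) as sub
  ) as distinct_subnet_azs
from
  aws_docdb_cluster_instance as i
order by
  i.vpc_id,
  i.db_instance_identifier;
```

Because jsonb_array_elements is strict, a null vpc_security_groups or subnets value simply yields a null aggregate rather than dropping the instance from the result.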

List instances with unencrypted storage

Identify instances where storage is not encrypted to understand potential vulnerabilities in your database security. This is crucial for ensuring data protection and compliance with security regulations.

PostgreSQL:

select
  db_instance_identifier,
  db_cluster_identifier,
  db_instance_class
from
  aws_docdb_cluster_instance
where
  not storage_encrypted;

SQLite:

select
  db_instance_identifier,
  db_cluster_identifier,
  db_instance_class
from
  aws_docdb_cluster_instance
where
  storage_encrypted = 0;

List instances with CloudWatch logs disabled

Identify instances that are not configured to export any log types to CloudWatch Logs. This query is beneficial for improving security and compliance by ensuring that all instances have logging enabled.

PostgreSQL:

select
  db_instance_identifier,
  db_cluster_identifier,
  db_instance_class
from
  aws_docdb_cluster_instance
where
  enabled_cloudwatch_logs_exports is null;

SQLite:

select
  db_instance_identifier,
  db_cluster_identifier,
  db_instance_class
from
  aws_docdb_cluster_instance
where
  enabled_cloudwatch_logs_exports is null;
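The three checks above (publicly accessible instances, unencrypted storage, and instances with no CloudWatch log exports) can be combined into a single posture query that lists every finding per instance. This is an added example and not one of the queries from the Steampipe plugin documentation; it uses only columns from this table's schema. The log type names 'audit' and 'profiler' are assumed here as the DocumentDB export types and are not taken from this page. Unlike the plain `is null` check, it also treats an empty list of exports as logging disabled, since an empty jsonb array is not null.

```sql
-- Added example (PostgreSQL dialect): per-instance security findings for DocumentDB.
-- Assumes the columns in the schema above; 'audit' and 'profiler' are assumed log type names.
with instance_findings as (
  select
    db_instance_identifier,
    db_cluster_identifier,
    account_id,
    region,
    publicly_accessible,
    storage_encrypted,
    kms_key_id,
    enabled_cloudwatch_logs_exports,
    -- Build a list of findings; case expressions that do not match yield null, which array_remove drops.
    array_remove(
      array[
        case when publicly_accessible then 'publicly accessible endpoint' end,
        case when not storage_encrypted then 'storage not encrypted' end,
        -- null and an empty jsonb array both mean no log types are exported.
        case when coalesce(jsonb_array_length(enabled_cloudwatch_logs_exports), 0) = 0
             then 'no CloudWatch log exports' end,
        -- The ? operator tests for a top-level string element in a jsonb array; null becomes false.
        case when not coalesce(enabled_cloudwatch_logs_exports ? 'audit', false)
             then 'audit log not exported' end,
        case when not coalesce(enabled_cloudwatch_logs_exports ? 'profiler', false)
             then 'profiler log not exported' end
      ],
      null
    ) as findings
  from
    aws_docdb_cluster_instance
)
select
  account_id,
  region,
  db_cluster_identifier,
  db_instance_identifier,
  publicly_accessible,
  storage_encrypted,
  kms_key_id,
  enabled_cloudwatch_logs_exports,
  findings
from
  instance_findings
where
  cardinality(findings) > 0
order by
  cardinality(findings) desc,
  account_id,
  region,
  db_instance_identifier;
```

Instances with no findings are filtered out, so an empty result means every instance passed all checks; ordering by the number of findings puts the instances needing the most attention first.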

Get network endpoint information of each instance

Gain insights into the network connectivity of each instance by identifying the network endpoint details. This can be beneficial in diagnosing connectivity issues or planning network configurations.

PostgreSQL:

select
  db_instance_identifier,
  endpoint_address,
  endpoint_hosted_zone_id,
  endpoint_port
from
  aws_docdb_cluster_instance;

SQLite:

select
  db_instance_identifier,
  endpoint_address,
  endpoint_hosted_zone_id,
  endpoint_port
from
  aws_docdb_cluster_instance;

Schema for aws_docdb_cluster_instance

Name (Type) [Operators]: Description

_ctx (jsonb): Steampipe context in JSON form.
account_id (text) [=, !=, ~~, ~~*, !~~, !~~*]: The AWS Account ID in which the resource is located.
akas (jsonb): Array of globally unique identifier strings (also known as) for the resource.
availability_zone (text): Specifies the name of the availability zone the instance is located in.
backup_retention_period (bigint): Specifies the number of days for which automatic snapshots are retained.
ca_certificate_identifier (text): The identifier of the CA certificate for this DB instance.
copy_tags_to_snapshot (boolean): Specifies whether tags are copied from the DB instance to snapshots of the DB instance, or not.
db_cluster_identifier (text) [=]: Contains the name of the cluster that the instance is a member of if the instance is a member of a cluster.
db_instance_arn (text) [=]: The Amazon Resource Name (ARN) for the instance.
db_instance_class (text): Contains the name of the compute and memory capacity class of the instance.
db_instance_identifier (text) [=]: Contains a user-provided database identifier. This identifier is the unique key that identifies an instance.
db_instance_status (text): Specifies the current state of this database.
db_subnet_group_arn (text): The Amazon Resource Name (ARN) for the DB subnet group.
db_subnet_group_description (text): Provides the description of the DB subnet group.
db_subnet_group_name (text): The name of the DB subnet group.
db_subnet_group_status (text): Provides the status of the DB subnet group.
dbi_resource_id (text): The Amazon Web Services Region-unique, immutable identifier for the instance.
enabled_cloudwatch_logs_exports (jsonb): A list of log types that this instance is configured to export to CloudWatch Logs.
endpoint_address (text): Specifies the DNS address of the instance.
endpoint_hosted_zone_id (text): Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.
endpoint_port (bigint): Specifies the port that the database engine is listening on.
engine (text): The name of the database engine to be used for this instance.
engine_version (text): Indicates the database engine version.
instance_create_time (timestamp with time zone): Provides the date and time the instance was created.
kms_key_id (text): If StorageEncrypted is true, the KMS key identifier for the encrypted instance.
latest_restorable_time (timestamp with time zone): Specifies the latest time to which a database can be restored with point-in-time restore.
partition (text): The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
pending_modified_values (jsonb): Specifies that changes to the instance are pending.
preferred_backup_window (text): Specifies the daily time range during which automated backups are created.
preferred_maintenance_window (text): Specifies the weekly time range during which system maintenance can occur.
promotion_tier (bigint): A value that specifies the order in which an Amazon DocumentDB replica is promoted to the primary instance after a failure of the existing primary instance.
publicly_accessible (boolean): Specifies the accessibility options for the DB instance.
region (text): The AWS Region in which the resource is located.
sp_connection_name (text) [=, !=, ~~, ~~*, !~~, !~~*]: Steampipe connection name.
sp_ctx (jsonb): Steampipe context in JSON form.
status_infos (jsonb): The status of a read replica.
storage_encrypted (boolean): Specifies whether or not the instance is encrypted.
subnets (jsonb): A list of subnet elements.
tags (jsonb): A map of tags for the resource.
tags_src (jsonb): A list of tags attached to the Instance.
title (text): Title of the resource.
vpc_id (text): Provides the VpcId of the DB subnet group.
vpc_security_groups (jsonb): A list of VPC security group elements that the instance belongs to.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_docdb_cluster_instance