Table: aws_ebs_snapshot - Query AWS Elastic Block Store (EBS) using SQL
AWS Elastic Block Store (EBS) provides durable, block-level storage volumes for use with Amazon EC2 instances. EBS snapshots are point-in-time copies of the data on those volumes, used for disaster recovery, migrating data across regions or accounts, meeting backup compliance requirements, or creating dev/test environments. EBS snapshots are incremental, meaning that only the blocks on the device that have changed since your most recent snapshot are saved.
Table Usage Guide
The aws_ebs_snapshot table in Steampipe provides you with information about EBS snapshots within AWS Elastic Block Store (EBS). This table allows you, as a DevOps engineer, to query snapshot-specific details, including snapshot ID, description, status, volume size, and associated metadata. You can utilize this table to gather insights on snapshots, such as snapshots with public permissions, snapshots by volume, and more. The schema outlines the various attributes of the EBS snapshot for you, including the snapshot ID, creation time, volume ID, and associated tags.
Important Notes
- The aws_ebs_snapshot table lists all private snapshots by default.
- You can specify an owner alias, owner ID or snapshot ID in the where clause (where owner_alias='', where owner_id='' or where snapshot_id='') to list public or shared snapshots from a specific AWS account.
Examples
List of snapshots which are not encrypted
Identify unencrypted snapshots in your AWS EBS environment. This is useful for strengthening your security posture, since an unencrypted snapshot exposes its data to anyone who can restore it.

```sql
-- Postgres
select snapshot_id, arn, encrypted
from aws_ebs_snapshot
where not encrypted;
```

```sql
-- SQLite
select snapshot_id, arn, encrypted
from aws_ebs_snapshot
where encrypted = 0;
```
List of EBS snapshots which are publicly accessible
Find EBS snapshots that are publicly accessible. A snapshot whose create-volume permissions include the group "all" can be restored by any AWS account, which could lead to unauthorized access to its data.

```sql
-- Postgres
select
  snapshot_id,
  arn,
  volume_id,
  perm ->> 'UserId' as userid,
  perm ->> 'Group' as "group"
from aws_ebs_snapshot
cross join jsonb_array_elements(create_volume_permissions) as perm
where perm ->> 'Group' = 'all';
```

```sql
-- SQLite (json_each exposes each array element as perm.value)
select
  snapshot_id,
  arn,
  volume_id,
  json_extract(perm.value, '$.UserId') as userid,
  json_extract(perm.value, '$.Group') as "group"
from aws_ebs_snapshot, json_each(create_volume_permissions) as perm
where json_extract(perm.value, '$.Group') = 'all';
```
Find the Account IDs with which the snapshots are shared
Determine the accounts that have access to specific snapshots in your AWS EBS setup. This can be useful for auditing purposes, ensuring that only authorized accounts have access to your data.
```sql
-- Postgres
select
  snapshot_id,
  volume_id,
  perm ->> 'UserId' as account_ids
from aws_ebs_snapshot
cross join jsonb_array_elements(create_volume_permissions) as perm;
```

```sql
-- SQLite
select
  snapshot_id,
  volume_id,
  json_extract(perm.value, '$.UserId') as account_ids
from aws_ebs_snapshot
cross join json_each(create_volume_permissions) as perm;
```
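As an added example that is not part of the original Steampipe documentation, the following Postgres query combines the two checks above (public snapshots and snapshots shared with other accounts): it flags every snapshot that is either public or shared with an AWS account outside a trusted allowlist, and names the principal it is exposed to. The account IDs in the trusted CTE are constructed placeholders; replace them with the accounts you actually share with.

```sql
-- Postgres. Because aws_ebs_snapshot lists private snapshots by default,
-- this covers the snapshots owned by the connected account(s).
with trusted(account_id) as (
  -- constructed placeholder allowlist of accounts that may restore our snapshots
  values ('111111111111'), ('222222222222')
),
shares as (
  select
    s.snapshot_id,
    s.arn,
    s.owner_id,
    s.encrypted,
    s.start_time,
    perm ->> 'Group'  as shared_group,   -- 'all' when the snapshot is public
    perm ->> 'UserId' as shared_account  -- account ID when shared privately
  from aws_ebs_snapshot s
  cross join jsonb_array_elements(s.create_volume_permissions) as perm
)
select
  snapshot_id,
  arn,
  owner_id,
  encrypted,
  start_time,
  case
    when shared_group = 'all' then 'public'
    else 'shared outside allowlist'
  end as exposure,
  coalesce(shared_group, shared_account) as principal
from shares
where shared_group = 'all'
   or (
     shared_account is not null
     and shared_account not in (select account_id from trusted)
   )
order by exposure, start_time;
```

Rows with exposure = 'public' and encrypted = false are the highest priority, since anyone can restore them and no KMS key grant is needed to read the data.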
Find the snapshot count per volume
Count the snapshots that exist for each volume. This is useful for understanding the backup frequency and data recovery potential of each volume.

```sql
-- Postgres
select
  volume_id,
  count(snapshot_id) as snapshot_count
from aws_ebs_snapshot
group by volume_id;
```

```sql
-- SQLite
select
  volume_id,
  count(snapshot_id) as snapshot_count
from aws_ebs_snapshot
group by volume_id;
```
List snapshots owned by a specific AWS account
List the snapshots owned by a particular AWS account. This is useful for managing and tracking resources across multiple accounts in a cloud environment.

```sql
-- Postgres
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where owner_id = '859788737657';
```

```sql
-- SQLite
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where owner_id = '859788737657';
```
Get a specific snapshot by ID
Discover the specific details of a particular snapshot using its unique identifier. This can be useful for auditing purposes, such as confirming the owner or checking if the snapshot is encrypted.
```sql
-- Postgres
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where snapshot_id = 'snap-07bf4f91353ad71ae';
```

```sql
-- SQLite
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where snapshot_id = 'snap-07bf4f91353ad71ae';
```
List snapshots owned by Amazon (Note: This will attempt to list ALL public snapshots)
List the public snapshots whose owner alias is amazon. Because the owner_alias filter switches the table from private to public snapshots, this query enumerates every public snapshot visible to the account and can return a large result set.

```sql
-- Postgres
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where owner_alias = 'amazon';
```

```sql
-- SQLite
select
  snapshot_id,
  arn,
  encrypted,
  owner_id
from aws_ebs_snapshot
where owner_alias = 'amazon';
```
Query examples
- ebs_snapshot_1_year_count
- ebs_snapshot_24_hours_count
- ebs_snapshot_30_90_days_count
- ebs_snapshot_30_days_count
- ebs_snapshot_90_365_days_count
- ebs_snapshot_age_table
- ebs_snapshot_by_account
- ebs_snapshot_by_creation_month
- ebs_snapshot_by_region
- ebs_snapshot_count
- ebs_snapshot_encryption
- ebs_snapshot_input
- ebs_snapshot_overview
- ebs_snapshot_public_count
- ebs_snapshot_public_table
- ebs_snapshot_state
- ebs_snapshot_storage
- ebs_snapshot_storage_by_account
- ebs_snapshot_storage_by_age
- ebs_snapshot_storage_by_region
- ebs_snapshot_storage_total
- ebs_snapshot_tags
- ebs_snapshots_for_ec2_ami
- ebs_unencrypted_snapshot_count
- ec2_amis_for_ebs_snapshot
- ec2_amis_for_ebs_volume
- ec2_launch_configurations_for_ebs_snapshot
- kms_keys_for_ebs_snapshot
- source_ebs_volumes_for_ebs_snapshot
- target_ebs_snapshots_for_ebs_volume
Control examples
- All Controls > DLM > DLM EBS snapshot lifecycle policy should be enabled
- All Controls > EBS > EBS snapshots should be encrypted
- All Controls > EBS > EBS volume snapshots should exist
- AWS Foundational Security Best Practices > EC2 > 1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.2 Elastic Block Storage (EBS) > 2.2.2 Ensure public access to EBS Snapshots is disabled
- CIS AWS Compute Services Benchmark v1.0.0 > 2 Elastic Cloud Compute (EC2) > 2.2 Elastic Block Storage (EBS) > 2.2.3 Ensure EBS volume snapshots are encrypted
- EBS snapshots should not be publicly restorable
Schema for aws_ebs_snapshot
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | | The Amazon Resource Name (ARN) specifying the snapshot. |
| create_volume_permissions | jsonb | | The users and groups that have the permissions for creating volumes from the snapshot. |
| data_encryption_key_id | text | | The data encryption key identifier for the snapshot. This value is a unique identifier that corresponds to the data encryption key that was used to encrypt the original volume or snapshot copy. Because data encryption keys are inherited by volumes created from snapshots, and vice versa, if snapshots share the same data encryption key identifier, then they belong to the same volume/snapshot lineage. |
| description | text | = | The description for the snapshot. |
| encrypted | boolean | = | Indicates whether the snapshot is encrypted. |
| kms_key_id | text | | The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the parent volume. |
| outpost_arn | text | | The ARN of the Outpost on which the snapshot is stored. |
| owner_alias | text | = | The AWS owner alias, from an Amazon-maintained list (amazon). This is not the user-configured AWS account alias set using the IAM console. |
| owner_id | text | = | The AWS account ID of the EBS snapshot owner. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| progress | text | = | The progress of the snapshot, as a percentage. |
| region | text | | The AWS Region in which the resource is located. |
| restore_expiry_time | timestamp with time zone | | Only for archived snapshots that are temporarily restored. Indicates the date and time when a temporarily restored snapshot will be automatically re-archived. |
| snapshot_id | text | = | The ID of the snapshot. Each snapshot receives a unique identifier when it is created. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| start_time | timestamp with time zone | | The time stamp when the snapshot was initiated. |
| state | text | = | The snapshot state. |
| state_message | text | | Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy operation fails, this field displays error state details to help you diagnose why the error occurred. |
| storage_tier | text | | The storage tier in which the snapshot is stored. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags assigned to the snapshot. |
| title | text | | Title of the resource. |
| volume_id | text | = | The ID of the volume that was used to create the snapshot. Snapshots created by the CopySnapshot action have an arbitrary volume ID that should not be used for any purpose. |
| volume_size | bigint | = | The size of the volume, in GiB. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_ebs_snapshot
```