Table: aws_ec2_client_vpn_endpoint - Query AWS EC2 Client VPN Endpoints using SQL
The AWS EC2 Client VPN Endpoint is a scalable, end-to-end managed VPN service that enables users to securely access their AWS resources and home network. It provides secure and scalable compute capacity in the AWS Cloud, allowing users to launch virtual servers. With EC2 Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Table Usage Guide
The aws_ec2_client_vpn_endpoint table in Steampipe provides you with information about the Client VPN endpoints within AWS Elastic Compute Cloud (EC2). This table enables you, as a DevOps engineer, security analyst, or other IT professional, to query VPN endpoint-specific details, including the endpoint configuration, associated network details, connection logs, and associated metadata. You can utilize this table to gather insights on VPN endpoints, such as the associated VPC, subnets, security groups, and more. The schema outlines the various attributes of the VPN endpoint for you, including the endpoint ID, creation time, DNS servers, VPN protocol, and associated tags.
Examples
Basic Info
Explore the status and configuration details of your AWS EC2 Client VPN endpoints to understand their operational state and settings. This can be beneficial for assessing your network's security posture and troubleshooting connectivity issues.
Postgres and SQLite (the query is the same for both):
select
  title,
  description,
  status,
  client_vpn_endpoint_id,
  transport_protocol,
  creation_time,
  tags
from
  aws_ec2_client_vpn_endpoint;
List client VPN endpoints that are not in the available state
Identify client VPN endpoints whose status is anything other than available. This is useful for troubleshooting connectivity issues or for spotting endpoints left in a pending or deleting state.
Postgres:
select
  title,
  status,
  client_vpn_endpoint_id,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  status ->> 'Code' <> 'available';
SQLite:
select
  title,
  status,
  client_vpn_endpoint_id,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  json_extract(status, '$.Code') <> 'available';
List client VPN endpoints created in the last 30 days
Identify client VPN endpoints that were created in the past month. This can help you review recent changes to your network and confirm that every new endpoint was expected.
Postgres:
select
  title,
  status ->> 'Code' as status,
  client_vpn_endpoint_id,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  creation_time >= now() - interval '30' day;
SQLite:
select
  title,
  json_extract(status, '$.Code') as status,
  client_vpn_endpoint_id,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  creation_time >= datetime('now', '-30 day');
Get the security group and VPC details of client VPN endpoints created in the last 30 days
Review the security setup of recently created VPN endpoints, including their associated security groups and VPC details. This is useful for auditing the security configuration of new VPN connections in your network.
Postgres:
select
  title,
  status ->> 'Code' as status,
  client_vpn_endpoint_id,
  security_group_ids,
  vpc_id,
  vpn_port,
  vpn_protocol,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  creation_time >= now() - interval '30' day;
SQLite:
select
  title,
  json_extract(status, '$.Code') as status,
  client_vpn_endpoint_id,
  security_group_ids,
  vpc_id,
  vpn_port,
  vpn_protocol,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint
where
  creation_time >= datetime('now', '-30 day');
Get the security group and VPC details of all client VPN endpoints
Explore the security settings and network details of your client VPN endpoints. This can help in assessing the security measures in place and understanding the network configuration, which is crucial for maintaining a secure and efficient VPN service.
Postgres:
select
  title,
  status ->> 'Code' as status,
  client_vpn_endpoint_id,
  security_group_ids,
  vpc_id,
  vpn_port,
  vpn_protocol,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint;
SQLite:
select
  title,
  json_extract(status, '$.Code') as status,
  client_vpn_endpoint_id,
  security_group_ids,
  vpc_id,
  vpn_port,
  vpn_protocol,
  transport_protocol,
  tags
from
  aws_ec2_client_vpn_endpoint;
Get the logging configuration of client VPN endpoints
Determine the status of client VPN endpoints and check whether connection logging is enabled and where the logs are sent. This can be useful for monitoring and troubleshooting VPN connectivity issues.
Postgres:
select
  title,
  status ->> 'Code' as status,
  client_vpn_endpoint_id,
  connection_log_options ->> 'Enabled' as connection_log_options_enabled,
  connection_log_options ->> 'CloudwatchLogGroup' as connection_log_options_cloudwatch_log_group,
  connection_log_options ->> 'CloudwatchLogStream' as connection_log_options_cloudwatch_log_stream,
  tags
from
  aws_ec2_client_vpn_endpoint;
SQLite:
select
  title,
  json_extract(status, '$.Code') as status,
  client_vpn_endpoint_id,
  json_extract(connection_log_options, '$.Enabled') as connection_log_options_enabled,
  json_extract(connection_log_options, '$.CloudwatchLogGroup') as connection_log_options_cloudwatch_log_group,
  json_extract(connection_log_options, '$.CloudwatchLogStream') as connection_log_options_cloudwatch_log_stream,
  tags
from
  aws_ec2_client_vpn_endpoint;
Get the authentication information of client VPN endpoints
This query reveals the authentication configuration of client VPN endpoints within the AWS EC2 service. It is particularly useful for understanding which authentication type is in use and, for mutual authentication, which client root certificate chain is trusted, which helps in assessing security measures and compliance requirements.
Postgres:
select
  title,
  status ->> 'Code' as status,
  client_vpn_endpoint_id,
  authentication ->> 'Type' as authentication_options_type,
  authentication -> 'MutualAuthentication' ->> 'ClientRootCertificateChain' as authentication_client_root_certificate_chain,
  authentication_options,
  tags
from
  aws_ec2_client_vpn_endpoint,
  jsonb_array_elements(authentication_options) as authentication;
SQLite:
select
  title,
  json_extract(status, '$.Code') as status,
  client_vpn_endpoint_id,
  json_extract(authentication.value, '$.Type') as authentication_options_type,
  json_extract(json_extract(authentication.value, '$.MutualAuthentication'), '$.ClientRootCertificateChain') as authentication_client_root_certificate_chain,
  authentication_options,
  tags
from
  aws_ec2_client_vpn_endpoint,
  json_each(authentication_options) as authentication;
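As an added example that is not part of the Steampipe documentation, the following Postgres-syntax query combines several of the columns documented on this page into one posture check over available endpoints: it reports whether connection logging is on, whether split tunnel is enabled, the session timeout, and the authentication types in use, and collects the weak settings into a findings array. The finding labels and the choice of what counts as a finding are my own, not Steampipe's.

```sql
-- Added example, not part of the Steampipe docs. Postgres syntax (Steampipe's
-- default database). Finding labels are the author's own interpretation.
select
  account_id,
  region,
  client_vpn_endpoint_id,
  status ->> 'Code' as status,
  -- ->> yields the JSON boolean as text ('true'/'false'); cast it back.
  (connection_log_options ->> 'Enabled')::boolean as logging_enabled,
  split_tunnel,
  session_timeout_hours,
  -- authentication_options is a JSON array; list every Type it contains.
  (
    select string_agg(a ->> 'Type', ',')
    from jsonb_array_elements(authentication_options) as a
  ) as auth_types,
  -- Collect the weak settings; array_remove drops the CASE branches that
  -- evaluated to NULL so only real findings remain.
  array_remove(
    array[
      -- A missing Enabled flag is treated as logging disabled.
      case when not coalesce((connection_log_options ->> 'Enabled')::boolean, false)
           then 'connection logging disabled' end,
      case when split_tunnel
           then 'split tunnel enabled' end,
      -- 24 is the default and the longest value the schema allows.
      case when session_timeout_hours = 24
           then 'default 24h session timeout' end
    ],
    null
  ) as findings
from
  aws_ec2_client_vpn_endpoint
where
  status ->> 'Code' = 'available'
order by
  account_id, region, client_vpn_endpoint_id;
```

Filter on `cardinality(findings) > 0` in an outer query, or feed the output to a Steampipe control, to keep only endpoints that need attention.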
Schema for aws_ec2_client_vpn_endpoint
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
associated_target_networks | jsonb | | Information about the associated target networks. A target network is a subnet in a VPC. |
authentication_options | jsonb | | Information about the authentication method used by the Client VPN endpoint. |
client_cidr_block | cidr | | The IPv4 address range, in CIDR notation, from which client IP addresses are assigned. |
client_connect_options | jsonb | | The options for managing connection authorization for new client connections. |
client_login_banner_options | jsonb | | Options for enabling a customizable text banner that will be displayed on Amazon Web Services provided clients when a VPN session is established. |
client_vpn_endpoint_id | text | = | The ID of the client VPN endpoint. |
connection_log_options | jsonb | | Information about the client connection logging options for the Client VPN endpoint. |
creation_time | timestamp with time zone | | The date and time when the Client VPN endpoint was created. |
deletion_time | timestamp with time zone | | The date and time when the Client VPN endpoint was deleted. |
description | text | | A brief description of the endpoint. |
dns_name | text | | The DNS name to be used by clients when connecting to the Client VPN endpoint. |
dns_servers | jsonb | | Information about the DNS servers to be used for DNS resolution. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
security_group_ids | jsonb | | The IDs of the security groups for the target network. |
self_service_portal_url | text | | The URL of the self-service portal. |
server_certificate_arn | text | | The ARN of the server certificate. |
session_timeout_hours | bigint | | The maximum VPN session duration time in hours. Valid values: 8, 10, 12, 24. Defaults to 24. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
split_tunnel | boolean | | Indicates whether split-tunnel is enabled in the Client VPN endpoint. |
status | jsonb | | The current state of the Client VPN endpoint. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | Any tags assigned to the Client VPN endpoint. |
title | text | | Title of the resource. |
transport_protocol | text | = | The transport protocol. |
vpc_id | text | | The ID of the VPC. |
vpn_port | bigint | | The port number for the Client VPN endpoint. |
vpn_protocol | jsonb | | The protocol used by the VPN session. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_ec2_client_vpn_endpoint