Table: aws_fms_policy - Query AWS Firewall Manager Policies using SQL
AWS Firewall Manager policies are a feature of AWS Firewall Manager, a security management service designed to centrally configure and manage firewall rules across your accounts and applications in AWS. It enables you to apply AWS WAF, AWS Shield Advanced, and VPC security group rules consistently across your AWS resources. This centralized control helps you maintain a consistent security posture across your entire AWS environment.
Table Usage Guide
The aws_fms_policy table in Steampipe provides you with information about each AWS Firewall Manager (FMS) policy in your AWS account. This table allows you, as a DevOps engineer, security professional, or other user, to query policy-specific details, including policy ID, policy name, resource type, security service type, and more. You can use this table to gather insights on policies, such as identifying which resources are protected by which policies, understanding the type of security service provided by each policy, and knowing the status of each policy. The schema outlines the various attributes of the FMS policy for you, including the policy ID, policy name, resource tags, remediation enabled status, and more.
Examples
Basic info
Explore the details of your AWS Firewall Manager policies to understand their configuration and purpose. This can be beneficial for maintaining security standards and managing resources effectively.
```sql
select
  policy_name,
  policy_id,
  arn,
  policy_description,
  resource_type
from
  aws_fms_policy;
```
List policies that have remediation enabled
Identify instances where specific policies have remediation enabled to better manage potential security threats and vulnerabilities within your AWS environment.
```sql
-- PostgreSQL
select
  policy_name,
  policy_id,
  arn,
  policy_description,
  resource_type,
  remediation_enabled
from
  aws_fms_policy
where
  remediation_enabled;
```

```sql
-- SQLite
select
  policy_name,
  policy_id,
  arn,
  policy_description,
  resource_type,
  remediation_enabled
from
  aws_fms_policy
where
  remediation_enabled = 1;
```
Count policies by resource type
Discover which policies are being applied and how frequently, across various resource types within your AWS Firewall Manager, providing insights into your security configurations and their distribution.
```sql
select
  policy_name,
  resource_type,
  count(policy_id) as policy_applied
from
  aws_fms_policy
group by
  policy_name,
  resource_type;
```
List policies that are not active
Identify instances where certain policies are inactive to ensure all necessary measures are being enforced for optimal security management.
```sql
select
  policy_name,
  policy_id,
  policy_status
from
  aws_fms_policy
where
  policy_status <> 'ACTIVE';
```
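The examples above each look at one attribute in isolation. The query below is an added example (not part of the Steampipe documentation) that combines them into a single posture overview: it pulls the security service type out of the security_service_policy_data jsonb column, summarises the account and OU scope held in include_map and exclude_map, and assigns each policy a short finding. It assumes the jsonb columns mirror the AWS API shapes, i.e. a top-level Type key in security_service_policy_data and ACCOUNT / ORG_UNIT arrays in include_map and exclude_map; those key names are assumptions you should confirm against your own data before relying on the query.

```sql
-- Added example: per-policy posture overview for AWS Firewall Manager.
-- Assumed jsonb shapes (verify with: select security_service_policy_data, include_map from aws_fms_policy limit 1;):
--   security_service_policy_data -> 'Type'      e.g. WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON
--   include_map / exclude_map   -> 'ACCOUNT' and 'ORG_UNIT' arrays
select
  policy_name,
  policy_id,
  region,
  policy_status,
  resource_type,
  security_service_policy_data ->> 'Type' as security_service_type,
  remediation_enabled,
  exclude_resource_tags,
  -- scope summary; coalesce turns a missing key (null) into 0
  coalesce(jsonb_array_length(include_map -> 'ACCOUNT'), 0) as included_accounts,
  coalesce(jsonb_array_length(include_map -> 'ORG_UNIT'), 0) as included_ous,
  coalesce(jsonb_array_length(exclude_map -> 'ACCOUNT'), 0) as excluded_accounts,
  coalesce(jsonb_array_length(exclude_map -> 'ORG_UNIT'), 0) as excluded_ous,
  -- first matching condition wins, so order the checks from most to least severe
  case
    when policy_status <> 'ACTIVE' then 'policy is out of admin scope'
    when not remediation_enabled then 'non-compliance is reported but not auto-remediated'
    when coalesce(jsonb_array_length(exclude_map -> 'ACCOUNT'), 0) > 0 then 'some accounts are carved out of the policy'
    when exclude_resource_tags then 'tagged resources are excluded from scope'
    else 'ok'
  end as finding
from
  aws_fms_policy
order by
  finding,
  policy_name;
```

The ManagedServiceData key inside security_service_policy_data is a JSON-encoded string rather than nested JSON, so to inspect service-specific settings (for example the WAF rule groups a policy attaches) cast it first with `(security_service_policy_data ->> 'ManagedServiceData')::jsonb`. The operators used here are PostgreSQL jsonb operators, so this query runs against the Steampipe Postgres database rather than the SQLite variant.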
Schema for aws_fms_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) of the specified policy. |
delete_unused_fm_managed_resources | boolean | | The AWS account that created the file system. |
exclude_map | jsonb | | Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from the policy. |
exclude_resource_tags | boolean | | If set to True, resources with the tags that are specified in the ResourceTag array are not in scope of the policy. |
include_map | jsonb | | Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to include in the policy. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy_description | text | | The definition of the Network Firewall firewall policy. |
policy_id | text | = | The ID of the specified policy. |
policy_name | text | | The name of the specified policy. |
policy_status | text | | Indicates whether the policy is in or out of an admin's policy or Region scope. The possible values are ACTIVE and OUT_OF_ADMIN_SCOPE. |
policy_update_token | text | | A unique identifier for each update to the policy. When issuing a PutPolicy request, the PolicyUpdateToken in the request must match the PolicyUpdateToken of the current policy version. |
region | text | | The AWS Region in which the resource is located. |
remediation_enabled | boolean | | Indicates if the policy should be automatically applied to new resources. |
resource_set_ids | jsonb | | The unique identifiers of the resource sets used by the policy. |
resource_tags | jsonb | | An array of ResourceTag objects. |
resource_type | text | | The type of resource protected by or in scope of the policy. |
resource_type_list | jsonb | | An array of ResourceType objects. Use this only to specify multiple resource types. |
security_service_policy_data | jsonb | | Details about the security service that is being used to protect the resources. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_fms_policy
```