Table: aws_glacier_vault - Query AWS Glacier Vaults using SQL
AWS Glacier Vaults are a component of the Amazon Glacier service, designed for long-term, secure and durable storage of data for archiving and backup purposes. They provide an extremely low-cost storage solution that ensures data is kept safe for extended periods of time. Vaults also allow for the control of access through the use of resource-based policies.
Table Usage Guide
The aws_glacier_vault table in Steampipe provides you with information about Vaults within AWS Glacier. This table allows you, as a DevOps engineer, to query vault-specific details, including vault names, ARNs, creation dates, number of archives, size of archives, and more. You can utilize this table to gather insights on vaults, such as the total size of all archives in the vault, the number of archives in the vault, and the date the vault was last accessed. The schema outlines the various attributes of the Glacier Vault for you, including the vault ARN, creation date, last inventory date, number of archives, size of archives, and associated tags.
Examples
Basic info
Explore the historical data and storage size of your AWS Glacier Vaults. This query is particularly useful for tracking the growth and usage of your vaults over time.
-- PostgreSQL and SQLite (the query is the same in both)
select
  vault_name,
  creation_date,
  last_inventory_date,
  number_of_archives,
  size_in_bytes
from
  aws_glacier_vault;
List vaults that grant full access to the resource
Identify vaults whose access policy grants full access to the resource, that is, Allow statements whose action is * or glacier:*. This is useful for identifying potential security risks and ensuring appropriate access controls are in place.

-- PostgreSQL
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_glacier_vault,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and a in ('*', 'glacier:*');

-- SQLite
select
  title,
  json_extract(principal.value, '$') as principal,
  json_extract(action.value, '$') as action,
  json_extract(statement.value, '$.Effect') as effect,
  json_extract(statement.value, '$.Condition') as conditions
from
  aws_glacier_vault,
  json_each(policy_std, '$.Statement') as statement,
  json_each(json_extract(statement.value, '$.Principal.AWS')) as principal,
  json_each(json_extract(statement.value, '$.Action')) as action
where
  json_extract(statement.value, '$.Effect') = 'Allow'
  and (
    json_extract(action.value, '$') = '*'
    or json_extract(action.value, '$') = 'glacier:*'
  );
List vaults that grant anonymous access to the resource
Identify vaults that may be exposed because their access policy allows anonymous access, that is, Allow statements whose principal is *. This is particularly useful for enhancing security measures and ensuring data privacy.

-- PostgreSQL
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_glacier_vault,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  p = '*'
  and s ->> 'Effect' = 'Allow';

-- SQLite
select
  title,
  json_extract(p.value, '$') as principal,
  json_extract(a.value, '$') as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions
from
  aws_glacier_vault,
  json_each(policy_std, '$.Statement') as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as p,
  json_each(json_extract(s.value, '$.Action')) as a
where
  p.value = '*'
  and json_extract(s.value, '$.Effect') = 'Allow';
Get the archival age in days before deletion for each vault
This query reads the glacier:archiveageindays condition from each vault's lock policy to show the archive age, in days, that applies before deletion. This helps in managing data lifecycle and ensuring timely archival or deletion of data to optimize storage costs.

-- PostgreSQL
select
  title,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' -> 'NumericLessThan' ->> 'glacier:archiveageindays' as archive_age_in_days
from
  aws_glacier_vault,
  jsonb_array_elements(vault_lock_policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Action') as a;

-- SQLite
select
  title,
  json_extract(action.value, '$') as action,
  json_extract(statement.value, '$.Effect') as effect,
  json_extract(
    statement.value,
    '$.Condition.NumericLessThan."glacier:archiveageindays"'
  ) as archive_age_in_days
from
  aws_glacier_vault,
  json_each(vault_lock_policy_std, '$.Statement') as statement,
  json_each(json_extract(statement.value, '$.Action')) as action;
List vaults without owner tag key
Identify instances where AWS Glacier vaults lack an 'owner' tag. This can help in managing and organizing your resources effectively by ensuring every vault has an owner assigned.
-- PostgreSQL
select
  vault_name,
  tags
from
  aws_glacier_vault
where
  not tags :: JSONB ? 'owner';

-- SQLite
select
  vault_name,
  tags
from
  aws_glacier_vault
where
  json_extract(tags, '$.owner') is null;
List vaults with notifications enabled
List the vaults that have notifications enabled, along with the SNS topic and the events configured for each. This is particularly useful for keeping track of important events and updates in real-time.

-- PostgreSQL
select
  vault_name,
  vault_notification_config ->> 'SNSTopic' as sns_topic,
  vault_notification_config ->> 'Events' as notification_events
from
  aws_glacier_vault
where
  vault_notification_config is not null;

-- SQLite
select
  vault_name,
  json_extract(vault_notification_config, '$.SNSTopic') as sns_topic,
  json_extract(vault_notification_config, '$.Events') as notification_events
from
  aws_glacier_vault
where
  vault_notification_config is not null;
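The policy queries above join each vault against its policy statements, so a vault with no access policy produces no rows at all and never appears in the output. The following query is an added example, not part of the original documentation: it returns one row per vault with the checks from the examples above as boolean columns. It uses PostgreSQL syntax and assumes that a null policy_std, vault_lock_policy_std or vault_notification_config means the feature is not configured.

```sql
-- PostgreSQL. Added audit example; column names come from the schema below.
select
  v.vault_name,
  v.region,
  -- Any Allow statement whose principal list contains the wildcard '*'
  exists (
    select 1
    from
      jsonb_array_elements(coalesce(v.policy_std -> 'Statement', '[]'::jsonb)) as s,
      jsonb_array_elements_text(coalesce(s -> 'Principal' -> 'AWS', '[]'::jsonb)) as p
    where
      s ->> 'Effect' = 'Allow'
      and p = '*'
  ) as allows_anonymous,
  -- Any Allow statement whose action list contains '*' or 'glacier:*'
  exists (
    select 1
    from
      jsonb_array_elements(coalesce(v.policy_std -> 'Statement', '[]'::jsonb)) as s,
      jsonb_array_elements_text(coalesce(s -> 'Action', '[]'::jsonb)) as a
    where
      s ->> 'Effect' = 'Allow'
      and a in ('*', 'glacier:*')
  ) as allows_full_access,
  -- Assumption: null means no vault lock policy is attached
  v.vault_lock_policy_std is not null as has_lock_policy,
  -- Assumption: null means no notification configuration is set
  v.vault_notification_config is not null as has_notifications,
  coalesce(v.tags, '{}'::jsonb) ? 'owner' as has_owner_tag
from
  aws_glacier_vault as v
order by
  allows_anonymous desc,
  allows_full_access desc,
  v.vault_name;
```

Vaults that need attention sort to the top; a vault with no policy at all shows false in both policy columns instead of being omitted.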
Schema for aws_glacier_vault
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
creation_date | timestamp with time zone | | The Universal Coordinated Time (UTC) date when the vault was created. |
last_inventory_date | timestamp with time zone | | The Universal Coordinated Time (UTC) date when Amazon S3 Glacier completed the last vault inventory. |
number_of_archives | bigint | | The number of archives in the vault as of the last inventory date. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | Contains the returned vault access policy as a JSON string. |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
region | text | | The AWS Region in which the resource is located. |
size_in_bytes | bigint | | Total size, in bytes, of the archives in the vault as of the last inventory date. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags associated with the vault. |
title | text | | Title of the resource. |
vault_arn | text | | The Amazon Resource Name (ARN) of the vault. |
vault_lock_policy | jsonb | | The vault lock policy. |
vault_lock_policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
vault_name | text | = | The name of the vault. |
vault_notification_config | jsonb | | Contains the notification configuration set on the vault. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_glacier_vault