steampipe plugin install aws

Table: aws_glue_security_configuration - Query AWS Glue Security Configurations using SQL

The AWS Glue Security Configuration is a feature within AWS Glue service that allows you to specify the security settings that are used for Glue ETL jobs. This includes settings for data encryption, Amazon CloudWatch Logs encryption, and job bookmark encryption. It helps in maintaining the security and privacy of your data during the ETL (extract, transform, and load) process.

Table Usage Guide

The aws_glue_security_configuration table in Steampipe provides you with information about security configurations within AWS Glue. This table allows you, as a DevOps engineer, to query security configuration-specific details, including encryption settings, CloudWatch encryption settings, Job Bookmarks encryption settings, and S3 encryption settings. You can utilize this table to gather insights on security configurations, such as the status of encryption settings, the type of encryption used, and more. The schema outlines the various attributes of the Glue security configuration for you, including the name, creation time, and encryption settings.

Examples

Basic info

Explore the security configurations of your AWS Glue service to assess the encryption status of different components such as CloudWatch, job bookmarks, and S3. This can be useful in maintaining data security and compliance by ensuring appropriate encryption is in place.

Postgres and SQLite (same query):

select
  name,
  created_time_stamp,
  cloud_watch_encryption,
  job_bookmarks_encryption,
  s3_encryption
from
  aws_glue_security_configuration;

List CloudWatch encryption details

Explore the encryption details of your CloudWatch logs to ensure data security. This is particularly useful for identifying security configurations in which CloudWatch encryption is enabled (the mode is anything other than DISABLED), together with the KMS key each one uses.

Postgres:

select
  name,
  cloud_watch_encryption ->> 'CloudWatchEncryptionMode' as encryption_mode,
  cloud_watch_encryption ->> 'KmsKeyArn' as kms_key_arn
from
  aws_glue_security_configuration
where
  cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED';

SQLite:

select
  name,
  json_extract(
    cloud_watch_encryption,
    '$.CloudWatchEncryptionMode'
  ) as encryption_mode,
  json_extract(cloud_watch_encryption, '$.KmsKeyArn') as kms_key_arn
from
  aws_glue_security_configuration
where
  json_extract(
    cloud_watch_encryption,
    '$.CloudWatchEncryptionMode'
  ) != 'DISABLED';

List job bookmarks encryption details

Explore the encryption status of job bookmarks in AWS Glue Security Configurations, focusing on those with active encryption modes. This can be useful for maintaining data security and compliance by ensuring sensitive information is properly encrypted.

Postgres:

select
  name,
  job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' as encryption_mode,
  job_bookmarks_encryption ->> 'KmsKeyArn' as kms_key_arn
from
  aws_glue_security_configuration
where
  job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED';

SQLite:

select
  name,
  json_extract(
    job_bookmarks_encryption,
    '$.JobBookmarksEncryptionMode'
  ) as encryption_mode,
  json_extract(job_bookmarks_encryption, '$.KmsKeyArn') as kms_key_arn
from
  aws_glue_security_configuration
where
  json_extract(
    job_bookmarks_encryption,
    '$.JobBookmarksEncryptionMode'
  ) != 'DISABLED';

List S3 encryption details

List the Glue security configurations whose S3 encryption mode is not DISABLED, with the encryption mode and KMS key of each S3 encryption entry. This is useful for maintaining security standards and ensuring sensitive data is properly protected.

Postgres:

select
  name,
  e ->> 'S3EncryptionMode' as encryption_mode,
  e ->> 'KmsKeyArn' as kms_key_arn
from
  aws_glue_security_configuration,
  jsonb_array_elements(s3_encryption) e
where
  e ->> 'S3EncryptionMode' != 'DISABLED';

SQLite:

select
  name,
  json_extract(e.value, '$.S3EncryptionMode') as encryption_mode,
  json_extract(e.value, '$.KmsKeyArn') as kms_key_arn
from
  aws_glue_security_configuration,
  json_each(s3_encryption) as e
where
  json_extract(e.value, '$.S3EncryptionMode') != 'DISABLED';
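
Find security configurations with an encryption gap

The three queries above list components where encryption is enabled; an audit usually needs the inverse. The following Postgres query is an added example, not part of the Steampipe documentation: it returns every security configuration in which CloudWatch, job bookmarks, or any S3 entry is DISABLED. Treating a missing or empty setting as DISABLED is an assumption made here so that unset values are reported rather than silently skipped.

```sql
-- Added example (Postgres syntax), not from the Steampipe docs.
-- Assumption: a null/missing mode is reported as 'DISABLED'.
with modes as (
  select
    c.name,
    c.region,
    c.account_id,
    coalesce(
      c.cloud_watch_encryption ->> 'CloudWatchEncryptionMode',
      'DISABLED'
    ) as cloud_watch_mode,
    coalesce(
      c.job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode',
      'DISABLED'
    ) as job_bookmarks_mode,
    s3.s3_modes
  from
    aws_glue_security_configuration as c
    cross join lateral (
      -- Collect the mode of every S3 entry; an empty or non-array
      -- s3_encryption value yields a single 'DISABLED' marker.
      select
        coalesce(
          array_agg(coalesce(e ->> 'S3EncryptionMode', 'DISABLED')),
          array['DISABLED']
        ) as s3_modes
      from
        jsonb_array_elements(
          case
            when jsonb_typeof(c.s3_encryption) = 'array' then c.s3_encryption
            else '[]'::jsonb
          end
        ) as e
    ) as s3
)
select
  name, region, account_id,
  cloud_watch_mode, job_bookmarks_mode, s3_modes
from
  modes
where
  cloud_watch_mode = 'DISABLED'
  or job_bookmarks_mode = 'DISABLED'
  or 'DISABLED' = any (s3_modes)
order by
  account_id, region, name;
```

An empty result means every configuration visible to the connection has all three components set to a mode other than DISABLED.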

Schema for aws_glue_security_configuration

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account_id | text | | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| cloud_watch_encryption | jsonb | | The encryption configuration for Amazon CloudWatch. |
| created_time_stamp | timestamp with time zone | | The time at which this security configuration was created. |
| job_bookmarks_encryption | jsonb | | The encryption configuration for job bookmarks. |
| name | text | = | The name of the security configuration. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| s3_encryption | jsonb | | The encryption configuration for Amazon Simple Storage Service (Amazon S3) data. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_glue_security_configuration