Table: aws_iam_access_advisor - Query AWS IAM Access Advisor using SQL
The AWS IAM Access Advisor is a tool that helps you view and understand the permissions granted to your IAM entities (users, groups of users, or roles). It provides you with service last accessed information to help you refine your IAM policies. This service can be queried using SQL to fetch detailed insights.
Table Usage Guide
The aws_iam_access_advisor
table in Steampipe provides you with information about the service last accessed data for IAM entities like users, groups, and roles within AWS Identity and Access Management (IAM). This table allows you, as a DevOps engineer, to query details about the services that IAM entities can access, the actions they can perform, and when they last accessed the services. You can utilize this table to gather insights on access patterns, such as identifying unused permissions or verifying least privilege policies. The schema outlines the various attributes of the IAM entity, including the entity ARN, last accessed time, and the services accessible.
Important Notes
You must specify a single
principal_arn
in awhere
orjoin
clause in order to use this table.The service last accessed data includes all your attempts to access an AWS API, not just the successful ones. This includes all attempts that you have made using the AWS Management Console, the AWS API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that your account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access.
Service last accessed data does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, and AWS STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating Policies in the IAM User Guide.
Examples
Show the most recently used services for a user, role, group, or policy
Discover the segments that have recently interacted with a specific user, role, group, or policy. This helps in understanding the usage pattern and can aid in optimizing resource allocation.
select principal_arn, service_name, last_authenticated, age(last_authenticated :: date)from aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::123456789123:user/john' and last_authenticated is not nullorder by age asc;
select principal_arn, service_name, last_authenticated, julianday('now') - julianday(last_authenticated) as agefrom aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::123456789123:user/john' and last_authenticated is not nullorder by age asc;
Show unused services granted a user, role, group, or policy (unused in the last year)
This example helps to identify unused services that have been granted to a user, role, group, or policy, specifically those that have not been used in the past year. This is useful for maintaining security and efficiency by ensuring that unnecessary access permissions are revoked.
select principal_arn, service_namefrom aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::123456789123:role/turbot/admin' and last_authenticated is nullorder by service_name
select principal_arn, service_namefrom aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::123456789123:role/turbot/admin' and last_authenticated is nullorder by service_name
Show the last time a policy was used to access services, and the user, role, or group that used it
Determine the last time a specific policy was used to access services in AWS, along with the user, role, or group that used it. This can help in assessing the activity and access patterns related to your AWS resources, aiding in their management and security.
select principal_arn, service_name, last_authenticated, age(last_authenticated :: date), last_authenticated_entity, last_authenticated_regionfrom aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::aws:policy/AdministratorAccess' and last_authenticated is not nullorder by age asc;
select principal_arn, service_name, last_authenticated, julianday('now') - julianday(last_authenticated), last_authenticated_entity, last_authenticated_regionfrom aws_iam_access_advisorwhere principal_arn = 'arn:aws:iam::aws:policy/AdministratorAccess' and last_authenticated is not nullorder by julianday('now') - julianday(last_authenticated) asc;
Show unused services granted to a role, including the policy that grants access and the actions granted
Determine the areas in which services have been granted to a role but remain unused, including the specific policy that provides access and the actions permitted. This is particularly useful for identifying potential security risks and optimizing resource usage by revoking unnecessary permissions.
select adv.service_name, action as action_granted, attached as granted_in, adv.service_namespacefrom aws_iam_access_advisor as adv, aws_iam_role as r, jsonb_array_elements_text(r.attached_policy_arns) as attached, aws_iam_policy as p, jsonb_array_elements(p.policy_std -> 'Statement') as stmt, jsonb_array_elements_text(stmt -> 'Action') as actionwhere principal_arn = 'arn:aws:iam::123456789123:role/turbot/admin' and r.arn = adv.principal_arn and last_authenticated is null and attached = p.arn and stmt ->> 'Effect' = 'Allow' and action like adv.service_namespace || ':%'order by adv.service_name;
select adv.service_name, action.value as action_granted, attached.value as granted_in, adv.service_namespacefrom aws_iam_access_advisor as adv, aws_iam_role as r, json_each(r.attached_policy_arns) as attached, aws_iam_policy as p, json_each(p.policy_std, '$.Statement') as stmt, json_each(stmt.value, '$.Action') as actionwhere principal_arn = 'arn:aws:iam::123456789123:role/turbot/admin' and r.arn = adv.principal_arn and last_authenticated is null and attached.value = p.arn and json_extract(stmt.value, '$.Effect') = 'Allow' and action.value like adv.service_namespace || ':%'order by adv.service_name;
Show action-level last accessed info (currently, only supported for S3)
This query allows you to gain insights into the most recent actions taken within the S3 service for a specific user. It helps in identifying key details such as the action name, the entity accessed, the region of access, and the time of access, which can be useful for auditing and security purposes.
select principal_arn, service_name, last_authenticated, age(last_authenticated :: date), a ->> 'ActionName' as action_name, a ->> 'LastAccessedEntity' as action_last_accessed_entity, a ->> 'LastAccessedRegion' as action_last_accessed_region, a ->> 'LastAccessedTime' as action_last_accessed_timefrom aws_iam_access_advisor, jsonb_array_elements(tracked_actions_last_accessed) as awhere principal_arn = 'arn:aws:iam::123456789123:user/jane' and last_authenticated is not null and service_namespace = 's3'order by age asc;
select principal_arn, service_name, last_authenticated, julianday('now') - julianday(last_authenticated) as age, json_extract(a.value, '$.ActionName') as action_name, json_extract(a.value, '$.LastAccessedEntity') as action_last_accessed_entity, json_extract(a.value, '$.LastAccessedRegion') as action_last_accessed_region, json_extract(a.value, '$.LastAccessedTime') as action_last_accessed_timefrom aws_iam_access_advisor, json_each(tracked_actions_last_accessed) as awhere principal_arn = 'arn:aws:iam::123456789123:user/jane' and last_authenticated is not null and service_namespace = 's3'order by age asc;
For all users in the account, find unused services
This query helps you identify the services associated with each user in your account that have not been used. This is particularly useful for optimizing resource allocation and ensuring security by minimizing unnecessary access permissions.
select principal_arn, service_namefrom aws_iam_user as u, aws_iam_access_advisor as advwhere adv.principal_arn = u.arn and last_authenticated is null;
select principal_arn, service_namefrom aws_iam_user as u, aws_iam_access_advisor as advwhere adv.principal_arn = u.arn and last_authenticated is null;
Schema for aws_iam_access_advisor
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
last_authenticated | timestamp with time zone | The date and time when an authenticated entity most recently attempted to access the service. AWS does not report unauthenticated requests. | |
last_authenticated_entity | text | The ARN of the authenticated entity (user or role) that last attempted to access the service. AWS does not report unauthenticated requests. | |
last_authenticated_region | text | The Region from which the authenticated entity (user or role) last attempted to access the service. AWS does not report unauthenticated requests. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
principal_arn | text | = | The ARN of the IAM resource (user, group, role, or managed policy) used to generate information about when the resource was last used in an attempt to access an AWS service. |
region | text | The AWS Region in which the resource is located. | |
service_name | text | The name of the service in which access was attempted. | |
service_namespace | text | The namespace of the service in which access was attempted. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
total_authenticated_entities | bigint | The total number of authenticated principals (root user, IAM users, or IAM roles) that have attempted to access the service. | |
tracked_actions_last_accessed | jsonb | An array of objects that contains details about the most recent attempt to access a tracked action within the service. Currently, only S3 supports action level tracking. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_iam_access_advisor