steampipe plugin install aws

Table: aws_iam_account_summary - Query AWS Identity and Access Management (IAM) Account Summary using SQL

The AWS Identity and Access Management (IAM) Account Summary provides an overview of your AWS security settings including users, groups, roles, and policies in your account. This service is useful for auditing and monitoring purposes, allowing you to ensure your account is secure and compliant with your organization's policies. It provides a user-friendly SQL interface for querying your IAM settings.

Table Usage Guide

The aws_iam_account_summary table in Steampipe provides you with information about the AWS IAM Account Summary. This table allows you, as a DevOps engineer, to query IAM usage and resource consumption details, including users, groups, roles, policies, and more. You can utilize this table to gather insights on IAM usage, such as the number of users, roles, and policies, and verify the usage against AWS service limits. The schema outlines the various attributes of the IAM Account Summary, including the summary map and account ID.

Important Notes

  • The number and size of IAM resources in your AWS account are limited. For more information, see IAM and STS Quotas in the IAM User Guide.

Examples

List the IAM summary for the account

Retrieve the full IAM account summary to review the resource counts, quotas, and account-level credential settings for your account. This is useful for identifying potential security risks or for general account management.

select
*
from
aws_iam_account_summary;

Ensure MFA is enabled for the "root" account (CIS v1.1.13)

Check whether Multi-Factor Authentication (MFA) is enabled for the account's root user, as required by CIS v1.1.13.

select
account_mfa_enabled
from
aws_iam_account_summary;
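
The MFA check above can be extended to the other account-level credential columns in this table. The following query is an added example, not part of the original Steampipe documentation; it assumes that account_access_keys_present and account_signing_certificates_present count credentials belonging to the root user, and the status labels are illustrative.

```sql
-- Added example: root-user credential posture in one row per account.
-- Column names come from the schema on this page; status text is illustrative.
select
  account_id,
  account_mfa_enabled,
  account_access_keys_present,
  account_signing_certificates_present,
  case
    when not account_mfa_enabled
      then 'alarm: MFA not enabled for the root user'
    when account_access_keys_present > 0
      then 'alarm: account-level access key present'
    when account_signing_certificates_present > 0
      then 'alarm: account-level signing certificate present'
    else 'ok'
  end as status
from
  aws_iam_account_summary
order by
  account_id;
```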

Summary report - Total number of IAM resources in the account by type

Determine the distribution of different types of Identity and Access Management (IAM) resources in your AWS account. This can help you understand the composition of your IAM resources and manage them more effectively.

select
users,
groups,
roles,
policies
from
aws_iam_account_summary;
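
To verify usage against the IAM quotas mentioned in the usage guide, each count column can be paired with its matching quota column. The following query is an added example, not part of the original Steampipe documentation; the 80% review threshold and the output column names are assumptions.

```sql
-- Added example: IAM resource usage versus quota, one row per resource type.
-- Count and quota columns come from the schema on this page.
with s as (
  select * from aws_iam_account_summary
),
usage_rows as (
  select account_id, 'users' as resource, users as used, users_quota as quota from s
  union all
  select account_id, 'groups', groups, groups_quota from s
  union all
  select account_id, 'roles', roles, roles_quota from s
  union all
  select account_id, 'policies', policies, policies_quota from s
  union all
  select account_id, 'instance_profiles', instance_profiles, instance_profiles_quota from s
  union all
  select account_id, 'server_certificates', server_certificates, server_certificates_quota from s
  union all
  select account_id, 'policy_versions_in_use', policy_versions_in_use, policy_versions_in_use_quota from s
)
select
  account_id,
  resource,
  used,
  quota,
  -- nullif avoids division by zero if a quota is reported as 0
  round(100.0 * used / nullif(quota, 0), 1) as pct_used,
  case
    when 100.0 * used / nullif(quota, 0) >= 80 then 'review'  -- assumed threshold
    else 'ok'
  end as status
from
  usage_rows
order by
  pct_used desc nulls last;
```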

Schema for aws_iam_account_summary

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| access_keys_per_user_quota | bigint | | Specifies the allowed quota of access keys per user. |
| account_access_keys_present | bigint | | Specifies the number of account level access keys present. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| account_mfa_enabled | boolean | | Specifies whether MFA is enabled for the account. |
| account_signing_certificates_present | bigint | | Specifies the number of account signing certificates present. |
| assume_role_policy_size_quota | bigint | | Specifies the allowed assume role policy size. |
| attached_policies_per_group_quota | bigint | | Specifies the allowed attached policies per group. |
| attached_policies_per_role_quota | bigint | | Specifies the allowed attached policies per role. |
| attached_policies_per_user_quota | bigint | | Specifies the allowed attached policies per user. |
| global_endpoint_token_version | bigint | | Specifies the token version of the global endpoint. |
| group_policy_size_quota | bigint | | Specifies the allowed group policy size. |
| groups | bigint | | Specifies the number of groups. |
| groups_per_user_quota | bigint | | Specifies the allowed number of groups. |
| groups_quota | bigint | | Specifies the allowed number of groups. |
| instance_profiles | bigint | | Specifies the number of groups. |
| instance_profiles_quota | bigint | | Specifies the allowed number of groups. |
| mfa_devices | bigint | | Specifies the number of MFA devices. |
| mfa_devices_in_use | bigint | | Specifies the number of MFA devices in use. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| policies | bigint | | Specifies the number of policies. |
| policies_quota | bigint | | Specifies the allowed number of policies. |
| policy_size_quota | bigint | | Specifies the allowed size of policies. |
| policy_versions_in_use | bigint | | Specifies the number of policy versions in use. |
| policy_versions_in_use_quota | bigint | | Specifies the allowed number of policy versions. |
| providers | bigint | | Specifies the number of providers. |
| region | text | | The AWS Region in which the resource is located. |
| role_policy_size_quota | bigint | | Specifies the allowed role policy size. |
| roles | bigint | | Specifies the number of roles. |
| roles_quota | bigint | | Specifies the allowed number of roles. |
| server_certificates | bigint | | Specifies the number of server certificates. |
| server_certificates_quota | bigint | | Specifies the allowed number of server certificates. |
| signing_certificates_per_user_quota | bigint | | Specifies the allowed number of signing certificates per user. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| user_policy_size_quota | bigint | | Specifies the allowed user policy size. |
| users | bigint | | Specifies the number of users. |
| users_quota | bigint | | Specifies the allowed number of users. |
| versions_per_policy_quota | bigint | | Specifies the allowed number of versions per policy. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_iam_account_summary