Table: aws_iam_group - Query AWS IAM Group using SQL
The AWS Identity and Access Management (IAM) Group is a feature that allows you to manage user access to AWS services and resources. With IAM Groups, you can specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM Groups are not truly identities because they cannot be identified as Principals in a resource's policy.
Table Usage Guide
The aws_iam_group table in Steampipe provides you with information about IAM groups within AWS Identity and Access Management (IAM). This table allows you, as a DevOps engineer, to query group-specific details, including group name, path, and ARN. You can utilize this table to gather insights on groups, such as group membership, group policy attachments, and more. The schema outlines the various attributes of the IAM group for you, including the group ARN, creation date, group ID, and associated metadata.
Examples
User details associated with each IAM group
Explore which users are associated with each IAM group, including their user details such as permissions boundary, last password usage and creation date. This can be useful for auditing user access and ensuring appropriate permissions are in place.
PostgreSQL:

```sql
select
  name as group_name,
  iam_user ->> 'UserName' as user_name,
  iam_user ->> 'UserId' as user_id,
  iam_user ->> 'PermissionsBoundary' as permission_boundary,
  iam_user ->> 'PasswordLastUsed' as password_last_used,
  iam_user ->> 'CreateDate' as user_create_date
from
  aws_iam_group
  cross join jsonb_array_elements(users) as iam_user;
```

SQLite (each element of the array is exposed as `iam_user.value`):

```sql
select
  name as group_name,
  json_extract(iam_user.value, '$.UserName') as user_name,
  json_extract(iam_user.value, '$.UserId') as user_id,
  json_extract(iam_user.value, '$.PermissionsBoundary') as permission_boundary,
  json_extract(iam_user.value, '$.PasswordLastUsed') as password_last_used,
  json_extract(iam_user.value, '$.CreateDate') as user_create_date
from
  aws_iam_group,
  json_each(users) as iam_user;
```
List all the users in each group having Administrator access
Discover the users who hold Administrator access through a group, across all groups. This is beneficial for auditing purposes, allowing for a quick overview of who has high-level access and potential control within your system.
PostgreSQL (the policy name is the part of the ARN after the `/`, e.g. `arn:aws:iam::aws:policy/AdministratorAccess`):

```sql
select
  name as group_name,
  iam_user ->> 'UserName' as user_name,
  split_part(attachments, '/', 2) as attached_policies
from
  aws_iam_group
  cross join jsonb_array_elements(users) as iam_user,
  jsonb_array_elements_text(attached_policy_arns) as attachments
where
  split_part(attachments, '/', 2) = 'AdministratorAccess';
```

SQLite (the array elements are read through the `.value` column of `json_each`):

```sql
select
  name as group_name,
  json_extract(iam_user.value, '$.UserName') as user_name,
  substr(attachments.value, instr(attachments.value, '/') + 1) as attached_policies
from
  aws_iam_group
  cross join json_each(users) as iam_user,
  json_each(attached_policy_arns) as attachments
where
  substr(attachments.value, instr(attachments.value, '/') + 1) = 'AdministratorAccess';
```
List the policies attached to each IAM group
List the managed policies attached to each IAM group. This can be useful in understanding the permissions and access levels of different groups within your AWS environment.
PostgreSQL:

```sql
select
  name as group_name,
  split_part(attachments, '/', 2) as attached_policies
from
  aws_iam_group
  cross join jsonb_array_elements_text(attached_policy_arns) as attachments;
```

SQLite:

```sql
select
  name as group_name,
  substr(json_each.value, instr(json_each.value, '/') + 1) as attached_policies
from
  aws_iam_group,
  json_each(attached_policy_arns);
```
Find groups that have inline policies
Identify the groups that have inline policies in place, enabling you to better understand and manage your AWS IAM group permissions and security.
PostgreSQL:

```sql
select
  name as group_name,
  inline_policies
from
  aws_iam_group
where
  inline_policies is not null;
```

SQLite:

```sql
select
  name as group_name,
  inline_policies
from
  aws_iam_group
where
  inline_policies is not null;
```
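Knowing that a group has an inline policy is only half the check; the next question is whether that policy grants administrative privilege. The PostgreSQL query below is an added example, not part of the Steampipe docs, that flags groups whose inline policies allow action `*` (or `*:*`) on resource `*`. It assumes `inline_policies_std` is an array of `{PolicyName, PolicyDocument}` objects whose statements carry `Action` and `Resource` as arrays (the canonical form). The `sample_groups` CTE holds constructed data so the query runs in plain PostgreSQL; against Steampipe, replace `sample_groups` with `aws_iam_group`.

```sql
-- Constructed sample data standing in for aws_iam_group (assumption: same
-- column names and the canonical inline_policies_std shape).
with sample_groups (name, arn, inline_policies_std) as (
  values
    ('admins', 'arn:aws:iam::111122223333:group/admins',
     '[{"PolicyName": "full-admin",
        "PolicyDocument": {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}]'::jsonb),
    ('readers', 'arn:aws:iam::111122223333:group/readers',
     '[{"PolicyName": "s3-read",
        "PolicyDocument": {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["s3:getobject"], "Resource": ["*"]}]}}]'::jsonb),
    ('empty', 'arn:aws:iam::111122223333:group/empty', null)
),
-- One row per (group, inline policy) that contains at least one statement
-- granting Allow on a wildcard action against a wildcard resource.
admin_statements as (
  select
    g.arn,
    p ->> 'PolicyName' as policy_name,
    count(*) as admin_statement_count
  from
    sample_groups as g,
    jsonb_array_elements(g.inline_policies_std) as p,
    jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Action') as action,
    jsonb_array_elements_text(s -> 'Resource') as resource
  where
    s ->> 'Effect' = 'Allow'
    and action in ('*', '*:*')
    and resource = '*'
  group by
    g.arn, p ->> 'PolicyName'
)
-- Report every group; groups with no inline policy (null) simply produce no
-- admin_statements rows and come out as 'ok'.
select
  g.name as group_name,
  g.arn,
  coalesce(a.policy_name, 'none') as admin_inline_policy,
  coalesce(a.admin_statement_count, 0) as admin_statement_count,
  case when a.arn is null then 'ok' else 'alarm' end as status
from
  sample_groups as g
  left join admin_statements as a on a.arn = g.arn
order by
  status, group_name;
```

With the constructed data, only the `admins` group is reported as `alarm` (via its `full-admin` policy); `readers` and `empty` are `ok`.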
Query examples
- iam_all_policies_for_group
- iam_all_policies_for_user
- iam_group_count
- iam_group_direct_attached_policy_count_for_group
- iam_group_inline_policy_count_for_group
- iam_group_input
- iam_group_overview
- iam_groups_by_account
- iam_groups_by_creation_month
- iam_groups_by_path
- iam_groups_for_iam_policy
- iam_groups_with_inline_policy
- iam_groups_with_inline_policy_count
- iam_groups_without_users
- iam_groups_without_users_count
- iam_policies_for_iam_group
- iam_user_manage_policies_sankey
- iam_users_for_group
- iam_users_for_iam_group
Control examples
- All Controls > IAM > Ensure access to AWSCloudShellFullAccess is restricted
- All Controls > IAM > IAM inline policy should not have administrative privileges
- All Controls > KMS > KMS key decryption should be restricted in IAM inline policy
- AWS Foundational Security Best Practices > KMS > 2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
- CIS v2.0.0 > 1 Identity and Access Management > 1.22 Ensure access to AWSCloudShellFullAccess is restricted
- CIS v3.0.0 > 1 Identity and Access Management > 1.22 Ensure access to AWSCloudShellFullAccess is restricted
- CIS v4.0.0 > 1 Identity and Access Management > 1.22 Ensure access to AWSCloudShellFullAccess is restricted
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM policy should be in use
Schema for aws_iam_group
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | = | The Amazon Resource Name (ARN) specifying the group.
attached_policy_arns | jsonb | | A list of managed policies attached to the group.
create_date | timestamp with time zone | | The date and time when the group was created.
group_id | text | | The stable and unique string identifying the group.
inline_policies | jsonb | | A list of policy documents that are embedded as inline policies for the group.
inline_policies_std | jsonb | | Inline policies in canonical form for the group.
name | text | = | The friendly name that identifies the group.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
path | text | = | The path to the group.
region | text | | The AWS Region in which the resource is located.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
title | text | | Title of the resource.
users | jsonb | | A list of users in the group.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```
steampipe_export_aws --config '<your_config>' aws_iam_group
```