steampipe plugin install aws

Table: aws_iam_service_specific_credential - Query AWS IAM Service Specific Credentials using SQL

The AWS IAM Service Specific Credentials are a type of AWS credentials that allow you to programmatically access AWS services. These credentials are used when the access to services is from an application that is running on an EC2 instance. They provide a secure way to distribute and rotate credentials on multiple EC2 instances without having to manage the underlying AWS keys.

Table Usage Guide

The aws_iam_service_specific_credential table in Steampipe provides you with information about service-specific credentials within AWS Identity and Access Management (IAM). This table allows you, as a DevOps engineer, to query credential-specific details, including the associated user, status, creation date, and service name. You can utilize this table to gather insights on credentials, such as those associated with a specific user, the status of each credential, and the services for which they are used. The schema outlines the various attributes of service-specific credentials for you, including the username, status, creation date, and service name.

Examples

Basic info

List the AWS services that have service-specific credentials in IAM, along with each credential's ID, creation date, and linked user name. This can help in auditing and managing access controls in your AWS environment.

select
  service_name,
  service_specific_credential_id,
  create_date,
  user_name
from
  aws_iam_service_specific_credential;

IAM user details for service specific credentials

List the IAM users that hold service-specific credentials, including details like user names and whether multi-factor authentication is enabled. This query is beneficial for auditing security practices and ensuring adherence to best practices.

select
  s.service_name as service_name,
  s.service_specific_credential_id as service_specific_credential_id,
  u.name as user_name,
  u.user_id as user_id,
  u.password_last_used as password_last_used,
  u.mfa_enabled as mfa_enabled
from
  aws_iam_service_specific_credential as s,
  aws_iam_user as u
where
  s.user_name = u.name;

The same query written with an explicit join:

select
  s.service_name as service_name,
  s.service_specific_credential_id as service_specific_credential_id,
  u.name as user_name,
  u.user_id as user_id,
  u.password_last_used as password_last_used,
  u.mfa_enabled as mfa_enabled
from
  aws_iam_service_specific_credential as s
  join aws_iam_user as u on s.user_name = u.name;

Service specific credentials older than 30 days

Find service-specific credentials in AWS IAM that are older than 30 days. This can be useful for identifying potential security risks associated with outdated credentials.

PostgreSQL:

select
  service_name,
  service_specific_credential_id,
  create_date,
  user_name
from
  aws_iam_service_specific_credential
where
  create_date <= current_date - interval '30' day;

SQLite:

select
  service_name,
  service_specific_credential_id,
  create_date,
  user_name
from
  aws_iam_service_specific_credential
where
  create_date <= date('now', '-30 day');
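
The queries above can be combined into a single triage query for credential reviews. The following is an added example in PostgreSQL syntax, not part of the Steampipe documentation: it keeps only credentials whose status is Active and that are older than 30 days, and attaches the owning user's MFA and password-usage details. It assumes aws_iam_user exposes the same account_id column as this table and joins on it, so that same-named users in different accounts are not mixed when several accounts are queried through one connection.

```sql
-- Added example: active service-specific credentials older than 30 days,
-- with the owning IAM user's MFA state, oldest first.
-- Assumption: aws_iam_user has an account_id column (as this table does).
select
  s.account_id,
  s.user_name,
  s.service_name,
  s.service_specific_credential_id,
  s.status,
  s.create_date,
  -- date minus date yields whole days in PostgreSQL
  current_date - s.create_date::date as age_days,
  u.mfa_enabled,
  u.password_last_used
from
  aws_iam_service_specific_credential as s
  -- left join keeps the credential row even if no user row matches
  left join aws_iam_user as u
    on u.name = s.user_name
    and u.account_id = s.account_id
where
  s.status = 'Active'
  and s.create_date <= current_date - interval '30' day
order by
  s.create_date;
```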

Schema for aws_iam_service_specific_credential

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| create_date | timestamp with time zone | | The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), when the service-specific credential was created. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| service_name | text | = | The name of the service associated with the service-specific credential. |
| service_specific_credential_id | text | | The unique identifier for the service-specific credential. |
| service_user_name | text | | The generated user name for the service-specific credential. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | | The status of the service-specific credential. Active means that the key is valid for API calls, while Inactive means it is not. |
| title | text | | Title of the resource. |
| user_name | text | = | The name of the IAM user associated with the service-specific credential. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_iam_service_specific_credential