Table: aws_inspector_finding - Query AWS Inspector Findings using SQL
The AWS Inspector Finding is a resource within AWS Inspector service that allows you to identify potential security issues and deviations from best practices. It provides detailed descriptions of the security findings and offers recommendations on how to fix them. AWS Inspector automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, instances, and attached storage.
Table Usage Guide
The aws_inspector_finding
table in Steampipe provides you with information about AWS Inspector findings. AWS Inspector is an automated security assessment service that helps you improve the security and compliance of applications deployed on AWS. This table allows you, as a security analyst, developer, or DevOps engineer, to query finding-specific details, including the finding ARN, severity, title, description, recommendation, and associated metadata. You can utilize this table to gather insights on findings, such as findings with high severity, findings associated with a specific rule package, verification of recommendations, and more. The schema outlines the various attributes of the AWS Inspector finding for you, including the finding ARN, severity, title, description, recommendation, and associated tags.
Examples
Basic info
Explore which AWS Inspector findings have been identified, focusing on their severity and confidence levels. This can help in prioritizing remediation efforts based on the severity and confidence of the findings.
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_finding;
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_finding;
List findings with high severity
Identify instances where there are high severity findings in the AWS Inspector. This is useful in prioritizing security issues that need immediate attention.
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_findingwhere severity = 'High';
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_findingwhere severity = 'High';
Count the number of findings by severity
Analyze the severity levels of AWS inspector findings to understand how many issues fall into each category. This can help prioritize remediation efforts by focusing on the most severe findings first.
select severity, count(severity)from aws_inspector_findinggroup by severityorder by severity;
select severity, count(severity)from aws_inspector_findinggroup by severityorder by severity;
List last 10 days findings
Identify instances where security findings have been recorded in the last 10 days. This allows you to stay updated on recent security issues and take necessary actions.
select title, id, confidence, severityfrom aws_inspector_findingwhere created_at >= now() - interval '10' day;
select title, id, confidence, severityfrom aws_inspector_findingwhere created_at >= datetime('now', '-10 days');
List attributes for each finding
Determine the characteristics of each identified issue within your AWS Inspector service. This can help in understanding the nature of the problems and strategizing appropriate solutions.
select title, id, jsonb_pretty(attributes) as attributesfrom aws_inspector_finding;
select title, id, attributesfrom aws_inspector_finding;
Get asset attributes for each finding
This query is used to uncover the details of each asset's attributes associated with a specific finding in AWS Inspector. This can help in identifying instances where anomalies or issues have been detected, providing insights into potential areas of risk or concern within your AWS environment.
select id, title, asset_attributes ->> 'AgentId' as agent_id, asset_attributes ->> 'AmiId' as ami_id, asset_attributes ->> 'Hostname' as hostname, asset_attributes ->> 'Tags' as tagsfrom aws_inspector_finding;
select id, title, json_extract(asset_attributes, '$.AgentId') as agent_id, json_extract(asset_attributes, '$.AmiId') as ami_id, json_extract(asset_attributes, '$.Hostname') as hostname, json_extract(asset_attributes, '$.Tags') as tagsfrom aws_inspector_finding;
List EC2 instances with high severity
Discover the segments that are operating Amazon EC2 instances with high severity findings. This is useful for identifying potential security vulnerabilities and risks in your AWS infrastructure.
select distinct i.instance_id, i.instance_state, i.instance_type, f.title, f.service, f.severity, f.confidencefrom aws_ec2_instance as i, aws_inspector_finding as fwhere severity = 'High' and i.instance_id = f.agent_id;
select distinct i.instance_id, i.instance_state, i.instance_type, f.title, f.service, f.severity, f.confidencefrom aws_ec2_instance as i, aws_inspector_finding as fwhere severity = 'High' and i.instance_id = f.agent_id;
Get service attributes for each finding
Determine the areas in which specific service attributes are linked to each finding, enabling a more comprehensive understanding of the findings in AWS Inspector. This can assist in better assessment planning and rule package selection for future inspections.
select id, title, service_attributes ->> 'AssessmentRunArn' as assessment_run_arn, service_attributes ->> 'RulesPackageArn' as rules_package_arn, service_attributes ->> 'SchemaVersion' as schema_version,from aws_inspector_finding;
select id, title, json_extract(service_attributes, '$.AssessmentRunArn') as assessment_run_arn, json_extract(service_attributes, '$.RulesPackageArn') as rules_package_arn, json_extract(service_attributes, '$.SchemaVersion') as schema_versionfrom aws_inspector_finding;
Get assessment run details for findings
This query is used to analyze the details of assessment runs linked to specific findings in AWS Inspector. It's useful for identifying potential security vulnerabilities and understanding the scope of any issues identified during the assessment runs.
select f.id, r.title, f.service_attributes ->> 'AssessmentRunArn' as assessment_run_arn, r.assessment_template_arn, r.finding_countsfrom aws_inspector_finding as f, aws_inspector_assessment_run as rwhere f.service_attributes ->> 'AssessmentRunArn' = r.arn;
select f.id, r.title, json_extract(f.service_attributes, '$.AssessmentRunArn') as assessment_run_arn, r.assessment_template_arn, r.finding_countsfrom aws_inspector_finding as f join aws_inspector_assessment_run as r on json_extract(f.service_attributes, '$.AssessmentRunArn') = r.arn;
List findings order by confidence
Explore which AWS Inspector findings are most reliable by sorting them according to their confidence levels. This can help prioritize remediation efforts by focusing first on findings with the highest confidence.
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_findingorder by confidence;
select id, arn, agent_id as instance_id, asset_type, confidence, severityfrom aws_inspector_findingorder by confidence;
Schema for aws_inspector_finding
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
agent_id | text | = | The ID of the agent that is installed on the EC2 instance where the finding is generated. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
arn | text | = | The ARN that specifies the finding. |
asset_attributes | jsonb | A collection of attributes of the host from which the finding is generated. | |
asset_type | text | The type of the host from which the finding is generated. | |
attributes | jsonb | The system-defined attributes for the finding. | |
auto_scaling_group | text | = | The Auto Scaling group of the EC2 instance where the finding is generated. |
confidence | bigint | This data element is currently not used. | |
created_at | timestamp with time zone | The time when the finding was generated. | |
description | text | The description of the finding. | |
failed_items | jsonb | Attributes details that cannot be described. An error code is provided for each failed item. | |
id | text | The ID of the finding. | |
indicator_of_compromise | boolean | This data element is currently not used. | |
numeric_severity | double precision | The numeric value of the finding severity. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
recommendation | text | The recommendation for the finding. | |
region | text | The AWS Region in which the resource is located. | |
schema_version | bigint | The schema version of this data type. | |
service | text | The data element is set to 'Inspector'. | |
service_attributes | jsonb | This data type is used in the Finding data type. | |
severity | text | = | The finding severity. Values can be set to High, Medium, Low, and Informational. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
title | text | The name of the finding. | |
updated_at | timestamp with time zone | The time when AddAttributesToFindings is called. | |
user_attributes | jsonb | The user-defined attributes that are assigned to the finding. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_inspector_finding