Table: aws_inspector_finding - Query AWS Inspector Findings using SQL
An AWS Inspector finding is a resource within the agent-based Amazon Inspector Classic service that records a potential security issue or deviation from best practice detected during an assessment run. Each finding carries a description of the issue, a severity, and a recommendation for fixing it. Inspector Classic automatically assesses EC2 instances for vulnerabilities and deviations from best practices, covering the impacted networks, instances, and attached storage.
Table Usage Guide
The aws_inspector_finding table in Steampipe provides information about AWS Inspector findings. AWS Inspector is an automated security assessment service that helps you improve the security and compliance of applications deployed on AWS. This table allows you, as a security analyst, developer, or DevOps engineer, to query finding-specific details, including the finding ARN, severity, title, description, recommendation, and associated metadata. You can use it to gather insights such as findings with high severity, findings associated with a specific rules package or assessment run, and the recommendations attached to each finding. The schema below lists the attributes of an AWS Inspector finding, including the finding ARN, severity, title, description, recommendation, asset and service attributes, and tags.
Examples
Basic info
Explore which AWS Inspector findings have been identified, focusing on their severity and confidence levels. This can help in prioritizing remediation efforts based on the severity and confidence of the findings.
```sql
select
  id,
  arn,
  agent_id as instance_id,
  asset_type,
  confidence,
  severity
from
  aws_inspector_finding;
```
List findings with high severity
Identify instances where there are high severity findings in the AWS Inspector. This is useful in prioritizing security issues that need immediate attention.
```sql
select
  id,
  arn,
  agent_id as instance_id,
  asset_type,
  confidence,
  severity
from
  aws_inspector_finding
where
  severity = 'High';
```
Count the number of findings by severity
Analyze the severity levels of AWS inspector findings to understand how many issues fall into each category. This can help prioritize remediation efforts by focusing on the most severe findings first.
```sql
select
  severity,
  count(severity)
from
  aws_inspector_finding
group by
  severity
order by
  severity;
```
List findings from the last 10 days
Identify instances where security findings have been recorded in the last 10 days. This allows you to stay updated on recent security issues and take necessary actions.
Postgres:

```sql
select
  title,
  id,
  confidence,
  severity
from
  aws_inspector_finding
where
  created_at >= now() - interval '10' day;
```

SQLite:

```sql
select
  title,
  id,
  confidence,
  severity
from
  aws_inspector_finding
where
  created_at >= datetime('now', '-10 days');
```
List attributes for each finding
Determine the characteristics of each identified issue within your AWS Inspector service. This can help in understanding the nature of the problems and strategizing appropriate solutions.
Postgres:

```sql
select
  title,
  id,
  jsonb_pretty(attributes) as attributes
from
  aws_inspector_finding;
```

SQLite:

```sql
select
  title,
  id,
  attributes
from
  aws_inspector_finding;
```
Get asset attributes for each finding
Extract the host-level details (agent ID, AMI, hostname, and tags) stored in the asset_attributes JSON of each finding. This tells you which instance, built from which image, a finding applies to, which is what you need to route remediation to the right owner.
Postgres:

```sql
select
  id,
  title,
  asset_attributes ->> 'AgentId' as agent_id,
  asset_attributes ->> 'AmiId' as ami_id,
  asset_attributes ->> 'Hostname' as hostname,
  asset_attributes ->> 'Tags' as tags
from
  aws_inspector_finding;
```

SQLite:

```sql
select
  id,
  title,
  json_extract(asset_attributes, '$.AgentId') as agent_id,
  json_extract(asset_attributes, '$.AmiId') as ami_id,
  json_extract(asset_attributes, '$.Hostname') as hostname,
  json_extract(asset_attributes, '$.Tags') as tags
from
  aws_inspector_finding;
```
List EC2 instances with high severity
Join high severity findings to the EC2 instances they were generated on, using the finding's agent_id (the instance ID). This shows the instance state and type alongside each finding, which is useful for deciding whether a vulnerable instance is still running and needs immediate attention.
```sql
select distinct
  i.instance_id,
  i.instance_state,
  i.instance_type,
  f.title,
  f.service,
  f.severity,
  f.confidence
from
  aws_ec2_instance as i,
  aws_inspector_finding as f
where
  f.severity = 'High'
  and i.instance_id = f.agent_id;
```
Get service attributes for each finding
Extract the service-level details stored in the service_attributes JSON of each finding: the assessment run that produced it, the rules package whose rule fired, and the schema version. Knowing which rules package generated which findings helps with assessment planning and rules package selection for future runs.
Postgres (the trailing comma before `from` in the original query has been removed):

```sql
select
  id,
  title,
  service_attributes ->> 'AssessmentRunArn' as assessment_run_arn,
  service_attributes ->> 'RulesPackageArn' as rules_package_arn,
  service_attributes ->> 'SchemaVersion' as schema_version
from
  aws_inspector_finding;
```

SQLite:

```sql
select
  id,
  title,
  json_extract(service_attributes, '$.AssessmentRunArn') as assessment_run_arn,
  json_extract(service_attributes, '$.RulesPackageArn') as rules_package_arn,
  json_extract(service_attributes, '$.SchemaVersion') as schema_version
from
  aws_inspector_finding;
```
Get assessment run details for findings
This query is used to analyze the details of assessment runs linked to specific findings in AWS Inspector. It's useful for identifying potential security vulnerabilities and understanding the scope of any issues identified during the assessment runs.
Postgres:

```sql
select
  f.id,
  r.title,
  f.service_attributes ->> 'AssessmentRunArn' as assessment_run_arn,
  r.assessment_template_arn,
  r.finding_counts
from
  aws_inspector_finding as f,
  aws_inspector_assessment_run as r
where
  f.service_attributes ->> 'AssessmentRunArn' = r.arn;
```

SQLite:

```sql
select
  f.id,
  r.title,
  json_extract(f.service_attributes, '$.AssessmentRunArn') as assessment_run_arn,
  r.assessment_template_arn,
  r.finding_counts
from
  aws_inspector_finding as f
  join aws_inspector_assessment_run as r
    on json_extract(f.service_attributes, '$.AssessmentRunArn') = r.arn;
```
List findings ordered by confidence
Sort findings by their confidence value, highest first. Note that the schema below documents the confidence column as currently not used by the service, so expect it to be empty or constant; if you need a sort key for prioritization, numeric_severity is the one the service actually populates.
```sql
select
  id,
  arn,
  agent_id as instance_id,
  asset_type,
  confidence,
  severity
from
  aws_inspector_finding
order by
  confidence desc;
```
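The examples above each pull one piece of a finding: its severity, its host attributes, or its assessment run. Triage usually needs them combined. The following query is an added example (not part of the Steampipe documentation for this table) that summarizes recent findings per assessment run and rules package, counting findings and distinct affected instances for each severity and ranking groups by the highest numeric_severity seen. It uses only columns listed in the schema below (service_attributes keys AssessmentRunArn and RulesPackageArn as in the examples above) and Postgres syntax; the 30-day window is an arbitrary choice.

```sql
-- Added example, not from the Steampipe docs. Postgres syntax.
-- One row per (assessment run, rules package, severity) for findings
-- created in the last 30 days (the window is an assumed value).
select
  r.title as assessment_run,
  f.service_attributes ->> 'RulesPackageArn' as rules_package_arn,
  f.severity,
  count(*) as findings,
  -- agent_id is the EC2 instance ID, so this counts affected instances
  count(distinct f.agent_id) as affected_instances,
  -- numeric_severity is populated by the service; confidence is documented as unused
  max(f.numeric_severity) as max_numeric_severity
from
  aws_inspector_finding as f
  join aws_inspector_assessment_run as r
    on f.service_attributes ->> 'AssessmentRunArn' = r.arn
where
  f.created_at >= now() - interval '30 days'
group by
  r.title,
  f.service_attributes ->> 'RulesPackageArn',
  f.severity
order by
  max_numeric_severity desc,
  findings desc;
```

Ordering by max_numeric_severity rather than by the text severity column puts High above Medium above Low instead of sorting alphabetically, which is what the plain `order by severity` in the count example above does.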
Schema for aws_inspector_finding
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
agent_id | text | = | The ID of the agent that is installed on the EC2 instance where the finding is generated. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | = | The ARN that specifies the finding. |
asset_attributes | jsonb | | A collection of attributes of the host from which the finding is generated. |
asset_type | text | | The type of the host from which the finding is generated. |
attributes | jsonb | | The system-defined attributes for the finding. |
auto_scaling_group | text | = | The Auto Scaling group of the EC2 instance where the finding is generated. |
confidence | bigint | | This data element is currently not used. |
created_at | timestamp with time zone | | The time when the finding was generated. |
description | text | | The description of the finding. |
failed_items | jsonb | | Attributes details that cannot be described. An error code is provided for each failed item. |
id | text | | The ID of the finding. |
indicator_of_compromise | boolean | | This data element is currently not used. |
numeric_severity | double precision | | The numeric value of the finding severity. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
recommendation | text | | The recommendation for the finding. |
region | text | | The AWS Region in which the resource is located. |
schema_version | bigint | | The schema version of this data type. |
service | text | | The data element is set to 'Inspector'. |
service_attributes | jsonb | | This data type is used in the Finding data type. |
severity | text | = | The finding severity. Values can be set to High, Medium, Low, and Informational. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | The name of the finding. |
updated_at | timestamp with time zone | | The time when AddAttributesToFindings is called. |
user_attributes | jsonb | | The user-defined attributes that are assigned to the finding. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_inspector_finding