steampipe plugin install aws

Table: aws_lambda_function

AWS Lambda is a compute service that lets you run code without provisioning or managing servers.

Examples

List Lambda functions whose environment variables are not encrypted with a customer managed CMK

select
  name,
  kms_key_arn
from
  aws_lambda_function
where
  kms_key_arn is null;

Count of Lambda functions by runtime

select
  runtime,
  count(*)
from
  aws_lambda_function
group by
  runtime;

List Lambda functions whose log group retention period is less than 30 days

-- Lambda writes to the log group /aws/lambda/<function name> by default,
-- so join on that constructed name.
select
  fn.name,
  lg.name,
  lg.retention_in_days
from
  aws_lambda_function as fn
  inner join aws_cloudwatch_log_group as lg on (
    lg.name = '/aws/lambda/' || fn.name
  )
where
  lg.retention_in_days < 30;

Availability zone count for each VPC Lambda function

-- count(distinct ...) so that two subnets in the same zone are counted once.
select
  fn.name,
  fn.region,
  count(distinct sub.availability_zone) as zone_count
from
  aws_lambda_function as fn
  cross join jsonb_array_elements_text(vpc_subnet_ids) as vpc_subnet
  join aws_vpc_subnet as sub on sub.subnet_id = vpc_subnet
group by
  fn.name,
  fn.region
order by
  zone_count;

List all the actions allowed by managed policies for a Lambda execution role

select
  f.name,
  f.role,
  a.action,
  a.access_level,
  a.description
from
  aws_lambda_function as f,
  aws_iam_role as r,
  jsonb_array_elements_text(r.attached_policy_arns) as pol_arn,
  aws_iam_policy as p,
  jsonb_array_elements(p.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Action') as action_glob,
  glob(action_glob) as action_regex
  join aws_iam_action a ON a.action LIKE action_regex
where
  f.role = r.arn
  and pol_arn = p.arn
  and stmt ->> 'Effect' = 'Allow'
  and f.name = 'hellopython';

List functions not configured with a dead-letter queue

select
  arn,
  dead_letter_config_target_arn
from
  aws_lambda_function
where
  dead_letter_config_target_arn is null;
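
List functions whose resource-based policy allows any principal

This query is an added example and is not part of the original plugin documentation. It uses the policy_std column to find Allow statements granted to a wildcard principal, and assumes the canonical form stores Principal -> 'AWS' as a JSON array, in the same way the Statement and Action arrays are used in the execution role query above.

```sql
-- Added example: Allow statements in a function's resource-based policy
-- that name the wildcard principal.
-- Assumption: policy_std normalizes Principal.AWS and Action to JSON arrays.
-- Functions without a resource-based policy (policy_std is null) return no rows.
select
  f.name,
  f.region,
  stmt ->> 'Sid' as sid,
  principal,
  action,
  stmt -> 'Condition' as conditions
from
  aws_lambda_function as f,
  jsonb_array_elements(f.policy_std -> 'Statement') as stmt,
  jsonb_array_elements_text(stmt -> 'Principal' -> 'AWS') as principal,
  jsonb_array_elements_text(stmt -> 'Action') as action
where
  stmt ->> 'Effect' = 'Allow'
  and principal = '*'
order by
  f.name;
```

Rows where conditions is null are unconditional grants and should be reviewed first; a non-null conditions value may narrow who can actually use the statement.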

Control examples

.inspect aws_lambda_function

AWS Lambda Function

| Name | Type | Description |
| --- | --- | --- |
| account_id | text | The AWS Account ID in which the resource is located. |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | The function's Amazon Resource Name (ARN). |
| code_sha_256 | text | The SHA256 hash of the function's deployment package. |
| code_size | bigint | The size of the function's deployment package, in bytes. |
| dead_letter_config_target_arn | text | The Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic. |
| description | text | The function's description. |
| handler | text | The function that Lambda calls to begin executing your function. |
| kms_key_arn | text | The KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK. |
| last_modified | text | The date and time that the function was last updated. |
| last_update_status | text | The status of the last update that was performed on the function. |
| last_update_status_reason | text | The reason for the last update that was performed on the function. |
| last_update_status_reason_code | text | The reason code for the last update that was performed on the function. |
| master_arn | text | For Lambda@Edge functions, the ARN of the master function. |
| memory_size | bigint | The memory that's allocated to the function. |
| name | text | The name of the function. |
| partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| policy | jsonb | The resource-based IAM policy of the Lambda function. |
| policy_std | jsonb | Contains the policy in a canonical form for easier searching. |
| region | text | The AWS Region in which the resource is located. |
| reserved_concurrent_executions | bigint | The number of concurrent executions that are reserved for this function. |
| revision_id | text | The latest updated revision of the function or alias. |
| role | text | The function's execution role. |
| runtime | text | The runtime environment for the Lambda function. |
| state | text | The current state of the function. |
| state_reason | text | The reason for the function's current state. |
| state_reason_code | text | The reason code for the function's current state. |
| tags | jsonb | A map of tags for the resource. |
| timeout | text | The amount of time in seconds that Lambda allows a function to run before stopping it. |
| title | text | Title of the resource. |
| version | text | The version of the Lambda function. |
| vpc_id | text | The VPC ID that is attached to the Lambda function. |
| vpc_security_group_ids | jsonb | A list of VPC security group IDs attached to the Lambda function. |
| vpc_subnet_ids | jsonb | A list of VPC subnet IDs attached to the Lambda function. |