steampipe plugin install aws

Table: aws_rds_db_instance

A DB instance is an isolated database environment running in the cloud.

Examples

Basic info

select
  db_instance_identifier,
  class,
  engine,
  engine_version,
  publicly_accessible
from
  aws_rds_db_instance;

List DB instances which are publicly accessible

select
  db_instance_identifier,
  publicly_accessible
from
  aws_rds_db_instance
where
  publicly_accessible;

List DB instances which are not authenticated through IAM users and roles

select
  db_instance_identifier,
  iam_database_authentication_enabled
from
  aws_rds_db_instance
where
  not iam_database_authentication_enabled;

Get VPC and subnet info for each DB instance

-- The two cross joins return one row per (security group, subnet) pair
-- for each DB instance.
select
  db_instance_identifier,
  vpc_id as attached_vpc,
  vsg ->> 'VpcSecurityGroupId' as vpc_security_group_id,
  vsg ->> 'Status' as status,
  sub -> 'SubnetAvailabilityZone' ->> 'Name' as subnet_availability_zone,
  sub ->> 'SubnetIdentifier' as subnet_identifier,
  sub -> 'SubnetOutpost' ->> 'Arn' as subnet_outpost,
  sub ->> 'SubnetStatus' as subnet_status
from
  aws_rds_db_instance
  cross join jsonb_array_elements(vpc_security_groups) as vsg
  cross join jsonb_array_elements(subnets) as sub;

List DB instances with deletion protection disabled

select
  db_instance_identifier,
  class,
  engine,
  engine_version,
  deletion_protection
from
  aws_rds_db_instance
where
  not deletion_protection;

List DB instances with unencrypted storage

select
  db_instance_identifier,
  class,
  allocated_storage,
  deletion_protection
from
  aws_rds_db_instance
where
  not storage_encrypted;

Get endpoint info for each DB instance

select
  db_instance_identifier,
  endpoint_address,
  endpoint_hosted_zone_id,
  endpoint_port
from
  aws_rds_db_instance;
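
Added example (not part of the original Steampipe documentation): a single triage query that folds the per-setting checks above into one row per DB instance, listing every baseline setting that instance fails. It uses only columns from this table; the check labels in `failed_checks` are names chosen for this example, and treating `backup_retention_period = 0` as "automated backups disabled" is an extra check that goes beyond the queries on this page.

```sql
-- Added example: one row per DB instance that fails at least one baseline check.
with checks as (
  select
    db_instance_identifier,
    region,
    engine,
    -- Each case yields a label when the check fails and null otherwise;
    -- array_remove drops the nulls so only failed checks remain.
    array_remove(
      array[
        case when publicly_accessible then 'publicly_accessible' end,
        case when not storage_encrypted then 'storage_unencrypted' end,
        case when not iam_database_authentication_enabled then 'iam_auth_disabled' end,
        case when not deletion_protection then 'deletion_protection_disabled' end,
        case when backup_retention_period = 0 then 'automated_backups_disabled' end
      ],
      null
    ) as failed_checks
  from
    aws_rds_db_instance
)
select
  db_instance_identifier,
  region,
  engine,
  failed_checks
from
  checks
where
  cardinality(failed_checks) > 0
order by
  cardinality(failed_checks) desc,
  db_instance_identifier;
```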

.inspect aws_rds_db_instance

AWS RDS DB Instance

| Name | Type | Description |
| --- | --- | --- |
| account_id | text | The AWS Account ID in which the resource is located. |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. |
| allocated_storage | bigint | Specifies the allocated storage size specified in gibibytes (GiB). |
| arn | text | The Amazon Resource Name (ARN) for the DB Instance. |
| associated_roles | jsonb | A list of AWS IAM roles that are associated with the DB instance. |
| auto_minor_version_upgrade | boolean | Specifies whether minor version patches are applied automatically, or not. |
| availability_zone | text | Specifies the name of the Availability Zone the DB instance is located in. |
| backup_retention_period | bigint | Specifies the number of days for which automatic DB snapshots are retained. |
| ca_certificate_identifier | text | The identifier of the CA certificate for this DB instance. |
| character_set_name | text | Specifies the name of the character set that this instance is associated with. |
| class | text | Contains the name of the compute and memory capacity class of the DB instance. |
| copy_tags_to_snapshot | boolean | Specifies whether tags are copied from the DB instance to snapshots of the DB instance, or not. |
| create_time | timestamp without time zone | Provides the date and time the DB instance was created. |
| customer_owned_ip_enabled | boolean | Specifies whether a customer-owned IP address (CoIP) is enabled for an RDS on Outposts DB instance, or not. |
| db_cluster_identifier | text | The friendly name to identify the DB cluster, that the DB instance is a member of. |
| db_instance_identifier | text | The friendly name to identify the DB Instance. |
| db_name | text | Contains the name of the initial database of this instance that was provided at create time. |
| db_parameter_groups | jsonb | A list of DB parameter groups applied to this DB instance. |
| db_security_groups | jsonb | A list of DB security groups associated with the DB instance. |
| db_subnet_group_arn | text | The Amazon Resource Name (ARN) for the DB subnet group. |
| db_subnet_group_description | text | Provides the description of the DB subnet group. |
| db_subnet_group_name | text | The name of the DB subnet group. |
| db_subnet_group_status | text | Provides the status of the DB subnet group. |
| deletion_protection | boolean | Specifies whether the DB instance has deletion protection enabled, or not. |
| domain_memberships | jsonb | A list of Active Directory Domain membership records associated with the DB instance. |
| enabled_cloudwatch_logs_exports | jsonb | A list of log types that this DB instance is configured to export to CloudWatch Logs. |
| endpoint_address | text | Specifies the DNS address of the DB instance. |
| endpoint_hosted_zone_id | text | Specifies the ID that Amazon Route 53 assigns when you create a hosted zone. |
| endpoint_port | bigint | Specifies the port that the database engine is listening on. |
| engine | text | The name of the database engine to be used for this DB instance. |
| engine_version | text | Indicates the database engine version. |
| enhanced_monitoring_resource_arn | text | The ARN of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance. |
| iam_database_authentication_enabled | boolean | Specifies whether the mapping of AWS IAM accounts to database accounts is enabled, or not. |
| iops | bigint | Specifies the Provisioned IOPS (I/O operations per second) value. |
| kms_key_id | text | The AWS KMS key identifier for the encrypted DB instance. |
| latest_restorable_time | timestamp without time zone | Specifies the latest time to which a database can be restored with point-in-time restore. |
| license_model | text | License model information for this DB instance. |
| master_user_name | text | Contains the master username for the DB instance. |
| max_allocated_storage | bigint | The upper limit to which Amazon RDS can automatically scale the storage of the DB instance. |
| monitoring_interval | bigint | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. |
| monitoring_role_arn | text | The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs. |
| multi_az | boolean | Specifies if the DB instance is a Multi-AZ deployment. |
| nchar_character_set_name | text | The name of the NCHAR character set for the Oracle DB instance. |
| option_group_memberships | jsonb | A list of option group memberships for this DB instance. |
| partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| performance_insights_enabled | boolean | Specifies whether Performance Insights is enabled for the DB instance, or not. |
| performance_insights_kms_key_id | text | The AWS KMS key identifier for encryption of Performance Insights data. |
| performance_insights_retention_period | bigint | The amount of time, in days, to retain Performance Insights data. |
| port | bigint | Specifies the port that the DB instance listens on. |
| preferred_backup_window | text | Specifies the daily time range during which automated backups are created. |
| preferred_maintenance_window | text | Specifies the weekly time range during which system maintenance can occur. |
| processor_features | jsonb | The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. |
| promotion_tier | bigint | Specifies the order in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. |
| publicly_accessible | boolean | Specifies the accessibility options for the DB instance. |
| read_replica_db_cluster_identifiers | jsonb | A list of identifiers of Aurora DB clusters to which the RDS DB instance is replicated as a read replica. |
| read_replica_db_instance_identifiers | jsonb | A list of identifiers of the read replicas associated with this DB instance. |
| read_replica_source_db_instance_identifier | text | Contains the identifier of the source DB instance if this DB instance is a read replica. |
| region | text | The AWS Region in which the resource is located. |
| replica_mode | text | The mode of an Oracle read replica. |
| resource_id | text | The AWS Region-unique, immutable identifier for the DB instance. |
| secondary_availability_zone | text | Specifies the name of the secondary Availability Zone for a DB instance with multi-AZ support. |
| status | text | Specifies the current state of this database. |
| status_infos | jsonb | The status of a read replica. |
| storage_encrypted | boolean | Specifies whether the DB instance is encrypted, or not. |
| storage_type | text | Specifies the storage type associated with DB instance. |
| subnets | jsonb | A list of subnet elements. |
| tags | jsonb | A map of tags for the resource. |
| tags_src | jsonb | A list of tags attached to the DB Instance. |
| tde_credential_arn | text | The ARN from the key store with which the instance is associated for TDE encryption. |
| timezone | text | The time zone of the DB instance. |
| title | text | Title of the resource. |
| vpc_id | text | Provides the VpcId of the DB subnet group. |
| vpc_security_groups | jsonb | A list of VPC security group elements that the DB instance belongs to. |