Table: aws_rds_db_instance - Query AWS RDS DB Instances using SQL
Title: AWS RDS DB Instances
Description: AWS RDS DB Instances are a part of Amazon Relational Database Service (RDS), which makes it easier to set up, operate, and scale a relational database in the cloud. They provide cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Table Usage Guide
The aws_rds_db_instance
table in Steampipe provides you with comprehensive information about each database instance within Amazon Relational Database Service (RDS). This table allows you, as a DevOps engineer, database administrator, or other technical professional, to query detailed information about each DB instance, including its configuration, status, performance metrics, and other associated metadata. You can leverage this table to gather insights about DB instances, such as instance specifications, security configurations, backup policies, and more. The schema outlines the various attributes of the DB instance for you, including the DB instance identifier, instance class, engine version, storage type, and associated tags.
Examples
Basic info
Explore which Amazon RDS database instances are publicly accessible, along with their identifiers, classes, engines, and versions. This information can help determine areas where security might be improved by limiting public access.
select db_instance_identifier, class, engine, engine_version, publicly_accessiblefrom aws_rds_db_instance
select db_instance_identifier, class, engine, engine_version, publicly_accessiblefrom aws_rds_db_instance
List DB instances which are publicly accessible
Determine the areas in which your database instances are publicly accessible. This is useful for identifying potential security risks and ensuring that your data is protected.
select db_instance_identifier, publicly_accessiblefrom aws_rds_db_instancewhere publicly_accessible;
select db_instance_identifier, publicly_accessiblefrom aws_rds_db_instancewhere publicly_accessible = 1;
List DB instances which are not authenticated through IAM users and roles
Identify instances where database instances are not utilizing IAM users and roles for authentication. This query is useful in highlighting potential security risks and enforcing best practices for access management.
select db_instance_identifier, iam_database_authentication_enabledfrom aws_rds_db_instancewhere not iam_database_authentication_enabled;
select db_instance_identifier, iam_database_authentication_enabledfrom aws_rds_db_instancewhere iam_database_authentication_enabled = 0;
Get VPC and subnet info for each DB instance
Determine the areas in which your database instances are located and the security measures in place. This helps ensure your databases are in the desired regions and properly secured, enhancing your data management strategy.
select db_instance_identifier as attached_vpc, vsg ->> 'VpcSecurityGroupId' as vpc_security_group_id, vsg ->> 'Status' as status, sub -> 'SubnetAvailabilityZone' ->> 'Name' as subnet_availability_zone, sub ->> 'SubnetIdentifier' as subnet_identifier, sub -> 'SubnetOutpost' ->> 'Arn' as subnet_outpost, sub ->> 'SubnetStatus' as subnet_statusfrom aws_rds_db_instance cross join jsonb_array_elements(vpc_security_groups) as vsg cross join jsonb_array_elements(subnets) as sub;
select db_instance_identifier as attached_vpc, json_extract(vsg.value, '$.VpcSecurityGroupId') as vpc_security_group_id, json_extract(vsg.value, '$.Status') as status, json_extract( json_extract(sub.value, '$.SubnetAvailabilityZone'), '$.Name' ) as subnet_availability_zone, json_extract(sub.value, '$.SubnetIdentifier') as subnet_identifier, json_extract( json_extract(sub.value, '$.SubnetOutpost'), '$.Arn' ) as subnet_outpost, json_extract(sub.value, '$.SubnetStatus') as subnet_statusfrom aws_rds_db_instance, json_each(vpc_security_groups) as vsg, json_each(subnets) as sub;
List DB instances with deletion protection disabled
Discover the segments that consist of DB instances where deletion protection is not enabled. This is useful for identifying potential security vulnerabilities within your AWS RDS DB instances.
select db_instance_identifier, class, engine, engine_version, deletion_protectionfrom aws_rds_db_instancewhere not deletion_protection;
select db_instance_identifier, class, engine, engine_version, deletion_protectionfrom aws_rds_db_instancewhere deletion_protection = 0;
List DB instances with unecrypted storage
Discover the segments that are using unencrypted storage within your database instances to assess potential vulnerabilities and improve your system's security. This query is particularly useful in identifying areas where sensitive data may be at risk due to lack of encryption.
select db_instance_identifier, class, allocated_storage, deletion_protectionfrom aws_rds_db_instancewhere not storage_encrypted;
select db_instance_identifier, class, allocated_storage, deletion_protectionfrom aws_rds_db_instancewhere storage_encrypted = 0;
Get endpoint info for each DB instance
Explore which database instances are linked to specific endpoints. This information can help assess the network connections and their respective ports, aiding in efficient database management and troubleshooting.
select db_instance_identifier, endpoint_address, endpoint_hosted_zone_id, endpoint_portfrom aws_rds_db_instance;
select db_instance_identifier, endpoint_address, endpoint_hosted_zone_id, endpoint_portfrom aws_rds_db_instance;
List SQL Server DB instances with SSL disabled in assigned parameter group
Identify instances where SQL Server database instances have SSL disabled in their assigned parameter groups. This is useful for uncovering potential security vulnerabilities related to unencrypted data transmission.
with db_parameter_group as ( select name as db_parameter_group_name, pg ->> 'ParameterName' as parameter_name, pg ->> 'ParameterValue' as parameter_value from aws_rds_db_parameter_group, jsonb_array_elements(parameters) as pg where -- The example is limited to SQL Server, this may change based on DB engine pg ->> 'ParameterName' like 'rds.force_ssl' and name not like 'default.%'),rds_associated_parameter_group as ( select db_instance_identifier as db_instance_identifier, arn, pg ->> 'DBParameterGroupName' as DBParameterGroupName from aws_rds_db_instance, jsonb_array_elements(db_parameter_groups) as pg where engine like 'sqlserve%')select rds.db_instance_identifier as name, rds.DBParameterGroupName, parameter_name, parameter_valuefrom rds_associated_parameter_group as rds left join db_parameter_group d on rds.DBParameterGroupName = d.db_parameter_group_namewhere parameter_value = '0'
with db_parameter_group as ( select name as db_parameter_group_name, json_extract(pg.value, '$.ParameterName') as parameter_name, json_extract(pg.value, '$.ParameterValue') as parameter_value from aws_rds_db_parameter_group, json_each(parameters) as pg where json_extract(pg.value, '$.ParameterName') like 'rds.force_ssl' and name not like 'default.%'),rds_associated_parameter_group as ( select db_instance_identifier as db_instance_identifier, arn, json_extract(pg.value, '$.DBParameterGroupName') as DBParameterGroupName from aws_rds_db_instance, json_each(db_parameter_groups) as pg where engine like 'sqlserve%')select rds.db_instance_identifier as name, rds.DBParameterGroupName, parameter_name, parameter_valuefrom rds_associated_parameter_group as rds left join db_parameter_group d on rds.DBParameterGroupName = d.db_parameter_group_namewhere parameter_value = '0';
List DB instance pending maintenance actions
Determine the areas in which your database instances have pending maintenance actions. This can help ensure your databases are up-to-date and avoid potential downtime or performance issues due to missed maintenance.
select actions ->> 'ResourceIdentifier' as db_instance_identifier, details ->> 'Action' as action, details ->> 'OptInStatus' as opt_in_status, details ->> 'ForcedApplyDate' as forced_apply_date, details ->> 'CurrentApplyDate' as current_apply_date, details ->> 'AutoAppliedAfterDate' as auto_applied_after_datefrom aws_rds_db_instance, jsonb_array_elements(pending_maintenance_actions) as actions, jsonb_array_elements(actions -> 'PendingMaintenanceActionDetails') as details;
select json_extract(actions.value, '$.ResourceIdentifier') as db_instance_identifier, json_extract(details.value, '$.Action') as action, json_extract(details.value, '$.OptInStatus') as opt_in_status, json_extract(details.value, '$.ForcedApplyDate') as forced_apply_date, json_extract(details.value, '$.CurrentApplyDate') as current_apply_date, json_extract(details.value, '$.AutoAppliedAfterDate') as auto_applied_after_datefrom aws_rds_db_instance, json_each(pending_maintenance_actions) as actions, json_each( json_extract( actions.value, '$.PendingMaintenanceActionDetails' ) ) as details;
List certificate details associated to the instance
Discover the segments that highlight the validity and type of certificates associated with a specific instance. This can be especially useful in managing and tracking certificate expiration dates, ensuring the security and reliability of your database instances.
select arn, certificate ->> 'CertificateArn' as certificate_arn, certificate ->> 'CertificateType' as certificate_type, certificate ->> 'ValidFrom' as valid_from, certificate ->> 'ValidTill' as valid_tillfrom aws_rds_db_instance;
select arn, json_extract(certificate, '$.CertificateArn') as certificate_arn, json_extract(certificate, '$.CertificateType') as certificate_type, json_extract(certificate, '$.ValidFrom') as valid_from, json_extract(certificate, '$.ValidTill') as valid_tillfrom aws_rds_db_instance;
List certificates valid for less than 90 days
Discover the segments that have certificates valid for less than 90 days in your AWS RDS database instances. This can help in proactive renewal of certificates, thereby avoiding any service disruption due to certificate expiry.
select arn, certificate ->> 'CertificateArn' as certificate_arn, certificate ->> 'CertificateType' as certificate_type, certificate ->> 'ValidFrom' as valid_from, certificate ->> 'ValidTill' as valid_tillfrom aws_rds_db_instancewhere (certificate ->> 'ValidTill') :: timestamp <= (current_date - interval '90' day);
select arn, json_extract(certificate, '$.CertificateArn') as certificate_arn, json_extract(certificate, '$.CertificateType') as certificate_type, json_extract(certificate, '$.ValidFrom') as valid_from, json_extract(certificate, '$.ValidTill') as valid_tillfrom aws_rds_db_instancewhere julianday('now') - julianday(json_extract(certificate, '$.ValidTill')) >= 90;
Listing RDS DB Instances with Existing Processor Features
Supports Infrastructure as Code (IaC) and Automation For organizations using IaC practices or automation in their cloud environments, such queries can help in generating reports, monitoring configurations, or triggering workflows based on the state of RDS instances.
select db_instance_identifier, class, engine, engine_version, kms_key_id, processor_featuresfrom aws_rds_db_instancewhere processor_features not null;
select db_instance_identifier, class, engine, engine_version, kms_key_id, processor_featuresfrom aws_rds_db_instancewhere processor_features not null;
Schema for aws_rds_db_instance
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
allocated_storage | bigint | Specifies the allocated storage size specified in gibibytes(GiB). | |
arn | text | The Amazon Resource Name (ARN) for the DB Instance. | |
associated_roles | jsonb | A list of AWS IAM roles that are associated with the DB instance. | |
auto_minor_version_upgrade | boolean | Specifies whether minor version patches are applied automatically, or not. | |
availability_zone | text | Specifies the name of the Availability Zone the DB instance is located in. | |
backup_retention_period | bigint | Specifies the number of days for which automatic DB snapshots are retained. | |
ca_certificate_identifier | text | The identifier of the CA certificate for this DB instance. | |
certificate | jsonb | The CA certificate associated with the DB instance. | |
character_set_name | text | Specifies the name of the character set that this instance is associated with. | |
class | text | Contains the name of the compute and memory capacity class of the DB instance. | |
copy_tags_to_snapshot | boolean | Specifies whether tags are copied from the DB instance to snapshots of the DB instance, or not. | |
create_time | timestamp with time zone | Provides the date and time the DB instance was created. | |
customer_owned_ip_enabled | boolean | Specifies whether a customer-owned IP address (CoIP) is enabled for an RDS on Outposts DB instance, or not. | |
db_cluster_identifier | text | = | The friendly name to identify the DB cluster, that the DB instance is a member of. |
db_instance_identifier | text | = | The friendly name to identify the DB Instance. |
db_name | text | Contains the name of the initial database of this instance that was provided at create time. | |
db_parameter_groups | jsonb | A list of DB parameter groups applied to this DB instance. | |
db_security_groups | jsonb | A list of DB security group associated with the DB instance. | |
db_subnet_group_arn | text | The Amazon Resource Name (ARN) for the DB subnet group. | |
db_subnet_group_description | text | Provides the description of the DB subnet group. | |
db_subnet_group_name | text | The name of the DB subnet group. | |
db_subnet_group_status | text | Provides the status of the DB subnet group. | |
deletion_protection | boolean | Specifies whether the DB instance has deletion protection enabled, or not. | |
domain_memberships | jsonb | A list of Active Directory Domain membership records associated with the DB instance. | |
enabled_cloudwatch_logs_exports | jsonb | A list of log types that this DB instance is configured to export to CloudWatch Logs. | |
endpoint_address | text | Specifies the DNS address of the DB instance. | |
endpoint_hosted_zone_id | text | Specifies the ID that Amazon Route 53 assigns when you create a hosted zone. | |
endpoint_port | bigint | Specifies the port that the database engine is listening on. | |
engine | text | = | The name of the database engine to be used for this DB instance. |
engine_version | text | Indicates the database engine version. | |
enhanced_monitoring_resource_arn | text | The ARN of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance. | |
iam_database_authentication_enabled | boolean | Specifies whether the the mapping of AWS IAM accounts to database accounts is enabled, or not. | |
iops | bigint | Specifies the Provisioned IOPS (I/O operations per second) value. | |
kms_key_id | text | The AWS KMS key identifier for the encrypted DB instance. | |
latest_restorable_time | timestamp with time zone | Specifies the latest time to which a database can be restored with point-in-time restore. | |
license_model | text | License model information for this DB instance. | |
master_user_name | text | Contains the master username for the DB instance. | |
max_allocated_storage | bigint | The upper limit to which Amazon RDS can automatically scale the storage of the DB instance. | |
monitoring_interval | bigint | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. | |
monitoring_role_arn | text | The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs. | |
multi_az | boolean | Specifies if the DB instance is a Multi-AZ deployment. | |
nchar_character_set_name | text | The name of the NCHAR character set for the Oracle DB instance. | |
option_group_memberships | jsonb | A list of option group memberships for this DB instance | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
pending_maintenance_actions | jsonb | A list that provides details about the pending maintenance actions for the resource. | |
performance_insights_enabled | boolean | Specifies whether Performance Insights is enabled for the DB instance, or not. | |
performance_insights_kms_key_id | text | The AWS KMS key identifier for encryption of Performance Insights data. | |
performance_insights_retention_period | bigint | The amount of time, in days, to retain Performance Insights data. | |
port | bigint | Specifies the port that the DB instance listens on. | |
preferred_backup_window | text | Specifies the daily time range during which automated backups are created. | |
preferred_maintenance_window | text | Specifies the weekly time range during which system maintenance can occur. | |
processor_features | jsonb | The number of CPU cores and the number of threads per core for the DB instance class of the DB instance. | |
promotion_tier | bigint | Specifies the order in which an Aurora Replica is promoted to the primary instance after a failure of the existing primary instance. | |
publicly_accessible | boolean | Specifies the accessibility options for the DB instance. | |
read_replica_db_cluster_identifiers | jsonb | A list of identifiers of Aurora DB clusters to which the RDS DB instance is replicated as a read replica. | |
read_replica_db_instance_identifiers | jsonb | A list of identifiers of the read replicas associated with this DB instance. | |
read_replica_source_db_instance_identifier | text | Contains the identifier of the source DB instance if this DB instance is a read replica. | |
region | text | The AWS Region in which the resource is located. | |
replica_mode | text | The mode of an Oracle read replica. | |
resource_id | text | = | The AWS Region-unique, immutable identifier for the DB instance. |
secondary_availability_zone | text | Specifies the name of the secondary Availability Zone for a DB instance with multi-AZ support. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
status | text | Specifies the current state of this database. | |
status_infos | jsonb | The status of a read replica. | |
storage_encrypted | boolean | Specifies whether the DB instance is encrypted, or not. | |
storage_throughput | bigint | Specifies the storage throughput for the DB instance. This setting applies only to the gp3 storage type. | |
storage_type | text | Specifies the storage type associated with DB instance. | |
subnets | jsonb | A list of subnet elements. | |
tags | jsonb | A map of tags for the resource. | |
tags_src | jsonb | A list of tags attached to the DB Instance. | |
tde_credential_arn | text | The ARN from the key store with which the instance is associated for TDE encryption. | |
timezone | text | The time zone of the DB instance. | |
title | text | Title of the resource. | |
vpc_id | text | Provides the VpcId of the DB subnet group. | |
vpc_security_groups | jsonb | A list of VPC security group elements that the DB instance belongs to. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_rds_db_instance