Table: aws_s3_access_point - Query AWS S3 Access Point using SQL
The AWS S3 Access Point is a feature of the AWS S3 service that simplifies managing data access at scale for applications using shared data sets on S3. Access Points are unique hostnames with dedicated access policies that describe how data can be accessed using that endpoint. They offer a way to easily manage access to shared datasets by creating separate access points for specific users or roles.
Table Usage Guide
The aws_s3_access_point
table in Steampipe provides you with information about Access Points within AWS Simple Storage Service (S3). This table enables you, as a DevOps engineer, developer, or data analyst, to query Access Point-specific details, including the Access Point's name, associated bucket, network origin, policy status, and creation time. You can utilize this table to gather insights on Access Points, such as their permissions, associated buckets, and more. The schema outlines the various attributes of the S3 Access Point for you, including the ARN, bucket name, creation date, and associated tags.
Examples
Basic info
Discover the segments that have been granted access to your S3 buckets. This query is useful in identifying and managing the access points to your AWS S3 resources, thereby enhancing your data security.
select name, access_point_arn, bucket_namefrom aws_s3_access_point;
select name, access_point_arn, bucket_namefrom aws_s3_access_point;
List access points that only accept requests from a VPC
Discover the segments that are restricted to only accept requests from a Virtual Private Cloud (VPC), allowing for increased security and control over your AWS S3 access points. This is particularly useful for organizations that want to limit their access points to specific network resources.
select name, access_point_arn, vpc_idfrom aws_s3_access_pointwhere vpc_id is not null;
select name, access_point_arn, vpc_idfrom aws_s3_access_pointwhere vpc_id is not null;
List access points that do not block public access
Determine the areas in which your AWS S3 access points may be allowing public access. This is useful for identifying potential security vulnerabilities and ensuring your data is adequately protected.
select name, block_public_acls, block_public_policy, ignore_public_acls, restrict_public_bucketsfrom aws_s3_access_pointwhere not block_public_acls or not block_public_policy or not ignore_public_acls or not restrict_public_buckets;
select name, block_public_acls, block_public_policy, ignore_public_acls, restrict_public_bucketsfrom aws_s3_access_pointwhere not block_public_acls or not block_public_policy or not ignore_public_acls or not restrict_public_buckets;
List buckets that allows public access through their policies
Determine the areas in which public access is permitted through policy settings. This query is useful for identifying potential security risks and ensuring proper data protection measures are in place.
select name, access_point_policy_is_publicfrom aws_s3_access_pointwhere access_point_policy_is_public;
select name, access_point_policy_is_publicfrom aws_s3_access_pointwhere access_point_policy_is_public = 1;
Count the number of access points per bucket
Discover the segments that are using various access points by counting them per storage bucket. This is beneficial in managing resources and understanding usage patterns.
select bucket_name, count(name) access_point_countfrom aws_s3_access_pointgroup by bucket_name;
select bucket_name, count(name) as access_point_countfrom aws_s3_access_pointgroup by bucket_name;
Schema for aws_s3_access_point
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
access_point_arn | text | Amazon Resource Name (ARN) of the access point. | |
access_point_policy_is_public | boolean | Indicates whether this access point policy is public, or not. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
alias | text | The name or alias of the access point. | |
block_public_acls | boolean | Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. | |
block_public_policy | boolean | Specifies whether Amazon S3 should block public bucket policies for buckets in this account. | |
bucket_name | text | = | The name of the bucket associated with this access point. |
creation_date | timestamp with time zone | The date and time when the specified access point was created. | |
endpoints | jsonb | The VPC endpoint for the access point. | |
ignore_public_acls | boolean | Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. | |
name | text | = | Specifies the name of the access point. |
network_origin | text | Indicates whether this access point allows access from the public internet. If VpcConfiguration is specified for this access point, then NetworkOrigin is VPC, and the access point doesn't allow access from the public internet. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
policy | jsonb | The access point policy associated with the specified access point. | |
policy_std | jsonb | Contains the policy in a canonical form for easier searching. | |
region | text | = | The AWS Region in which the resource is located. |
restrict_public_buckets | boolean | Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
title | text | Title of the resource. | |
vpc_id | text | Specifies the VPC ID from which the access point will only allow connections. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_s3_access_point