steampipe plugin install aws

Table: aws_s3_access_point - Query AWS S3 Access Point using SQL

The AWS S3 Access Point is a feature of the AWS S3 service that simplifies managing data access at scale for applications using shared data sets on S3. Access Points are unique hostnames with dedicated access policies that describe how data can be accessed using that endpoint. They offer a way to easily manage access to shared datasets by creating separate access points for specific users or roles.

Table Usage Guide

The aws_s3_access_point table in Steampipe provides you with information about Access Points within AWS Simple Storage Service (S3). This table enables you, as a DevOps engineer, developer, or data analyst, to query Access Point-specific details, including the Access Point's name, associated bucket, network origin, policy status, and creation time. You can utilize this table to gather insights on Access Points, such as their permissions, associated buckets, and more. The schema outlines the various attributes of the S3 Access Point for you, including the ARN, bucket name, creation date, and associated tags.

Examples

Basic info

Discover the segments that have been granted access to your S3 buckets. This query is useful in identifying and managing the access points to your AWS S3 resources, thereby enhancing your data security.

select
name,
access_point_arn,
bucket_name
from
aws_s3_access_point;
select
name,
access_point_arn,
bucket_name
from
aws_s3_access_point;

List access points that only accept requests from a VPC

Discover the segments that are restricted to only accept requests from a Virtual Private Cloud (VPC), allowing for increased security and control over your AWS S3 access points. This is particularly useful for organizations that want to limit their access points to specific network resources.

select
name,
access_point_arn,
vpc_id
from
aws_s3_access_point
where
vpc_id is not null;
select
name,
access_point_arn,
vpc_id
from
aws_s3_access_point
where
vpc_id is not null;

List access points that do not block public access

Determine the areas in which your AWS S3 access points may be allowing public access. This is useful for identifying potential security vulnerabilities and ensuring your data is adequately protected.

select
name,
block_public_acls,
block_public_policy,
ignore_public_acls,
restrict_public_buckets
from
aws_s3_access_point
where
not block_public_acls
or not block_public_policy
or not ignore_public_acls
or not restrict_public_buckets;
select
name,
block_public_acls,
block_public_policy,
ignore_public_acls,
restrict_public_buckets
from
aws_s3_access_point
where
not block_public_acls
or not block_public_policy
or not ignore_public_acls
or not restrict_public_buckets;

List buckets that allows public access through their policies

Determine the areas in which public access is permitted through policy settings. This query is useful for identifying potential security risks and ensuring proper data protection measures are in place.

select
name,
access_point_policy_is_public
from
aws_s3_access_point
where
access_point_policy_is_public;
select
name,
access_point_policy_is_public
from
aws_s3_access_point
where
access_point_policy_is_public = 1;

Count the number of access points per bucket

Discover the segments that are using various access points by counting them per storage bucket. This is beneficial in managing resources and understanding usage patterns.

select
bucket_name,
count(name) access_point_count
from
aws_s3_access_point
group by
bucket_name;
select
bucket_name,
count(name) as access_point_count
from
aws_s3_access_point
group by
bucket_name;

Schema for aws_s3_access_point

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form, e.g. connection_name.
access_point_arntextAmazon Resource Name (ARN) of the access point.
access_point_policy_is_publicbooleanIndicates whether this access point policy is public, or not.
account_idtextThe AWS Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
block_public_aclsbooleanSpecifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account.
block_public_policybooleanSpecifies whether Amazon S3 should block public bucket policies for buckets in this account.
bucket_nametext=The name of the bucket associated with this access point.
creation_datetimestamp with time zoneThe date and time when the specified access point was created.
ignore_public_aclsbooleanSpecifies whether Amazon S3 should ignore public ACLs for buckets in this account.
nametext=Specifies the name of the access point.
network_origintextIndicates whether this access point allows access from the public internet. If VpcConfiguration is specified for this access point, then NetworkOrigin is VPC, and the access point doesn't allow access from the public internet.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policyjsonbThe access point policy associated with the specified access point.
policy_stdjsonbContains the policy in a canonical form for easier searching.
regiontext=The AWS Region in which the resource is located.
restrict_public_bucketsbooleanSpecifies whether Amazon S3 should restrict public bucket policies for buckets in this account.
titletextTitle of the resource.
vpc_idtextSpecifies the VPC ID from which the access point will only allow connections.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_s3_access_point