Table: aws_s3_access_point - Query AWS S3 Access Point using SQL
The AWS S3 Access Point is a feature of the AWS S3 service that simplifies managing data access at scale for applications using shared data sets on S3. Access Points are unique hostnames with dedicated access policies that describe how data can be accessed using that endpoint. They offer a way to easily manage access to shared datasets by creating separate access points for specific users or roles.
Table Usage Guide
The aws_s3_access_point table in Steampipe provides you with information about Access Points within AWS Simple Storage Service (S3). This table enables you, as a DevOps engineer, developer, or data analyst, to query Access Point-specific details, including the Access Point's name, associated bucket, network origin, policy status, and creation time. You can use this table to gather insights on Access Points, such as their permissions, associated buckets, and more. The schema outlines the various attributes of the S3 Access Point for you, including the ARN, bucket name, creation date, and associated tags.
Examples
Basic info
List the access points that have been created for your S3 buckets, with their ARN and the bucket each one fronts. This query is a useful starting point for inventorying and managing the access points to your AWS S3 resources.

```sql
select
  name,
  access_point_arn,
  bucket_name
from
  aws_s3_access_point;
```
List access points that only accept requests from a VPC
List the access points that are restricted to accept requests only from a Virtual Private Cloud (VPC). An access point with a VPC configuration does not accept requests from the public internet, which gives you tighter control over the network paths to your data. This is particularly useful for organizations that want to limit their access points to specific network resources.

```sql
select
  name,
  access_point_arn,
  vpc_id
from
  aws_s3_access_point
where
  vpc_id is not null;
```
List access points that do not block public access
Find the access points on which at least one of the four Block Public Access settings is disabled. Each setting closes a different path to public exposure (public ACLs, public bucket policies, existing public ACLs, and cross-account public policies), so an access point is only fully protected when all four are enabled. This is useful for identifying potential public-exposure risks and ensuring your data is adequately protected.

```sql
select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_access_point
where
  not block_public_acls
  or not block_public_policy
  or not ignore_public_acls
  or not restrict_public_buckets;
```
List access points that allow public access through their policies
Find the access points whose attached policy is evaluated as public. This query is useful for identifying potential security risks and ensuring proper data protection measures are in place.

```sql
select
  name,
  access_point_policy_is_public
from
  aws_s3_access_point
where
  access_point_policy_is_public;
```

The same query in the SQLite form, where the boolean column is compared against 1:

```sql
select
  name,
  access_point_policy_is_public
from
  aws_s3_access_point
where
  access_point_policy_is_public = 1;
```
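The two checks above (Block Public Access settings and the public-policy flag) are usually reviewed together, because an access point is only reachable by anonymous callers when it is internet-facing, its own policy grants access to everyone, and neither the access point's nor the underlying bucket's Block Public Access settings stop that grant. The PostgreSQL query below is an added example and is not part of the Steampipe documentation. It assumes the aws_s3_access_point columns documented on this page, the aws_s3_bucket table from the same plugin (assumed to expose name and the same four block-public-access columns), the canonical policy_std layout in which a wildcard principal appears under Principal.AWS, and the NetworkOrigin values Internet and VPC from the S3 Control API. The jsonb operators it uses are PostgreSQL-only, so it has no SQLite form.

```sql
-- Added example, not from the Steampipe docs. PostgreSQL dialect.
-- Count, per access point, the policy statements that allow access to
-- a wildcard principal. policy_std is the canonicalised policy, so a
-- bare "*" principal is expected under Principal -> AWS here (assumed).
with public_statements as (
  select
    ap.access_point_arn,
    count(*) as public_allow_statements
  from
    aws_s3_access_point as ap,
    jsonb_array_elements(ap.policy_std -> 'Statement') as s
  where
    s ->> 'Effect' = 'Allow'
    and s -> 'Principal' -> 'AWS' ? '*'
  group by
    ap.access_point_arn
)
select
  ap.name,
  ap.bucket_name,
  ap.network_origin,
  ap.access_point_policy_is_public,
  -- Zero when the policy has no wildcard-principal Allow statement
  -- (or when there is no policy at all, since the join finds no row).
  coalesce(ps.public_allow_statements, 0) as public_allow_statements,
  -- True when any of the four Block Public Access settings is off
  -- on the access point itself.
  not (ap.block_public_acls
       and ap.block_public_policy
       and ap.ignore_public_acls
       and ap.restrict_public_buckets) as access_point_pab_incomplete,
  -- Same check on the bucket behind the access point (assumed columns
  -- on aws_s3_bucket). Null when the bucket is not visible to this
  -- connection, e.g. it belongs to another account.
  not (b.block_public_acls
       and b.block_public_policy
       and b.ignore_public_acls
       and b.restrict_public_buckets) as bucket_pab_incomplete
from
  aws_s3_access_point as ap
  left join public_statements as ps
    on ps.access_point_arn = ap.access_point_arn
  left join aws_s3_bucket as b
    on b.name = ap.bucket_name
where
  -- VPC-only access points are never reachable from the internet,
  -- so only the internet-facing ones are of interest here.
  ap.network_origin = 'Internet'
  and (
    ap.access_point_policy_is_public
    or ps.public_allow_statements > 0
    or not (ap.block_public_acls
            and ap.block_public_policy
            and ap.ignore_public_acls
            and ap.restrict_public_buckets)
  )
order by
  ap.bucket_name,
  ap.name;
```

Rows where access_point_policy_is_public is true or public_allow_statements is greater than zero while both *_pab_incomplete columns are false are typically the benign case: the policy is public on paper but Block Public Access is enforcing on both layers. Rows with a public grant and either flag true are the ones to review first.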
Count the number of access points per bucket
Count the access points that front each bucket. This is useful for managing resources and understanding usage patterns, for example spotting buckets that have accumulated many access points.

```sql
select
  bucket_name,
  count(name) as access_point_count
from
  aws_s3_access_point
group by
  bucket_name;
```
Control examples
Schema for aws_s3_access_point
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
access_point_arn | text | | Amazon Resource Name (ARN) of the access point. |
access_point_policy_is_public | boolean | | Indicates whether this access point policy is public, or not. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
alias | text | | The name or alias of the access point. |
block_public_acls | boolean | | Specifies whether Amazon S3 should block public access control lists (ACLs) for buckets in this account. |
block_public_policy | boolean | | Specifies whether Amazon S3 should block public bucket policies for buckets in this account. |
bucket_name | text | = | The name of the bucket associated with this access point. |
creation_date | timestamp with time zone | | The date and time when the specified access point was created. |
endpoints | jsonb | | The VPC endpoint for the access point. |
ignore_public_acls | boolean | | Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. |
name | text | = | Specifies the name of the access point. |
network_origin | text | | Indicates whether this access point allows access from the public internet. If VpcConfiguration is specified for this access point, then NetworkOrigin is VPC, and the access point doesn't allow access from the public internet. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | The access point policy associated with the specified access point. |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
region | text | = | The AWS Region in which the resource is located. |
restrict_public_buckets | boolean | | Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | Title of the resource. |
vpc_id | text | | Specifies the VPC ID from which the access point will only allow connections. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_s3_access_point
```