steampipe plugin install aws

Table: aws_s3_multi_region_access_point - Query AWS S3 Multi-Region Access Point using SQL

The AWS S3 Multi-Region Access Point is a feature of AWS S3 that simplifies data access across multiple regions. It enhances performance by providing a single global endpoint to access a data set that is replicated across multiple geographies. It also offers automatic routing of requests to the bucket in the region that delivers the lowest latency.

Table Usage Guide

The aws_s3_multi_region_access_point table in Steampipe provides you with information about Multi-Region Access Points within Amazon Simple Storage Service (S3). This table allows you, as a DevOps engineer, to query Multi-Region Access Point-specific details, including the name, ARN, status, creation time, and associated policies. You can utilize this table to gather insights on Multi-Region Access Points, such as their current status, the buckets they are associated with, and the policies applied to them. The schema outlines the various attributes of the Multi-Region Access Point for you, including the ARN, alias, home region, and associated bucket details.

Amazon S3 Multi-Region Access Point provides you with a global endpoint that your applications can use to fulfill requests from S3 buckets located in multiple AWS Regions. You can use Multi-Region Access Points to build multi-region applications with the same architecture that's used in a single region, and then run those applications anywhere in the world. Instead of sending requests over the congested public internet, Multi-Region Access Points provide you with built-in network resilience with the acceleration of internet-based requests to Amazon S3.

Important Notes

  • You must grant the s3:ListAllMyBuckets permission to yourself, your role, or an IAM entity that makes a request to manage a Multi-Region Access Point.

Examples

Basic info

Explore which multi-region access points in AWS S3 are active or inactive and when they were created. This can be useful for auditing your AWS S3 configuration and ensuring that only necessary access points are active.

PostgreSQL and SQLite (the query is the same for both):

select
  alias,
  status,
  created_at
from
  aws_s3_multi_region_access_point;

List multi-region access points that do not block public access

Find the multi-region access points where at least one of the four public access block settings is not enabled. This can help you identify potential security risks and ensure appropriate access controls are in place.

PostgreSQL:

select
  name,
  public_access_block ->> 'BlockPublicAcls' as block_public_acls,
  public_access_block ->> 'BlockPublicPolicy' as block_public_policy,
  public_access_block ->> 'IgnorePublicAcls' as ignore_public_acls,
  public_access_block ->> 'RestrictPublicBuckets' as restrict_public_buckets
from
  aws_s3_multi_region_access_point
where
  -- a setting that is false or missing means public access is not fully blocked
  (public_access_block ->> 'BlockPublicAcls') is distinct from 'true'
  or (public_access_block ->> 'BlockPublicPolicy') is distinct from 'true'
  or (public_access_block ->> 'IgnorePublicAcls') is distinct from 'true'
  or (public_access_block ->> 'RestrictPublicBuckets') is distinct from 'true';

SQLite:

select
  name,
  json_extract(public_access_block, '$.BlockPublicAcls') as block_public_acls,
  json_extract(public_access_block, '$.BlockPublicPolicy') as block_public_policy,
  json_extract(public_access_block, '$.IgnorePublicAcls') as ignore_public_acls,
  json_extract(public_access_block, '$.RestrictPublicBuckets') as restrict_public_buckets
from
  aws_s3_multi_region_access_point
where
  -- json_extract returns JSON true as integer 1; "is not" also matches a missing setting
  json_extract(public_access_block, '$.BlockPublicAcls') is not 1
  or json_extract(public_access_block, '$.BlockPublicPolicy') is not 1
  or json_extract(public_access_block, '$.IgnorePublicAcls') is not 1
  or json_extract(public_access_block, '$.RestrictPublicBuckets') is not 1;

Get policy details of each multi-region access point

Gain insights into the established and proposed policies for each multi-region access point in your AWS S3 service. This is useful for understanding the current and future policy configurations, helping you manage and plan your access points effectively.

PostgreSQL:

select
  name,
  policy -> 'Established' -> 'Policy' as established_policy,
  policy -> 'Proposed' -> 'Policy' as proposed_policy
from
  aws_s3_multi_region_access_point;

SQLite:

select
  name,
  json_extract(policy, '$.Established.Policy') as established_policy,
  json_extract(policy, '$.Proposed.Policy') as proposed_policy
from
  aws_s3_multi_region_access_point;

Count the number of multi-region access points per bucket

Explore the distribution of multi-region access points across different buckets to better understand your AWS S3 usage patterns.

PostgreSQL:

select
  r ->> 'Bucket' as bucket_name,
  count(name) access_point_count
from
  aws_s3_multi_region_access_point,
  jsonb_array_elements(regions) as r
group by
  bucket_name;

SQLite:

select
  json_extract(r.value, '$.Bucket') as bucket_name,
  count(name) as access_point_count
from
  aws_s3_multi_region_access_point,
  json_each(regions) as r
group by
  bucket_name;

Get bucket details of each multi-region access point

Gain insights into the details of each multi-region access point, including bucket creation date and versioning status, to enhance your understanding of your AWS S3 configuration.

PostgreSQL:

select
  a.name,
  r ->> 'Bucket' as bucket_name,
  b.creation_date as bucket_creation_date,
  b.bucket_policy_is_public,
  b.versioning_enabled
from
  aws_s3_multi_region_access_point as a,
  jsonb_array_elements(a.regions) as r,
  aws_s3_bucket as b
where
  b.name = r ->> 'Bucket';

SQLite:

select
  a.name,
  json_extract(r.value, '$.Bucket') as bucket_name,
  b.creation_date as bucket_creation_date,
  b.bucket_policy_is_public,
  b.versioning_enabled
from
  aws_s3_multi_region_access_point as a,
  json_each(a.regions) as r,
  aws_s3_bucket as b
where
  b.name = json_extract(r.value, '$.Bucket');
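
The public access block check and the bucket join shown above can be combined into a single exposure review. The following query is an added example, not part of the Steampipe documentation; it uses PostgreSQL syntax and only the tables and columns that appear in the queries on this page, and the names mrap and fully_blocked are introduced here for illustration.

```sql
-- Added example, PostgreSQL syntax. The CTE name "mrap" and the
-- "fully_blocked" column are introduced here for illustration.
with mrap as (
  select
    name,
    status,
    regions,
    -- true only when all four settings are present and enabled;
    -- a missing setting counts as not blocked
    coalesce((public_access_block ->> 'BlockPublicAcls')::boolean, false)
    and coalesce((public_access_block ->> 'BlockPublicPolicy')::boolean, false)
    and coalesce((public_access_block ->> 'IgnorePublicAcls')::boolean, false)
    and coalesce((public_access_block ->> 'RestrictPublicBuckets')::boolean, false)
      as fully_blocked
  from
    aws_s3_multi_region_access_point
)
select
  m.name,
  m.status,
  m.fully_blocked,
  r ->> 'Bucket' as bucket_name,
  b.bucket_policy_is_public,
  b.versioning_enabled
from
  mrap as m
  -- left joins keep access points with no region list and buckets
  -- that are not visible through this connection
  left join lateral jsonb_array_elements(m.regions) as r on true
  left join aws_s3_bucket as b on b.name = r ->> 'Bucket'
where
  not m.fully_blocked
  or b.bucket_policy_is_public
order by
  m.fully_blocked,
  b.bucket_policy_is_public desc nulls last,
  m.name;
```

Rows where fully_blocked is false and bucket_policy_is_public is true sort first and are the ones to review before the rest.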

Schema for aws_s3_multi_region_access_point

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | = | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| alias | text | | The alias for the Multi-Region Access Point. |
| created_at | timestamp with time zone | | When the Multi-Region Access Point create request was received. |
| name | text | = | The name of the Multi-Region Access Point. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| public_access_block | jsonb | | The PublicAccessBlock configuration that you want to apply to this Amazon S3 account. |
| region | text | | The AWS Region in which the resource is located. |
| regions | jsonb | | A collection of the Regions and buckets associated with the Multi-Region Access Point. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | | The current status of the Multi-Region Access Point. CREATING and DELETING are temporary states that exist while the request is propagating and being completed. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_s3_multi_region_access_point