steampipe plugin install aws

Table: aws_secretsmanager_secret - Query AWS Secrets Manager Secret using SQL

AWS Secrets Manager is a secure and scalable service that enables you to manage secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises. This service helps protect access to your applications, services, and IT resources without the upfront investment and ongoing maintenance costs of operating your own infrastructure.

Table Usage Guide

The aws_secretsmanager_secret table in Steampipe provides you with information about secrets within AWS Secrets Manager. This table allows you, as a DevOps engineer, to query secret-specific details, including metadata, versions, rotation configuration, and more. You can utilize this table to gather insights on secrets, such as secret rotation status, associated resource policies, and more. The schema outlines the various attributes of the secret for you, including the secret ARN, name, description, rotation rules, and associated tags.

Examples

Basic info

Gain insights into the creation and last accessed dates of your AWS Secrets Manager secrets. This can help in managing secret lifecycle, ensuring secrets are regularly updated or identifying unused secrets.

Postgres and SQLite:

    select
      name,
      created_date,
      description,
      last_accessed_date
    from
      aws_secretsmanager_secret;

List secrets that do not automatically rotate

Find the secrets that do not have automatic rotation enabled. Secrets that never rotate stay valid indefinitely if they leak, so this list is a starting point for identifying security risks and enforcing rotation.

Postgres:

    select
      name,
      created_date,
      description,
      rotation_enabled
    from
      aws_secretsmanager_secret
    where
      not rotation_enabled;

SQLite:

    select
      name,
      created_date,
      description,
      rotation_enabled
    from
      aws_secretsmanager_secret
    where
      rotation_enabled = 0;

List secrets with a rotation interval longer than 7 days

Identify the secrets in your AWS Secrets Manager whose AutomaticallyAfterDays rotation interval is greater than 7, that is, secrets that rotate less often than every 7 days. This can be useful for maintaining a high level of security by ensuring that secrets are updated regularly.

Postgres:

    select
      name,
      created_date,
      description,
      rotation_enabled,
      rotation_rules
    from
      aws_secretsmanager_secret
    where
      rotation_rules -> 'AutomaticallyAfterDays' > '7';

SQLite:

    select
      name,
      created_date,
      description,
      rotation_enabled,
      rotation_rules
    from
      aws_secretsmanager_secret
    where
      json_extract(rotation_rules, '$.AutomaticallyAfterDays') > 7;
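
The queries above show whether rotation is configured, not whether it is actually happening. The following added example (Postgres dialect, not part of the original table documentation) lists secrets where rotation is enabled but the last successful rotation is older than the configured interval, which usually points at a failing rotation Lambda. It assumes the schedule is stored under the AutomaticallyAfterDays key and uses only columns from the schema on this page.

```sql
-- Added example: rotation is enabled but overdue.
select
  name,
  region,
  rotation_lambda_arn,
  (rotation_rules ->> 'AutomaticallyAfterDays')::int as interval_days,
  last_rotated_date,
  -- Fall back to created_date for secrets that have never rotated.
  now() - coalesce(last_rotated_date, created_date) as age_since_rotation
from
  aws_secretsmanager_secret
where
  rotation_enabled
  and deleted_date is null
  -- Assumption: the schedule is expressed as AutomaticallyAfterDays;
  -- secrets whose rotation_rules lack that key are skipped.
  and rotation_rules ->> 'AutomaticallyAfterDays' is not null
  and coalesce(last_rotated_date, created_date)
      + make_interval(days => (rotation_rules ->> 'AutomaticallyAfterDays')::int)
      < now()
order by
  age_since_rotation desc;
```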

List secrets that are not replicated in other regions

Find the secrets that are not replicated to any other region. This can be useful for ensuring data redundancy and mitigating risks associated with data loss in specific geographical locations.

Postgres and SQLite:

    select
      name,
      created_date,
      description,
      replication_status
    from
      aws_secretsmanager_secret
    where
      replication_status is null;

List policy details for the secrets

Show the resource policy attached to each secret, both as written (policy) and in canonical form (policy_std). Reviewing these policies shows which principals are granted access to each secret.

Postgres:

    select
      name,
      jsonb_pretty(policy) as policy,
      jsonb_pretty(policy_std) as policy_std
    from
      aws_secretsmanager_secret;

SQLite:

    select
      name,
      policy,
      policy_std
    from
      aws_secretsmanager_secret;
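
Dumping the policy documents still leaves the review to be done by eye. The following added example (Postgres dialect, not part of the original table documentation) unpacks policy_std and reports Allow statements that grant access to any principal or to a principal outside the secret's own account. It assumes the canonical form stores statements under Statement, AWS principals as an array under Principal -> AWS, and actions as an array under Action.

```sql
-- Added example: secrets whose resource policy allows wildcard or
-- cross-account principals.
select
  name,
  account_id,
  p as principal,
  a as action,
  case
    when p = '*' then 'any principal'
    else 'cross-account principal'
  end as finding,
  -- A Condition block may narrow the grant; review it before triaging.
  s -> 'Condition' as conditions
from
  aws_secretsmanager_secret,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    p = '*'
    -- Assumption: same-account principals contain the owning account ID.
    or p not like ('%' || account_id || '%')
  )
order by
  name,
  principal,
  action;
```

Secrets with no resource policy produce no rows, because the join on policy_std has nothing to expand.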

Schema for aws_secretsmanager_secret

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| account_id | text | | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | = | The Amazon Resource Name (ARN) of the secret. |
| created_date | timestamp with time zone | | The date and time when a secret was created. |
| deleted_date | timestamp with time zone | | The date and time the deletion of the secret occurred. |
| description | text | = | The user-provided description of the secret. |
| kms_key_id | text | | The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. |
| last_accessed_date | timestamp with time zone | | The last date that this secret was accessed. |
| last_changed_date | timestamp with time zone | | The last date and time that this secret was modified in any way. |
| last_rotated_date | timestamp with time zone | | The most recent date and time that the Secrets Manager rotation process was successfully completed. |
| name | text | = | The friendly name of the secret. |
| owning_service | text | | Returns the name of the service that created the secret. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| policy | jsonb | | A JSON-formatted string that describes the permissions that are associated with the attached secret. |
| policy_std | jsonb | | Contains the permissions that are associated with the attached secret in a canonical form for easier searching. |
| primary_region | text | = | The Region where Secrets Manager originated the secret. |
| region | text | | The AWS Region in which the resource is located. |
| replication_status | jsonb | | Describes a list of replication status objects as InProgress, Failed or InSync. |
| rotation_enabled | boolean | | Indicates whether automatic, scheduled rotation is enabled for this secret. |
| rotation_lambda_arn | text | | The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret. |
| rotation_rules | jsonb | | A structure that defines the rotation configuration for the secret. |
| secret_versions_to_stages | jsonb | | A list of all of the currently assigned SecretVersionStage staging labels and the SecretVersionId attached to each one. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | The list of user-defined tags associated with the secret. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_secretsmanager_secret