Table: aws_securityhub_finding_aggregator - Query AWS Security Hub Finding Aggregator using SQL
A finding aggregator is the AWS Security Hub resource that implements cross-Region aggregation: it replicates findings from the linked Regions of an account into a single aggregation Region, so that findings from across your Regions can be viewed, searched and managed in one place. Because Security Hub only aggregates findings from the Regions the aggregator links, its configuration determines whether a finding raised in a given Region is visible centrally at all. This Steampipe table exposes that configuration so you can query it with SQL.
Table Usage Guide
The aws_securityhub_finding_aggregator table in Steampipe provides information about the finding aggregator configured in an account: the aggregation Region, the Region linking mode, and the list of included or excluded Regions. It does not return findings themselves (use the aws_securityhub_finding table for that). As a security analyst or DevOps engineer, you can use this table to verify that findings from every Region you operate in are actually being consolidated, and to spot Regions that fall outside the aggregator's scope. The schema outlines the attributes of the aggregator, including its ARN, aggregation Region, linking mode and Region list.
Examples
Basic info
Explore the settings of AWS Security Hub's finding aggregator to understand the linking mode between different regions and the region where findings are aggregated. This is useful for assessing the configuration of your security alerts and understanding how your security data is being managed across different geographical locations.
Postgres and SQLite:

select
  arn,
  finding_aggregation_region,
  region_linking_mode
from
  aws_securityhub_finding_aggregator;
List finding aggregators linked to all regions
Identify the instances where all regions are linked to a specific finding aggregator in AWS SecurityHub. This can be useful for understanding how security findings are aggregated across different regions.
Postgres and SQLite:

select
  arn,
  finding_aggregation_region,
  region_linking_mode
from
  aws_securityhub_finding_aggregator
where
  region_linking_mode = 'ALL_REGIONS';
List regions for finding aggregators that include specific regions
List the individual Regions linked by aggregators that use the SPECIFIED_REGIONS mode, one row per linked Region. This is useful for understanding the scope of your aggregated findings and confirming that every Region you operate in is on the list; a Region missing here is not aggregated.
Postgres:

select
  arn,
  region_linking_mode,
  r as linked_region
from
  aws_securityhub_finding_aggregator,
  jsonb_array_elements_text(regions) as r
where
  region_linking_mode = 'SPECIFIED_REGIONS';

SQLite:

select
  arn,
  region_linking_mode,
  r.value as linked_region
from
  aws_securityhub_finding_aggregator,
  json_each(regions) as r
where
  region_linking_mode = 'SPECIFIED_REGIONS';
List regions for finding aggregators that exclude specific regions
List the Regions that remain linked by aggregators that use the ALL_REGIONS_EXCEPT_SPECIFIED mode, that is, every Region in the account except those on the aggregator's exclusion list. This is useful for identifying potential security blind spots in your regional coverage: any excluded Region keeps its findings local. Note that the exclusion must be tested with a membership check against the whole regions array; cross-joining the array elements and filtering with a.name <> r would still list an excluded Region whenever the array contains a second, different entry.

Postgres:

select
  f.arn,
  a.name as linked_region
from
  aws_securityhub_finding_aggregator as f,
  aws_region as a
where
  f.region_linking_mode = 'ALL_REGIONS_EXCEPT_SPECIFIED'
  and a.name not in (select jsonb_array_elements_text(f.regions));

SQLite:

select
  f.arn,
  a.name as linked_region
from
  aws_securityhub_finding_aggregator as f,
  aws_region as a
where
  f.region_linking_mode = 'ALL_REGIONS_EXCEPT_SPECIFIED'
  and a.name not in (select value from json_each(f.regions));
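The queries above each cover one linking mode. The coverage check a practitioner actually wants is the complement: which Regions in the account are not linked by any aggregator, whatever its mode. The following Postgres query is an added example, not one from the Steampipe documentation; it assumes the aws_region table's name and opt_in_status columns, and that opt_in_status is 'not-opted-in' for Regions that are disabled for the account (these are assumptions about the aws_region table, not guaranteed by this page). A linking mode other than the three shown here is treated as linking nothing beyond the aggregation Region itself.

```sql
-- Added example (not from the Steampipe docs): Regions enabled in this account
-- whose findings never reach the aggregation Region.
-- Assumes aws_region.name and aws_region.opt_in_status exist, and that
-- 'not-opted-in' marks Regions disabled for the account.
with linked_regions as (
  select
    a.name as region_name
  from
    aws_region as a
    cross join aws_securityhub_finding_aggregator as f
  where
    -- the aggregation Region always sees its own findings
    a.name = f.finding_aggregation_region
    or f.region_linking_mode = 'ALL_REGIONS'
    or (
      f.region_linking_mode = 'SPECIFIED_REGIONS'
      and a.name in (select jsonb_array_elements_text(f.regions))
    )
    or (
      f.region_linking_mode = 'ALL_REGIONS_EXCEPT_SPECIFIED'
      and a.name not in (select jsonb_array_elements_text(f.regions))
    )
)
select
  a.name as unaggregated_region,
  a.opt_in_status
from
  aws_region as a
where
  a.opt_in_status <> 'not-opted-in'
  -- NOT EXISTS tolerates duplicate aggregator rows (e.g. one row per
  -- Region of a multi-Region connection) without double counting
  and not exists (
    select 1
    from linked_regions as l
    where l.region_name = a.name
  )
order by
  a.name;
```

If no aggregator is configured at all, the cross join is empty and every enabled Region is reported, which is the correct answer: nothing is being aggregated. An empty result means every enabled Region is either the aggregation Region or linked to it.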
Schema for aws_securityhub_finding_aggregator
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | = | The Amazon Resource Name (ARN) of the finding aggregator. |
finding_aggregation_region | text | | The aggregation Region. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
region_linking_mode | text | | Indicates whether to link all Regions (ALL_REGIONS), all Regions except for a list of excluded Regions (ALL_REGIONS_EXCEPT_SPECIFIED), or a list of included Regions (SPECIFIED_REGIONS). |
regions | jsonb | | The list of excluded Regions or included Regions, depending on region_linking_mode. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_securityhub_finding_aggregator