steampipe plugin install aws

Table: aws_securityhub_standards_subscription - Query AWS Security Hub Standards Subscriptions using SQL

AWS Security Hub standards subscriptions let you manage and implement security standards in your AWS environments. Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across AWS accounts, so you can quickly assess your security and compliance status, identify potential issues, and take the actions needed to maintain a secure and compliant environment.

Table Usage Guide

The aws_securityhub_standards_subscription table in Steampipe provides you with information about standards subscriptions within AWS Security Hub. This table allows you, as a DevOps engineer, to query subscription-specific details, including the standard's ARN, name, description, and compliance status. You can utilize this table to gather insights on standards, such as their status, updates, and the regions in which they are enabled. The schema outlines the various attributes of the standards subscription for you, including the standards ARN, status, and enabled timestamp.

Examples

Basic info

Explore which security standards are currently subscribed to within AWS Security Hub across different regions. This can help you assess your security posture and ensure compliance with necessary standards.

select
  name,
  standards_arn,
  description,
  region
from
  aws_securityhub_standards_subscription;

List enabled security hub standards

Identify the subscribed standards that AWS Security Hub enables by default. The enabled_by_default column indicates whether a standard is enabled by default, so this shows which standards are already in place through default settings and helps inform decisions on additional security measures.

Postgres:

select
  name,
  standards_arn,
  enabled_by_default
from
  aws_securityhub_standards_subscription
where
  enabled_by_default;

SQLite:

select
  name,
  standards_arn,
  enabled_by_default
from
  aws_securityhub_standards_subscription
where
  enabled_by_default = 1;

List standards whose status is not ready

Explore which security standards are not in a 'ready' state. This is useful to identify potential issues or delays in your security configuration.

Postgres:

select
  name,
  standards_arn,
  standards_subscription_arn,
  standards_status,
  standards_status_reason_code
from
  aws_securityhub_standards_subscription
where
  standards_status <> 'READY';

SQLite:

select
  name,
  standards_arn,
  standards_subscription_arn,
  standards_status,
  standards_status_reason_code
from
  aws_securityhub_standards_subscription
where
  standards_status != 'READY';

List standards that are not managed by AWS

Identify the subscribed standards whose managing company is not AWS, so you can see where a standard is maintained by another party.

Postgres:

select
  name,
  standards_arn,
  standards_managed_by ->> 'Company' as standards_managed_by_company
from
  aws_securityhub_standards_subscription
where
  standards_managed_by ->> 'Company' <> 'AWS';

SQLite:

select
  name,
  standards_arn,
  json_extract(standards_managed_by, '$.Company') as standards_managed_by_company
from
  aws_securityhub_standards_subscription
where
  json_extract(standards_managed_by, '$.Company') <> 'AWS';
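
Find coverage gaps across regions

The queries above each inspect subscriptions row by row. The following added example (Postgres syntax, not part of the original plugin documentation) builds a standard-by-region matrix per account and reports every cell where a standard is either not subscribed or not READY. It assumes a standard carries the same name in every region, and NOT_SUBSCRIBED is a label constructed for this query, not a Security Hub status.

```sql
-- Added example: per-account coverage matrix of standards across regions.
with subs as (
  select
    account_id,
    region,
    name,
    standards_status,
    standards_status_reason_code
  from
    aws_securityhub_standards_subscription
),
-- Regions in which the account has at least one subscription.
regions as (
  select distinct account_id, region from subs
),
-- Standards the account subscribes to in at least one region.
standards as (
  select distinct account_id, name from subs
)
select
  r.account_id,
  st.name,
  r.region,
  -- NOT_SUBSCRIBED is a constructed label for a missing row.
  coalesce(s.standards_status, 'NOT_SUBSCRIBED') as coverage,
  s.standards_status_reason_code
from
  regions as r
  join standards as st on st.account_id = r.account_id
  -- Match on name (assumed stable across regions) rather than on ARN.
  left join subs as s
    on s.account_id = r.account_id
    and s.region = r.region
    and s.name = st.name
where
  s.standards_status is null
  or s.standards_status <> 'READY'
order by
  r.account_id,
  st.name,
  r.region;
```

Regions that return no rows at all from this table do not appear in the matrix, so an empty result shows consistency among regions that have subscriptions, not full regional coverage.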

Schema for aws_securityhub_standards_subscription

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| description | text | | The description of the standard. |
| enabled_by_default | boolean | | Indicates whether the standard is enabled by default. |
| name | text | | The name of the standard. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| standards_arn | text | | The ARN of a standard. |
| standards_input | jsonb | | A key-value pair of input for the standard. |
| standards_managed_by | jsonb | | Provides details about the management of a security standard. |
| standards_status | text | | The status of the standard subscription. |
| standards_status_reason_code | text | | The reason code that represents the reason for the current status of a standard subscription. |
| standards_subscription_arn | text | | The ARN of a resource that represents your subscription to a supported standard. |
| title | text | | Title of the resource. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install the exporter with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_securityhub_standards_subscription