Table: aws_securityhub_standards_subscription - Query AWS Security Hub Standards Subscriptions using SQL
AWS Security Hub Standards Subscriptions is a feature of AWS Security Hub that lets you manage and implement security standards in your AWS environments. Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across AWS accounts, so you can quickly assess your security and compliance status, identify potential issues, and take the actions needed to keep the environment secure and compliant.
Table Usage Guide
The aws_securityhub_standards_subscription table in Steampipe provides you with information about standards subscriptions within AWS Security Hub. This table allows you, as a DevOps engineer, to query subscription-specific details, including the standard's ARN, name, description, and compliance status. You can utilize this table to gather insights on standards, such as their status, updates, and the regions in which they are enabled. The schema outlines the various attributes of the standards subscription for you, including the standards ARN, status, and enabled timestamp.
Examples
Basic info
Explore which security standards are currently subscribed to within your AWS Security Hub across different regions. This can help you assess your security posture and ensure compliance with necessary standards.
-- Postgres and SQLite
select name, standards_arn, description, region from aws_securityhub_standards_subscription;
List enabled security hub standards
Discover the segments that are automatically safeguarded by identifying the security standards that are activated by default within AWS Security Hub. The query filters on enabled_by_default, which indicates whether the standard is enabled by default. This is beneficial for understanding which areas of your system are already protected by default settings, helping to inform decisions on additional security measures.
-- Postgres
select name, standards_arn, enabled_by_default from aws_securityhub_standards_subscription where enabled_by_default;
-- SQLite
select name, standards_arn, enabled_by_default from aws_securityhub_standards_subscription where enabled_by_default = 1;
List standards whose status is not ready
Explore which security standards are not in a 'ready' state. This is useful to identify potential issues or delays in your security configuration.
-- Postgres
select name, standards_arn, standards_subscription_arn, standards_status, standards_status_reason_code from aws_securityhub_standards_subscription where standards_status <> 'READY';
-- SQLite
select name, standards_arn, standards_subscription_arn, standards_status, standards_status_reason_code from aws_securityhub_standards_subscription where standards_status != 'READY';
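The following Postgres query is an added example, not part of the original Steampipe documentation. It rolls the "not ready" check up per account and region, using only columns from the schema below. It assumes that standards_status can be NULL for some rows; the `<>` comparison above silently drops such rows, while `is distinct from` keeps them.

```sql
-- Added example (Postgres dialect): per-account, per-region summary of
-- standards that are not READY. Column names come from the table schema.
-- Assumption: standards_status may be NULL for some rows. "<> 'READY'"
-- evaluates to NULL for those rows and filters them out, so this query
-- uses "is distinct from" to count them as needing attention.
select
  account_id,
  region,
  count(*) as standards_total,
  count(*) filter (where standards_status = 'READY') as standards_ready,
  count(*) filter (
    where enabled_by_default
      and (standards_status is distinct from 'READY')
  ) as default_standards_not_ready,
  string_agg(
    name || ' [' || coalesce(standards_status, 'NO STATUS') || ' / '
         || coalesce(standards_status_reason_code, 'no reason code') || ']',
    '; ' order by name
  ) filter (where standards_status is distinct from 'READY') as needs_attention
from
  aws_securityhub_standards_subscription
group by
  account_id,
  region
having
  count(*) filter (where standards_status is distinct from 'READY') > 0
order by
  account_id,
  region;
```

Account and region pairs where every standard is READY are omitted, so an empty result means nothing needs attention.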
List standards that are not managed by AWS
Determine the areas in which security standards are not managed by AWS, allowing you to pinpoint specific locations where alternative management strategies are in effect.
-- Postgres
select name, standards_arn, standards_managed_by ->> 'Company' as standards_managed_by_company from aws_securityhub_standards_subscription where standards_managed_by ->> 'Company' <> 'AWS';
-- SQLite
select name, standards_arn, json_extract(standards_managed_by, '$.Company') as standards_managed_by_company from aws_securityhub_standards_subscription where json_extract(standards_managed_by, '$.Company') <> 'AWS';
Schema for aws_securityhub_standards_subscription
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
description | text | | The description of the standard. |
enabled_by_default | boolean | | Indicates whether the standard is enabled by default. |
name | text | | The name of the standard. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
standards_arn | text | | The ARN of a standard. |
standards_input | jsonb | | A key-value pair of input for the standard. |
standards_managed_by | jsonb | | Provides details about the management of a security standard. |
standards_status | text | | The status of the standard subscription. |
standards_status_reason_code | text | | The reason code that represents the reason for the current status of a standard subscription. |
standards_subscription_arn | text | | The ARN of a resource that represents your subscription to a supported standard. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_securityhub_standards_subscription