steampipe plugin install aws

Table: aws_securitylake_subscriber - Query AWS Security Lake Subscriber using SQL

Amazon Security Lake collects security logs and events from AWS services, third-party products and custom sources into a purpose-built data lake in your account. A Security Lake subscriber is a consumer of that data: it is granted either S3 data access (reading the subscriber's objects from the Security Lake bucket, with optional notifications about new objects) or Lake Formation query access (querying the Security Lake tables with services such as Amazon Athena), through an IAM role that Security Lake creates for it. Subscribers are the main path by which data leaves the lake, so their roles, buckets, endpoints and status are worth reviewing regularly.

Table Usage Guide

The aws_securitylake_subscriber table in Steampipe provides you with information about subscribers within the AWS Security Lake service. This table allows you, as a DevOps engineer, security analyst, or other technical professional, to query subscriber-specific details, including the subscription status, the subscription endpoint and protocol, the IAM role and S3 bucket the subscriber uses, and the subscription creation and update times. You can utilize this table to gather insights on subscribers, such as their current status, where they receive notifications, and when they were created. The schema outlines the various attributes of the AWS Security Lake Subscriber for you, including the subscriber name, external ID, role ARN, S3 bucket ARN, subscription endpoint, status, and creation time.

Examples

Basic info

List every Security Lake subscriber together with the IAM role it assumes, the S3 bucket it reads from and the endpoint it is notified at. This is the starting inventory for reviewing who can pull data out of the lake and through which path.

select
subscriber_name,
subscription_id,
created_at,
role_arn,
s3_bucket_arn,
subscription_endpoint
from
aws_securitylake_subscriber;

List subscribers older than 30 days

Identify subscribers that were created more than 30 days ago. Long-lived subscriptions are a natural starting point for an access review: the role, bucket and endpoint they were granted may no longer be needed, or may have been granted before current controls were in place.

Postgres:

select
subscriber_name,
subscription_id,
created_at,
role_arn,
s3_bucket_arn,
subscription_endpoint
from
aws_securitylake_subscriber
where
created_at <= now() - interval '30' day;

SQLite:

select
subscriber_name,
subscription_id,
created_at,
role_arn,
s3_bucket_arn,
subscription_endpoint
from
aws_securitylake_subscriber
where
created_at <= datetime('now', '-30 day');

Get IAM role details for each subscriber

Review the IAM role each subscriber assumes: its trust (assume-role) policy, which decides who can become the subscriber, and its inline and attached permission policies, which decide what the subscriber can then read. This is the core of a subscriber access audit.

Postgres:

select
s.subscriber_name,
s.subscription_id,
r.arn,
r.inline_policies,
r.attached_policy_arns,
r.assume_role_policy
from
aws_securitylake_subscriber as s,
aws_iam_role as r
where
s.role_arn = r.arn;

SQLite:

select
s.subscriber_name,
s.subscription_id,
r.arn,
r.inline_policies,
r.attached_policy_arns,
r.assume_role_policy
from
aws_securitylake_subscriber as s
join aws_iam_role as r on s.role_arn = r.arn;
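The query above returns the trust policy for you to read; the following query, an added example rather than one of the page's own, evaluates it. A Security Lake subscriber role is meant to be assumable only by the subscriber's principal presenting the subscriber's external ID, so the query flags Allow statements for sts:AssumeRole that either trust any AWS principal or lack a StringEquals condition on sts:ExternalId matching the subscriber's external_id. It assumes the Postgres dialect and Steampipe's standardized assume_role_policy_std column, in which Statement is always an array, Action values are lower-cased and condition keys are lower-cased (so the condition key appears as sts:externalid).

```sql
-- Added example: find Security Lake subscriber roles whose trust policy is
-- weaker than "this one principal, with this external ID".
-- Assumes Postgres and Steampipe's assume_role_policy_std normalization
-- (Statement as an array, lower-cased actions and condition keys).
with trust_statements as (
  select
    s.subscriber_name,
    s.subscription_id,
    s.external_id,
    r.arn as role_arn,
    stmt
  from
    aws_securitylake_subscriber as s
    join aws_iam_role as r on s.role_arn = r.arn,
    jsonb_array_elements(r.assume_role_policy_std -> 'Statement') as stmt
  where
    stmt ->> 'Effect' = 'Allow'
    -- only statements that actually grant AssumeRole matter for the trust check
    and stmt -> 'Action' ? 'sts:assumerole'
),
evaluated as (
  select
    *,
    -- a wildcard AWS principal means any account can attempt the assume
    coalesce(stmt -> 'Principal' -> 'AWS' @> '"*"', false) as trusts_anyone,
    -- '@>' matches whether the condition value is a scalar or an array
    coalesce(
      stmt -> 'Condition' -> 'StringEquals' -> 'sts:externalid' @> to_jsonb(external_id),
      false
    ) as external_id_enforced
  from trust_statements
)
select
  subscriber_name,
  subscription_id,
  role_arn,
  stmt -> 'Principal' as principal,
  stmt -> 'Condition' as condition,
  case
    when trusts_anyone then 'trust policy allows any AWS principal'
    else 'no StringEquals sts:ExternalId condition matching the subscriber external_id'
  end as finding
from evaluated
where
  trusts_anyone
  or not external_id_enforced
order by
  subscriber_name;
```

An empty result is the expected state for roles created by Security Lake itself; rows point at trust policies that were edited by hand or created outside the service. The table does not expose the subscriber's own account ID, so the query cannot also check that the trusted principal belongs to that account; read the returned principal column for that.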

Get S3 bucket details for each subscriber

Review the S3 bucket each subscriber reads from: its event notification configuration (how subscribers learn about new objects), default server-side encryption, and ACL. Since subscribers pull data from this bucket, a misconfiguration here exposes the lake's contents, not just one subscriber's slice.

Postgres:

select
s.subscriber_name,
s.subscription_id,
b.arn,
b.event_notification_configuration,
b.server_side_encryption_configuration,
b.acl
from
aws_securitylake_subscriber as s,
aws_s3_bucket as b
where
s.s3_bucket_arn = b.arn;

SQLite:

select
s.subscriber_name,
s.subscription_id,
b.arn,
b.event_notification_configuration,
b.server_side_encryption_configuration,
b.acl
from
aws_securitylake_subscriber as s
join aws_s3_bucket as b on s.s3_bucket_arn = b.arn;
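As an added example that is not part of the page, the following query turns the raw bucket configuration returned above into a posture check: it flags subscriber buckets whose policy is public or whose Block Public Access settings are not all enabled, and extracts the default encryption algorithm and KMS key so you can confirm the bucket is encrypted the way you expect. It assumes the Postgres dialect, the aws_s3_bucket columns bucket_policy_is_public, block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets and versioning_enabled, and that server_side_encryption_configuration carries the S3 API's JSON shape (Rules -> ApplyServerSideEncryptionByDefault -> SSEAlgorithm / KMSMasterKeyID).

```sql
-- Added example: public-exposure and encryption posture of each subscriber's bucket.
-- Assumes Postgres and the aws_s3_bucket column names and JSON shapes noted above.
select
  s.subscriber_name,
  s.subscription_id,
  b.name as bucket_name,
  b.region,
  coalesce(b.bucket_policy_is_public, false) as bucket_policy_is_public,
  -- Block Public Access is only effective when all four settings are on;
  -- a null (not readable) setting is treated as off
  not (
    coalesce(b.block_public_acls, false)
    and coalesce(b.block_public_policy, false)
    and coalesce(b.ignore_public_acls, false)
    and coalesce(b.restrict_public_buckets, false)
  ) as public_access_block_incomplete,
  b.versioning_enabled,
  -- default encryption rule; the left join keeps buckets with no rule at all
  sse_rule -> 'ApplyServerSideEncryptionByDefault' ->> 'SSEAlgorithm' as sse_algorithm,
  sse_rule -> 'ApplyServerSideEncryptionByDefault' ->> 'KMSMasterKeyID' as kms_key_id
from
  aws_securitylake_subscriber as s
  join aws_s3_bucket as b on s.s3_bucket_arn = b.arn
  left join lateral jsonb_array_elements(b.server_side_encryption_configuration -> 'Rules')
    as sse_rule on true
where
  coalesce(b.bucket_policy_is_public, false)
  or not (
    coalesce(b.block_public_acls, false)
    and coalesce(b.block_public_policy, false)
    and coalesce(b.ignore_public_acls, false)
    and coalesce(b.restrict_public_buckets, false)
  )
  -- buckets with no default encryption rule are reported as well
  or sse_rule is null
order by
  s.subscriber_name;
```

Drop the where clause to get the same columns for every subscriber bucket as a plain inventory. Whether the encryption key should be an AWS managed key or a customer managed KMS key depends on how the Security Lake was configured, so the query reports the key rather than judging it.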

List subscribers that are not active

Discover subscribers whose subscription is in any status other than ACTIVE. A subscriber that is pending or deactivated still has a role and a bucket associated with it, so these rows are candidates for cleanup or for checking why a subscription never became active.

Postgres:

select
subscriber_name,
created_at,
subscription_status,
s3_bucket_arn,
sns_arn
from
aws_securitylake_subscriber
where
subscription_status <> 'ACTIVE';

SQLite:

select
subscriber_name,
created_at,
subscription_status,
s3_bucket_arn,
sns_arn
from
aws_securitylake_subscriber
where
subscription_status != 'ACTIVE';

Schema for aws_securitylake_subscriber

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
access_types | jsonb | | The access types granted to the subscriber: S3 (read access to the subscriber's data in the Security Lake bucket, with notification of new objects through an Amazon SQS queue or an HTTPS endpoint provided by the subscriber) and/or LAKEFORMATION (query access to the Lake Formation tables in the S3 bucket through services such as Amazon Athena).
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
created_at | timestamp with time zone | | The date and time when the subscription was created.
external_id | text | | The external ID of the subscriber, used in the sts:ExternalId condition of the subscriber role's trust policy.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
role_arn | text | | The Amazon Resource Name (ARN) of the IAM role the subscriber assumes.
s3_bucket_arn | text | | The Amazon Resource Name (ARN) of the Amazon S3 bucket the subscriber reads from.
sns_arn | text | | The Amazon Resource Name (ARN) of the Amazon SNS topic used for the subscriber.
source_types | jsonb | | The log and event sources the subscriber receives, from the natively supported AWS services and any custom sources.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
subscriber_description | text | | The description of the subscriber account.
subscriber_name | text | | The name of your Amazon Security Lake subscriber account.
subscription_endpoint | text | | The subscription endpoint to which exception messages are posted.
subscription_id | text | = | The subscription ID of the Amazon Security Lake subscriber account.
subscription_protocol | text | | The subscription protocol with which exception messages are posted.
subscription_status | text | | Subscription status of the Amazon Security Lake subscriber account.
title | text | | Title of the resource.
updated_at | timestamp with time zone | | The date and time when the subscription was last updated.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_securitylake_subscriber