steampipe plugin install aws

Table: aws_ssm_document - Query AWS SSM Documents using SQL

The AWS Systems Manager Document (SSM Document) is a resource that defines the actions that Systems Manager performs on your managed instances. These documents can be used to automate tasks and ensure they are done consistently across multiple instances. SSM Documents support multiple types of actions, including running scripts, applying patches, and more, enabling you to manage your AWS resources effectively.

Table Usage Guide

The aws_ssm_document table in Steampipe provides you with information about SSM documents within AWS Systems Manager (SSM). This table enables you, as a DevOps engineer, to query document-specific details, including the document name, version, owner, status, and permissions, among others. You can utilize this table to gather insights on SSM documents, such as their current status, the document format, and the permissions associated with each document. The schema outlines for you the various attributes of the SSM document, including the document name, document version, owner, permissions, and associated tags.

Examples

Basic info

This query allows you to explore and understand the status, owner, and platform details of documents within your AWS Simple Systems Manager. It helps in identifying where potential changes or updates may be necessary, providing insights for better system management.

select
name,
document_version,
status,
owner,
document_format,
document_type,
platform_types,
region
from
aws_ssm_document;
select
name,
document_version,
status,
owner,
document_format,
document_type,
platform_types,
region
from
aws_ssm_document;

List documents owned by the AWS account

Determine the areas in which your AWS account owns documents. This can help you understand your resource ownership and manage your AWS resources more effectively.

select
name,
owner,
document_version,
status,
document_format,
document_type
from
aws_ssm_document
where
owner_type = 'Self';
select
name,
owner,
document_version,
status,
document_format,
document_type
from
aws_ssm_document
where
owner_type = 'Self';

List documents not owned by Amazon

Determine the areas in which documents within the AWS SSM service are not owned by Amazon. This can be useful to identify potential security risks or to audit ownership of documents.

select
name,
owner,
document_version,
status,
document_format,
document_type
from
aws_ssm_document
where
owner_type != 'Amazon';
select
name,
owner,
document_version,
status,
document_format,
document_type
from
aws_ssm_document
where
owner_type <> 'Amazon';

List documents that are shared publicly

Discover the segments that consist of documents which are shared publicly. This query is handy in identifying potential security risks by pinpointing documents that are open to all, thus allowing for appropriate action to be taken.

with ssm_documents as (
select
name,
owner,
region,
account_id
from
aws_ssm_document
where
owner_type = 'Self'
order by
name
)
select
d.name,
d.owner,
p.account_ids
from
ssm_documents as d
left join aws_ssm_document_permission as p on p.document_name = d.name
and p.region = d.region
and p.account_id = d.account_id
where
p.account_ids :: jsonb ? 'all';
with ssm_documents as (
select
name,
owner,
region,
account_id
from
aws_ssm_document
where
owner_type = 'Self'
order by
name
)
select
d.name,
d.owner,
p.account_ids
from
ssm_documents as d
left join aws_ssm_document_permission as p on p.document_name = d.name
and p.region = d.region
and p.account_id = d.account_id
where
json_extract(account_ids, '$.all') is not null;

Get a specific document

This query allows users to pinpoint the specific details of a document within the AWS Simple Systems Manager (SSM), particularly useful for those needing to assess a document's approved version or creation date. It's particularly beneficial when managing or auditing AWS resources.

select
name,
arn,
approved_version,
created_date,
document_type
from
aws_ssm_document
where
arn = 'arn:aws:ssm:ap-south-1:112233445566:document/AWS-ASGEnterStandby';
select
name,
arn,
approved_version,
created_date,
document_type
from
aws_ssm_document
where
arn = 'arn:aws:ssm:ap-south-1:112233445566:document/AWS-ASGEnterStandby';

Schema for aws_ssm_document

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
approved_versiontextThe version of the document currently approved for use in the organization.
arntext=The Amazon Resource Name (ARN) of the document.
attachments_informationjsonbDetails about the document attachments, including names, locations, sizes,and so on.
authortextThe user in your organization who created the document.
categoryjsonbThe classification of a document to help you identify and categorize its use.
category_enumjsonbThe value that identifies a document's category.
created_datetimestamp with time zoneThe date when the document was created.
default_versiontextThe default version.
descriptiontextA description of the document.
display_nametextThe friendly name of the SSM document.
document_formattextThe document format, either JSON or YAML.
document_typetext=The type of document.
document_versiontextThe document version.
hashtextThe Sha256 or Sha1 hash created by the system when the document was created.
hash_typetextThe hash type of the document.
latest_versiontextThe latest version of the document.
nametextThe name of the Systems Manager document.
ownertextThe AWS user account that created the document.
owner_typetext=The AWS user account type to filter the documents. Possible values: Self, Amazon, Public, Private, ThirdParty, All, Default.
parametersjsonbA description of the parameters for a document.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
pending_review_versiontextThe version of the document that is currently under review.
platform_typesjsonbThe operating system platform.
regiontextThe AWS Region in which the resource is located.
requiresjsonbA list of SSM documents required by a document.
review_informationjsonbDetails about the review of a document.
review_statustextThe current status of the review.
schema_versiontextThe schema version.
sha1textThe SHA1 hash of the document, which you can use for verification.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statustextThe user in your organization who created the document.
status_informationtextA message returned by AWS Systems Manager that explains the Status value.
tagsjsonbA map of tags for the resource.
tags_srcjsonbA list of tags associated with document
target_typetextThe target type which defines the kinds of resources the document can run on.
titletextTitle of the resource.
version_nametextThe version of the artifact associated with the document.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ssm_document