Table: aws_ssm_document - Query AWS SSM Documents using SQL
The AWS Systems Manager Document (SSM Document) is a resource that defines the actions that Systems Manager performs on your managed instances. These documents can be used to automate tasks and ensure they are done consistently across multiple instances. SSM Documents support multiple types of actions, including running scripts, applying patches, and more, enabling you to manage your AWS resources effectively.
Table Usage Guide
The aws_ssm_document table in Steampipe provides you with information about SSM documents within AWS Systems Manager (SSM). This table enables you, as a DevOps engineer, to query document-specific details, including the document name, version, owner, status, and permissions, among others. You can utilize this table to gather insights on SSM documents, such as their current status, the document format, and the permissions associated with each document. The schema outlines for you the various attributes of the SSM document, including the document name, document version, owner, permissions, and associated tags.
Examples
Basic info
This query lists the name, version, status, owner, format, type, platform and region of every document visible in AWS Systems Manager. It helps in identifying where potential changes or updates may be necessary, providing insights for better system management.

PostgreSQL:

```sql
select
  name,
  document_version,
  status,
  owner,
  document_format,
  document_type,
  platform_types,
  region
from
  aws_ssm_document;
```

SQLite:

```sql
select
  name,
  document_version,
  status,
  owner,
  document_format,
  document_type,
  platform_types,
  region
from
  aws_ssm_document;
```
List documents owned by the AWS account
List the SSM documents that are owned by your own AWS account (owner_type = 'Self'). This can help you understand your resource ownership and manage your AWS resources more effectively.

PostgreSQL:

```sql
select
  name,
  owner,
  document_version,
  status,
  document_format,
  document_type
from
  aws_ssm_document
where
  owner_type = 'Self';
```

SQLite:

```sql
select
  name,
  owner,
  document_version,
  status,
  document_format,
  document_type
from
  aws_ssm_document
where
  owner_type = 'Self';
```
List documents not owned by Amazon
List the SSM documents that are not owned by Amazon, i.e. documents created by your own account or shared with it by a third party. This can be useful to identify potential security risks or to audit ownership of documents.

PostgreSQL:

```sql
select
  name,
  owner,
  document_version,
  status,
  document_format,
  document_type
from
  aws_ssm_document
where
  owner_type != 'Amazon';
```

SQLite:

```sql
select
  name,
  owner,
  document_version,
  status,
  document_format,
  document_type
from
  aws_ssm_document
where
  owner_type <> 'Amazon';
```
List documents that are shared publicly
List the documents owned by your account that are shared publicly, i.e. whose permission list contains the special account ID 'all'. This query is handy in identifying potential security risks by pinpointing documents that are open to all AWS accounts, thus allowing for appropriate action to be taken. The join on aws_ssm_document_permission matches by document name, region and account ID.

PostgreSQL:

```sql
with ssm_documents as (
  select
    name,
    owner,
    region,
    account_id
  from
    aws_ssm_document
  where
    owner_type = 'Self'
  order by
    name
)
select
  d.name,
  d.owner,
  p.account_ids
from
  ssm_documents as d
  left join aws_ssm_document_permission as p
    on p.document_name = d.name
    and p.region = d.region
    and p.account_id = d.account_id
where
  p.account_ids :: jsonb ? 'all';
```

SQLite:

```sql
with ssm_documents as (
  select
    name,
    owner,
    region,
    account_id
  from
    aws_ssm_document
  where
    owner_type = 'Self'
  order by
    name
)
select
  d.name,
  d.owner,
  p.account_ids
from
  ssm_documents as d
  left join aws_ssm_document_permission as p
    on p.document_name = d.name
    and p.region = d.region
    and p.account_id = d.account_id
where
  json_extract(account_ids, '$.all') is not null;
```
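The public-sharing query above only flags documents shared with 'all'. The following PostgreSQL query, added here as an example and not part of the Steampipe documentation, classifies every self-owned document as public, shared cross-account or private in one pass, so a reviewer can see all external exposure of custom documents together. It assumes only the columns used on this page: account_ids on aws_ssm_document_permission is a JSON array of account IDs (or 'all').

```sql
-- Added example: sharing classification of self-owned SSM documents.
-- Assumes aws_ssm_document_permission.account_ids is a JSON array of
-- account IDs, with the string 'all' meaning "shared publicly".
with ssm_documents as (
  select
    name,
    owner,
    region,
    account_id,
    document_type,
    status,
    default_version,
    latest_version
  from
    aws_ssm_document
  where
    owner_type = 'Self'
),
shared as (
  select
    d.name,
    d.region,
    d.account_id,
    d.document_type,
    d.status,
    d.default_version,
    d.latest_version,
    -- missing permission row means nothing is shared
    coalesce(p.account_ids :: jsonb, '[]' :: jsonb) as account_ids
  from
    ssm_documents as d
    left join aws_ssm_document_permission as p
      on p.document_name = d.name
      and p.region = d.region
      and p.account_id = d.account_id
)
select
  name,
  region,
  document_type,
  status,
  case
    when account_ids ? 'all' then 'public'
    when jsonb_array_length(account_ids) > 0 then 'cross-account'
    else 'private'
  end as sharing,
  account_ids,
  -- a default version behind the latest one is worth a second look
  default_version <> latest_version as default_not_latest
from
  shared
order by
  sharing,
  name;
```

Rows with sharing = 'public' correspond exactly to the page's public-sharing query; 'cross-account' rows list the specific account IDs the document is shared with.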
Get a specific document
This query returns the details of a single document, identified by its ARN, within AWS Systems Manager (SSM). It is particularly useful for those needing to assess a document's approved version or creation date when managing or auditing AWS resources.

PostgreSQL:

```sql
select
  name,
  arn,
  approved_version,
  created_date,
  document_type
from
  aws_ssm_document
where
  arn = 'arn:aws:ssm:ap-south-1:112233445566:document/AWS-ASGEnterStandby';
```

SQLite:

```sql
select
  name,
  arn,
  approved_version,
  created_date,
  document_type
from
  aws_ssm_document
where
  arn = 'arn:aws:ssm:ap-south-1:112233445566:document/AWS-ASGEnterStandby';
```
Schema for aws_ssm_document
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
approved_version | text | | The version of the document currently approved for use in the organization. |
arn | text | = | The Amazon Resource Name (ARN) of the document. |
attachments_information | jsonb | | Details about the document attachments, including names, locations, sizes, and so on. |
author | text | | The user in your organization who created the document. |
category | jsonb | | The classification of a document to help you identify and categorize its use. |
category_enum | jsonb | | The value that identifies a document's category. |
created_date | timestamp with time zone | | The date when the document was created. |
default_version | text | | The default version. |
description | text | | A description of the document. |
display_name | text | | The friendly name of the SSM document. |
document_format | text | | The document format, either JSON or YAML. |
document_type | text | = | The type of document. |
document_version | text | | The document version. |
hash | text | | The Sha256 or Sha1 hash created by the system when the document was created. |
hash_type | text | | The hash type of the document. |
latest_version | text | | The latest version of the document. |
name | text | | The name of the Systems Manager document. |
owner | text | | The AWS user account that created the document. |
owner_type | text | = | The AWS user account type to filter the documents. Possible values: Self, Amazon, Public, Private, ThirdParty, All, Default. |
parameters | jsonb | | A description of the parameters for a document. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
pending_review_version | text | | The version of the document that is currently under review. |
platform_types | jsonb | | The operating system platform. |
region | text | | The AWS Region in which the resource is located. |
requires | jsonb | | A list of SSM documents required by a document. |
review_information | jsonb | | Details about the review of a document. |
review_status | text | | The current status of the review. |
schema_version | text | | The schema version. |
sha1 | text | | The SHA1 hash of the document, which you can use for verification. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | The status of the document. |
status_information | text | | A message returned by AWS Systems Manager that explains the Status value. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags associated with the document. |
target_type | text | | The target type which defines the kinds of resources the document can run on. |
title | text | | Title of the resource. |
version_name | text | | The version of the artifact associated with the document. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_ssm_document
```