v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Steampipe logo 
Hub
Plugins
turbot/aws
Overview
496Tables
Versions
PowerpipeMods
GitHub
steampipe plugin install aws

Table: aws_ssm_document_permission - Query AWS SSM Document Permissions using SQL

The AWS SSM Document Permission is a component of AWS Systems Manager that allows you to manage access permissions to your SSM documents. These documents define the actions that Systems Manager performs on your managed instances. With document permissions, you can specify which AWS Identity and Access Management (IAM) users and roles can use these documents, providing a secure way to distribute commands or configurations to your servers.

Table Usage Guide

The aws_ssm_document_permission table in Steampipe provides you with information about the permissions associated with AWS Systems Manager (SSM) documents. This table allows you, as a DevOps engineer, security analyst, or system administrator, to query document-specific permission details, including the type of permission, the account IDs that the permissions apply to, and the document version. You can utilize this table to gather insights on document permissions, such as identifying the accounts that have access to specific SSM documents, verifying the type of access granted, and more. The schema outlines the various attributes of the SSM document permission for you, including the document name, permission type, account IDs, and the document version.

Important Notes

  • You must specify the document_name column in the where clause to query the table.

Examples

Basic info

Explore which AWS accounts have permission to the 'ConfigureS3BucketLogging' document. This can be useful to ensure only the intended accounts have access, enhancing security and compliance.

select
  document_name,
  shared_account_id,
  shared_document_version,
  account_ids,
  title
from
  aws_ssm_document_permission
where
  document_name = 'ConfigureS3BucketLogging';
select
  document_name,
  shared_account_id,
  shared_document_version,
  account_ids,
  title
from
  aws_ssm_document_permission
where
  document_name = 'ConfigureS3BucketLogging';

Get document details for the permissions

This query is useful for exploring the permissions and versions of a specific document in the AWS SSM service, in this case 'ConfigureS3BucketLogging'. It helps you understand who has access to the document and what versions of the document are approved, providing insights into document management and control.

select
  p.document_name,
  p.shared_account_id,
  p.shared_document_version,
  d.approved_version,
  d.attachments_information,
  d.created_date,
  d.default_version
from
  aws_ssm_document_permission as p,
  aws_ssm_document as d
where
  p.document_name = 'ConfigureS3BucketLogging';
select
  p.document_name,
  p.shared_account_id,
  p.shared_document_version,
  d.approved_version,
  d.attachments_information,
  d.created_date,
  d.default_version
from
  aws_ssm_document_permission as p,
  aws_ssm_document as d
where
  p.document_name = 'ConfigureS3BucketLogging';

Schema for aws_ssm_document_permission

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
account_idsjsonbThe account IDs that have permission to use this document. The ID can be either an AWS account or All.
document_nametext=The name of the Systems Manager document.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
regiontextThe AWS Region in which the resource is located.
shared_account_idtextThe Amazon Web Services account ID where the current document is shared.
shared_document_versiontextThe version of the current document shared with the account.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ssm_document_permission