Table: aws_ssm_managed_instance_compliance - Query AWS SSM Managed Instance Compliance using SQL
The AWS Systems Manager Managed Instance Compliance resource reports the compliance state of your managed instances against the policies you have defined (for example patch and association compliance). Querying it through Steampipe lets you check in SQL that your instances are running in accordance with your organization's security and operational best practices.
Table Usage Guide
The aws_ssm_managed_instance_compliance table in Steampipe provides you with information about managed instance compliance within AWS Systems Manager (SSM). This table allows you, as a DevOps engineer, to query compliance-specific details, including compliance status, compliance type, and associated metadata. You can use this table to gather insights on compliance, such as which instances are non-compliant and whether they comply with specific standards. The schema outlines the various attributes of the managed instance compliance for you, including the instance ID, compliance type, compliance status, and compliance severity.
Important Notes
- You must specify a Managed Instance ID in a where or join clause (where resource_id = '<managed instance ID>') to query this table.
Examples
Basic info
Determine the compliance status and severity level of a specific AWS SSM managed instance. This is useful to identify potential security risks and ensure adherence to compliance standards.
```sql
select
  id,
  name,
  resource_id,
  status,
  compliance_type,
  severity
from
  aws_ssm_managed_instance_compliance
where
  resource_id = 'i-2a3dc8b11ed9d37a';
```
List non-compliant associations for a managed instance
Determine the areas in which a managed instance is non-compliant. This query is beneficial in identifying instances where the compliance type is 'Association' and the status is not 'COMPLIANT', providing insights into potential areas for improvement.
```sql
select
  id,
  name,
  resource_id as instance_id,
  status,
  compliance_type,
  severity
from
  aws_ssm_managed_instance_compliance
where
  resource_id = 'i-2a3dc8b11ed9d37a'
  and compliance_type = 'Association'
  and status <> 'COMPLIANT';
```
The SQLite form of the same query uses != in place of <>.
List non-compliant patches for a managed instance
Determine the areas in which patches for a managed instance are non-compliant. This can assist in identifying potential vulnerabilities and ensuring system security.
```sql
select
  id,
  name,
  resource_id as instance_id,
  status,
  compliance_type,
  severity
from
  aws_ssm_managed_instance_compliance
where
  resource_id = 'i-2a3dc8b11ed9d37a'
  and compliance_type = 'Patch'
  and status <> 'COMPLIANT';
```
The SQLite form of the same query uses != in place of <>.
List compliance statuses for all managed instances
Determine the compliance status of all managed instances to ensure adherence to standards and regulations. This is useful in maintaining system integrity and mitigating potential risks.
```sql
select
  c.resource_id as instance_id,
  c.id,
  c.status
from
  aws_ssm_managed_instance i,
  aws_ssm_managed_instance_compliance c
where
  i.instance_id = c.resource_id;
```
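The per-instance examples above answer "is this one instance compliant?"; the join example shows how to satisfy the required resource_id qualifier for every managed instance at once. The following query combines the two ideas into a fleet-wide triage view: it counts non-compliant items per instance, compliance type and severity, ordered so the most severe findings come first. It is an added example, not a query from the Steampipe documentation or the plugin; it uses only the columns listed in the schema below plus instance_id from aws_ssm_managed_instance, and it assumes the severity values SSM reports (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED).

```sql
-- Added example: fleet-wide count of non-compliant SSM compliance items,
-- grouped by instance, compliance type and severity.
-- Joining on aws_ssm_managed_instance supplies the resource_id values that
-- this table requires in its where/join clause.
select
  c.resource_id as instance_id,
  c.compliance_type,                 -- 'Patch' or 'Association'
  c.severity,
  count(*) as non_compliant_items
from
  aws_ssm_managed_instance i
  join aws_ssm_managed_instance_compliance c
    on c.resource_id = i.instance_id
where
  c.status <> 'COMPLIANT'
group by
  c.resource_id,
  c.compliance_type,
  c.severity
order by
  -- Rank severities explicitly; assumed SSM severity vocabulary.
  case c.severity
    when 'CRITICAL'      then 1
    when 'HIGH'          then 2
    when 'MEDIUM'        then 3
    when 'LOW'           then 4
    when 'INFORMATIONAL' then 5
    else 6                          -- UNSPECIFIED or anything unexpected
  end,
  non_compliant_items desc,
  c.resource_id;
```

Instances that have no compliance rows at all (for example because inventory or patch scans have not run yet) do not appear in this output; switching the join to a left join and checking for a null c.id is the usual way to surface those as a separate finding.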
Control examples
- AWS Foundational Security Best Practices > SSM > 2 All EC2 instances managed by Systems Manager should be compliant with patching requirements
- AWS Foundational Security Best Practices > SSM > 3 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
- SSM managed instance associations should be compliant
- SSM managed instance patching should be compliant
Schema for aws_ssm_managed_instance_compliance
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
compliance_type | text | | The compliance type.
details | jsonb | | Key-value details for the compliance item.
execution_summary | jsonb | | A summary for the compliance item.
id | text | | An ID for the compliance item.
name | text | | A title for the compliance item.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
resource_id | text | = | An ID for the resource.
resource_type | text | = | The type of resource.
severity | text | | The severity of the compliance status.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
status | text | | The status of the compliance item.
title | text | | Title of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:
```sh
steampipe_export_aws --config '<your_config>' aws_ssm_managed_instance_compliance
```