steampipe plugin install aws

Table: aws_vpc_verified_access_endpoint - Query AWS VPC Verified Access Endpoint using SQL

The AWS VPC Verified Access Endpoint is a feature within Amazon's Virtual Private Cloud (VPC) service. It enables users to verify that the traffic leaving their VPC is coming from Amazon WorkSpaces, a managed, secure Desktop-as-a-Service (DaaS). This helps in meeting compliance requirements by providing an additional layer of security and control over the network traffic.

Table Usage Guide

The aws_vpc_verified_access_endpoint table in Steampipe provides you with information about the verified access endpoints within AWS Virtual Private Cloud (VPC). This table allows you, as a DevOps engineer, to query endpoint-specific details, including the endpoint configuration, service name, and VPC ID. You can utilize this table to gather insights on endpoints, such as endpoint configurations, associated services, and the VPCs they belong to. The schema outlines the various attributes of the VPC verified access endpoint for you, including the endpoint ID, creation timestamp, attached security groups, and associated tags.

Examples

Basic info

Explore the status and validation of access endpoints within your AWS VPC to ensure security and compliance. This query allows you to identify potential vulnerabilities by examining the creation time, status, and domain certificate of each endpoint.

PostgreSQL:

select
  verified_access_endpoint_id,
  verified_access_instance_id,
  verified_access_group_id,
  creation_time,
  domain_certificate_arn,
  device_validation_domain,
  status_code
from
  aws_vpc_verified_access_endpoint;

SQLite:

select
  verified_access_endpoint_id,
  verified_access_instance_id,
  verified_access_group_id,
  creation_time,
  domain_certificate_arn,
  device_validation_domain,
  status_code
from
  aws_vpc_verified_access_endpoint;

List endpoints older than 30 days

Identify AWS VPC verified access endpoints that were created more than 30 days ago. This is useful for keeping the environment tidy and secure by making sure long-lived endpoints are periodically reviewed, and decommissioned or updated as necessary.

PostgreSQL:

select
  verified_access_endpoint_id,
  creation_time,
  description,
  status_code
from
  aws_vpc_verified_access_endpoint
where
  creation_time <= now() - interval '30' day;

SQLite:

select
  verified_access_endpoint_id,
  creation_time,
  description,
  status_code
from
  aws_vpc_verified_access_endpoint
where
  creation_time <= datetime('now', '-30 day');

List endpoints that are not in active state

List the AWS VPC verified access endpoints that are not currently in the active state (for example pending, updating, deleting or deleted). This is useful for spotting endpoints that are stuck mid-change or that may need attention or cleanup.

PostgreSQL:

select
  verified_access_endpoint_id,
  status_code,
  creation_time,
  deletion_time,
  description,
  device_validation_domain
from
  aws_vpc_verified_access_endpoint
where
  status_code <> 'active';

SQLite:

select
  verified_access_endpoint_id,
  status_code,
  creation_time,
  deletion_time,
  description,
  device_validation_domain
from
  aws_vpc_verified_access_endpoint
where
  status_code != 'active';

Get group details of each endpoint

Explore the creation times and relationships between various access endpoints and groups within your AWS VPC. This can be beneficial for understanding the timeline and structure of your network security configurations.

PostgreSQL:

select
  e.verified_access_endpoint_id,
  e.creation_time,
  g.verified_access_group_id,
  g.creation_time as group_create_time
from
  aws_vpc_verified_access_endpoint as e,
  aws_vpc_verified_access_group as g
where
  e.verified_access_group_id = g.verified_access_group_id;

SQLite:

select
  e.verified_access_endpoint_id,
  e.creation_time,
  g.verified_access_group_id,
  g.creation_time as group_create_time
from
  aws_vpc_verified_access_endpoint as e
  join aws_vpc_verified_access_group as g on e.verified_access_group_id = g.verified_access_group_id;

Get trusted provider details of each endpoint

Explore the trusted provider details for each endpoint to understand their creation times and associated instances. This can be particularly useful in auditing and maintaining the security of your AWS VPC.

PostgreSQL:

select
  e.verified_access_group_id,
  e.creation_time,
  i.creation_time as instance_create_time,
  i.verified_access_instance_id,
  jsonb_pretty(i.verified_access_trust_providers) as verified_access_trust_providers
from
  aws_vpc_verified_access_endpoint as e,
  aws_vpc_verified_access_instance as i
where
  e.verified_access_instance_id = i.verified_access_instance_id;

SQLite:

select
  e.verified_access_group_id,
  e.creation_time,
  i.creation_time as instance_create_time,
  i.verified_access_instance_id,
  i.verified_access_trust_providers as verified_access_trust_providers
from
  aws_vpc_verified_access_endpoint as e,
  aws_vpc_verified_access_instance as i
where
  e.verified_access_instance_id = i.verified_access_instance_id;

Count of endpoints per instance

Determine the number of endpoints associated with each instance in your AWS Virtual Private Cloud. This can help assess the complexity and potential security exposure of your network setup.

PostgreSQL:

select
  verified_access_instance_id,
  count(verified_access_endpoint_id) as instance_count
from
  aws_vpc_verified_access_endpoint
group by
  verified_access_instance_id;

SQLite:

select
  verified_access_instance_id,
  count(verified_access_endpoint_id) as instance_count
from
  aws_vpc_verified_access_endpoint
group by
  verified_access_instance_id;

Get network interface details of each endpoint

This query is useful for gaining insights into the network interface details associated with each verified access endpoint in your AWS VPC. It can help you understand the type of interface, private IP address, and associated public IP, which is beneficial for network management and troubleshooting.

PostgreSQL:

select
  e.verified_access_endpoint_id,
  i.network_interface_id,
  i.interface_type,
  i.private_ip_address,
  i.association_public_ip,
  jsonb_pretty(i.groups) as security_groups
from
  aws_vpc_verified_access_endpoint as e,
  aws_ec2_network_interface as i
where
  e.network_interface_options ->> 'NetworkInterfaceId' = i.network_interface_id;

SQLite:

No equivalent SQLite query is available for this example.
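The examples above pull the endpoint configuration out one column at a time. The following PostgreSQL query, added here as an illustration rather than taken from the Steampipe documentation, turns the same table into a simple posture check: it surfaces active endpoints that have no device trust provider attached (device_validation_domain is null per the schema) or no ACM certificate (domain_certificate_arn is null), and reads the listening protocol and port out of whichever options JSON applies to the endpoint type. The JSON keys Protocol and Port are assumed to mirror the AWS API field names (NetworkInterfaceId is documented above); the Owner tag key is a constructed example.

```sql
-- Added example, not part of the Steampipe docs.
-- Assumed JSON keys: 'Protocol' and 'Port' inside load_balancer_options /
-- network_interface_options (AWS API field names); 'Owner' is a made-up tag key.
select
  account_id,
  region,
  verified_access_endpoint_id,
  application_domain,
  endpoint_type,
  attachment_type,
  -- protocol/port live in a different JSON column depending on endpoint_type
  coalesce(
    load_balancer_options ->> 'Protocol',
    network_interface_options ->> 'Protocol'
  ) as protocol,
  coalesce(
    load_balancer_options ->> 'Port',
    network_interface_options ->> 'Port'
  ) as port,
  -- findings: each case yields null when the check passes
  case
    when device_validation_domain is null then 'no device trust provider attached'
  end as device_trust_finding,
  case
    when domain_certificate_arn is null then 'no ACM certificate configured'
  end as certificate_finding,
  tags ->> 'Owner' as owner
from
  aws_vpc_verified_access_endpoint
where
  status_code = 'active'
  and (
    device_validation_domain is null
    or domain_certificate_arn is null
  )
order by
  account_id,
  region,
  verified_access_endpoint_id;
```

An empty result set means every active endpoint has both a device trust provider and a certificate; rows that do come back carry the owner tag so the finding can be routed to the right team.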

Schema for aws_vpc_verified_access_endpoint

Name | Type | Operators | Description
---- | ---- | --------- | -----------
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
account_id | text | | The AWS Account ID in which the resource is located.
application_domain | text | | The DNS name for users to reach your application.
attachment_type | text | | The type of attachment used to provide connectivity between the AWS verified access endpoint and the application.
creation_time | timestamp with time zone | | The creation time.
deletion_time | timestamp with time zone | | The deletion time.
description | text | | A description for the AWS verified access endpoint.
device_validation_domain | text | | Returned if the endpoint has a device trust provider attached.
domain_certificate_arn | text | | The ARN of a public TLS/SSL certificate imported into or created with ACM.
endpoint_domain | text | | A DNS name that is generated for the endpoint.
endpoint_type | text | | The type of AWS verified access endpoint. Incoming application requests will be sent to an IP address, load balancer or a network interface depending on the endpoint type specified. Possible values are load-balancer or network-interface.
last_updated_time | timestamp with time zone | | The last updated time.
load_balancer_options | jsonb | | The load balancer details if creating the AWS verified access endpoint as load-balancer type.
network_interface_options | jsonb | | The options for a network-interface type endpoint.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
status | jsonb | | The endpoint status.
status_code | text | | The endpoint status code. Possible values are pending, active, updating, deleting or deleted.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
verified_access_endpoint_id | text | = | The ID of the AWS verified access endpoint.
verified_access_group_id | text | = | The ID of the AWS verified access group.
verified_access_instance_id | text | = | The ID of the AWS verified access instance.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_vpc_verified_access_endpoint