Table: guardrails_notification - Query Guardrails Notifications using SQL
Guardrails is a service that provides continuous compliance and security for cloud infrastructure. It offers real-time detection of potential threats and violations, and automatically sends notifications when such events occur. These notifications contain crucial information about the identified issues, including their type, status, and related metadata.
Table Usage Guide
The guardrails_notification table provides insights into the notifications generated by Guardrails. As a security analyst, you can explore notification-specific details through this table, including the type of violation, its status, and related metadata. Utilize it to understand the security posture of your cloud infrastructure, identify potential threats, and take necessary remedial actions.
Important Notes
- When querying this table, we recommend using at least one of these columns (usually in the
whereclause):idresource_idnotification_typecontrol_idcontrol_type_idcontrol_type_uriresource_type_idresource_type_uripolicy_setting_type_idpolicy_setting_type_uriactor_identity_idcreate_timestampfilter
For more information on how to construct a filter, please see Notifications examples.
Examples
Find all Turbot grants activations in last 1 week using filter
Explore recent Turbot grant activations from the past week. This is useful for keeping track of security permissions and understanding who has been given access to what within your system.
select active_grant_id, notification_type, active_grant_type_title, active_grant_level_title, create_timestamp, actor_identity_trunk_title, active_grant_identity_trunk_title, active_grant_valid_to_timestamp, active_grant_identity_profile_id, resource_titlefrom guardrails_notificationwhere filter = 'notificationType:activeGrant createTimestamp:>T-1w' and active_grant_type_title = 'Turbot'order by create_timestamp desc, notification_type, actor_identity_trunk_title, resource_title;select active_grant_id, notification_type, active_grant_type_title, active_grant_level_title, create_timestamp, actor_identity_trunk_title, active_grant_identity_trunk_title, active_grant_valid_to_timestamp, active_grant_identity_profile_id, resource_titlefrom guardrails_notificationwhere filter = 'notificationType:activeGrant createTimestamp:>T-1w' and active_grant_type_title = 'Turbot'order by create_timestamp desc, notification_type, actor_identity_trunk_title, resource_title;Find all AWS grants activations in last 7 days
Discover the segments that have been granted AWS access in the past week. This can be useful for auditing purposes and to ensure that all access grants align with your organization's security policy.
select active_grant_id, notification_type, active_grant_type_title, active_grant_level_title, create_timestamp, actor_identity_trunk_title, active_grant_identity_trunk_title, active_grant_valid_to_timestamp, active_grant_identity_profile_id, resource_titlefrom guardrails_notificationwhere notification_type = 'active_grants_created' and create_timestamp >= (current_date - interval '7' day) and active_grant_type_title = 'AWS'order by create_timestamp desc, notification_type, actor_identity_trunk_title, resource_title;select active_grant_id, notification_type, active_grant_type_title, active_grant_level_title, create_timestamp, actor_identity_trunk_title, active_grant_identity_trunk_title, active_grant_valid_to_timestamp, active_grant_identity_profile_id, resource_titlefrom guardrails_notificationwhere notification_type = 'active_grants_created' and create_timestamp >= date('now', '-7 day') and active_grant_type_title = 'AWS'order by create_timestamp desc, notification_type, actor_identity_trunk_title, resource_title;Find all AWS S3 buckets created notifications in last 7 days
Discover the recent activities related to AWS S3 bucket creation. This query is useful for gaining insights into new resources, helping you monitor and manage your AWS S3 bucket inventory effectively.
select create_timestamp, resource_id, resource_title, resource_trunk_title, actor_identity_trunk_titlefrom guardrails_notificationwhere notification_type = 'resource_created' and create_timestamp >= (current_date - interval '120' day) and resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket'order by create_timestamp desc;select create_timestamp, resource_id, resource_title, resource_trunk_title, actor_identity_trunk_titlefrom guardrails_notificationwhere notification_type = 'resource_created' and create_timestamp >= date('now', '-120 day') and resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket'order by create_timestamp desc;All policy settings notifications on a given resource or below in last 90 days
This example helps you to monitor all policy settings notifications related to a specific resource or its descendants over the past 90 days. It is useful for tracking changes and updates in policy settings, aiding in resource management and security compliance.
select notification_type, create_timestamp, policy_setting_id, policy_setting_type_trunk_title, policy_setting_type_uri, resource_trunk_title, resource_type_trunk_title, policy_setting_type_read_only, policy_setting_type_secret, policy_setting_valuefrom guardrails_notificationwhere resource_id = 191382256916538 and create_timestamp >= (current_date - interval '90' day) and filter = 'notificationType:policySetting level:self,descendant'order by create_timestamp desc;select notification_type, create_timestamp, policy_setting_id, policy_setting_type_trunk_title, policy_setting_type_uri, resource_trunk_title, resource_type_trunk_title, policy_setting_type_read_only, policy_setting_type_secret, policy_setting_valuefrom guardrails_notificationwhere resource_id = 191382256916538 and create_timestamp >= date('now', '-90 day') and filter = 'notificationType:policySetting level:self,descendant'order by create_timestamp desc;All policy settings notifications for AWS > Account > Regions policy
Explore the notifications related to policy settings for your AWS account's regional policies. This is particularly useful for keeping track of policy changes and ensuring compliance with your organization's standards.
select notification_type, create_timestamp, policy_setting_id, resource_id, resource_trunk_title, jsonb_pretty(policy_setting_value :: jsonb) as policy_setting_valuefrom guardrails_notificationwhere policy_setting_type_uri = 'tmod:@turbot/aws#/policy/types/regionsDefault' and filter = 'notificationType:policySetting level:self'order by create_timestamp desc;select notification_type, create_timestamp, policy_setting_id, resource_id, resource_trunk_title, policy_setting_valuefrom guardrails_notificationwhere policy_setting_type_uri = 'tmod:@turbot/aws#/policy/types/regionsDefault' and filter = 'notificationType:policySetting level:self'order by create_timestamp desc;All notifications for AWS > Account > Budget > Budget control
Determine the areas in which budget controls have been notified for your AWS account. This allows you to assess the state and reason for each control, providing insights for better financial management.
select notification_type, create_timestamp, control_id, resource_trunk_title, control_state, control_reasonfrom guardrails_notificationwhere control_type_uri = 'tmod:@turbot/aws#/control/types/budget' and filter = 'notificationType:control level:self'order by resource_id, create_timestamp desc;select notification_type, create_timestamp, control_id, resource_trunk_title, control_state, control_reasonfrom guardrails_notificationwhere control_type_uri = 'tmod:@turbot/aws#/control/types/budget' and filter = 'notificationType:control level:self'order by resource_id, create_timestamp desc;Schema for guardrails_notification
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| active_grant_id | bigint | Active grant ID for this notification. | |
| active_grant_identity_profile_id | text | The identity of profile id for this active grant. | |
| active_grant_identity_trunk_title | text | This is the title of hierarchy from the root down to this identity (i.e. Identity whoes access got revoked/permiited) for this active grant. | |
| active_grant_level_title | text | The name of the active grant level. | |
| active_grant_new_version_id | bigint | Active grant version ID of the grant after the notification. | |
| active_grant_old_version_id | bigint | Version ID of the active grant before the event. | |
| active_grant_permission_level_id | bigint | The unique identifier for the active grant permission level. | |
| active_grant_permission_type_id | bigint | The unique identifier for the active grant permission type. | |
| active_grant_role_name | text | Optional custom roleName for this active grant, when using existing roles rather than Turbot-managed ones. | |
| active_grant_type_title | text | The name of the active grant type. | |
| active_grant_valid_to_timestamp | timestamp with time zone | Optional end date for the active grant to expire. | |
| actor_identity_id | bigint | = | Identity ID of the actor that performed this event. |
| actor_identity_trunk_title | text | Title hierarchy of the actor from the root down to the actor of this event. | |
| control_details | jsonb | Optional details provided at the last state update of this control. | |
| control_id | bigint | = | ID of the control for this notification. |
| control_new_version_id | bigint | Version ID of the control after the event. | |
| control_old_version_id | bigint | Version ID of the control before the event. | |
| control_reason | text | Optional reason provided at the last state update of this control. | |
| control_state | text | The current state of the control. | |
| control_type_id | bigint | = | ID of the control type for this control. |
| control_type_trunk_title | text | This is the title of hierarchy from the root down to this control type. | |
| control_type_uri | text | = | URI of the control type for this control. |
| create_timestamp | timestamp with time zone | >, >=, =, <, <= | When the resource was first discovered by Turbot. (It may have been created earlier.) |
| filter | text | = | Filter used to search for notifications. |
| grant_id | bigint | ID of the grant for this notification. | |
| grant_identity_profile_id | text | The identity profile id for this grant. | |
| grant_identity_trunk_title | text | This is the title of hierarchy from the root down to this identity (i.e. Identity whoes access got revoked/permiited) for this grant. | |
| grant_level_title | text | The name of the permission level. | |
| grant_new_version_id | bigint | Version ID of the grant after the event. | |
| grant_old_version_id | bigint | Version ID of the grant before the event. | |
| grant_permission_level_id | bigint | The unique identifier for the permission level. | |
| grant_permission_type_id | bigint | The unique identifier for the permission type. | |
| grant_role_name | text | Optional custom roleName for this grant, when using existing roles rather than Turbot-managed ones. | |
| grant_type_title | text | The name of the permission type. | |
| grant_valid_to_timestamp | timestamp with time zone | Optional end date for the grant. | |
| icon | text | Icon for this notification type. | |
| id | bigint | = | Unique identifier of the notification. |
| message | text | Message for the notification. | |
| notification_type | text | = | Type of the notification: resource, action, policySetting, control, grant, activeGrant. |
| policy_setting_default_template | text | The Nunjucks template if this setting is for a calculated value. | |
| policy_setting_default_template_input | text | The GraphQL Input query if this setting is for a calculated value. | |
| policy_setting_id | bigint | ID of the policy setting for this notification. | |
| policy_setting_is_calculated | boolean | If true this setting contains calculated inputs e.g. templateInput and template. | |
| policy_setting_new_version_id | bigint | Version ID of the policy setting after the event. | |
| policy_setting_old_version_id | bigint | Version ID of the policy setting before the event. | |
| policy_setting_type_id | bigint | = | ID of the policy setting type for this notification. |
| policy_setting_type_read_only | boolean | If true user-defined policy settings are blocked from being created. | |
| policy_setting_type_secret | boolean | If true policy value will be encrypted. | |
| policy_setting_type_trunk_title | text | This is the title of hierarchy from the root down to this policy type. | |
| policy_setting_type_uri | text | = | URI of the policy setting type for this notification. |
| policy_setting_value | text | The value of the policy setting after this event. | |
| process_id | bigint | ID of the process that created this notification. | |
| resource_akas | jsonb | The globally-unique akas for this resource. | |
| resource_data | jsonb | The data for this resource | |
| resource_id | bigint | = | ID of the resource for this notification. |
| resource_new_version_id | bigint | Version ID of the resource after the event. | |
| resource_object | jsonb | More detailed and extensive resource data | |
| resource_old_version_id | bigint | Version ID of the resource before the event. | |
| resource_parent_id | bigint | The id of the parent resource of this resource. | |
| resource_path | text | The string of resource ids separated by "." from root down to this resource. | |
| resource_tags | jsonb | Tags attached to this resource. | |
| resource_title | text | Title of the resource. | |
| resource_trunk_title | text | Title of the resource hierarchy from the root down to this resource. | |
| resource_type_id | bigint | = | ID of the resource type for this notification. |
| resource_type_trunk_title | text | Title of the resource type hierarchy from the root down to this resource. | |
| resource_type_uri | text | = | URI of the resource type for this notification. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrailsYou can pass the configuration to the command with the --config argument:
steampipe_export_guardrails --config '<your_config>' guardrails_notification