turbot/guardrails
steampipe plugin install guardrails

Table: guardrails_notification - Query Guardrails Notifications using SQL

Guardrails is a service that provides continuous compliance and security for cloud infrastructure. It offers real-time detection of potential threats and violations, and automatically sends notifications when such events occur. These notifications contain crucial information about the identified issues, including their type, status, and related metadata.

Table Usage Guide

The guardrails_notification table provides insights into the notifications generated by Guardrails. As a security analyst, you can explore notification-specific details through this table, including the type of violation, its status, and related metadata. Utilize it to understand the security posture of your cloud infrastructure, identify potential threats, and take necessary remedial actions.

Important Notes

  • When querying this table, we recommend using at least one of these columns (usually in the where clause):
    • id
    • resource_id
    • notification_type
    • control_id
    • control_type_id
    • control_type_uri
    • resource_type_id
    • resource_type_uri
    • policy_setting_type_id
    • policy_setting_type_uri
    • actor_identity_id
    • create_timestamp
    • filter

For more information on how to construct a filter, please see Notifications examples.

Examples

Find all Turbot grants activations in last 1 week using filter

Explore recent Turbot grant activations from the past week. This is useful for keeping track of security permissions and understanding who has been given access to what within your system.

select
active_grant_id,
notification_type,
active_grant_type_title,
active_grant_level_title,
create_timestamp,
actor_identity_trunk_title,
active_grant_identity_trunk_title,
active_grant_valid_to_timestamp,
active_grant_identity_profile_id,
resource_title
from
guardrails_notification
where
filter = 'notificationType:activeGrant createTimestamp:>T-1w'
and active_grant_type_title = 'Turbot'
order by
create_timestamp desc,
notification_type,
actor_identity_trunk_title,
resource_title;
select
active_grant_id,
notification_type,
active_grant_type_title,
active_grant_level_title,
create_timestamp,
actor_identity_trunk_title,
active_grant_identity_trunk_title,
active_grant_valid_to_timestamp,
active_grant_identity_profile_id,
resource_title
from
guardrails_notification
where
filter = 'notificationType:activeGrant createTimestamp:>T-1w'
and active_grant_type_title = 'Turbot'
order by
create_timestamp desc,
notification_type,
actor_identity_trunk_title,
resource_title;

Find all AWS grants activations in last 7 days

Discover the segments that have been granted AWS access in the past week. This can be useful for auditing purposes and to ensure that all access grants align with your organization's security policy.

select
active_grant_id,
notification_type,
active_grant_type_title,
active_grant_level_title,
create_timestamp,
actor_identity_trunk_title,
active_grant_identity_trunk_title,
active_grant_valid_to_timestamp,
active_grant_identity_profile_id,
resource_title
from
guardrails_notification
where
notification_type = 'active_grants_created'
and create_timestamp >= (current_date - interval '7' day)
and active_grant_type_title = 'AWS'
order by
create_timestamp desc,
notification_type,
actor_identity_trunk_title,
resource_title;
select
active_grant_id,
notification_type,
active_grant_type_title,
active_grant_level_title,
create_timestamp,
actor_identity_trunk_title,
active_grant_identity_trunk_title,
active_grant_valid_to_timestamp,
active_grant_identity_profile_id,
resource_title
from
guardrails_notification
where
notification_type = 'active_grants_created'
and create_timestamp >= date('now', '-7 day')
and active_grant_type_title = 'AWS'
order by
create_timestamp desc,
notification_type,
actor_identity_trunk_title,
resource_title;

Find all AWS S3 buckets created notifications in last 7 days

Discover the recent activities related to AWS S3 bucket creation. This query is useful for gaining insights into new resources, helping you monitor and manage your AWS S3 bucket inventory effectively.

select
create_timestamp,
resource_id,
resource_title,
resource_trunk_title,
actor_identity_trunk_title
from
guardrails_notification
where
notification_type = 'resource_created'
and create_timestamp >= (current_date - interval '120' day)
and resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket'
order by
create_timestamp desc;
select
create_timestamp,
resource_id,
resource_title,
resource_trunk_title,
actor_identity_trunk_title
from
guardrails_notification
where
notification_type = 'resource_created'
and create_timestamp >= date('now', '-120 day')
and resource_type_uri = 'tmod:@turbot/aws-s3#/resource/types/bucket'
order by
create_timestamp desc;

All policy settings notifications on a given resource or below in last 90 days

This example helps you to monitor all policy settings notifications related to a specific resource or its descendants over the past 90 days. It is useful for tracking changes and updates in policy settings, aiding in resource management and security compliance.

select
notification_type,
create_timestamp,
policy_setting_id,
policy_setting_type_trunk_title,
policy_setting_type_uri,
resource_trunk_title,
resource_type_trunk_title,
policy_setting_type_read_only,
policy_setting_type_secret,
policy_setting_value
from
guardrails_notification
where
resource_id = 191382256916538
and create_timestamp >= (current_date - interval '90' day)
and filter = 'notificationType:policySetting level:self,descendant'
order by
create_timestamp desc;
select
notification_type,
create_timestamp,
policy_setting_id,
policy_setting_type_trunk_title,
policy_setting_type_uri,
resource_trunk_title,
resource_type_trunk_title,
policy_setting_type_read_only,
policy_setting_type_secret,
policy_setting_value
from
guardrails_notification
where
resource_id = 191382256916538
and create_timestamp >= date('now', '-90 day')
and filter = 'notificationType:policySetting level:self,descendant'
order by
create_timestamp desc;

All policy settings notifications for AWS > Account > Regions policy

Explore the notifications related to policy settings for your AWS account's regional policies. This is particularly useful for keeping track of policy changes and ensuring compliance with your organization's standards.

select
notification_type,
create_timestamp,
policy_setting_id,
resource_id,
resource_trunk_title,
jsonb_pretty(policy_setting_value :: jsonb) as policy_setting_value
from
guardrails_notification
where
policy_setting_type_uri = 'tmod:@turbot/aws#/policy/types/regionsDefault'
and filter = 'notificationType:policySetting level:self'
order by
create_timestamp desc;
select
notification_type,
create_timestamp,
policy_setting_id,
resource_id,
resource_trunk_title,
policy_setting_value
from
guardrails_notification
where
policy_setting_type_uri = 'tmod:@turbot/aws#/policy/types/regionsDefault'
and filter = 'notificationType:policySetting level:self'
order by
create_timestamp desc;

All notifications for AWS > Account > Budget > Budget control

Determine the areas in which budget controls have been notified for your AWS account. This allows you to assess the state and reason for each control, providing insights for better financial management.

select
notification_type,
create_timestamp,
control_id,
resource_trunk_title,
control_state,
control_reason
from
guardrails_notification
where
control_type_uri = 'tmod:@turbot/aws#/control/types/budget'
and filter = 'notificationType:control level:self'
order by
resource_id,
create_timestamp desc;
select
notification_type,
create_timestamp,
control_id,
resource_trunk_title,
control_state,
control_reason
from
guardrails_notification
where
control_type_uri = 'tmod:@turbot/aws#/control/types/budget'
and filter = 'notificationType:control level:self'
order by
resource_id,
create_timestamp desc;

Schema for guardrails_notification

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
active_grant_idbigintActive grant ID for this notification.
active_grant_identity_profile_idtextThe identity of profile id for this active grant.
active_grant_identity_trunk_titletextThis is the title of hierarchy from the root down to this identity (i.e. Identity whoes access got revoked/permiited) for this active grant.
active_grant_level_titletextThe name of the active grant level.
active_grant_new_version_idbigintActive grant version ID of the grant after the notification.
active_grant_old_version_idbigintVersion ID of the active grant before the event.
active_grant_permission_level_idbigintThe unique identifier for the active grant permission level.
active_grant_permission_type_idbigintThe unique identifier for the active grant permission type.
active_grant_role_nametextOptional custom roleName for this active grant, when using existing roles rather than Turbot-managed ones.
active_grant_type_titletextThe name of the active grant type.
active_grant_valid_to_timestamptimestamp with time zoneOptional end date for the active grant to expire.
actor_identity_idbigint=Identity ID of the actor that performed this event.
actor_identity_trunk_titletextTitle hierarchy of the actor from the root down to the actor of this event.
control_detailsjsonbOptional details provided at the last state update of this control.
control_idbigint=ID of the control for this notification.
control_new_version_idbigintVersion ID of the control after the event.
control_old_version_idbigintVersion ID of the control before the event.
control_reasontextOptional reason provided at the last state update of this control.
control_statetextThe current state of the control.
control_type_idbigint=ID of the control type for this control.
control_type_trunk_titletextThis is the title of hierarchy from the root down to this control type.
control_type_uritext=URI of the control type for this control.
create_timestamptimestamp with time zone>, >=, =, <, <=When the resource was first discovered by Turbot. (It may have been created earlier.)
filtertext=Filter used to search for notifications.
grant_idbigintID of the grant for this notification.
grant_identity_profile_idtextThe identity profile id for this grant.
grant_identity_trunk_titletextThis is the title of hierarchy from the root down to this identity (i.e. Identity whoes access got revoked/permiited) for this grant.
grant_level_titletextThe name of the permission level.
grant_new_version_idbigintVersion ID of the grant after the event.
grant_old_version_idbigintVersion ID of the grant before the event.
grant_permission_level_idbigintThe unique identifier for the permission level.
grant_permission_type_idbigintThe unique identifier for the permission type.
grant_role_nametextOptional custom roleName for this grant, when using existing roles rather than Turbot-managed ones.
grant_type_titletextThe name of the permission type.
grant_valid_to_timestamptimestamp with time zoneOptional end date for the grant.
icontextIcon for this notification type.
idbigint=Unique identifier of the notification.
messagetextMessage for the notification.
notification_typetext=Type of the notification: resource, action, policySetting, control, grant, activeGrant.
policy_setting_default_templatetextThe Nunjucks template if this setting is for a calculated value.
policy_setting_default_template_inputtextThe GraphQL Input query if this setting is for a calculated value.
policy_setting_idbigintID of the policy setting for this notification.
policy_setting_is_calculatedbooleanIf true this setting contains calculated inputs e.g. templateInput and template.
policy_setting_new_version_idbigintVersion ID of the policy setting after the event.
policy_setting_old_version_idbigintVersion ID of the policy setting before the event.
policy_setting_type_idbigint=ID of the policy setting type for this notification.
policy_setting_type_read_onlybooleanIf true user-defined policy settings are blocked from being created.
policy_setting_type_secretbooleanIf true policy value will be encrypted.
policy_setting_type_trunk_titletextThis is the title of hierarchy from the root down to this policy type.
policy_setting_type_uritext=URI of the policy setting type for this notification.
policy_setting_valuetextThe value of the policy setting after this event.
process_idbigintID of the process that created this notification.
resource_akasjsonbThe globally-unique akas for this resource.
resource_datajsonbThe data for this resource
resource_idbigint=ID of the resource for this notification.
resource_new_version_idbigintVersion ID of the resource after the event.
resource_objectjsonbMore detailed and extensive resource data
resource_old_version_idbigintVersion ID of the resource before the event.
resource_parent_idbigintThe id of the parent resource of this resource.
resource_pathtextThe string of resource ids separated by "." from root down to this resource.
resource_tagsjsonbTags attached to this resource.
resource_titletextTitle of the resource.
resource_trunk_titletextTitle of the resource hierarchy from the root down to this resource.
resource_type_idbigint=ID of the resource type for this notification.
resource_type_trunk_titletextTitle of the resource type hierarchy from the root down to this resource.
resource_type_uritext=URI of the resource type for this notification.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails

You can pass the configuration to the command with the --config argument:

steampipe_export_guardrails --config '<your_config>' guardrails_notification