turbot/guardrails
steampipe plugin install guardrails

Table: guardrails_policy_setting - Query Guardrails Policy Settings using SQL

Guardrails is a policy-as-code service that helps you manage and enforce your cloud security, compliance, and operational policies. It allows you to define your own policies, or use pre-built ones, to continuously monitor and remediate security and compliance issues. Guardrails Policy Settings are a key component of this service, defining the specific configurations for each policy.

Table Usage Guide

The guardrails_policy_setting table provides insights into policy settings within Guardrails. As a Security Engineer, explore policy-specific details through this table, including policy configurations, associated metadata, and the status of each policy. Utilize it to uncover information about policies, such as those which are currently active, the specific configurations of each policy, and the potential impact of these policies on your cloud resources.

Important Notes

  • When querying this table, we recommend using at least one of these columns (usually in the where clause). They are the columns listed with an = operator in the schema below, so an equality on them is passed to the Guardrails API as a qualifier instead of being applied only after every policy setting in the workspace has been fetched:
    • id
    • resource_id
    • exception
    • orphan
    • policy_type_id
    • policy_type_uri
    • filter

Examples

Find all policy settings that are exceptions to another policy

List the policy settings that are exceptions to a higher-level setting, so you can see where your environment deviates from the standard baseline and review whether each deviation is still justified. The first form uses PostgreSQL boolean syntax; the second is the SQLite equivalent.

PostgreSQL:

select
policy_type_uri,
resource_id,
is_calculated,
exception,
value
from
guardrails_policy_setting
where
exception;

SQLite:

select
policy_type_uri,
resource_id,
is_calculated,
exception,
value
from
guardrails_policy_setting
where
exception = 1;
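Building on the query above, here is an added example that is not part of the Steampipe or Guardrails documentation: it turns the exception list into an audit. An exception with no expiry is a permanent carve-out from a control, and one that expires soon needs a renewal decision, so the query labels each exception accordingly and sorts the permanent ones first. It uses the resource_trunk_title and policy_type_trunk_title columns on the table itself, so no joins are needed. It assumes PostgreSQL syntax (Steampipe's native database) and assumes that a setting with no expiry has a null valid_to_timestamp; the page does not say how "no expiry" is represented, so treat that as an assumption to verify in your workspace.

```sql
-- Added example, not the project's own query. PostgreSQL syntax.
-- Assumption: an exception that never expires has valid_to_timestamp IS NULL.
select
  resource_trunk_title    as resource,
  policy_type_trunk_title as policy_type,
  value,
  precedence,                       -- REQUIRED or RECOMMENDED
  note,                             -- the justification recorded with the exception, if any
  valid_from_timestamp,
  valid_to_timestamp,
  case
    when valid_to_timestamp is null
      then 'permanent'              -- no expiry: a standing carve-out that should be reviewed
    when valid_to_timestamp < now() + interval '30 days'
      then 'expires within 30 days' -- renew or let lapse
    else 'time-bound'
  end as exception_status
from
  guardrails_policy_setting
where
  exception                         -- key column: pushed down to the Guardrails API
order by
  valid_to_timestamp nulls first,   -- permanent exceptions surface at the top
  resource_trunk_title,
  policy_type_trunk_title;
```

Empty note values on permanent exceptions are the rows to chase first: a deviation from a security baseline with neither an expiry nor a recorded reason is the one most likely to have outlived its purpose.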

List policy settings with full resource and policy type information

Explore the configuration of policy settings, including their associated resources and policy types. This can help in identifying any exceptions and understanding the calculated values, aiding in effective policy management.

select
r.trunk_title as resource,
pt.trunk_title as policy_type,
ps.value,
ps.is_calculated,
ps.exception
from
guardrails_policy_setting as ps
left join guardrails_policy_type as pt on pt.id = ps.policy_type_id
left join guardrails_resource as r on r.id = ps.resource_id;

All policy settings set on a given resource

Explore which policy settings are applied to a specific resource to understand the current configuration and its calculated status. This can aid in identifying potential security gaps or compliance issues.

select
r.trunk_title as resource,
ps.resource_id,
pt.trunk_title as policy_type,
ps.value,
ps.is_calculated
from
guardrails_policy_setting as ps
left join guardrails_policy_type as pt on pt.id = ps.policy_type_id
left join guardrails_resource as r on r.id = ps.resource_id
where
ps.resource_id = 173434983560398;

All policy settings set on a given resource or below

List every policy setting applied to a specific resource or to anything beneath it in the resource hierarchy. Rather than a resource_id equality, it passes a Guardrails filter string through the filter column: resourceId selects the starting resource and level:self,descendant widens the match to that resource and all of its descendants. This is the view to use when you want to know which controls actually apply inside an account or folder, not just the settings attached to that node itself.

select
r.trunk_title as resource,
ps.resource_id,
pt.trunk_title as policy_type,
ps.value,
ps.is_calculated
from
guardrails_policy_setting as ps
left join guardrails_policy_type as pt on pt.id = ps.policy_type_id
left join guardrails_resource as r on r.id = ps.resource_id
where
ps.filter = 'resourceId:173434983560398 level:self,descendant';

All policy settings set on AWS S3 buckets

List the policy settings that are set directly on AWS S3 bucket resources, selected with a resourceTypeId filter on the bucket resource type. This gives a single view of which policy types have bucket-level settings and what values they hold, which is useful for security audits and compliance checks.

select
r.trunk_title as resource,
ps.resource_id,
pt.trunk_title as policy_type,
ps.value,
ps.is_calculated
from
guardrails_policy_setting as ps
left join guardrails_policy_type as pt on pt.id = ps.policy_type_id
left join guardrails_resource as r on r.id = ps.resource_id
where
ps.filter = 'resourceTypeId:"tmod:@turbot/aws-s3#/resource/types/bucket"';
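Orphaned settings are the mirror image of exceptions: the schema describes an orphan as a setting that a higher-level setting has orphaned, which in Guardrails is what a setting with REQUIRED precedence above it does. An orphaned setting looks configured but has no effect, so a control you believe is in place on a resource may not be. The following added example, which is not one of the project's own queries and assumes PostgreSQL syntax, lists the orphaned settings and counts them per policy type so the policies with the most ineffective settings surface first.

```sql
-- Added example, not the project's own query. PostgreSQL syntax.
-- Find settings that have no effect because a higher-level setting orphans them,
-- then summarise per policy type with the affected resources listed inline.
with orphaned as (
  select
    policy_type_uri,
    policy_type_trunk_title,
    resource_id,
    resource_trunk_title,
    precedence,
    value
  from
    guardrails_policy_setting
  where
    orphan                          -- key column: pushed down to the Guardrails API
)
select
  policy_type_trunk_title                              as policy_type,
  count(*)                                             as orphaned_settings,
  -- each resource whose local setting is being overridden from above
  string_agg(resource_trunk_title, '; ' order by resource_trunk_title) as resources
from
  orphaned
group by
  policy_type_trunk_title
order by
  orphaned_settings desc,
  policy_type_trunk_title;
```

Drop the group by and select the rows of the orphaned CTE directly when you need the individual values; the aggregate form is for deciding which policy type to clean up first, since an orphan is either a setting to delete or a sign that the overriding higher-level setting is stricter than the resource owner expects.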


Schema for guardrails_policy_setting

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
create_timestamp | timestamp with time zone | | When the policy setting was first discovered by Turbot. (It may have been created earlier.)
default | boolean | | True if this policy setting is the default.
exception | boolean | = | True if this setting is an exception to a higher level setting.
filter | text | = | Filter used for this policy setting list.
id | bigint | = | Unique identifier of the policy setting.
input | text | | For calculated policy settings, this is the input GraphQL query.
is_calculated | boolean | | True if this is a calculated policy setting, whose value is produced by its template rather than set directly in value.
note | text | | Optional note or comment for the setting.
orphan | boolean | = | True if this setting is orphaned by a higher level setting.
policy_type_id | bigint | = | ID of the policy type for this policy setting.
policy_type_trunk_title | text | | Full title (including ancestor trunk) of the policy type.
policy_type_uri | text | = | URI of the policy type for this policy setting.
precedence | text | | Precedence of the setting: REQUIRED or RECOMMENDED.
resource_id | bigint | = | ID of the resource this policy setting is associated with.
resource_trunk_title | text | | Full title (including ancestor trunk) of the resource.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
template | text | | For a calculated policy setting, this is the nunjucks template string defining a YAML string which is parsed to get the value.
template_input | text | | For calculated policy settings, this GraphQL query is run and used as input to the template.
timestamp | timestamp with time zone | | Timestamp when the policy setting was last modified (created, updated or deleted).
update_timestamp | timestamp with time zone | | When the policy setting was last updated in Turbot.
valid_from_timestamp | timestamp with time zone | | Timestamp when the policy setting becomes valid.
valid_to_timestamp | timestamp with time zone | | Timestamp when the policy setting expires.
value | text | | Value of the policy setting (for non-calculated policy settings).
value_source | text | | The raw value in YAML format. If the setting was made via a YAML template including comments, these will be included here.
version_id | bigint | | Unique identifier for this version of the policy setting.
workspace | text | | Specifies the workspace URL.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- guardrails

You can pass the configuration to the command with the --config argument:

steampipe_export_guardrails --config '<your_config>' guardrails_policy_setting