| title | description |
|---|---|
| Steampipe Table: aws_securityhub_finding_aggregator - Query AWS Security Hub Finding Aggregator using SQL | Allows users to query AWS Security Hub Finding Aggregator to gather information about the findings that are generated by the integrated third-party products and AWS services. |
The AWS Security Hub Finding Aggregator is a feature of AWS Security Hub that consolidates findings across multiple AWS accounts into a single AWS account. It enables centralized management and analysis of security findings, enhancing visibility into your security and compliance status. Through Steampipe, you can query it using SQL, allowing you to filter and analyze security findings efficiently.
The `aws_securityhub_finding_aggregator` table in Steampipe provides you with information about the findings generated by the integrated third-party products and AWS services. This table allows you, as a security analyst or DevOps engineer, to query findings-specific details, including severity, resource details, and associated metadata. You can utilize this table to gather insights on findings, such as the types of findings, the resources involved, and the severity of the findings. The schema outlines the various attributes of the findings for you, including the finding ARN, creation date, compliance status, and associated tags.
Explore the settings of AWS Security Hub's finding aggregator to understand the linking mode between different regions and the region where findings are aggregated. This is useful for assessing the configuration of your security alerts and understanding how your security data is being managed across different geographical locations.
```sql
select
  arn,
  finding_aggregation_region,
  region_linking_mode
from
  aws_securityhub_finding_aggregator;
```
Identify the finding aggregators in AWS Security Hub that link all regions. This can be useful for understanding how security findings are aggregated across different regions.
```sql
select
  arn,
  finding_aggregation_region,
  region_linking_mode
from
  aws_securityhub_finding_aggregator
where
  region_linking_mode = 'ALL_REGIONS';
```
List the individual regions linked by aggregators that use the `SPECIFIED_REGIONS` linking mode in AWS Security Hub. This is useful for understanding the scope of your security findings and ensuring that relevant regions are not overlooked.
```sql
-- PostgreSQL: expand the regions JSON array into one row per linked region
select
  arn,
  region_linking_mode,
  r as linked_region
from
  aws_securityhub_finding_aggregator,
  jsonb_array_elements_text(regions) as r
where
  region_linking_mode = 'SPECIFIED_REGIONS';
```
```sql
-- SQLite: json_each returns each array element as a SQL text value in r.value
select
  arn,
  region_linking_mode,
  r.value as linked_region
from
  aws_securityhub_finding_aggregator,
  json_each(regions) as r
where
  region_linking_mode = 'SPECIFIED_REGIONS';
```
For AWS Security Hub finding aggregators that exclude specific regions (`ALL_REGIONS_EXCEPT_SPECIFIED`), list the regions that remain linked. This is useful in identifying any potential security blind spots in your regional coverage.
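```sql
-- PostgreSQL
select
  f.arn,
  a.name as linked_region
from
  aws_securityhub_finding_aggregator as f,
  aws_region as a
where
  f.region_linking_mode = 'ALL_REGIONS_EXCEPT_SPECIFIED'
  -- a region is linked only if it matches none of the excluded regions in f.regions
  and not exists (
    select 1
    from jsonb_array_elements_text(f.regions) as r
    where r = a.name
  );
```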
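```sql
-- SQLite
select
  f.arn,
  a.name as linked_region
from
  aws_securityhub_finding_aggregator as f,
  aws_region as a
where
  f.region_linking_mode = 'ALL_REGIONS_EXCEPT_SPECIFIED'
  -- a region is linked only if it matches none of the excluded regions in f.regions
  and not exists (
    select 1
    from json_each(f.regions) as r
    where r.value = a.name
  );
```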
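The blind-spot check above covers one linking mode. The following query is an added example, not part of the original Steampipe documentation, and generalizes it to list the regions whose findings do not reach the aggregation region under any linking mode (PostgreSQL syntax). It assumes the `account_id` column on both tables and the `opt_in_status` column on `aws_region`, neither of which is shown on this page, and it treats the aggregation region itself as always covered.

```sql
-- Added example: regions NOT covered by each finding aggregator.
select distinct
  f.arn,
  f.finding_aggregation_region,
  f.region_linking_mode,
  a.name as uncovered_region
from
  aws_securityhub_finding_aggregator as f
  join aws_region as a
    on a.account_id = f.account_id            -- assumption: common Steampipe column
where
  a.opt_in_status <> 'not-opted-in'           -- assumption: skip regions the account has not enabled
  and a.name <> f.finding_aggregation_region  -- the aggregation region is always covered
  and case f.region_linking_mode
        -- every region is linked, so nothing is uncovered
        when 'ALL_REGIONS' then false
        -- uncovered = regions missing from the linked list
        when 'SPECIFIED_REGIONS'
          then not (coalesce(f.regions, '[]'::jsonb) ? a.name)
        -- uncovered = regions present in the exclusion list
        when 'ALL_REGIONS_EXCEPT_SPECIFIED'
          then coalesce(f.regions, '[]'::jsonb) ? a.name
        -- any other mode: report every other region so it gets reviewed
        else true
      end
order by
  f.arn,
  uncovered_region;
```

An account with no finding aggregator at all returns no rows from this query, so that case needs a separate check.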