Skip to content

Are AWS Well-Architected best practices being followed? Use Powerpipe and Steampipe to check if your AWS accounts are following best practices from each lens and pillar.

License

Notifications You must be signed in to change notification settings

turbot/steampipe-mod-aws-well-architected

AWS Well-Architected Mod for Powerpipe

200+ checks covering AWS Well-Architected Framework defined best practices across all AWS regions.

Run checks in a dashboard: image

Or in a terminal: image

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the AWS plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install aws

Steampipe will automatically use your default AWS credentials. Optionally, you can setup multiple accounts or customize AWS credentials.

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run well_architected_framework

Run a benchmark for a specific pillar:

powerpipe benchmark run well_architected_framework_security

Run a benchmark for a specific question:

powerpipe benchmark run well_architected_framework_sec01

Run a benchmark for a specific best practice:

powerpipe benchmark run well_architected_framework_sec01_bp01

Different output formats are also available, for more information please see Output Formats.

Common and Tag Dimensions

The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the dependent AWS Compliance mod These properties can be executed in the following ways:

It's easiest to setup your vars file, starting with the sample:

cp powerpipe.ppvars.example powerpipe.ppvars
vi powerpipe.ppvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run well_architected_framework_security --var 'common_dimensions=["account_id", "connection_name", "region"]'

Or through environment variables:

export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
export PP_VAR_tag_dimensions='["Environment", "Owner"]'
powerpipe benchmark run well_architected_framework_security

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues:

Credits