Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-guardrails-insights
Overview
13Dashboards
10Benchmarks
60Queries
2Variables
GitHub

Control: Turbot > User Login History

Description

Check User Login activity in customer workspaces

Usage

Run the control in your terminal:

powerpipe control run guardrails_insights.control.guardrails_workspace_user_activity

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run guardrails_insights.control.guardrails_workspace_user_activity --share

SQL

This control uses a named query:

select
    g.workspace,
    g.workspace as resource,
    case
        when count(
            case
                when (n.notifications ->> 'email') not like '%@turbot.com'
                then 1
                else null
            end
        ) = 0 then 'alarm'
        else 'ok'
    end as status,
    case
        when count(
            case
                when (n.notifications ->> 'email') not like '%@turbot.com'
                then 1
                else null
            end
        ) = 0 then 'Workspace is Inactive. No User Login for 30 Days.'
        else 'Workspace is Active.'
    end as reason
from
    guardrails_query g
left join lateral
    jsonb_array_elements(g.output -> 'notifications' -> 'items') as n(notifications) ON TRUE
where
    g.query = '{
      notifications: resources(
        filter: "resourceTypeId:tmod:@turbot/turbot-iam#/resource/types/profile,tmod:@turbot/turbot-iam#/resource/types/groupProfile,tmod:@turbot/aws-iam#/resource/types/instanceProfile $.lastLoginTimestamp:>=T-30d"
      ) {
        items {
          email: get(path:"email")
          lastLoginTimestamp: get(path: "lastLoginTimestamp")
          trunk {
            title
          }
          turbot {
            akas
          }
        }
      }
    }'
group by
    g.workspace;

Tags

service = Guardrails/Workspace