1 - https://steampipe.io
2 - https://hub.steampipe.io/mods/turbot/aws_compliance
3 - https://hub.steampipe.io/plugins/turbot/trivy
Searching / filtering for resources in the AWS SDK has always been kludgy and limited, sometimes requiring querying and then filtering locally to find specific records.
Also love the pro-SQL approach.
Shout out to steampipe below as a similar project, though that takes a more real-time approach rather than ELT, which has its use-cases as well.
You do pay for it (~$30 a month for my job) but you quite literally check a box and have no setup.
My main issue with it is the standards, PCI, AWS Foundations. These all have "Versions" which aren't controllable. For example AWS Foundations has been at 1.0.0 for over two years, despite receiving several updates and changes over time.
If it works then it can solve a big problem in security scanning, which is different tools applying different rules, which causes frustration as it reduces the risk of "it passed in dev, why is it failing in prod".
(full disclosure, I used to work for Aqua who make Trivy)
./trivy aws --region us-east-1
panic: runtime error: invalid memory address or nil pointer dereference
Posted a GitHub issue as well.
Whereas container scanning in ECR, who knows when someone will actually fix the issue.
That said, I really like Trivy. It has native output template support, meaning you can plug it in where licensing gets tricky (looking at you, Palo Alto Networking).