Using Steampipe Relationship Graphs to Navigate Cloud Resources on Amazon Web Services

by Tom Callaway and Bob Tordella | on

Relationship graphs in Steampipe are helpful visualizations to provide quick context of your cloud environments which highlight important information about your resources.

In our last posts we showed how the open source Steampipe tool can be used to query Amazon Web Services with SQL with the Steampipe Amazon Web Services plugin .  You can also use Steampipe to run compliance benchmarks with the Steampipe Amazon Web Services Compliance mod and leverage dashboards-as-code with Amazon Web Services Insights mod to gain insights on your Amazon Web Services inventory across regions and accounts.

In today’s post we’ll show you how you can navigate between resources using the new relationship graph capabilities added to Steampipe Amazon Web Services Insights dashboards. These new graphs help:

  • Understand relationships and dependencies at a glance: What services log to this Amazon Simple Storage Service (Amazon S3) bucket? What instances are targeted by this load balancer? What identity access management (IAM) role is used by this Lambda function? Does this Amazon Virtual Private Cloud (Amazon VPC) use peering?
  • Review architecture and topology: What is the network structure of this VPC? Is this application balanced across availability zones? Is my Amazon Relational Database Service (Amazon RDS) instance in the database subnet?
  • Identity and permissions: What users are in this group? What resources use this IAM role? What permissions are granted by this principal?

To get started and to see your own Amazon Web Services accounts in these dashboards, here are the prerequisites:

  • Install Steampipe
  • Install/configure the Amazon Web Services plugin

Here’s the setup:

git clone
cd steampipe-mod-aws-insights
steampipe dashboard

Now visit localhost:9194 in your browser to view and interact with the dashboards, as shown here.

Steampipe dashboard

Let’s take a closer look at some dashboard examples of how Steampipe relationship graphs can help you navigate and manage your Amazon Web Services infrastructure across accounts.

VPC Dashboard

We can start with the VPC Detailed Report. In this environment, we see the four subnets and the availability zones. For example, in the public_1 subnet, we find an Amazon Elastic Compute Cloud (Amazon EC2) Instance and its associated network interface. You can also navigate the Security Groups created in this VPC.

VPC dashboard

Amazon EC2 Instance

We can click on the WordPress instance to see more details about it. Here we see the WordPress instance has a disk and a network interface. In addition, we can see the instance role. The SSH keys are often a way to see who created a machine.

Wordpress instance on EC2

IAM Role

The IAM Role allows us to see what permissions the WordPress instance has. The instance has the AmazonSSMManagedInstanceCore role.

Additionally, both the Amazon EC2 instance and the Amazon Web Services Lambda services can assume this IAM role, as shown in the diagram. As this role is for Amazon EC2, that is something a DevOps engineer should investigate.

IAM user

User Detail

The IAM User Detail dashboard shows the relationship between a user, their access keys, and the attached policies. For example, this diagram shows what the Steampipe Cloud IAM user looks like. The spc user has an access key and attaches ReadOnlyAccess and ViewOnlyAccess.

IAM user details dashboard

Uncover hidden details in your Amazon Web Services footprint

These graphs work hand-in-hand with their dashboards’ infocards, charts, and tables to help you understand your Amazon Web Services cloud in a whole new way. Which of these seem most useful to you? What other kinds of relationships will help you understand your cloud environments and manage them more effectively?

We’re excited to learn more about your experience using the Amazon Web Services Insights Mod. Our Slack community is a great place to share your feedback and connect with other Amazon Web Services users.


  • Install Steampipe
  • Install/configure the Amazon Web Services plugin
  • Install the Amazon Web Services Insights mod