Config Query Examples

Some examples for Config Query for all cloud types.
Use this section for some examples that show you how to use Config Query Attributes in RQL for investigating issues on each cloud platform:

AWS—Config Query Examples

DESCRIPTION
RQL
View users who enabled console access with both access keys and passwords.
config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled is true
List root accounts that do not have MFA enabled.
config from cloud.resource where api.name = 'aws-iam-get-account-summary' AND json.rule='not AccountMFAEnabled equals 1'
List active access keys.
config from cloud.resource where api.name = 'aws-iam-list-access-keys' AND json.rule = status equals Active
View all S3 buckets that are accessible to the public through bucket ACLs.
config from cloud.resource where api.name='aws-s3api-get-bucket-acl' AND json.rule="(acl.grants[?(@.grantee=='AllUsers')] size > 0)"
View all S3 buckets that are accessible to the public through bucket policy.
config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow')].Principal contains *"
Displays the number of VPCs that do not have subnets associated only when there are more than 2 VPCs.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-vpcs' as X; config from cloud.resource where api.name = 'aws-ec2-describe-subnets' as Y; filter 'not $.X.vpcId equals $.Y.vpcId'; show X; count(X) > 2
Check for S3:GetObject operations.
You can include other operations related to S3 buckets, such as s3:PutObject, s3:*, s3:GetBucketAcl, s3:ListBucket, s3:ListAllMyBuckets, s3:PutObjectAcl, s3:GetObjectAcl, and s3:GetObjectVersion.
config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' and json.rule = "policy.Statement exists and policy.Statement[?(@.Action=='s3:GetObject' && @.Effect=='Allow' || @.Action=='s3:ListBucket' && @.Effect=='Allow' || @.Action=='s3:*' && @.Effect=='Allow' || @.Action=='s3:GetBucketAcl' && @.Effect=='Allow' || @.Action=='s3:PutObject' && @.Effect=='Allow' || @.Action=='s3:GetObjectAcl' && @.Effect=='Allow' || @.Action=='s3:GetObjectVersion' && @.Effect=='Allow')].Principal contains *"

Azure—Config Query Examples

DESCRIPTION
RQL
View SQL Server firewall rules that allow access to any Azure internal resources.
config from cloud.resource where api.name = 'azure-sql-server-list' AND json.rule = "firewallRules.[*] size > 0 and firewallRules.[*].['endIpAddress'] contains 0.0.0.0 and firewallRules.[*].['startIpAddress'] contains 0.0.0.0"
List security center resource groups in Azure that do not specify a security contact email address.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center' AND json.rule = 'name == default and (properties.securityContactConfiguration.securityContactEmails !isEmpty or properties.securityContactConfiguration exists)'
View SQL databases where encryption is disabled.
config from cloud.resource where api.name = 'azure-sql-db-list' AND json.rule=’transparentDataEncryption is false’
List Azure VNETs that are peered successfully.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-network-vnet-list' AND json.rule = " ['properties.virtualNetworkPeerings'][*]. ['properties.provisioningState'] contains Succeeded "
Display a count of the number of Azure Activity log alerts if the total number is less than one.
config from cloud.resource where api.name = 'azure-activity-log-alerts' as X; count(X) < 1
Display Azure hosts that match the queried private IP address.
config from cloud.resource where api.name = 'azure-vm-list' AND json.rule = ['properties.networkProfile'].networkInterfaces[*].privateIpAddress contains "1"

GCP—Config Query Examples

DESCRIPTION
RQL
View firewall rules that allow internet traffic through the MongoDB port (27017).
config from cloud.resource where api.name='gcloud-compute-firewall-rules-list' AND json.rule='sourceRanges[*] contains 0.0.0.0/0 and allowed[*].ports[*] == 27017'
List SQL Instances where SSL is not configured.
config from cloud.resource where api.name='gcloud-sql-instances-list' and json.rule = 'settings.ipConfiguration.requireSsl is true'
List virtual machine (VM) instances where preemptive termination is enabled.
config from cloud.resource where api.name = 'gcloud-compute-instances-list' AND json.rule = 'scheduling.preemptible is true'
View all storage buckets or objects that are publicly accessible.
config from cloud.resource where cloud.type = 'gcp' AND cloud.service = 'Google Cloud Storage' AND api.name = 'gcloud-storage-buckets-list' AND json.rule = 'acl[*].entity contains allUsers or acl[*].entity contains allAuthenticatedUsers'

Recommended For You