Skip to main content

Running AWS Foundational Security Best Practices with CloudQuery Policies

· 3 min read

Back in mid-2020 AWS Security Hub released a new security standard called AWS Foundational Security Best Practices. This new standard sets security controls to detect when an AWS account or deployed resources don’t match up to the best practices set out by the AWS security experts. The complete standard can be found in the AWS Security Hub documentation.

As with any security guidelines, factors such as AWS environments, requirements, and capacity of your security team, will impact how you implement those guidelines.

The new AWS Foundational Security Best Practices CloudQuery policy gives you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL.

The CloudQuery AWS Foundational Security Policy covers 200+ checks - you can review them on GitHub or review them in the GitHub.


Please follow the Getting Started documentation on how to install cloudquery, and fetch your AWS configuration into a PostgreSQL database.


After fetching your AWS configuration into a PostgreSQL database, you can use SQL to check your cloud deployment for compliance!

For example, you can check for certificates that are going to expire soon and need to be renewed.



FROM aws_acm_certificates


You can also use the cloudquery command to run the entire AWS Foundational Security Best Practices policy pack. The policy is split into sections as sub-policies, so you can run either the entire policy, a sub-policy, or even one specific check.

# execute the AWS foundational-security-best-practices policy pack

cloudquery policy run aws//foundational_security

# execute the ACM section in AWS Foundational Security policy

cloudquery policy run aws//foundational_security/acm

# execute the S3 related section in AWS Foundational Security policy

cloudquery policy run aws//foundational_security/s3

# describe all available policies and sub-policies available for AWS on cloudquery

cloudquery policy describe aws

# execute the entire AWS policy pack, including other benchmarks.

cloudquery policy run aws

You can also output the results into a JSON and pass them to downstream processing for automated monitoring and alerting.

cloudquery policy run aws//foundational_security --output-dir=results

Build your own and share!

Do you have a policy that you want to codify, or that you’ve been running with python or bash scripts? You are welcome to try codifying it with CloudQuery Policies (See our github and docs for how to develop one). Feel free to visit our discord or GitHub to get help - we’ll also be happy to share your policy on CloudQuery Hub.