Compliance-focused queries

Ensure cloud compliance effortlessly with CloudQuery’s SQL-powered auditing.

Ensure cloud compliance with SQL

Maintaining compliance across cloud environments requires continuous monitoring and enforcement of policies. CloudQuery enables you to run SQL queries on your cloud asset inventory, allowing you to quickly verify compliance with regulatory standards like CIS, ISO 27001, and NIST.

Compliance queries in action

Here are some essential queries to help you maintain compliance and avoid costly violations.

Find untagged resources (AWS, GCP, Azure)

Why it matters: Lack of tagging makes compliance tracking and cost allocation difficult.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    tags = '{}' OR tags IS NULL;

Identify inconsistent tagging formats (AWS, GCP, Azure)

Why it matters: Tag inconsistency prevents automated cost allocation and policy enforcement.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    tags LIKE '%Environment%'
    OR tags LIKE '%ENV%'
    OR tags LIKE '%Env%'
    OR tags LIKE '%env%'
    OR tags LIKE '%ENVIRONMENT%';

Identify resources not tagged according to a governance policy (AWS, GCP, Azure)

Why it matters: Proper tagging helps track resources for compliance, auditing, and cost allocation.

SELECT
    cloud, account, name, region, resource_type, tags
FROM
    cloud_assets
WHERE
    tags NOT LIKE '%cost_center%'
    OR tags NOT LIKE '%owner%'
    OR tags NOT LIKE '%environment%';

Identify resources running in unauthorized regions (AWS, GCP, Azure)

Why it matters: Regulatory restrictions prevent companies from deploying workloads in unauthorized regions.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    region NOT IN ('us-east-1', 'us-west-1', 'eu-west-1');

Find AWS RDS instances lacking automated backups (AWS)

Why it matters: Without backups, organizations risk permanent data loss.

SELECT
    db_instance_arn, backup_retention_period, region
FROM
    aws_rds_instances
WHERE
    backup_retention_period = 0;

Identify databases without SSL encryption (AWS)

Why it matters: Unsecured database connections expose data to attacks.

SELECT
    *
FROM
    aws_rds_instances
WHERE
    empty(ca_certificate_identifier);

List RDS instances not using encryption at rest (AWS)

Why it matters: Unencrypted databases violate compliance and security policies.

SELECT
    *
FROM
    aws_rds_instances
WHERE
    storage_encrypted = false;

Find IAM users without MFA enabled (AWS)

Why it matters: Lack of MFA increases the risk of account compromise.

SELECT
    u.*
FROM
    aws_iam_users AS u
LEFT JOIN
    aws_iam_mfa_devices AS m
ON
    u.user_name = m.user_name
WHERE
    m.user_name IS NULL;
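The three RDS checks above (automated backups, CA certificate, encryption at rest) can be combined into a single triage query that returns one row per failing instance with a flag per check. This is an added example, not taken from the CloudQuery documentation; it uses only the aws_rds_instances columns shown above, and the output column names (no_automated_backups, no_ca_certificate, not_encrypted_at_rest) are hypothetical.

```sql
-- Added example: consolidated RDS compliance findings.
-- Each flag is 1 (true) when the instance fails that check, 0 otherwise.
-- Output column names are hypothetical; source columns are those used
-- in the individual RDS queries on this page.
SELECT
    db_instance_arn,
    region,
    backup_retention_period = 0         AS no_automated_backups,   -- backups disabled
    empty(ca_certificate_identifier)    AS no_ca_certificate,      -- no CA cert for TLS
    storage_encrypted = false           AS not_encrypted_at_rest   -- storage unencrypted
FROM
    aws_rds_instances
WHERE
    -- Keep only instances that fail at least one check.
    backup_retention_period = 0
    OR empty(ca_certificate_identifier)
    OR storage_encrypted = false
ORDER BY
    region, db_instance_arn;
```

An instance that appears here with more than one flag set would otherwise show up in several separate result sets, so this form is easier to hand to a remediation owner as a single list.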

Want more?

These are just a few examples of how CloudQuery turns your cloud into an instantly queryable database—giving you unparalleled visibility into compliance risks.


Check out the main query examples page for more ways to audit, secure, and optimize your cloud—all with SQL!