CloudQuery Platform
  • Introduction
    • Welcome to CloudQuery Platform
    • Getting Help
  • Quickstart
    • Creating a New Account
    • Platform Activation
  • Core Concepts
    • Integrations
    • Syncs
    • Filters & Queries
    • SQL Console
    • Reports
  • Integration Guides
    • Setting up an AWS Integration
    • Setting up an AWS Cost and Usage Integration
    • Setting up a GCP Integration
    • Setting up an Azure Integration
    • Setting up a GitHub Integration
    • Setting up a K8s Integration
      • Using AWS EKS
      • Using Azure AKS
      • Using GCP GKE
    • General Integration Setup Guide
    • General Destination Setup Guide
  • Syncs
    • Setting up a Sync
    • Monitoring Sync Status
  • Cloud insights
    • From cloud asset inventory to insights
      • Security-focused queries
      • Compliance-focused queries
      • FinOps-focused queries
  • Production Deployment
    • Enabling Single Sign-on (SSO)
      • Single Sign-On with Google
      • Single Sign-On with Microsoft
      • Single Sign-On with Okta
  • User Management
    • Platform Roles Overview
    • Workspace Roles Overview
  • Advanced Topics
    • Custom Columns
    • Understanding Platform Views
    • Performance Tuning
  • Reference
    • Search & Filter Query Syntax
  • API Reference
  • CLI Docs
  • CloudQuery Hub
Powered by GitBook
On this page
  • Secure your cloud with SQL queries
  • Security queries in action
  • Want more?

Was this helpful?

  1. Cloud insights
  2. From cloud asset inventory to insights

Security-focused queries

Enhance your cloud security with CloudQuery’s powerful SQL queries.

Secure your cloud with SQL queries

Ensuring cloud security requires continuous monitoring and proactive detection of risks. CloudQuery allows you to run SQL queries directly on your cloud asset inventory, making it easy to spot vulnerabilities and misconfigurations in real time.

Security queries in action

Here are some powerful SQL queries to help you secure your cloud environment and eliminate risks before they become incidents.

Find public S3 buckets (AWS)

Why it matters: Public S3 buckets can expose sensitive data and lead to breaches.

SELECT 
	name, JSONExtractBool(policy_status, 'IsPublic') as is_public
FROM 
	aws_s3_buckets
WHERE 
	is_public = TRUE
Detect AWS lambda functions using deprecated runtimes (AWS)

Why it matters: Deprecated runtimes introduce security risks and compatibility issues.

SELECT
	arn, region, tags, JSONExtractString(configuration, 'Runtime') as runtime
FROM
	aws_lambda_functions
WHERE
    runtime in ('nodejs10.x', 'python2.7', 'dotnetcore2.1', 'ruby2.5', 'go1.x')
Identify expired SSL certificates (AWS)

Why it matters: Expired SSL certificates can lead to service disruptions and security vulnerabilities.

SELECT
    account_id,
    arn,
    domain_name,
    not_after AS expiry_date,
    status,
    NOW() AS current_time,
    not_after < NOW() AS is_expired
FROM
	aws_acm_certificates
ORDER BY
	not_after ASC;
List EC2 instances authorizing SSH from anywhere (AWS)

Why it matters: Exposed SSH ports allow unauthorized access and increase security risks.

SELECT 
    e.arn as instance_arn,
    e._cq_name as name,
    e.region as instance_region,
    e.account_id as account_id,
    arrayJoin(JSONExtractArrayRaw(assumeNotNull(security_groups))) AS security_group,
    JSONExtractString(security_group, 'GroupId') AS instance_group_id,
    arrayJoin(JSONExtractArrayRaw(assumeNotNull(s.ip_permissions))) as ip_permission,
    JSONExtractInt(ip_permission, 'FromPort') AS from_port,
    JSONExtractInt(ip_permission, 'ToPort') AS to_port,
    JSONExtractArrayRaw(ip_permission, 'IpRanges') AS ip_ranges,
    JSONExtractArrayRaw(ip_permission, 'Ipv6Ranges') AS ipv6_ranges,
    arrayJoin(empty(ip_ranges) ? [''] : ip_ranges) as ip_range,
    arrayJoin(empty(ipv6_ranges) ? [''] : ipv6_ranges) as ipv6_range,
    JSONExtractString(ip_range, 'CidrIp') as cidr,
    JSONExtractString(ipv6_range, 'CidrIp') as ipv6_cidr
FROM 
	aws_ec2_instances as e 
JOIN 
    aws_ec2_security_groups as s 
ON 
    instance_group_id = s.group_id
WHERE 
    from_port = 22 AND to_port = 22 AND (cidr = '0.0.0.0/0' OR ipv6_cidr = '::/0')
Find IAM users without MFA enabled (AWS)

Why it matters: Lack of MFA increases the risk of account compromise.

SELECT
	u.*
FROM
	aws_iam_users AS u
LEFT JOIN
	aws_iam_mfa_devices AS m
ON
	u.user_name = m.user_name
WHERE
	m.user_name IS NULL;

Want more?

These are just a few examples of how CloudQuery turns your cloud into an instantly queryable database—giving you unparalleled visibility into security risks.

PreviousFrom cloud asset inventory to insightsNextCompliance-focused queries

Last updated 2 months ago

Was this helpful?

Check out the for more ways to audit, secure, and optimize your cloud—all with SQL!

main query examples page