

CloudQuery Policies brings policy-as-code to the CloudQuery ecosystem.

CQ Policies enables users to codify, version and run security, compliance and cost rules, using SQL as the query engine and HCL as the logical layer.

Key Features

  • As-Code: Get all the benefits of using "as-code", such as collaboration, re-use and version control.
  • CloudQuery Hub: Access official and community CloudQuery policies, which you can use as is or customize to your needs. Also, share your own policies on GitHub and publish them on CloudQuery Hub to get feedback from the community.

Getting Started

First, make sure you have run the fetch command so that your database is populated with the configuration of all your cloud assets.

CloudQuery policies can be stored on GitHub or locally and published on CloudQuery Hub for easy discovery and documentation.

Running Policies

The following will run the policy hosted on as the default host is GitHub.

cloudquery policy run

CloudQuery always downloads the latest tag of the policy if no specific tag/commit/branch is defined. You can set a specific branch by adding @ or ?ref=<tag/branch/commit-hash> to your source URL. Examples:

cloudquery policy run
cloudquery policy run

To run policies from other sources check the following page.

Running sub-policies

Some policies are built as packs, and only specific sub-policies may be relevant to us. We can specify sub-policies with the // path separator in our source argument.

cloudquery policy run

You can also run a specific check. For example, if we want to run an IAM check in cis_v1.2.0:

cloudquery policy run

This will run the 1.9 check under the section 1 policy of CIS v1.2.0.

Policy configuration

To add policies to your config.hcl, simply add policy blocks. You can either add inline policies or point to a policy by source.

# ... CloudQuery and provider blocks here ...
// Policy Configurations
policy "aws-cis" {
  source = ""
}

Running local policies

To run a local policy from a local source, you can set the policy in your config.hcl or pass the policy file path when executing the policy run command as follows:

cloudquery policy run path\to\policy

You can use either a relative path or an absolute path. If you are configuring the local policy in your config.hcl, relative paths are advised, because absolute paths tend to couple your configuration to the filesystem layout of a particular computer.


Scan results show passed/failed queries, as well as manual queries that just print output without a pass/fail predicate.

📋 AWS CIS v1.3.0 Results:
⚠️ Policy finished with warnings
    ✓   1.1  AWS CIS 1.1 Avoid the use of 'root' account. Show used in last 30 days (Scored)                                               passed
    ✓   1.2  AWS CIS 1.2 Ensure MFA is enabled for all IAM users that have a console password (Scored)                                     passed
    ❌  1.3  AWS CIS 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)                                            failed
        ❌  arn:aws:iam::XXXXXXXXXXXXXx:user/XXXXXXXXXXXXXx
        ❌  arn:aws:iam::XXXXXXXXXXXXXx:user/XXXXXXXXXXXXXx
    ❌  1.4  AWS CIS 1.4 Ensure access keys are rotated every 90 days or less                                                              failed
        ❌  arn:aws:iam::XXXXXXXXXXXXXx:user/XXXXXXXXXXXXXx
        ❌  arn:aws:iam::XXXXXXXXXXXXXx:user/XXXXXXXXXXXXXXx

    manual 1.7  AWS Public ELBV2
     +----------------------------+-------------------------------------------------------------------------+--------------+-----------+
     |            name            |                                dns_name                                 |  account_id  |  region   |
     +----------------------------+-------------------------------------------------------------------------+--------------+-----------+
     | apigateway-xxx-integration |                                                                         | xxxxxxxxxxxx | us-east-1 |
     +----------------------------+-------------------------------------------------------------------------+--------------+-----------+
     | awseb-xxxxx-1Y07H683587FY  |                                                                         | xxxxxxxxxxxx | us-east-1 |
     +----------------------------+-------------------------------------------------------------------------+--------------+-----------+
     | elbv2-integration          |                                                                         | xxxxxxxxxxxx | us-east-1 |
     +----------------------------+-------------------------------------------------------------------------+--------------+-----------+

For every failed resource the following attributes are printed if found (in that order):

  • id, identifier, resource_identifier, uid, uuid, arn

You can use the --output-dir /path/to/ option to get the policy results in JSON format.
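To gate a CI job on scored checks, the console results layout shown above can be parsed into failed checks and their resources. This is an added example, not CloudQuery's own code: the sample text is constructed, and the names parse_results and failed_checks are hypothetical. It reads the console text because the schema of the JSON written by --output-dir is not shown on this page.

```python
import re

# Constructed sample in the console layout shown on this page (ARNs are made up).
SAMPLE = """\
📋 AWS CIS v1.3.0 Results:
    ✓   1.1  AWS CIS 1.1 Avoid the use of 'root' account. Show used in last 30 days (Scored)   passed
    ❌  1.3  AWS CIS 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)   failed        ❌  arn:aws:iam::111111111111:user/alice
        ❌  arn:aws:iam::111111111111:user/bob
    ❌  1.4  AWS CIS 1.4 Ensure access keys are rotated every 90 days or less   failed
        ❌  arn:aws:iam::111111111111:user/alice

    manual 1.7  AWS Public ELBV2
    | name | dns_name | account_id | region |
"""

# <marker> <check id> <title> <passed|failed> [<marker> <first resource on same line>]
CHECK = re.compile(r"^\s*\S+\s+(\d+(?:\.\d+)+)\s+(.+?)\s+(passed|failed)\b\s*(.*)$")

def parse_results(text):
    """Return {check_id: {"title", "status", "resources"}} for pass/fail checks."""
    checks, current = {}, None
    for line in text.splitlines():
        m = CHECK.match(line)
        if m:
            check_id, title, status, rest = m.groups()
            current = {"title": title, "status": status, "resources": []}
            checks[check_id] = current
            if rest.split():  # a resource printed on the same line as the check
                current["resources"].append(rest.split()[-1])
            continue
        tokens = line.split()
        # A resource line is "<marker> <identifier>" directly under a failed check.
        if current and current["status"] == "failed" and len(tokens) == 2:
            current["resources"].append(tokens[1])
        else:
            current = None  # blank line, manual query or table row: stop attaching
    return checks

def failed_checks(text):
    """Map each failed check id to the resource identifiers listed under it."""
    return {cid: c["resources"] for cid, c in parse_results(text).items() if c["status"] == "failed"}

if __name__ == "__main__":
    failures = failed_checks(SAMPLE)
    for cid, resources in failures.items():
        print(cid, *resources)
    raise SystemExit(1 if failures else 0)  # non-zero exit fails the CI job
```

Manual queries have no pass/fail predicate, so they never appear in the result and need separate review.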

What's next?

  • Learn how to write a policy.
  • Learn how to run policies from different sources.