
Policies Overview

Prerequisites

This tutorial uses examples from an AWS deployment. To start, follow our Getting Started with AWS guide to install cloudquery, authenticate with AWS, and fetch your cloud deployment into a PostgreSQL database. If you are using a different cloud provider, you can see our Getting Started with GCP and Getting Started with Azure guides, and try to follow along.

Overview

CloudQuery allows you to use SQL to check various conditions about your cloud deployment. For instance, the following SQL query allows you to test whether you have any AWS EC2 instances that were stopped more than 30 days ago, but were not deleted.

SELECT account_id, region, id
FROM aws_ec2_instances
WHERE state_name = 'stopped'
AND NOW() - state_transition_reason_time >
INTERVAL '30' DAY

CloudQuery Policies allow you to run pre-written queries (and sets of queries) with cloudquery policy run.

The CloudQuery team and community have already implemented many policies for many different providers. Among them are the AWS CIS Benchmark, PCI DSS, and the AWS Foundational Security Best Practices.

You can find the full list of existing policies on

For instance, you can run the previous query (that is taken from our AWS Foundational Security Best Practices policy) with

cloudquery policy run aws//foundational_security/ec2/EC2.4

that will return a pass/fail result, and, if the check failed, the ids of the offending resources.

Policy run result example:
📋 aws Results:

⚠️ Policy finished with warnings

❌ EC2.4 Stopped EC2 instances should be removed after a specified time period failed
❌ i-XXXXXXXXXXXX

You can get a .json report instead by using the --output-dir flag, or have the policy results written to your PostgreSQL database with --enable-db-persistence. You can find the schema for the PostgreSQL policy results here.

cloudquery policy run aws//foundational_security/ec2/EC2.4 --output-dir /path/to/output_dir
cloudquery policy run aws//foundational_security/ec2/EC2.4 --enable-db-persistence

You can also run the entire Foundational Security policy with:

cloudquery policy run aws//foundational_security

or just the EC2 section with:

cloudquery policy run aws//foundational_security/ec2
CloudQuery Policies consist of SQL queries that are executed against the PostgreSQL database configured in your cloudquery.yml file. This means that before running policies, you must run cloudquery fetch to populate this database with information from your cloud; a policy run against an empty or stale database reports on whatever was last fetched, not on the live account.
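As an added example that is not part of this page or the CloudQuery project, the EC2.4 check above is run end to end against an in-memory SQLite copy of aws_ec2_instances filled with constructed rows, so the pass/fail logic can be tried without a cloud fetch (the date arithmetic is rewritten in SQLite's julianday form, since the INTERVAL syntax on this page is PostgreSQL-only). It also surfaces the edge case the original WHERE clause silently drops: stopped instances whose state_transition_reason_time is NULL compare as NULL and never appear in the failing set. The helper names and the fixed NOW value are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the constructed sample is deterministic.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

def ts(days_ago):
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")

# Constructed sample of aws_ec2_instances (only the columns the EC2.4 query uses).
SAMPLE_ROWS = [
    # account_id,    region,      id,                    state_name, state_transition_reason_time
    ("111111111111", "us-east-1", "i-0aaaaaaaaaaaaaaaa", "stopped",  ts(45)),  # stale: should fail
    ("111111111111", "us-east-1", "i-0bbbbbbbbbbbbbbbb", "stopped",  ts(10)),  # recent: passes
    ("222222222222", "eu-west-1", "i-0ccccccccccccccccc", "running",  ts(90)),  # running: out of scope
    ("222222222222", "eu-west-1", "i-0ddddddddddddddddd", "stopped",  None),    # unknown stop time
]

def load_sample(conn):
    conn.execute("""CREATE TABLE aws_ec2_instances (account_id TEXT, region TEXT,
        id TEXT, state_name TEXT, state_transition_reason_time TEXT)""")
    conn.executemany("INSERT INTO aws_ec2_instances VALUES (?,?,?,?,?)", SAMPLE_ROWS)

def stale_stopped_instances(conn, max_days=30):
    # SQLite rendering of the page's query: NOW() - col > INTERVAL becomes a
    # julianday difference. NULL timestamps compare as NULL and are dropped.
    rows = conn.execute("""
        SELECT account_id, region, id
        FROM aws_ec2_instances
        WHERE state_name = 'stopped'
          AND julianday(?) - julianday(state_transition_reason_time) > ?""",
        (NOW.strftime("%Y-%m-%d %H:%M:%S"), max_days)).fetchall()
    return [r[2] for r in rows]

def stopped_without_transition_time(conn):
    # Companion check: stopped instances the main query cannot judge because the
    # transition timestamp is missing; surface them instead of passing by omission.
    rows = conn.execute("""
        SELECT id FROM aws_ec2_instances
        WHERE state_name = 'stopped' AND state_transition_reason_time IS NULL""").fetchall()
    return [r[0] for r in rows]

def run_check(max_days=30):
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    failing = stale_stopped_instances(conn, max_days)
    unknown = stopped_without_transition_time(conn)
    status = "pass" if not failing else "fail"
    return status, failing, unknown
```

run_check() reports the policy as failed with i-0aaaaaaaaaaaaaaaa as the offending resource, and lists i-0ddddddddddddddddd separately as a stopped instance the check could not date.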

Keep reading on the next page to learn how to write your own CloudQuery policies.