PlatformCloud InsightsFrom Cloud Asset Inventory to InsightsCompliance-focused Queries

Compliance-focused queries

Ensure cloud compliance with SQL

Maintaining compliance across cloud environments requires continuous monitoring and enforcement of policies. CloudQuery enables you to run SQL queries on your cloud asset inventory, allowing you to quickly verify compliance with regulatory standards like CIS, ISO 27001, and NIST.

Compliance queries in action

Here are some essential queries to help you maintain compliance and avoid costly violations.

Find untagged resources (AWS, GCP, Azure)

Why it matters: Lack of tagging makes compliance tracking and cost allocation difficult.

SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  tags = '{}' OR tags IS NULL;
Identify inconsistent tagging formats (AWS, GCP, Azure)

Why it matters: Tag inconsistency prevents automated cost allocation and policy enforcement.

SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  tags LIKE '%Environment%'
  OR tags LIKE '%ENV%'
  OR tags LIKE '%Env%'
  OR tags LIKE '%env%'
  OR tags LIKE '%ENVIRONMENT%';
Identify resources not tagged according to a governance policy (AWS, GCP, Azure)

Why it matters: Proper tagging helps track resources for compliance, auditing, and cost allocation.

SELECT
  cloud, account, name, region, resource_type, tags
FROM
  cloud_assets
WHERE
  tags NOT LIKE '%cost_center%'
  OR tags NOT LIKE '%owner%'
  OR tags NOT LIKE '%environment%';
Identify resources running in unauthorized regions (AWS, GCP, Azure)

Why it matters: Regulatory restrictions prevent companies from deploying workloads in unauthorized regions.

SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  region NOT IN ('us-east-1', 'us-west-1', 'eu-west-1');
Find AWS RDS instances lacking automated backups (AWS)

Why it matters: Without backups, organizations risk permanent data loss.

SELECT
    db_instance_arn, backup_retention_period, region
FROM
    aws_rds_instances
WHERE
    backup_retention_period = 0;
Identify databases without SSL encryption (AWS)

Why it matters: Unsecured database connections expose data to attacks.

SELECT
	*
FROM
	aws_rds_instances
WHERE
	empty(ca_certificate_identifier);
List RDS instances not using encryption at rest (AWS)

Why it matters: Unencrypted databases violate compliance and security policies.

SELECT
  *
FROM
  aws_rds_instances
WHERE
  storage_encrypted=false;
Find IAM users without MFA enabled (AWS)

Why it matters: Lack of MFA increases the risk of account compromise.

SELECT
  u.*
FROM
  aws_iam_users AS u
LEFT JOIN
  aws_iam_mfa_devices AS m
ON
  u.user_name = m.user_name
WHERE
  m.user_name IS NULL;

Want more?

These are just a few examples of how CloudQuery turns your cloud into an instantly queryable database—giving you unparalleled visibility into compliance risks.

Check out the main query examples page for more ways to audit, secure, and optimize your cloud—all with SQL!

Security-focused QueriesFinOps-focused Queries