The AWS Source plugin extracts information from many of the supported services by Amazon Web Services (AWS) and loads it into any supported CloudQuery destination
Loading plugin documentation
We use tracking cookies to understand how you use the product and help us improve it. Please accept cookies to help us improve. You can always opt out later via the link in the footer.
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN environment variablescredentials and config files in ~/.aws (the credentials file takes priority)aws sso to authenticate the plugin - you can read more about it hereec2:DescribeRegions permission. If credentials you must specify the exact regions that it should sync data from.AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and
AWS_SESSION_TOKEN environment variables (AWS_SESSION_TOKEN can be optional for some accounts).
For information on obtaining credentials, see the AWS guide.export AWS_ACCESS_KEY_ID={Your AWS Access Key ID}
export AWS_SECRET_ACCESS_KEY={Your AWS secret access key}
export AWS_SESSION_TOKEN={Your AWS session token}
credentials and config files in the .aws directory in your home folder.
The contents of these files are practically interchangeable, but AWS plugin will prioritize credentials in the credentials file.credentials file:[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
[myprofile]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
AWS_PROFILE environment variable (On Linux/Mac, similar for Windows):export AWS_PROFILE=myprofile
local_profile field:accounts:
id: <account_alias>
local_profile: myprofile
aws sts get-session-token command may be used with the IAM User's long-term security credentials (Access Key and Secret Access Key).
For more information, see here.aws sts get-session-token --serial-number <YOUR_MFA_SERIAL_NUMBER> --token-code <YOUR_MFA_TOKEN_CODE> --duration-seconds 3600
export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
export AWS_SESSION_TOKEN=<YOUR_SESSION_TOKEN>
kind: source
spec:
# Source spec section
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables: ["aws_ec2_instances"]
destinations: ["postgresql"]
# Learn more about the configuration options at https://cql.ink/aws_source
spec:
# Optional parameters
# regions: []
# accounts: []
# org: nil
# concurrency: 50000
# initialization_concurrency: 4
# aws_debug: false
# max_retries: 10
# max_backoff: 30
# custom_endpoint_url: ""
# custom_endpoint_hostname_immutable: nil # required when custom_endpoint_url is set
# custom_endpoint_partition_id: "" # required when custom_endpoint_url is set
# custom_endpoint_signing_region: "" # required when custom_endpoint_url is set
# use_paid_apis: false
# table_options: nil
# scheduler: shuffle # options are: dfs, round-robin, shuffle, or shuffle-queue
# use_nested_table_rate_limiting: false
# enable_api_level_tracing: false
kind: source
spec:
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables: ['aws_s3_buckets']
destinations: ["postgresql"]
spec:
aws_debug: false
org:
admin_account:
local_profile: "<NAMED_PROFILE>"
member_role_name: OrganizationAccountAccessRole
regions:
- '*'
# Optional parameters
# regions: []
# accounts: []
# org: nil
# concurrency: 50000
# initialization_concurrency: 4
# aws_debug: false
# max_retries: 10
# max_backoff: 30
# custom_endpoint_url: ""
# custom_endpoint_hostname_immutable: nil # required when custom_endpoint_url is set
# custom_endpoint_partition_id: "" # required when custom_endpoint_url is set
# custom_endpoint_signing_region: "" # required when custom_endpoint_url is set
# use_paid_apis: false
# table_options: nil
# scheduler: shuffle # options are: dfs, round-robin or shuffle
regions ([]string) (default: []. Will use all enabled regions)accounts ([]Account) (default: current account)org (Org) (default: not used)concurrency (integer) (default: 50000)initialization_concurrency (integer) (default: 4)scheduler (string) (default: shuffle):dfs (depth-first search), round-robin, shuffle and shuffle-queue.aws_debug (boolean) (default: false)true, will log AWS debug logs, including retries and other request/response metadata.max_retries (integer) (default: 10)max_backoff (integer in seconds) (default: 30 meaning 30s)use_nested_table_rate_limiting (boolean) (default: false)true, the plugin will limit the number of nested tables that are synced concurrently.enable_api_level_tracing (boolean) (default: false)true, the plugin will extend table level traces to include API requests to AWS Servicescustom_endpoint_url (string) (default: not used)custom_endpoint_hostname_immutable (boolean) (default: not used)true.custom_endpoint_partition_id (string) (default: not used)custom_endpoint_signing_region (string) (default: not used)use_paid_apis (boolean) (default: false)true plugin will sync data from APIs that incur a fee.true include (but not limited to):aws_costexplorer*aws_cloudwatch_metric*skip_specific_apis (map) (default: not used)List call, the plugin will persist data from the List call and skip the enriching API call.skip_specific_apis object is as follows:skip_specific_apis:
<aws_service>:
<api_action>: true
skip_specific_apis object is as follows:spec:
regions: ["us-east-1","us-east-2"]
skip_specific_apis:
lambda:
GetRuntimeManagementConfig: true
GetFunction: true
lambda:
GetRuntimeManagementConfig
GetFunction
GetFunctionCodeSigningConfig
GetFunctionConcurrency
kms:
DescribeKey
GetKeyRotationStatus
ListResourceTags
ssm:
ListTagsForResource
glacier:
ListTagsForVault
wafv2:
ListResourcesForWebACL
table_options (map) (default: not used)event_based_sync ([]Event-based sync) (default: empty)account_name (string) (optional) (default: empty)local_profile (string) (default: will use current credentials)[default]
aws_access_key_id=xxxx
aws_secret_access_key=xxxx
[user1]
aws_access_key_id=xxxx
aws_secret_access_key=xxxx
local_profile should be set to either default or user1.role_arn (string)role_session_name (string)role_arn.external_id (string)role_arn.default_region (string) (default: us-east-1)regions ([]string)regions setting.admin_account (Account)member_trusted_principal (Account)member_role_name (string) (required)member_role_session_name (string)member_external_id (string)member_regions ([]string)* character as the only argument in the array.organization_units ([]string)skip_organization_units ([]string)organization_units if there are child OUs that should be ignored.skip_member_accounts ([]string)account_name_filter (string)kinesis_stream_arn (string) (required if sqs_queue_url is not provided)sqs_queue_url (string) (required if kinesis_stream_arn is not provided)account (Account)start_time (string for RFC 3339 timestamp) (default: the time at which the sync began)2023-09-04T19:24:14Z.full_sync (boolean) (default: true)* is necessary for tables, below is a reference configuration of skip tables, where certain tables are skipped.kind: source
spec:
# Source spec section
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables: ["*"]
skip_tables:
- aws_cloudtrail_events
- aws_cloudwatchlog_logstreams
- aws_docdb_cluster_parameter_groups
- aws_docdb_engine_versions
- aws_ec2_instance_types
- aws_ec2_vpc_endpoint_services
- aws_elasticache_engine_versions
- aws_elasticache_parameter_groups
- aws_elasticache_reserved_cache_nodes_offerings
- aws_elasticache_service_updates
- aws_elasticbeanstalk_platform_versions
- aws_elasticsearch_versions
- aws_emr_release_labels
- aws_emr_supported_instance_types
- aws_iam_group_last_accessed_details
- aws_iam_policy_last_accessed_details
- aws_iam_role_last_accessed_details
- aws_iam_user_last_accessed_details
- aws_neptune_cluster_parameter_groups
- aws_neptune_db_parameter_groups
- aws_rds_cluster_parameter_groups
- aws_rds_db_parameter_groups
- aws_rds_engine_versions
- aws_servicequotas_quota_utilizations
- aws_servicequotas_services
- aws_stepfunctions_map_run_executions
- aws_stepfunctions_map_runs
destinations: ["postgresql"]
spec:
# AWS Spec section described below
skip_tables.aws cloudformation deploy --template-file ./streaming-deployment.yml --stack-name <STACK-NAME> --capabilities CAPABILITY_IAM --disable-rollback --region <DESIRED-REGION>
aws cloudformation describe-stacks --stack-name <STACK-NAME> --query "Stacks[].Outputs" --region <DESIRED-REGION>
config.yml file like the one belowkind: source
spec:
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables:
- aws_ec2_instances
- aws_ec2_internet_gateways
- aws_ec2_security_groups
- aws_ec2_subnets
- aws_ec2_vpcs
- aws_ecs_cluster_tasks
- aws_iam_groups
- aws_iam_roles
- aws_iam_users
- aws_iam_policies
- aws_rds_instances
destinations: ["postgresql"]
spec:
event_based_sync:
# account:
# local_profile: "<ROLE-NAME>"
kinesis_stream_arn: <OUTPUT-FROM-CLOUDFORMATION-STACK>
cloudquery sync config.yml
aws sqs create-queue --queue-name <REPLACE_WITH_QUEUE_NAME> bucket-notifications
sqs-policy.json:{
"Version": "2012-10-17",
"Statement": [{"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"SQS:SendMessage"
],
"Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<REPLACE_WITH_QUEUE_NAME>",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:*:*:<REPLACE_WITH_BUCKET_NAME>"
},
"StringEquals": {
"aws:SourceAccount": "<REPLACE_WITH_BUCKET_OWNER_ACCOUNT_ID>"
}
}
}
]
}
aws sqs set-queue-attributes --queue-url <queue_url> --policy file://sqs-policy.json
s3-notification.json:{
"QueueConfigurations": [
{
"QueueArn": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<REPLACE_WITH_QUEUE_NAME>",
"Events": [
"s3:ObjectCreated:*"
]
}
]
}
aws s3api put-bucket-notification-configuration --bucket <REPLACE_WITH_BUCKET_NAME> --notification-configuration file://s3-notification.json
config.yml file like the one belowkind: source
spec:
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables:
- aws_ec2_instances
- aws_ec2_internet_gateways
- aws_ec2_security_groups
- aws_ec2_subnets
- aws_ec2_vpcs
- aws_ecs_cluster_tasks
- aws_iam_groups
- aws_iam_roles
- aws_iam_users
- aws_iam_policies
- aws_rds_instances
destinations: ["postgresql"]
spec:
event_based_sync:
# account:
# local_profile: "<ROLE-NAME>"
sqs_queue_url: <OUTPUT-FROM-CREATE-QUEUE-COMMAND>
cloudquery sync config.yml
AWSTemplateFormatVersion: 2010-09-09
Description: Configures Cloudtrail Events to be piped to a Kinesis Data stream via CloudWatch Logs.
Parameters:
KinesisMessageDuration:
Type: Number
Description: Number of hours Kinesis will persist a record before it is purged.
Default: 24
ExistingS3BucketName:
Type: String
Description: Name of the S3 Bucket that CloudTrail will use to store logs.
Default: ""
Conditions:
CreateS3Bucket: !Equals [!Ref ExistingS3BucketName, ""]
Resources:
# Stream that CQ will poll for changes
CQSyncingKinesisStream:
Type: AWS::Kinesis::Stream
Properties:
ShardCount: 1
RetentionPeriodHours: !Ref KinesisMessageDuration
# IAM Role for allowing CloudWatch Log to write to Kinesis Stream
CloudWatchLogsToKinesisRole:
Type: AWS::IAM::Role
Properties:
Policies:
- PolicyName: CloudWatchLogsToKinesisPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- kinesis:PutRecord
Resource: !GetAtt CQSyncingKinesisStream.Arn
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: logs.amazonaws.com
Action:
- sts:AssumeRole
CloudTrailS3Bucket:
Type: AWS::S3::Bucket
Condition: CreateS3Bucket
Properties:
LifecycleConfiguration:
Rules:
- ExpirationInDays: 30
Status: Enabled
CloudTrailS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !If [CreateS3Bucket,!Ref CloudTrailS3Bucket, !Ref ExistingS3BucketName]
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AWSCloudTrailAclCheck
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource: !Sub
- arn:${AWS::Partition}:s3:::${Bucket}
- { Bucket: !If [CreateS3Bucket,!Ref CloudTrailS3Bucket, !Ref ExistingS3BucketName] }
Condition:
StringEquals:
'aws:SourceAccount': !Sub ${AWS::AccountId}
- Sid: AWSCloudTrailWrite
Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: !Sub
- arn:${AWS::Partition}:s3:::${Bucket}/*
- { Bucket: !If [CreateS3Bucket,!Ref CloudTrailS3Bucket, !Ref ExistingS3BucketName] }
Condition:
StringEquals:
's3:x-amz-acl': bucket-owner-full-control
'aws:SourceAccount': !Sub ${AWS::AccountId}
CloudWatchLogsGroup:
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Properties:
LogGroupName: "CloudTrailLogGroup"
RetentionInDays: 1
# Role for allowing CLoudTrail to write to CloudWatch Logs
CloudWatchRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AssumeRole
Effect: Allow
Principal:
Service: 'cloudtrail.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: 'cloudtrail-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: 'logs:CreateLogStream'
Resource: !GetAtt CloudWatchLogsGroup.Arn
- Effect: Allow
Action: 'logs:PutLogEvents'
Resource: !GetAtt CloudWatchLogsGroup.Arn
CloudTrailTrail:
Type: AWS::CloudTrail::Trail
DependsOn:
- CloudTrailS3BucketPolicy
Properties:
CloudWatchLogsLogGroupArn: !GetAtt CloudWatchLogsGroup.Arn
CloudWatchLogsRoleArn: !GetAtt CloudWatchRole.Arn
EventSelectors:
- IncludeManagementEvents: True
ReadWriteType: WriteOnly
IncludeGlobalServiceEvents: True
IsLogging: True
IsMultiRegionTrail: True
S3BucketName: !If [CreateS3Bucket,!Ref CloudTrailS3Bucket, !Ref ExistingS3BucketName]
SubscriptionFilter:
Type: AWS::Logs::SubscriptionFilter
Properties:
LogGroupName: !Ref CloudWatchLogsGroup
DestinationArn: !GetAtt CQSyncingKinesisStream.Arn
RoleArn: !GetAtt CloudWatchLogsToKinesisRole.Arn
FilterPattern: ""
Outputs:
KinesisStreamArn:
Description: The ARN of the Kinesis Data Stream that CloudQuery will use to listen for changes.
Value: !GetAtt CQSyncingKinesisStream.Arn
kind: source
spec:
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1-fips"
...
kind: source
spec:
name: aws
path: cloudquery/aws
registry: cloudquery
version: "v32.37.1"
tables: ['aws_s3_buckets']
destinations: ["postgresql"]
spec:
aws_debug: false
org:
admin_account:
local_profile: "<NAMED_PROFILE>"
member_role_name: cloudquery-ro
regions:
- '*'
organizations:ListAccountsorganizations:ListAccountsForParentorganizations:ListChildrenOrganizationAccountAccessRole.
The OrganizationAccountAccessRole is created by default
in AWS Accounts created as part of an AWS Organization.
We do not recommend using the OrganizationAccountAccessRole due to the level of permissions typically granted to the role,
but instead recommend for AWS plugin users to create their own IAM roles in each member account with the appropriate read-only permissions.
We also recommend ensuring that the IAM roles and policies used for AWS plugin adhere to company security standards. org:
member_role_name: cloudquery-ro
organizations permissions can be done in any of the following ways: org:
member_role_name: cloudquery-ro
org:
member_role_name: cloudquery-ro
admin_account:
local_profile: <Named-Profile>
org:
member_role_name: cloudquery-ro
admin_account:
local_profile: <Named-Profile>
role_arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
# Optional. Specify the name of the session
# role_session_name: ""
# Optional. Specify the ExternalID if required for trust policy
# external_id: ""
member_trusted_principal block: org:
member_role_name: cloudquery-ro
member_trusted_principal:
local_profile: <Named-Profile-Member>
organization_units list. org:
member_role_name: cloudquery-ro
organization_units:
- ou-<ID-1>
- ou-<ID-2>
skip_organization_units or skip_member_accounts options respectively: org:
member_role_name: cloudquery-ro
organization_units:
- ou-<ID-1>
- ou-<ID-2>
skip_organization_units:
- ou-<ID-3>
skip_member_accounts:
- <ACCOUNT_ID>
AssumeRole (you will need to use credentials that can AssumeRole to all other specified accounts).accounts:
- account_name: <AccountName_1>
role_arn: <YOUR_ROLE_ARN_1>
# Optional. Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for this specific account
local_profile: <NAMED_PROFILE>
# Optional. Specify the Role Session name
role_session_name: ""
- account_name: <AccountName_2>
local_profile: provider
# Optional. Role ARN we want to assume when accessing this account
role_arn: <YOUR_ROLE_ARN_2>
SELECT * FROM aws_elbv2_load_balancers WHERE scheme = 'internet-facing';
SELECT * FROM aws_rds_clusters WHERE storage_encrypted IS FALSE;
SELECT arn, region
FROM aws_s3_buckets
WHERE block_public_acls IS NOT TRUE
OR block_public_policy IS NOT TRUE
OR ignore_public_acls IS NOT TRUE
OR restrict_public_buckets IS NOT TRUE
table_options object is as follows:table_options:
<table_name>:
<api_method_name>:
- <input_object>
<input_object> objects should be provided.
The plugin will iterate through these to make multiple API calls.
This is useful for APIs like CloudTrail's LookupEvents that only supports a single event type per call. For example: table_options:
aws_cloudtrail_events:
LookupEvents:
- StartTime: 2023-05-01T20:20:52Z
EndTime: 2023-05-03T20:20:52Z
LookupAttributes:
- AttributeKey: EventName
AttributeValue: RunInstances
- StartTime: 2023-05-01T20:20:52Z
EndTime: 2023-05-03T20:20:52Z
LookupAttributes:
- AttributeKey: EventName
AttributeValue: StartInstances
- StartTime: 2023-05-01T20:20:52Z
EndTime: 2023-05-03T20:20:52Z
LookupAttributes:
- AttributeKey: EventName
AttributeValue: StopInstances
table_options:
aws_accessanalyzer_analyzer_findings:
ListFindings:
- <AccessAnalyzer.ListFindings> # NextToken & AnalyzerArn are prohibited
aws_accessanalyzer_analyzer_findings_v2:
ListFindingsV2:
- <AccessAnalyzer.ListFindingsV2> # NextToken & AnalyzerArn are prohibited
aws_cloudtrail_events:
LookupEvents:
- <CloudTrail.LookupEvents> # NextToken is prohibited
aws_cloudtrail_trails:
DescribeTrails:
- <CloudTrail.DescribeTrails>
aws_cloudwatch_metrics:
- ListMetrics: <CloudWatch.ListMetrics> # NextToken is prohibited
GetMetricData:
- <CloudWatch.GetMetricData> # MaxDatapoints, NextToken and ScanBy are prohibited
GetMetricStatistics:
- <CloudWatch.GetMetricStatistics> # Namespace, MetricName and Dimensions are prohibited
aws_cloudwatchlogs_delivery_destinations:
DescribeDeliveryDestinations:
- <CloudWatchLogs.DescribeDeliveryDestinationsInput> # NextToken is prohibited
aws_cloudwatchlogs_delivery_sources:
DescribeDeliverySources:
- <CloudWatchLogs.DescribeDeliverySourcesInput> # NextToken is prohibited
aws_cloudwatchlogs_log_groups:
- DescribeGroups: <CloudWatchLogs.DescribeLogGroupsInput> # NextToken is prohibited
DescribeStreams:
cloudwatchStreamLastEventTimeAfter: <time>
aws_costexplorer_cost_custom:
GetCostAndUsage:
- <CostExplorer.GetCostAndUsage> # NextPageToken is prohibited
aws_ec2_images:
DescribeImages:
- <EC2.DescribeImages> # NextToken and ImageIds are prohibited. MaxResults should be in range [1-1000].
aws_ec2_instances:
DescribeInstances:
- <EC2.DescribeInstances> # NextToken is prohibited. MaxResults should be in range [1-1000].
aws_ec2_internet_gateways:
DescribeInternetGateways:
- <EC2.DescribeInternetGateways> # NextToken is prohibited. MaxResults should be in range [5-1000].
aws_ec2_network_interfaces:
DescribeNetworkInterfaces:
- <EC2.DescribeNetworkInterfaces> # NextToken is prohibited. MaxResults should be in range [5-1000].
aws_ec2_route_tables:
DescribeRouteTables:
- <EC2.DescribeRouteTables> # NextToken is prohibited. MaxResults should be in range [5-100].
aws_ec2_security_groups:
DescribeSecurityGroups:
- <EC2.DescribeSecurityGroups> # NextToken is prohibited. MaxResults should be in range [5-1000].
aws_ec2_subnets:
DescribeSubnets:
- <EC2.DescribeSubnets> # NextToken is prohibited. MaxResults should be in range [5-1000].
aws_ec2_vpcs:
DescribeVpcs:
- <EC2.DescribeVpcs> # NextToken is prohibited. MaxResults should be in range [5-1000].
aws_ecs_cluster_tasks:
ListTasks:
- <ECS.ListTasks> # Cluster and NextToken are prohibited. MaxResults should be in range [1-100].
aws_guardduty_detectors:
- ListDetectors: <GuardDuty.ListDetectors> # NextToken is prohibited
ListFindings: <GuardDuty.ListFindings> # NextToken and DetectorID are prohibited
aws_iam_groups:
GetGroup:
- <IAM.GetGroup> # Marker is prohibited. MaxItems should be in range [1-1000].
aws_iam_policies:
ListPolicies:
- <IAM.ListPolicies> # Marker is prohibited. MaxItems should be in range [1-1000].
aws_iam_roles:
GetRole:
- <IAM.GetRole> # RoleName is required.
aws_iam_users:
GetUser:
- <IAM.GetUser> # UserName is required.
aws_inspector_findings:
ListFindings:
- <Inspector.ListFindings> # NextToken is prohibited. MaxResults should be in range [1-500].
aws_inspector2_covered_resources:
ListCoverage:
- <InspectorV2.ListCoverage> # NextToken is prohibited. MaxResults should be in range [1-200].
aws_inspector2_findings:
ListFindings:
- <InspectorV2.ListFindings> # NextToken is prohibited.
aws_rds_clusters:
DescribeDBClusters:
- <RDS.DescribeDBClusters> # Marker is prohibited. MaxRecords should be in range [20-100].
aws_rds_engine_versions:
DescribeDBEngineVersions:
- <RDS.DescribeDBEngineVersions> # Marker is prohibited. MaxRecords should be in range [20-100].
aws_rds_global_clusters:
DescribeGlobalClusters:
- <RDS.DescribeGlobalClusters> # Marker is prohibited. MaxRecords should be in range [20-100].
aws_rds_instances:
# Marker is prohibited. MaxRecords should be in range [20-100].
- DescribeDBInstances: <RDS.DescribeDBInstances>
# NextToken, ServiceType and Identifier are prohibited.
# StartTime, EndTime and MetricQueries are required.
# MaxResults should be in range [1-25]. PeriodInSeconds should be in range [1-86400].
GetResourceMetrics: <PI.GetResourceMetrics>
aws_route53_hosted_zones:
ListHostedZones:
# NextToken, DelegationSetId and HostedZoneType are prohibited. MaxResults should be in range [1-100].
- <Route53.GetHostedZone>
aws_securityhub_findings:
GetFindings:
- <SecurityHub.GetFindings> # NextToken is prohibited. MaxResults should be in range [1-100].
aws_servicequotas_services:
- ListServices: <ServiceQuota.ListServices> # NextToken is prohibited. MaxResults should be in range [1-100].
ListServiceQuotas:
- <ServiceQuota.ListServiceQuotas>
aws_ssm_sessions:
DescribeSessions:
- <SSM.DescribeSessions> # NextToken is prohibited. MaxResults should be in range [1-200].
aws_ssm_inventory_entries:
ListInventoryEntries:
# NextToken is prohibited. MaxResults should be in range [1-50].
# InstanceId and TypeName are required.
- <SSM.ListInventoryEntries>
Table Options section of each table in the AWS plugin tables documentation.${time:} substitution will result in incremental syncs performing a full sync on each attempt.tables: ["*"] to specify the set of tables to sync then in minor versions new resources that might require additional IAM permissions might result in errors being raised.alpha.
This indicates that future minor versions might change, break or remove functionality.
This enables the CloudQuery team to release functionality prior to it being fully stable so that the community can give feedback.
Once a feature is released as Generally Available then all of the above rules for semantic versioning will apply.Preview:aws_alpha_table_options feature