
AWS Policies

With AWS Policies, you can use CloudQuery to automatically check the compliance and security of AWS-based cloud resources. It currently covers AWS CIS and PCI DSS, with more to come.

$ cloudquery policy run aws
Category
compliance
Version
v0.1.13
License
MPL-2.0

aws_publicly_available_public-ips_API-Gateway-V2.sql

aws_publicly_available_public-ips_API-Gateways.sql

aws_publicly_available_public-ips_CloudFront-Distributions.sql

aws_publicly_available_public-ips_EC2-Public-Ips.sql

aws_publicly_available_public-ips_ELB-Classic.sql

aws_publicly_available_public-ips_ELB-V2.sql

aws_publicly_available_public-ips_RDS.sql

aws_publicly_available_public-ips_Redshift.sql

queries_acm_certificates_should_be_renewed.sql

queries_apigateway_api_gw_associated_with_waf.sql

queries_apigateway_api_gw_cache_encrypted.sql

queries_apigateway_api_gw_execution_logging_enabled.sql

queries_apigateway_api_gw_ssl_enabled.sql

queries_apigateway_api_gw_xray_enabled.sql

queries_autoscaling_autoscaling_groups_elb_check.sql

queries_cloudfront_access_logs_enabled.sql

queries_cloudfront_associated_with_waf.sql

queries_cloudfront_default_root_object_configured.sql

queries_cloudfront_origin_access_identity_enabled.sql

queries_cloudfront_origin_failover_enabled.sql

queries_cloudfront_viewer_policy_https.sql

queries_cloudtrail_bucket_access_logging.sql

queries_cloudtrail_enabled_in_all_regions.sql

queries_cloudtrail_integrated_with_cloudwatch_logs.sql

queries_cloudtrail_log_file_validation_enabled.sql

queries_cloudtrail_logs_encrypted.sql

queries_cloudwatch_alarm_aws_config_changes.sql

queries_cloudwatch_alarm_cloudtrail_config_changes.sql

queries_cloudwatch_alarm_console_auth_failure.sql

queries_cloudwatch_alarm_delete_customer_cmk.sql

queries_cloudwatch_alarm_iam_policy_change.sql

queries_cloudwatch_alarm_nacl_changes.sql

queries_cloudwatch_alarm_network_gateways.sql

queries_cloudwatch_alarm_root_account.sql

queries_cloudwatch_alarm_route_table_changes.sql

queries_cloudwatch_alarm_s3_bucket_policy_change.sql

queries_cloudwatch_alarm_security_group_changes.sql

queries_cloudwatch_alarm_unauthorized_api.sql

queries_cloudwatch_alarm_vpc_changes.sql

queries_codebuild_check_environment_variables.sql

queries_codebuild_check_oauth_usage_for_sources.sql

queries_config_enabled_all_regions.sql

queries_dms_replication_not_public.sql

queries_dynamodb_autoscale_or_ondemand.sql

queries_dynamodb_dax_encrypted_at_rest.sql

queries_dynamodb_point_in_time_recovery.sql

queries_ec2_default_sg_no_access.sql

queries_ec2_ebs_encryption_by_default_disabled.sql

queries_ec2_ebs_snapshot_permissions_check.sql

queries_ec2_flow_logs_enabled_in_all_vpcs.sql

queries_ec2_get_unused_public_ips.sql

queries_ec2_instances_with_more_than_2_network_interfaces.sql

queries_ec2_instances_with_public_ip.sql

queries_ec2_no_broad_public_ingress_on_port_22.sql

queries_ec2_no_broad_public_ingress_on_port_3389.sql

queries_ec2_not_imdsv2_instances.sql

queries_ec2_public_egress_sg_and_routing_instances.sql

queries_ec2_public_egress_sg_instances.sql

queries_ec2_security_groups_with_access_to_unauthorized_ports.sql

queries_ec2_security_groups_with_open_critical_ports.sql

queries_ec2_stopped_more_thant_30_days_ago_instances.sql

queries_ec2_subnets_that_assign_public_ips.sql

queries_ec2_unencrypted_ebs_volumes.sql

queries_ec2_unused_acls.sql

queries_ec2_vpcs_without_ec2_endpoint.sql

queries_ecs_ecs_services_with_public_ips.sql

queries_ecs_task_definitions_secure_networking.sql

queries_efs_efs_filesystems_with_disabled_backups.sql

queries_efs_unencrypted_efs_filesystems.sql

queries_elasticbeanstalk_advanced_health_reporting_enabled.sql

queries_elasticbeanstalk_elastic_beanstalk_managed_updates_enabled.sql

queries_elasticsearch_connections_to_elasticsearch_domains_should_be_encrypted_using_tls_1_2.sql

queries_elasticsearch_elasticsearch_domain_error_logging_to_cloudwatch_logs_should_be_enabled.sql

queries_elasticsearch_elasticsearch_domains_should_be_configured_with_at_least_three_dedicated_master_nodes.sql

queries_elasticsearch_elasticsearch_domains_should_be_in_vpc.sql

queries_elasticsearch_elasticsearch_domains_should_encrypt_data_sent_between_nodes.sql

queries_elasticsearch_elasticsearch_domains_should_have_at_least_three_data_nodes.sql

queries_elasticsearch_elasticsearch_domains_should_have_audit_logging_enabled.sql

queries_elasticsearch_elasticsearch_domains_should_have_encryption_at_rest_enabled.sql

queries_elb_alb_deletion_protection_enabled.sql

queries_elb_alb_drop_http_headers.sql

queries_elb_alb_logging_enabled.sql

queries_elb_elbv1_cert_provided_by_acm.sql

queries_elb_elbv1_conn_draining_enabled.sql

queries_elb_elbv1_https_or_tls.sql

queries_elb_elbv1_https_predefined_policy.sql

queries_elb_elbv2_redirect_http_to_https.sql

queries_emr_emr_cluster_master_nodes_should_not_have_public_ip_addresses.sql

queries_guardduty_detector_enabled.sql

queries_iam_avoid_root_usage.sql

queries_iam_hardware_mfa_enabled_for_root.sql

queries_iam_iam_access_keys_rotated_more_than_90_days.sql

queries_iam_iam_access_keys_unused_more_than_90_days.sql

queries_iam_mfa_enabled_for_console_access.sql

queries_iam_mfa_enabled_for_root.sql

queries_iam_no_star.sql

queries_iam_old_access_keys.sql

queries_iam_password_policy_min_length.sql

queries_iam_password_policy_min_lowercase.sql

queries_iam_password_policy_min_number.sql

queries_iam_password_policy_min_one_symbol.sql

queries_iam_password_policy_min_uppercase.sql

queries_iam_password_policy_prevent_reuse.sql

queries_iam_password_policy_strong.sql

queries_iam_policies_attached_to_groups_roles.sql

queries_iam_policies_with_admin_rights.sql

queries_iam_root_user_no_access_keys.sql

queries_iam_unused_creds_disabled.sql

queries_iam_wildcard_access_policies.sql

queries_kms_cmk_not_scheduled_for_deletion.sql

queries_kms_customer_policy_blocked_kms_actions.sql

queries_kms_inline_policy_blocked_kms_actions.sql

queries_kms_rotation_enabled_for_customer_key.sql

queries_lambda_functions_with_public_egress.sql

queries_lambda_lambda_function_in_vpc.sql

queries_lambda_lambda_function_prohibit_public_access.sql

queries_lambda_lambda_functions_should_use_supported_runtimes.sql

queries_rds_amazon_aurora_clusters_should_have_backtracking_enabled.sql

queries_rds_database_logging_should_be_enabled.sql

queries_rds_enhanced_monitoring_should_be_configured_for_rds_db_instances_and_clusters.sql

queries_rds_iam_authentication_should_be_configured_for_rds_clusters.sql

queries_rds_iam_authentication_should_be_configured_for_rds_instances.sql

queries_rds_rds_automatic_minor_version_upgrades_should_be_enabled.sql

queries_rds_rds_cluster_snapshots_and_database_snapshots_should_be_encrypted_at_rest.sql

queries_rds_rds_clusters_should_have_deletion_protection_enabled.sql

queries_rds_rds_databases_and_clusters_should_not_use_a_database_engine_default_port.sql

queries_rds_rds_db_clusters_should_be_configured_for_multiple_availability_zones.sql

queries_rds_rds_db_clusters_should_be_configured_to_copy_tags_to_snapshots.sql

queries_rds_rds_db_instances_should_be_configured_to_copy_tags_to_snapshots.sql

queries_rds_rds_db_instances_should_be_configured_with_multiple_availability_zones.sql

queries_rds_rds_db_instances_should_have_deletion_protection_enabled.sql

queries_rds_rds_db_instances_should_have_encryption_at_rest_enabled.sql

queries_rds_rds_db_instances_should_prohibit_public_access.sql

queries_rds_rds_event_notifications_subscription_should_be_configured_for_critical_cluster_events.sql

queries_rds_rds_event_notifications_subscription_should_be_configured_for_critical_database_instance_events.sql

queries_rds_rds_event_notifications_subscription_should_be_configured_for_critical_database_parameter_group_events.sql

queries_rds_rds_event_notifications_subscription_should_be_configured_for_critical_database_security_group_events.sql

queries_rds_rds_instances_should_be_deployed_in_a_vpc.sql

queries_rds_snapshots_should_prohibit_public_access.sql

queries_redshift_cluster_publicly_accessible.sql

queries_redshift_clusters_should_be_encrypted_in_transit.sql

queries_redshift_clusters_should_have_audit_logging_enabled.sql

queries_redshift_clusters_should_have_automatic_snapshots_enabled.sql

queries_redshift_clusters_should_have_automatic_upgrades_to_major_versions_enabled.sql

queries_redshift_clusters_should_use_enhanced_vpc_routing.sql

queries_s3_account_level_public_access_blocks.sql

queries_s3_deny_http_requests.sql

queries_s3_publicly_readable_buckets.sql

queries_s3_publicly_writable_buckets.sql

queries_s3_restrict_cross_account_actions.sql

queries_s3_s3_cross_region_replication.sql

queries_s3_s3_server_side_encryption_enabled.sql

queries_sagemaker_sagemaker_notebook_instance_direct_internet_access_disabled.sql

queries_secretsmanager_remove_unused_secrets_manager_secrets.sql

queries_secretsmanager_secrets_configured_with_automatic_rotation_should_rotate_successfully.sql

queries_secretsmanager_secrets_should_be_rotated_within_a_specified_number_of_days.sql

queries_secretsmanager_secrets_should_have_automatic_rotation_enabled.sql

queries_sns_sns_topics_should_be_encrypted_at_rest_using_aws_kms.sql

queries_sqs_sqs_queues_should_be_encrypted_at_rest_using_aws_kms.sql

queries_ssm_documents_should_not_be_public.sql

queries_ssm_ec2_instances_should_be_managed_by_ssm.sql

queries_ssm_instances_should_have_association_compliance_status_of_compliant.sql

queries_ssm_instances_should_have_patch_compliance_status_of_compliant.sql

queries_waf_waf_web_acl_logging_should_be_enabled.sql

queries_wafv2_wafv2_web_acl_logging_should_be_enabled.sql

Query

-- Inventory of API Gateway V2 APIs: one row per API, with the account and
-- region it lives in and the endpoint it exposes. Presumably the query behind
-- aws_publicly_available_public-ips_API-Gateway-V2.sql in the listing above
-- (to confirm). No filter is applied, so every API is returned; rows come
-- back in no particular order.
SELECT
    account_id,
    region,
    api_endpoint
FROM aws_apigatewayv2_apis;