AWS Provider

The CloudQuery AWS provider pulls configuration from AWS resources, normalizes it, and stores it in a PostgreSQL database.


cloudquery init aws


To authenticate cloudquery with your AWS account you can use any of the following options (see full documentation at AWS SDK V2):

  • Shared configuration files (via aws configure).
    • The SDK defaults to the credentials file in the .aws folder in your home folder.
    • The SDK defaults to the config file in the .aws folder in your home folder.
  • If your application uses an ECS task definition or RunTask API operation, IAM role for tasks.
  • If your application is running on an Amazon EC2 instance, IAM role for Amazon EC2.


The following configuration section can be automatically generated by cloudquery init aws:

provider "aws" {
  configuration {
    // Optional. If you want to assume a role in multiple accounts and fetch data from them
    // accounts "<YOUR ID>" {
    //   Optional. Role ARN we want to assume when accessing this account
    //   role_arn = <YOUR_ROLE_ARN>
    // }
    // Optional. By default assumes all regions
    // regions = ["us-east-1", "us-west-2"]
    // Optional. Enable AWS SDK debug logging.
    aws_debug = false
    // The maximum number of times that a request will be retried for failures. Defaults to 5 retry attempts.
    // max_retries = 5
    // The maximum back off delay between attempts. The backoff delays exponentially with a jitter based on the number of attempts. Defaults to 60 seconds.
    // max_backoff = 30
  }
}

By default cloudquery will fetch all configuration from all resources in all regions in the default account. You can change this behaviour with the following arguments:

  • accounts (Optional) - Specify multiple accounts to fetch data from concurrently and then query across them. The default configured account should be able to AssumeRole into the specified accounts.
  • regions (Optional) - limit fetching to specific regions.

Query Examples

Find all public facing load balancers

SELECT * FROM aws_elbv2_load_balancers WHERE scheme = 'internet-facing';

Find all unencrypted RDS instances

SELECT * FROM aws_rds_clusters WHERE storage_encrypted = false;

Find all unencrypted buckets

SELECT * FROM aws_rds_clusters WHERE storage_encrypted = false;
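
When several accounts are configured, the load balancer and RDS findings above can be summarized per account and region in one query. This is an added example, not part of the original page or the CloudQuery project; it assumes both tables carry account_id and region columns (not shown on this page) and that storage_encrypted is a boolean column.

```sql
-- Added example: count the two findings above per account and region.
-- Assumption: account_id and region columns exist on both tables.
-- Assumption: storage_encrypted is boolean; IS NOT TRUE also counts
-- rows where the flag is NULL, so missing data is reviewed rather than hidden.
SELECT account_id,
       region,
       'internet-facing load balancer' AS finding,
       count(*) AS resources
FROM aws_elbv2_load_balancers
WHERE scheme = 'internet-facing'
GROUP BY account_id, region

UNION ALL

SELECT account_id,
       region,
       'unencrypted RDS cluster' AS finding,
       count(*) AS resources
FROM aws_rds_clusters
WHERE storage_encrypted IS NOT TRUE
GROUP BY account_id, region

-- The ORDER BY applies to the combined result of both SELECTs.
ORDER BY account_id, region, finding;
```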


Published at

Mon Sep 13 2021
