AWS Provider

The CloudQuery AWS provider extracts and transforms your AWS cloud assets configuration into PostgreSQL.

This provider also supports additional capabilities:

Install

cloudquery init aws

Authentication

To authenticate CloudQuery with your AWS account you can use any of the following options (see full documentation at AWS SDK V2):

  • Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE
  • Shared configuration files (via aws configure).
    • The SDK defaults to the credentials file in the .aws folder of your home directory.
    • The SDK defaults to the config file in the .aws folder of your home directory.
  • The IAM role attached to the instance, if CloudQuery is running on an Amazon EC2 instance.

Configuration

The following configuration section can be automatically generated by cloudquery init aws:

provider "aws" {
  configuration {
    // Optional. if you want to assume role to multiple account and fetch data from them
    //accounts "<YOUR ID>" {
    //  // Optional. Role ARN we want to assume when accessing this account
    //  role_arn = "<YOUR_ROLE_ARN>"
    //}
    // Optional. by default assumes all regions
    // regions = ["us-east-1", "us-west-2"]
    // Optional. Enable AWS SDK debug logging.
    aws_debug = false
    // The maximum number of times that a request will be retried for failures. Defaults to 5 retry attempts.
    // max_retries = 5
    // The maximum back off delay between attempts. The backoff delays exponentially with a jitter based on the number of attempts. Defaults to 60 seconds.
    // max_backoff = 30
  }
  resources = ["*"]
}

By default cloudquery fetches the configuration of all resources in all regions of the default account. You can change this behaviour with the following arguments:

Arguments

  • accounts (Optional) - Specify multiple accounts to fetch data from concurrently and then query across accounts. The default configured account must be able to AssumeRole into each of the specified accounts.
  • regions (Optional) - limit fetching to specific regions.
  • max_retries (Optional) - The maximum number of times that a request will be retried for failures. Defaults to 5 retry attempts.
  • max_backoff (Optional) - The maximum back off delay between attempts. The backoff delays exponentially with a jitter based on the number of attempts. Defaults to 60 seconds.
  • aws_debug (Optional) - Prints very verbose debug output from the AWS SDK. Defaults to false.

Assume Role

CloudQuery can fetch from multiple accounts in parallel by using AssumeRole (you will need to use credentials that can AssumeRole into every specified account). The following is an example configuration:

provider "aws" {
  configuration {
    // Optional. if you want to assume role to multiple account and fetch data from them
    accounts "<AccountID_1>" {
      // Optional. Role ARN we want to assume when accessing this account
      role_arn = "<YOUR_ROLE_ARN_1>"
    }
    accounts "<AccountID_2>" {
      // Optional. Role ARN we want to assume when accessing this account
      role_arn = "<YOUR_ROLE_ARN_2>"
    }
  }
  resources = ["*"]
}

Query Examples

Find all public facing load balancers

SELECT * FROM aws_elbv2_load_balancers WHERE scheme = 'internet-facing';

Find all unencrypted RDS instances

-- storage_encrypted is a boolean column, so compare against false rather than 0
SELECT * FROM aws_rds_clusters WHERE storage_encrypted = false;

Find all unencrypted buckets

-- The original line repeated the RDS query; buckets with no server-side encryption rule are found by
-- looking for buckets without a row in the encryption-rules relation. Table and column names are assumed
-- from the provider's S3 schema; check them against the version you have installed.
SELECT b.*
FROM aws_s3_buckets b
LEFT JOIN aws_s3_bucket_encryption_rules r ON r.bucket_cq_id = b.cq_id
WHERE r.bucket_cq_id IS NULL;

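The point of fetching several accounts via AssumeRole is to answer questions across all of them at once. The query below is an added example, not one from the provider's documentation; it combines the two checks above into one per-account, per-region report. It assumes the account_id and region columns that CloudQuery adds to its AWS tables.

```sql
-- Added example: count internet-facing load balancers and unencrypted RDS clusters
-- per account and region across everything fetched into PostgreSQL.
-- Assumes account_id and region columns on both tables (assumption, not from the page).
WITH findings AS (
  SELECT account_id, region, 'internet_facing_elbv2' AS finding
  FROM aws_elbv2_load_balancers
  WHERE scheme = 'internet-facing'
  UNION ALL
  SELECT account_id, region, 'unencrypted_rds_cluster' AS finding
  FROM aws_rds_clusters
  WHERE storage_encrypted = false
)
SELECT account_id, region, finding, COUNT(*) AS hits
FROM findings
GROUP BY account_id, region, finding
ORDER BY hits DESC, account_id, region, finding;
```

Accounts configured in the accounts blocks but missing from the result either have no findings or were not fetched, so compare the distinct account_id values with your configuration before trusting a clean report.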
Version

v0.7.0

License

MPL-2.0

Published at

Mon Nov 29 2021