Resource Query Language (RQL) is a unified tool that facilitates you to gain information about your cloud resources. You can use RQL to investigate resource information, identify misconfigurations, compliance violations, cloud identity, password management policies, etc, in your cloud environment. For example, you can find answers to the following questions:
- Do I have IAM users with MFA disabled?
- Do I have Security Groups that are directly accessible from the internet?
- Who uses a root account to manage day-to-day administrative activities on my network?
To investigate configuration issues, use the RQL query in the search box on the Investigate tab of the Cloud Safe web application console.
1. RQL Query Structure
FROM <api-name> WHERE <conditions>;
A RQL query contains two keywords FROM and WHERE as in a basic SQL query and two components <api-name> and <conditions>.
- api-name
AWS, Azure and GCP provide many APIs for users to gain insights and manage your cloud services without logging the web application console.
After FROM keyword, you can use these APIs name to represent cloud resources data and you can search or filter data from these sources. The data and its structure is identical to which you receive when calling these APIs directly from cloud providers’ APIs. List of supported cloud APIs are shown in Section 6. For example, you can list Virtual Machines on Azure:
FROM "az-vm-list";
conditions
SoraTrust ingests API data in the JSON format.
After WHERE keyword, you can add several conditions to narrow your search criteria and get more specific filter on your cloud resources. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.
For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:
FROM "az-vm-list" WHERE
(properties.osProfile.linuxConfiguration.disablePasswordAuthentication is true);
2. RQL Operators
RQL Operators are symbols or keywords that you can use to compare two sides in RQL <conditions>. List of RQL operators is shown below:
Operator | Description | RQL Example |
> | The left-hand side is greater than the right-hand side | FROM “aws-iam-get-account-password-policy” AND WHERE maxPasswordAge > 20 |
< | The left-hand side is lower than the right-hand side | FROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge < 100 |
== | The left-hand side is equal to the right-hand side | FROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge == 90 |
!= | The left-hand side is not equal to the right-hand side | FROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge != 90 |
starts with | The left-hand side must be a string and start with right-hand side. | FROM “aws-iam-list-users” WHERE userName starts with y |
not start with | Left-hand side must be a string and not start with right-hand side. | FROM “aws-iam-list-users” WHERE userName not start with y |
contains | The left-hand side contains the right-hand side. | FROM “azure-network-nsg-list” AND WHERE defaultSecurityRules[*].direction contains outbound |
not contain | The left-hand side does not contain the right-hand side. | FROM “azure-vm-list” WHERE powerState not contain allocated |
is empty | The left-hand side must be a string and be empty. | FROM “aws-ec2-describe-instances” WHERE publicIpAddress is empty |
is not empty | The left-hand side must be a string and not be empty. | FROM “aws-ec2-describe-instances” WHERE publicIpAddress is not empty |
exists | The left-hand side must be existed (not a null string or empty array). | FROM “aws-ec2-describe-network-interfaces” WHERE association.publicIp exists |
not exist | The left-hand side must not be existed (a null string or empty array). | FROM “gcloud-compute-instances-list” WHERE metadata.kind not exist |
@ | @ is expression used to filter arrays. @ represents the current item being processed. It is used to hold in on a particular block in the json object so that you are only matching that block and no others. | FROM “aws-ec2-describe-security-groups” WHERE ipPermissions[(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0 |
&& | AND operator (use with @ operator) | FROM “aws-s3api-get-bucket-acl” WHERE policy.Statement exists and policy.Statement(@.Action == s3:ListBucket && @.Effect == Allow)].Principal = * |
|| | OR operator (use with @ operator) | FROM “aws-s3api-get-bucket-acl” WHERE policy.Statement exists and policy.Statement[(@.Effect == Allow || @.Action == s3:ListBucket && @.Effect == Allow)].Principal contains * |
null | The left-hand side is null (a null string or an empty array) | FROM “aws-ec2-describe-instances” WHERE vpcId is null |
not null | The left-hand side is not null (a null string or an empty array) | FROM “aws-ec2-describe-instances” WHERE vpcId is not null |
in | The left-hand side is one of the right-hand side values | FROM "aws-s3api-get-bucket-acl" WHERE grants[*].permission IN ("READ","WRITE","READ_ACP","WRITE_ACP") |
not in | The left-hand side is not one of the right-hand side values | FROM "aws-s3api-get-bucket-acl" WHERE grants[*].permission NOT IN ("READ","WRITE","READ_ACP","WRITE_ACP") |
join - output | To correlate data from two different API | FROM "aws-kinesis-describe-stream" WHERE keyId is not null as X; FROM "aws-kms-list-aliases" WHERE aliasName == "alias/aws/kinesis" as Y; JOIN X.keyId contains Y.targetKeyId; OUTPUT X; |
3. RQL function
RQL Functions are keywords that you can use in RQL <conditions>. List of RQL functions is shown below:
Function | Description | RQL Example |
CountDaysToNow | Return number of days from a specific time to now | FROM "aws-iam-get-credential-report" WHERE DateTime.CountDaysToNow(passwordLastUsed) > 90; |
CountHoursToNow | Return number of hours from a specific time to now | FROM "aws-iam-list-ssh-public-keys" WHERE (DateTime. CountHoursToNow (uploadDate) > 91) and (status.value == Active); |
CountMinutesToNow | Return number of minutes from a specific time to now | |
CountSecondsToNow | Return number of seconds from a specific time to now |
4. RQL Query examples
Use this section for some examples that show you how to use Config Query Attributes in RQL for investigating issues on each cloud platform:
AWS Examples
DESCRIPTION | SoraTrust RQL |
View users who enabled console access with both access keys and passwords | FROM "aws-iam-get-credential-report" WHERE (passwordEnabled == true) and (accessKey1Active == true or accessKey2Active == true); |
View EBS volumes are not encrypted | FROM "aws-ec2-describe-volumes" WHERE(encrypted == false); |
View ACM certificates will be expired in 30 days or less | FROM "aws-acm-describe-certificate" WHERE (DateTime.CountDaysToNow(notAfter) > -31); |
View CloudFront distributions that have origin protocol policy does not enforce HTTPS only | FROM "aws-cloudfront-get-distribution" WHERE(origins.items[@.customOriginConfig is not null].customOriginConfig.originProtocolPolicy.value != https-only); |
View default Security Groups does not restrict all traffic | FROM "aws-ec2-describe-security-groups" WHERE (groupName == default) and ((ipPermissions[*].ipv4Ranges[*].cidrIp contains 0.0.0.0/0) or (ipPermissionsEgress[*].ipv4Ranges[*].cidrIp contains 0.0.0.0/0) or (ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissionsEgress[*].ipv6Ranges[*].cidrIpv6 contains ::/0)); |
Azure Examples
Description | SoraTrust RQL Query |
View SQL databases have auditing set to off | FROM "az-sql-db" WHERE (auditingSettings[*].properties.state == Disabled or auditingSettings[*] not exist); |
View App Service web applications have authentication is off | FROM "az-webapp" AND WHERE (config.properties.siteAuthEnabled == false); |
View Key Vaults are not recoverable | FROM "az-keyvault-list" WHERE (properties.enableSoftDelete not exist or properties.enablePurgeProtection not exist); |
View Network Security Groups allow SSH traffic from internet | FROM "az-network-nsg-list" WHERE properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRange contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRange contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRanges contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRanges contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRange contains "*" or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRange contains "*"; |
Check Security Center JIT network access monitoring is set to disabled | FROM "az-policy-assignments" WHERE (name == SecurityCenterBuiltIn and properties.parameters.jitNetworkAccessMonitoringEffect.value == Disabled) or (name == SecurityCenterBuiltIn and properties.parameters is null and properties.displayName not start with "ASC Default"); |
GCP Examples
Description | SoraTrust RQL Query |
Check if Deletion Protection feature is enabled for VM Instances or not | FROM "gcloud-compute-instances-describe" WHERE deletionProtection== false |
Check if network traffic egress metering is enabled in GCP Kubernetes Engine Clusters or not | FROM "gcloud-container-clusters-describe" WHERE (resourceUsageExportConfig.enableNetworkEgressMetering not exist) or (resourceUsageExportConfig.enableNetworkEgressMetering is false); |
Check if GCP Storage buckets are publicly accessible to all users or not | FROM "gcloud-storage-iam-get" WHERE bindings[*].members[*] contains allUsers; |
Check if Inbound rules allows unrestricted access (ICMP) or not | FROM "gcloud-compute-firewall-rules-list" WHERE disabled == false and direction == INGRESS and sourceRanges == 0.0.0.0/0 and allowed[*].IPProtocol == icmp |
Check if Cloud SQL Database Instances are publicly accessible or not | FROM "gcloud-sql-instances-describe" WHERE settings.ipConfiguration.authorizedNetworks[*].value contains "0.0.0.0/0" or settings.ipConfiguration.authorizedNetworks[*].value contains "::/0" ; |
5. API ingested by Cloud Safe
Service | API |
API Gateway | aws-apigateway-get-stages |
AWS Certificate Manager | aws-acm-describe-certificate |
Amazon Elastic Container Service | aws-ecs-describe-clusters aws-ecs-list-task-definitions aws-ecs-describe-task-definition |
AWS CloudFormation | aws-cloudformation-describe-stacks |
AWS CloudFront | aws-cloudfront-list-distributions aws-cloudfront-get-distribution aws-cloudfront-describe-stacks |
AWS CloudTrail | aws-cloudtrail-describe-trails aws-cloudtrail-get-event-selectors aws-cloudtrail-get-trail-status |
AWS CloudWatch | aws-cloudwatch-get-metric-statistics |
Amazon EC2 | aws-ec2-describe-instances aws-ec2-describe-security-groups aws-ec2-describe-vpn-gateways aws-ec2-describe-vpn-gateways-summary aws-ec2-describe-route-tables aws-ec2-describe-snapshots aws-ec2-describe-snapshot-attribute aws-ec2-describe-vpcs aws-ec2-describe-volumes aws-ec2-describe-images aws-ec2-describe-network-acls aws-ec2-describe-subnets aws-ec2-describe-nat-gateways aws-ec2-describe-addresses aws-ec2-describe-reserved-instances |
AWS Config | aws-configservice-describe-configuration-recorders aws-configservice-describe-delivery-channel-status aws-configservice-describe-configuration-recorder-status |
Amazon DynamoDB | aws-dynamodb-describe-table |
Amazon Elastic Container Registry (ECR) | aws-ecr-get-repository-policy aws-ecr-describe-repositories |
AWS Elastic File System (EFS) | aws-describe-mount-targets aws-efs-describe-file-systems |
Amazon Elastic Container Service for Kubernetes (EKS) | aws-eks-describe-cluster |
ElastiCache | aws-elasticache-cache-clusters aws-elasticache-describe-replication-groups aws-elasticache-reserved-cache-nodes |
Amazon Elastic Load Balancing | aws-elb-describe-load-balancers aws-elb-describe-load-balancer-policies aws-elb-describe-load-balancer-attributes aws-elbv2-describe-load-balancers aws-elbv2-describe-load-balancer-attributes aws-elbv2-describe-listeners |
Amazon ElasticSearch Service | aws-es-describe-elasticsearch-domain aws-es-describe-elasticsearch-domain-config aws-es-describe-reserved-elasticsearch-instances |
Amazon Elastic MapReduce (EMR) | aws-emr-describe-cluster |
AWS Identity and Access Management (IAM) | aws-iam-list-users aws-iam-get-policy-version aws-iam-list-ssh-public-keys aws-iam-list-attached-user-policies aws-iam-list-attached-group-policies aws-iam-list-attached-role-policies aws-iam-list-groups aws-iam-list-roles aws-iam-list-policies aws-iam-list-access-keys aws-iam-get-account-summary aws-iam-list-server-certificates aws-iam-get-credential-report aws-iam-list-mfa-devices aws-iam-list-virtual-mfa-devices aws-iam-list-user-policies aws-iam-list-entities-for-policy aws-iam-get-account-password-policy |
AWS Key Management Service (KMS) | aws-kms-get-key-rotation-status aws-kms-describe-key |
Amazon Kinesis | aws-kinesis-list-streams |
AWS Lambda | aws-lambda-list-functions aws-lambda-get-account-settings aws-lambda-get-region-summary |
Amazon Relational Database Service (RDS) | aws-rds-describe-db-instances aws-rds-describe-db-clusters aws-rds-describe-db-snapshots aws-rds-describe-db-snapshot-attributes aws-rds-describe-event-subscriptions aws-rds-describe-reserved-db-instances |
Amazon RedShift | aws-redshift-describe-clusters aws-redshift-describe-logging-status aws-redshift-describe-cluster-parameters aws-redshift-describe-reserved-nodes |
AWS Route53 | aws-route53-list-hosted-zones |
AWS Systems Manager | aws-ssm-parameters |
Amazon S3 | aws-s3api-get-bucket-acl aws-s3api-list-buckets aws-s3api-get-bucket-encryption aws-s3api-get-bucket-logging aws-s3api-get-bucket-website aws-s3api-get-bucket-versioning aws-s3api-get-bucket-policy |
Amazon Simple Notification Service (SNS) | aws-sns-list-subscriptions aws-sns-get-subscription-attributes aws-sns-list-topics aws-sns-get-topic-attributes |
Amazon Simple Queue Service (SQS) | aws-sqs-get-queue-attributes |
Service | API |
Azure Kubernetes Service (AKS) | az-aks-list The API contains value of: Private Link Resources - ListPrivate Endpoint Connections - List |
Azure Web Apps | az-webapp The API contains value of: az webapp listaz webapp config list |
Azure Authorization | az-policy-assignments The API contains value of: az policy assignment list az-role-definition-list az-role-assignment-list |
Azure Compute | az-vm-list The API contains value of: az vm listaz vm extension list az-disk-list az-vm-availability-set-list az-disk-encryption-set-list az-image-list az-snapshot-list az-ssh-public-key-list |
Azure Container Registry | az-acr The API contains value of: az acr listaz acr webhook list |
Azure Key Vault | az-keyvault-list az-keyvault-secret-list az-keyvault-certificate-list az-keyvault-key-list |
Azure Monitor Service | az-monitor-log-profiles-list |
Azure Network | az-network-nsg-list az-network-application-gateway-list az-network-firewall-policy-list az-network-nic-list az-network-vnet-subnet-list az-network-vpn-gateway-list az-network-vnet-list az-network-ip-group-list az-network-ip-allocation-list az-network-nat-gateway-list az-network-private-endpoint-list az-network-public-ip-list az-network-public-ip-prefix-list az-network-route-table-list az-network-route-table-route-list az-network-vnet-peering-list az-network-asg-list az-network-bastion-list az-network-firewall-list az-network-dns-zone-list az-network-private-dns-zone-list az-network-private-dns-link-vnet-list |
Azure Database for PostgreSQL | az-postgres-server The API contains value of: az postgres server listaz postgres server configuration list |
Azure Resource Management | az-group The API contains value of: az group list az lock list |
Azure Security Center | az-security The API contains value of: az security setting list az security contact listaz security auto-provisioning-setting listaz security pricing list |
Azure SQL | az-sql-server The API contains value of: az sql server list az sql server tde-key show az sql server ad-admin listaz sql server audit-policy showGet-AzSqlServerThreatDetectionPolicy az-sql-database The API contains value of: az sql db listaz sql db threat-policy showaz sql db audit-policy showaz sql db tde show |
Azure Storage Accounts | az-storage-account-list The API contains value of: az storage account listaz storage account encryption-scope list |
Azure SQL VM | az-sql-vm -list |
Azure Load Balancer | az-load-balancer-list az-network-lb-inbound-nat-rule-list az-network-lb-frontend-ip-list az-network-lb-address-pool-list az-network-lb-rule-list az-network-lb-outbound-rule-list az-network-lb-probe-list |
Azure Blueprint | az-blueprint-list az-blueprint-artifact-list az-blueprint-assignment-list az-blueprint-version-list |
Service | API |
BigQuery | gcloud-bigquery-dataset-get |
Cloud Load Balancing | gcloud compute ssl-policies describe gcloud compute target-https-proxies describe |
Cloud SQL | gcloud-sql-instances-describe gcloud compute firewall-rules list gcloud-sql-instances-list gcloud-storage-versioning-get gcloud-storage-logging-get |
Cloud Storage | gcloud-storage-iam-get gcloud-storage-uniformbucketlevelaccess-get gcloud-storage-buckets-list |
Cloud Key Management Service (KMS) | gcloud kms keys get-iam-policy gcloud kms keys describe |
Compute Engine | gcloud compute instances describe gcloud compute disks describe |
IAM | gcloud iam service-accounts keys list gcloud projects get-iam-policy |
VPC | gcloud dns managed-zones describe gcloud compute firewall-rules list gcloud compute networks list gcloud compute networks subnets list |
DNS | gcloud dns managed-zones describe |
GCP Kubernetes Engine Clusters | gcloud container clusters describe |