Cloud Safe – RQL Reference

Resource Query Language (RQL) is a unified tool that facilitates you to gain information about your cloud resources. You can use RQL to investigate resource information, identify misconfigurations, compliance violations, cloud identity, password management policies, etc, in your cloud environment. For example, you can find answers to the following questions:

  • Do I have IAM users with MFA disabled?
  • Do I have Security Groups that are directly accessible from the internet?
  • Who uses a root account to manage day-to-day administrative activities on my network?

To investigate configuration issues, use the RQL query in the search box on the Investigate tab of the Cloud Safe web application console.

1. RQL Query Structure

FROM <api-name> WHERE <conditions>;

A RQL query contains two keywords FROM and WHERE as in a basic SQL query and two components <api-name> and <conditions>.

  • api-name

AWS, Azure and GCP provide many APIs for users to gain insights and manage your cloud services without logging the web application console.

After FROM keyword, you can use these APIs name to represent cloud resources data and you can search or filter data from these sources. The data and its structure is identical to which you receive when calling these APIs directly from cloud providers’ APIs. List of supported cloud APIs are shown in Section 6. For example, you can list Virtual Machines on Azure:

FROM "az-vm-list";

conditions

SoraTrust ingests API data in the JSON format.

After WHERE keyword, you can add several conditions to narrow your search criteria and get more specific filter on your cloud resources. Because JSON has a nested structure, you can search for elements at the root level, inside the JSON tree, or in an array object.

For example, you can list all Azure Linux Virtual Machines where password authentication is disabled:

FROM "az-vm-list" WHERE

(properties.osProfile.linuxConfiguration.disablePasswordAuthentication is true);

2. RQL Operators

RQL Operators are symbols or keywords that you can use to compare two sides in RQL <conditions>. List of RQL operators is shown below:

OperatorDescriptionRQL Example
The left-hand side is greater than the right-hand sideFROM “aws-iam-get-account-password-policy” AND WHERE maxPasswordAge > 20
The left-hand side is lower than the right-hand sideFROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge < 100
==The left-hand side is equal to the right-hand sideFROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge == 90
!=The left-hand side is not equal to the right-hand sideFROM “aws-iam-get-account-password-policy” WHERE maxPasswordAge != 90
starts withThe left-hand side must be a string and start with right-hand side.FROM “aws-iam-list-users” WHERE userName starts with y
not start withLeft-hand side must be a string and not start with right-hand side.FROM “aws-iam-list-users” WHERE userName not start with y
containsThe left-hand side contains the right-hand side.FROM “azure-network-nsg-list” AND WHERE defaultSecurityRules[*].direction contains outbound
not containThe left-hand side does not contain the right-hand side.FROM “azure-vm-list” WHERE powerState not contain allocated
is emptyThe left-hand side must be a string and be empty.FROM “aws-ec2-describe-instances” WHERE publicIpAddress is empty
is not emptyThe left-hand side must be a string and not be empty.FROM “aws-ec2-describe-instances” WHERE publicIpAddress is not empty
existsThe left-hand side must be existed (not a null string or empty array).FROM “aws-ec2-describe-network-interfaces” WHERE association.publicIp exists
not existThe left-hand side must not be existed (a null string or empty array).FROM “gcloud-compute-instances-list” WHERE metadata.kind not exist
@@ is expression used to filter arrays. @ represents the current item being processed. It is used to hold in on a particular block in the json object so that you are only matching that block and no others.  FROM “aws-ec2-describe-security-groups” WHERE ipPermissions[(@.fromPort==0)].ipRanges[*] contains 0.0.0.0/0
&&AND operator (use with @ operator)FROM “aws-s3api-get-bucket-acl” WHERE policy.Statement exists and policy.Statement(@.Action == s3:ListBucket && @.Effect == Allow)].Principal = *
||OR operator (use with @ operator)FROM “aws-s3api-get-bucket-acl” WHERE policy.Statement exists and policy.Statement[(@.Effect == Allow  || @.Action == s3:ListBucket && @.Effect == Allow)].Principal contains *
nullThe left-hand side is null (a null string or an empty array)FROM “aws-ec2-describe-instances” WHERE vpcId is null
not nullThe left-hand side is not null (a null string or an empty array)FROM “aws-ec2-describe-instances” WHERE vpcId is not null
inThe left-hand side is one of the right-hand side valuesFROM "aws-s3api-get-bucket-acl" WHERE grants[*].permission IN ("READ","WRITE","READ_ACP","WRITE_ACP")
not inThe left-hand side is not one of the right-hand side valuesFROM "aws-s3api-get-bucket-acl" WHERE grants[*].permission NOT IN ("READ","WRITE","READ_ACP","WRITE_ACP")
join - outputTo correlate data from two different APIFROM "aws-kinesis-describe-stream" WHERE keyId is not null as X; FROM "aws-kms-list-aliases" WHERE aliasName == "alias/aws/kinesis" as Y; JOIN X.keyId contains Y.targetKeyId; OUTPUT X;

3. RQL function

RQL Functions are keywords that you can use in RQL <conditions>. List of RQL functions is shown below:

FunctionDescriptionRQL Example
CountDaysToNowReturn number of days from a specific time to nowFROM "aws-iam-get-credential-report" WHERE DateTime.CountDaysToNow(passwordLastUsed) > 90;
CountHoursToNowReturn number of hours from a specific time to nowFROM "aws-iam-list-ssh-public-keys" WHERE (DateTime. CountHoursToNow (uploadDate) > 91) and (status.value == Active);
CountMinutesToNowReturn number of minutes from a specific time to now 
CountSecondsToNowReturn number of seconds from a specific time to now 

4. RQL Query examples

Use this section for some examples that show you how to use Config Query Attributes in RQL for investigating issues on each cloud platform:

AWS Examples

DESCRIPTIONSoraTrust RQL
View users who enabled console access with both access keys and passwordsFROM "aws-iam-get-credential-report" WHERE (passwordEnabled == true) and (accessKey1Active == true or accessKey2Active == true);
View EBS volumes are not encryptedFROM "aws-ec2-describe-volumes" WHERE(encrypted == false);
View ACM certificates will be expired in 30 days or lessFROM "aws-acm-describe-certificate" WHERE (DateTime.CountDaysToNow(notAfter) > -31);
View CloudFront distributions that have origin protocol policy does not enforce HTTPS onlyFROM "aws-cloudfront-get-distribution" WHERE(origins.items[@.customOriginConfig is not null].customOriginConfig.originProtocolPolicy.value != https-only);
View default Security Groups does not restrict all trafficFROM "aws-ec2-describe-security-groups" WHERE (groupName == default) and ((ipPermissions[*].ipv4Ranges[*].cidrIp contains 0.0.0.0/0) or (ipPermissionsEgress[*].ipv4Ranges[*].cidrIp contains 0.0.0.0/0) or (ipPermissions[*].ipv6Ranges[*].cidrIpv6 contains ::/0) or (ipPermissionsEgress[*].ipv6Ranges[*].cidrIpv6 contains ::/0));

Azure Examples

DescriptionSoraTrust RQL Query
View SQL databases have auditing set to offFROM "az-sql-db" WHERE (auditingSettings[*].properties.state == Disabled or auditingSettings[*] not exist);
View App Service web applications have authentication is offFROM "az-webapp" AND WHERE (config.properties.siteAuthEnabled == false);
View Key Vaults are not recoverableFROM "az-keyvault-list" WHERE (properties.enableSoftDelete not exist or properties.enablePurgeProtection not exist);
View Network Security Groups allow SSH traffic from internetFROM "az-network-nsg-list" WHERE properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRange contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRange contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRanges contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRanges contains Port.GetRange(22,22) or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "*"].properties.destinationPortRange contains "*" or properties.securityRules[@.access == "Allow" & @.direction == "Inbound" & @.sourceAddressPrefix == "Internet"].properties.destinationPortRange contains "*";
Check Security Center JIT network access monitoring is set to disabledFROM "az-policy-assignments" WHERE (name == SecurityCenterBuiltIn and properties.parameters.jitNetworkAccessMonitoringEffect.value == Disabled) or (name == SecurityCenterBuiltIn and properties.parameters is null and properties.displayName not start with "ASC Default");

GCP Examples

DescriptionSoraTrust RQL Query
Check if Deletion Protection feature is enabled for VM Instances or notFROM "gcloud-compute-instances-describe" WHERE deletionProtection== false
Check if network traffic egress metering is enabled in GCP Kubernetes Engine Clusters or notFROM "gcloud-container-clusters-describe" WHERE (resourceUsageExportConfig.enableNetworkEgressMetering not exist) or (resourceUsageExportConfig.enableNetworkEgressMetering is false);
Check if GCP Storage buckets are publicly accessible to all users or notFROM "gcloud-storage-iam-get" WHERE bindings[*].members[*] contains allUsers;
Check if Inbound rules allows unrestricted access (ICMP) or notFROM "gcloud-compute-firewall-rules-list" WHERE disabled == false and direction == INGRESS and sourceRanges == 0.0.0.0/0 and allowed[*].IPProtocol == icmp
Check if Cloud SQL Database Instances are publicly accessible or notFROM "gcloud-sql-instances-describe" WHERE settings.ipConfiguration.authorizedNetworks[*].value contains "0.0.0.0/0" or settings.ipConfiguration.authorizedNetworks[*].value contains "::/0" ;

5. API ingested by Cloud Safe

Amazon Web Services APIs

ServiceAPI
API Gatewayaws-apigateway-get-stages
AWS Certificate Manageraws-acm-describe-certificate
Amazon Elastic Container Serviceaws-ecs-describe-clusters aws-ecs-list-task-definitions aws-ecs-describe-task-definition
AWS CloudFormationaws-cloudformation-describe-stacks
AWS CloudFrontaws-cloudfront-list-distributions aws-cloudfront-get-distribution aws-cloudfront-describe-stacks
AWS CloudTrailaws-cloudtrail-describe-trails aws-cloudtrail-get-event-selectors aws-cloudtrail-get-trail-status
AWS CloudWatchaws-cloudwatch-get-metric-statistics
Amazon EC2aws-ec2-describe-instances aws-ec2-describe-security-groups aws-ec2-describe-vpn-gateways aws-ec2-describe-vpn-gateways-summary aws-ec2-describe-route-tables aws-ec2-describe-snapshots aws-ec2-describe-snapshot-attribute aws-ec2-describe-vpcs aws-ec2-describe-volumes aws-ec2-describe-images aws-ec2-describe-network-acls aws-ec2-describe-subnets aws-ec2-describe-nat-gateways aws-ec2-describe-addresses aws-ec2-describe-reserved-instances
AWS Configaws-configservice-describe-configuration-recorders aws-configservice-describe-delivery-channel-status aws-configservice-describe-configuration-recorder-status
Amazon DynamoDBaws-dynamodb-describe-table
Amazon Elastic Container Registry (ECR)aws-ecr-get-repository-policy aws-ecr-describe-repositories
AWS Elastic File System (EFS)aws-describe-mount-targets aws-efs-describe-file-systems  
Amazon Elastic Container Service for Kubernetes (EKS)aws-eks-describe-cluster
ElastiCacheaws-elasticache-cache-clusters aws-elasticache-describe-replication-groups aws-elasticache-reserved-cache-nodes
Amazon Elastic Load Balancingaws-elb-describe-load-balancers aws-elb-describe-load-balancer-policies aws-elb-describe-load-balancer-attributes aws-elbv2-describe-load-balancers aws-elbv2-describe-load-balancer-attributes aws-elbv2-describe-listeners
Amazon ElasticSearch Serviceaws-es-describe-elasticsearch-domain aws-es-describe-elasticsearch-domain-config aws-es-describe-reserved-elasticsearch-instances
Amazon Elastic MapReduce (EMR)aws-emr-describe-cluster
AWS Identity and Access Management (IAM)aws-iam-list-users aws-iam-get-policy-version aws-iam-list-ssh-public-keys aws-iam-list-attached-user-policies aws-iam-list-attached-group-policies aws-iam-list-attached-role-policies aws-iam-list-groups aws-iam-list-roles aws-iam-list-policies aws-iam-list-access-keys aws-iam-get-account-summary aws-iam-list-server-certificates aws-iam-get-credential-report aws-iam-list-mfa-devices aws-iam-list-virtual-mfa-devices aws-iam-list-user-policies aws-iam-list-entities-for-policy aws-iam-get-account-password-policy
AWS Key Management Service (KMS)aws-kms-get-key-rotation-status aws-kms-describe-key
Amazon Kinesisaws-kinesis-list-streams
AWS Lambdaaws-lambda-list-functions aws-lambda-get-account-settings aws-lambda-get-region-summary
Amazon Relational Database Service (RDS)aws-rds-describe-db-instances aws-rds-describe-db-clusters aws-rds-describe-db-snapshots aws-rds-describe-db-snapshot-attributes aws-rds-describe-event-subscriptions aws-rds-describe-reserved-db-instances
Amazon RedShiftaws-redshift-describe-clusters aws-redshift-describe-logging-status aws-redshift-describe-cluster-parameters aws-redshift-describe-reserved-nodes
AWS Route53aws-route53-list-hosted-zones
AWS Systems Manageraws-ssm-parameters
Amazon S3aws-s3api-get-bucket-acl aws-s3api-list-buckets aws-s3api-get-bucket-encryption aws-s3api-get-bucket-logging aws-s3api-get-bucket-website aws-s3api-get-bucket-versioning aws-s3api-get-bucket-policy
Amazon Simple Notification Service (SNS)aws-sns-list-subscriptions aws-sns-get-subscription-attributes aws-sns-list-topics aws-sns-get-topic-attributes
Amazon Simple Queue Service (SQS)aws-sqs-get-queue-attributes

Microsoft Azure APIs

ServiceAPI
Azure Kubernetes Service (AKS)az-aks-list The API contains value of: Private Link Resources - ListPrivate Endpoint Connections - List
Azure Web Appsaz-webapp The API contains value of: az webapp listaz webapp config list
Azure Authorizationaz-policy-assignments The API contains value of: az policy assignment list az-role-definition-list az-role-assignment-list
Azure Computeaz-vm-list The API contains value of: az vm listaz vm extension list az-disk-list az-vm-availability-set-list az-disk-encryption-set-list az-image-list az-snapshot-list az-ssh-public-key-list
Azure Container Registryaz-acr The API contains value of: az acr listaz acr webhook list
Azure Key Vaultaz-keyvault-list az-keyvault-secret-list az-keyvault-certificate-list az-keyvault-key-list
Azure Monitor Serviceaz-monitor-log-profiles-list
Azure Networkaz-network-nsg-list az-network-application-gateway-list az-network-firewall-policy-list az-network-nic-list az-network-vnet-subnet-list az-network-vpn-gateway-list az-network-vnet-list az-network-ip-group-list az-network-ip-allocation-list az-network-nat-gateway-list az-network-private-endpoint-list az-network-public-ip-list az-network-public-ip-prefix-list az-network-route-table-list az-network-route-table-route-list az-network-vnet-peering-list az-network-asg-list az-network-bastion-list az-network-firewall-list az-network-dns-zone-list az-network-private-dns-zone-list az-network-private-dns-link-vnet-list
Azure Database for PostgreSQLaz-postgres-server The API contains value of: az postgres server listaz postgres server configuration list
Azure Resource Managementaz-group The API contains value of: az group list az lock list
Azure Security Centeraz-security The API contains value of: az security setting list az security contact listaz security auto-provisioning-setting listaz security pricing list
Azure SQLaz-sql-server The API contains value of: az sql server list az sql server tde-key show az sql server ad-admin listaz sql server audit-policy showGet-AzSqlServerThreatDetectionPolicy az-sql-database The API contains value of: az sql db listaz sql db threat-policy showaz sql db audit-policy showaz sql db tde show
Azure Storage Accountsaz-storage-account-list The API contains value of: az storage account listaz storage account encryption-scope list
Azure SQL VMaz-sql-vm -list
Azure Load Balanceraz-load-balancer-list az-network-lb-inbound-nat-rule-list az-network-lb-frontend-ip-list az-network-lb-address-pool-list az-network-lb-rule-list az-network-lb-outbound-rule-list az-network-lb-probe-list
Azure Blueprintaz-blueprint-list az-blueprint-artifact-list az-blueprint-assignment-list az-blueprint-version-list

GCP APIs

ServiceAPI
BigQuerygcloud-bigquery-dataset-get
Cloud Load Balancinggcloud compute ssl-policies describe gcloud compute target-https-proxies describe
Cloud SQLgcloud-sql-instances-describe gcloud compute firewall-rules list gcloud-sql-instances-list gcloud-storage-versioning-get gcloud-storage-logging-get
Cloud Storagegcloud-storage-iam-get gcloud-storage-uniformbucketlevelaccess-get gcloud-storage-buckets-list
Cloud Key Management Service (KMS)gcloud kms keys get-iam-policy gcloud kms keys describe
Compute Enginegcloud compute instances describe gcloud compute disks describe
IAMgcloud iam service-accounts keys list gcloud projects get-iam-policy
VPCgcloud dns managed-zones describe gcloud compute firewall-rules list gcloud compute networks list gcloud compute networks subnets list
DNSgcloud dns managed-zones describe
GCP Kubernetes Engine Clustersgcloud container clusters describe