├── CODEOWNERS ├── terraform ├── lambda │ ├── modules │ │ └── test │ │ │ ├── fixtures │ │ │ └── python3.8-app1 │ │ │ │ ├── requirements.txt │ │ │ │ ├── dir1 │ │ │ │ └── dir2 │ │ │ │ │ └── ignore2.txt │ │ │ │ ├── ignore_please.txt │ │ │ │ ├── index.py │ │ │ │ └── docker │ │ │ │ └── automake-1.13-to-1.16-spec.patch │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── ec2 │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── network-interface.tf │ │ │ ├── variables.tf │ │ │ └── dedicated-host.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── ecs │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── clusters.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── glue │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── s3_bucket.tf │ │ │ ├── terraform.tf │ │ │ ├── workflow.tf │ │ │ ├── job.tf │ │ │ ├── trigger.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── iot │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── mq │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── qldb │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── ledger.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── rds │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ 
└── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── s3 │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── s3.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── ses │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── template.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── sns │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── variables.tf │ │ │ └── sns.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── sqs │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── sqs.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── ssm │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── waf │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── xray │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── groups.tf │ │ │ ├── terraform.tf │ │ │ ├── encryption-config.tf │ │ │ ├── variables.tf │ │ │ └── sampling_rule.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── appsync │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── appsync.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── athena │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── variables.tf │ │ │ └── database.tf │ ├── prod │ │ ├── main.tf │ │ 
└── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── backup │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── redshift │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── sagemaker │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── wafv2 │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── accessanalyzer │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── access_analyzers.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── apigateway2 │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── variables.tf │ │ │ └── vpc.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── cloudformation │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── codepipeline │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── variables.tf │ │ │ └── webhook.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── eventbridge │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ ├── eventbridge.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── 
main.tf │ │ └── variables.tf ├── wafregional │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── workspaces │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── autoscaling │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── elasticbeanstalk │ ├── modules │ │ └── test │ │ │ ├── provider.tf │ │ │ ├── terraform.tf │ │ │ └── variables.tf │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ └── local │ │ ├── main.tf │ │ └── variables.tf ├── lightsail │ ├── prod │ │ ├── main.tf │ │ └── terraform.tf │ ├── local │ │ ├── main.tf │ │ └── variables.tf │ └── modules │ │ └── test │ │ ├── domains.tf │ │ ├── static_ips.tf │ │ ├── provider.tf │ │ ├── key_pairs.tf │ │ ├── buckets.tf │ │ ├── lb.tf │ │ ├── certificate.tf │ │ ├── disk.tf │ │ ├── terraform.tf │ │ ├── database.tf │ │ └── variables.tf └── resourcegroups │ ├── modules │ └── test │ │ ├── provider.tf │ │ ├── terraform.tf │ │ ├── variables.tf │ │ └── resourcegroups.tf │ └── local │ ├── main.tf │ └── variables.tf ├── .github ├── workflows │ ├── README │ └── ok_to_test.yml ├── renovate.json5 ├── release.yml └── .kodiak.toml ├── views ├── views.go └── README.md ├── dashboards └── grafana │ ├── compliance.png │ ├── aws_asset_inventory.png │ └── aws_ec2_public_private.png ├── resources ├── forks │ └── doc.go ├── services │ ├── ses │ │ └── types.go │ └── lightsail │ │ └── types.go └── provider │ └── views_test.go ├── policies ├── foundational_security │ ├── dms.sql │ ├── acm.sql │ ├── awsconfig.sql │ ├── elbv2.sql │ ├── waf.sql │ ├── guardduty.sql │ ├── sns.sql │ ├── sqs.sql │ ├── autoscaling.sql │ ├── emr.sql 
│ ├── sagemaker.sql │ ├── ecs.sql │ ├── efs.sql │ ├── codebuild.sql │ ├── lambda.sql │ ├── elastic_beanstalk.sql │ ├── kms.sql │ ├── dynamodb.sql │ ├── cloudtrail.sql │ └── ssm.sql ├── create_aws_policy_results.sql ├── queries │ ├── cloudfront │ │ ├── all_distributions.sql │ │ ├── associated_with_waf.sql │ │ ├── access_logs_enabled.sql │ │ ├── default_root_object_configured.sql │ │ ├── distributions_disabled.sql │ │ └── origin_failover_enabled.sql │ ├── ec2 │ │ ├── eips_unused.sql │ │ ├── public_ips.sql │ │ ├── get_unused_public_ips.sql │ │ ├── not_imdsv2_instances.sql │ │ ├── unencrypted_ebs_volumes.sql │ │ ├── instances_with_public_ip.sql │ │ ├── subnets_that_assign_public_ips.sql │ │ ├── flow_logs_enabled_in_all_vpcs.sql │ │ ├── ebs_encryption_by_default_disabled.sql │ │ ├── stopped_more_thant_30_days_ago_instances.sql │ │ ├── default_sg_no_access.sql │ │ └── hosts_unused.sql │ ├── cloudtrail-trail-logs-encrypted-with-kms-keys.sql │ ├── kms │ │ ├── rotation_enabled_for_customer_key.sql │ │ └── cmk_not_scheduled_for_deletion.sql │ ├── apigateway │ │ ├── api_gw_v2_publicly_accessible.sql │ │ ├── api_gw_associated_with_waf.sql │ │ ├── api_keys_disabled.sql │ │ ├── api_gw_ssl_enabled.sql │ │ ├── api_gw_publicly_accessible.sql │ │ └── api_gw_xray_enabled.sql │ ├── elb │ │ ├── elbv2_internet_facing.sql │ │ ├── elbv1_internet_facing.sql │ │ ├── target_groups_unused.sql │ │ └── elbv1_conn_draining_enabled.sql │ ├── iam │ │ ├── password_policy_min_one_symbol.sql │ │ ├── password_policy_min_length.sql │ │ ├── password_policy_min_number.sql │ │ ├── password_policy_min_uppercase.sql │ │ ├── password_policy_prevent_reuse.sql │ │ ├── password_policy_expire_old_passwords.sql │ │ ├── password_policy_min_lowercase.sql │ │ ├── mfa_enabled_for_console_access.sql │ │ ├── root_user_no_access_keys.sql │ │ ├── mfa_enabled_for_root.sql │ │ ├── old_access_keys.sql │ │ ├── avoid_root_usage.sql │ │ └── policies_attached_to_groups_roles.sql │ ├── rds │ │ ├── 
rds_instances_should_be_deployed_in_a_vpc.sql │ │ ├── rds_clusters_should_have_deletion_protection_enabled.sql │ │ ├── rds_db_instances_should_have_encryption_at_rest_enabled.sql │ │ ├── rds_db_instances_should_have_deletion_protection_enabled.sql │ │ ├── rds_automatic_minor_version_upgrades_should_be_enabled.sql │ │ ├── rds_db_clusters_should_be_configured_for_multiple_availability_zones.sql │ │ ├── iam_authentication_should_be_configured_for_rds_clusters.sql │ │ ├── rds_db_clusters_should_be_configured_to_copy_tags_to_snapshots.sql │ │ ├── rds_db_instances_should_be_configured_to_copy_tags_to_snapshots.sql │ │ ├── rds_db_instances_should_be_configured_with_multiple_availability_zones.sql │ │ ├── iam_authentication_should_be_configured_for_rds_instances.sql │ │ ├── rds_db_instances_should_prohibit_public_access.sql │ │ ├── enhanced_monitoring_should_be_configured_for_rds_db_instances_and_clusters.sql │ │ ├── amazon_aurora_clusters_should_have_backtracking_enabled.sql │ │ └── snapshots_should_prohibit_public_access.sql │ ├── lambda │ │ ├── lambda_function_in_vpc.sql │ │ └── lambda_functions_should_use_supported_runtimes.sql │ ├── lightsail │ │ ├── disks_unused.sql │ │ ├── static_ips_unused.sql │ │ └── distributions_unused.sql │ ├── efs │ │ ├── filesystems_unused.sql │ │ ├── efs_filesystems_with_disabled_backups.sql │ │ └── unencrypted_efs_filesystems.sql │ ├── redshift │ │ ├── cluster_publicly_accessible.sql │ │ ├── clusters_should_use_enhanced_vpc_routing.sql │ │ ├── clusters_should_have_automatic_snapshots_enabled.sql │ │ └── clusters_should_have_automatic_upgrades_to_major_versions_enabled.sql │ ├── acm │ │ ├── certificates_unused.sql │ │ └── certificates_should_be_renewed.sql │ ├── cloudtrail │ │ ├── logs_encrypted.sql │ │ └── log_file_validation_enabled.sql │ ├── elasticsearch │ │ ├── elasticsearch_domains_should_be_in_vpc.sql │ │ ├── elasticsearch_domains_should_have_encryption_at_rest_enabled.sql │ │ ├── 
elasticsearch_domains_should_encrypt_data_sent_between_nodes.sql │ │ └── connections_to_elasticsearch_domains_should_be_encrypted_using_tls_1_2.sql │ ├── dynamodb │ │ ├── tables_unused.sql │ │ ├── dax_encrypted_at_rest.sql │ │ └── point_in_time_recovery.sql │ ├── ssm │ │ └── documents_should_not_be_public.sql │ ├── route53 │ │ └── hosted_zones_unused.sql │ ├── sns │ │ ├── sns_topics_should_be_encrypted_at_rest_using_aws_kms.sql │ │ └── topics_unused.sql │ ├── sqs │ │ └── sqs_queues_should_be_encrypted_at_rest_using_aws_kms.sql │ ├── dms │ │ └── replication_not_public.sql │ ├── cloudwatch │ │ ├── alarm_actions_disabled.sql │ │ └── alarm_console_no_mfa.sql │ ├── secretsmanager │ │ └── secrets_should_have_automatic_rotation_enabled.sql │ ├── waf │ │ └── waf_web_acl_logging_should_be_enabled.sql │ ├── sagemaker │ │ └── sagemaker_notebook_instance_direct_internet_access_disabled.sql │ ├── autoscaling │ │ └── autoscaling_groups_elb_check.sql │ ├── elasticbeanstalk │ │ └── advanced_health_reporting_enabled.sql │ └── directconnect │ │ └── connections_down.sql └── cis_v1.2.0 │ └── section_4.sql ├── .pre-commit-config.yaml ├── tools └── tool.go ├── docs ├── tables │ ├── aws_lambda_runtimes.md │ ├── aws_ec2_vpc_attachment.md │ ├── aws_route53_reusable_delegation_sets.md │ ├── aws_kinesis_stream_enhanced_monitoring.md │ ├── aws_ec2_ebs_volume_attachments.md │ ├── aws_ec2_instance_product_codes.md │ ├── aws_ec2_route_table_propagating_vgws.md │ ├── aws_ec2_vpc_endpoint_dns_entries.md │ ├── aws_ec2_instance_network_interface_ipv6_addresses.md │ ├── aws_ec2_instance_security_groups.md │ ├── aws_ec2_vpc_endpoint_groups.md │ ├── aws_ec2_vpn_gateways.md │ ├── aws_route53_domain_nameservers.md │ ├── aws_waf_rules.md │ ├── aws_iot_stream_files.md │ ├── aws_lambda_layer_version_policies.md │ ├── aws_redshift_cluster_security_groups.md │ ├── aws_ec2_transit_gateway_route_tables.md │ ├── aws_iam_user_attached_policies.md │ ├── aws_redshift_cluster_parameter_groups.md │ ├── 
aws_redshift_cluster_vpc_security_groups.md │ ├── aws_regions.md │ ├── aws_codepipeline_pipeline_stages.md │ ├── aws_ec2_internet_gateway_attachments.md │ ├── aws_ec2_instance_type_instance_storage_info_disks.md │ ├── aws_ec2_network_acl_associations.md │ ├── aws_eks_cluster_encryption_configs.md │ ├── aws_elbv2_listener_certificates.md │ ├── aws_mq_broker_configuration_revisions.md │ ├── aws_elasticache_cluster_security_groups.md │ ├── aws_directconnect_virtual_gateways.md │ ├── aws_rds_cluster_vpc_security_groups.md │ ├── aws_elasticache_cluster_cache_security_groups.md │ ├── aws_elasticbeanstalk_environment_links.md │ ├── aws_ec2_transit_gateway_vpc_attachments.md │ ├── aws_waf_subscribed_rule_groups.md │ ├── aws_athena_data_catalog_databases.md │ ├── aws_access_analyzer_analyzer_finding_sources.md │ ├── aws_ec2_transit_gateway_attachments.md │ ├── aws_backup_global_settings.md │ ├── aws_athena_data_catalog_database_table_columns.md │ ├── aws_ec2_instance_network_interface_groups.md │ ├── aws_glue_database_table_columns.md │ ├── aws_xray_encryption_config.md │ ├── aws_ec2_security_group_ip_permission_prefix_list_ids.md │ ├── aws_ecs_cluster_service_events.md │ ├── aws_eks_cluster_loggings.md │ ├── aws_rds_instance_option_group_memberships.md │ ├── aws_waf_rule_groups.md │ ├── aws_backup_region_settings.md │ ├── aws_glue_crawler_targets_jdbc_targets.md │ ├── aws_athena_data_catalog_database_table_partition_keys.md │ ├── aws_codebuild_project_environment_variables.md │ ├── aws_glue_database_table_partition_keys.md │ ├── aws_lightsail_load_balancer_tls_certificate_summaries.md │ ├── aws_redshift_cluster_nodes.md │ ├── aws_ec2_regional_config.md │ ├── aws_elbv1_load_balancer_policies.md │ ├── aws_rds_instance_db_parameter_groups.md │ ├── aws_lightsail_database_log_events.md │ ├── aws_ecs_cluster_attachments.md │ ├── aws_ec2_host_instances.md │ ├── aws_ec2_transit_gateway_multicast_domains.md │ ├── aws_ec2_internet_gateways.md │ ├── 
aws_redshift_cluster_endpoint_vpc_endpoints.md │ ├── aws_cloudformation_stack_outputs.md │ ├── aws_ecs_cluster_task_attachments.md │ ├── aws_shield_attack_sub_resources.md │ ├── aws_codepipeline_webhook_filters.md │ ├── aws_dms_replication_instance_vpc_security_groups.md │ ├── aws_ec2_route_tables.md │ ├── aws_ec2_security_group_ip_permission_ip_ranges.md │ ├── aws_elbv2_listener_default_action_forward_config_target_groups.md │ ├── aws_redshift_snapshot_accounts_with_restore_access.md │ ├── aws_apigatewayv2_domain_name_rest_api_mappings.md │ ├── aws_autoscaling_group_tags.md │ ├── aws_elbv1_load_balancer_backend_server_descriptions.md │ ├── aws_glue_security_configuration_s3_encryption.md │ ├── aws_rds_instance_vpc_security_groups.md │ ├── aws_elbv2_load_balancer_availability_zones.md │ └── aws_s3_bucket_grants.md └── docs.go ├── main.go ├── scripts ├── terraform-apply-all.sh ├── terraform-validate-all.sh ├── regenerate-changed-directories.sh ├── terraform-fmt-change-only.sh ├── terraform-init-change-only.sh └── terraform-validate-change-only.sh └── test └── policy_cq_config.yml /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @cloudquery/cloudquery-opensource 2 | -------------------------------------------------------------------------------- /terraform/lambda/modules/test/fixtures/python3.8-app1/requirements.txt: -------------------------------------------------------------------------------- 1 | colorful 2 | -------------------------------------------------------------------------------- /terraform/ec2/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/ecs/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 
-------------------------------------------------------------------------------- /terraform/glue/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/iot/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/mq/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/qldb/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/rds/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/s3/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/ses/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/sns/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | 
provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/sqs/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/ssm/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/waf/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/xray/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/appsync/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/athena/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/backup/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/lambda/modules/test/provider.tf: 
-------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/redshift/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/sagemaker/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/wafv2/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /.github/workflows/README: -------------------------------------------------------------------------------- 1 | All files in this folder were created and synced from cloudquery/.github -------------------------------------------------------------------------------- /terraform/accessanalyzer/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/apigateway2/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/cloudformation/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 
-------------------------------------------------------------------------------- /terraform/codepipeline/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/eventbridge/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/wafregional/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/workspaces/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } -------------------------------------------------------------------------------- /terraform/athena/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/autoscaling/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | -------------------------------------------------------------------------------- /terraform/backup/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ec2/prod/main.tf: 
-------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ecs/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/glue/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/iot/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/lambda/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/mq/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/qldb/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/rds/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 
| prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/s3/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ses/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/sns/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/sqs/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ssm/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/waf/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/wafv2/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/xray/prod/main.tf: 
-------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/apigateway2/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/appsync/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ec2/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/ecs/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/elasticbeanstalk/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | -------------------------------------------------------------------------------- /terraform/eventbridge/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/glue/local/main.tf: -------------------------------------------------------------------------------- 1 | module 
"demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/iot/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/lightsail/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/mq/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/qldb/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/rds/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/redshift/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/resourcegroups/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 
-------------------------------------------------------------------------------- /terraform/s3/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/sagemaker/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/ses/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/sns/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/sqs/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/ssm/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/waf/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- 
/terraform/wafregional/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/workspaces/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/xray/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/accessanalyzer/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/appsync/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/athena/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/autoscaling/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/backup/local/main.tf: 
-------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/cloudformation/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/codepipeline/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } -------------------------------------------------------------------------------- /terraform/lambda/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/lambda/modules/test/fixtures/python3.8-app1/dir1/dir2/ignore2.txt: -------------------------------------------------------------------------------- 1 | This file should be ignored... 
2 | -------------------------------------------------------------------------------- /terraform/lightsail/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/redshift/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/sagemaker/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/wafv2/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/accessanalyzer/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/apigateway2/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/cloudformation/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } 
-------------------------------------------------------------------------------- /terraform/codepipeline/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/elasticbeanstalk/prod/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = "cq" 4 | } 5 | -------------------------------------------------------------------------------- /terraform/eventbridge/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/wafregional/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/workspaces/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } -------------------------------------------------------------------------------- /terraform/autoscaling/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } 5 | -------------------------------------------------------------------------------- /views/views.go: -------------------------------------------------------------------------------- 1 | package views 2 | 3 | import _ "embed" 4 | 5 | //go:embed resources.sql 6 | var ResourcesView string 7 | 
-------------------------------------------------------------------------------- /dashboards/grafana/compliance.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudquery/cq-provider-aws/HEAD/dashboards/grafana/compliance.png -------------------------------------------------------------------------------- /terraform/elasticbeanstalk/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } 5 | -------------------------------------------------------------------------------- /terraform/lambda/modules/test/fixtures/python3.8-app1/ignore_please.txt: -------------------------------------------------------------------------------- 1 | This file should not be included in archive. 2 | 3 | -------------------------------------------------------------------------------- /terraform/resourcegroups/local/main.tf: -------------------------------------------------------------------------------- 1 | module "demo" { 2 | source = "../modules/test" 3 | prefix = var.prefix 4 | } 5 | -------------------------------------------------------------------------------- /resources/forks/doc.go: -------------------------------------------------------------------------------- 1 | // This package contains client forks to workaround issues with upstream dependencies. 
2 | 3 | package forks 4 | -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/domains.tf: -------------------------------------------------------------------------------- 1 | resource "awslightsail_domain" "awslightsail_domain" { 2 | domain_name = "mydomain.com" 3 | } -------------------------------------------------------------------------------- /dashboards/grafana/aws_asset_inventory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudquery/cq-provider-aws/HEAD/dashboards/grafana/aws_asset_inventory.png -------------------------------------------------------------------------------- /policies/foundational_security/dms.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'DMS.1' 2 | \echo "Executing check DMS.1" 3 | \ir ../queries/dms/replication_not_public.sql 4 | -------------------------------------------------------------------------------- /dashboards/grafana/aws_ec2_public_private.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudquery/cq-provider-aws/HEAD/dashboards/grafana/aws_ec2_public_private.png -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/static_ips.tf: -------------------------------------------------------------------------------- 1 | resource "aws_lightsail_static_ip" "aws_lightsail_static_ip" { 2 | name = "${var.prefix}_static_ip" 3 | } -------------------------------------------------------------------------------- /policies/foundational_security/acm.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'ACM.1' 2 | \echo "Executing check ACM.1" 3 | \ir ../queries/acm/certificates_should_be_renewed.sql 4 | 
-------------------------------------------------------------------------------- /policies/foundational_security/awsconfig.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'Config.1' 2 | \echo "Executing check Config.1" 3 | \ir ../queries/config/enabled_all_regions.sql 4 | -------------------------------------------------------------------------------- /policies/foundational_security/elbv2.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'ELBv2.1' 2 | \echo "Executing check ELBv2.1" 3 | \ir ../queries/elb/elbv2_redirect_http_to_https.sql 4 | -------------------------------------------------------------------------------- /policies/foundational_security/waf.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'WAF.1' 2 | \echo "Executing check WAF.1" 3 | \ir ../queries/waf/waf_web_acl_logging_should_be_enabled.sql 4 | -------------------------------------------------------------------------------- /terraform/lambda/modules/test/fixtures/python3.8-app1/index.py: -------------------------------------------------------------------------------- 1 | def lambda_handler(event, context): 2 | print("Hello from app1!") 3 | 4 | return event 5 | -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/provider.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | provider "awslightsail" { 5 | region = "us-east-1" 6 | } 7 | -------------------------------------------------------------------------------- /policies/foundational_security/guardduty.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'GuardDuty.1' 2 | \echo "Executing check GuardDuty.1" 3 | \ir ../queries/guardduty/detector_enabled.sql 4 | 
-------------------------------------------------------------------------------- /terraform/glue/modules/test/s3_bucket.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket" "aws_s3_bucket" { 2 | bucket = "${var.prefix}-glue-target-bucket" 3 | force_destroy = true 4 | } -------------------------------------------------------------------------------- /policies/foundational_security/sns.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'SNS.1' 2 | \echo "Executing check SNS.1" 3 | \ir ../queries/sns/sns_topics_should_be_encrypted_at_rest_using_aws_kms.sql 4 | -------------------------------------------------------------------------------- /policies/foundational_security/sqs.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'SQS.1' 2 | \echo "Executing check SQS.1" 3 | \ir ../queries/sqs/sqs_queues_should_be_encrypted_at_rest_using_aws_kms.sql 4 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/dnephin/pre-commit-golang 3 | rev: v0.5.0 4 | hooks: 5 | # - id: go-mod-tidy 6 | - id: golangci-lint 7 | -------------------------------------------------------------------------------- /policies/foundational_security/autoscaling.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'AutoScaling.1' 2 | \echo "Executing check AutoScaling.1" 3 | \ir ../queries/autoscaling/autoscaling_groups_elb_check.sql 4 | -------------------------------------------------------------------------------- /policies/foundational_security/emr.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'EMR.1' 2 | \echo "Executing check EMR.1" 3 | \ir 
../queries/emr/emr_cluster_master_nodes_should_not_have_public_ip_addresses.sql 4 | -------------------------------------------------------------------------------- /terraform/eventbridge/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "eventbridge" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/key_pairs.tf: -------------------------------------------------------------------------------- 1 | # Create a new Lightsail Key Pair 2 | resource "aws_lightsail_key_pair" "aws_lightsail_key_pair" { 3 | name = "${var.prefix}_key_pair" 4 | } -------------------------------------------------------------------------------- /terraform/accessanalyzer/modules/test/access_analyzers.tf: -------------------------------------------------------------------------------- 1 | resource "aws_accessanalyzer_analyzer" "example" { 2 | analyzer_name = "${var.prefix}-accessanalyzer" 3 | tags = var.tags 4 | } 5 | -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/buckets.tf: -------------------------------------------------------------------------------- 1 | resource "awslightsail_bucket" "awslightsail_bucket" { 2 | name = "${lower(var.prefix)}-lightsail-bucket" 3 | bundle_id = "small_1_0" 4 | } -------------------------------------------------------------------------------- /terraform/ec2/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "ec2" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/ecs/prod/terraform.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "ecs" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/elasticbeanstalk/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "elasticbeanstalk" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/glue/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "glue" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/iot/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "iot" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/mq/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "mq" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/qldb/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "qldb" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/rds/prod/terraform.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "rds" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/s3/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "s3" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/ses/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "ses" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/sns/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "sns" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/sqs/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "sqs" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/ssm/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "ssm" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/waf/prod/terraform.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "waf" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/xray/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "xray" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/athena/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "athena" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/backup/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "backup" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/lambda/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "lambda" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/wafv2/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "wafv2" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /.github/renovate.json5: 
-------------------------------------------------------------------------------- 1 | { 2 | extends: [ 3 | "github>cloudquery/.github//.github/renovate-go-default.json5", 4 | "github>cloudquery/.github//.github/renovate-node-default.json5", 5 | ], 6 | } 7 | -------------------------------------------------------------------------------- /terraform/appsync/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "appsync" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/lb.tf: -------------------------------------------------------------------------------- 1 | resource "awslightsail_lb" "awslightsail_lb" { 2 | name = "${var.prefix}_load_balancer" 3 | health_check_path = "/" 4 | instance_port = "80" 5 | } -------------------------------------------------------------------------------- /terraform/lightsail/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "lightsail" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/redshift/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "redshift" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/sagemaker/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "sagemaker" 5 | region = "us-east-1" 6 | } 7 | } 8 | 
-------------------------------------------------------------------------------- /policies/foundational_security/sagemaker.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'SageMaker.1' 2 | \echo "Executing check SageMaker.1" 3 | \ir ../queries/sagemaker/sagemaker_notebook_instance_direct_internet_access_disabled.sql 4 | -------------------------------------------------------------------------------- /terraform/apigateway2/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "apigatewayv2" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/appsync/modules/test/appsync.tf: -------------------------------------------------------------------------------- 1 | module "appsync" { 2 | source = "terraform-aws-modules/appsync/aws" 3 | version = "1.5.2" 4 | name = "${var.prefix}-appsync" 5 | tags = var.tags 6 | } 7 | -------------------------------------------------------------------------------- /terraform/autoscaling/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "autoscaling" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/wafregional/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "wafregional" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/workspaces/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | 
bucket = "cq-provider-aws-tf" 4 | key = "workspaces" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/accessanalyzer/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "accessanalyzer" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/cloudformation/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "cloudformation" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/codepipeline/prod/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "s3" { 3 | bucket = "cq-provider-aws-tf" 4 | key = "codepipeline" 5 | region = "us-east-1" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /terraform/athena/modules/test/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.15" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 3.74.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/backup/modules/test/terraform.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.15" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 3.74.0" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/ec2/modules/test/terraform.tf: 
--------------------------------------------------------------------------------
# Provider pins for the ec2 test module.
# NOTE(review): ">= 0.15" and ">= 3.74.0" are open-ended; without a committed
# .terraform.lock.hcl a newer provider major can be resolved unreviewed on the
# next init. "~> 3.74" would bound the range. Same shape in every module below.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/ecs/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the ecs test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/glue/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the glue test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/iot/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the iot test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/lambda/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the lambda test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/mq/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the mq test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/qldb/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the qldb test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/rds/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the rds test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/s3/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the s3 test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/ses/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the ses test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/sns/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the sns test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/sqs/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the sqs test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/ssm/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the ssm test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/waf/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the waf test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/wafv2/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the wafv2 test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/apigateway2/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the apigateway2 test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/appsync/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the appsync test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/eventbridge/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the eventbridge test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/qldb/modules/test/ledger.tf:
--------------------------------------------------------------------------------

# Throw-away QLDB ledger for the qldb test module. STANDARD permissions mode
# means access is governed by IAM rather than the ledger-wide ALLOW_ALL, and
# deletion protection is off on purpose so the fixture can be torn down.
resource "aws_qldb_ledger" "cq-ledger" {
  name                = "${var.prefix}-ledger"
  permissions_mode    = "STANDARD"
  deletion_protection = false
  tags                = var.tags
}
--------------------------------------------------------------------------------
/terraform/redshift/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the redshift test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/sagemaker/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the sagemaker test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/wafregional/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the wafregional test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
# Provider pins for the accessanalyzer test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/cloudformation/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the cloudformation test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/codepipeline/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the codepipeline test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/tools/tool.go:
--------------------------------------------------------------------------------
//go:build tools
// +build tools

// Package main exists only to record build-time tool dependencies in go.mod.
// The blank imports keep cq-gen and mockgen resolvable through `go run` /
// `go install` at the versions go.sum pins; nothing here is compiled into the
// provider binary (the file is excluded unless the "tools" tag is set).
package main

import (
	_ "github.com/cloudquery/cq-gen"
	_ "github.com/golang/mock/mockgen"
	_ "github.com/golang/mock/mockgen/model"
)
--------------------------------------------------------------------------------
/terraform/autoscaling/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the autoscaling test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/glue/modules/test/workflow.tf:
--------------------------------------------------------------------------------
# Minimal Glue workflow fixture; a single concurrent run keeps test cost bounded.
resource "aws_glue_workflow" "workflow" {
  name                = "${var.prefix}-workflow"
  description         = "Test workflow"
  max_concurrent_runs = 1
  tags = {
    "key" = "value"
  }
}
--------------------------------------------------------------------------------
/terraform/s3/modules/test/s3.tf:
--------------------------------------------------------------------------------
# Test bucket via the community s3-bucket module. force_destroy lets
# `terraform destroy` empty the bucket, which is what a disposable fixture wants
# and exactly what a long-lived bucket should not have.
module "cq_provider_aws_s3" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 2.14"

  bucket        = "${var.prefix}-s3-cq-provider-aws"
  force_destroy = true
}
--------------------------------------------------------------------------------
/docs/tables/aws_lambda_runtimes.md:
--------------------------------------------------------------------------------

# Table: aws_lambda_runtimes
All known values for Runtime
## Columns
| Name | Type | Description |
| ------------- | ------------- | ----- |
|name|text|Runtime name|
--------------------------------------------------------------------------------
/terraform/elasticbeanstalk/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the elasticbeanstalk test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/sqs/modules/test/sqs.tf:
--------------------------------------------------------------------------------
// https://github.com/terraform-aws-modules/terraform-aws-sqs

// Plain test queue through the community sqs module; only the name is set,
// everything else is the module default.
module "sqs" {
  source  = "terraform-aws-modules/sqs/aws"
  version = "~> 2.0"

  name = "${var.prefix}-sqs-cq-provider"
}
--------------------------------------------------------------------------------
/terraform/resourcegroups/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the resourcegroups test module.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/ec2/modules/test/network-interface.tf:
--------------------------------------------------------------------------------
# ENI placed in the second private subnet of the VPC module (module.vpc is
# declared elsewhere in this module). Name tag is merged over the shared tags.
resource "aws_network_interface" "nif" {
  subnet_id = element(module.vpc.private_subnets, 1)

  tags = merge(
    {
      Name = "${var.prefix}-nif",
    },
    var.tags
  )
}
--------------------------------------------------------------------------------
/docs/tables/aws_ec2_vpc_attachment.md:
--------------------------------------------------------------------------------

# Table: aws_ec2_vpc_attachment

## Columns
| Name | Type | Description |
| ------------- | ------------- | ----- |
|vpn_gateway_cq_id|uuid||
|state|text||
|vpc_id|text||
--------------------------------------------------------------------------------
/terraform/xray/modules/test/groups.tf:
--------------------------------------------------------------------------------
# X-Ray group selecting slow traces (responsetime > 5) so the fixture has a
# non-trivial filter expression to read back.
resource "aws_xray_group" "xray-group" {
  group_name        = "${var.prefix}-xray-group"
  filter_expression = "responsetime > 5"

  tags = merge(
    { Name = "${var.prefix}-xray-group" },
    var.tags
  )
}
--------------------------------------------------------------------------------
/policies/foundational_security/ecs.sql:
--------------------------------------------------------------------------------
-- ECS checks of the foundational-security framework. Each check sets
-- :check_id and then includes the query that writes its rows.
\set check_id 'ECS.1'
\echo "Executing check ECS.1"
\ir ../queries/ecs/task_definitions_secure_networking.sql

\set check_id 'ECS.2'
\echo "Executing check ECS.2"
\ir ../queries/ecs/ecs_services_with_public_ips.sql
--------------------------------------------------------------------------------
/policies/foundational_security/efs.sql:
--------------------------------------------------------------------------------
-- EFS checks of the foundational-security framework; :check_id is consumed by
-- the included queries.
\set check_id 'EFS.1'
\echo "Executing check EFS.1"
\ir ../queries/efs/unencrypted_efs_filesystems.sql

\set check_id 'EFS.2'
\echo "Executing check EFS.2"
\ir ../queries/efs/efs_filesystems_with_disabled_backups.sql
--------------------------------------------------------------------------------
/terraform/glue/modules/test/job.tf:
--------------------------------------------------------------------------------
# Glue job fixture. The job executes whatever sits at scripts/example.py in the
# module's bucket under the role below (both declared elsewhere in this module).
# NOTE(review): write access to that bucket/prefix is therefore code execution
# as the job role — keep the bucket policy and the role scoped accordingly.
resource "aws_glue_job" "example" {
  name     = "${var.prefix}-glue-job"
  role_arn = aws_iam_role.aws_iam_role.arn

  command {
    script_location = "s3://${aws_s3_bucket.aws_s3_bucket.bucket}/scripts/example.py"
  }
}
--------------------------------------------------------------------------------
/resources/services/ses/types.go:
--------------------------------------------------------------------------------
package ses

import (
	"time"

	"github.com/aws/aws-sdk-go-v2/service/sesv2/types"
)

// Template is the row shape for an SES v2 email template: the name and
// creation time the API returns next to the embedded template content
// (subject/html/text fields are promoted from EmailTemplateContent).
type Template struct {
	TemplateName *string
	*types.EmailTemplateContent
	CreatedTimestamp *time.Time
}
--------------------------------------------------------------------------------
/terraform/mq/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix that namespaces every resource created by the mq stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
# (closes the validation and variable blocks opened above)
  }
}
--------------------------------------------------------------------------------
/terraform/s3/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix that namespaces every resource created by the s3 stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/appsync/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the appsync stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/athena/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the athena stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/backup/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the backup stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/ec2/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the ec2 stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/ecs/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the ecs stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/glue/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the glue stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/iot/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the iot stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/lambda/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the lambda stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/lightsail/modules/test/certificate.tf:
--------------------------------------------------------------------------------
# Lightsail certificate fixture for a placeholder domain; it will sit unvalidated
# because nobody controls example.com, which is fine for a read-back test.
resource "awslightsail_certificate" "awslightsail_certificate" {
  name                      = "${var.prefix}_awslightsail_certificate"
  domain_name               = "example.com"
  subject_alternative_names = ["www.example.com"]
}
--------------------------------------------------------------------------------
/terraform/qldb/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the qldb stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/rds/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the rds stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/ses/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the ses stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/sns/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the sns stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/sqs/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the sqs stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/ssm/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the ssm stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/waf/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the waf stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/wafv2/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the wafv2 stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/xray/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the xray stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/apigateway2/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the apigateway2 stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/autoscaling/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the autoscaling stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/codepipeline/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the codepipeline stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/eventbridge/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the eventbridge stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/lightsail/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the lightsail stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/lightsail/modules/test/disk.tf:
--------------------------------------------------------------------------------
# Small Lightsail block disk fixture; the empty foo2 tag value is deliberate so
# the provider's handling of blank tag values gets exercised.
resource "awslightsail_disk" "awslightsail_disk" {
  name              = "${var.prefix}_awslightsail_disk"
  size_in_gb        = 8
  availability_zone = "us-east-1b"
  tags = {
    foo1 = "bar1"
    foo2 = ""
  }
}
--------------------------------------------------------------------------------
/terraform/redshift/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the redshift stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/sagemaker/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the sagemaker stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/wafregional/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the wafregional stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
# (closes the validation and variable blocks opened above)
  }
}
--------------------------------------------------------------------------------
/terraform/workspaces/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix that namespaces every resource created by the workspaces stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/cloudquery/cq-provider-aws/resources/provider"
	"github.com/cloudquery/cq-provider-sdk/serve"
)

// main hands the AWS provider to the SDK's serve loop under the name "aws";
// serve.Serve owns the process from here (plugin handshake, RPC, shutdown).
func main() {
	opts := &serve.Options{
		Name:     "aws",
		Provider: provider.Provider(),
	}
	serve.Serve(opts)
}
--------------------------------------------------------------------------------
/terraform/accessanalyzer/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the accessanalyzer stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/cloudformation/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the cloudformation stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/elasticbeanstalk/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the elasticbeanstalk stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/resourcegroups/local/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix for the resourcegroups stack.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string
  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/policies/foundational_security/codebuild.sql:
--------------------------------------------------------------------------------
-- CodeBuild checks of the foundational-security framework; :check_id is
-- consumed by the included queries.
\set check_id 'CodeBuild.1'
\echo "Executing check CodeBuild.1"
\ir ../queries/codebuild/check_oauth_usage_for_sources.sql

\set check_id 'CodeBuild.2'
\echo "Executing check CodeBuild.2"
\ir ../queries/codebuild/check_environment_variables.sql
--------------------------------------------------------------------------------
/policies/create_aws_policy_results.sql:
--------------------------------------------------------------------------------
-- Result sink every policy query inserts into: one row per (check, resource)
-- with the run's execution_time and framework so runs can be compared.
create table if not exists aws_policy_results (
  execution_time timestamp with time zone,
  framework      varchar(255),
  check_id       varchar(255),
  title          text,
  account_id     varchar(1024),
  resource_id    varchar(1024),
  status         varchar(16)
)
--------------------------------------------------------------------------------
/terraform/lightsail/modules/test/terraform.tf:
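--------------------------------------------------------------------------------
# Provider pins for the lightsail test module.
# NOTE(review): awslightsail is a third-party provider from a personal
# namespace and carries no version constraint at all, so every init may
# resolve a different release unless a lockfile is committed; pin it.
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
    awslightsail = {
      source = "deyoungtech/awslightsail"
    }
  }
}
--------------------------------------------------------------------------------
/policies/foundational_security/lambda.sql:
--------------------------------------------------------------------------------
-- Lambda checks of the foundational-security framework; :check_id is consumed
-- by the included queries.
\set check_id 'Lambda.1'
\echo "Executing check Lambda.1"
\ir ../queries/lambda/lambda_function_prohibit_public_access.sql

\set check_id 'Lambda.2'
\echo "Executing check Lambda.2"
\ir ../queries/lambda/lambda_functions_should_use_supported_runtimes.sql
--------------------------------------------------------------------------------
/terraform/autoscaling/modules/test/variables.tf:
--------------------------------------------------------------------------------
# Two-character prefix that namespaces every resource in the autoscaling test module.
variable "prefix" {
  description = "Prefix to use for all name resources"
  type        = string

  validation {
    condition     = length(var.prefix) == 2
    error_message = "The prefix should be exactly two characters."
  }
}
--------------------------------------------------------------------------------
/terraform/xray/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the xray test module (aws plus random for generated names).
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 2.0"
    }
  }
}
--------------------------------------------------------------------------------
/scripts/terraform-apply-all.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Run `terraform init` + `terraform apply` in the prod stack of every service
# directory under terraform/. Must be run from the repository root.
#
# Fixes over the previous version: the loop variable is quoted (a path with
# spaces or glob characters would otherwise be word-split), the existence test
# is on "$f/prod" rather than "$f" (a service dir without a prod stack used to
# abort the whole run via `cd` under set -e), and each stack runs in a subshell
# so there is no `cd -` to get out of step with — a failing apply still stops
# the script because set -e is inherited by the subshell.
#
# `terraform apply` keeps its interactive confirmation prompt on purpose: these
# are prod stacks, so pass -auto-approve explicitly if you mean to skip it.

set -eu

for f in terraform/*; do
  if [ -d "$f/prod" ]; then
    echo "Running terraform init,apply in $f"
    (
      cd "$f/prod"
      terraform init -no-color
      terraform apply -no-color
    )
  fi
done
--------------------------------------------------------------------------------
/terraform/workspaces/modules/test/terraform.tf:
--------------------------------------------------------------------------------
# Provider pins for the workspaces test module (aws plus random for generated names).
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.74.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 2.0"
    }
  }
}
--------------------------------------------------------------------------------
/terraform/xray/modules/test/encryption-config.tf:
--------------------------------------------------------------------------------
# Customer-managed KMS key used to encrypt X-Ray trace data; the 7-day deletion
# window is the shortest allowed and suits a disposable fixture.
# NOTE(review): no key policy and no enable_key_rotation are set, so the key
# falls back to the default (account-root) policy and never rotates — fine for
# a test, not something to copy into a real stack.
resource "aws_kms_key" "example" {
  description             = "${var.prefix}-xray-kms-key"
  deletion_window_in_days = 7

}

# Switch the account's X-Ray encryption from the AWS-owned default to the key above.
resource "aws_xray_encryption_config" "xray-enc-conf" {
  type   = "KMS"
  key_id = aws_kms_key.example.arn
}
--------------------------------------------------------------------------------
/scripts/terraform-validate-all.sh: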
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | for f in terraform/*; do 6 | if [ -d $f ]; then 7 | cd $f/prod 8 | echo "Running terraform init,validate in $f" 9 | terraform init -no-color 10 | terraform validate -no-color 11 | cd - 12 | fi 13 | done 14 | -------------------------------------------------------------------------------- /terraform/ses/modules/test/template.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ses_template" "ses-template" { 2 | name = "${var.prefix}-ses-template" 3 | subject = "Greetings, {{name}}!" 4 | html = "

Hello {{name}},

Your favorite animal is {{favoriteanimal}}.

" 5 | text = "Hello {{name}},\r\nYour favorite animal is {{favoriteanimal}}." 6 | } -------------------------------------------------------------------------------- /terraform/glue/modules/test/trigger.tf: -------------------------------------------------------------------------------- 1 | resource "aws_glue_trigger" "example" { 2 | name = "${var.prefix}-glue-trigger" 3 | type = "CONDITIONAL" 4 | 5 | actions { 6 | job_name = aws_glue_job.example.name 7 | } 8 | 9 | predicate { 10 | conditions { 11 | job_name = aws_glue_job.example.name 12 | state = "SUCCEEDED" 13 | } 14 | } 15 | } -------------------------------------------------------------------------------- /policies/foundational_security/elastic_beanstalk.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'ElasticBeanstalk.1' 2 | \echo "Executing check ElasticBeanstalk.1" 3 | \ir ../queries/elasticbeanstalk/advanced_health_reporting_enabled.sql 4 | 5 | \set check_id 'ElasticBeanstalk.2' 6 | \echo "Executing check ElasticBeanstalk.2" 7 | \ir ../queries/elasticbeanstalk/elastic_beanstalk_managed_updates_enabled.sql 8 | -------------------------------------------------------------------------------- /policies/queries/cloudfront/all_distributions.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all Cloudfront distributions' AS title, 7 | account_id, 8 | arn as resource_id, 9 | 'fail' as status 10 | from 11 | aws_cloudfront_distributions 12 | -------------------------------------------------------------------------------- /docs/tables/aws_route53_reusable_delegation_sets.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_route53_reusable_delegation_sets 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | 
------------- | ------------- | ----- | 7 | |account_id|text|| 8 | |arn|text|The Amazon Resource Name (ARN) for the resource.| 9 | |name_servers|text[]|| 10 | |caller_reference|text|| 11 | |id|text|| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_kinesis_stream_enhanced_monitoring.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_kinesis_stream_enhanced_monitoring 3 | Represents enhanced metrics types 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |stream_cq_id|uuid|Unique CloudQuery ID of aws_kinesis_streams table (FK)| 8 | |shard_level_metrics|text[]|List of shard-level metrics| 9 | -------------------------------------------------------------------------------- /policies/queries/ec2/eips_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Unused EC2 EIP' as title, 6 | account_id, 7 | allocation_id as resource_id, 8 | 'fail' as status 9 | from aws_ec2_eips 10 | where instance_id is null -------------------------------------------------------------------------------- /terraform/ecs/modules/test/clusters.tf: -------------------------------------------------------------------------------- 1 | module "ecs" { 2 | source = "terraform-aws-modules/ecs/aws" 3 | version = "~> 3.4" 4 | 5 | name = "${var.prefix}-ecs" 6 | 7 | container_insights = true 8 | 9 | capacity_providers = ["FARGATE", "FARGATE_SPOT"] 10 | 11 | default_capacity_provider_strategy = [ 12 | { 13 | capacity_provider = "FARGATE_SPOT" 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /docs/tables/aws_ec2_ebs_volume_attachments.md: -------------------------------------------------------------------------------- 1 
| 2 | # Table: aws_ec2_ebs_volume_attachments 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |ebs_volume_cq_id|uuid|| 8 | |attach_time|timestamp without time zone|| 9 | |delete_on_termination|boolean|| 10 | |device|text|| 11 | |instance_id|text|| 12 | |state|text|| 13 | |volume_id|text|| 14 | -------------------------------------------------------------------------------- /policies/foundational_security/kms.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'KMS.1' 2 | \echo "Executing check KMS.1" 3 | \ir ../queries/kms/customer_policy_blocked_kms_actions.sql 4 | 5 | \set check_id 'KMS.2' 6 | \echo "Executing check KMS.2" 7 | \ir ../queries/kms/inline_policy_blocked_kms_actions.sql 8 | 9 | \set check_id 'KMS.3' 10 | \echo "Executing check KMS.3" 11 | \ir ../queries/kms/cmk_not_scheduled_for_deletion.sql 12 | -------------------------------------------------------------------------------- /views/README.md: -------------------------------------------------------------------------------- 1 | # Views 2 | 3 | This directory contains useful aggregated views that you can create against the CloudQuery schema manually and then run queries and visualizations. 4 | 5 | Those views are also tests in CI to make sure it works with the latest schema. 6 | 7 | For dashboard examples that reuse those views take a look at [https://github.com/cloudquery/dashboards](https://github.com/cloudquery/dashboards). -------------------------------------------------------------------------------- /docs/tables/aws_ec2_instance_product_codes.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_instance_product_codes 3 | Describes a product code. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_cq_id|uuid|Unique CloudQuery ID of aws_ec2_instances table (FK)| 8 | |product_code_id|text|The product code.| 9 | |product_code_type|text|The type of product code.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_route_table_propagating_vgws.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_route_table_propagating_vgws 3 | Describes a virtual private gateway propagating route. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |route_table_cq_id|uuid|Unique CloudQuery ID of aws_ec2_route_tables table (FK)| 8 | |gateway_id|text|The ID of the virtual private gateway.| 9 | -------------------------------------------------------------------------------- /terraform/eventbridge/modules/test/eventbridge.tf: -------------------------------------------------------------------------------- 1 | module "eventbridge" { 2 | source = "terraform-aws-modules/eventbridge/aws" 3 | bus_name = "${var.prefix}-bus" 4 | create_targets = false 5 | tags = var.tags 6 | 7 | rules = { 8 | logs = { 9 | description = "Capture log data" 10 | event_pattern = jsonencode({ "source" : ["my.app.logs"] }) 11 | } 12 | } 13 | } -------------------------------------------------------------------------------- /docs/tables/aws_ec2_vpc_endpoint_dns_entries.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_vpc_endpoint_dns_entries 3 | Describes a DNS entry. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |vpc_endpoint_cq_id|uuid|Unique CloudQuery ID of aws_ec2_vpc_endpoints table (FK)| 8 | |dns_name|text|The DNS name.| 9 | |hosted_zone_id|text|The ID of the private hosted zone.| 10 | -------------------------------------------------------------------------------- /policies/queries/cloudtrail-trail-logs-encrypted-with-kms-keys.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | '' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | kms_key_id is null 11 | then 'fail' else 'pass' end as status 12 | from aws_cloudtrail_trails 13 | -------------------------------------------------------------------------------- /policies/queries/kms/rotation_enabled_for_customer_key.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure rotation for customer created CMKs is enabled (Scored)', 7 | account_id, 8 | arn, 9 | case when 10 | rotation_enabled is FALSE and manager = 'CUSTOMER' 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from aws_kms_keys 15 | -------------------------------------------------------------------------------- /terraform/ec2/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/ecs/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/iot/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/database.tf: -------------------------------------------------------------------------------- 1 | resource "awslightsail_database" "awslightsail_database" { 2 | name = "${var.prefix}-lightsail-database" 3 | availability_zone = "us-east-1a" 4 | master_database_name = "testdatabasename" 5 | master_password = "testdatabasepassword" 6 | master_username = "test" 7 | blueprint_id = "mysql_8_0" 8 | bundle_id = "micro_2_0" 9 | } -------------------------------------------------------------------------------- /terraform/mq/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/rds/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/s3/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/ses/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/sns/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/sqs/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/ssm/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/waf/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/xray/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | variable "tags" { 11 | type = map 12 | default = { 13 | Environment = "cq-provider-aws" 14 | } 15 | } -------------------------------------------------------------------------------- /docs/docs.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | 7 | "github.com/cloudquery/cq-provider-aws/resources/provider" 8 | "github.com/cloudquery/cq-provider-sdk/provider/docs" 9 | ) 10 | 11 | func main() { 12 | outputPath := "./docs" 13 | if err := docs.GenerateDocs(provider.Provider(), outputPath, true); err != nil { 14 | fmt.Fprintf(os.Stderr, "Failed to generate docs: %s\n", err) 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_instance_network_interface_ipv6_addresses.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_instance_network_interface_ipv6_addresses 3 | Describes an IPv6 address. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_network_interface_cq_id|uuid|Unique CloudQuery ID of aws_ec2_instance_network_interfaces table (FK)| 8 | |ipv6_address|text|The IPv6 address.| 9 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_instance_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_instance_security_groups 3 | Describes a security group. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_cq_id|uuid|Unique CloudQuery ID of aws_ec2_instances table (FK)| 8 | |group_id|text|The ID of the security group.| 9 | |group_name|text|The name of the security group.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_vpc_endpoint_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_vpc_endpoint_groups 3 | Describes a security group. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |vpc_endpoint_cq_id|uuid|Unique CloudQuery ID of aws_ec2_vpc_endpoints table (FK)| 8 | |group_id|text|The ID of the security group.| 9 | |group_name|text|The name of the security group.| 10 | -------------------------------------------------------------------------------- /policies/foundational_security/dynamodb.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'DynamoDB.1' 2 | \echo "Executing check DynamoDB.1" 3 | \ir ../queries/dynamodb/autoscale_or_ondemand.sql 4 | 5 | \set check_id 'DynamoDB.2' 6 | \echo "Executing check DynamoDB.2" 7 | \ir ../queries/dynamodb/point_in_time_recovery.sql 8 | 9 | \set check_id 'DynamoDB.3' 10 | \echo "Executing check DynamoDB.3" 11 | \ir ../queries/dynamodb/dax_encrypted_at_rest.sql 12 | -------------------------------------------------------------------------------- /resources/provider/views_test.go: -------------------------------------------------------------------------------- 1 | package provider 2 | 3 | import ( 4 | _ "embed" 5 | "testing" 6 | 7 | "github.com/cloudquery/cq-provider-aws/views" 8 | providertest "github.com/cloudquery/cq-provider-sdk/provider/testing" 9 | ) 10 | 11 | func TestViews(t *testing.T) { 12 | providertest.HelperTestView(t, providertest.ViewTestCase{ 13 | Provider: Provider(), 14 | SQLView: views.ResourcesView, 15 | }) 16 | } 17 | -------------------------------------------------------------------------------- /terraform/athena/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/backup/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/glue/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/lambda/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/qldb/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/redshift/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/wafv2/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/workspaces/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | variable "tags" { 11 | type = map 12 | default = { 13 | Environment = "cq-provider-aws" 14 | } 15 | } -------------------------------------------------------------------------------- /docs/tables/aws_ec2_vpn_gateways.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_vpn_gateways 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|| 8 | |region|text|| 9 | |arn|text|The Amazon Resource Name (ARN) for the resource.| 10 | |amazon_side_asn|bigint|| 11 | |availability_zone|text|| 12 | |state|text|| 13 | |tags|jsonb|| 14 | |type|text|| 15 | |id|text|| 16 | -------------------------------------------------------------------------------- /policies/queries/ec2/public_ips.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all instances with a public IP address' AS title, 7 | account_id, 8 | arn as resource_id, 9 | case when public_ip_address is not null then 'fail' else 'pass' end as status 10 | from 11 | aws_ec2_instances 12 | -------------------------------------------------------------------------------- /terraform/apigateway2/modules/test/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/appsync/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | variable "tags" { 11 | type = map(any) 12 | default = { 13 | Environment = "cq-provider-aws" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /terraform/codepipeline/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/lightsail/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/sagemaker/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/wafregional/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /policies/queries/apigateway/api_gw_v2_publicly_accessible.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all API Gateway V2 instances (HTTP and Webhook) that are publicly accessible' AS title, 7 | account_id, 8 | arn as resource_id, 9 | 'fail' as status 10 | from 11 | aws_apigatewayv2_apis 12 | -------------------------------------------------------------------------------- /terraform/accessanalyzer/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/cloudformation/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } -------------------------------------------------------------------------------- /terraform/eventbridge/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 7 | } 8 | } 9 | 10 | variable "tags" { 11 | type = map(any) 12 | default = { 13 | Environment = "cq-provider-aws" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /policies/queries/elb/elbv2_internet_facing.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all ELB V2s that are Internet Facing' AS title, 7 | account_id, 8 | arn as resource_id, 9 | case when scheme = 'internet-facing' then 'fail' else 'pass' end as status 10 | from 11 | aws_elbv2_load_balancers 12 | -------------------------------------------------------------------------------- /terraform/elasticbeanstalk/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | 11 | variable "tags" { 12 | type = map 13 | default = { 14 | Environment = "cq-provider-aws" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /test/policy_cq_config.yml: -------------------------------------------------------------------------------- 1 | cloudquery: 2 | providers: 3 | - name: aws 4 | version: latest 5 | connection: 6 | type: postgres 7 | username: postgres 8 | password: pass 9 | host: localhost 10 | port: 5432 11 | database: postgres 12 | sslmode: disable 13 | providers: 14 | - name: aws 15 | configuration: 16 | max_retries: 10 17 | max_backoff: 90 18 | resources: 19 | - "*" 20 | -------------------------------------------------------------------------------- /policies/queries/elb/elbv1_internet_facing.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all Classic ELBs that are Internet Facing' AS title, 7 | account_id, 8 | arn as resource_id, 9 | case when scheme = 'internet-facing' then 'fail' else 'pass' end as status 10 | from 11 | aws_elbv1_load_balancers 12 | -------------------------------------------------------------------------------- /policies/queries/iam/password_policy_min_one_symbol.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure IAM password policy requires at least one symbol', 7 | account_id, 8 | account_id, 9 | case when 10 | require_symbols = false or policy_exists = false 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from 15 | aws_iam_password_policies 16 | -------------------------------------------------------------------------------- /policies/queries/rds/rds_instances_should_be_deployed_in_a_vpc.sql: 
-------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS instances should be deployed in a VPC' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when subnet_group_vpc_id is null then 'fail' else 'pass' end as status 10 | from aws_rds_instances 11 | -------------------------------------------------------------------------------- /policies/queries/iam/password_policy_min_length.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure IAM password policy requires minimum length of 14 or greater', 7 | account_id, 8 | account_id, 9 | case when 10 | (minimum_password_length < 14) or policy_exists = FALSE 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from 15 | aws_iam_password_policies 16 | -------------------------------------------------------------------------------- /policies/queries/iam/password_policy_min_number.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure IAM password policy requires at least one number', 7 | account_id, 8 | account_id, 9 | case when 10 | require_numbers = FALSE or policy_exists = FALSE 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from 15 | aws_iam_password_policies 16 | 17 | -------------------------------------------------------------------------------- /policies/queries/lambda/lambda_function_in_vpc.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Lambda 
functions should be in a VPC' AS title, 7 | account_id, 8 | arn as resource_id, 9 | case when vpc_config_vpc_id is null or vpc_config_vpc_id = '' then 'fail' else 'pass' end as status 10 | from aws_lambda_functions 11 | -------------------------------------------------------------------------------- /policies/queries/lightsail/disks_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Unused Lightsail disks' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_lightsail_disks 10 | where is_attached = false -------------------------------------------------------------------------------- /terraform/resourcegroups/modules/test/variables.tf: -------------------------------------------------------------------------------- 1 | variable "prefix" { 2 | description = "Prefix to use for all name resources" 3 | type = string 4 | validation { 5 | condition = length(var.prefix) == 2 6 | error_message = "The prefix should be exactly two characters." 
7 | } 8 | } 9 | 10 | variable "tags" { 11 | type = map(any) 12 | default = { 13 | Environment = "cq-provider-aws" 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /policies/queries/efs/filesystems_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Unused EFS filesystem' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_efs_filesystems 10 | where number_of_mount_targets = 0 -------------------------------------------------------------------------------- /policies/queries/redshift/cluster_publicly_accessible.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon Redshift clusters should prohibit public access' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when publicly_accessible is TRUE then 'fail' else 'pass' end as status 10 | from aws_redshift_clusters 11 | -------------------------------------------------------------------------------- /docs/tables/aws_route53_domain_nameservers.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_route53_domain_nameservers 3 | Nameserver includes the following elements. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |domain_cq_id|uuid|Unique CloudQuery ID of aws_route53_domains table (FK)| 8 | |name|text|The fully qualified host name of the name server| 9 | |glue_ips|text[]|Glue IP address of a name server entry| 10 | -------------------------------------------------------------------------------- /policies/queries/ec2/get_unused_public_ips.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Unused EC2 EIPs should be removed' as title, 7 | account_id, 8 | public_ip as resource_id, 9 | case when 10 | instance_id is null 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_ec2_eips 15 | -------------------------------------------------------------------------------- /scripts/regenerate-changed-directories.sh: -------------------------------------------------------------------------------- 1 | set -x 2 | set -e 3 | 4 | for d in ./resources/services/*/ ; do 5 | # check whether directory changed in this branch 6 | if git diff --quiet origin/main HEAD -- $d; then 7 | echo "no changes in $d"; 8 | continue; 9 | fi 10 | 11 | # regenerate if //check-for-changes is present in an .hcl file 12 | if grep -s -q '//check-for-changes' "$d"*.hcl; then 13 | (cd $d && go generate); 14 | fi 15 | done -------------------------------------------------------------------------------- /terraform/resourcegroups/modules/test/resourcegroups.tf: -------------------------------------------------------------------------------- 1 | resource "aws_resourcegroups_group" "test" { 2 | name = "${var.prefix}-group" 3 | description = "Test resource group" 4 | 5 | resource_query { 6 | query = < 24) 11 | or policy_exists = FALSE 12 | then 'fail' 13 | else 'pass' 14 | end 15 | from 16 | aws_iam_password_policies 17 | 
-------------------------------------------------------------------------------- /policies/queries/rds/rds_automatic_minor_version_upgrades_should_be_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS automatic minor version upgrades should be enabled' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when auto_minor_version_upgrade is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_instances 11 | -------------------------------------------------------------------------------- /docs/tables/aws_redshift_cluster_parameter_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_redshift_cluster_parameter_groups 3 | Describes the status of a parameter group. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_redshift_clusters table (FK)| 8 | |parameter_apply_status|text|The status of parameter updates.| 9 | |parameter_group_name|text|The name of the cluster parameter group.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_redshift_cluster_vpc_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_redshift_cluster_vpc_security_groups 3 | Describes the members of a VPC security group. 
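4 | ## Columns
5 | | Name | Type | Description |
6 | | ------------- | ------------- | ----- |
7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_redshift_clusters table (FK)|
8 | |status|text|The status of the VPC security group.|
9 | |vpc_security_group_id|text|The identifier of the VPC security group.|
10 |
--------------------------------------------------------------------------------
/policies/queries/cloudtrail/log_file_validation_enabled.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time' as execution_time,
4 | :'framework' as framework,
5 | :'check_id' as check_id,
6 | 'Ensure CloudTrail log file validation is enabled' as title,
7 | account_id,
8 | arn as resource_id,
9 | case
10 | when log_file_validation_enabled = false then 'fail' -- NOTE(review): a NULL flag evaluates to 'pass' here; "is not true" would also fail trails where the value is unset
11 | else 'pass'
12 | end as status
13 | from aws_cloudtrail_trails
14 |
--------------------------------------------------------------------------------
/policies/queries/iam/password_policy_expire_old_passwords.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time',
4 | :'framework',
5 | :'check_id',
6 | 'Ensure IAM password policy expires passwords within 90 days or less' as title,
7 | account_id,
8 | account_id,
9 | case when
10 | (max_password_age is null or max_password_age > 90) or policy_exists = false -- fail when expiry is unset (null) or longer than 90 days; the earlier "< 90" failed exactly the compliant policies. NOTE(review): if the provider stores a disabled expiry as 0 rather than null, add "or max_password_age = 0"
11 | then 'fail'
12 | else 'pass'
13 | end
14 | from
15 | aws_iam_password_policies
16 |
--------------------------------------------------------------------------------
/policies/queries/iam/password_policy_min_lowercase.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time',
4 | :'framework',
5 | :'check_id',
6 | 'Ensure IAM password policy requires at least one lowercase letter' as title,
7 | account_id,
8 | account_id,
9 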
| case when 10 | require_lowercase_characters = false or policy_exists = false 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from 15 | aws_iam_password_policies 16 | 17 | -------------------------------------------------------------------------------- /policies/queries/lightsail/static_ips_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Unused Lightsail static IPs' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_lightsail_static_ips 10 | where is_attached = false -------------------------------------------------------------------------------- /policies/queries/rds/rds_db_clusters_should_be_configured_for_multiple_availability_zones.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS DB clusters should be configured for multiple Availability Zones' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when multi_az is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_clusters 11 | -------------------------------------------------------------------------------- /docs/tables/aws_regions.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_regions 3 | Describes a Region. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |enabled|boolean|Defines if region is enabled stated or not.| 9 | |endpoint|text|The Region service endpoint.| 10 | |opt_in_status|text|The Region opt-in status| 11 | |region|text|The name of the Region.| 12 | |partition|text|AWS partition| 13 | -------------------------------------------------------------------------------- /policies/queries/acm/certificates_should_be_renewed.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'certificate has less than 30 days to be renewed' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when 10 | not_after < NOW() AT TIME ZONE 'UTC' + INTERVAL '30' DAY 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | FROM aws_acm_certificates 15 | -------------------------------------------------------------------------------- /policies/queries/ec2/subnets_that_assign_public_ips.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'EC2 subnets should not automatically assign public IP addresses' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | map_public_ip_on_launch is true 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from aws_ec2_subnets 15 | -------------------------------------------------------------------------------- /policies/queries/iam/mfa_enabled_for_console_access.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | 
:'check_id' as check_id, 6 | 'Ensure MFA is enabled for all IAM users that have a console password (Scored)' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | password_enabled and not mfa_active 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_iam_users 15 | -------------------------------------------------------------------------------- /policies/queries/iam/root_user_no_access_keys.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure no root account access key exists (Scored)', 7 | account_id, 8 | arn, 9 | case when 10 | user_name = '' 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from aws_iam_users 15 | inner join 16 | aws_iam_user_access_keys on 17 | aws_iam_users.cq_id = aws_iam_user_access_keys.user_cq_id 18 | -------------------------------------------------------------------------------- /policies/queries/rds/iam_authentication_should_be_configured_for_rds_clusters.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'IAM authentication should be configured for RDS clusters' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when iam_database_authentication_enabled is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_clusters 11 | -------------------------------------------------------------------------------- /policies/queries/rds/rds_db_clusters_should_be_configured_to_copy_tags_to_snapshots.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS DB clusters should be configured to 
copy tags to snapshots' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when copy_tags_to_snapshot is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_clusters 11 | -------------------------------------------------------------------------------- /policies/queries/rds/rds_db_instances_should_be_configured_to_copy_tags_to_snapshots.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS DB instances should be configured to copy tags to snapshots' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when copy_tags_to_snapshot is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_instances 11 | -------------------------------------------------------------------------------- /policies/queries/rds/rds_db_instances_should_be_configured_with_multiple_availability_zones.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS DB instances should be configured with multiple Availability Zones' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when multi_az is not TRUE then 'fail' else 'pass' end as status 10 | from aws_rds_instances 11 | -------------------------------------------------------------------------------- /scripts/terraform-fmt-change-only.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | for f in terraform/*; do 6 | if [ -d $f ]; then 7 | cd $f/prod 8 | CHANGES=$(git diff --name-only HEAD..origin/main ../) 9 | # if there are any changes run terraform apply 10 | if [ "$CHANGES" != "" ]; then 11 | echo "detected changes in $f. Running terraform fmt..." 
12 | terraform fmt -no-color 13 | fi 14 | cd - 15 | fi 16 | done 17 | -------------------------------------------------------------------------------- /terraform/apigateway2/modules/test/vpc.tf: -------------------------------------------------------------------------------- 1 | module "vpc" { 2 | source = "terraform-aws-modules/vpc/aws" 3 | version = "~> 3.0" 4 | 5 | name = "${var.prefix}-apigatewayv2" 6 | cidr = "10.0.0.0/16" 7 | 8 | azs = ["us-east-1a", "us-east-1b"] 9 | private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] 10 | public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] 11 | enable_ipv6 = true 12 | enable_nat_gateway = false 13 | create_egress_only_igw = false 14 | } -------------------------------------------------------------------------------- /docs/tables/aws_codepipeline_pipeline_stages.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_codepipeline_pipeline_stages 3 | Represents information about a stage and its definition 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |pipeline_cq_id|uuid|Unique CloudQuery ID of aws_codepipeline_pipelines table (FK)| 8 | |stage_order|bigint|The stage order in the pipeline.| 9 | |name|text|The name of the stage| 10 | |blockers|jsonb|Reserved for future use| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_internet_gateway_attachments.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_internet_gateway_attachments 3 | Describes the attachment of a VPC to an internet gateway or an egress-only internet gateway. 
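4 | ## Columns
5 | | Name | Type | Description |
6 | | ------------- | ------------- | ----- |
7 | |internet_gateway_cq_id|uuid|Unique CloudQuery ID of aws_ec2_internet_gateways table (FK)|
8 | |state|text|The current state of the attachment.|
9 | |vpc_id|text|The ID of the VPC.|
10 |
--------------------------------------------------------------------------------
/policies/queries/rds/iam_authentication_should_be_configured_for_rds_instances.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time' as execution_time,
4 | :'framework' as framework,
5 | :'check_id' as check_id,
6 | 'IAM authentication should be configured for RDS instances' as title,
7 | account_id,
8 | arn AS resource_id,
9 | case when iam_database_authentication_enabled is not TRUE then 'fail' else 'pass' end as status
10 | from aws_rds_instances
11 |
--------------------------------------------------------------------------------
/scripts/terraform-init-change-only.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # For every terraform/<module>/prod whose tree differs from origin/main, run "terraform init".
3 | set -e
4 | # set -e aborts the loop on any failing cd/git/terraform; paths are quoted so a directory name cannot be word-split.
5 | for f in terraform/*; do
6 | if [ -d "$f" ]; then
7 | cd "$f/prod"
8 | CHANGES=$(git diff --name-only HEAD..origin/main ..)
9 | # if there are any changes run terraform init
10 | if [ "$CHANGES" != "" ]; then
11 | echo "detected changes in $f. Running terraform init..."
12 | terraform init -no-color
13 | fi
14 | cd -
15 | fi
16 | done
17 |
--------------------------------------------------------------------------------
/docs/tables/aws_ec2_instance_type_instance_storage_info_disks.md:
--------------------------------------------------------------------------------
1 |
2 | # Table: aws_ec2_instance_type_instance_storage_info_disks
3 | Describes a disk. 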
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_type_cq_id|uuid|Unique CloudQuery ID of aws_ec2_instance_types table (FK)| 8 | |count|bigint|The number of disks with this configuration.| 9 | |size_in_gb|bigint|The size of the disk in GB.| 10 | |type|text|The type of disk.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_network_acl_associations.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_network_acl_associations 3 | Describes an association between a network ACL and a subnet. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |network_acl_cq_id|uuid|Unique CloudQuery ID of aws_ec2_network_acls table (FK)| 8 | |network_acl_association_id|text|The ID of the association between a network ACL and a subnet.| 9 | |subnet_id|text|The ID of the subnet.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_eks_cluster_encryption_configs.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_eks_cluster_encryption_configs 3 | The encryption configuration for the cluster. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_eks_clusters table (FK)| 8 | |provider_key_arn|text|Amazon Resource Name (ARN) or alias of the customer master key (CMK).| 9 | |resources|text[]|Specifies the resources to be encrypted.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_elbv2_listener_certificates.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elbv2_listener_certificates 3 | Information about an SSL server certificate. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |listener_cq_id|uuid|Unique CloudQuery ID of aws_elbv2_listeners table (FK)| 8 | |certificate_arn|text|The Amazon Resource Name (ARN) of the certificate.| 9 | |is_default|boolean|Indicates whether the certificate is the default certificate| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_mq_broker_configuration_revisions.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_mq_broker_configuration_revisions 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |broker_configuration_cq_id|uuid|Unique CloudQuery ID of aws_mq_broker_configurations table (FK)| 8 | |configuration_id|text|Required| 9 | |created|timestamp without time zone|Required| 10 | |data|jsonb|Required| 11 | |description|text|The description of the configuration.| 12 | -------------------------------------------------------------------------------- /policies/queries/dynamodb/dax_encrypted_at_rest.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'DynamoDB Accelerator (DAX) clusters should be encrypted at rest' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | sse_description_status is distinct from 'ENABLED' 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_dax_clusters 15 | -------------------------------------------------------------------------------- /policies/queries/iam/mfa_enabled_for_root.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 
'Ensure MFA is enabled for the "root" account' as title, 7 | account_id, 8 | arn as resource_id, 9 | case 10 | when user_name = '' and not mfa_active then 'fail' 11 | when user_name = '' and mfa_active then 'pass' 12 | end as status 13 | from aws_iam_users 14 | -------------------------------------------------------------------------------- /policies/queries/ssm/documents_should_not_be_public.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'SSM documents should not be public' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | 'all' = ANY(account_ids) 11 | then 'fail' else 'pass' end as status 12 | from aws_ssm_documents 13 | where owner in (select account_id from aws_accounts) 14 | -------------------------------------------------------------------------------- /docs/tables/aws_elasticache_cluster_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elasticache_cluster_security_groups 3 | Represents a single cache security group and its status. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_elasticache_clusters table (FK)| 8 | |security_group_id|text|The identifier of the cache security group.| 9 | |status|text|The status of the cache security group membership| 10 | -------------------------------------------------------------------------------- /policies/queries/apigateway/api_gw_ssl_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'API Gateway REST API stages should be configured to use SSL certificates for backend authentication' as title, 7 | account_id, 8 | arn as resource_id, 9 | case 10 | when cert is null then 'fail' 11 | else 'pass' 12 | end as status 13 | from 14 | view_aws_apigateway_method_settings 15 | -------------------------------------------------------------------------------- /policies/queries/iam/old_access_keys.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'Ensure access keys are rotated every 90 days or less', 7 | account_id, 8 | arn, 9 | case when 10 | last_rotated < (now() - '90 days'::INTERVAL) 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from aws_iam_users 15 | inner join 16 | aws_iam_user_access_keys on 17 | aws_iam_users.cq_id = aws_iam_user_access_keys.user_cq_id 18 | -------------------------------------------------------------------------------- /policies/queries/rds/rds_db_instances_should_prohibit_public_access.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as 
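check_id,
6 | 'RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration' as title,
7 | account_id,
8 | arn AS resource_id,
9 | case when publicly_accessible is TRUE then 'fail' else 'pass' end as status -- fail only when PubliclyAccessible is set (same form as redshift/cluster_publicly_accessible.sql); the previous "is not TRUE" marked every private instance as failing and every public one as passing
10 | from aws_rds_instances
11 |
--------------------------------------------------------------------------------
/policies/queries/route53/hosted_zones_unused.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select :'execution_time' as execution_time,
3 | :'framework' as framework,
4 | :'check_id' as check_id,
5 | 'Unused Route 53 hosted zones' as title,
6 | account_id,
7 | arn as resource_id,
8 | 'fail' as status
9 | from aws_route53_hosted_zones
10 | where resource_record_set_count = 0 -- NOTE(review): AWS counts the zone's own NS and SOA records here, so 0 may never occur; confirm whether "<= 2" is the intended emptiness threshold
--------------------------------------------------------------------------------
/policies/queries/sns/sns_topics_should_be_encrypted_at_rest_using_aws_kms.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time' as execution_time,
4 | :'framework' as framework,
5 | :'check_id' as check_id,
6 | 'SNS topics should be encrypted at rest using AWS KMS' as title,
7 | account_id,
8 | arn as resource_id,
9 | case when
10 | kms_master_key_id is null or kms_master_key_id = ''
11 | then 'fail' else 'pass' end as status
12 | from aws_sns_topics
13 |
--------------------------------------------------------------------------------
/policies/queries/sqs/sqs_queues_should_be_encrypted_at_rest_using_aws_kms.sql:
--------------------------------------------------------------------------------
1 | insert into aws_policy_results
2 | select
3 | :'execution_time' as execution_time,
4 | :'framework' as framework,
5 | :'check_id' as check_id,
6 | 'SQS queues should be encrypted at rest using AWS KMS' as title,
7 | account_id,
8 | arn as resource_id,
9 | case when
10 | kms_master_key_id is 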
null or kms_master_key_id = '' 11 | then 'fail' else 'pass' end as status 12 | from aws_sqs_queues 13 | -------------------------------------------------------------------------------- /scripts/terraform-validate-change-only.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | for f in terraform/*; do 6 | if [ -d $f ]; then 7 | cd $f/prod 8 | CHANGES=$(git diff --name-only HEAD..origin/main ..) 9 | # if there are any changes run terraform apply 10 | if [ "$CHANGES" != "" ]; then 11 | echo "detected changes in $f. Running terraform apply..." 12 | terraform validate -no-color 13 | fi 14 | cd - 15 | fi 16 | done 17 | -------------------------------------------------------------------------------- /docs/tables/aws_directconnect_virtual_gateways.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_directconnect_virtual_gateways 3 | Information about a virtual private gateway for a private virtual interface. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |region|text|The AWS Region of the resource.| 9 | |id|text|The ID of the virtual private gateway.| 10 | |state|text|The state of the virtual private gateway.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_rds_cluster_vpc_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_rds_cluster_vpc_security_groups 3 | This data type is used as a response element for queries on VPC security group membership. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_rds_clusters table (FK)| 8 | |status|text|The status of the VPC security group.| 9 | |vpc_security_group_id|text|The name of the VPC security group.| 10 | -------------------------------------------------------------------------------- /policies/queries/cloudfront/default_root_object_configured.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'CloudFront distributions should have a default root object configured' as title, 7 | account_id, 8 | arn as resource_id, 9 | case 10 | when default_root_object = '' then 'fail' 11 | else 'pass' 12 | end as status 13 | from aws_cloudfront_distributions 14 | -------------------------------------------------------------------------------- /policies/queries/ec2/flow_logs_enabled_in_all_vpcs.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time', 4 | :'framework', 5 | :'check_id', 6 | 'VPC flow logging should be enabled in all VPCs', 7 | aws_ec2_vpcs.account_id, 8 | aws_ec2_vpcs.arn, 9 | case when 10 | aws_ec2_flow_logs.resource_id is null 11 | then 'fail' 12 | else 'pass' 13 | end 14 | from aws_ec2_vpcs 15 | left join aws_ec2_flow_logs on 16 | aws_ec2_vpcs.id = aws_ec2_flow_logs.resource_id 17 | -------------------------------------------------------------------------------- /docs/tables/aws_elasticache_cluster_cache_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elasticache_cluster_cache_security_groups 3 | Represents a cluster's status within a particular cache security group. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_elasticache_clusters table (FK)| 8 | |name|text|The name of the cache security group.| 9 | |status|text|The membership status in the cache security group| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_elasticbeanstalk_environment_links.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elasticbeanstalk_environment_links 3 | A link to another environment, defined in the environment's manifest 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |environment_cq_id|uuid|Unique CloudQuery ID of aws_elasticbeanstalk_environments table (FK)| 8 | |environment_name|text|The name of the linked environment (the dependency).| 9 | |link_name|text|The name of the link.| 10 | -------------------------------------------------------------------------------- /policies/queries/dms/replication_not_public.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'AWS Database Migration Service replication instances should not be public' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | publicly_accessible is true 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_dms_replication_instances 15 | -------------------------------------------------------------------------------- /policies/queries/ec2/ebs_encryption_by_default_disabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'EBS default 
encryption should be enabled' as title, 7 | account_id, 8 | concat(account_id,':',region) as resource_id, 9 | case when 10 | ebs_encryption_enabled_by_default is distinct from true 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_ec2_regional_config 15 | -------------------------------------------------------------------------------- /policies/queries/efs/unencrypted_efs_filesystems.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon EFS should be configured to encrypt file data at rest using AWS KMS' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | encrypted is distinct from TRUE 11 | or kms_key_id is null 12 | then 'fail' 13 | else 'pass' 14 | end as status 15 | from aws_efs_filesystems 16 | -------------------------------------------------------------------------------- /policies/queries/iam/avoid_root_usage.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Avoid the use of "root" account. 
Show used in last 30 days (Scored)' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | user_name = '' and password_last_used > (now() - '30 days'::INTERVAL) 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_iam_users 15 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_transit_gateway_vpc_attachments.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_transit_gateway_vpc_attachments 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |transit_gateway_cq_id|uuid|| 8 | |creation_time|timestamp without time zone|| 9 | |appliance_mode_support|text|| 10 | |dns_support|text|| 11 | |ipv6_support|text|| 12 | |state|text|| 13 | |tags|jsonb|| 14 | |transit_gateway_attachment_id|text|| 15 | |vpc_id|text|| 16 | |vpc_owner_id|text|| 17 | -------------------------------------------------------------------------------- /docs/tables/aws_waf_subscribed_rule_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_waf_subscribed_rule_groups 3 | This is AWS WAF Classic documentation 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |metric_name|text|A friendly name or description for the metrics for this RuleGroup| 9 | |name|text|A friendly name or description of the RuleGroup| 10 | |rule_group_id|text|A unique identifier for a RuleGroup.| 11 | -------------------------------------------------------------------------------- /policies/queries/cloudwatch/alarm_actions_disabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Disabled Cloudwatch 
alarm' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_cloudwatch_alarms 10 | where actions_enabled = false 11 | or array_length(actions, 1) = 0 -------------------------------------------------------------------------------- /policies/queries/lightsail/distributions_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Disabled Lightsail distributions' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_lightsail_distributions 10 | where is_enabled = false -------------------------------------------------------------------------------- /policies/queries/rds/enhanced_monitoring_should_be_configured_for_rds_db_instances_and_clusters.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Enhanced monitoring should be configured for RDS DB instances and clusters' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when enhanced_monitoring_resource_arn is null then 'fail' else 'pass' end as status 10 | from aws_rds_instances 11 | -------------------------------------------------------------------------------- /policies/queries/redshift/clusters_should_use_enhanced_vpc_routing.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon Redshift clusters should use enhanced VPC routing' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | enhanced_vpc_routing is FALSE or enhanced_vpc_routing is null 11 | then 'fail' else 'pass' end as 
status 12 | from aws_redshift_clusters 13 | -------------------------------------------------------------------------------- /policies/queries/secretsmanager/secrets_should_have_automatic_rotation_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Secrets Manager secrets should have automatic rotation enabled' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | rotation_enabled is distinct from TRUE 11 | then 'fail' else 'pass' end as status 12 | from aws_secretsmanager_secrets 13 | -------------------------------------------------------------------------------- /terraform/codepipeline/modules/test/webhook.tf: -------------------------------------------------------------------------------- 1 | resource "aws_codepipeline_webhook" "codepipeline_webhook" { 2 | name = "${var.prefix}-codepipeline-webhook" 3 | authentication = "UNAUTHENTICATED" 4 | target_action = "Source" 5 | target_pipeline = aws_codepipeline.codepipeline.name 6 | 7 | filter { 8 | json_path = "$.ref" 9 | match_equals = "refs/heads/{Branch}" 10 | } 11 | 12 | tags = merge( 13 | {Name = "${var.prefix}-codepipeline-webhook"}, 14 | var.tags 15 | ) 16 | } 17 | -------------------------------------------------------------------------------- /docs/tables/aws_athena_data_catalog_databases.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_athena_data_catalog_databases 3 | Contains metadata information for a database in a data catalog 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |data_catalog_cq_id|uuid|Unique CloudQuery ID of aws_athena_data_catalogs table (FK)| 8 | |name|text|The name of the database| 9 | |description|text|An optional description of the database| 10 | |parameters|jsonb|A set of 
custom key/value pairs| 11 | -------------------------------------------------------------------------------- /policies/cis_v1.2.0/section_4.sql: -------------------------------------------------------------------------------- 1 | \echo "Executing CIS V1.2.0 Section 4" 2 | \echo "Creating view_aws_security_group_ingress_rules" 3 | \ir ../views/security_group_ingress_rules.sql 4 | \set check_id '4.1' 5 | \echo "Executing check 4.1" 6 | \ir ../queries/ec2/no_broad_public_ingress_on_port_22.sql 7 | \set check_id '4.2' 8 | \echo "Executing check 4.2" 9 | \ir ../queries/ec2/no_broad_public_ingress_on_port_3389.sql 10 | \set check_id '4.3' 11 | \echo "Executing check 4.3" 12 | \ir ../queries/ec2/default_sg_no_access.sql 13 | -------------------------------------------------------------------------------- /policies/queries/cloudfront/distributions_disabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Disabled CloudFront distribution' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_cloudfront_distributions 10 | where enabled = false -------------------------------------------------------------------------------- /policies/queries/waf/waf_web_acl_logging_should_be_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | -- WAF Classic 3 | select 4 | :'execution_time' as execution_time, 5 | :'framework' as framework, 6 | :'check_id' as check_id, 7 | 'AWS WAF Classic global web ACL logging should be enabled' as title, 8 | account_id, 9 | arn as resource_id, 10 | case when 11 | logging_configuration is null or logging_configuration = '{}' 12 | then 'fail' else 'pass' end as status 13 | from aws_waf_web_acls 14 | 
-------------------------------------------------------------------------------- /terraform/sns/modules/test/sns.tf: -------------------------------------------------------------------------------- 1 | // https://github.com/terraform-aws-modules/terraform-aws-sns/blob/master/examples/complete/main.tf 2 | 3 | resource "aws_kms_key" "sns_kms_key" {} 4 | 5 | module "sns" { 6 | source = "terraform-aws-modules/sns/aws" 7 | version = "~> 3.0" 8 | 9 | name_prefix = "${var.prefix}-sns-cq-provider" 10 | display_name = "${var.prefix}-sns-cq-provider" 11 | kms_master_key_id = aws_kms_key.sns_kms_key.id 12 | tags = { 13 | tag1 = "foo" 14 | tag2 = "bar" 15 | } 16 | } -------------------------------------------------------------------------------- /docs/tables/aws_access_analyzer_analyzer_finding_sources.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_access_analyzer_analyzer_finding_sources 3 | The source of the finding 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |analyzer_finding_cq_id|uuid|Unique CloudQuery ID of aws_access_analyzer_analyzer_findings table (FK)| 8 | |type|text|Indicates the type of access that generated the finding| 9 | |detail_access_point_arn|text|The ARN of the access point that generated the finding| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_transit_gateway_attachments.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_transit_gateway_attachments 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |transit_gateway_cq_id|uuid|| 8 | |association_state|text|| 9 | |association_route_table_id|text|| 10 | |creation_time|timestamp without time zone|| 11 | |resource_id|text|| 12 | |resource_owner_id|text|| 13 | |resource_type|text|| 14 | |state|text|| 15 | |tags|jsonb|| 16 | 
|transit_gateway_owner_id|text|| 17 | -------------------------------------------------------------------------------- /policies/queries/elasticsearch/elasticsearch_domains_should_have_encryption_at_rest_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Elasticsearch domains should have encryption at rest enabled' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | encryption_at_rest_enabled is not true 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_elasticsearch_domains 15 | -------------------------------------------------------------------------------- /policies/queries/elb/elbv1_conn_draining_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Classic Load Balancers should have connection draining enabled' as title, 7 | account_id, 8 | aws_elbv1_load_balancers.arn as resource_id, 9 | case when 10 | attributes_connection_draining_enabled is not true 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from 15 | aws_elbv1_load_balancers 16 | -------------------------------------------------------------------------------- /policies/queries/rds/amazon_aurora_clusters_should_have_backtracking_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon Aurora clusters should have backtracking enabled' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when backtrack_window is null then 'fail' else 'pass' end as status 10 | from aws_rds_clusters 
11 | where 12 | engine in ('aurora', 'aurora-mysql', 'mysql') 13 | -------------------------------------------------------------------------------- /docs/tables/aws_backup_global_settings.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_backup_global_settings 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |global_settings|jsonb|The status of the flag isCrossAccountBackupEnabled.| 9 | |last_update_time|timestamp without time zone|The date and time that the flag isCrossAccountBackupEnabled was last updated. This update is in Unix format and Coordinated Universal Time (UTC)| 10 | -------------------------------------------------------------------------------- /policies/queries/apigateway/api_gw_publicly_accessible.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time'::timestamp as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Find all API Gateway instances that are publicly accessible' AS title, 7 | account_id, 8 | arn as resource_id, 9 | case 10 | when NOT '{PRIVATE}' = endpoint_configuration_types then 'fail' 11 | else 'pass' 12 | end as status 13 | from 14 | aws_apigateway_rest_apis 15 | -------------------------------------------------------------------------------- /policies/queries/elasticsearch/elasticsearch_domains_should_encrypt_data_sent_between_nodes.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Elasticsearch domains should encrypt data sent between nodes' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | node_to_node_encryption_enabled is not true 
11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | from aws_elasticsearch_domains 15 | -------------------------------------------------------------------------------- /.github/workflows/ok_to_test.yml: -------------------------------------------------------------------------------- 1 | name: Dispatch Test Command 2 | 3 | on: 4 | issue_comment: 5 | types: [created] 6 | 7 | jobs: 8 | manual-approve: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - name: Trigger AWS provider integration tests 12 | uses: peter-evans/slash-command-dispatch@v3 13 | with: 14 | token: ${{ secrets.GH_CQ_BOT }} 15 | reaction-token: ${{ secrets.GITHUB_TOKEN }} 16 | issue-type: pull-request 17 | commands: test 18 | permission: write -------------------------------------------------------------------------------- /docs/tables/aws_athena_data_catalog_database_table_columns.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_athena_data_catalog_database_table_columns 3 | Contains metadata for a column in a table 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |data_catalog_database_table_cq_id|uuid|Unique CloudQuery ID of aws_athena_data_catalog_database_tables table (FK)| 8 | |name|text|The name of the column| 9 | |comment|text|Optional information about the column| 10 | |type|text|The data type of the column| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_instance_network_interface_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_instance_network_interface_groups 3 | Describes a security group. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_network_interface_cq_id|uuid|Unique CloudQuery ID of aws_ec2_instance_network_interfaces table (FK)| 8 | |network_interface_id|text|The ID of the network interface.| 9 | |group_id|text|The ID of the security group.| 10 | |group_name|text|The name of the security group.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_glue_database_table_columns.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_glue_database_table_columns 3 | A column in a Table 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |database_table_cq_id|uuid|Unique CloudQuery ID of aws_glue_database_tables table (FK)| 8 | |name|text|The name of the Column| 9 | |comment|text|A free-form text comment| 10 | |parameters|jsonb|These key-value pairs define properties associated with the column| 11 | |type|text|The data type of the Column| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_xray_encryption_config.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_xray_encryption_config 3 | A configuration document that specifies encryption configuration settings. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |region|text|The AWS Region of the resource.| 9 | |key_id|text|The ID of the KMS key used for encryption, if applicable.| 10 | |status|text|The encryption status| 11 | |type|text|The type of encryption| 12 | -------------------------------------------------------------------------------- /policies/queries/sagemaker/sagemaker_notebook_instance_direct_internet_access_disabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon SageMaker notebook instances should not have direct internet access' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | direct_internet_access is TRUE 11 | then 'fail' else 'pass' end as status 12 | from aws_sagemaker_notebook_instances 13 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_security_group_ip_permission_prefix_list_ids.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_security_group_ip_permission_prefix_list_ids 3 | Describes a prefix list ID. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |security_group_ip_permission_cq_id|uuid|Unique CloudQuery ID of aws_ec2_security_group_ip_permissions table (FK)| 8 | |description|text|A description for the security group rule that references this prefix list ID.| 9 | |prefix_list_id|text|The ID of the prefix.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_ecs_cluster_service_events.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ecs_cluster_service_events 3 | The details for an event that's associated with a service. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_service_cq_id|uuid|Unique CloudQuery ID of aws_ecs_cluster_services table (FK)| 8 | |created_at|timestamp without time zone|The Unix timestamp for the time when the event was triggered.| 9 | |id|text|The ID string for the event.| 10 | |message|text|The event message.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_eks_cluster_loggings.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_eks_cluster_loggings 3 | An object representing the enabled or disabled Kubernetes control plane logs for your cluster. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_eks_clusters table (FK)| 8 | |enabled|boolean|If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs.| 9 | |types|text[]|The available cluster control plane log types.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_rds_instance_option_group_memberships.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_rds_instance_option_group_memberships 3 | Provides information on the option groups the DB instance is a member of. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_cq_id|uuid|Unique CloudQuery ID of aws_rds_instances table (FK)| 8 | |option_group_name|text|The name of the option group that the instance belongs to.| 9 | |status|text|The status of the DB instance's option group membership| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_waf_rule_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_waf_rule_groups 3 | This is AWS WAF Classic documentation 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |arn|text|| 9 | |rule_ids|text[]|| 10 | |tags|jsonb|| 11 | |id|text|A unique identifier for a RuleGroup| 12 | |metric_name|text|A friendly name or description for the metrics for this RuleGroup| 13 | |name|text|The friendly name or description for the RuleGroup| 14 | -------------------------------------------------------------------------------- /policies/queries/lambda/lambda_functions_should_use_supported_runtimes.sql: -------------------------------------------------------------------------------- 1 
| insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Lambda functions should use supported runtimes' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when r.name is null then 'fail' 10 | else 'pass' end AS status 11 | from aws_lambda_functions f 12 | left join aws_lambda_runtimes r on r.name=f.runtime 13 | where package_type != 'Image' 14 | -------------------------------------------------------------------------------- /docs/tables/aws_backup_region_settings.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_backup_region_settings 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |region|text|The AWS Region of the resource.| 9 | |resource_type_management_preference|jsonb|Returns whether Backup fully manages the backups for a resource type| 10 | |resource_type_opt_in_preference|jsonb|Returns a list of all services along with the opt-in preferences in the Region.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_glue_crawler_targets_jdbc_targets.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_glue_crawler_targets_jdbc_targets 3 | Specifies a JDBC data store to crawl 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |crawler_cq_id|uuid|Unique CloudQuery ID of aws_glue_crawlers table (FK)| 8 | |connection_name|text|The name of the connection to use to connect to the JDBC target| 9 | |exclusions|text[]|A list of glob patterns used to exclude from the crawl| 10 | |path|text|The path of the JDBC target| 11 | -------------------------------------------------------------------------------- 
/docs/tables/aws_athena_data_catalog_database_table_partition_keys.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_athena_data_catalog_database_table_partition_keys 3 | Contains metadata for a column in a table 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |data_catalog_database_table_cq_id|uuid|Unique CloudQuery ID of aws_athena_data_catalog_database_tables table (FK)| 8 | |name|text|The name of the column| 9 | |comment|text|Optional information about the column| 10 | |type|text|The data type of the column| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_codebuild_project_environment_variables.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_codebuild_project_environment_variables 3 | Information about an environment variable for a build project or a build. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |project_cq_id|uuid|Unique CloudQuery ID of aws_codebuild_projects table (FK)| 8 | |name|text|The name or key of the environment variable.| 9 | |value|text|The value of the environment variable| 10 | |type|text|The type of environment variable| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_glue_database_table_partition_keys.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_glue_database_table_partition_keys 3 | A column in a Table 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |database_table_cq_id|uuid|Unique CloudQuery ID of aws_glue_database_tables table (FK)| 8 | |name|text|The name of the Column| 9 | |comment|text|A free-form text comment| 10 | |parameters|jsonb|These key-value pairs define properties associated with the column| 
11 | |type|text|The data type of the Column| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_lightsail_load_balancer_tls_certificate_summaries.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_lightsail_load_balancer_tls_certificate_summaries 3 | Provides a summary of SSL/TLS certificate metadata 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |load_balancer_cq_id|uuid|Unique CloudQuery ID of aws_lightsail_load_balancers table (FK)| 8 | |is_attached|boolean|When true, the SSL/TLS certificate is attached to the Lightsail load balancer| 9 | |name|text|The name of the SSL/TLS certificate| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_redshift_cluster_nodes.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_redshift_cluster_nodes 3 | The identifier of a node in a cluster. 
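## Columns
| Name | Type | Description |
| ------------- | ------------- | ----- |
|cluster_cq_id|uuid|Unique CloudQuery ID of aws_redshift_clusters table (FK)|
|node_role|text|Whether the node is a leader node or a compute node.|
|private_ip_address|text|The private IP address of a node within a cluster.|
|public_ip_address|text|The public IP address of a node within a cluster.|
--------------------------------------------------------------------------------
/policies/queries/cloudwatch/alarm_console_no_mfa.sql:
--------------------------------------------------------------------------------
-- CIS AWS Foundations Benchmark control "Ensure a log metric filter and alarm
-- exist for Management Console sign-in without MFA".  The filter pattern the
-- benchmark specifies is:
--   { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
-- The pattern previously compared here used $.errorCode (an error-code field
-- that never carries "ConsoleLogin") and joined the two clauses with ||, so a
-- correctly configured filter could never be recognised as 'pass'.
--
-- Like the sibling cloudwatch checks this emits one row per metric filter in
-- view_aws_log_metric_filter_and_alarm: 'pass' for a filter carrying the
-- expected pattern, 'fail' for any other filter (or a NULL pattern).  All
-- whitespace is stripped from both sides before comparing so an equivalent
-- pattern typed with different spacing is not reported as missing.
insert into aws_policy_results
select
  :'execution_time' as execution_time,
  :'framework' as framework,
  :'check_id' as check_id,
  'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA' as title,
  account_id,
  cloud_watch_logs_log_group_arn as resource_id,
  case
    when regexp_replace(pattern, '\s', '', 'g') = regexp_replace(
      '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
      '\s', '', 'g'
    ) then 'pass'
    else 'fail'
  end as status
from view_aws_log_metric_filter_and_alarm
--------------------------------------------------------------------------------
/resources/services/lightsail/types.go:
--------------------------------------------------------------------------------
package lightsail

import (
	"github.com/aws/aws-sdk-go-v2/service/lightsail"
	"github.com/aws/aws-sdk-go-v2/service/lightsail/types"
)

type LogEventWrapper struct {
	types.LogEvent
	// An object describing the result of your get relational database log streams request.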
11 | LogStreamName string 12 | } 13 | 14 | type DistributionWrapper struct { 15 | *types.LightsailDistribution 16 | *lightsail.GetDistributionLatestCacheResetOutput 17 | } 18 | 19 | const MaxGoroutines = 10 20 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_regional_config.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_regional_config 3 | Ec2 Regional Config defines common default configuration for ec2 service 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|| 8 | |region|text|| 9 | |ebs_encryption_enabled_by_default|boolean|Indicates whether EBS encryption by default is enabled for your account in the current Region.| 10 | |ebs_default_kms_key_id|text|The Amazon Resource Name (ARN) of the default CMK for encryption by default.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_elbv1_load_balancer_policies.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elbv1_load_balancer_policies 3 | Information about a policy. 
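## Columns
| Name | Type | Description |
| ------------- | ------------- | ----- |
|load_balancer_cq_id|uuid|Unique CloudQuery ID of aws_elbv1_load_balancers table (FK)|
|load_balance_name|text|The name of the load balancer.|
|policy_attribute_descriptions|jsonb|The policy attributes.|
|policy_name|text|The name of the policy.|
|policy_type_name|text|The name of the policy type.|
--------------------------------------------------------------------------------
/docs/tables/aws_rds_instance_db_parameter_groups.md:
--------------------------------------------------------------------------------

# Table: aws_rds_instance_db_parameter_groups
A DB parameter group associated with an RDS DB instance, together with the apply status of its parameter changes.
## Columns
| Name | Type | Description |
| ------------- | ------------- | ----- |
|instance_cq_id|uuid|Unique CloudQuery ID of aws_rds_instances table (FK)|
|instance_id|text|The AWS Region-unique, immutable identifier for the DB instance|
|db_parameter_group_name|text|The name of the DB parameter group.|
|parameter_apply_status|text|The status of parameter updates.|
--------------------------------------------------------------------------------
/policies/queries/apigateway/api_gw_xray_enabled.sql:
--------------------------------------------------------------------------------
-- One row per row of view_aws_apigateway_method_settings.
--
-- NOTE(review): the title promises an X-Ray tracing check, but the condition
-- below only reads the method-setting data-trace flag and the caching flag.
-- X-Ray tracing is a separate stage-level setting (TracingEnabled in the
-- API Gateway stage) that this query never looks at: a stage with X-Ray on
-- but caching off is reported 'fail', and one with X-Ray off but both flags
-- set is reported 'pass'.  Confirm whether the view exposes the stage tracing
-- flag and test that instead; the condition is left as-is until then.
insert into aws_policy_results
select
  :'execution_time' as execution_time,
  :'framework' as framework,
  :'check_id' as check_id,
  'API Gateway REST API stages should have AWS X-Ray tracing enabled' as title,
  account_id,
  arn as resource_id,
  case
    when (stage_data_trace_enabled is not true or caching_enabled is not true) then 'fail'
    else 'pass'
  end as status
from
  view_aws_apigateway_method_settings
--------------------------------------------------------------------------------
/policies/queries/ec2/stopped_more_thant_30_days_ago_instances.sql: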
-------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Stopped EC2 instances should be removed after a specified time period' as title, 7 | account_id, 8 | id as resource_id, 9 | case when 10 | state_name = 'stopped' 11 | AND NOW() - state_transition_reason_time > 12 | INTERVAL '30' DAY 13 | then 'fail' 14 | else 'pass' 15 | end 16 | from aws_ec2_instances 17 | -------------------------------------------------------------------------------- /policies/queries/redshift/clusters_should_have_automatic_snapshots_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon Redshift clusters should have automatic snapshots enabled' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | automated_snapshot_retention_period < 7 or automated_snapshot_retention_period is null 11 | then 'fail' else 'pass' end as status 12 | from aws_redshift_clusters 13 | -------------------------------------------------------------------------------- /docs/tables/aws_lightsail_database_log_events.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_lightsail_database_log_events 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |database_cq_id|uuid|Unique CloudQuery ID of aws_lightsail_databases table (FK)| 8 | |created_at|timestamp without time zone|The timestamp when the database log event was created| 9 | |message|text|The message of the database log event| 10 | |log_stream_name|text|An object describing the result of your get relational database log streams request| 11 | 
-------------------------------------------------------------------------------- /policies/queries/redshift/clusters_should_have_automatic_upgrades_to_major_versions_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Amazon Redshift should have automatic upgrades to major versions enabled' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | allow_version_upgrade is FALSE or allow_version_upgrade is null 11 | then 'fail' else 'pass' end as status 12 | from aws_redshift_clusters 13 | -------------------------------------------------------------------------------- /.github/release.yml: -------------------------------------------------------------------------------- 1 | # DONT EDIT. This file is synced from https://github.com/cloudquery/.github/.github 2 | changelog: 3 | exclude: 4 | labels: 5 | - ignore-for-release 6 | categories: 7 | - title: Breaking Changes 8 | labels: 9 | - breaking 10 | - title: Added 11 | labels: 12 | - enhancement 13 | - docs 14 | - feat 15 | - title: Fixed 16 | labels: 17 | - fix 18 | - title: Other Changes 19 | labels: 20 | - refactor 21 | - chore 22 | - ci 23 | - test -------------------------------------------------------------------------------- /docs/tables/aws_ecs_cluster_attachments.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ecs_cluster_attachments 3 | An object representing a container instance or task attachment. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_ecs_clusters table (FK)| 8 | |details|jsonb|Details of the attachment| 9 | |id|text|The unique identifier for the attachment.| 10 | |status|text|The status of the attachment| 11 | |type|text|The type of the attachment, such as ElasticNetworkInterface.| 12 | -------------------------------------------------------------------------------- /policies/queries/autoscaling/autoscaling_groups_elb_check.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Auto Scaling groups associated with a load balancer should use health checks' as title, 7 | account_id, 8 | arn as resource_id, 9 | case 10 | when ARRAY_LENGTH(load_balancer_names, 1) > 0 and health_check_type is distinct from 'ELB' then 'fail' 11 | else 'pass' 12 | end as status 13 | from aws_autoscaling_groups 14 | -------------------------------------------------------------------------------- /policies/queries/elasticbeanstalk/advanced_health_reporting_enabled.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Elastic Beanstalk environments should have enhanced health reporting enabled' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | health_status is null 11 | or health is null 12 | then 'fail' 13 | else 'pass' 14 | end as status 15 | from aws_elasticbeanstalk_environments 16 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_host_instances.md: -------------------------------------------------------------------------------- 1 | 2 | # 
Table: aws_ec2_host_instances 3 | Describes an instance running on a Dedicated Host. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |host_cq_id|uuid|Unique CloudQuery ID of aws_ec2_hosts table (FK)| 8 | |instance_id|text|The ID of instance that is running on the Dedicated Host.| 9 | |instance_type|text|The instance type (for example, m3.medium) of the running instance.| 10 | |owner_id|text|The ID of the Amazon Web Services account that owns the instance.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_transit_gateway_multicast_domains.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_transit_gateway_multicast_domains 3 | 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |transit_gateway_cq_id|uuid|| 8 | |creation_time|timestamp without time zone|| 9 | |auto_accept_shared_associations|text|| 10 | |igmpv2_support|text|| 11 | |static_sources_support|text|| 12 | |owner_id|text|| 13 | |state|text|| 14 | |tags|jsonb|| 15 | |transit_gateway_multicast_domain_arn|text|| 16 | |transit_gateway_multicast_domain_id|text|| 17 | -------------------------------------------------------------------------------- /policies/queries/iam/policies_attached_to_groups_roles.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select distinct 3 | :'execution_time'::timestamp, 4 | :'framework', 5 | :'check_id', 6 | 'IAM users should not have IAM policies attached', 7 | aws_iam_users.account_id, 8 | arn AS resource_id, 9 | case when 10 | aws_iam_user_attached_policies.user_cq_id is not null 11 | then 'fail' else 'pass' end as status 12 | from aws_iam_users 13 | left join aws_iam_user_attached_policies on aws_iam_users.cq_id = aws_iam_user_attached_policies.user_cq_id 14 | 
-------------------------------------------------------------------------------- /policies/queries/sns/topics_unused.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | with subscription as (select distinct topic_arn from aws_sns_subscriptions) 3 | select :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Unused SNS topic' as title, 7 | topic.account_id, 8 | topic.arn as resource_id, 9 | 'fail' as status 10 | from aws_sns_topics topic 11 | left join subscription on subscription.topic_arn = topic.arn 12 | where subscription.topic_arn is null -------------------------------------------------------------------------------- /docs/tables/aws_ec2_internet_gateways.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_internet_gateways 3 | Describes an internet gateway. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |region|text|The AWS Region of the resource.| 9 | |arn|text|The Amazon Resource Name (ARN) for the resource.| 10 | |id|text|The ID of the internet gateway.| 11 | |owner_id|text|The ID of the AWS account that owns the internet gateway.| 12 | |tags|jsonb|Any tags assigned to the internet gateway.| 13 | -------------------------------------------------------------------------------- /docs/tables/aws_redshift_cluster_endpoint_vpc_endpoints.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_redshift_cluster_endpoint_vpc_endpoints 3 | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_cq_id|uuid|Unique CloudQuery ID of aws_redshift_clusters table (FK)| 8 | |vpc_endpoint_id|text|The connection endpoint ID for connecting an Amazon Redshift cluster through the proxy.| 9 | |vpc_id|text|The VPC identifier that the endpoint is associated.| 10 | -------------------------------------------------------------------------------- /terraform/athena/modules/test/database.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket" "athenabucket" { 2 | bucket = "${var.prefix}athenabkt${var.prefix}" 3 | force_destroy = true 4 | } 5 | 6 | resource "aws_athena_database" "aws_athena_database" { 7 | name = "${var.prefix}athenadatabase" 8 | bucket = aws_s3_bucket.athenabucket.bucket 9 | force_destroy = true 10 | } 11 | 12 | resource "aws_glue_catalog_table" "aws_athena_database_table" { 13 | name = "${var.prefix}aws_athena_databasetable" 14 | database_name = aws_athena_database.aws_athena_database.name 15 | } -------------------------------------------------------------------------------- /docs/tables/aws_cloudformation_stack_outputs.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_cloudformation_stack_outputs 3 | The Output data type. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |stack_cq_id|uuid|Unique CloudQuery ID of aws_cloudformation_stacks table (FK)| 8 | |description|text|User defined description associated with the output.| 9 | |export_name|text|The name of the export associated with the output.| 10 | |output_key|text|The key associated with the output.| 11 | |output_value|text|The value associated with the output.| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_ecs_cluster_task_attachments.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ecs_cluster_task_attachments 3 | An object representing a container instance or task attachment. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |cluster_task_cq_id|uuid|Unique CloudQuery ID of aws_ecs_cluster_tasks table (FK)| 8 | |details|jsonb|Details of the attachment| 9 | |id|text|The unique identifier for the attachment.| 10 | |status|text|The status of the attachment| 11 | |type|text|The type of the attachment, such as ElasticNetworkInterface.| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_shield_attack_sub_resources.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_shield_attack_sub_resources 3 | The attack information for the specified SubResource 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |attack_cq_id|uuid|Unique CloudQuery ID of aws_shield_attacks table (FK)| 8 | |attack_vectors|jsonb|The list of attack types and associated counters| 9 | |counters|jsonb|The counters that describe the details of the attack| 10 | |id|text|The unique identifier (ID) of the SubResource| 11 | |type|text|The SubResource type| 12 | 
-------------------------------------------------------------------------------- /policies/foundational_security/cloudtrail.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'CloudTrail.1' 2 | \echo "Executing check CloudTrail.1" 3 | \ir ../queries/cloudtrail/enabled_in_all_regions.sql 4 | 5 | \set check_id 'CloudTrail.2' 6 | \echo "Executing check CloudTrail.2" 7 | \ir ../queries/cloudtrail/logs_encrypted.sql 8 | 9 | \set check_id 'CloudTrail.4' 10 | \echo "Executing check CloudTrail.4" 11 | \ir ../queries/cloudtrail/log_file_validation_enabled.sql 12 | 13 | \set check_id 'CloudTrail.5' 14 | \echo "Executing check CloudTrail.5" 15 | \ir ../queries/cloudtrail/integrated_with_cloudwatch_logs.sql 16 | -------------------------------------------------------------------------------- /policies/queries/directconnect/connections_down.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select :'execution_time' as execution_time, 3 | :'framework' as framework, 4 | :'check_id' as check_id, 5 | 'Direct Connect connections in "down" state' as title, 6 | account_id, 7 | arn as resource_id, 8 | 'fail' as status 9 | from aws_directconnect_connections 10 | where connection_state = 'down' -------------------------------------------------------------------------------- /policies/queries/elasticsearch/connections_to_elasticsearch_domains_should_be_encrypted_using_tls_1_2.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'Connections to Elasticsearch domains should be encrypted using TLS 1.2' as title, 7 | account_id, 8 | arn as resource_id, 9 | case when 10 | domain_endpoint_tls_security_policy is distinct from 'Policy-Min-TLS-1-2-2019-07' 11 | then 'fail' 12 | else 'pass' 13 
| end as status 14 | from aws_elasticsearch_domains 15 | -------------------------------------------------------------------------------- /policies/queries/rds/snapshots_should_prohibit_public_access.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'RDS snapshots should be private' as title, 7 | account_id, 8 | arn AS resource_id, 9 | case when 10 | (attrs ->> 'AttributeName' is not distinct from 'restore') 11 | and (attrs -> 'AttributeValues') ? 'all' 12 | then 'fail' else 'pass' end as status 13 | from aws_rds_cluster_snapshots, jsonb_array_elements(attributes) as attrs 14 | -------------------------------------------------------------------------------- /terraform/lambda/modules/test/fixtures/python3.8-app1/docker/automake-1.13-to-1.16-spec.patch: -------------------------------------------------------------------------------- 1 | --- SPECS/automake.spec.orig 2020-05-06 02:48:47.840620663 +0000 2 | +++ SPECS/automake.spec 2020-05-06 05:25:16.474955530 +0000 3 | @@ -2 +2 @@ 4 | -%global api_version 1.13 5 | +%global api_version 1.16 6 | @@ -6,2 +6,2 @@ 7 | -Version: %{api_version}.4 8 | -Release: 3%{?_rebuild}%{?dist} 9 | +Version: %{api_version}.2 10 | +Release: 0%{?_rebuild}.mtf 11 | 
@@ -72,2 +72,2 @@ 12 | -%patch0 -p1 -b .disable_tests 13 | -autoreconf -iv 14 | +#%patch0 -p1 -b .disable_tests 15 | +#autoreconf -iv 16 | -------------------------------------------------------------------------------- /.github/.kodiak.toml: -------------------------------------------------------------------------------- 1 | 2 | version = 1 3 | 4 | [approve] 5 | auto_approve_usernames = ["cq-bot"] 6 | 7 | [merge.message] 8 | body = "pull_request_body" 9 | cut_body_after = "Use the following steps to ensure your PR is ready to be reviewed" 10 | cut_body_and_text = true 11 | cut_body_before = "" 12 | title = "pull_request_title" 13 | 14 | [merge.automerge_dependencies] 15 | usernames = ["cq-bot"] 16 | versions = ["patch"] 17 | 18 | [merge] 19 | blocking_labels = ["wip", "no automerge"] 20 | notify_on_conflict = false 21 | -------------------------------------------------------------------------------- /docs/tables/aws_codepipeline_webhook_filters.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_codepipeline_webhook_filters 3 | The event criteria that specify when a webhook notification is sent to your URL 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |webhook_cq_id|uuid|Unique CloudQuery ID of aws_codepipeline_webhooks table (FK)| 8 | |json_path|text|A JsonPath expression that is applied to the body/payload of the webhook| 9 | |match_equals|text|The value selected by the JsonPath expression must match what is supplied in the MatchEquals field| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_dms_replication_instance_vpc_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_dms_replication_instance_vpc_security_groups 3 | Describes the status of a security group associated with the virtual private cloud (VPC) hosting your replication and 
DB instances. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |replication_instance_cq_id|uuid|Unique CloudQuery ID of aws_dms_replication_instances table (FK)| 8 | |status|text|The status of the VPC security group.| 9 | |vpc_security_group_id|text|The VPC security group ID.| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_route_tables.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_route_tables 3 | Describes a route table. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |account_id|text|The AWS Account ID of the resource.| 8 | |region|text|The AWS Region of the resource.| 9 | |arn|text|The Amazon Resource Name (ARN) for the resource.| 10 | |owner_id|text|The ID of the AWS account that owns the route table.| 11 | |id|text|The ID of the route table.| 12 | |tags|jsonb|Any tags assigned to the route table.| 13 | |vpc_id|text|The ID of the VPC.| 14 | -------------------------------------------------------------------------------- /docs/tables/aws_ec2_security_group_ip_permission_ip_ranges.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_ec2_security_group_ip_permission_ip_ranges 3 | Details of a cidr range associated with a security group rule 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |security_group_ip_permission_cq_id|uuid|Unique CloudQuery ID of aws_ec2_security_group_ip_permissions table (FK)| 8 | |cidr|text|The CIDR range.| 9 | |description|text|A description for the security group rule that references this address range.| 10 | |cidr_type|text|IP Type: ipv4, or ipv6| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_elbv2_listener_default_action_forward_config_target_groups.md: 
-------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elbv2_listener_default_action_forward_config_target_groups 3 | Information about how traffic will be distributed between multiple target groups in a forward rule. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |listener_default_action_cq_id|uuid|Unique CloudQuery ID of aws_elbv2_listener_default_actions table (FK)| 8 | |target_group_arn|text|The Amazon Resource Name (ARN) of the target group.| 9 | |weight|integer|The weight| 10 | -------------------------------------------------------------------------------- /docs/tables/aws_redshift_snapshot_accounts_with_restore_access.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_redshift_snapshot_accounts_with_restore_access 3 | Describes an AWS customer account authorized to restore a snapshot. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |snapshot_cq_id|uuid|Unique CloudQuery ID of aws_redshift_snapshots table (FK)| 8 | |account_alias|text|The identifier of an AWS support account authorized to restore a snapshot| 9 | |account_id|text|The identifier of an AWS customer account authorized to restore a snapshot.| 10 | -------------------------------------------------------------------------------- /policies/foundational_security/ssm.sql: -------------------------------------------------------------------------------- 1 | \set check_id 'SSM.1' 2 | \echo "Executing check SSM.1" 3 | \ir ../queries/ssm/ec2_instances_should_be_managed_by_ssm.sql 4 | 5 | \set check_id 'SSM.2' 6 | \echo "Executing check SSM.2" 7 | \ir ../queries/ssm/instances_should_have_patch_compliance_status_of_compliant.sql 8 | 9 | \set check_id 'SSM.3' 10 | \echo "Executing check SSM.3" 11 | \ir ../queries/ssm/instances_should_have_association_compliance_status_of_compliant.sql 12 | 13 | \set check_id 
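'SSM.4'
\echo "Executing check SSM.4"
\ir ../queries/ssm/documents_should_not_be_public.sql
--------------------------------------------------------------------------------
/policies/queries/cloudfront/origin_failover_enabled.sql:
--------------------------------------------------------------------------------
-- Security Hub CloudFront.4: every distribution should have origin failover
-- (an origin group) configured.  The query is driven from
-- aws_cloudfront_distributions and LEFT JOINs the origin groups so that a
-- distribution with no origin group at all still produces a row and is
-- reported as 'fail'.  With the previous INNER JOIN from the origin-group
-- table such distributions were silently dropped and could never fail the
-- check, which is precisely the misconfiguration the control looks for.
insert into aws_policy_results
select
  :'execution_time' as execution_time,
  :'framework' as framework,
  :'check_id' as check_id,
  'CloudFront distributions should have origin failover configured' as title,
  d.account_id,
  d.arn as resource_id,
  case
    -- NULL here means either no origin-group row matched the distribution or
    -- the group has no member list; neither provides failover.
    when o.members_origin_ids is null then 'fail'
    else 'pass'
  end as status
from aws_cloudfront_distributions d
left join aws_cloudfront_distribution_origin_groups o on o.distribution_cq_id = d.cq_id
--------------------------------------------------------------------------------
/policies/queries/ec2/default_sg_no_access.sql:
--------------------------------------------------------------------------------
-- Emits one row per (security group, ip permission) pair: 'fail' when the
-- group is the VPC default group, 'pass' for any other group's rule.
-- NOTE(review): because of the INNER JOIN a default security group with no
-- rules at all yields no row (neither 'pass' nor 'fail'), and every rule of
-- every non-default group yields its own 'pass' row; one row per group would
-- be cleaner.  Behaviour is left unchanged here.
insert into aws_policy_results
select
  :'execution_time',
  :'framework',
  :'check_id',
  'The VPC default security group should not allow inbound and outbound traffic',
  account_id,
  arn,
  case when
    group_name = 'default'
  then 'fail'
  else 'pass'
  end
from
  aws_ec2_security_groups
inner join
  aws_ec2_security_group_ip_permissions on
    aws_ec2_security_groups.cq_id
    = aws_ec2_security_group_ip_permissions.security_group_cq_id
--------------------------------------------------------------------------------
/policies/queries/ec2/hosts_unused.sql:
--------------------------------------------------------------------------------
insert into aws_policy_results
with instance as (select distinct host_cq_id from aws_ec2_host_instances)
select :'execution_time' as execution_time,
  :'framework' as framework,
  :'check_id' as check_id,
  'Unused dedicated host'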
as title, 7 | host.account_id, 8 | host.arn as resource_id, 9 | 'fail' as status 10 | from aws_ec2_hosts host 11 | left join instance on instance.host_cq_id = host.cq_id 12 | where instance.host_cq_id is null -------------------------------------------------------------------------------- /docs/tables/aws_apigatewayv2_domain_name_rest_api_mappings.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_apigatewayv2_domain_name_rest_api_mappings 3 | Represents an API mapping. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |domain_name_cq_id|uuid|Unique CloudQuery ID of aws_apigatewayv2_domain_names table (FK)| 8 | |api_id|text|The API identifier.| 9 | |arn|text|The Amazon Resource Name (ARN) for the resource.| 10 | |stage|text|The API stage.| 11 | |api_mapping_id|text|The API mapping identifier.| 12 | |api_mapping_key|text|The API mapping key.| 13 | -------------------------------------------------------------------------------- /docs/tables/aws_autoscaling_group_tags.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_autoscaling_group_tags 3 | Describes a tag for an Auto Scaling group. 
4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |group_cq_id|uuid|Unique CloudQuery ID of aws_autoscaling_groups table (FK)| 8 | |key|text|The tag key.| 9 | |propagate_at_launch|boolean|Determines whether the tag is added to new instances as they are launched in the group.| 10 | |resource_id|text|The name of the group.| 11 | |resource_type|text|The type of resource| 12 | |value|text|The tag value.| 13 | -------------------------------------------------------------------------------- /docs/tables/aws_elbv1_load_balancer_backend_server_descriptions.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elbv1_load_balancer_backend_server_descriptions 3 | Information about the configuration of an EC2 instance. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |load_balancer_cq_id|uuid|Unique CloudQuery ID of aws_elbv1_load_balancers table (FK)| 8 | |name|text|The name of the load balancer.| 9 | |instance_port|integer|The port on which the EC2 instance is listening.| 10 | |policy_names|text[]|The names of the policies enabled for the EC2 instance.| 11 | -------------------------------------------------------------------------------- /docs/tables/aws_glue_security_configuration_s3_encryption.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_glue_security_configuration_s3_encryption 3 | Specifies how Amazon Simple Storage Service (Amazon S3) data should be encrypted 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |security_configuration_cq_id|uuid|Unique CloudQuery ID of aws_glue_security_configurations table (FK)| 8 | |kms_key_arn|text|The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data| 9 | |s3_encryption_mode|text|The encryption mode to use for Amazon S3 data| 10 | 
-------------------------------------------------------------------------------- /docs/tables/aws_rds_instance_vpc_security_groups.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_rds_instance_vpc_security_groups 3 | This data type is used as a response element for queries on VPC security group membership. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |instance_cq_id|uuid|Unique CloudQuery ID of aws_rds_instances table (FK)| 8 | |instance_id|text|The AWS Region-unique, immutable identifier for the DB instance| 9 | |status|text|The status of the VPC security group.| 10 | |vpc_security_group_id|text|The name of the VPC security group.| 11 | -------------------------------------------------------------------------------- /policies/queries/dynamodb/point_in_time_recovery.sql: -------------------------------------------------------------------------------- 1 | insert into aws_policy_results 2 | select 3 | :'execution_time' as execution_time, 4 | :'framework' as framework, 5 | :'check_id' as check_id, 6 | 'DynamoDB tables should have point-in-time recovery enabled' as title, 7 | t.account_id, 8 | t.arn as resource_id, 9 | case when 10 | b.point_in_time_recovery_status is distinct from 'ENABLED' 11 | then 'fail' 12 | else 'pass' 13 | end as status 14 | FROM aws_dynamodb_tables t 15 | LEFT JOIN aws_dynamodb_table_continuous_backups b ON b.table_cq_id = t.cq_id 16 | -------------------------------------------------------------------------------- /terraform/xray/modules/test/sampling_rule.tf: -------------------------------------------------------------------------------- 1 | resource "aws_xray_sampling_rule" "xray_sampling_rule" { 2 | rule_name = "${var.prefix}-xray-sampling-rule" 3 | priority = 100 4 | version = 1 5 | reservoir_size = 1 6 | fixed_rate = 0.05 7 | url_path = "*" 8 | host = "*" 9 | http_method = "*" 10 | service_type = "*" 11 | service_name = "*" 12 | 
resource_arn = "*" 13 | 14 | attributes = { 15 | Hello = "Tris" 16 | } 17 | 18 | tags = merge( 19 | { Name = "${var.prefix}-xray-sampling-rule" }, 20 | var.tags 21 | ) 22 | } -------------------------------------------------------------------------------- /docs/tables/aws_elbv2_load_balancer_availability_zones.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_elbv2_load_balancer_availability_zones 3 | Information about an Availability Zone. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |load_balancer_cq_id|uuid|Unique CloudQuery ID of aws_elbv2_load_balancers table (FK)| 8 | |load_balance_name|text|The name of the load balancer.| 9 | |outpost_id|text|[Application Load Balancers on Outposts] The ID of the Outpost.| 10 | |subnet_id|text|The ID of the subnet| 11 | |zone_name|text|The name of the Availability Zone.| 12 | -------------------------------------------------------------------------------- /docs/tables/aws_s3_bucket_grants.md: -------------------------------------------------------------------------------- 1 | 2 | # Table: aws_s3_bucket_grants 3 | Container for grant information. 4 | ## Columns 5 | | Name | Type | Description | 6 | | ------------- | ------------- | ----- | 7 | |bucket_cq_id|uuid|Unique CloudQuery ID of aws_s3_buckets table (FK)| 8 | |type|text|Type of grantee| 9 | |display_name|text|Screen name of the grantee.| 10 | |email_address|text|Email address of the grantee| 11 | |grantee_id|text|The canonical user ID of the grantee.| 12 | |uri|text|URI of the grantee group.| 13 | |permission|text|Specifies the permission given to the grantee.| 14 | --------------------------------------------------------------------------------