AWS Cloud Operations Blog
Query your resource configuration state using the advanced query feature of AWS Config
On March 19, AWS Config announced a new capability called advanced query. Advanced query makes it easy to query the resource configuration properties of your AWS resources for audit, compliance, or operational troubleshooting. Advanced query is available in all AWS public Regions and in AWS GovCloud (US) at no additional charge for AWS Config customers.
Advanced query can be used to perform ad hoc queries against the current configuration state of your resources using the AWS Config console or through APIs. You can run SQL style queries to help you audit for compliance, manage cost, and evaluate security requirements. For example, using this query capability, you can retrieve a list of Amazon EC2 instances of a particular size, Amazon EBS volumes that are not attached to an Amazon EC2 instance, or resources that have encryption disabled.
Benefits
Reduce throttling, unavailability, and costs: You no longer have to make service-specific describe API calls to retrieve the configuration data you are interested in. Instead, use advanced query as a single query endpoint across AWS services. For example, if you need information about the configuration of Elastic Load Balancing load balancers, you typically call these APIs: describeLoadBalancers, describeLoadBalancerAttributes, describeLoadBalancerPolicies, and describeTags. But since AWS Config already captures the information typically returned through these APIs and normalizes it in a format known as a configuration item (CI), you can use advanced query to query this CI using SQL SELECT statements and retrieve only the information that you need. This method is more efficient because you can select only the properties your application or use case needs, which helps reduce the throttling encountered when making service-specific describe API calls.
Consistent query interface across services: Advanced query provides a consistent interface standard by which you can query resource metadata from multiple services. As a developer, you no longer need to adapt to a new search query interface for each service you query, which slows development.
Getting Started
It’s easy to get started with advanced query in the AWS Config console or through APIs. When you enable AWS Config in your account, AWS Config discovers and records your resource configuration state, tags, and relationships. In the AWS Config console, under Resources > Advanced query, choose a sample advanced query you want to run, or write your own using a subset of structured query language (SQL) SELECT syntax.
We have many sample queries to choose from to get you started quickly. Some of the common scenarios that benefit from advanced query are shown next:
Inventory management: Sample query to get a list of all EC2 instances running in my account
Cost management: Sample query to get a list of EBS volumes that are not in use
Security management: Sample query to get a list of all RDS instances that are publicly accessible
Change management: Sample query to get a list of all resources that are related to a specific EC2 security group
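The four scenarios above written out as advanced query SELECT statements, plus the "encryption disabled" check mentioned earlier. These are added examples, not the console's built-in sample queries; property names are taken from the AWS Config resource schema, and the security group ID is a placeholder you replace with your own.

```sql
-- Advanced query uses a subset of SQL SELECT syntax: no FROM clause,
-- because every query runs against the configuration items (CIs) that
-- AWS Config has recorded in the current account and Region.

-- Inventory management: all EC2 instances currently in the running state
SELECT resourceId, resourceType, configuration.instanceType, availabilityZone, tags
WHERE resourceType = 'AWS::EC2::Instance'
  AND configuration.state.name = 'running';

-- Cost management: EBS volumes not attached to any instance
-- (an unattached volume reports state 'available' rather than 'in-use')
SELECT resourceId, configuration.volumeType, configuration.size, availabilityZone
WHERE resourceType = 'AWS::EC2::Volume'
  AND configuration.state = 'available';

-- Security management: RDS instances reachable from the public internet
SELECT resourceId, configuration.dBInstanceIdentifier, configuration.engine, awsRegion
WHERE resourceType = 'AWS::RDS::DBInstance'
  AND configuration.publiclyAccessible = true;

-- Security management: EBS volumes recorded with encryption disabled
SELECT resourceId, configuration.encrypted, availabilityZone
WHERE resourceType = 'AWS::EC2::Volume'
  AND configuration.encrypted = false;

-- Change management: every resource that has a relationship to one
-- security group. Replace sg-PLACEHOLDER with the real group ID.
SELECT resourceId, resourceType
WHERE relationships.resourceId = 'sg-PLACEHOLDER';
```

Results reflect the configuration item AWS Config last recorded for each resource, so a change made after that recording is not visible until AWS Config records it.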
You can use these sample queries or write your own query. For the list of all resource configuration properties that you can use to formulate your own queries, see the AWS Config Resource Schema GitHub repository.
Conclusion
Advanced query is a valuable capability that can help you extract intelligence out of the data captured in AWS Config. To learn more about advanced query, see the AWS Config product documentation and the AWS Config Developer Guide.
About the Author
Sid Gupta is a Sr. Product Manager for AWS Config. Sid enjoys working with customers and helping them build effective cloud governance strategies in order to be successful in the cloud. In his spare time, he enjoys hiking, reading, and spending time with his kids.