AWS Cloud Operations Blog

Simplify query authoring in AWS Config advanced queries with natural language query generation

AWS Config advanced queries provide a SQL-based querying interface to retrieve resource configuration metadata of AWS resources and identify resource compliance state. You can use AWS Config advanced queries in a single AWS Account and Region or in a multi-account and cross-region setup with AWS Config configuration aggregators. Writing queries requires you to know SQL and understand the underlying configuration properties and relationships of resources. As your AWS environment grows in size and complexity, writing SQL statements for your queries could become more complex and time consuming.

AWS Config recently launched generative AI-powered natural language querying (Preview) that allows users to query AWS resources, configurations or compliance state using queries written as simple commands or questions in natural language. Writing these same queries as statements, commands or questions in natural language reduces the need to learn SQL or understand the underlying resource configuration properties and relationships.

In this post, we will show you how to get started with natural language queries in AWS Config advanced queries. We will show you how to start with a statement and refine it to ultimately find the answer to your question.

Prerequisites

For this post, you should be familiar with AWS Config advanced queries and AWS Config aggregator. Additionally, you will need to have AWS Config set up in at least 2 Regions as well as an AWS Config aggregator for your account. To test the queries, you need encrypted and unencrypted EBS volumes across Regions. If you need to create EBS volumes, please refer to the documentation.

Getting started

The goal is to view all EBS volumes across your AWS environment along with their encryption status. You’ll start by looking at all volumes and then filter on encrypted volumes.

1. In the AWS console and navigate to AWS Config. Select Advanced queries in the left navigation pane (fig. 1)

Image showing AWS Config console screens showing “Advanced queries” with “Preview” annotation in the left navigation pane

Fig. 1

2. Select new query. Change the query scope to your aggregator. In the natural language query processor, enter “List volumes” and select Generate (fig. 2)

Natural language query processor screen with “list volumes” filled and automated generated SQL statement showing on the right-hand side

Fig. 2

3. Notice that the resulting query will provide you a list of EBS volumes, but results only include resourceId and resourceType fields but not the encryption status (Fig. 3). So, you will try again by expanding your prompt a bit more in the next step.

Output screen showing all the EBS volumes

Fig. 3

4. Back in the Natural language query processor, enter the following text “List EBS volumes. show volume ID, AZ, resource type and encryption status”, (Fig. 4) then select Generate again.

Natural language query processor screen with a refined query specifying additional search field and corresponding generated SQL query on the right-hand side

Fig. 4

5. Notice that the updated query now includes configuration.encrypted field, which is exactly what you need to get the encryption status of each volume.

6. Select Populate to editor and run the query in the editor.

7. Now you can see 4 EBS volumes listed along with the encryption status for each volume (Fig. 5)

Results of refined query, showing additional data fields include “configuration.encrypted”

Fig. 5

8. Let’s try something different. Return to the Natural language query processor and enter “List encrypted EBS volumes. show volume ID, AZ, resource type and encryption status” and select Generate.

9. Select Populate to editor and run the generated query to see the following results (Fig. 6)

Results of a more complex natural language query showing only the EBS volume where configuration.encrypted field is set to true

Fig. 6

As with many other generative AI applications, getting your prompts to produce the expected SQL query may take a bit of a trial and error, so please feel free to experiment and try out any prompts to fit your needs.

Conclusion

In this blog post, you’ve seen you how you can leverage generative AI based natural language queries in AWS Config. This new feature is available in preview in US East (N. Virginia) and US West (Oregon) AWS Regions. To get started, visit AWS Config advanced queries in the AWS console.

About the Authors

Faraz Rehman author photo

Faraz Rehman

Faraz Rehman is senior Solutions Architect at AWS based in the San Francisco Bay Area. For the past few years he has been focused on helping ISV customers build and operate business critical, production scale workloads on AWS. His expertise includes cloud operations, management and governance.

Avi Harari author photo

Avi Harari

Avi is a Senior Technical Account Manager at AWS supporting Enterprise customers with the adoption and use of AWS services. He is part of the AWS Cloud Operations technical community, focusing on Configuration, Compliance and Auditing on AWS. Outside of work, he enjoys spending time with his family and mixology.