Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an AWS S3 Bucket
query {
queryawsS3 {
id
accountId
arn
access
bucketOwnerName
region
requesterPays
size
totalNumberOfObjectsInBucket
transferAcceleration
corsConfiguration
encrypted
lifecycle
logging
blockPublicAcls
ignorePublicAcls
blockPublicPolicy
restrictPublicBuckets
crossRegionReplication
mfa
versioning
staticWebsiteHosting
bucketPolicies {
id
}
kinesisFirehose {
arn
}
tags {
id
key
value
}
cloudfrontDistribution {
arn
}
cloudtrail {
arn
}
}
}
Get data for a single AWS S3 Bucket that you know the ID for:
query {
getawsS3(id: "12345") {
arn
}
}
Get data for a single S3 Bucket that you know the ARN for:
query {
getawsS3(arn: "arn:12345") {
arn
}
}
Get data for all of the S3 Buckets in a certain AWS account:
query {
queryawsS3(filter: { accountId: { eq: "12345" } }) {
arn
}
}
Get data for all of the S3 Buckets that are NOT in a certain AWS account:
query {
queryawsS3(filter: { not: { accountId: { eq: "12345" } } }) {
arn
}
}
Get data for all of the S3 Buckets that have Policies:
query {
queryawsS3(filter: { has: bucketPolicies }) {
arn
}
}
Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the S3 Buckets that have Policies AND a are fronted by CloudFront OR that do not have Tags. Note that you can use has, and, not, or completely independently of each other:
query {
queryawsS3(
filter: {
has: bucketPolicies
and: { has: cloudfrontDistribution }
or: { not: { has: tags } }
}
) {
arn
}
}
You may also filter using a regex when filtering on a string field like, access if you want to look for a value that contains the word, public (case insensitive):
query {
queryawsS3(filter: { access: { regexp: "/.*public.*/i" } }) {
arn
access
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryawsS3(order: { desc: region }) {
region
}
}
Only select and return the first two S3 Buckets that are found:
query {
queryawsS3(first: 2, order: { desc: region }) {
region
}
}
Only select and return the first two S3 Buckets that are found, but offset by one so S3 Buckets two & three are returned:
query {
queryawsS3(first: 2, order: { desc: region }, offset: 1) {
region
}
}
Count the number of S3 Buckets across all scanned AWS accounts:
query {
aggregateawsS3 {
count
}
}
Count the number of S3 Buckets in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregateawsS3(filter: { accountId: { eq: "12345" } }) {
count
}
}
Find all the S3 Buckets that are themselves public or that can have Objects that are public in them:
query {
queryawsS3(filter: { not: { access: { eq: "Private" } } }) {
arn
access
}
}
Find all the S3 Buckets in account 12345 in the us-east-1 region:
query {
queryawsS3(
filter: { accountId: { eq: "12345" }, region: { eq: "us-east-1" } }
) {
arn
}
}
Find all of the S3 Buckets that have a tag of Environment:Production for a single AWS Account:
query {
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
s3(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
queryawsS3(
filter: { accountId: { eq: "12345" }, region: { eq: "us-east-1" } }
) {
arn
}
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
s3(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
Putting it all together; get all data for all S3 Buckets across all regions for all scanned AWS accounts in a single query. For the purposes of this example we will only get direct children of the S3 Buckets but if you want to it's easy to go from say, S3 Bucket -> Subnet -> VPC...etc:
query {
queryawsS3 {
id
accountId
arn
access
bucketOwnerName
region
requesterPays
size
totalNumberOfObjectsInBucket
transferAcceleration
corsConfiguration
encrypted
lifecycle
logging
blockPublicAcls
ignorePublicAcls
blockPublicPolicy
restrictPublicBuckets
crossRegionReplication
mfa
versioning
staticWebsiteHosting
bucketPolicies {
id
policy {
id
}
}
kinesisFirehose {
id
accountId
arn
name
deliveryStreamStatus
failureDescriptionType
failureDescriptionDetails
encryptionConfig {
keyARN
}
deliveryStreamType
versionId
createTimestamp
lastUpdateTimestamp
source {
roleARN
}
region
kinesisStream {
arn
}
s3 {
arn
}
tags {
id
key
value
}
}
tags {
id
key
value
}
cloudfrontDistribution {
id
accountId
arn
etag
status
enabled
priceClass
domainName
httpVersion
lastModified
callerReference
ipv6Enabled
defaultRootObject
webAclId
geoRestrictions
customErrorResponses {
errorCode
}
defaultCacheBehavior {
id
}
orderedCacheBehaviors {
id
}
viewerCertificate {
iamCertificateId
}
origins {
originId
}
elb {
arn
}
s3 {
arn
}
tags {
id
key
value
}
}
cloudtrail {
id
arn
accountId
name
s3BucketName
s3KeyPrefix
sns {
id
}
includeGlobalServiceEvents
isMultiRegionTrail
homeRegion
logFileValidationEnabled
cloudWatchLogsLogGroupArn
cloudWatchLogsRoleArn
kmsKeyId
hasCustomEventSelectors
hasInsightSelectors
isOrganizationTrail
tags {
id
key
value
}
region
s3 {
arn
}
kms {
arn
}
}
}
}
