website logo
HomeGithubSlack
⌘K
Overview
Quick Start
Supported Services
Running CloudGraph in EKS
Compliance
Rules Engine
AWS
Querying AWS Data
AWS Policy Packs
Billing Data
Services
Azure
Querying Azure Data
Azure Policy Packs
Services
GCP
Querying GCP Data
GCP Policy Packs
Services
K8s
Querying Kubernetes Data
Services
Docs powered by archbee 

S3

19min

Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on an AWS S3 Bucket

GraphQL
|
query {
  queryawsS3 {
    id
    accountId
    arn
    access
    bucketOwnerName
    region
    requesterPays
    size
    totalNumberOfObjectsInBucket
    transferAcceleration
    corsConfiguration
    encrypted
    lifecycle
    logging
    blockPublicAcls
    ignorePublicAcls
    blockPublicPolicy
    restrictPublicBuckets
    crossRegionReplication
    mfa
    versioning
    staticWebsiteHosting
    bucketPolicies {
      id
      # Other fields and connections here...
    }
    kinesisFirehose {
      arn
      # Other fields and connections here...
    }
    tags {
      id
      key
      value
    }
    cloudfrontDistribution {
      arn
      # Other fields and connections here...
    }
    cloudtrail {
      arn
      # Other fields and connections here...
    }
  }
}


Filtering

Get data for a single AWS S3 Bucket that you know the ID for:

GraphQL
|
query {
  getawsS3(id: "12345") {
    arn
    # Other fields and connections here...
  }
}


Get data for a single S3 Bucket that you know the ARN for:

GraphQL
|
query {
  getawsS3(arn: "arn:12345") {
    arn
    # Other fields and connections here...
  }
}


Get data for all of the S3 Buckets in a certain AWS account:

GraphQL
|
query {
  queryawsS3(filter: { accountId: { eq: "12345" } }) {
    arn
    # Other fields and connections here...
  }
}

# Note that in addition to "accountId" you can
# Filter based on any of the following attributes:

# id
# accountId
# arn
# access
# bucketOwnerName
# region
# requesterPays
# size
# totalNumberOfObjectsInBucket
# transferAcceleration
# corsConfiguration
# encrypted
# lifecycle
# logging
# blockPublicAcls
# ignorePublicAcls
# blockPublicPolicy
# restrictPublicBuckets
# crossRegionReplication
# mfa
# versioning
# staticWebsiteHosting

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext


Get data for all of the S3 Buckets that are NOT in a certain AWS account:

GraphQL
|
query {
  queryawsS3(filter: { not: { accountId: { eq: "12345" } } }) {
    arn
    # Other fields and connections here...
  }
}


Advanced Filtering

Get data for all of the S3 Buckets that have Policies:

GraphQL
|
query {
  queryawsS3(filter: { has: bucketPolicies }) {
    arn
    # Other fields and connections here...
  }
}

# Note that in addition to "elasticIps" you can filter
# Using "has" based on any of the following attributes:

# id
# accountId
# arn
# access
# bucketOwnerName
# region
# requesterPays
# size
# totalNumberOfObjectsInBucket
# transferAcceleration
# corsConfiguration
# encrypted
# lifecycle
# logging
# blockPublicAcls
# ignorePublicAcls
# blockPublicPolicy
# restrictPublicBuckets
# crossRegionReplication
# mfa
# versioning
# staticWebsiteHosting
# kinesisFirehose
# tags
# cloudfrontDistribution
# cloudtrail


Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the S3 Buckets that have Policies AND a are fronted by CloudFront OR that do not have Tags. Note that you can use has, and, not, or completely independently of each other:

GraphQL
|
query {
  queryawsS3(
    filter: {
      has: bucketPolicies
      and: { has: cloudfrontDistribution }
      or: { not: { has: tags } }
    }
  ) {
    arn
    # Other fields and connections here...
  }
}


You may also filter using a regex when filtering on a string field like, access if you want to look for a value that contains the word, public (case insensitive):

GraphQL
|
query {
  queryawsS3(filter: { access: { regexp: "/.*public.*/i" } }) {
    arn
    access
    # Other fields and connections here...
  }
}


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryawsS3(order: { desc: region }) {
    region
    # Other fields and connections here...
  }
}

# Note that in addition to "size" you can filter
# Using "asc" or "desc" based on any of the following attributes:

# id
# accountId
# arn
# access
# bucketOwnerName
# requesterPays
# totalNumberOfObjectsInBucket
# transferAcceleration
# corsConfiguration
# encrypted
# lifecycle
# logging
# blockPublicAcls
# ignorePublicAcls
# blockPublicPolicy
# restrictPublicBuckets
# crossRegionReplication
# mfa
# size
# versioning
# staticWebsiteHosting


Only select and return the first two S3 Buckets that are found:

GraphQL
|
query {
  queryawsS3(first: 2, order: { desc: region }) {
    region
    # Other fields and connections here...
  }
}


Only select and return the first two S3 Buckets that are found, but offset by one so S3 Buckets two & three are returned:

GraphQL
|
query {
  queryawsS3(first: 2, order: { desc: region }, offset: 1) {
    region
    # Other fields and connections here...
  }
}


Aggregation

Count the number of S3 Buckets across all scanned AWS accounts:

GraphQL
|
query {
  aggregateawsS3 {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# Following min and max values based on attributes of your S3 Buckets:

# idMin
# idMax
# accountIdMin
# accountIdMax
# arnMin
# arnMax
# accessMin
# accessMax
# bucketOwnerNameMin
# bucketOwnerNameMax
# regionMin
# regionMax
# requesterPaysMin
# requesterPaysMax
# sizeMin
# sizeMax
# totalNumberOfObjectsInBucketMin
# totalNumberOfObjectsInBucketMax
# transferAccelerationMin
# transferAccelerationMax
# corsConfigurationMin
# corsConfigurationMax
# encryptedMin
# encryptedMax
# lifecycleMin
# lifecycleMax
# loggingMin
# loggingMax
# blockPublicAclsMin
# blockPublicAclsMax
# ignorePublicAclsMin
# ignorePublicAclsMax
# blockPublicPolicyMin
# blockPublicPolicyMax
# restrictPublicBucketsMin
# restrictPublicBucketsMax
# crossRegionReplicationMin
# crossRegionReplicationMax
# mfaMin
# mfaMax
# versioningMin
# versioningMax
# staticWebsiteHostingMin
# staticWebsiteHostingMax


Count the number of S3 Buckets in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregateawsS3(filter: { accountId: { eq: "12345" } }) {
    count
    # Other fields and connections here...
  }
}


Examples

Find all the S3 Buckets that are themselves public or that can have Objects that are public in them:

GraphQL
|
query {
  queryawsS3(filter: { not: { access: { eq: "Private" } } }) {
    arn
    access
     # Other fields and connections here...
  }
}


Find all the S3 Buckets in account 12345 in the us-east-1 region:

GraphQL
|
query {
  queryawsS3(
    filter: { accountId: { eq: "12345" }, region: { eq: "us-east-1" } }
  ) {
    arn
     # Other fields and connections here...
  }
}


Find all of the S3 Buckets that have a tag of Environment:Production for a single AWS Account:

GraphQL
|
query {
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    s3(filter: { accountId: { eq: "12345" } }) {
      arn
      # Other fields and connections here...
    }
  }
}


With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:

GraphQL
|
query {
  queryawsS3(
    filter: { accountId: { eq: "12345" }, region: { eq: "us-east-1" } }
  ) {
    arn
     # Other fields and connections here...
  }
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    s3(filter: { accountId: { eq: "12345" } }) {
      arn
      # Other fields and connections here...
    }
  }
}


Kitchen Sink

Putting it all together; get all data for all S3 Buckets across all regions for all scanned AWS accounts in a single query. For the purposes of this example we will only get direct children of the S3 Buckets but if you want to it's easy to go from say, S3 Bucket -> Subnet -> VPC...etc:

GraphQL
|
query {
  queryawsS3 {
    id
    accountId
    arn
    access
    bucketOwnerName
    region
    requesterPays
    size
    totalNumberOfObjectsInBucket
    transferAcceleration
    corsConfiguration
    encrypted
    lifecycle
    logging
    blockPublicAcls
    ignorePublicAcls
    blockPublicPolicy
    restrictPublicBuckets
    crossRegionReplication
    mfa
    versioning
    staticWebsiteHosting
    bucketPolicies {
      id
      policy {
        id
        # Other fields and connections here...
      }
    }
    kinesisFirehose {
      id
      accountId
      arn
      name
      deliveryStreamStatus
      failureDescriptionType
      failureDescriptionDetails
      encryptionConfig {
        keyARN
        # Other fields and connections here...
      }
      deliveryStreamType
      versionId
      createTimestamp
      lastUpdateTimestamp
      source {
        roleARN
        # Other fields and connections here...
      }
      region
      kinesisStream {
        arn
        # Other fields and connections here...
      }
      s3 {
        arn
        # Other fields and connections here...
      }
      tags {
        id
        key
        value
      }
    }
    tags {
      id
      key
      value
    }
    cloudfrontDistribution {
      id
      accountId
      arn
      etag
      status
      enabled
      priceClass
      domainName
      httpVersion
      lastModified
      callerReference
      ipv6Enabled
      defaultRootObject
      webAclId
      geoRestrictions
      customErrorResponses {
        errorCode
        # Other fields and connections here...
      }
      defaultCacheBehavior {
        id
        # Other fields and connections here...
      }
      orderedCacheBehaviors {
        id
        # Other fields and connections here...
      }
      viewerCertificate {
        iamCertificateId
        # Other fields and connections here...
      }
      origins {
        originId
        # Other fields and connections here...
      }
      elb {
        arn
        # Other fields and connections here...
      }
      s3 {
        arn
        # Other fields and connections here...
      }
      tags {
        id
        key
        value
      }
    }
    cloudtrail {
      id
      arn
      accountId
      name
      s3BucketName
      s3KeyPrefix
      sns {
        id
        # Other fields and connections here...
      }
      includeGlobalServiceEvents
      isMultiRegionTrail
      homeRegion
      logFileValidationEnabled
      cloudWatchLogsLogGroupArn
      cloudWatchLogsRoleArn
      kmsKeyId
      hasCustomEventSelectors
      hasInsightSelectors
      isOrganizationTrail
      tags {
        id
        key
        value
      }
      region
      s3 {
        arn
        # Other fields and connections here...
      }
      kms {
        arn
        # Other fields and connections here...
      }
    }
  }
}


References

Dgraph documentation on querying

AWS S3 documentation

Updated 03 Mar 2023
Did this page help you?
Yes
No
PREVIOUS
RDS Db Instance
NEXT
Security Group
Docs powered by archbee 
TABLE OF CONTENTS
Overview
Filtering
Advanced Filtering
Ordering
Aggregation
Examples
Kitchen Sink
References