Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an AWS Security Group:
query {
queryawsSecurityGroup {
id
accountId
arn
name
vpcId
description
tags {
id
key
value
}
owner
default
inboundRules {
id
}
outboundRules {
id
}
inboundRuleCount
outboundRuleCount
alb {
arn
}
lambda {
arn
}
elb {
arn
}
ec2Instance {
arn
}
asg {
arn
}
rdsCluster {
arn
}
rdsDbInstance {
arn
}
}
}
Get data for a single AWS Security Group that you know the ID for:
query {
getawsSecurityGroup(id: "12345") {
arn
}
}
Get data for a single Security Group that you know the ARN for:
query {
getawsSecurityGroup(arn: "arn:12345") {
arn
}
}
Get data for all of the Security Groups in a certain AWS account:
query {
queryawsSecurityGroup(filter: { accountId: { eq: "12345" } }) {
arn
}
}
Get data for all of the Security Groups that are NOT in a certain AWS account:
query {
queryawsSecurityGroup(filter: { not: { accountId: { eq: "12345" } } }) {
arn
}
}
Get data for all of the Security Groups that have EC2 Instances in them:
query {
queryawsSecurityGroup(filter: { has: ec2Instance }) {
arn
}
}
Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the Security Groups that have Lambdas AND RDS DB Instances associated with them OR that do not have ALBs associated in them. Note that you can use has, and, not, or completely independently of each other:
query {
queryawsSecurityGroup(
filter: {
has: lambda
and: { has: rdsDbInstance }
or: { not: { has: alb } }
}
) {
arn
}
}
You may also filter using a regex when filtering on a string field like, description if you want to look for a value that matches say, production (case insensitive):
query {
queryawsSecurityGroup(
filter: { description: { regexp: "/.*production.*/i" } }
) {
arn
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryawsSecurityGroup(order: { desc: vpcId }) {
vpcId
}
}
Only select and return the first two Security Groups that are found:
query {
queryawsSecurityGroup(first: 2, order: { desc: vpcId }) {
vpcId
}
}
Only select and return the first two Security Groups that are found, but offset by one so Security Groups two & three are returned:
query {
queryawsSecurityGroup(first: 2, order: { desc: vpcId }, offset: 1) {
arn
}
}
Count the number of Security Groups across all scanned AWS accounts:
query {
aggregateawsSecurityGroup {
count
}
}
Count the number of Security Groups in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregateawsSecurityGroup(filter: { accountId: { eq: "12345" } }) {
count
}
}
Get all of the Security Groups in VPC 12345:
query {
queryawsSecurityGroup(filter: { vpcId: { eq: "12345" } }) {
id
}
}
Find all of the Security Groups that have a tag of Environment:Production for a single AWS Account:
query {
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
securityGroups(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
queryawsSecurityGroup(filter: { vpcId: { eq: "12345" } }) {
id
}
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
securityGroups(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
Putting it all together; get all data for all Security Groups across all regions for all scanned AWS accounts in a single query. For the purposes of this example we will only get direct children of the Security Groups but if you want to it's easy to go from say, Security Group -> ALB -> EC2 -> EBS...etc:
query {
queryawsSecurityGroup {
id
accountId
arn
name
vpcId
description
tags {
id
key
value
}
owner
default
inboundRules {
id
description
portRange
protocol
source
userId
groupName
peeringStatus
}
outboundRules {
id
description
destination
portRange
protocol
userId
groupName
peeringStatus
}
inboundRuleCount
outboundRuleCount
alb {
id
accountId
arn
dnsName
scheme
type
subnets
hostedZone
defaultVpc
ipAddressType
idleTimeout
deletionProtection
http2
accessLogsEnabled
dropInvalidHeaderFields
createdAt
status
tags {
id
key
value
}
securityGroups {
arn
}
ec2Instance {
arn
}
vpc {
arn
}
route53Record {
id
}
listeners {
arn
}
subnet {
arn
}
}
lambda {
id
accountId
arn
description
handler
kmsKeyArn
lastModified
memorySize
reservedConcurrentExecutions
role
runtime
sourceCodeSize
timeout
tracingConfig
version
environmentVariables {
id
key
value
}
tags {
id
key
value
}
kms {
arn
}
securityGroups {
arn
}
subnet {
arn
}
vpc {
arn
}
cognitoUserPool {
arn
}
}
elb {
id
accountId
arn
dnsName
hostedZone
createdAt
type
status
scheme
vpcId
sourceSecurityGroup {
groupName
}
securityGroupsIds
subnets
accessLogs
crossZoneLoadBalancing
idleTimeout
instances {
id
}
healthCheck {
target
}
listeners {
id
}
tags {
id
key
value
}
cloudfrontDistribution {
arn
}
securityGroups {
arn
}
vpc {
arn
}
route53Record {
id
}
subnet {
arn
}
}
ec2Instance {
id
accountId
arn
region
ami
tenancy
elasticIps
publicDns
privateDns
monitoring
privateIps
keyPair {
id
name
fingerprint
}
cpuCoreCount
hibernation
ebsOptimized
ipv4PublicIp
instanceType
ipv6Addresses
placementGroup
instanceState
sourceDestCheck
availabilityZone
cpuThreadsPerCore
iamInstanceProfile
deletionProtection
dailyCost {
cost
currency
formattedCost
}
primaryNetworkInterface
metadataOptions {
state
}
metadatasecurityGroupIdsOptions
securityGroupIds
ephemeralBlockDevices {
deviceName
}
tags {
id
key
value
}
alb {
arn
}
asg {
arn
}
ebs {
arn
}
eip {
arn
}
networkInterfaces {
arn
}
securityGroups {
arn
}
subnet {
arn
}
}
asg {
id
accountId
arn
name
region
launchConfigurationName
launchTemplateId
launchTemplateName
launchTemplateVersion
mixedInstancesPolicy {
launchTemplateId
}
minSize
maxSize
desiredCapacity
predictedCapacity
cooldown
availabilityZones
loadBalancerNames
targetGroupARNs
healthCheckType
healthCheckGracePeriod
ec2InstanceIds
suspendedProcesses {
id
}
placementGroup
vpcZoneIdentifier
enabledMetrics {
id
}
status
terminationPolicies
newInstancesProtectedFromScaleIn
serviceLinkedRoleARN
maxInstanceLifetime
capacityRebalanceEnabled
warmPoolConfigMaxGroupPreparedCapacity
warmPoolConfigMinSize
warmPoolConfigPoolState
warmPoolConfigStatus
warmPoolSize
context
tags {
id
key
value
}
launchConfiguration {
imageId
}
ec2Instance {
arn
}
securityGroups {
arn
}
ebs {
arn
}
subnet {
arn
}
}
rdsCluster {
id
accountId
arn
allocatedStorage
backupRetentionPeriod
characterSetName
databaseName
dbClusterIdentifier
subnets
status
percentProgress
readerEndpoint
multiAZ
engine
engineVersion
port
username
replicationSourceIdentifier
hostedZoneId
encrypted
kmsKey
resourceId
iamDbAuthenticationEnabled
cloneGroupId
createdTime
capacity
engineMode
deletionProtection
httpEndpointEnabled
copyTagsToSnapshot
crossAccountClone
tags {
id
key
value
}
globalWriteForwardingRequested
instances {
arn
}
securityGroups {
arn
}
}
rdsDbInstance {
id
accountId
arn
name
port
address
hostedZoneId
username
resourceId
engine
engineVersion
createdTime
copyTagsToSnapshot
deletionProtection
dBInstanceIdentifier
performanceInsightsEnabled
autoMinorVersionUpgrade
iamDbAuthenticationEnabled
optionsGroups
parameterGroup
storageType
instanceClass
allocatedStorage
multiAZ
subnetGroup
availabilityZone
publiclyAccessible
certificateAuthority
status
failoverPriority
kmsKey
encrypted
tags {
id
key
value
}
cluster {
arn
}
securityGroups {
arn
}
subnet {
arn
}
vpc {
arn
}
}
}
}
