LogoLogo
Documentation and Guides
Documentation and Guides
  • ABOUT APONO
    • Why Choose Apono
    • Security and Architecture
    • Glossary
  • GETTING STARTED
    • How Apono Works
    • Getting started
    • Access Discovery
    • Integrating with Apono
  • CONNECTORS AND SECRETS
    • Apono Integration Secret
    • High Availability for Connectors
    • Installing a connector with Docker
    • Manage integrations
    • Manage connectors
  • AWS ENVIRONMENT
    • AWS Overview
    • Apono Connector for AWS
      • Installing a connector on EKS Using Terraform
      • Updating a connector in AWS
      • Installing a connector on AWS ECS using Terraform
    • AWS Integrations
      • Integrate an AWS account or organization
        • Auto Discover AWS RDS Instances
        • AWS Best Practices
      • Amazon Redshift
      • RDS PostgreSQL
      • AWS RDS MySQL
      • Integrate with EKS
      • AWS Lambda Custom Integration
      • EC2 via Systems Manager Agent (SSM)
  • AZURE ENVIRONMENT
    • Apono Connector for Azure
      • Install an Azure connector on ACI using Azure CLI
      • Install an Azure connector on ACI using PowerShell
      • Install an Azure connector on ACI using Terraform
      • Updating a connector in Azure
    • Azure Integrations
      • Integrate with Azure Management Group or Subscription
        • Auto Discover Azure SQL Databases
      • Azure MySQL
      • Azure PostgreSQL
      • Integrate with AKS
  • GCP ENVIRONMENT
    • Apono Connector for GCP
      • Installing a GCP connector on Cloud Run using CLI
      • Installing a GCP connector on GKE using CLI (Helm)
      • Installing a GCP connector on GKE using Terraform
      • Updating a connector in Google Cloud
    • GCP Integrations
      • Integrate a GCP organization or project
      • CloudSQL - MySQL
      • CloudSQL - PostgreSQL
      • Google Cloud Functions
      • Integrate with GKE
      • AlloyDB
  • KUBERNETES ENVIRONMENT
    • Apono Connector for Kubernetes
      • Installing a connector on Kubernetes with AWS permissions
      • Updating a Kubernetes connector
    • Kubernetes Integrations
      • Integrate with Self-Managed Kubernetes
  • ADDITIONAL INTEGRATIONS
    • Databases and Data Repositories
      • Microsoft SQL Server
      • MongoDB
      • MongoDB Atlas
      • MongoDB Atlas Portal
      • MySQL
      • Oracle Database
      • PostgreSQL
      • Redis Cloud (Redislabs)
      • Snowflake
      • Vertica
      • MariaDB
    • Network Management
      • SSH Servers
      • RDP Servers
      • Windows Domain Controller
      • AWS EC2 SSH Servers
      • Azure VM SSH Servers
      • Installing the Apono HTTP Proxy
    • Development Tools
      • GitHub
      • Rancher
    • Identity Providers
      • Okta SCIM
      • Okta Groups
      • Okta SSO for Apono logins
      • Google Workspace (Gsuite)
      • Google Workspace (GSuite) Groups
      • Azure Active Directory (Microsoft Entra ID)
      • Azure Active Directory (Entra ID) Groups
      • Jumpcloud
      • JumpCloud Groups
      • OneLogin
      • OneLogin Group
      • LDAP Groups
      • The Manager Attribute in Access Flows
      • HiBob
      • Ping Identity SSO
    • Incident Response Integrations
      • Opsgenie
      • PagerDuty
      • VictorOps (Splunk On-Call)
      • Zenduty
    • ChatOps Integrations
      • Slack integration
      • Teams integration
      • Backstage Integration
  • WEBHOOK INTEGRATIONS
    • Webhooks Overview
    • Anomaly Webhook
    • Audit Log Webhook
    • Request Webhook
      • Custom Webhooks
      • Communications and Notifications
        • Slack Outbound Webhooks
        • Teams
        • Outlook and Gmail (Using Azure Logic App)
      • ITSM
        • Freshdesk
        • Jira
        • ServiceNow
        • Zendesk
        • Freshservice
        • ServiceDesk Plus
      • Logs and SIEMs
        • Coralogix
        • Datadog
        • Logz.io
        • Grafana
        • New Relic
        • SolarWinds
        • Sumo Logic
        • Cortex
        • Logpoint
        • Splunk
        • Microsoft Sentinel
      • Orchestration and workflow builders
        • Okta Workflows
        • Torq
    • Integration Webhook
    • Webhook Payload References
      • Audit Log Webhook Payload Schema Reference
      • Webhook Payload Schema Reference
    • Manage webhooks
    • Troubleshoot a webhook
    • Manual Webhook
      • ITSM
        • PagerDuty
  • ACCESS FLOWS
    • Access Flows
      • What are Access Flows?
    • Create Access Flows
      • Self Serve Access Flows
      • Automatic Access Flows
      • Access Duration
    • Manage Access Flows
      • Right Sizing
    • Revoke Access
    • Dynamic Access Management
      • Resource and Integration Owners
    • Common Use Cases
      • Ensuring SLA
      • Protecting PII and Customer Data
      • Production Stability and Management
      • Break Glass Protocol
    • Create Bundles
    • Manage Bundles
  • ACCESS REQUESTS AND APPROVALS
    • Slack
      • Requesting Access with Slack
      • Approving Access with Slack
    • Teams
      • Requesting Access with Teams
      • Approving Access with Teams
    • CLI
      • Install and manage the Apono CLI
      • Requesting Access with CLI
    • Web Portal
      • Requesting Access with the Web Portal
      • Approving Access with the Web Portal
      • Reviewing historical requests with the Web Portal
    • Freshservice
    • Favorites
  • Inventory
    • Inventory Overview
    • Inventory
    • Access Scopes
    • Risk Scores
    • Apono Query Language
  • AUDITS AND REPORTS
    • Activity Overview
      • Activity
      • Create Reports
      • Manage Reports
    • Compliance: Audit and Reporting
    • Auditing Access in Apono
    • Admin Audit Log (Syslog)
  • HELP AND DEBUGGING
    • Integration Status Page
    • Troubleshooting Errors
  • ARCHITECTURE AND SECURITY
    • Anomaly Detection
    • Multi-factor Authentication
    • Credentials Rotation Policy
    • Periodic User Cleanup & Deletion
    • End-user Authentication
    • Personal API Tokens
  • User Administration
    • Role-Based Access Control (RBAC) Reference
    • Create Identities
    • Manage Identities
Powered by GitBook
On this page
  • Syntax
  • Common Queries
  • Best Practices

Was this helpful?

Export as PDF
  1. Inventory

Apono Query Language

Learn the key concepts of the Apono Query Language

PreviousRisk ScoresNextActivity Overview

Last updated 28 days ago

Was this helpful?

The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

This reference documents query construction, available components, and common filtering examples.

When you are first starting to build queries, you can quickly learn how to build them by following these steps:

  1. On the page, click Basic.

  2. .

  3. Click AQL. The AQL syntax will appear in the code box.


Syntax

The following is a basic AQL query.

resource_type = "aws-rds-mysql"

AQL uses a simple field-operator-value pattern.

field operator "value"
Component
Description

Attribute or tag to query

Comparative logic

value

Expected value for the field

field

The field component specifies the attribute of your cloud resources to query.

Field
Description
Example

resource_type

Resource type

resource_type = "aws-rds-mysql"

resource_name

Resource name

resource_name contains "prod"

resource_path

Resource Path

resource_path contains "us-east-1"

resource

Resource identifier

resource = "res_12345"

resource_status

Current status

resource_status = "active"

resource_risk_level

Associated risk level

resource_risk_level = "high"

Field
Description
Example

permission_name

Permission name

permission_name = "ReadOnly"

permission

Permission identifier

permission = "perm_12345"

permission_risk_level

Permission risk level

permission_risk_level = "critical"

Field
Description
Example

integration_name

Integration name

integration_name = "AWS-Prod"

integration

Integration identifier

integration = "int_12345"

Field
Description
Example

resource_tag["key"]

Resource tags

resource_tag["environment"] = "prod"

resource_context["key"]

Resource context

resource_context["region"] = "us-east-1"

permission_tag["key"]

Permission tags

permission_tag["type"] = "temporary"

permission_context["key"]

Permission context

permission_context["access"] = "write"

operator

The operator component defines how to evaluate the field against the specified value.

Basic operators that test for equality and inequality between values

Logic
Description
Example

=

Checks if values are the same

resource_type = "aws-account-dynamodb-table"

!=

Checks if values are different

integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Operators that perform text-based comparisons ranging from exact matches to pattern matching

Logic
Description
Example

contains

Checks if a value contains another value as a substring or pattern

(resource_tag["aws:cloudformation:stack-name"] contains "apono-cloudtrail")

not_contains

Checks if a value does NOT contain another value as a substring or pattern

permission_name not_contains "admin"

starts_with

Checks if a value begins with a specific value or pattern

resource_name starts_with "aws"

ends_with

Checks if a value ends with a specific value or pattern

(resource_tag["env"] ends_with "dev")

Operators that check if values exist within defined sets of options

Logic
Description
Example

in

Checks if the value is one of a list

resource_type in ("aws-account-dynamodb-table", "aws-account-s3", "aws-account-sns-topic")

not_in

Checks if the value is NOT one of a list

(resource_tag["aws:cloudformation:stack-name"] not_in ("apono-cloudtrail", "apono-doxy-dev"))

Operators that combine multiple conditions to create complex queries

Logic
Description
Example

and

Checks if both conditions are true

resource_type = "aws-account-s3" AND permission_name = "admin"

or

Checks if either condition is true

resource_type = "aws-account-s3" OR resource_name contains "playground"

not

Negates a condition

integration = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" and not resource_type = "aws-account-sns-topic"


Common Queries

The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies.

Use these queries as a foundation and customize them to fit your specific environment and compliance requirements.

Resource Queries

Queries focused on locating and filtering cloud infrastructure resources

# Find production databases
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Find high-risk resources in specific region
resource_risk_level = "high" and resource_context["region"] = "us-east-1"

# Find resources by team ownership
resource_tag["team"] = "platform" and resource_tag["environment"] = "prod"

Permission Queries

Queries that manage and audit access control settings

# Find critical write permissions
permission_risk_level = "critical" and permission_context["access"] = "write"

# Find temporary access permissions
permission_tag["type"] = "temporary" and permission_status = "active"

# Find elevated permissions
permission_risk_level in ("high","critical") and not permission_name contains "readonly"

Combined Queries

Advanced patterns that merge resource and permission conditions for precise access control

# Find high-risk prod resources with write permissions
resource_name contains "prod"
and resource_risk_level = "high"
and permission_context["access"] = "write"

# Find temporary access to critical resources
resource_risk_level = "critical"
and permission_tag["type"] = "temporary"
and permission_status = "active"

Best Practices

Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability.

Start with a specific condition

AQL processes conditions from left to right. Starting with a specific filter improves efficiency.

# Effective
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Less Efficient
resource_name contains "prod" and resource_type = "aws-rds-mysql"

Use lists instead of multiple OR conditions

When checking multiple values, in (...) is more concise and performs better than chaining multiple or conditions.

# Effective
resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh")

# Less efficient
resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh"

Use parentheses to avoid ambiguity

Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended.

(resource_type = "aws-rds-mysql" and resource_name contains "prod")
or (resource_type = "aws-account-s3" and resource_name contains "backup")

field
operator
Inventory
AQL query on the Inventory page
Filter the resources