Apono Query Language

Learn the key concepts of the Apono Query Language

The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

This reference documents query construction, available components, and common filtering examples.

When you are first starting to build queries, you can quickly learn how to build them by following these steps:

On the Inventory page, click Basic.
Filter the resources.
Click AQL. The AQL syntax will appear in the code box.

Syntax

The following is a basic AQL query.

resource_type = "aws-rds-mysql"

AQL uses a simple field-operator-value pattern.

field operator "value"

Component

Description

field

Attribute or tag to query

operator

Comparative logic

value

Expected value for the field

field

The field component specifies the attribute of your cloud resources to query.

Field

Description

Example

resource_type

Resource type

resource_type = "aws-rds-mysql"

resource_name

Resource name

resource_name contains "prod"

resource_path

Resource Path

resource_path contains "us-east-1"

resource

Resource identifier

resource = "res_12345"

resource_status

Current status

resource_status = "active"

resource_risk_level

Associated risk level

resource_risk_level = "high"

Field

Description

Example

permission_name

Permission name

permission_name = "ReadOnly"

permission

Permission identifier

permission = "perm_12345"

permission_risk_level

Permission risk level

permission_risk_level = "critical"

Field

Description

Example

integration_name

Integration name

integration_name = "AWS-Prod"

integration

Integration identifier

integration = "int_12345"

Field

Description

Example

resource_tag["key"]

Resource tags

resource_tag["environment"] = "prod"

resource_context["key"]

Resource context

resource_context["region"] = "us-east-1"

permission_tag["key"]

Permission tags

permission_tag["type"] = "temporary"

permission_context["key"]

Permission context

permission_context["access"] = "write"

operator

The operator component defines how to evaluate the field against the specified value.

Basic operators that test for equality and inequality between values

Logic

Description

Example

Checks if values are the same

resource_type = "aws-account-dynamodb-table"

Checks if values are different

integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Operators that perform text-based comparisons ranging from exact matches to pattern matching

Logic

Description

Example

contains

Checks if a value contains another value as a substring or pattern

(resource_tag["aws:cloudformation:stack-name"] contains "apono-cloudtrail")

not_contains

Checks if a value does NOT contain another value as a substring or pattern

permission_name not_contains "admin"

starts_with

Checks if a value begins with a specific value or pattern

resource_name starts_with "aws"

ends_with

Checks if a value ends with a specific value or pattern

(resource_tag["env"] ends_with "dev")

Operators that check if values exist within defined sets of options

Logic

Description

Example

Checks if the value is one of a list

resource_type in ("aws-account-dynamodb-table", "aws-account-s3", "aws-account-sns-topic")

not_in

Checks if the value is NOT one of a list

(resource_tag["aws:cloudformation:stack-name"] not_in ("apono-cloudtrail", "apono-doxy-dev"))

Operators that combine multiple conditions to create complex queries

Logic

Description

Example

and

Checks if both conditions are true

resource_type = "aws-account-s3" AND permission_name = "admin"

Checks if either condition is true

resource_type = "aws-account-s3" OR resource_name contains "playground"

not

Negates a condition

integration = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" and not resource_type = "aws-account-sns-topic"

Common Queries

The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies.

Use these queries as a foundation and customize them to fit your specific environment and compliance requirements.

Resource Queries

Queries focused on locating and filtering cloud infrastructure resources

# Find production databases
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Find high-risk resources in specific region
resource_risk_level = "high" and resource_context["region"] = "us-east-1"

# Find resources by team ownership
resource_tag["team"] = "platform" and resource_tag["environment"] = "prod"

Permission Queries

Queries that manage and audit access control settings

# Find critical write permissions
permission_risk_level = "critical" and permission_context["access"] = "write"

# Find temporary access permissions
permission_tag["type"] = "temporary" and permission_status = "active"

# Find elevated permissions
permission_risk_level in ("high","critical") and not permission_name contains "readonly"

Combined Queries

Advanced patterns that merge resource and permission conditions for precise access control

# Find high-risk prod resources with write permissions
resource_name contains "prod"
and resource_risk_level = "high"
and permission_context["access"] = "write"

# Find temporary access to critical resources
resource_risk_level = "critical"
and permission_tag["type"] = "temporary"
and permission_status = "active"

Best Practices

Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability.

Start with a specific condition

AQL processes conditions from left to right. Starting with a specific filter improves efficiency.

# Effective
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Less Efficient
resource_name contains "prod" and resource_type = "aws-rds-mysql"

Use lists instead of multiple OR conditions

When checking multiple values, in (...) is more concise and performs better than chaining multiple or conditions.

# Effective
resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh")

# Less efficient
resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh"

Use parentheses to avoid ambiguity

Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended.

(resource_type = "aws-rds-mysql" and resource_name contains "prod")
or (resource_type = "aws-account-s3" and resource_name contains "backup")

PreviousRisk Scores NextActivity Overview

Last updated 2 months ago

Was this helpful?