# Apono Query Language The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

This reference documents query construction, available components, and common filtering examples. {% hint style="success" %} When you are first starting to build queries, you can quickly learn how to build them by following these steps: 1. On the [**Inventory**](https://app.apono.io/inventory) page, click **Basic**. 2. [Filter the resources](https://docs.apono.io/docs/inventory#filter-resources). 3. Click **AQL**. The AQL syntax will appear in the code box. {% endhint %} *** ### **Syntax** The following is a basic AQL query. ```sql resource_type = "aws-rds-mysql" ``` AQL uses a simple **field-operator-value** pattern. ```sql field operator "value" ```

Component	Description
field	Attribute or tag to query
operator	Comparative logic
value	Expected value for the field

#### field The `field` component specifies the attribute of your cloud resources to query. {% tabs %} {% tab title="Resource" %}

Field	Description	Example
resource_type	Resource type	`resource_type = "aws-rds-mysql"`
resource_name	Resource name	`resource_name contains "prod"`
resource_path	Resource Path	`resource_path contains "us-east-1"`
resource	Resource identifier	`resource = "res_12345"`
resource_status	Current status	`resource_status = "active"`
resource_risk_level	Associated risk level	`resource_risk_level = "high"`

{% endtab %} {% tab title="Permission" %}

Field	Description	Example
permission_name	Permission name	`permission_name = "ReadOnly"`
permission	Permission identifier	`permission = "perm_12345"`
permission_risk_level	Permission risk level	`permission_risk_level = "critical"`

{% endtab %} {% tab title="Integration" %}

Field	Description	Example
integration_name	Integration name	`integration_name = "AWS-Prod"`
integration	Integration identifier	`integration = "int_12345"`

{% endtab %} {% tab title="Metadata" %}

Field	Description	Example
resource_tag["key"]	Resource tags	`resource_tag["environment"] = "prod"`
resource_context["key"]	Resource context	`resource_context["region"] = "us-east-1"`
permission_tag["key"]	Permission tags	`permission_tag["type"] = "temporary"`
permission_context["key"]	Permission context	`permission_context["access"] = "write"`

{% endtab %} {% endtabs %} #### operator The `operator` component defines how to evaluate the `field` against the specified `value`. {% tabs %} {% tab title="Comparison" %} Basic operators that test for equality and inequality between values

Logic	Description	Example
=	Checks if values are the same	`resource_type = "aws-account-dynamodb-table"`
!=	Checks if values are different	`integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`

{% endtab %} {% tab title="String Matching" %} Operators that perform text-based comparisons ranging from exact matches to pattern matching

Logic	Description	Example
contains	Checks if a value contains another value as a substring or pattern	`(resource_tag["aws:cloudformation:stack-name"] contains "apono-cloudtrail")`
not_contains	Checks if a value does NOT contain another value as a substring or pattern	`permission_name not_contains "admin"`
starts_with	Checks if a value begins with a specific value or pattern	`resource_name starts_with "aws"`
ends_with	Checks if a value ends with a specific value or pattern	`(resource_tag["env"] ends_with "dev")`

{% endtab %} {% tab title="Lists" %} Operators that check if values exist within defined sets of options

Logic	Description	Example
in	Checks if the value is one of a list	`resource_type in ("aws-account-dynamodb-table", "aws-account-s3", "aws-account-sns-topic")`
not_in	Checks if the value is NOT one of a list	`(resource_tag["aws:cloudformation:stack-name"] not_in ("apono-cloudtrail", "apono-doxy-dev"))`

{% endtab %} {% tab title="Logic" %} Operators that combine multiple conditions to create complex queries

Logic	Description	Example
and	Checks if both conditions are true	`resource_type = "aws-account-s3" AND permission_name = "admin"`
or	Checks if either condition is true	`resource_type = "aws-account-s3" OR resource_name contains "playground"`
not	Negates a condition	`integration = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" and not resource_type = "aws-account-sns-topic"`

{% endtab %} {% endtabs %} *** ### Common Queries The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies. Use these queries as a foundation and customize them to fit your specific environment and compliance requirements. #### Resource Queries Queries focused on locating and filtering cloud infrastructure resources ```sql # Find production databases resource_type = "aws-rds-mysql" and resource_name contains "prod" # Find high-risk resources in specific region resource_risk_level = "high" and resource_context["region"] = "us-east-1" # Find resources by team ownership resource_tag["team"] = "platform" and resource_tag["environment"] = "prod" ``` #### Permission Queries Queries that manage and audit access control settings {% code overflow="wrap" %} ```sql # Find critical write permissions permission_risk_level = "critical" and permission_context["access"] = "write" # Find temporary access permissions permission_tag["type"] = "temporary" and permission_status = "active" # Find elevated permissions permission_risk_level in ("high","critical") and not permission_name contains "readonly" ``` {% endcode %} #### Combined Queries Advanced patterns that merge resource and permission conditions for precise access control ```sql # Find high-risk prod resources with write permissions resource_name contains "prod" and resource_risk_level = "high" and permission_context["access"] = "write" # Find temporary access to critical resources resource_risk_level = "critical" and permission_tag["type"] = "temporary" and permission_status = "active" ``` *** ### Best Practices Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability. #### Start with a specific condition AQL processes conditions from left to right. Starting with a specific filter improves efficiency. ```sql # Effective resource_type = "aws-rds-mysql" and resource_name contains "prod" # Less Efficient resource_name contains "prod" and resource_type = "aws-rds-mysql" ``` #### Use lists instead of multiple OR conditions When checking multiple values, `in (...)` is more concise and performs better than chaining multiple `or` conditions. {% code overflow="wrap" %} ```sql # Effective resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh") # Less efficient resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh" ``` {% endcode %} #### Use parentheses to avoid ambiguity Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended. ```sql (resource_type = "aws-rds-mysql" and resource_name contains "prod") or (resource_type = "aws-account-s3" and resource_name contains "backup") ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.apono.io/docs/inventory/apono-query-language.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.