Apono Query Language

Learn the key concepts of the Apono Query Language

The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

AQL query on the Inventory page

This reference documents query construction, available components, and common filtering examples.


Syntax

The following is a basic AQL query.

resource_type = "aws-rds-mysql"

AQL uses a simple field-operator-value pattern.

field operator "value"
Component   Description
field       Attribute or tag to query
operator    Comparative logic
value       Expected value for the field

field

The field component specifies the attribute of your cloud resources to query.

Field                Description            Example
resource_type        Resource type          resource_type = "aws-rds-mysql"
resource_name        Resource name          resource_name contains "prod"
resource_path        Resource path          resource_path contains "us-east-1"
resource             Resource identifier    resource = "res_12345"
resource_status      Current status         resource_status = "active"
resource_risk_level  Associated risk level  resource_risk_level = "high"

operator

The operator component defines how to evaluate the field against the specified value.

Basic operators that test for equality and inequality between values

Logic  Description                     Example
=      Checks if values are the same   resource_type = "aws-account-dynamodb-table"
!=     Checks if values are different  integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"


Common Queries

The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies.

Use these queries as a foundation and customize them to fit your specific environment and compliance requirements.

Resource Queries

Queries focused on locating and filtering cloud infrastructure resources

# Find production databases
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Find high-risk resources in a specific region
resource_risk_level = "high" and resource_context["region"] = "us-east-1"

# Find resources by team ownership
resource_tag["team"] = "platform" and resource_tag["environment"] = "prod"

Permission Queries

Queries that manage and audit access control settings

# Find critical write permissions
permission_risk_level = "critical" and permission_context["access"] = "write"

# Find temporary access permissions
permission_tag["type"] = "temporary" and permission_status = "active"

# Find elevated permissions
permission_risk_level in ("high","critical") and not permission_name contains "readonly"

Combined Queries

Advanced patterns that merge resource and permission conditions for precise access control

# Find high-risk prod resources with write permissions
resource_name contains "prod"
and resource_risk_level = "high"
and permission_context["access"] = "write"

# Find temporary access to critical resources
resource_risk_level = "critical"
and permission_tag["type"] = "temporary"
and permission_status = "active"

Best Practices

Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability.

Start with a specific condition

AQL processes conditions from left to right. Starting with a specific filter improves efficiency.

# Effective
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Less efficient
resource_name contains "prod" and resource_type = "aws-rds-mysql"

Use lists instead of multiple OR conditions

When checking multiple values, in (...) is more concise and performs better than chaining multiple or conditions.

# Effective
resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh")

# Less efficient
resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh"

Use parentheses to avoid ambiguity

Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended.

(resource_type = "aws-rds-mysql" and resource_name contains "prod")
or (resource_type = "aws-account-s3" and resource_name contains "backup")
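
The last two practices can be checked mechanically before a query is saved or reused in an access policy. The following Python linter is an added example, not Apono code or part of the AQL reference; it covers only the AQL subset shown on this page, and its function names and warning codes are hypothetical. It flags `and` and `or` mixed at one nesting level without assuming which of them AQL binds first.

```python
import re
from collections import Counter

# Tokens of the AQL subset shown on this page: quoted strings, !=, punctuation, words.
TOKEN = re.compile(r'"[^"]*"|!=|[()\[\],=]|[A-Za-z_][A-Za-z0-9_]*')
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def tokenize(query):
    # Skip "# ..." comment lines, as used in the query listings above.
    lines = [ln for ln in query.splitlines() if not ln.lstrip().startswith("#")]
    return TOKEN.findall(" ".join(lines))

def _close(frame, warnings):
    # Both connectives at one nesting level: the grouping depends on precedence.
    if {"and", "or"} <= frame["ops"]:
        warnings.add("mixed-and-or")
    # Only "or" at this level and a field tested with "=" more than once.
    if frame["ops"] == {"or"} and any(n > 1 for n in Counter(frame["eq"]).values()):
        warnings.add("use-in-list")

def lint(query):
    """Return sorted warning codes (hypothetical names) for one AQL query."""
    warnings, stack = set(), [{"ops": set(), "eq": []}]
    toks = tokenize(query)
    for i, tok in enumerate(toks):
        if tok == "(":  # grouping or in-list: open a new nesting level
            stack.append({"ops": set(), "eq": []})
        elif tok == ")":
            if len(stack) == 1:
                warnings.add("unbalanced-parens")
            else:
                _close(stack.pop(), warnings)
        elif tok.lower() in ("and", "or"):
            stack[-1]["ops"].add(tok.lower())
        elif tok == "=" and i > 0 and IDENT.fullmatch(toks[i - 1]):
            stack[-1]["eq"].append(toks[i - 1])  # plain field = "value" test
    if len(stack) > 1:
        warnings.add("unbalanced-parens")
    while stack:
        _close(stack.pop(), warnings)
    return sorted(warnings)

# Constructed input: the grouped query above with its parentheses removed.
UNGROUPED = ('resource_type = "aws-rds-mysql" and resource_name contains "prod" '
             'or resource_type = "aws-account-s3" and resource_name contains "backup"')

if __name__ == "__main__":
    print(lint(UNGROUPED))
```

Tests on map-style fields such as resource_tag["team"] are not counted toward the in-list suggestion.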
