# Apono Query Language The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

This reference documents query construction, available components, and common filtering examples. {% hint style="success" %} When you are first starting to build queries, you can quickly learn how to build them by following these steps: 1. On the [**Inventory**](https://app.apono.io/inventory) page, click **Basic**. 2. [Filter the resources](https://docs.apono.io/docs/inventory#filter-resources). 3. Click **AQL**. The AQL syntax will appear in the code box. {% endhint %} *** ### **Syntax** The following is a basic AQL query. ```sql resource_type = "aws-rds-mysql" ``` AQL uses a simple **field-operator-value** pattern. ```sql field operator "value" ```

Component	Description
field	Attribute or tag to query
operator	Comparative logic
value	Expected value for the field

#### field The `field` component specifies the attribute of your cloud resources to query. {% tabs %} {% tab title="Resource" %}

Field	Description	Example
resource_type	Resource type	`resource_type = "aws-rds-mysql"`
resource_name	Resource name	`resource_name contains "prod"`
resource_path	Resource Path	`resource_path contains "us-east-1"`
resource	Resource identifier	`resource = "res_12345"`
resource_status	Current status	`resource_status = "active"`
resource_risk_level	Associated risk level	`resource_risk_level = "high"`

{% endtab %} {% tab title="Permission" %}

Field	Description	Example
permission_name	Permission name	`permission_name = "ReadOnly"`
permission	Permission identifier	`permission = "perm_12345"`
permission_risk_level	Permission risk level	`permission_risk_level = "critical"`

{% endtab %} {% tab title="Integration" %}

Field	Description	Example
integration_name	Integration name	`integration_name = "AWS-Prod"`
integration	Integration identifier	`integration = "int_12345"`

{% endtab %} {% tab title="Metadata" %}

Field	Description	Example
resource_tag["key"]	Resource tags	`resource_tag["environment"] = "prod"`
resource_context["key"]	Resource context	`resource_context["region"] = "us-east-1"`
permission_tag["key"]	Permission tags	`permission_tag["type"] = "temporary"`
permission_context["key"]	Permission context	`permission_context["access"] = "write"`

{% endtab %} {% endtabs %} #### operator The `operator` component defines how to evaluate the `field` against the specified `value`. {% tabs %} {% tab title="Comparison" %} Basic operators that test for equality and inequality between values

Logic	Description	Example
=	Checks if values are the same	`resource_type = "aws-account-dynamodb-table"`
!=	Checks if values are different	`integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`

{% endtab %} {% tab title="String Matching" %} Operators that perform text-based comparisons ranging from exact matches to pattern matching

Logic	Description	Example
contains	Checks if a value contains another value as a substring or pattern	`(resource_tag["aws:cloudformation:stack-name"] contains "apono-cloudtrail")`
not_contains	Checks if a value does NOT contain another value as a substring or pattern	`permission_name not_contains "admin"`
starts_with	Checks if a value begins with a specific value or pattern	`resource_name starts_with "aws"`
ends_with	Checks if a value ends with a specific value or pattern	`(resource_tag["env"] ends_with "dev")`

{% endtab %} {% tab title="Lists" %} Operators that check if values exist within defined sets of options

Logic	Description	Example
in	Checks if the value is one of a list	`resource_type in ("aws-account-dynamodb-table", "aws-account-s3", "aws-account-sns-topic")`
not_in	Checks if the value is NOT one of a list	`(resource_tag["aws:cloudformation:stack-name"] not_in ("apono-cloudtrail", "apono-doxy-dev"))`

{% endtab %} {% tab title="Logic" %} Operators that combine multiple conditions to create complex queries

Logic	Description	Example
and	Checks if both conditions are true	`resource_type = "aws-account-s3" AND permission_name = "admin"`
or	Checks if either condition is true	`resource_type = "aws-account-s3" OR resource_name contains "playground"`
not	Negates a condition	`integration = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" and not resource_type = "aws-account-sns-topic"`

{% endtab %} {% endtabs %} *** ### Common Queries The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies. Use these queries as a foundation and customize them to fit your specific environment and compliance requirements. #### Resource Queries Queries focused on locating and filtering cloud infrastructure resources ```sql # Find production databases resource_type = "aws-rds-mysql" and resource_name contains "prod" # Find high-risk resources in specific region resource_risk_level = "high" and resource_context["region"] = "us-east-1" # Find resources by team ownership resource_tag["team"] = "platform" and resource_tag["environment"] = "prod" ``` #### Permission Queries Queries that manage and audit access control settings {% code overflow="wrap" %} ```sql # Find critical write permissions permission_risk_level = "critical" and permission_context["access"] = "write" # Find temporary access permissions permission_tag["type"] = "temporary" and permission_status = "active" # Find elevated permissions permission_risk_level in ("high","critical") and not permission_name contains "readonly" ``` {% endcode %} #### Combined Queries Advanced patterns that merge resource and permission conditions for precise access control ```sql # Find high-risk prod resources with write permissions resource_name contains "prod" and resource_risk_level = "high" and permission_context["access"] = "write" # Find temporary access to critical resources resource_risk_level = "critical" and permission_tag["type"] = "temporary" and permission_status = "active" ``` *** ### Best Practices Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability. #### Start with a specific condition AQL processes conditions from left to right. Starting with a specific filter improves efficiency. ```sql # Effective resource_type = "aws-rds-mysql" and resource_name contains "prod" # Less Efficient resource_name contains "prod" and resource_type = "aws-rds-mysql" ``` #### Use lists instead of multiple OR conditions When checking multiple values, `in (...)` is more concise and performs better than chaining multiple `or` conditions. {% code overflow="wrap" %} ```sql # Effective resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh") # Less efficient resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh" ``` {% endcode %} #### Use parentheses to avoid ambiguity Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended. ```sql (resource_type = "aws-rds-mysql" and resource_name contains "prod") or (resource_type = "aws-account-s3" and resource_name contains "backup") ```