
# Apono Query Language

Learn the key concepts of the Apono Query Language

The Apono Query Language (AQL) provides a simple, intuitive syntax for filtering cloud resources, integrations, and permissions.

[Figure: AQL query on the Inventory page]

This reference documents query construction, available components, and common filtering examples.

When you are first starting to build queries, you can quickly learn how to build them by following these steps:

1. On the Inventory page, click Basic.
2. Filter the resources.
3. Click AQL. The AQL syntax will appear in the code box.

## Syntax

The following is a basic AQL query.

```
resource_type = "aws-rds-mysql"
```

AQL uses a simple field-operator-value pattern.

```
field operator "value"
```

| Component | Description |
| --- | --- |
| field | Attribute or tag to query |
| operator | Comparative logic |
| value | Expected value for the field |

### field

The field component specifies the attribute of your cloud resources to query.

| Field | Description | Example |
| --- | --- | --- |
| `resource_type` | Resource type | `resource_type = "aws-rds-mysql"` |
| `resource_name` | Resource name | `resource_name contains "prod"` |
| `resource_path` | Resource path | `resource_path contains "us-east-1"` |
| `resource` | Resource identifier | `resource = "res_12345"` |
| `resource_status` | Current status | `resource_status = "active"` |
| `resource_risk_level` | Associated risk level | `resource_risk_level = "high"` |

| Field | Description | Example |
| --- | --- | --- |
| `permission_name` | Permission name | `permission_name = "ReadOnly"` |
| `permission` | Permission identifier | `permission = "perm_12345"` |
| `permission_risk_level` | Permission risk level | `permission_risk_level = "critical"` |

| Field | Description | Example |
| --- | --- | --- |
| `integration_name` | Integration name | `integration_name = "AWS-Prod"` |
| `integration` | Integration identifier | `integration = "int_12345"` |

| Field | Description | Example |
| --- | --- | --- |
| `resource_tag["key"]` | Resource tags | `resource_tag["environment"] = "prod"` |
| `resource_context["key"]` | Resource context | `resource_context["region"] = "us-east-1"` |
| `permission_tag["key"]` | Permission tags | `permission_tag["type"] = "temporary"` |
| `permission_context["key"]` | Permission context | `permission_context["access"] = "write"` |

### operator

The operator component defines how to evaluate the field against the specified value.

Basic operators that test for equality and inequality between values:

| Logic | Description | Example |
| --- | --- | --- |
| `=` | Checks if values are the same | `resource_type = "aws-account-dynamodb-table"` |
| `!=` | Checks if values are different | `integration != "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"` |

Operators that perform text-based comparisons ranging from exact matches to pattern matching:

| Logic | Description | Example |
| --- | --- | --- |
| `contains` | Checks if a value contains another value as a substring or pattern | `(resource_tag["aws:cloudformation:stack-name"] contains "apono-cloudtrail")` |
| `not_contains` | Checks if a value does NOT contain another value as a substring or pattern | `permission_name not_contains "admin"` |
| `starts_with` | Checks if a value begins with a specific value or pattern | `resource_name starts_with "aws"` |
| `ends_with` | Checks if a value ends with a specific value or pattern | `(resource_tag["env"] ends_with "dev")` |

Operators that check if values exist within defined sets of options:

| Logic | Description | Example |
| --- | --- | --- |
| `in` | Checks if the value is one of a list | `resource_type in ("aws-account-dynamodb-table", "aws-account-s3", "aws-account-sns-topic")` |
| `not_in` | Checks if the value is NOT one of a list | `(resource_tag["aws:cloudformation:stack-name"] not_in ("apono-cloudtrail", "apono-doxy-dev"))` |

Operators that combine multiple conditions to create complex queries:

| Logic | Description | Example |
| --- | --- | --- |
| `and` | Checks if both conditions are true | `resource_type = "aws-account-s3" AND permission_name = "admin"` |
| `or` | Checks if either condition is true | `resource_type = "aws-account-s3" OR resource_name contains "playground"` |
| `not` | Negates a condition | `integration = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" and not resource_type = "aws-account-sns-topic"` |

## Common Queries

The following AQL queries demonstrate how to efficiently locate, audit, and manage cloud resources and permissions. They cover common use cases such as identifying high-risk assets, tracking access levels, and enforcing security policies.

Use these queries as a foundation and customize them to fit your specific environment and compliance requirements.

### Resource Queries

Queries focused on locating and filtering cloud infrastructure resources:

```
# Find production databases
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Find high-risk resources in a specific region
resource_risk_level = "high" and resource_context["region"] = "us-east-1"

# Find resources by team ownership
resource_tag["team"] = "platform" and resource_tag["environment"] = "prod"
```

### Permission Queries

Queries that manage and audit access control settings:

```
# Find critical write permissions
permission_risk_level = "critical" and permission_context["access"] = "write"

# Find temporary access permissions
permission_tag["type"] = "temporary" and permission_status = "active"

# Find elevated permissions
permission_risk_level in ("high","critical") and not permission_name contains "readonly"
```

### Combined Queries

Advanced patterns that merge resource and permission conditions for precise access control:

```
# Find high-risk prod resources with write permissions
resource_name contains "prod"
and resource_risk_level = "high"
and permission_context["access"] = "write"

# Find temporary access to critical resources
resource_risk_level = "critical"
and permission_tag["type"] = "temporary"
and permission_status = "active"
```

## Best Practices

Follow these best practices to write AQL queries that are clear, efficient, and easy to modify. These guidelines improve readability, execution speed, and adaptability.

### Start with a specific condition

AQL processes conditions from left to right. Starting with a specific filter improves efficiency.

```
# Efficient
resource_type = "aws-rds-mysql" and resource_name contains "prod"

# Less efficient
resource_name contains "prod" and resource_type = "aws-rds-mysql"
```

### Use lists instead of multiple OR conditions

When checking multiple values, `in (...)` is more concise and performs better than chaining multiple `or` conditions.

```
# Efficient
resource_type in ("aws-rds-mysql", "aws-account-s3", "aws-ec2-ssh")

# Less efficient
resource_type = "aws-rds-mysql" or resource_type = "aws-account-s3" or resource_type = "aws-ec2-ssh"
```

### Use parentheses to avoid ambiguity

Without parentheses, complex conditions can be misinterpreted and return unexpected results. Grouping conditions explicitly ensures the query evaluates as intended.

```
(resource_type = "aws-rds-mysql" and resource_name contains "prod")
or (resource_type = "aws-account-s3" and resource_name contains "backup")
```
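To make the grouping point concrete, here is a small evaluator for the AQL subset documented on this page (the comparison, text, set and logical operators plus `tag["key"]` fields), run against a constructed sample inventory. It is an added illustration, not Apono's implementation: the operator precedence it applies when parentheses are absent (`or` binds loosest, then `and`, then `not`) is this example's assumption, which is exactly why the page advises explicit parentheses. Keyword case (`AND`/`and`) is ignored, as in the page's examples.

```python
import re
# Tokens of the AQL subset on this page; identifiers include resource_tag["key"].
TOK = re.compile(r'\(|\)|,|!=|=|"[^"]*"|[A-Za-z_]+(?:\["[^"]*"\])?')
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "contains": lambda a, b: b in a, "not_contains": lambda a, b: b not in a,
       "starts_with": str.startswith, "ends_with": str.endswith,
       "in": lambda a, b: a in b, "not_in": lambda a, b: a not in b}
def lookup(record, field):  # plain field, or resource_tag["key"]-style; missing -> ""
    m = re.fullmatch(r'(\w+)\["([^"]*)"\]', field)
    return record.get(m[1], {}).get(m[2], "") if m else record.get(field, "")

def evaluate(query, record):
    # Recursive descent; precedence or < and < not is this example's assumption,
    # the page itself only advises writing explicit parentheses.
    toks, pos = TOK.findall(query), [0]
    def peek(): return toks[pos[0]].lower() if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def disj():
        v = conj()
        while peek() == "or": take(); v = conj() or v
        return v
    def conj():
        v = unary()
        while peek() == "and": take(); v = unary() and v
        return v
    def unary():
        if peek() == "not": take(); return not unary()
        if peek() == "(":
            take(); v = disj()
            if take() != ")": raise ValueError("missing ')'")
            return v
        field, op = take(), take().lower()
        if op in ("in", "not_in"):  # list value: "(" v ("," v)* ")"
            end = toks.index(")", pos[0])
            val = [t.strip('"') for t in toks[pos[0] + 1:end] if t != ","]
            pos[0] = end + 1
        else:
            val = take().strip('"')
        return OPS[op](lookup(record, field), val)
    return disj()

def run_query(query, records):  # resource identifiers matching the query
    return [r["resource"] for r in records if evaluate(query, r)]

def row(rid, rtype, name, env):  # constructed sample inventory rows, not real data
    return {"resource": rid, "resource_type": rtype, "resource_name": name,
            "resource_tag": {"environment": env}}
SAMPLE = [row("r1", "aws-rds-mysql", "orders-prod-db", "prod"),
          row("r2", "aws-account-s3", "nightly-backup", "prod"),
          row("r3", "aws-account-s3", "orders-prod-logs", "dev")]
```

Running the page's parenthesised query returns `r1` and `r2`, while the same four conditions regrouped as `(A and B or C) and D` return only `r2`, which is the ambiguity the best practice warns about.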