Resources
Filtering Resources
You can use the resources filter to search and filter Resources in the Turbot Guardrails
Console or GraphQL.
- The `resources` filter supports the standard `sort` and `limit` keywords.
- You can search Standard Guardrails metadata properties such as `timestamp`, `title`, etc. Note that you cannot search `actorIdentityId` in `resources` queries.
- You can use Full Text Search to search/filter resources.
- You can use `$.` to search and filter resources on any property of the object.
- You can use Tag Filters to filter resources.
- You can filter the scope with Hierarchy Scope Filters. Note that these are implicitly set when filtering the controls page in the Guardrails Console.
Examples
| Aim | Filter text |
|---|---|
| Resources that contain "foo" in any aka | resource:foo level:self |
| AWS account 876515858155 | resource:arn:aws:::876515858155 level:self |
| Resources in AWS account 876515858155 | resource:arn:aws:::876515858155 level:descendant |
| Resources with a "department" tag of "sales" | tags:department=/^sales$/i |
| Resources created in the last week | createTimestamp:>T-7d |
| Resources created or updated in the last 15 minutes | timestamp:>T-15m |
| Resources last updated by the user with profile id 170668258072293 | actorIdentityId:170668258072293 |
| EC2 Instances with private IP in the 172.31.6.0/24 range | resourceType:instance $.PrivateIpAddress:<172.31.6.0/24 |
| Volumes larger than 1000MB | resourceType:volume $.Size:>=1000 |
| Unattached Volumes | resourceType:volume $.Attachments.*.State:!attached |
| All compute and storage resources of any type | resourceCategory:compute,storage |
| Resources with a data protection control | controlType:dataProtection |
| Resources that have an Approved > Public IP policy | policyType:approvedPublicIp |
Searching resources with $.
You can search/filter resources using ANY property of the object using `$.` and
then indexing into the object with a dotted path. You can search arrays using the
`+` or `*` splats (1 level only). For example, this single-level splat will
work: `$.IpPermissions.*.ToPort:22`. This multi-splat search will not:
`$.IpPermissions.*.IpRanges.*.CidrIp:192.168.1.54/32`.
Example: Search/filter S3 Buckets
```yaml
Acl:
  Grants:
    - Grantee:
        DisplayName: aws+account+aaa
        ID: 9999999999999999999999999999999999999999999999999999999999999999
        Type: CanonicalUser
      Permission: FULL_CONTROL
  Owner:
    DisplayName: aws+account+aaa
    ID: 9999999999999999999999999999999999999999999999999999999999999999
CreationDate: "2019-05-23T11:32:27.000Z"
Encryption:
  ServerSideEncryptionConfiguration:
    Rules:
      - ApplyServerSideEncryptionByDefault:
          SSEAlgorithm: AES256
Name: mybucket-aws-account-aaa-s3-1
Payer: BucketOwner
PublicAccessBlock:
  BlockPublicAcls: true
  BlockPublicPolicy: true
  IgnorePublicAcls: true
  RestrictPublicBuckets: true
Tags: []
Versioning:
  Status: Enabled
turbot:
  akas:
    - "arn:aws:s3:::mybucket-aws-account-aaa-s3-1"
  custom:
    aws:
      accountId: "876515858155"
      regionName: us-east-1
    createTimestamp: "2019-05-23T11:32:27.000Z"
  id: "170962917356427"
  title: mybucket-aws-account-aaa-s3-1
```
| Aim | Filter text |
|---|---|
| Buckets with SSE Default Encryption | resourceType:bucket $.Encryption.ServerSideEncryptionConfiguration.Rules.*.ApplyServerSideEncryptionByDefault.SSEAlgorithm:AES256 |
| Buckets that don't block public ACLs | resourceType:bucket $.PublicAccessBlock.BlockPublicAcls:!true |
| Buckets with versioning not enabled | resourceType:bucket $.Versioning.Status:!Enabled |
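
The `$.` path rules above can be checked before a filter is saved into an audit script. The following is an added example, not Turbot's code: it rejects multi-splat paths, previews which values a path selects in a trimmed, constructed copy of the bucket object above, and composes filter text in the form the tables use. The names `check_path`, `resolve` and `build_filter` are hypothetical, `resolve` is a local approximation rather than the Guardrails filter engine, and treating `+` and `*` alike is an assumption, since the page does not describe a difference.

```python
# Constructed sample: a trimmed copy of the S3 bucket object shown above.
BUCKET = {
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "PublicAccessBlock": {"BlockPublicAcls": True},
    "Versioning": {"Status": "Enabled"},
}

SPLATS = {"*", "+"}  # assumption: both are handled as "each array element" here


def check_path(path):
    """Split a `$.` path into segments and enforce the one-splat-level rule."""
    if not path.startswith("$."):
        raise ValueError("path must start with '$.': " + path)
    segments = path[2:].split(".")
    if "" in segments:
        raise ValueError("empty segment in path: " + path)
    if sum(seg in SPLATS for seg in segments) > 1:
        raise ValueError("only one splat level is supported: " + path)
    return segments


def resolve(obj, path):
    """Local approximation: list the values a path selects in one object."""
    current = [obj]
    for seg in check_path(path):
        selected = []
        for node in current:
            if seg in SPLATS and isinstance(node, list):
                selected.extend(node)        # fan out over array elements
            elif isinstance(node, dict) and seg in node:
                selected.append(node[seg])   # plain key lookup
        current = selected
    return current


def build_filter(resource_type, path, value, negate=False):
    """Compose filter text in the form used by the example tables."""
    check_path(path)
    return "resourceType:%s %s:%s%s" % (
        resource_type, path, "!" if negate else "", value)
```

An empty list from `resolve` means the path matched nothing in the sample object, which usually points to a typo in the path rather than a clean result.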