Get Involved
Edit on GitHubResources
Filtering Resources
You can use the resources filter to search and filter Resources in the Turbot Guardrails
Console or GraphQL.
- The
resourcesfilter supports the standardsortandlimitkeywords - You can search
Standard Guardrails metadata properties
such as
timestamp,title, etc. Note that you cannot searchactorIdentityIdinresourcesqueries. - You can use Full Text Search to search/filter resources.
- You can use
$.to Search and filter resources on any property of the object. - You can use Tag Filters to filter resources.
- You can filter the scope with Hierarchy Scope Filters. Note that these are implicitly set when filtering the controls page in the Guardrails Console
Examples
| Aim | Filter text |
|---|---|
| Resources that contain "foo" in any aka | resource:foo level:self |
| AWS account 876515858155 | resource:arn:aws:::876515858155 level:self |
| Resources in AWS account 876515858155 | resource:arn:aws:::876515858155 level:descendant |
| Resources with a "department" tag of "sales" | tags:department=/^sales$/i |
| Resources created in the last week | createTimestamp:>T-7d |
| Resources created or updated in the last 15 minutes | timestamp:>T-15m |
| Resources last updated by the user with profile id 170668258072293 | actorIdentityId:170668258072293 |
| EC2 Instances with private IP in the 172.31.6.0/24 range | resourceType:instance $.PrivateIpAddress:<172.31.6.0/24 |
| Volumes larger than 1000MB | resourceType:volume $.Size:>=1000 |
| Unattached Volumes | resourceType:volume $.Attachments.*.State:!attached |
| All compute and storage resources of any type | resourceCategory:compute,storage |
| resources with a data protection control | controlType:dataProtection |
Resources that have an Approved > Public IP policy | policyType:approvedPublicIp |
Searching resources with $.
You can search/filter resources using ANY property of the object using $. and
then indexing into the object with dotted path. You can search arrays using the
+ or * splats (1 level only). For example, this single level splat will
work: $.IpPermissions.*.ToPort:22. This multi-splat search will not:
$.IpPermissions.*.IpRanges.*.CidrIp:192.168.1.54/32
Example: Search/filter S3 Buckets
Acl: Grants: - Grantee: DisplayName: aws+account+aaa ID: 9999999999999999999999999999999999999999999999999999999999999999 Type: CanonicalUser Permission: FULL_CONTROL Owner: DisplayName: aws+account+aaa ID: 9999999999999999999999999999999999999999999999999999999999999999CreationDate: "2019-05-23T11:32:27.000Z"Encryption: ServerSideEncryptionConfiguration: Rules: - ApplyServerSideEncryptionByDefault: SSEAlgorithm: AES256Name: mybucket-aws-account-aaa-s3-1Payer: BucketOwnerPublicAccessBlock: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: trueTags: []Versioning: Status: Enabledturbot: akas: - "arn:aws:s3:::mybucket-aws-account-aaa-s3-1" custom: aws: accountId: "876515858155" regionName: us-east-1 createTimestamp: "2019-05-23T11:32:27.000Z" id: "170962917356427" title: mybucket-aws-account-aaa-s3-1| Aim | Filter text |
|---|---|
| Buckets with SSE Default Encryption | resourceType:bucket $.Encryption.ServerSideEncryptionConfiguration.Rules.*.ApplyServerSideEncryptionByDefault.SSEAlgorithm:AES256 |
| Buckets that dont block public ACLs | resourceType:bucket $.PublicAccessBlock.BlockPublicAcls:!true |
| Buckets with versioning not enabled | resourceType:bucket $.Versioning.Status:!Enabled |