Mondoo Amazon Web Services (AWS) Resource Pack Reference

The Amazon Web Services (AWS) resource pack lets you use MQL to query and assess the security of your AWS cloud services.

Resources included in this pack:

Resource | Description
aws | AWS resource
aws.accessAnalyzer | AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer)
aws.accessanalyzer.analyzer | AWS IAM Access Analyzer resource (provides an object representing an individual AWS IAM Access Analyzer configuration)
aws.account | AWS Account
aws.acm | AWS Certificate Manager resource (for assessing the configuration of AWS Certificate Manager)
aws.acm.certificate | AWS Certificate Manager Certificate resource (provides an object representing an individual ACM certificate)
aws.apigateway | Amazon API Gateway
aws.apigateway.restapi | Amazon API Gateway REST API
aws.apigateway.stage | Amazon API Gateway REST API stages
aws.applicationAutoscaling | AWS Application Auto Scaling
aws.applicationautoscaling.target | AWS Application Auto Scaling target
aws.autoscaling | AWS Auto Scaling
aws.autoscaling.group | AWS Auto Scaling group
aws.backup | AWS Backup
aws.backup.vault | AWS Backup vault
aws.backup.vaultRecoveryPoint | AWS Backup vault recovery point
aws.cloudfront | Amazon CloudFront
aws.cloudfront.distribution | Amazon CloudFront distribution
aws.cloudfront.distribution.origin | Amazon CloudFront distribution origin
aws.cloudfront.function | Amazon CloudFront function
aws.cloudtrail | AWS CloudTrail
aws.cloudtrail.trail | AWS CloudTrail trail
aws.cloudwatch | Amazon CloudWatch
aws.cloudwatch.loggroup | Amazon CloudWatch log group
aws.cloudwatch.loggroup.metricsfilter | Amazon CloudWatch log group metrics filter
aws.cloudwatch.metric | Amazon CloudWatch metric
aws.cloudwatch.metric.datapoint | Amazon CloudWatch metric datapoint
aws.cloudwatch.metricdimension | Amazon CloudWatch metric dimension
aws.cloudwatch.metricsalarm | Amazon CloudWatch metrics alarm
aws.cloudwatch.metricstatistics | Amazon CloudWatch metric statistics
aws.codebuild | AWS CodeBuild for building and testing code
aws.codebuild.project | AWS CodeBuild project
aws.config | AWS Config
aws.config.deliverychannel | AWS Config delivery channel
aws.config.recorder | AWS Config recorder
aws.config.rule | AWS Config rule
aws.dms | AWS Database Migration Service (DMS)
aws.dynamodb | Amazon DynamoDB
aws.dynamodb.export | Amazon DynamoDB export
aws.dynamodb.globaltable | Amazon DynamoDB global table
aws.dynamodb.limit | Amazon DynamoDB limits
aws.dynamodb.table | Amazon DynamoDB table
aws.ec2 | Amazon EC2
aws.ec2.eip | Amazon Elastic IP (EIP)
aws.ec2.image | Amazon EC2 image (AMI)
aws.ec2.instance | Amazon EC2 instance
aws.ec2.instance.device | Amazon EC2 instance block device
aws.ec2.internetgateway | Amazon EC2 internet gateway
aws.ec2.keypair | Amazon EC2 key pair
aws.ec2.networkacl | Amazon EC2 network ACL
aws.ec2.networkacl.entry | Amazon EC2 network ACL entry
aws.ec2.networkacl.entry.portrange | Amazon EC2 network ACL entry port range
aws.ec2.networkinterface | AWS EC2 network interface
aws.ec2.securitygroup | Amazon EC2 security group
aws.ec2.securitygroup.ippermission | Amazon EC2 security group IP permission
aws.ec2.snapshot | Amazon EC2 (EBS) snapshot
aws.ec2.vgwtelemetry | Amazon EC2 VPN tunnel telemetry
aws.ec2.volume | Amazon EC2 (EBS) volume
aws.ec2.vpnconnection | Amazon EC2 VPN connection
aws.ecr | AWS Elastic Container Registry (ECR)
aws.ecr.image | AWS Elastic Container Registry image
aws.ecr.repository | AWS Elastic Container Registry repository
aws.ecs | Amazon Elastic Container Service (ECS)
aws.ecs.cluster | Amazon ECS cluster
aws.ecs.container | Amazon ECS container
aws.ecs.instance | AWS ECS container instance
aws.ecs.task | Amazon ECS task
aws.efs | AWS Elastic File System (EFS) service
aws.efs.filesystem | AWS Elastic File System (EFS) file system
aws.eks | Amazon Elastic Kubernetes Service (EKS)
aws.eks.addon | Amazon EKS add-on
aws.eks.cluster | Amazon EKS cluster
aws.eks.nodegroup | Amazon EKS managed node group
aws.elasticache | Amazon ElastiCache
aws.elasticache.cluster | Amazon ElastiCache cluster
aws.elb | AWS Elastic Load Balancing
aws.elb.loadbalancer | AWS Elastic Load Balancing load balancer
aws.elb.targetgroup | AWS Elastic Load Balancer (ELB) target group
aws.emr | Amazon EMR
aws.emr.cluster | Amazon EMR cluster
aws.es | AWS Elasticsearch service domain
aws.guardduty | Amazon GuardDuty for threat detection
aws.guardduty.detector | Amazon GuardDuty detector
aws.iam | AWS service to create and manage permissions for users and groups
aws.iam.group | AWS IAM group
aws.iam.loginProfile | AWS IAM login profile for a user
aws.iam.policy | AWS IAM policy
aws.iam.policyversion | AWS IAM policy version
aws.iam.role | AWS IAM role
aws.iam.user | AWS IAM user
aws.iam.usercredentialreportentry | Entry in AWS IAM credential report
aws.iam.virtualmfadevice | AWS IAM virtual MFA device
aws.inspector | Amazon Inspector
aws.inspector.coverage | Amazon Inspector environment coverage
aws.inspector.coverage.image | Amazon Inspector container image coverage group
aws.inspector.coverage.instance | Amazon Inspector instance coverage group
aws.inspector.coverage.repository | Amazon Inspector container registry coverage group
aws.kms | AWS Key Management Service (KMS)
aws.kms.key | AWS Key Management Service (KMS) key
aws.lambda | AWS Lambda
aws.lambda.function | AWS Lambda function
aws.organization | AWS Organization resource
aws.rds | Amazon Relational Database Service (RDS)
aws.rds.backupsetting | Amazon RDS backup setting
aws.rds.dbcluster | Amazon RDS database cluster
aws.rds.dbinstance | Amazon RDS database instance
aws.rds.snapshot | Amazon RDS snapshot
aws.redshift | Amazon Redshift
aws.redshift.cluster | Amazon Redshift cluster
aws.s3 | Amazon S3 cloud object storage
aws.s3.bucket | Amazon S3 bucket
aws.s3.bucket.corsrule | Amazon S3 bucket CORS rule
aws.s3.bucket.grant | Amazon S3 bucket grant
aws.s3.bucket.policy | Amazon S3 bucket policy
aws.s3control | Amazon S3 bucket control
aws.sagemaker | AWS SageMaker
aws.sagemaker.endpoint | AWS SageMaker endpoint
aws.sagemaker.notebookinstance | AWS SageMaker notebook instance
aws.sagemaker.notebookinstance.details | AWS SageMaker notebook instance details
aws.secretsmanager | AWS Secrets Manager
aws.secretsmanager.secret | AWS Secrets Manager secret
aws.securityhub | AWS Security Hub
aws.securityhub.hub | AWS Security Hub hub
aws.sns | AWS Simple Notification Service (SNS)
aws.sns.subscription | AWS Simple Notification Service (SNS) subscription
aws.sns.topic | AWS Simple Notification Service (SNS) topic
aws.sqs | Amazon Simple Queue Service (SQS)
aws.sqs.queue | Amazon Simple Queue Service (SQS) queue
aws.ssm | Amazon Systems Manager
aws.ssm.instance | Amazon SSM instance
aws.ssm.parameter | Amazon SSM parameter
aws.vpc | Amazon Virtual Private Cloud (VPC)
aws.vpc.endpoint | Amazon Virtual Private Cloud (VPC) endpoint
aws.vpc.flowlog | Amazon Virtual Private Cloud (VPC) flow log
aws.vpc.natgateway | Amazon VPC NAT gateway
aws.vpc.natgateway.address | Amazon VPC NAT gateway address
aws.vpc.peeringConnection | Amazon VPC peering connection
aws.vpc.peeringConnection.peeringVpc | Amazon VPC peering connection peering VPC
aws.vpc.routetable | Amazon Virtual Private Cloud (VPC) route table
aws.vpc.routetable.association | Amazon Virtual Private Cloud (VPC) route table association
aws.vpc.serviceEndpoint | Amazon VPC service endpoint
aws.vpc.subnet | Amazon Virtual Private Cloud (VPC) subnet
aws.waf | Amazon WAF v2
aws.waf.acl | Amazon WAF v2 ACL
aws.waf.ipset | Amazon WAF IP set (defining IP ranges)
aws.waf.rule | Amazon WAF rule
aws.waf.rule.action | Action that happens if a rule statement matches
aws.waf.rule.fieldtomatch | Field to match
aws.waf.rule.fieldtomatch.body | Body of the field to match
aws.waf.rule.fieldtomatch.cookie | Cookie of the field to match
aws.waf.rule.fieldtomatch.headerorder | Order of headers of the field to match
aws.waf.rule.fieldtomatch.headers.matchpattern | The pattern to match
aws.waf.rule.fieldtomatch.ja3fingerprint | JA3 fingerprint
aws.waf.rule.fieldtomatch.jsonbody | Request body as JSON
aws.waf.rule.fieldtomatch.jsonbody.matchpattern | The pattern to match
aws.waf.rule.fieldtomatch.singleheader | Single header of the field to match
aws.waf.rule.fieldtomatch.singlequeryargument | Single query argument
aws.waf.rule.statement.andstatement | Rule statement that matches if all of the rule statements inside it match
aws.waf.rule.statement.bytematchstatement | Rule statement that matches a specified sequence of bytes
aws.waf.rule.statement.geomatchstatement | Rule statement that checks for requests from certain countries
aws.waf.rule.statement.ipsetreferencestatement | Rule statement that checks for requests from IP addresses defined in an IP set
aws.waf.rule.statement.managedrulegroupstatement | Rule statement that is managed by AWS
aws.waf.rule.statement.notstatement | Rule statement that negates another rule statement
aws.waf.rule.statement.orstatement | Rule statement that matches if one of the rule statements inside it matches
aws.waf.rule.statement.ratebasedstatement | Rule statement that matches at a certain rate of requests (rate limiting)
aws.waf.rule.statement.regexmatchstatement | Rule statement that matches a specified regex pattern
aws.waf.rule.statement.regexpatternsetreferencestatement | Rule statement that checks for a regex pattern defined in a regex pattern set
aws.waf.rule.statement.rulegroupreferencestatement | Rule statement that refers to a group of rules
aws.waf.rule.statement.sizeconstraintstatement | Rule statement that checks the size of the specified field
aws.waf.rule.statement.sqlimatchstatement | Statement that matches SQLi attacks
aws.waf.rule.statement.xssmatchstatement | Statement that matches XSS attacks
aws.waf.rulegroup | Amazon WAF v2 rule group