You can use AWS Config to query the current configuration state of AWS resources based on configuration properties for a single account and region, or across multiple accounts and regions. You can perform ad hoc, property-based queries against current AWS resource state metadata across all resources that AWS Config supports. The advanced query feature provides a single query endpoint and a powerful query language to get current resource state metadata without performing service-specific describe API calls. You can use configuration aggregators to run the same queries from a central account across multiple accounts and AWS regions.
AWS Config uses a subset of structured query language (SQL) SELECT syntax to perform property-based queries and aggregations on the current configuration item (CI) data. The queries range in complexity from simple matches against tag and/or resource identifiers, to more complex queries, such as viewing all S3 buckets that have versioning disabled. This allows you to query exactly the current resource state you need without performing AWS service-specific API calls.
Before beginning, you will need to have a rule that will be used for querying resources using the advanced query interface.
desired-instance-type rule and click Next.
Scroll to the bottom of the page and in the value field, next to the instanceType key, enter this string:
Then click Next and complete the rule creation wizard.
Before proceeding, you must create a CloudFormation stack that includes the resources required for this lab. Click here to deploy this stack into your account:
Note: This link will take you to the us-east-1 AWS region. If you wish to use another region, you will need to adjust the region in the top right-hand corner of the console.
Now that you have the lab stack and rule created, your account is ready to begin using advanced queries. Start by going to the Advanced queries portion of the Config console.
Click in the search box, then click Name, and then select EC2 instances by type. Finally, click the Copy to editor button.
Change the instance type on the last line to t3.small. The complete, new query will look like this:
SELECT resourceId, resourceName, resourceType, configuration.instanceType, tags, availabilityZone WHERE resourceType = 'AWS::EC2::Instance' AND configuration.instanceType = 't3.small'
These results are simple, but do not show the relationships between resources. Let’s run a more interesting query that reveals more about the environment the instance was created in. Copy the resourceId from the previous query and execute a new one with that as a parameter.
SELECT * WHERE relationships.resourceId = 'your server id'
Scrolling down to the output, you can now see a more detailed list of resources related to this server, including its VPC, attached EBS volume, subnet, security group, elastic network interface, and the CloudFormation stack that created it.
You can create groupings and aggregations through Advanced Query as well:
SELECT configuration.complianceType, COUNT(*) WHERE resourceType = 'AWS::Config::ResourceCompliance' GROUP BY configuration.complianceType
And unused EBS volumes:
SELECT resourceId, accountId, awsRegion, resourceType, configuration.volumeType, configuration.size, resourceCreationTime, tags, configuration.encrypted, configuration.availabilityZone, configuration.state.value WHERE resourceType = 'AWS::EC2::Volume' AND configuration.state.value <> 'in-use'
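The same queries can be run outside the console. The following is an added example, not part of the lab, in Python with boto3: it pages through SelectResourceConfig (or SelectAggregateResourceConfig when an aggregator name is given, which is how the central-account, multi-region case from the introduction is queried) and parses the JSON rows returned for the unused-volume query into a short report. The boto3 client, the aggregator name and SAMPLE_ROWS are assumptions; SAMPLE_ROWS is constructed to mimic the API's output so the parsing part runs offline.

```python
import json

# Added example, not from the lab: the lab's unused-EBS-volume query, trimmed
# to the columns this report needs.
UNUSED_VOLUMES_QUERY = (
    "SELECT resourceId, accountId, awsRegion, configuration.size, "
    "configuration.encrypted, configuration.state.value "
    "WHERE resourceType = 'AWS::EC2::Volume' "
    "AND configuration.state.value <> 'in-use'"
)

# Constructed sample rows in the shape SelectResourceConfig returns: each entry
# of "Results" is one JSON document serialised as a string.
SAMPLE_ROWS = [
    '{"resourceId":"vol-0aaa","accountId":"111111111111","awsRegion":"us-east-1",'
    '"configuration":{"size":8,"encrypted":false,"state":{"value":"available"}}}',
    '{"resourceId":"vol-0bbb","accountId":"111111111111","awsRegion":"us-east-1",'
    '"configuration":{"size":100,"encrypted":true,"state":{"value":"available"}}}',
    '{"resourceId":"vol-0ccc","accountId":"222222222222","awsRegion":"eu-west-1",'
    '"configuration":{"size":20,"encrypted":false,"state":{"value":"deleting"}}}',
]

def run_query(expression, aggregator=None):
    """Page through a query with NextToken; an aggregator name (assumed to
    exist) switches to the multi-account, multi-region endpoint."""
    import boto3  # imported here so the offline helper below needs no SDK
    client = boto3.client("config")
    rows, kwargs = [], {"Expression": expression}
    if aggregator:
        kwargs["ConfigurationAggregatorName"] = aggregator
    while True:
        page = (client.select_aggregate_resource_config(**kwargs) if aggregator
                else client.select_resource_config(**kwargs))
        rows.extend(page.get("Results", []))
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]

def summarize_volumes(rows):
    """Parse result rows; flag unattached volumes that are also unencrypted."""
    vols = [json.loads(r) for r in rows]
    return {
        "count": len(vols),
        "idle_gib": sum(v["configuration"]["size"] for v in vols),
        "unencrypted": sorted(v["resourceId"] for v in vols
                              if not v["configuration"]["encrypted"]),
    }

if __name__ == "__main__":
    print(summarize_volumes(SAMPLE_ROWS))
```

For live data, replace SAMPLE_ROWS with run_query(UNUSED_VOLUMES_QUERY) or run_query(UNUSED_VOLUMES_QUERY, aggregator="my-aggregator"); the caller needs config:SelectResourceConfig or config:SelectAggregateResourceConfig permission, and the rows reflect the configuration items AWS Config has recorded, so recorder coverage in each account and region bounds what the report sees.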
The results from any and all of these queries can be exported to either CSV or JSON using the Export as button.