Compliance-focused queries

Ensure cloud compliance effortlessly with CloudQuery’s SQL-powered auditing.

Ensure cloud compliance with SQL

Maintaining compliance across cloud environments requires continuous monitoring and enforcement of policies. CloudQuery enables you to run SQL queries on your cloud asset inventory, allowing you to quickly verify compliance with regulatory standards like CIS, ISO 27001, and NIST.

Compliance queries in action

Here are some essential queries to help you maintain compliance and avoid costly violations.

Find untagged resources (AWS, GCP, Azure)

Why it matters: Lack of tagging makes compliance tracking and cost allocation difficult.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    tags = '{}' OR tags IS NULL;
Identify inconsistent tagging formats (AWS, GCP, Azure)

Why it matters: Tag inconsistency prevents automated cost allocation and policy enforcement.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    tags LIKE '%Environment%'
    OR tags LIKE '%ENV%'
    OR tags LIKE '%Env%'
    OR tags LIKE '%env%'
    OR tags LIKE '%ENVIRONMENT%';
Identify resources not tagged according to a governance policy (AWS, GCP, Azure)

Why it matters: Proper tagging helps track resources for compliance, auditing, and cost allocation.

SELECT
    cloud, account, name, region, resource_type, tags
FROM
    cloud_assets
WHERE
    tags NOT LIKE '%cost_center%'
    OR tags NOT LIKE '%owner%'
    OR tags NOT LIKE '%environment%';
Identify resources running in unauthorized regions (AWS, GCP, Azure)

Why it matters: Regulatory restrictions prevent companies from deploying workloads in unauthorized regions.

SELECT
    cloud, account, name, region, resource_type
FROM
    cloud_assets
WHERE
    region NOT IN ('us-east-1', 'us-west-1', 'eu-west-1');
Find AWS RDS instances lacking automated backups (AWS)

Why it matters: Without backups, organizations risk permanent data loss.

SELECT
    db_instance_arn, backup_retention_period, region
FROM
    aws_rds_instances
WHERE
    backup_retention_period = 0;
Identify databases without SSL encryption (AWS)

Why it matters: Unsecured database connections expose data to attacks.

SELECT
	*
FROM
	aws_rds_instances
WHERE
	empty(ca_certificate_identifier);
List RDS instances not using encryption at rest (AWS)

Why it matters: Unencrypted databases violate compliance and security policies.

SELECT
	*
FROM
	aws_rds_instances
WHERE
	storage_encrypted=false;
Find IAM users without MFA enabled (AWS)

Why it matters: Lack of MFA increases the risk of account compromise.

SELECT
	u.*
FROM
	aws_iam_users AS u
LEFT JOIN
	aws_iam_mfa_devices AS m
ON
	u.user_name = m.user_name
WHERE
	m.user_name IS NULL;

Want more?

These are just a few examples of how CloudQuery turns your cloud into an instantly queryable database—giving you unparalleled visibility into compliance risks.

Check out the main query examples page for more ways to audit, secure, and optimize your cloud—all with SQL!

PreviousSecurity-focused queriesNextFinOps-focused queries

Last updated

Was this helpful?