Sample Queries
List IAM users with their access keys, oldest key first. Users that have no access key are still returned (the key columns are left unbound); no age or status filter is applied, so the caller decides what counts as "old".
# IAM users and their access keys, ordered by key creation date (oldest first).
# Users with no access key are still returned via OPTIONAL, with the key
# columns unbound; SPARQL orders unbound values lowest, so those rows come
# first in the result. No age or status filter is applied.
# NOTE(review): to narrow this to stale *active* keys, add a FILTER on
# ?access_key_status and ?access_key_create_date — the datatype of
# create_date is not visible here, confirm it before comparing with now().
SELECT ?account_id ?iam_user_name ?access_key_id ?access_key_create_date ?access_key_status
WHERE {
  # every IAM user with its name and owning account
  ?iam_user a <alti:aws:iam:user> ;
            <alti:name> ?iam_user_name ;
            <alti:account> ?account .
  ?account <alti:account_id> ?account_id .
  # key details are optional: a user with no key still yields one row
  OPTIONAL {
    ?iam_user <alti:access_key> ?access_key .
    ?access_key <alti:access_key_id> ?access_key_id ;
                <alti:create_date> ?access_key_create_date ;
                <alti:status> ?access_key_status .
  }
}
ORDER BY ?access_key_create_date
Locate VPCs with no EC2 instances, RDS instances, Lambda functions or ENIs attached. Only those four resource types are checked, so a VPC holding other resources (NAT gateways, load balancers, endpoints, ...) is still reported as empty.
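# VPCs to which none of the checked resource types is attached, per account
# and region. Only EC2 instances, RDS DBs, Lambda functions and ENIs are
# checked; a VPC holding other resources (NAT gateways, load balancers,
# endpoints, ...) will still be reported as empty.
# ?is_default was already required by the pattern but never projected; it is
# now returned so default VPCs (the usual cleanup candidates) can be told
# apart from custom ones.
SELECT ?account_id ?region_name ?vpc_id ?is_default
WHERE {
  ?vpc a <alti:aws:ec2:vpc> ;
       <alti:account> ?account ;
       <alti:region> ?region ;
       <alti:id> ?vpc_id ;
       <alti:is_default> ?is_default .
  ?region <alti:name> ?region_name .
  ?account <alti:account_id> ?account_id .
  # exclude the VPC if any resource of the listed types points at it
  FILTER NOT EXISTS {
    ?resource <alti:aws:ec2:vpc> ?vpc ;
              a ?resource_type .
    FILTER ( ?resource_type IN ( <alti:aws:ec2:instance>,
                                 <alti:aws:rds:db>,
                                 <alti:aws:lambda:function>,
                                 <alti:aws:ec2:network-interface> ) )
  }
}
ORDER BY ?account_id ?region_name ?vpc_id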
Locate running EC2 instances that have a public IP and whose security groups carry a TCP ingress rule covering port 22, most recently launched first. The rule's source range is not inspected, so instances where port 22 is only reachable from a restricted CIDR are reported as well; rules with protocol "-1" (all traffic) are not matched.
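# Running EC2 instances with a public IP that are attached to a security group
# having a TCP ingress rule whose port range covers 22 (SSH), most recent
# launch first. ?account_id is projected (resolved the same way as in the
# other queries) so each finding can be attributed to an account; it is
# appended as the last column.
# Caveats:
#  - the rule's source range is not inspected, so a rule that allows 22 only
#    from a private CIDR is reported too;
#  - rules with ip_protocol '-1' (all traffic) also expose port 22 but do not
#    match the 'tcp' pattern below;
#  - one row is produced per matching (security group, ingress rule) pair,
#    so an instance can appear more than once.
SELECT ?launch_time ?ec2_instance_id ?sg_id ?public_ip_address ?from_port ?to_port ?account_id
WHERE {
  ?ec2_instance a <alti:aws:ec2:instance> ;
                <alti:id> ?ec2_instance_id ;
                <alti:account> ?account ;
                <alti:public_ip_address> ?public_ip_address ;
                <alti:state> 'running' ;
                <alti:launch_time> ?launch_time ;
                <alti:security-group> ?sg .
  ?account <alti:account_id> ?account_id .
  ?sg <alti:id> ?sg_id ;
      <alti:ingress_rule> ?ingress_rule .
  ?ingress_rule <alti:ip_protocol> 'tcp' ;
                <alti:from_port> ?from_port ;
                <alti:to_port> ?to_port .
  # port 22 lies inside the rule's [from_port, to_port] range
  FILTER ( ?from_port <= 22 && ?to_port >= 22 )
}
ORDER BY DESC(?launch_time)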