Search for Alerting Rule: AWS Tokens 

Use the search tokens below that we provide during rule creation wizard.

aws.accountIdaws.accountId

Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.

Example

Show findings with this account ID

aws.accountId: 205767712438

cloud.regioncloud.region

Select the name of the region you're interested in. Select from names in the drop-down menu. The drop-down menu options contains region code. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view AWS Region Mapping.

Example

Find resources in the ap-southeast-1 (Singapore) region

cloud.region: ap-southeast-1

service.typeservice.type

Select the type of service you're interested in. Select from names in the drop-down menu. The drop-down menu options contains service type code. For example, the service code for CloudTrail is CLOUD_TRAIL. For the complete mapping of service type code to service type AWS Service Type Mapping.

Example

Show service type CloudTrail

service.type: CLOUD_TRAIL

cloud.resource.typecloud.resource.type

Select the type of resource you're interested in. Select from names in the drop-down menu. The drop-down menu options contains of resource type code. For example, the service code for S3 Bucket is BUCKET . For the complete mapping of resource type code to resource type, view AWS Resource Type Mapping.

Example

Show resources of type S3 Bucket

cloud.resource.type: BUCKET

cloud.resource.idcloud.resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

cloud.resource.id: acl-8e5198f5

control.idcontrol.id

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

control.id: 205767712438

control.namecontrol.name

Use values within quotes to help you find controls with a certain name.

Examples

Show findings with this name

control.name: Avoid the use of the root account

Show any findings that contain parts of name

control.name: "Avoid the use of the root account"

control.criticalitycontrol.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.resultcontrol.result

Use control result value (FAIL) to view controls with specific result.

Example

Show controls that failed

control.result: FAIL

cloud.resource.evaluatedDatecloud.resource.evaluatedDate

Use a date range or specific date to define when the resource was evaluated on.

Examples

Show resources discovered within certain dates

cloud.resource.evaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

cloud.resource.evaluatedDate: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

cloud.resource.evaluatedDate: [now-2w ... now-1s]

Show resources discovered on specific date

cloud.resource.evaluatedDate: 2018-01-08

cloud.resource.lastEvaluatedDatecloud.resource.lastEvaluatedDate

Use a date range or specific date to define when the resource was last evaluated on.

Examples

Show resources last evaluated within certain dates

cloud.resource.lastEvaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources last evaluated starting 2018-10-01, ending 1 month ago

cloud.resource.lastEvaluatedDate: [2018-01-01 ... now-1m]

Show resources last evaluated starting 2 weeks ago, ending 1 second ago

cloud.resource.lastEvaluatedDate: [now-2w ... now-1s]

Show resources last evaluated on specific date

cloud.resource.lastEvaluatedDate: 2018-01-08

cloud.resource.firstEvaluatedDatecloud.resource.firstEvaluatedDate

Use a date range or specific date to define when the resource was first discovered and evaluated.

Examples

Show resources first evaluated within certain dates

cloud.resource.firstEvaluatedDate: [2018-01-01 ... 2018-03-01]

Show resources first evaluated starting 2018-10-01, ending 1 month ago

cloud.resource.firstEvaluatedDate: [2018-01-01 ... now-1m]

Show resources first evaluated starting 2 weeks ago, ending 1 second ago

cloud.resource.firstEvaluatedDate: [now-2w ... now-1s]

Show resources first evaluated on specific date

cloud.resource.firstEvaluatedDate: 2018-01-08

policy.namepolicy.name

Use values within quotes to find a CIS or AWS policy by name.

Examples

Show findings with this name

policy.name: CIS Amazon Web Services Foundations Benchmark

Show any findings that contain parts of name

policy.name: "CIS Amazon Web Services Foundations Benchmark"

qflow.idqflow.id

Use a text value ##### to show controls created from QFlow with specified QFlow id.

Examples

Show controls with specific qflow id

qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1

qflow.nameqflow.name

Use values within quotes or back-ticks to find controls created from QFlow with the specified name.

Examples

Show controls that are created from QFlow with a name that partially matches the specified QFlow name.

qflow.name: "Publicly accessible S3 buckets"

Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.

qflow.name: `S3 buckets`

aws.account.tags.keyaws.account.tags.key

Use values within quotes or backticks to find list of AWS connector with the specified key.

Examples

Show AWS connectors with the specified key

aws.account.tags.key: "Department"

Show AWS connectors that match the exact specified key

aws.account.tags.key: `S3 Department`

aws.account.statusaws.account.status

Use this is search AWS resources based on their account status.

Example

Show AWS resources with ACTIVE account status

aws.account.status: ACTIVE

cloud.resource.lastFixedDatecloud.resource.lastFixedDate

Use a date range or specific date to find when the misconfigured or vulnerable resources were last fixed.

Examples

Show the misconfigured or vulnerable resources last fixed within certain dates

cloud.resource.lastFixedDate: [2023-10-01 .. 2023-12-01]

Show the misconfigured or vulnerable resources last fixed starting 2023-01-01, ending 1 month ago

cloud.resource.lastFixedDate: [2023-01-01 .. now-1m]

Show the misconfigured or vulnerable resources last fixed starting 2 weeks ago, ending 1 second ago

cloud.resource.lastFixedDate: [now-2w .. now-1s]

Show the misconfigured or vulnerable resources last fixed on specific date

cloud.resource.lastFixedDate: 2023-01-08

cloud.resource.lastReopenedDatecloud.resource.lastReopenedDate

Use a date range or specific date to find when the misconfigured or vulnerable resources were last reopened.

Examples

Show the misconfigured or vulnerable resources last reopened within certain dates

cloud.resource.lastReopenedDate: [2023-10-01 .. 2023-12-01]

Show the misconfigured or vulnerable resources last reopened starting 2023-01-01, ending 1 month ago

cloud.resource.lastReopenedDate: [2023-01-01 .. now-1m]

Show the misconfigured or vulnerable resources last reopened starting 2 weeks ago, ending 1 second ago

cloud.resource.lastReopenedDate: [now-2w .. now-1s]

Show the misconfigured or vulnerable resources last reopened on specific date

cloud.resource.lastReopenedDate: 2023-01-08

connector.tag.nameconnector.tag.name

Search for connectors based on the applied tag name. Select the tag name from the drop-down.

Example

Show connectors tagged with Production

connector.tag.name: Production

connector.uuidconnector.uuid

Filter results by the unique identifier (UUID) of a connector.

Example

Show results associated with the connector having UUID 123e4567-e89b-12d3-a456-426614174000

connector.uuid: 123e4567-e89b-12d3-a456-426614174000

control.idcontrol.id

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

control.id: 205767712438

control.criticalitycontrol.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.namecontrol.name

Use values within quotes to help you find controls with a certain name.

Examples

Show findings with this name

control.name: Avoid the use of the root account

Show any findings that contain parts of name

control.name: "Avoid the use of the root account"

control.resultcontrol.result

Select the control result you're interested in: PASS or FAIL.

Examples

Show controls that passed

control.result: PASS

Show controls that failed

control.result: FAIL

aws.account.tags.value aws.account.tags.value

Use values within quotes or backticks to find list of AWS connector with the specified value.

Examples

Show AWS connectors with the specified value

aws.account.tags.value: "Finance"

Show AWS connectors that match the exact specified value

aws.account.tags.value: `B1 Finance`

evidence.keyevidence.key

Filter results based on the specific evidence key associated with a finding.

Example

Show findings where the evidence key is "encryptionEnabled"

evidence.key: encryptionEnabled

evidence.valueevidence.value

Filter results based on the specific value captured in the evidence associated with a finding.

Example

Show findings where the evidence value is "false"

evidence.value: false

AWS Region Mapping

Code

Region Name

us-east-2

 Ohio

us-east-1

 N. Virginia

us-west-1

 N. California

us-west-2

 Oregon

ca-central-1

 Canada Central

ap-south-1

 Mumbai

ap-east-1

 Hong Kong

ap-northeast-2

 Seoul

ap-southeast-1

 Singapore

ap-southeast-2

 Sydney

ap-northeast-1

 Tokyo

eu-central-1

 Frankfurt

eu-west-1

 Ireland

eu-west-2

 London

sa-east-1

 São Paulo

eu-west-3

 Paris

eu-north-1

 Stockholm

eu-south-1

 Milan

me-south-1

 Bahrain

af-south-1

 Cape Town

us-gov-east-1

 US GovCloud East

us-gov-west-1

 US GovCloud West

cn-north-1

 Bejing

cn-northwest-1

 Ningxia

AWS Service Type Mapping

Code

Service Type

IAM

IAM

CONFIG

Config

CLOUD_TRAIL

CloudTrail

CLOUD_WATCH

CloudWatch

EC2

EC2

S3

S3

RDS

RDS

VPC

VPC

REDSHIFT

Redshift

SQS

SQS

CLOUD_FRONT

CloudFront

LAMBDA

Lambda Function

DOCUMENT_DB

DocumentDB

NEPTUNE_DB

NeptuneDB

EFS

Efs

SECRETS_MANAGER

Secrets Manager

SNS

SNS

ELASTICACHE

ElastiCache

ELASTICSEARCH
_SERVICE

Elasticsearch Service

KINESIS

Kinesis

DYNAMO_DB

DynamoDB

ROUTE_53

Route 53

KMS

KMS

AWS Resource Type Mapping

Code

Resource Type

EC2_INSTANCE

Instance

LOAD_BALANCER

Load Balancer

VPC

VPC

INTERNET_GATEWAY

Internet Gateway

SUBNET

Subnet

ROUTE_TABLE

Route Table

NETWORK_ACL

Network ACL

VPC_SECURITY_
GROUP

Security Group

AUTO_SCALING_GROUP

Auto Scaling Group

BUCKET

S3 Bucket

IAM_USER

IAM User

RDS

RDS

EBS

EBS Volume

LAMBDA

Lambda Function

IAM_PASSWORD

IAM Password

SECRETS

Secrets

REDSHIFT_
CLUSTERS

Redshift Clusters

DOCUMENT_DB_
INSTANCES

DocumentDB Instances

EC2_IMAGES

AMI

EC2_VOLUME_SNAPSHOT

EBS Snapshots

DOCUMENT_DB_CLUSTERS

DocumentDB Clusters

NEPTUNE_DB_CLUSTERS

NeptuneDB Clusters

EFS

EFS

NEPTUNE_DB_INSTANCES

NeptuneDB Instances

SNS_TOPIC

SNS Topic

SQS_QUEUE

SQS Queue

RDS_CLUSTER

Amazon Aurora

RDS_CLUSTER_
SNAPSHOT

Aurora Snapshot

REDIS

Redis

MEMCACHED

Memcached

IAM_GROUPS

IAM Groups

IAM_USER_
ATTACHED_POLICY

IAM User Attached Policy

IAM_USER_INLINE_
POLICY

IAM User Inline Policy

ES_DOMAIN

Elasticsearch Service
Domain

FIREHOSE

Firehose

DYNAMO_DB_TABLE

DynamoDB Table

ROUTE_53_DOMAIN

Route 53 Domain

IAM_ACCESS_
ANALYZER

Access analyzer

 

© 2025 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: December, 2025