Search for Alerting Rule: AWS Tokens
Use the search tokens below, which we provide in the rule creation wizard.
Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.
Example
Show findings with this account ID
account.id: 205767712438
Select the name of the region you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the region code. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view AWS Region Mapping.
Example
Find resources in the ap-southeast-1 (Singapore) region
region: ap-southeast-1
Select the type of service you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the service type code. For example, the service code for CloudTrail is CLOUD_TRAIL. For the complete mapping of service type code to service type, view AWS Service Type Mapping.
Example
Show service type CloudTrail
service.type: CLOUD_TRAIL
Select the type of resource you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the resource type code. For example, the resource type code for S3 Bucket is BUCKET. For the complete mapping of resource type code to resource type, view AWS Resource Type Mapping.
Example
Show resources of type S3 Bucket
resource.type: BUCKET
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
resource.id: acl-8e5198f5
Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.
Example
Show controls with this ID
cid: 205767712438
Use values within quotes to help you find controls with a certain name.
Examples
Show findings with this name
control.name: Avoid the use of the root account
Show any findings that contain parts of name
control.name: "Avoid the use of the root account"
control.criticality
Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.
Example
Show controls with High criticality
control.criticality: HIGH
Use the control result value (FAIL) to view controls with a specific result.
Example
Show controls that failed
control.result: FAIL
Use a date range or specific date to define when the resource was evaluated.
Examples
Show resources discovered within certain dates
evaluatedOn: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-01-01, ending 1 month ago
evaluatedOn: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
evaluatedOn: [now-2w ... now-1s]
Show resources discovered on specific date
evaluatedOn: 2018-01-08
Use a date range or specific date to define when the resource was last evaluated.
Examples
Show resources last evaluated within certain dates
lastEvaluated: [2018-01-01 ... 2018-03-01]
Show resources last evaluated starting 2018-01-01, ending 1 month ago
lastEvaluated: [2018-01-01 ... now-1m]
Show resources last evaluated starting 2 weeks ago, ending 1 second ago
lastEvaluated: [now-2w ... now-1s]
Show resources last evaluated on specific date
lastEvaluated: 2018-01-08
Use a date range or specific date to define when the resource was first discovered and evaluated.
Examples
Show resources first evaluated within certain dates
firstEvaluated: [2018-01-01 ... 2018-03-01]
Show resources first evaluated starting 2018-01-01, ending 1 month ago
firstEvaluated: [2018-01-01 ... now-1m]
Show resources first evaluated starting 2 weeks ago, ending 1 second ago
firstEvaluated: [now-2w ... now-1s]
Show resources first evaluated on specific date
firstEvaluated: 2018-01-08
Use values within quotes to find a CIS or AWS policy by name.
Examples
Show findings with this name
policy.name: CIS Amazon Web Services Foundations Benchmark
Show any findings that contain parts of name
policy.name: "CIS Amazon Web Services Foundations Benchmark"
Use a text value ##### to show controls created from QFlow with specified QFlow id.
Examples
Show controls with specific qflow id
qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1
Use values within quotes or back-ticks to find controls created from QFlow with the specified name.
Examples
Show controls that are created from QFlow with a name that partially matches the specified QFlow name.
qflow.name: "Publicly accessible S3 buckets"
Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.
qflow.name: `S3 buckets`

AWS Region Mapping

| Code | Region Name |
| --- | --- |
| us-east-2 | Ohio |
| us-east-1 | N. Virginia |
| us-west-1 | N. California |
| us-west-2 | Oregon |
| ca-central-1 | Canada Central |
| ap-south-1 | Mumbai |
| ap-east-1 | Hong Kong |
| ap-northeast-2 | Seoul |
| ap-southeast-1 | Singapore |
| ap-southeast-2 | Sydney |
| ap-northeast-1 | Tokyo |
| eu-central-1 | Frankfurt |
| eu-west-1 | Ireland |
| eu-west-2 | London |
| sa-east-1 | São Paulo |
| eu-west-3 | Paris |
| eu-north-1 | Stockholm |
| eu-south-1 | Milan |
| me-south-1 | Bahrain |
| af-south-1 | Cape Town |
| us-gov-east-1 | US GovCloud East |
| us-gov-west-1 | US GovCloud West |
| cn-north-1 | Beijing |
| cn-northwest-1 | Ningxia |

AWS Service Type Mapping

| Code | Service Type |
| --- | --- |
| IAM | IAM |
| CONFIG | Config |
| CLOUD_TRAIL | CloudTrail |
| CLOUD_WATCH | CloudWatch |
| EC2 | EC2 |
| S3 | S3 |
| RDS | RDS |
| VPC | VPC |
| REDSHIFT | Redshift |
| SQS | SQS |
| CLOUD_FRONT | CloudFront |
| LAMBDA | Lambda Function |
| DOCUMENT_DB | DocumentDB |
| NEPTUNE_DB | NeptuneDB |
| EFS | Efs |
| SECRETS_MANAGER | Secrets Manager |
| SNS | SNS |
| ELASTICACHE | ElastiCache |
| ELASTICSEARCH_SERVICE | Elasticsearch Service |
| KINESIS | Kinesis |
| DYNAMO_DB | DynamoDB |
| ROUTE_53 | Route 53 |
| KMS | KMS |

AWS Resource Type Mapping

| Code | Resource Type |
| --- | --- |
| EC2_INSTANCE | Instance |
| LOAD_BALANCER | Load Balancer |
| VPC | VPC |
| INTERNET_GATEWAY | Internet Gateway |
| SUBNET | Subnet |
| ROUTE_TABLE | Route Table |
| NETWORK_ACL | Network ACL |
| VPC_SECURITY_GROUP | Security Group |
| AUTO_SCALING_GROUP | Auto Scaling Group |
| BUCKET | S3 Bucket |
| IAM_USER | IAM User |
| RDS | RDS |
| EBS | EBS Volume |
| LAMBDA | Lambda Function |
| IAM_PASSWORD | IAM Password |
| SECRETS | Secrets |
| REDSHIFT_CLUSTERS | Redshift Clusters |
| DOCUMENT_DB_INSTANCES | DocumentDB Instances |
| EC2_IMAGES | AMI |
| EC2_VOLUME_SNAPSHOT | EBS Snapshots |
| DOCUMENT_DB_CLUSTERS | DocumentDB Clusters |
| NEPTUNE_DB_CLUSTERS | NeptuneDB Clusters |
| EFS | EFS |
| NEPTUNE_DB_INSTANCES | NeptuneDB Instances |
| SNS_TOPIC | SNS Topic |
| SQS_QUEUE | SQS Queue |
| RDS_CLUSTER | Amazon Aurora |
| RDS_CLUSTER_SNAPSHOT | Aurora Snapshot |
| REDIS | Redis |
| MEMCACHED | Memcached |
| IAM_GROUPS | IAM Groups |
| IAM_USER_ATTACHED_POLICY | IAM User Attached Policy |
| IAM_USER_INLINE_POLICY | IAM User Inline Policy |
| ES_DOMAIN | Elasticsearch Service Domain |
| FIREHOSE | Firehose |
| DYNAMO_DB_TABLE | DynamoDB Table |
| ROUTE_53_DOMAIN | Route 53 Domain |
| IAM_ACCESS_ANALYZER | Access analyzer |