Search for Alerting Rule: AWS Tokens 

Use the search tokens below, which are available in the rule creation wizard.

account.id

Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.

Example

Show findings with this account ID

account.id: 205767712438

region

Select the name of the region you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the region code. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view AWS Region Mapping.

Example

Find resources in the ap-southeast-1 (Singapore) region

region: ap-southeast-1

service.type

Select the type of service you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the service type code. For example, the service code for CloudTrail is CLOUD_TRAIL. For the complete mapping of service type code to service type, view AWS Service Type Mapping.

Example

Show service type CloudTrail

service.type: CLOUD_TRAIL

resource.type

Select the type of resource you're interested in. Select from names in the drop-down menu. The drop-down menu options contain the resource type code. For example, the resource type code for S3 Bucket is BUCKET. For the complete mapping of resource type code to resource type, view AWS Resource Type Mapping.

Example

Show resources of type S3 Bucket

resource.type: BUCKET

resource.id

Use a text value ##### to find resources by the unique ID assigned to the resource.

Example

Show resources with ID acl-8e5198f5

resource.id: acl-8e5198f5

cid

Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.

Example

Show controls with this ID

cid: 205767712438

control.name

Use values within quotes to help you find controls with a certain name.

Examples

Show findings with this name

control.name: Avoid the use of the root account

Show any findings that contain parts of the name

control.name: "Avoid the use of the root account"

control.criticality

Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.

Example

Show controls with High criticality

control.criticality: HIGH

control.result

Use a control result value (FAIL) to view controls with a specific result.

Example

Show controls that failed

control.result: FAIL

evaluatedOn

Use a date range or specific date to define when the resource was evaluated.

Examples

Show resources discovered within certain dates

evaluatedOn: [2018-01-01 ... 2018-03-01]

Show resources updated starting 2018-10-01, ending 1 month ago

evaluatedOn: [2018-01-01 ... now-1m]

Show resources updated starting 2 weeks ago, ending 1 second ago

evaluatedOn: [now-2w ... now-1s]

Show resources discovered on specific date

evaluatedOn: 2018-01-08

lastEvaluated

Use a date range or specific date to define when the resource was last evaluated.

Examples

Show resources last evaluated within certain dates

lastEvaluated: [2018-01-01 ... 2018-03-01]

Show resources last evaluated starting 2018-10-01, ending 1 month ago

lastEvaluated: [2018-01-01 ... now-1m]

Show resources last evaluated starting 2 weeks ago, ending 1 second ago

lastEvaluated: [now-2w ... now-1s]

Show resources last evaluated on specific date

lastEvaluated: 2018-01-08

firstEvaluated

Use a date range or specific date to define when the resource was first discovered and evaluated.

Examples

Show resources first evaluated within certain dates

firstEvaluated: [2018-01-01 ... 2018-03-01]

Show resources first evaluated starting 2018-10-01, ending 1 month ago

firstEvaluated: [2018-01-01 ... now-1m]

Show resources first evaluated starting 2 weeks ago, ending 1 second ago

firstEvaluated: [now-2w ... now-1s]

Show resources first evaluated on specific date

firstEvaluated: 2018-01-08

policy.name

Use values within quotes to find a CIS or AWS policy by name.

Examples

Show findings with this name

policy.name: CIS Amazon Web Services Foundations Benchmark

Show any findings that contain parts of the name

policy.name: "CIS Amazon Web Services Foundations Benchmark"

qflow.id

Use a text value ##### to show controls created from a QFlow with the specified QFlow ID.

Examples

Show controls with specific qflow id

qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1

qflow.name

Use values within quotes or back-ticks to find controls created from QFlow with the specified name.

Examples

Show controls that are created from QFlow with a name that partially matches the specified QFlow name.

qflow.name: "Publicly accessible S3 buckets"

Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.

qflow.name: `S3 buckets`

AWS Region Mapping

| Code | Region Name |
|---|---|
| us-east-2 | Ohio |
| us-east-1 | N. Virginia |
| us-west-1 | N. California |
| us-west-2 | Oregon |
| ca-central-1 | Canada Central |
| ap-south-1 | Mumbai |
| ap-east-1 | Hong Kong |
| ap-northeast-2 | Seoul |
| ap-southeast-1 | Singapore |
| ap-southeast-2 | Sydney |
| ap-northeast-1 | Tokyo |
| eu-central-1 | Frankfurt |
| eu-west-1 | Ireland |
| eu-west-2 | London |
| sa-east-1 | São Paulo |
| eu-west-3 | Paris |
| eu-north-1 | Stockholm |
| eu-south-1 | Milan |
| me-south-1 | Bahrain |
| af-south-1 | Cape Town |
| us-gov-east-1 | US GovCloud East |
| us-gov-west-1 | US GovCloud West |
| cn-north-1 | Beijing |
| cn-northwest-1 | Ningxia |

AWS Service Type Mapping

| Code | Service Type |
|---|---|
| IAM | IAM |
| CONFIG | Config |
| CLOUD_TRAIL | CloudTrail |
| CLOUD_WATCH | CloudWatch |
| EC2 | EC2 |
| S3 | S3 |
| RDS | RDS |
| VPC | VPC |
| REDSHIFT | Redshift |
| SQS | SQS |
| CLOUD_FRONT | CloudFront |
| LAMBDA | Lambda Function |
| DOCUMENT_DB | DocumentDB |
| NEPTUNE_DB | NeptuneDB |
| EFS | Efs |
| SECRETS_MANAGER | Secrets Manager |
| SNS | SNS |
| ELASTICACHE | ElastiCache |
| ELASTICSEARCH_SERVICE | Elasticsearch Service |
| KINESIS | Kinesis |
| DYNAMO_DB | DynamoDB |
| ROUTE_53 | Route 53 |
| KMS | KMS |

AWS Resource Type Mapping

| Code | Resource Type |
|---|---|
| EC2_INSTANCE | Instance |
| LOAD_BALANCER | Load Balancer |
| VPC | VPC |
| INTERNET_GATEWAY | Internet Gateway |
| SUBNET | Subnet |
| ROUTE_TABLE | Route Table |
| NETWORK_ACL | Network ACL |
| VPC_SECURITY_GROUP | Security Group |
| AUTO_SCALING_GROUP | Auto Scaling Group |
| BUCKET | S3 Bucket |
| IAM_USER | IAM User |
| RDS | RDS |
| EBS | EBS Volume |
| LAMBDA | Lambda Function |
| IAM_PASSWORD | IAM Password |
| SECRETS | Secrets |
| REDSHIFT_CLUSTERS | Redshift Clusters |
| DOCUMENT_DB_INSTANCES | DocumentDB Instances |
| EC2_IMAGES | AMI |
| EC2_VOLUME_SNAPSHOT | EBS Snapshots |
| DOCUMENT_DB_CLUSTERS | DocumentDB Clusters |
| NEPTUNE_DB_CLUSTERS | NeptuneDB Clusters |
| EFS | EFS |
| NEPTUNE_DB_INSTANCES | NeptuneDB Instances |
| SNS_TOPIC | SNS Topic |
| SQS_QUEUE | SQS Queue |
| RDS_CLUSTER | Amazon Aurora |
| RDS_CLUSTER_SNAPSHOT | Aurora Snapshot |
| REDIS | Redis |
| MEMCACHED | Memcached |
| IAM_GROUPS | IAM Groups |
| IAM_USER_ATTACHED_POLICY | IAM User Attached Policy |
| IAM_USER_INLINE_POLICY | IAM User Inline Policy |
| ES_DOMAIN | Elasticsearch Service Domain |
| FIREHOSE | Firehose |
| DYNAMO_DB_TABLE | DynamoDB Table |
| ROUTE_53_DOMAIN | Route 53 Domain |
| IAM_ACCESS_ANALYZER | Access analyzer |
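The following is an added example, not code from this page or from the product: a local pre-check for a single `token: value` expression that catches a mistyped region, criticality or result code, or an inverted date range, before the expression is pasted into an alerting rule. The function names `resolve` and `check` are hypothetical, only the `s`, `w` and `m` units shown in the examples above are accepted, and treating `m` as 30 days is an assumption.

```python
import re
from datetime import datetime, timedelta

# Region codes copied from the AWS Region Mapping table on this page.
REGIONS = set("""us-east-2 us-east-1 us-west-1 us-west-2 ca-central-1 ap-south-1
ap-east-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 eu-central-1
eu-west-1 eu-west-2 sa-east-1 eu-west-3 eu-north-1 eu-south-1 me-south-1 af-south-1
us-gov-east-1 us-gov-west-1 cn-north-1 cn-northwest-1""".split())
ENUMS = {"region": REGIONS,
         "control.criticality": {"HIGH", "MEDIUM", "LOW"},
         "control.result": {"FAIL"}}
DATE_TOKENS = {"evaluatedOn", "lastEvaluated", "firstEvaluated"}
# Assumption: "m" means one month, approximated here as 30 days.
UNITS = {"s": timedelta(seconds=1), "w": timedelta(weeks=1), "m": timedelta(days=30)}

def resolve(point, now):
    """Turn '2018-01-08', 'now' or 'now-2w' into a datetime."""
    rel = re.fullmatch(r"now(?:-(\d+)([swm]))?", point)
    if rel:
        return now - int(rel[1]) * UNITS[rel[2]] if rel[1] else now
    return datetime.strptime(point, "%Y-%m-%d")  # ValueError on a bad date

def check(expr, now):
    """Return (ok, detail) for one 'token: value' expression."""
    token, sep, value = (p.strip() for p in expr.partition(":"))
    if not sep or not value:
        return False, "expected 'token: value'"
    if token in ENUMS:
        ok = value in ENUMS[token]
        return ok, "ok" if ok else f"{value!r} is not a listed {token} code"
    if token in DATE_TOKENS:
        rng = re.fullmatch(r"\[\s*(\S+)\s*\.\.\.\s*(\S+)\s*\]", value)
        try:
            if not rng:
                resolve(value, now)
                return True, "single date"
            start, end = resolve(rng[1], now), resolve(rng[2], now)
        except ValueError as err:
            return False, f"bad date: {err}"
        if start > end:
            return False, "range start is after range end"
        return True, f"{start:%Y-%m-%d} to {end:%Y-%m-%d}"
    return False, f"token {token!r} is not checked by this sketch"

if __name__ == "__main__":
    now = datetime(2018, 11, 15)  # constructed reference time for the demo
    for expr in ("region: ap-southeast-9", "evaluatedOn: [now-2w ... now-1s]"):
        print(expr, "->", check(expr, now))
```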
