Compliance-Focused Queries
Verify Cloud Compliance with SQL
CloudQuery lets you verify compliance with standards like CIS, ISO 27001, and NIST by querying your cloud asset inventory directly.
Compliance Queries in Action
Use these queries to maintain compliance and avoid costly violations.
Find untagged resources (AWS, GCP, Azure)
Why it matters: Lack of tagging makes compliance tracking and cost allocation difficult.
SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  tags = '{}' OR tags IS NULL;
Identify inconsistent tagging formats (AWS, GCP, Azure)
Why it matters: Tag inconsistency prevents automated cost allocation and policy enforcement.
SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  tags LIKE '%Environment%'
  OR tags LIKE '%ENV%'
  OR tags LIKE '%Env%'
  OR tags LIKE '%env%'
  OR tags LIKE '%ENVIRONMENT%';
Identify resources not tagged according to a governance policy (AWS, GCP, Azure)
Why it matters: Proper tagging helps track resources for compliance, auditing, and cost allocation.
SELECT
  cloud, account, name, region, resource_type, tags
FROM
  cloud_assets
WHERE
  -- NULL tags never satisfy NOT LIKE, so test for them explicitly
  tags IS NULL
  OR tags NOT LIKE '%cost_center%'
  OR tags NOT LIKE '%owner%'
  OR tags NOT LIKE '%environment%';
Identify resources running in unauthorized regions (AWS, GCP, Azure)
Why it matters: Regulatory restrictions prevent companies from deploying workloads in unauthorized regions.
SELECT
  cloud, account, name, region, resource_type
FROM
  cloud_assets
WHERE
  region NOT IN ('us-east-1', 'us-west-1', 'eu-west-1');
Find AWS RDS instances lacking automated backups (AWS)
Why it matters: Without backups, organizations risk permanent data loss.
SELECT
  db_instance_arn, backup_retention_period, region
FROM
  aws_rds_instances
WHERE
  backup_retention_period = 0;
Identify databases without SSL encryption (AWS)
Why it matters: Unsecured database connections expose data to attacks.
SELECT
  *
FROM
  aws_rds_instances
WHERE
  empty(ca_certificate_identifier);
List RDS instances not using encryption at rest (AWS)
Why it matters: Unencrypted databases violate compliance and security policies.
SELECT
  *
FROM
  aws_rds_instances
WHERE
  storage_encrypted = false;
Find IAM users without MFA enabled (AWS)
Why it matters: Lack of MFA increases the risk of account compromise.
SELECT
  u.*
FROM
  aws_iam_users AS u
LEFT JOIN
  aws_iam_mfa_devices AS m
ON
  u.user_name = m.user_name
WHERE
  m.user_name IS NULL;
More query examples
See the query examples overview for security and FinOps-focused queries.
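As an added example (not CloudQuery's own code), the Python script below runs the three NOT LIKE predicates of the governance-policy tagging query on their own against constructed rows in an in-memory SQLite table, and compares the result with an exact check of the tag keys. It assumes tags holds JSON object text or NULL; the sample rows, the helper names and the use of SQLite are assumptions made for illustration.

```python
import json
import sqlite3

REQUIRED = ("cost_center", "owner", "environment")

# Constructed sample inventory; tags assumed to be JSON object text or NULL.
ROWS = [
    ("aws", "111111111111", "web-1", "us-east-1", "ec2_instance",
     '{"cost_center": "42", "owner": "team-a", "environment": "prod"}'),
    ("aws", "111111111111", "db-1", "us-east-1", "rds_instance", None),
    ("gcp", "proj-a", "vm-1", "us-west-1", "compute_instance",
     '{"cost_center": "42", "product_owner": "team-b", "environment": "dev"}'),
    ("azure", "sub-a", "disk-1", "eu-west-1", "disk", "{}"),
]

# Only the substring predicates, with no explicit NULL test.
LIKE_ONLY_QUERY = """
SELECT name FROM cloud_assets
WHERE tags NOT LIKE '%cost_center%'
   OR tags NOT LIKE '%owner%'
   OR tags NOT LIKE '%environment%'
"""

def load_inventory():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cloud_assets (cloud TEXT, account TEXT, name TEXT,"
               " region TEXT, resource_type TEXT, tags TEXT)")
    db.executemany("INSERT INTO cloud_assets VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return db

def flagged_by_like(db):
    """Names returned by the substring predicates alone."""
    return sorted(row[0] for row in db.execute(LIKE_ONLY_QUERY))

def missing_required_tags(db):
    """Map resource name -> sorted list of required keys that are absent."""
    result = {}
    for name, tags in db.execute("SELECT name, tags FROM cloud_assets"):
        keys = set(json.loads(tags)) if tags else set()
        missing = sorted(k for k in REQUIRED if k not in keys)
        if missing:
            result[name] = missing
    return result

if __name__ == "__main__":
    db = load_inventory()
    print("substring predicates flag:", flagged_by_like(db))
    print("exact key check reports  :", missing_required_tags(db))
```

With these rows the substring predicates flag only disk-1, while the exact key check also reports db-1 (NULL tags) and vm-1 (a product_owner key is not an owner key).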
Next Steps
- Security-Focused Queries - Security queries
- FinOps-Focused Queries - Cost optimization queries
- Policies - Automate compliance checks with policy rules
- Reports - Generate compliance reports