CloudWatch RQL

Reply
L0 Member

CloudWatch RQL

Hi all,

 

Relatively new with Prisma and playing with the RQL. Would anyone be able to tell me if there's a query i can run that tells me if cloudwatch is enabled within an AWS environment?

 

Report wise, I tried running something against CIS compliance and it's really just telling me that cloud trail is not integrated with cloud watch which doesn't directly answer the question, for compliance purposes.

L2 Linker

Re: CloudWatch RQL

You can use this to see the various alarms that might be setup in CloudWatch: config where api.name = 'aws-cloudwatch-describe-alarms' 

 

There is a policy that will also look to see if cloudtrail is not integrated with cloudwatch: config where cloud.type = 'aws' AND api.name = 'aws-cloudtrail-describe-trails' AND json.rule = 'cloudWatchLogsRoleArn equals null or cloudWatchLogsRoleArn does not exist'

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!