RQL Custom queries for AWS needed URGENTLY

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

RQL Custom queries for AWS needed URGENTLY

L0 Member

I am new to RQL and I need to build custom queries quickly for compliance reporting an would appreciate if any SME can help with providing RQL queries for the below, rather than myself spending sleepless nights to re-invent the wheel when an expert somewhere would take them 5 min. Kindly assist

Custom RQL queries needed for :


1) Ensure the unused Key Pairs and Security Groups from AWS console are removed.
2) Ensure that you create Separate Keys and Groups for each set of Application Instance. Don’t use single Security Group and Key Pairs for the entire region
3) Ensure PEM keys for SSH are not shared with User
4) Ensure that you always have source IP address specified in the IAM Policies.
5) Ensure IAM instance roles are used for AWS resource access from instance-to-instance.
6) Ensure User Activity is monitored for the Audit purposes.
7) Ensure CloudTrail logs are encrypted at rest
😎 Ensure a log metric filter and alarm exist for security group changes
9) Ensure appropriate subscribers to each SNS topic
10) Ensure PEM keys for SSH are not shared with User
11) Ensure the usage of different CMK per type of data based on its classification and region
12) Ensure that their is a private connection between VPC and S3 and the traffic never leaves the Amazon network
13) Ensure the In-Transit data encryption in the communication between datacenters and Amazon AWS
14) Ensure that where used secure SSL Ciphers when connecting between the EC2 instance and ELB
15) Ensure standard / approved AMI used to launch the EC2 Instances 


appreciate the quick response.


Many thanks



L0 Member


I would suggest opening a support case with the relevant account information so we can go ahead and hop on a call with you to determine some of your use cases and work with you on getting these RQL's constructed as well as walk you through some of the RQL related documents we have available. 

Thank you. 

Support Portal Link: https://support.paloaltonetworks.com/

Thank you for the response. I am currently unable to create support cases for some reason. During the recent Office Hours, someone took my email and they said they would look into it. Not heard from them since.

Kindly assist.


L3 Networker

@FKisambu,  you will likely require professional services to develop these custom rules or do it yourself.


Based on my experience,  RQL as Prisma Cloud Policies are good for detecting and alerting.  Use the native remediation, if possible.

Another option is to automate the remediation then simply code a "daemon" in a popular programming language like python or bash; schedule to run periodically; poll the Alert APIs; implement your decision-making policies then take appropriate action within that daemon.

Tommy Hunt AWS-CSA, Java-CEA, PMP, SAFe Program Consultant
  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!