Query Resources
Query Resources lets you run SQL queries directly against your live AWS resource inventory using Calabi Cloud Query. Every query hits real-time data: there is no ETL pipeline or nightly sync. The moment a resource changes in AWS, the next uncached query reflects it (results can be served from the result cache described under Query Limits and Performance).
Use Query Resources to answer operational questions instantly: which EC2 instances are running without tags, which S3 buckets allow public access, which RDS instances in eu-west-1 are not encrypted, and much more.
Opening the Query Editor
- Navigate to Cloud Operations in the Calabi sidebar.
- Click Query Resources.
- The SQL editor opens with a schema browser on the left and the query pane on the right.
- Select a connection (cloud account) from the dropdown at the top-right if you have multiple accounts configured.
Query Editor Features
| Feature | Description |
|---|---|
| SQL editor | Syntax-highlighted editor with multi-statement support |
| Schema browser | Expandable tree of all available tables and their columns |
| Column autocomplete | Tab-completion for table names, column names, and SQL keywords |
| Query history | Last 100 queries per user, searchable |
| Result preview | Up to 10,000 rows displayed inline with column sorting and filtering |
| Export to CSV | Download any result set as a CSV file |
| Save query | Save a named query to your personal or shared library |
| Schedule query | Run a saved query on a cron schedule and deliver results by email or Slack |
Example Queries
List all running EC2 instances
```sql
SELECT
  instance_id,
  instance_type,
  region,
  state ->> 'Name' AS state,
  launch_time,
  tags ->> 'Name' AS name
FROM
  aws_ec2_instance
WHERE
  state ->> 'Name' = 'running'
ORDER BY
  launch_time DESC;
```
Find S3 buckets without server-side encryption
```sql
SELECT
  name,
  region,
  creation_date
FROM
  aws_s3_bucket
WHERE
  server_side_encryption_configuration IS NULL
ORDER BY
  creation_date;
```
List RDS instances by region with encryption status
```sql
SELECT
  db_instance_identifier,
  db_instance_class,
  engine,
  engine_version,
  region,
  storage_encrypted,
  multi_az,
  deletion_protection
FROM
  aws_rds_db_instance
ORDER BY
  region, db_instance_identifier;
```
Find Lambda functions with public resource policies
```sql
SELECT
  name,
  region,
  runtime,
  last_modified
FROM
  aws_lambda_function
WHERE
  policy_std -> 'Statement' @> '[{"Effect":"Allow","Principal":{"AWS":"*"}}]'
ORDER BY
  region, name;
```
List IAM users with console access and no MFA
```sql
SELECT
  name,
  create_date,
  password_last_used,
  mfa_enabled
FROM
  aws_iam_user
WHERE
  password_enabled = true
  AND mfa_enabled = false
ORDER BY
  create_date;
```
Find EKS clusters and their Kubernetes versions
```sql
SELECT
  name,
  region,
  version AS k8s_version,
  status,
  created_at
FROM
  aws_eks_cluster
ORDER BY
  region, name;
```
Supported AWS Services
The table below lists the cloud service categories available as queryable tables. Each category contains multiple tables — use the schema browser to see the full column list.
| Category | Key tables | Notes |
|---|---|---|
| EC2 | aws_ec2_instance, aws_ec2_ami, aws_ec2_key_pair, aws_ec2_security_group, aws_ec2_subnet, aws_ec2_vpc | Full resource metadata including tags |
| S3 | aws_s3_bucket, aws_s3_object | Bucket policies, ACLs, encryption; object queries require a bucket name filter |
| RDS | aws_rds_db_instance, aws_rds_db_cluster, aws_rds_db_snapshot | Includes Aurora clusters and automated backups |
| IAM | aws_iam_user, aws_iam_role, aws_iam_policy, aws_iam_group, aws_iam_access_key | Policy documents parsed as JSONB |
| Lambda | aws_lambda_function, aws_lambda_version, aws_lambda_alias | Includes concurrency, VPC config, and resource policies |
| ECS | aws_ecs_cluster, aws_ecs_service, aws_ecs_task, aws_ecs_task_definition | Task-level CPU/memory and networking config |
| EKS | aws_eks_cluster, aws_eks_node_group, aws_eks_addon | Node group instance types and scaling config |
| CloudWatch | aws_cloudwatch_alarm, aws_cloudwatch_log_group, aws_cloudwatch_metric | Alarm state and log retention policies |
| Cost Explorer | aws_cost_by_service_daily, aws_cost_by_account_monthly | Aggregated cost data (1-day lag) |
| EBS | aws_ebs_volume, aws_ebs_snapshot | Attachment state, encryption, age |
| SNS / SQS | aws_sns_topic, aws_sqs_queue | Subscription counts and access policies |
| CloudTrail | aws_cloudtrail_trail, aws_cloudtrail_event | Trail config and recent API activity |
| VPC | aws_vpc, aws_vpc_subnet, aws_vpc_route_table, aws_vpc_endpoint | CIDR blocks, flow logs, peering |
| Secrets Manager | aws_secretsmanager_secret | Rotation config and last accessed date |
| KMS | aws_kms_key | Key state, rotation status, policy |
Type any part of a service name in the schema browser search box to filter the table list. For example, typing rds shows all RDS-related tables immediately.
Saving and Scheduling Queries
Save a query
- Write and run your query in the editor.
- Click Save in the toolbar.
- Enter a name and optionally a description.
- Choose Personal (visible only to you) or Shared (visible to all users with Cloud Operations access).
Schedule a saved query
- Open a saved query from the query library.
- Click Schedule.
- Set a cron expression or choose a preset interval (hourly, daily, weekly).
- Choose a delivery channel: email address, Slack channel, or both.
- Optionally set a row count threshold — the result is only delivered if the query returns at least N rows (useful for alerting on non-empty findings).
Example: Alert when any S3 bucket without encryption is found
Schedule: daily at 06:00 UTC
Delivery: #security-alerts Slack channel
Row threshold: 1 (only fire if at least one bucket is unencrypted)
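A query shaped for the row-threshold alert above, as an added example that is not part of the original Calabi documentation. It goes beyond the single S3 case by combining three of the checks from Example Queries into one findings list that returns zero rows when nothing is wrong. It assumes `storage_encrypted` is a boolean and that the editor accepts a standard `UNION ALL`; the `finding` and `resource` column names are illustrative.

```sql
-- Added example: one row per violation, zero rows when the account is clean,
-- so a row threshold of 1 only delivers a message when there is a finding.
-- Tables and columns are the ones used in the example queries on this page.
-- Assumption: storage_encrypted is a boolean, like mfa_enabled.
SELECT
  'S3 bucket without server-side encryption' AS finding,
  name AS resource,
  region
FROM
  aws_s3_bucket
WHERE
  server_side_encryption_configuration IS NULL

UNION ALL

SELECT
  'RDS instance with unencrypted storage' AS finding,
  db_instance_identifier AS resource,
  region
FROM
  aws_rds_db_instance
WHERE
  storage_encrypted = false

UNION ALL

SELECT
  'IAM console user without MFA' AS finding,
  name AS resource,
  'global' AS region  -- IAM users are not tied to a region
FROM
  aws_iam_user
WHERE
  password_enabled = true
  AND mfa_enabled = false

-- Sort applies to the combined result; group findings by type for the report.
ORDER BY
  finding, region, resource; -- nocache
```

The trailing `-- nocache` comment is the cache bypass described under Query Limits and Performance, so the alert is evaluated against current inventory rather than a cached result.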
Query Limits and Performance
| Limit | Default | Configurable |
|---|---|---|
| Maximum rows returned | 10,000 | Yes — see Configure |
| Query timeout | 60 seconds | Yes — see Configure |
| Concurrent queries per user | 3 | No |
| Result cache TTL | 5 minutes | Yes — see Configure |
Results are cached at the query level. If two users run the same query within the cache TTL window, the second user receives the cached result instantly. You can bypass the cache by appending `-- nocache` as a comment at the end of your query.
Related Pages
- Configure — Connect a cloud account or adjust query timeout and cache settings
- Age Reports — Pre-built aging queries for snapshots, objects, and volumes
- Security Posture — Pre-built security checks built on the same query engine