AWS Config advanced queries provide a SQL-based querying interface to retrieve resource configuration metadata of AWS resources and identify resource compliance state. You can use AWS Config advanced queries in a single AWS Account and Region or in a multi-account and cross-region setup with AWS Config configuration aggregators. Writing queries requires you to know SQL and understand the underlying configuration properties and relationships of resources. As your AWS environment grows in size and complexity, writing SQL statements for your queries could become more complex and time consuming.
AWS Config recently launched generative AI-powered natural language querying (Preview) that allows users to query AWS resources, configurations or compliance state using queries written as simple commands or questions in natural language. Writing these same queries as statements, commands or questions in natural language reduces the need to learn SQL or understand the underlying resource configuration properties and relationships.
In this post, we will show you how to get started with natural language queries in AWS Config advanced queries. We will show you how to start with a statement and refine it to ultimately find the answer to your question.
Prerequisites
For this post, you should be familiar with AWS Config advanced queries and AWS Config aggregator. Additionally, you will need to have AWS Config set up in at least 2 Regions as well as an AWS Config aggregator for your account. To test the queries, you need encrypted and unencrypted EBS volumes across Regions. If you need to create EBS volumes, please refer to the documentation.
Getting started
The goal is to view all EBS volumes across your AWS environment along with their encryption status. You’ll start by looking at all volumes and then filter on encrypted volumes.
1. In the AWS console and navigate to AWS Config. Select Advanced queries in the left navigation pane (fig. 1)
Fig. 1
2. Select new query. Change the query scope to your aggregator. In the natural language query processor, enter “List volumes” and select Generate (fig. 2)
Fig. 2
3. Notice that the resulting query will provide you a list of EBS volumes, but results only include resourceId and resourceType fields but not the encryption status (Fig. 3). So, you will try again by expanding your prompt a bit more in the next step.
Fig. 3
4. Back in the Natural language query processor, enter the following text “List EBS volumes. show volume ID, AZ, resource type and encryption status”, (Fig. 4) then select Generate again.
Fig. 4
5. Notice that the updated query now includes configuration.encrypted field, which is exactly what you need to get the encryption status of each volume.
6. Select Populate to editor and run the query in the editor.
7. Now you can see 4 EBS volumes listed along with the encryption status for each volume (Fig. 5)
Fig. 5
8. Let’s try something different. Return to the Natural language query processor and enter “List encrypted EBS volumes. show volume ID, AZ, resource type and encryption status” and select Generate.
9. Select Populate to editor and run the generated query to see the following results (Fig. 6)
Fig. 6
As with many other generative AI applications, getting your prompts to produce the expected SQL query may take a bit of a trial and error, so please feel free to experiment and try out any prompts to fit your needs.
Conclusion
In this blog post, you’ve seen you how you can leverage generative AI based natural language queries in AWS Config. This new feature is available in preview in US East (N. Virginia) and US West (Oregon) AWS Regions. To get started, visit AWS Config advanced queries in the AWS console.