Extend osquery beyond OS & container runtime with cloudquery

Adding cloud provider telemetry to your osquery deployment arms the modern defender with a single source of visibility across host operating systems, container runtimes and cloud services data. As part of the shared responsibility model with cloud providers, cloudquery enables organizations to fulfill their responsibility for monitoring cloud assets, configuration policies, and configuration drift across their Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) accounts. Cloudquery also provides the telemetry necessary for monitoring your CIS Benchmark and SOC 2 compliance.   

Cloudquery runs as an extension to osquery and leverages the power of normalization so that new insights across your on-premises and cloud environments are just a SQL JOIN away. Like osquery, cloudquery data can be delivered to destinations including files, sockets, Kinesis, and Kafka.

cloudquery Empowers Security Teams To:

  • Query cloud provider data in the same way you query operating systems and containers
  • Monitor the configuration policies of your cloud resources and data
  • Visualize on-prem and cloud environments in a single place
  • Manage assets across AWS, Azure and GCP cloud providers in a single place
  • Observe trends through historical data analysis
  • Identify configuration drift
  • Detect misconfigurations, such as public S3 buckets, accounts without MFA enabled, and more
  • Conform to CIS Benchmark compliance standards
  • Perform real-time investigations and root cause analysis
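The following queries are an added example of the misconfiguration checks and the on-prem/cloud JOIN described above; they are not from the cloudquery project or this article. The table and column names (aws_s3_bucket, aws_iam_user, aws_ec2_instance and their columns) are assumptions chosen to read naturally; only osquery's own ec2_instance_metadata table and its instance_id column are real. Check the table list in the cloudquery repository for the actual schema before running them.

```sql
-- Added example: detection queries over cloudquery tables.
-- Assumed schema (not the project's documented one):
--   aws_s3_bucket(account_id, region, name, acl)
--   aws_iam_user(account_id, user_name, mfa_active)
--   aws_ec2_instance(account_id, region, instance_id, security_groups, tags)

-- 1. Public S3 buckets: any bucket whose ACL grants access to the
--    AllUsers or AuthenticatedUsers groups is reachable by anyone.
SELECT account_id, region, name
FROM   aws_s3_bucket
WHERE  acl LIKE '%AllUsers%'
   OR  acl LIKE '%AuthenticatedUsers%';

-- 2. IAM users that have no MFA device active.
SELECT account_id, user_name
FROM   aws_iam_user
WHERE  mfa_active = 0;

-- 3. The "SQL JOIN away" case: enrich the host osquery is running on
--    (its instance id comes from osquery's real ec2_instance_metadata
--    table) with the security groups and tags cloudquery fetched from
--    the AWS API for that same instance.
SELECT m.instance_id,
       i.account_id,
       i.region,
       i.security_groups,
       i.tags
FROM   ec2_instance_metadata AS m
JOIN   aws_ec2_instance      AS i
  ON   i.instance_id = m.instance_id;
```

Scheduling query 1 and query 2 in an osquery pack with a short interval, and alerting on any row in the differential output, turns them into a drift detector: a bucket that was private in the previous run and public in this one shows up as an added row.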

How cloudquery Works

Cloudquery can be deployed as an osquery extension or Docker container, on-prem or in the cloud, and can be configured to fetch data from one or more cloud providers. In a typical deployment you’ll have one instance of cloudquery in each cloud provider account. This makes data transfer faster and cheaper as the incoming data will not leave the perimeter of the cloud deployment.

Once installed and configured, with credentials established for the desired cloud accounts, cloudquery starts fetching data for the various resources using the APIs supported by the cloud providers. There are multiple ways to authenticate with cloud providers. With AWS, for example, you can use an instance profile, access keys, or a role ARN with an external ID, giving you options based on your security preferences. If you connect multiple cloud provider accounts, the information for each resource is easily identifiable because the table naming convention includes the specific provider name. Your cloudquery data is delivered to the destination defined by your osquery configuration and is available immediately.
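To show how the provider-prefixed table naming convention turns multi-account, multi-cloud data into a single inventory, here is an added example query that is not from the cloudquery project or this article. The prefixes aws_, azure_ and gcp_ follow the convention the paragraph describes; the full table names and the column names are assumptions, and the real tables may expose different or additional columns.

```sql
-- Added example: one inventory across three providers.
-- Assumed tables (the prefix is the convention; the rest is a guess):
--   aws_ec2_instance(account_id, region, instance_id, state, tags)
--   azure_compute_vm(subscription_id, location, vm_id, power_state, tags)
--   gcp_compute_instance(project_id, zone, id, status, labels)

-- Normalize the provider-specific columns into one shape so the same
-- downstream queries and dashboards work regardless of cloud.
SELECT 'aws'            AS provider,
       account_id       AS account,
       region           AS location,
       instance_id      AS resource_id,
       state            AS status,
       tags             AS labels
FROM   aws_ec2_instance

UNION ALL

SELECT 'azure'          AS provider,
       subscription_id  AS account,
       location         AS location,
       vm_id            AS resource_id,
       power_state      AS status,
       tags             AS labels
FROM   azure_compute_vm

UNION ALL

SELECT 'gcp'            AS provider,
       project_id       AS account,
       zone             AS location,
       id               AS resource_id,
       status           AS status,
       labels           AS labels
FROM   gcp_compute_instance;
```

Because each provider's data lands in its own tables, a cloudquery instance deployed per account (as the paragraph above recommends) only ever populates the tables for its own provider, and the UNION ALL is what reassembles the fleet-wide view at the destination.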

Learn More & Contribute To cloudquery

You can explore details, test and install cloudquery, or submit a contribution by visiting the cloudquery repository on GitHub. Read more about the cloudquery creation story from one of its developers in this blog article.

The links below provide a current list of tables cloudquery supports for:

Uptycs engineering resources are dedicated to advancing cloudquery's open source capabilities along with meaningful contributions from the developer community. Near-term improvements will focus on new inventory tables for all cloud providers, new tables for events such as AWS CloudTrail and VPC Flow Logs, and support for a WHERE clause to help with filtering results.

Install cloudquery Extension