AWS Config Advanced Query: SQL-Like Queries for Fast Cloud Insights

Instantly analyze AWS resource configurations across accounts without complex scripts
Ever struggled to understand the actual configuration of your AWS resources?
IaC (Infrastructure as Code) is great, but every team abstracts things differently, making it hard to know what’s actually configured in AWS right now.
Need to quickly check configuration differences between dev and production?
Looking for a way to query AWS resources across multiple accounts without writing custom scripts?
There’s an underrated but powerful AWS-native tool that simplifies this: AWS Config Advanced Query.
With SQL-like queries, you can instantly pull resource configurations across your AWS accounts, ensuring compliance, debugging misconfigurations, and tracking infrastructure changes — all without complex scripts or manual checks.
In this guide, we’ll explore practical examples to help you leverage AWS Config Advanced Query for better cloud visibility and governance.
Find Lambda functions using a runtime older than Node.js 22
This query identifies all Lambda functions that are still using Node.js versions older than 22.
SELECT
    accountId,
    resourceId,
    configuration.runtime,
    configuration.lastModified,
    configuration.description
WHERE
    resourceType = 'AWS::Lambda::Function'
    AND configuration.runtime LIKE 'nodejs%'
    AND configuration.runtime < 'nodejs22.x'
ORDER BY
    accountId
Don’t just detect EOL — celebrate the team that upgrades to the latest version the fastest! 🏎️ 🏁
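An added example, not from the original article: if the `<` in the query above compares runtime strings character by character, a single-digit version such as nodejs8.10 sorts after nodejs22.x and is not returned. The Python below drops that comparison from the query and filters on the numeric major version instead. The aggregator name, `StubClient` and its sample rows are constructed; with real credentials you would pass `boto3.client('config')` as the client.

```python
import json
import re

# The page's selection, minus the runtime string comparison (done below).
QUERY = ("SELECT accountId, resourceId, configuration.runtime "
         "WHERE resourceType = 'AWS::Lambda::Function' "
         "AND configuration.runtime LIKE 'nodejs%'")

def fetch_rows(client, aggregator_name, expression=QUERY):
    """Run the query through a Config aggregator, following NextToken."""
    rows, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = client.select_aggregate_resource_config(
            Expression=expression,
            ConfigurationAggregatorName=aggregator_name, **kwargs)
        # Each entry in Results is a JSON-encoded string, one per resource.
        rows.extend(json.loads(r) for r in page.get("Results", []))
        token = page.get("NextToken")
        if not token:
            return rows

def node_major(runtime):
    """'nodejs8.10' -> 8, 'nodejs20.x' -> 20, legacy bare 'nodejs' -> 0."""
    m = re.match(r"nodejs(\d*)", runtime or "")
    return None if m is None else int(m.group(1) or 0)

def outdated(rows, min_major=22):
    """Rows whose Node.js major version is numerically below min_major."""
    majors = [(r, node_major(r["configuration"]["runtime"])) for r in rows]
    return [r for r, v in majors if v is not None and v < min_major]

def missed_by_string_compare(rows, bound="nodejs22.x"):
    """Outdated rows that a lexical `runtime < bound` test does not match."""
    return [r for r in outdated(rows)
            if not r["configuration"]["runtime"] < bound]

class StubClient:
    """Constructed stand-in for boto3.client('config'); serves two pages."""
    PAGES = {None: (["nodejs8.10", "nodejs20.x"], "page-2"),
             "page-2": (["nodejs22.x", "nodejs18.x"], None)}
    def select_aggregate_resource_config(self, **kwargs):
        runtimes, next_token = self.PAGES[kwargs.get("NextToken")]
        rows = [{"accountId": "111111111111", "resourceId": f"fn-{rt}",
                 "configuration": {"runtime": rt}} for rt in runtimes]
        page = {"Results": [json.dumps(r) for r in rows]}
        if next_token:
            page["NextToken"] = next_token
        return page
```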
Find instances configured with Aurora I/O-Optimized
This query lists all RDS instances that have the Aurora I/O-Optimized storage type enabled.
SELECT
    accountId,
    configuration.dBInstanceClass,
    configuration.engineVersion,
    resourceName
WHERE
    resourceType = 'AWS::RDS::DBInstance'
    AND configuration.storageType = 'aurora-iopt1'
ORDER BY
    accountId
I/O-Optimized comes with a 30% premium on Reserved Instance pricing. Fun fact: It also improves I/O speed!
Find tables using Provisioned Mode in DynamoDB
This query finds all DynamoDB tables using Provisioned Mode instead of On-Demand Mode.
SELECT
    resourceId,
    accountId,
    configuration.provisionedThroughput.readCapacityUnits,
    configuration.provisionedThroughput.writeCapacityUnits
WHERE
    resourceType = 'AWS::DynamoDB::Table'
    AND (
        configuration.provisionedThroughput.readCapacityUnits > 0
        OR configuration.provisionedThroughput.writeCapacityUnits > 0
    )
Unless you’re a DynamoDB expert, On-Demand mode is recommended over Provisioned mode.
Find CloudFront Distributions that do not support IPv6
This query identifies all CloudFront distributions that have IPv6 disabled.
SELECT
    accountId,
    configuration.aliasICPRecordals,
    configuration.distributionConfig.cacheBehaviors.items,
    configuration.distributionConfig.httpVersion
WHERE
    resourceType = 'AWS::CloudFront::Distribution'
    AND configuration.distributionConfig.isIPV6Enabled = false
ORDER BY
    accountId
List all used Public IPs across accounts
This query extracts all used Public IP addresses across AWS accounts.
SELECT
    accountId,
    configuration.association.publicIp,
    configuration.interfaceType,
    availabilityZone,
    resourceId
WHERE
    resourceType = 'AWS::EC2::NetworkInterface'
    AND configuration.association.publicIp > '0.0.0.0'
ORDER BY
    accountId,
    configuration.interfaceType
List all Elastic IPs (EIPs)
This query lists all allocated Elastic IPs (EIPs) across AWS accounts.
SELECT
    accountId,
    resourceName,
    awsRegion,
    resourceId,
    relationships
WHERE
    resourceType = 'AWS::EC2::EIP'
ORDER BY
    accountId
AWS Config resource schema documentation is as follows:
Conclusion
AWS Config Advanced Query makes it easy to analyze resource configurations across accounts with SQL-like queries. No complex scripts or manual checks are needed — just write a query and get insights instantly.
Start using AWS Config Advanced Query today to improve cloud governance, detect misconfigurations, and simplify compliance monitoring!