Query AWS and OCI resources, security configurations, CloudTrail events, and network traffic
The copilot can answer questions about your connected AWS and OCI accounts — resource inventory, security configurations, CloudTrail audit events, CloudWatch metrics, VPC Flow Logs, and more. The examples on this page illustrate common query patterns, but you can ask anything about your cloud accounts in natural language.
Use @cloud:connection-name to direct your query to a specific AWS or OCI account. You can target multiple accounts in a single query for cross-account comparisons.
@cloud:prod-aws show me all publicly accessible S3 buckets
@cloud:prod-aws @cloud:staging-aws compare the IAM policies attached to the EKS node group roles
If you have only one cloud account connected, the copilot targets it automatically.
Find your connection names on the Cloud Connections page in the Kestrel dashboard. The name matches whatever you set when connecting the account.
Query any cloud resource — instances, storage, databases, serverless functions, networking, and more.
@cloud:prod-aws Show me all EC2 instances in us-east-1 and us-west-2, grouped by instance type. Include running state and launch time.
@cloud:prod-aws Which S3 buckets don't have versioning enabled? Flag any that also lack server-side encryption.
@cloud:prod-aws List all RDS instances that aren't using Multi-AZ deployment. Include their storage size, engine version, and whether automated backups are enabled.
@cloud:prod-aws Show me all Lambda functions that haven't been invoked in the last 30 days. What's the total allocated memory across them?
@cloud:prod-aws What ECS services are running in the production cluster? Show me the task definition, desired count, and running count for each.
@cloud:prod-aws Which ELBs have no healthy targets registered? Include the target group health check configuration.
Inspect IAM policies, security groups, encryption settings, and access controls.
@cloud:prod-aws Which security groups allow inbound SSH (port 22) from 0.0.0.0/0? Show me the group name, VPC, and what resources are using each group.
@cloud:prod-aws List all IAM users with console access that don't have MFA enabled.
@cloud:prod-aws Show me all IAM roles that have AdministratorAccess or full S3 access policies attached. Which services or users assume these roles?
@cloud:prod-aws Which KMS keys are scheduled for deletion? Are any of them still being used by S3 buckets or RDS instances?
@cloud:prod-aws Are there any S3 bucket policies that grant cross-account access? Show me the principal ARNs and what permissions they have.
@cloud:prod-aws Which EC2 instances have public IP addresses and security groups that allow inbound traffic on non-standard ports?
@cloud:prod-aws Who modified the IAM policy for the deploy-bot role in the last 48 hours? Show the full event details including source IP and user agent.
@cloud:prod-aws Show me all console logins in the last 7 days. Flag any that came from unusual IP addresses or happened outside business hours.
@cloud:prod-aws What API calls did user david@acme.com make yesterday? Focus on any destructive actions like Delete* or Terminate*.
@cloud:prod-aws Were there any security group changes in the last 24 hours? Show me the before and after rules for each change.
@cloud:prod-aws Which IAM roles were created or modified in the last week? Show me who made the changes and what permissions were granted.
Compare configurations and resources across multiple cloud accounts.
@cloud:prod-aws @cloud:staging-aws Compare the security group rules for the EKS node groups. Are there any rules in staging that aren't in production?
@cloud:prod-aws @cloud:staging-aws Which RDS instances exist in production but not in staging? Are there any configuration differences for the ones that exist in both?
@cloud:prod-aws @cloud:staging-aws Compare the Lambda function configurations for the payment-processor functions across both accounts. Flag any differences in memory, timeout, or environment variables.
@cloud:prod-aws @cloud:dev-aws Are the same IAM policies attached to the CI/CD role in both accounts?
@cloud:prod-aws We got an alert about unauthorized access. Show me all CloudTrail events from unusual source IPs in the last 12 hours.
Kestrel:
I found 3 API calls from IP addresses not in your organization’s known CIDR ranges:
AssumeRole on arn:aws:iam::123456789012:role/deploy-bot from 198.51.100.42 at 03:14 UTC — user agent aws-cli/2.15.0
ListBuckets from the same IP at 03:16 UTC using the assumed deploy-bot session
GetObject on s3://prod-config-bucket/database.yml at 03:17 UTC from the same session
The deploy-bot role was assumed using access key AKIA...3F7Q which belongs to IAM user ci-pipeline. This key hasn’t been rotated in 214 days.
You:
What permissions does that deploy-bot role have? And is the access key compromised?
Kestrel:
The deploy-bot role has the following attached policies:
AmazonS3FullAccess (AWS managed)
custom-deploy-policy (inline) — grants ec2:*, ecs:*, and lambda:* on all resources
This is significantly over-permissioned for a CI/CD role. Regarding the access key — the source IP 198.51.100.42 geolocates to a datacenter in Ashburn, VA (AWS us-east-1 region), which could be a legitimate CI runner. However, previous API calls from ci-pipeline all originated from 10.0.x.x (your VPC). I’d recommend rotating the key immediately and scoping down the role permissions.
You:
Generate a Terraform change to scope down that role to just the S3 and ECS permissions it actually needs.
Kestrel:
Based on the CloudTrail history for this role over the last 90 days, the deploy-bot role actually only uses these actions: s3:GetObject, s3:PutObject on the prod-config-bucket and prod-artifacts buckets, and ecs:UpdateService, ecs:DescribeServices on the production cluster. Here’s a least-privilege policy:(displays Terraform diff replacing the over-permissioned policies with a scoped-down custom policy)