Sample GraphQL Mutations

© 2025 Sonrai Security. All rights reserved.
Overview
These samples show change/action mutations for the Sonrai GraphQL API. You can copy/paste the API calls directly, and then modify the variables for your environment.
Note: All account numbers, OUs, scopes, regions, emails, and other identifiers used in the samples on this page are placeholders. Be sure to replace them for your environment before running your own queries or mutations.
Tip: These API calls may stage the changes into “Pending Changes” and require a deployment before they take effect.
Disable a Service
Example mutation
mutation disableService($input: ServiceActionInput!) {
  DisableService(input: $input) {
    success
  }
}
Example variables
{
  "input": {
    "controlKey": "ram",
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012"
  }
}
Disable All Unused Services at a Scope
Example mutation
mutation disableUnusedServices($input: DisableUnusedServicesInput!) {
  DisableUnusedServices(input: $input) {
    success
  }
}
Example variables
{
  "input": { "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy" }
}
Protect Sensitive Permission for a Service
Example mutation
mutation protectService($input: ProtectActionInput!) {
  ProtectService(input: $input) {
    success
  }
}
Example variables (no exemptions)
{
  "input": {
    "controlKey": "s3",
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012",
    "identities": [],
    "ssoActorIds": []
  }
}
Create exemptions when protecting sensitive permissions by changing the variables to specify identities or actors that should be allowed to access these permissions, as shown below:
Example variables (with exemptions)
{
  "input": {
    "controlKey": "iam",
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012",
    "identities": [
      "arn:aws:iam::123456789012:role/sonrai-collector-crc123456",
      "arn:aws:iam::123456789012:role/sonrai-pond-crc123456"
    ],
    "ssoActorIds": [
      "email@sonraisecurity.com"
    ]
  }
}
Protect Sensitive Permission for In-Use Services at a Scope
Example mutation
mutation protectAllIdentities($input: ProtectAllInput!) {
  ProtectAllIdentities(input: $input) {
    success
  }
}
Example variables
{
  "input": { "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy" }
}
Disable a Region
Example mutation
mutation disableRegion($input: RegionMutationInput) {
  DisableRegion(input: $input) {
    success
  }
}
Example variables
{
  "input": {
    "regionId": "us-east-2",
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy"
  }
}
Block Access for a Third Party
Example mutation
mutation blockThirdParty($thirdPartyId: String!, $scope: String!) {
  DenyThirdPartyAccess(input: { thirdPartyId: $thirdPartyId, scope: $scope }) {
    success
  }
}
Example variables
{
  "thirdPartyId": "third-party-uuid-1234",
  "scope": "aws/r-xxxxx"
}
Quarantine a Single Identity
Example mutation
mutation quarantine($input: ChangeQuarantineStatusInput!) {
  ChangeQuarantineStatus(input: $input) {
    transactionId
    success
    count
  }
}
Example variables
{
  "input": {
    "identities": [
      {
        "resourceId": "arn:aws:iam::123456789012:role/ExampleRole",
        "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012",
        "name": "ExampleRole",
        "account": "123456789012"
      }
    ],
    "action": "ADD",
    "rootScope": "aws/r-xxxxx"
  }
}
Quarantine All Unused Identities in an Account
Example mutation
mutation quarantineZombies($input: QuarantineZombiesAtScopeInput!) {
  QuarantineZombiesAtScope(input: $input) {
    transactionId
    success
    count
  }
}
Example variables
{
  "input": {
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012",
    "daysSinceLastLogin": "90"
  }
}
One-Click Protect All (protect all, disable unused, quarantine unused)
Example mutation
mutation oneClickProtectMutation($input: OneClickProtectScopeInput) {
  OneClickProtectAtScope(input: $input) {
    transactionId
  }
}
Example variables
{
  "input": { "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy" }
}
Add Approver(s) at a Scope
Example mutation
mutation assignScopeOwners($input: AssignScopeOwnersInput) {
  AssignScopeOwners(input: $input) {
    success
    error
  }
}
Example variables
{
  "input": {
    "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012",
    "overrideChildScopes": false,
    "owners": [
      { "email": "user1@example.com" },
      { "email": "user2@example.com" }
    ]
  }
}
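
The overview's note asks you to replace the placeholder identifiers before running a mutation. The following pre-flight check is an added example, not Sonrai's code: it scans a variables object for the placeholder shapes used in these samples, reports how broad the target scope is, and only then builds the request body. The pattern list, the function names, and the scope layout (cloud/root/OU.../account) are assumptions drawn from the samples above, and the identifiers in `ready` are constructed.

```python
import json
import re

# Placeholder shapes copied from the sample variables on this page.
PLACEHOLDERS = [re.compile(p) for p in (
    r"\br-x+\b",                  # org root: r-xxxxx
    r"\bou-x+-y+\b",              # OU: ou-xxxxx-yyyyy
    r"\b123456789012\b",          # sample account number
    r"crc123456",                 # sample role suffix
    r"third-party-uuid-1234",
    r"@example\.com$|^email@sonraisecurity\.com$",
)]

DISABLE_SERVICE = """mutation disableService($input: ServiceActionInput!) {
  DisableService(input: $input) { success }
}"""
PAGE_SAMPLE = {"input": {"controlKey": "ram",
                         "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012"}}

def find_placeholders(value, path="$"):
    """Walk decoded JSON; return (json_path, string) for each leftover placeholder."""
    if isinstance(value, dict):
        return [h for k, v in value.items() for h in find_placeholders(v, f"{path}.{k}")]
    if isinstance(value, list):
        return [h for i, v in enumerate(value) for h in find_placeholders(v, f"{path}[{i}]")]
    if isinstance(value, str) and any(p.search(value) for p in PLACEHOLDERS):
        return [(path, value)]
    return []

def scope_level(scope):
    """Assumed layout cloud/root/ou.../account: classify by the last path segment."""
    last = scope.rstrip("/").split("/")[-1]
    if re.fullmatch(r"\d{12}", last):
        return "account"
    return "ou" if last.startswith("ou-") else "root" if last.startswith("r-") else "unknown"

def build_request(query, variables):
    """Return the GraphQL JSON body, or raise if any placeholder is still present."""
    hits = find_placeholders(variables)
    if hits:
        raise ValueError("placeholders remain at: " + ", ".join(p for p, _ in hits))
    return json.dumps({"query": query, "variables": variables})

if __name__ == "__main__":
    print(find_placeholders(PAGE_SAMPLE))
    # Constructed identifiers, not real ones:
    ready = {"input": {"controlKey": "ram", "scope": "aws/r-ab12/ou-ab12-cdef3456/210987654321"}}
    print(scope_level(ready["input"]["scope"]), build_request(DISABLE_SERVICE, ready))
```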