
Sample GraphQL Queries


© 2025 Sonrai Security. All rights reserved.

Overview

These samples show visibility (read-only) queries for the Sonrai GraphQL API. You can copy/paste the API calls directly, and then modify the variables for your environment.

Note: All account numbers, OUs, scopes, regions, emails, and other identifiers used in the samples on this page are placeholders. Be sure to replace them for your environment before running your own queries or mutations.


Account & Hierarchy Discovery

List All Account Resource IDs & Scopes

Example query
query getCloudHierarchyList($filters: CloudHierarchyFilter) {
  CloudHierarchyList(where: $filters) {
    items {
      resourceId        # Account number
      scope             # Scope string, used for other queries/mutations
      cloudType
      parentScope
      scopeFriendlyName
      name
      owners {
        name
        email
      }
      createdAt
    }
  }
}
Example variables
{
  "filters": {
    "entryType": { "op": "NEQ", "value": "managementAccount" },
    "active": { "op": "EQ", "value": true }
  }
}

Sonrai Platform Specific APIs

List All Sonrai Platform Users, Roles & Last Login

Example query
query getSonraiUsers {
  SonraiUsers {
    items {
      name
      email
      isActive
      lastLogin
      roleAssignments {
        items {
          scope
          role {
            items {
              name
            }
          }
        }
      }
    }
  }
}

Cloud Identity, Privilege & Usage Visibility

ListResourceSummaries queries can return millions of results depending on the size of your cloud deployment. In some scenarios, this may cause a timeout or an error in the results from the GraphQL endpoint. In that case, page through the results with limit and offset, as shown in this example.

Example query
query getResourceSummaries(
  $limit: Long = 10
  $offset: Long
  $orderBy: [ResourceSummariesOrderBy]
  $skipCount: Boolean! = false
  $filters: ResourceSummariesFilter
) {
  ListResourceSummaries(where: $filters) {
    totalCount @skip(if: $skipCount)
    items(limit: $limit, offset: $offset, orderBy: $orderBy) {
      srn
      label
      account
      cloudType
      tags
      accountName
      name
      usageLabel
      identityLabels
      effectiveaccessSrns
      effectiveaccessNames
      accesskeyNames
      accesskeySrns
      typeFriendlyName
      type
      __typename
    }
    __typename
  }
}
Example variables
{
  "limit": 100,
  "skipCount": false,
  "offset": 0,
  "filters": {
    "label": {
      "op": "IN_LIST",
      "values": [
        "User",
        "Role",
        "Group"
      ]
    },
    "active": {
      "op": "EQ",
      "value": true
    }
  }
}

Additional Filters

To filter the ListResourceSummaries endpoint for specific types of resources, add a "type" filter with one or more values to the variables. Available types when filtering include:

  • AWS IAM Users: "User"
  • AWS Identity Center Users: "SAML"
  • AWS Identity Center Groups: "SAMLGroup"
  • AWS IAM Roles: "Role"
  • AWS Account Root Users: "Root"
  • AWS IAM Groups: "Group"
  • Azure AD Users: "ActiveDirectoryUser"
  • Azure AD Groups: "ActiveDirectoryGroup"
  • Azure AD Enterprise Apps: "ActiveDirectoryApp"
  • Azure System Assigned Managed Identity: "AzureSystemAssignedManagedIdentity"
  • Azure User Assigned Managed Identity: "AzureUserAssignedManagedIdentity"
  • GCP Workspace Groups: "GCPGoogleGroup"
  • GCP Workspace Users: "GCPUser"
  • GCP Cloud Service Accounts: "GCPServiceAccount"

For example, using the variables below will return only resources of the type AWS IAM Roles.

Example variables
{
  "limit": 100,
  "skipCount": false,
  "offset": 0,
  "filters": {
    "active": {
      "op": "EQ",
      "value": true
    },
    "type": {
      "op": "IN_LIST",
      "values": [
        "Role"
      ]
    }
  }
}
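A small pagination client, added here as an example and not part of Sonrai's documentation or SDK: it runs the page's getResourceSummaries operation page by page (limit/offset, totalCount only on the first page via skipCount) and applies the "type" filter from the list above. `execute` and `fake_execute` are assumed stand-ins for the real HTTP transport and endpoint, and the inventory in `SAMPLE` is constructed.

```python
from typing import Callable, Dict, Iterator, List

# The page's getResourceSummaries operation with a shorter field list;
# totalCount is requested only when skipCount is false (the first page).
QUERY = """query getResourceSummaries($limit: Long = 10, $offset: Long,
    $skipCount: Boolean! = false, $filters: ResourceSummariesFilter) {
  ListResourceSummaries(where: $filters) {
    totalCount @skip(if: $skipCount)
    items(limit: $limit, offset: $offset) { srn name type account accesskeySrns }
  }
}"""

def build_filters(types: List[str]) -> Dict:
    """Filter block in the page's shape: active identities of the listed types."""
    return {"active": {"op": "EQ", "value": True},
            "type": {"op": "IN_LIST", "values": list(types)}}

def iter_resource_summaries(execute: Callable[[str, Dict], Dict], filters: Dict,
                            page_size: int = 100) -> Iterator[Dict]:
    """Walk limit/offset pages. `execute` is a hypothetical transport that POSTs
    (query, variables) to the Sonrai endpoint and returns the decoded JSON body."""
    offset, total = 0, None
    while True:
        variables = {"limit": page_size, "offset": offset,
                     "skipCount": total is not None, "filters": filters}
        body = execute(QUERY, variables)
        if body.get("errors"):  # timeouts and validation failures surface here
            raise RuntimeError(str(body["errors"]))
        data = body["data"]["ListResourceSummaries"]
        total = data["totalCount"] if total is None else total
        yield from data["items"]
        offset += len(data["items"])
        if not data["items"] or offset >= total:
            return

def users_with_access_keys(execute, page_size: int = 4) -> List[str]:
    """Names of IAM Users holding at least one access key, across all pages."""
    rows = iter_resource_summaries(execute, build_filters(["User"]), page_size)
    return [r["name"] for r in rows if r["accesskeySrns"]]

# Constructed sample inventory (not real data): 7 Roles and 5 Users, of which
# u0, u2 and u4 hold an access key.
SAMPLE = [{"srn": f"srn:aws:iam::123456789012/{t}/{t[0].lower()}{i}", "type": t,
           "name": f"{t[0].lower()}{i}", "account": "123456789012",
           "accesskeySrns": [f"srn:aws:iam::123456789012/AWSAccessKey/k{i}"]
           if t == "User" and i % 2 == 0 else []}
          for t, n in (("Role", 7), ("User", 5)) for i in range(n)]

def fake_execute(query: str, variables: Dict) -> Dict:
    """Offline stand-in for the endpoint: applies the type filter and paging."""
    wanted = set(variables["filters"]["type"]["values"])
    rows = [r for r in SAMPLE if r["type"] in wanted]
    page = rows[variables["offset"]:variables["offset"] + variables["limit"]]
    node = {"items": page, **({} if variables["skipCount"] else {"totalCount": len(rows)})}
    return {"data": {"ListResourceSummaries": node}}
```

Swap `fake_execute` for a function that POSTs `{"query": ..., "variables": ...}` to your tenant's GraphQL endpoint with your API token to run it for real.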

Get a count of all identities (Users and Roles + Access Keys)

Example query
query IdentityTotal {
  ListResourceSummaries(
    where: {
      serviceType: { op: EQ, value: "iam" }
      type: { op: IN_LIST, values: ["Role", "User", "AWSAccessKey"] }
    }
  ) {
    Identities: totalCount
  }
}

Get all IAM Users that have at least one access key

Example query
query getIAMUsersWithAccessKeys {
  ListResourceSummaries(
    where: {
      type: { op: IN_LIST, values: ["User"] }
      accesskeySrns: { op: ARRAY_NOT_EMPTY }
    }
  ) {
    items {
      srn
      name
      type
      account
      accesskeyNames
      accesskeySrns
    }
  }
}

Look Up CloudTrail Config

Example query
query getCloudTrailConfig {
  ListResourceSummaries(
    where: { serviceType: { op: EQ, value: "cloudtrail" } }
  ) {
    items {
      srn
      name
      properties
    }
  }
}

Look Up SCPs and RCPs

Example query
{
  AWSDirectPolicies(
    where: { policySrn: { op: STARTS_WITH, value: "srn:aws:organizations" } }
  ) {
    totalCount
    items(
      orderBy: {
        policySrn: { order: ASC, precedence: 1 }
        policyName: { order: ASC, precedence: 2 }
      }
    ) {
      # Policy Fields
      policyName
      policySrn
      orgAccount: account
      scpAttachmentPoint: resource {
        srn
      }
      policyType: policySrn @regex(match: ".*/Policy/(\\w+)/.*", replace: "$1")
      policy: properties @jsonPath(path: "$.policy")
    }
  }
}

Getting Cloud Actions

Example query
query getCloudActions {
  ListCloudActions(
    where: {
      timestamp: { op: GT, function: { dateTimeNow: { offsetDays: -1 } } }
      eventName: { value: "Microsoft.Storage/storageAccounts/listKeys/action" }
      succeeded: { op: EQ, value: true }
      resourceSrns: {
        op: ARRAY_CONTAINS
        replacer: {
          key: "values"
          graphqlQuery: "{ ListResourceSummaries( where: { serviceType: { value: \"Microsoft.Storage\" }, label: { value: \"DataStore\" }, properties: { op: NOT_CONTAINS, key: { value: \"storageAccount.properties.allowSharedKeyAccess\" }, booleanValue: { op: EQ, value: false } } } ) { items { srn } } }"
          jsonPath: ".srn"
        }
      }
    }
  ) {
    count
    items {
      eventName
      # timestamp
      actionClassifications
      succeeded
      srcIp
      userAgent
      account
      type
      serviceType
      resourceSrns
      actorSrns
    }
  }
}

Get all Actions for a Specific Identity

Example query
query getActionsForIdentity {
  ListCloudActions(
    where: {
      succeeded: { op: EQ, value: true }
      actorSrns: {
        op: ARRAY_CONTAINS
        values: ["srn:aws:iam::123456789012/Role/my_role"]
      }
    }
  ) {
    count
    items {
      eventName
      # timestamp
      actionClassifications
      succeeded
      srcIp
      userAgent
      account
      type
      serviceType
      resourceSrns
      actorSrns
    }
  }
}

List Identities With Excessive Privileges in a Scope

Example query
query getExcessivePrivilegeIdentitiesCount(
  $filters: ExcessiveIAMPrivilegeFilter!
) {
  ExcessiveIAMPrivilege(where: $filters) {
    count
  }
}
Example variables
{
  "filters": {
    "scope": { "value": "aws/r-xxxxx", "op": "STARTS_WITH" }
  }
}

List Unused (Dormant) Identities in an Account

Example query
query getUnusedIdentities($filters: UnusedIdentitiesFilter!) {
  UnusedIdentities(where: $filters) {
    items {
      account
      count
    }
  }
}
Example variables
{
  "filters": {
    "scope": { "value": "aws/r-xxxxx/ou-xxxx-yyyyy/123456789012", "op": "EQ" },
    "daysSinceLastLogin": { "op": "EQ", "value": "90" }
  }
}

List the number of identities that can use an Identity Center PermissionSet Role

Example query
query getPermissionSets($scope: String!) {
  PermissionSets(where: { scope: { op: EQ, value: $scope } }) {
    items {
      name
      identityLabels
      userCount
    }
  }
}
Example variables
{ "scope": "aws/r-xxxxx/ou-xxxxx-yyyyy/123456789012" }

List Excessive Privilege Accounts & Identity Counts

Example query
query getExcessivePrivilegeAccounts($filters: ExcessiveIAMPrivilegeFilter!) {
  ExcessiveIAMPrivilege(where: $filters) {
    items {
      account
      accountName
      identityCount
    }
  }
}
Example variables
{
  "filters": {
    "scope": { "op": "STARTS_WITH", "value": "aws/r-xxxxx" },
    "identitySearch": ""
  }
}

Policy & Service Visibility

Fetch All Third Parties With Access

Example query
query getThirdParties($scope: String!) {
  ThirdParties(where: { scope: { value: $scope, op: EQ } }) {
    items {
      thirdPartyFriendlyName
      status {
        state
      }
      resources {
        service
        resourceType
        count
      }
      accountCount
      lastAccessed
      labels {
        name
        severity
      }
      thirdPartyId
    }
  }
}
Example variables
{ "scope": "aws/r-xxxxx" }

Get Sensitive Permissions in a Service at Scope

Example query
query getCloudServices($filters: CloudServiceFilter) {
  CloudServices(where: $filters) {
    items(orderBy: { sensitivePermissionCount: { order: DESC } }) {
      service
      sensitivePermissionCount
      availableActions
      controlKey
      status {
        status
        isStatusPending
      }
    }
  }
}
Example variables
{
  "filters": {
    "scope": { "op": "EQ", "value": "aws/r-xxxxx" }
  }
}

Fetch All Unused Identities by Account (Days Dormant Determined by Global Setting)

Example query
query getUnusedIdentities($filters: UnusedIdentitiesFilter!) {
  UnusedIdentities(where: $filters) {
    items {
      account
      count
    }
  }
}
Example variables
{
  "filters": {
    "scope": { "op": "STARTS_WITH", "value": "aws/r-xxxxx" },
    "daysSinceLastLogin": { "op": "EQ", "value": "90" },
    "identitySearch": ""
  }
}

Describe an AWS Resource Policy

Example query
query fetchResourcePolicy($resourceSrn: String!) {
  DescribeAWSDirectPolicy(where: { srn: { op: EQ, value: $resourceSrn } }) {
    items {
      policyJson
    }
  }
}
Example variables
{ "resourceSrn": "srn:aws:s3::123456789012/DataContainer/example-bucket" }

List IAM Policies for a Role

Example query
query getIamPolicy($roleSrn: String!) {
  AWSDirectPolicies(
    where: {
      srn: { op: EQ, value: $roleSrn }
      policyName: { op: LIKE, value: "%assumed-role%" }
    }
  ) {
    totalCount
    items {
      policySrn
    }
  }
}
Example variables
{ "roleSrn": "srn:aws:iam::123456789012/Role/ExampleRole" }

List Policy JSONs for a Role

Example query
query getPolicyJsons($roleSrn: String!, $account: String!) {
  DescribeAWSDirectPolicy(
    where: {
      srn: { op: EQ, value: $roleSrn }
      account: { op: EQ, value: $account }
    }
  ) {
    items {
      policyName
      type
      policySrn
      policyJson
    }
  }
}
Example variables
{
  "roleSrn": "srn:aws:iam::123456789012/Role/ExampleRole",
  "account": "123456789012"
}

Permissions On Demand & JIT

List All POND (JIT) Requests

Example query
query getPONDRequestList($filters: PONDRequestFilter) {
  PONDRequests(where: $filters) {
    items(orderBy: { lastRequested: { order: DESC } }) {
      pondRequestId
      identity
      account
      scope
      status
      requestedDuration
      approvers {
        name
      }
      permissions {
        permission
      }
    }
  }
}
Example variables
{
  "filters": {
    "rootScope": { "op": "EQ", "value": "aws/r-xxxxx" },
    "status": { "op": "NEQ", "value": "UNMANAGED" },
    "firstRequested": { "op": "GTE", "value": "2024-01-01T00:00:00.000+00:00" },
    "type": { "op": "NEQ", "value": "SERVICE_BLOCK" }
  }
}

Third Party & Region Visibility

List Third Party IAM Access by Account

Example query
query getThirdPartyIamAccess($scope: String!, $thirdPartyId: String!) {
  ThirdPartyAccessByAccount(
    where: {
      scope: { op: EQ, value: $scope }
      thirdPartyId: { op: EQ, value: $thirdPartyId }
    }
  ) {
    count
    items {
      scope
      scopeFriendlyName
      labels {
        name
        severity
      }
      status {
        state
      }
      roles {
        roleName
        lastAccessed
      }
    }
  }
}
Example variables
{
  "scope": "aws/r-xxxxx",
  "thirdPartyId": "third-party-uuid-1234"
}

List Third Party Access by Resource

Example query
query getThirdPartyResources($scope: String!, $thirdPartyId: String!) {
  ThirdPartyAccessByResource(
    where: {
      scope: { op: EQ, value: $scope }
      thirdPartyId: { op: EQ, value: $thirdPartyId }
    }
  ) {
    items {
      resourceName
      resourceType
      serviceFriendlyName
      service
      account
      scope
      labels {
        name
        severity
      }
    }
  }
}
Example variables
{
  "scope": "aws/r-xxxxx",
  "thirdPartyId": "third-party-uuid-1234"
}

List All Regions for a Scope

Example query
query getRegions($filters: RegionControlFilter) {
  RegionsControls(where: $filters) {
    items {
      regionId
      regionName
      status {
        status
        pending
      }
      coordinates {
        lat
        long
      }
      criticalRegion
      cloudType
    }
  }
}
Example variables
{
  "filters": { "Scope": { "op": "STARTS_WITH", "value": "aws/r-xxxxx" } }
}