Example searches for understanding fundamental VQL concepts and options.
Last updated
Was this helpful?
This guide will help you learn VQL through practical examples, starting with basic queries and progressing to more complex scenarios. Use the examples in this document to familiarize yourself with Veza graph search concepts, and how they can be expressed using Veza Query Language (VQL).
Every query constructed using the starts with a SHOW statement specifying the entities that will be returned as results. Entities that match the search conditions are shown in rows with detailed entity metadata.
After specifying the source node, you can apply filters (WHERE clauses) and relationship constraints (RELATED TO) to further narrow your search.
By default, the results show the source entity types indicated by the SHOW keywords. Use the INCLUDE clause to change the result output format to include destination nodes and summary entities.
For the detailed VQL specification, see .
A VQL query consists of at least one source specification, which determines the entity type(s) to return as results.
Here is a simple VQL expression that will return all AWS S3 Buckets that Veza has discovered:
By default, the results contain a selection of entity properties and not the full set of attributes. Modify the SHOW statement to retrieve specific properties you're interested in:
For each result, columns will include the S3 Bucket creation date and indicate if the Block Public Access option is enabled.
VQL allows you to query relationships between interconnected graph entities using a simple syntax. In this example, we return all AWS IAM Users RELATED TO S3 Buckets:
Conversely, to list S3 Buckets accessible by IAM Users:
To only return results that meet certain conditions, include a WHERE clause. In this example, results are constrained to AWS IAM Users related to S3 Buckets that have public ACLs OR have Object Lock Enabled set to true:
Relationships in the Veza graph can include intermediate entities, such as roles, groups, or policies connecting a source to a destination.
In the example below, use the WITH PATH option to only return AWS IAM Users that are connected to S3 Buckets via an intermediate IAM Role:
Alternately, to exclude paths that include a specific node type:
By default, query results are a list of source entities and their attributes. You can optionally get results as source and destination pairs, where each row represents a unique path connecting two entities.
Update the previous example to return the exact S3 Buckets each IAM User can access by adding the RESULT INCLUDE DESTINATION NODES keyword. This will show each combination of IAM Users and S3 Buckets connected by IAM Roles:
Use the following query to include the summary and the sequence of IAM Roles granting access to S3 Buckets in the search results:
With VQL, you can filter results based on the number of destination entities a source is related to. This option can help identify widely-accessible resources, users with overly broad permissions or roles or groups that grant access to a wide range of other entities.
Update the example above with a HAVING clause to only return AWS IAM Users who have access to more than 10 S3 Buckets:
This variation returns users who have access to more than 20% of S3 Buckets:
When working with large result sets, use pagination to retrieve results in manageable chunks:
After receiving the initial results, use the cursor token provided in the response to fetch the next set of results:
This output format is equivalent to the option in Query Builder or the format of an .
VQL supports to provide insight into the intermediate entities in the path connecting a source and destination. This option can help identify deeply nested groups, inherited roles, and other hierarchical relationships.
While querying for relationships, add a QUERY OPTION to filter results by (available for supported integrations):
Experimenting with different node types, filters, and relationship constraints can help identify the best queries for your unique environment and security needs. For the full range of where clause operators and all query options, see