
cloud_security_rules

This data source retrieves detailed information about a specific cloud security rule, including its unique identifier (ID) and associated attributes. All non-FQL filter fields accept the `*` wildcard and are combined with logical AND when querying Falcon. If `fql` is defined, every other filter field is ignored. For advanced queries that narrow the search further, use a Falcon Query Language (FQL) filter. For additional information on FQL filtering and usage, refer to the official CrowdStrike documentation: Falcon Query Language (FQL)

The following API scopes are required:

  • Cloud Security Policies: READ
  • Cloud Security Policies: WRITE

Example usage:

```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

# Return a single rule within a cloud provider.
# Non-FQL fields are combined with logical AND.
data "crowdstrike_cloud_security_rules" "specific" {
  cloud_provider = "AWS"
  rule_name      = "NLB/ALB configured publicly with TLS/SSL disabled"
}

# Query by FQL filter. When fql is set, all other filter fields are ignored.
data "crowdstrike_cloud_security_rules" "by_fql" {
  fql = "rule_name:'NLB/ALB configured publicly with TLS/SSL disabled'"
}

# Return all rules for a specific resource type within a benchmark.
# Each data block in a module needs a unique name; reusing one is a
# Terraform configuration error.
data "crowdstrike_cloud_security_rules" "by_benchmark" {
  resource_type = "AWS::ElasticLoadBalancingV2::*"
  benchmark     = "CIS 1.0.0 AWS Web Architecture"
}

# Return all rules for a specific resource type within an entire framework.
data "crowdstrike_cloud_security_rules" "by_framework" {
  resource_type = "AWS::ElasticLoadBalancingV2::*"
  framework     = "CIS"
}
```

Optional:

  • benchmark (String) Name of the benchmark that this rule is attached to. Note that rules can be associated with multiple benchmarks. Example: CIS 1.0.0 AWS*
  • cloud_provider (String) Cloud provider for where the rule resides.
  • fql (String) Falcon Query Language (FQL) filter for advanced control searches. FQL filter, allowed props: rule_origin, rule_parent_uuid, rule_name, rule_description, rule_domain, rule_status, rule_severity, rule_short_code, rule_service, rule_resource_type, rule_provider, rule_subdomain, rule_auto_remediable, rule_control_requirement, rule_control_section, rule_compliance_benchmark, rule_compliance_framework, rule_mitre_tactic, rule_mitre_technique, rule_created_at, rule_updated_at, rule_updated_by
  • framework (String) Name of the framework that this rule is attached to. Note that rules can be associated with multiple frameworks. Examples: CIS, NIST
  • resource_type (String) Name of the resource type to search for. Examples: AWS::IAM::CredentialReport, Microsoft.Compute/virtualMachines, container.googleapis.com/Cluster.
  • rule_name (String) Name of the rule to search for.
  • rule_origin (String) Rule origin to filter by. Valid values are ‘Default’ or ‘Custom’.
  • service (String) Name of the service within the cloud provider that the rule is for. Examples: IAM, S3, Microsoft.Compute
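The following is an added example, not part of the original page or of the provider's own documentation, showing how the `fql` argument combines several of the allowed properties listed above with logical AND (FQL joins terms with `+`), and how to check the result before depending on it. It assumes the read-only attributes (`id`, `name`, `severity`, `logic`, `controls`) are exposed at the top level of the data source exactly as this page's schema lists them; the `postcondition` block and the `rule_summary` output are illustrative additions of this example. Because `fql` is set, any of the non-FQL filter fields placed on the same block would be ignored, so none are used here.

```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

# Narrow the lookup with FQL. '+' joins terms with logical AND, and every
# property name here (rule_name, rule_provider, rule_origin) is from the
# allowed-props list for the fql argument. Other filter fields (for example
# cloud_provider) are deliberately not set: they would be ignored anyway.
data "crowdstrike_cloud_security_rules" "public_lb_no_tls" {
  fql = "rule_name:'NLB/ALB configured publicly with TLS/SSL disabled'+rule_provider:'AWS'+rule_origin:'Default'"

  # Fail the plan early if the filter resolves to no rule, rather than
  # silently feeding an empty id downstream. This check is an assumption of
  # the example: it relies on `id` being a top-level read-only string.
  lifecycle {
    postcondition {
      condition     = self.id != ""
      error_message = "FQL filter matched no cloud security rule; check the rule name and provider."
    }
  }
}

# Surface what a reviewer wants to inspect before relying on the rule:
# its Rego logic, severity, and the compliance controls it maps to.
output "rule_summary" {
  value = {
    id       = data.crowdstrike_cloud_security_rules.public_lb_no_tls.id
    name     = data.crowdstrike_cloud_security_rules.public_lb_no_tls.name
    severity = data.crowdstrike_cloud_security_rules.public_lb_no_tls.severity
    rego     = data.crowdstrike_cloud_security_rules.public_lb_no_tls.logic

    # One "authority:code" entry per control in the nested controls set,
    # built as a list because a code may repeat across authorities.
    controls = [
      for c in data.crowdstrike_cloud_security_rules.public_lb_no_tls.controls :
      "${c.authority}:${c.code}"
    ]
  }
}
```

Run `terraform validate` to check the configuration and `terraform plan` to resolve the lookup; the postcondition turns an unmatched filter into a plan-time error instead of a downstream surprise. Both `Cloud Security Policies: READ` and `WRITE` scopes must be granted to the API client, as listed at the top of this page.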

Read-Only:

  • alert_info (List of String) A list of the alert logic and detection criteria for rule violations.
  • attack_types (Set of String) Specific attack types associated with the rule.
  • auto_remediable (Boolean) Whether auto-remediation is enabled for the policy rule.
  • cloud_platform (String) Cloud platform for the policy rule.
  • cloud_provider (String) Cloud provider for the policy rule.
  • controls (Attributes Set) Security framework and compliance rule information. (see below for nested schema)
  • description (String) Description of the policy rule.
  • domain (String) Domain for the policy rule.
  • id (String) Unique identifier of the policy rule.
  • logic (String) Rego logic for the policy rule.
  • name (String) Name of the policy rule.
  • parent_rule_id (String) Id of the parent rule to inherit properties from.
  • remediation_info (List of String) Information about how to remediate issues detected by this rule.
  • resource_type (String) The full resource type. Format examples: AWS::IAM::CredentialReport, Microsoft.Compute/virtualMachines, container.googleapis.com/Cluster
  • rule_origin (String) Rule origin indicating whether this is a Default or Custom rule.
  • severity (String) Severity of the rule. Valid values are critical, high, medium, informational.
  • subdomain (String) Subdomain for the policy rule. Valid values are ‘IOM’ (Indicators of Misconfiguration) or ‘IAC’ (Infrastructure as Code).
  • suppression_rule_ids (List of String) Suppression rule IDs assigned to this rule.

Nested schema for controls

Read-Only:

  • authority (String) The compliance framework or benchmark that defines the control (for example CIS or NIST).
  • code (String) The control's rule code within that compliance framework.