QUESTION

 How can I query all my distinct EC2 instances or EKS clusters in Panther?

ANSWER

With Panther Cloud Security Scanning enabled, panther_cloudsecurity.public.resource_history would be the best table to query. For example,

SELECT distinct arn
FROM
   panther_cloudsecurity.public.resource_history
WHERE
   resourceType  = 'AWS.EC2.Instance' AND p_occurs_since('2 days')

This query would return all your distinct AWS EC2 Instances. For EKS Clusters, change the resourceType to AWS.EKS.Cluster.


Note: The time limit will not exclude any older resources because all the records are synced every 24 hours.