How can I query all my distinct EC2 instances or EKS clusters in Panther?
With Panther Cloud Security Scanning enabled, panther_cloudsecurity.public.resource_history would be the best table to query. For example:
    SELECT DISTINCT arn
    FROM panther_cloudsecurity.public.resource_history
    WHERE resourceType = 'AWS.EC2.Instance'
      AND p_occurs_since('2 days')
This query would return all your distinct AWS EC2 Instances. For EKS Clusters, change the resourceType to AWS.EKS.Cluster.
Note: The time limit will not exclude any older resources because all the records are synced every 24 hours.