Context Used to Calculate Effective Permissions

Details the resource types that are used in the net effective permissions calculation and the write events that are supported.
The IAM Security module works by running a proprietary algorithm that has two parts. It first combines services from various cloud entities such as AWS IAM roles, AWS IAM policies, AWS IAM groups, AWS service control policies (SCPs), Azure resource groups, Azure Active Directory (AD), GCP users, GCP service accounts, GCP groups, and GCP roles to compute the net effective permissions of cloud types. It then matches the actual usage (last access) to show when a permission was actually used.

AWS Net Effective Permissions Calculation

The list of AWS policy types and identities that are used to calculate the net effective permissions are as follows:
  • AWS IAM role
  • AWS IAM policy
  • AWS IAM group
  • AWS service control policies (SCPs)
  • Role trust relationships
If your cloud environment has additional resource types, Prisma Cloud does not factor them into the net-effective permissions.
In addition, permissions can also be set by a resource-based policy. The following AWS
resource-based policies
are supported in the net effective permissions calculation:
  • Lambda function
  • S3 bucket
  • SQS queue
  • SNS topic
  • ECS task definition
  • Secret manager
  • KMS key
  • Lambda layer version
When you define permissions there several IAM concepts that you can specify. The IAM Security module currently uses some of these concepts and ignores the following concepts:
  • Boundaries
  • IAM variables
  • Service linked roles
  • NotResource
After the net effective permissions are calculated the actual usage (last access) is matched to determine when write events were actually used. Because the last access calculation is based on a 24-hour period for each account, you should wait at least 24 hours to see the updated last access value for any new actions in your account. Last access is supported by the majority of write events. The following AWS services and events are verified:
Service
Event Name
Cloud9
  • CreateEnvironmentEC2
Elastic Compute Cloud
  • CreateImage
  • CreateNetworkAcl
  • CreateRoute
  • CreateSecurityGroup
  • CreateSubnet
  • CreateVpcEndpoint
  • DeleteFlowLogs
  • DeletePlacementGroup
  • DeleteVolume
  • DeleteVpnGateway
  • ImportKeyPair
  • MonitorInstances
  • AssociateIamInstanceProfile
  • ModifyVpcEndpointServicePermissions
Elastic Container Registry
  • PutImage
  • DeleteLifecyclePolicy
  • DeleteRepositoryPolicy
  • PutLifecyclePolicy
  • SetRepositoryPolicy
Elastic Container Service
  • DeregisterTaskDefinition
ElastiCache
  • CreateCacheCluster
  • CreateCacheSecurityGroup
Elastic File System
  • CreateFileSystem
Elastic Load Balancing
  • CreateListener
  • DeleteLoadBalancerListeners
  • SetLoadBalancerPoliciesOfListener
  • CreateLoadBalancerPolicy
  • DeleteLoadBalancerPolicy
Elastic MapReduce
  • RunJobFlow
Elasticsearch
  • CreateElasticsearchServiceRole
Identity and Access Management
  • AddUserToGroup
  • CreatePolicy
  • CreateUser
  • DeleteRole
  • DeleteUserPolicy
  • UpdateAccessKey
  • UpdateUser
  • PutGroupPolicy
  • PutRolePolicy
  • PutUserPolicy
  • AttachGroupPolicy
  • AttachUserPolicy
  • CreatePolicyVersion
  • AddUserToGroup
  • UpdateLoginProfile
  • CreateAccessKey
  • AttachRolePolicy
  • SetDefaultPolicyVersion
  • CreateLoginProfile
Key Management Service
  • CreateKey
Lambda
  • UpdateFunctionCode20150331v2
  • AddPermission20150331v2
  • RemovePermission20150331v2
Relational Database Service
  • CreateDBClusterSnapshot
  • DeleteDBSubnetGroup
Amazon Redshift
  • CreateCluster
  • DeleteClusterParameterGroup
  • ModifyClusterIamRoles
S3
  • PutBucketAcl
Simple Notification Service
  • CreateTopic
Simple Queue Service
  • DeleteQueue
AWS Certificate Manager
  • AddTagsToCertificate
Managed Message Broker Service
  • CreateBroker
AWS Batch
  • DeleteComputeEnvironment
Amazon Cognito Identity Pools
  • CreateIdentityPool
AWS Config
  • DeleteDeliveryChannel
AWS Database Migration Service
  • CreateReplicationInstance
Amazon DynamoDB
  • CreateTable
AWS Backup
  • PutBackupVaultAccessPolicy
  • DeleteBackupVaultAccessPolicy
AWS Organizations
  • UpdatePolicy
AWS IoT
  • AttachPolicy
  • AttachPrincipalPolicy
  • DetachPrincipalPolicy
  • DetachPolicy
  • CreateSecurityProfile
  • UpdateSecurityProfile
  • DeleteSecurityProfile

Azure Net Effective Permissions Calculation

When processing Azure Active Directory (AD) groups, the maximum number of 1000 group members are allowed.
See What is Prisma Cloud IAM Security to learn more about how the IAM Security module works.

GCP Net Effective Permissions Calculation

Prisma Cloud uses GCP entities, service-based policies, and IAM concepts for calculating net effective permissions. If your cloud environment has additional resource types, Prisma Cloud does not factor them into the net-effective permissions.
The list of GCP entities that are used to calculate the net effective permissions are as follows:
Entities
GCP Principal
  • User account
  • Service account
  • Group account
GCP Role
  • Basic
  • Predefined
  • Custom
GCP Levels
  • Organization
  • Folder
  • Project
  • Service (if supported)
GCP Public
  • All users
  • All authenticated users
Prisma Cloud leverages GCP
Deny Policies
feature to calculate net effective permissions.
Deny Policies
is a public Beta release on GCP, so
Net effective permissions calculation for denied permissions
will also be a Beta release on Prisma Cloud.
In addition, permissions can also be set by a service-based policy. The following GCP
service-based policies
are supported in the net effective permissions calculation:
Service-based Policies
App Engine
gcloud-app-engine-application
Big Query
  • gcloud-bigquery-dataset-list
  • gcloud-bigquery-table
Cloud Bigtable
  • gcloud-bigtable-instance-list
  • gcloud-bigtable-table
Cloud Compute
  • gcloud-compute-instances-list
  • gcloud-compute-image
  • gcloud-compute-instance-disk-snapshot
Cloud Functions
gcloud-cloud-function
Cloud Key Management Service
gcloud-kms-keyring-list
Cloud Run
gcloud-cloud-run-services-list
Cloud Spanner
  • gcloud-cloud-spanner-database
  • gcloud-cloud-spanner-instance
  • gcloud-cloud-spanner-instance-backup
Cloud Storage
gcloud-storage-buckets-list
Cloud SQL
gcloud-sql-instances-list
Dataproc
gcloud-dataproc-clusters-list
Pub/Sub
  • gcloud-pubsub-topic
  • gcloud-pubsub-snapshot
Secrets Manager
gcloud-secretsmanager-secret
When you define permissions there are several IAM concepts that you can specify. The IAM Security module currently uses some of these concepts and ignores the following concepts:
  • Conditions
  • GCP Project Boundaries
  • Dynamic Groups
  • Level for Permissions in Custom Roles
  • Permissions Dependencies
  • Google-Managed Service Accounts
  • Google Workspace Domain
  • Cloud Identity Domain
  • Project Viewer
  • Project Owner
  • Cross-Account Support with Service Accounts
  • When processing Groups, a maximum of 1000 members are allowed.
  • Group permissions are displayed only if you have:
    • Onboarded your GCP Organization on Prisma Cloud. Projects do not allow you to view group permissions.
    • Added Deny Policies at the folder level.
    • Included the group.read permission in Google Workspace for the Prisma Cloud Service Account.
After the net effective permissions are calculated the actual usage (last access) is matched to determine when write events were actually used. Last access is supported by the majority of write events. Because the last access calculation is based on a 24-hour period for each account, you should wait at least 24 hours to see the updated last access value for any new actions in your account. The following GCP services and events are verified:
Service
Event Name
IAM
  • iam.roles.create
  • iam.roles.create
  • iam.roles.delete
  • iam.roles.undelete
  • iam.roles.update
  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.disable
  • iam.serviceAccounts.enable
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.undelete
  • iam.serviceAccounts.update
Compute
  • compute.backendServices.setIamPolicy
  • compute.disks.removeResourcePolicies
  • compute.disks.setIamPolicy
  • compute.images.setIamPolicy
  • compute.instanceTemplates.setIamPolicy
  • compute.instances.removeResourcePolicies
  • compute.instances.setIamPolicy
  • compute.instances.setServiceAccount
  • compute.machineImages.setIamPolicy
  • compute.snapshots.setIamPolicy

Recommended For You