Context Used to Calculate Effective Permissions

The IAM Security module works by running a proprietary algorithm that has two parts. It first combines various cloud types such as AWS IAM roles, AWS IAM policies, AWS IAM groups, AWS resource based policies, and AWS service control policies (SCPs) to compute the net effective permissions of cloud types. It then matches the actual usage (last access) to show when a permission was actually used. This document details the resource types that are used in the net effective permissions calculation and the write events that are supported.
The list of policy types and identities that are used to calculate the net effective permissions are as follow:
  • AWS IAM Role
  • AWS IAM Policy
  • AWS IAM Group
  • AWS service control policies (SCPs)
  • Role trust relationships
If your cloud environment has additional resource types, Prisma Cloud does not factor them into the net-effective permissions.
In addition, permissions can also be set by a resource based policy. The following shows AWS
resource based policies
that are supported in the net effective permissions calculation.
  • Lambda function
  • S3 bucket
  • SQS queue
  • SNS topic
  • ECS task definition
  • Secret Manager secret
  • KMS key
  • Lambda layer version
When you define permissions you have several IAM concepts that you can specify. The IAM Security module currently uses some of these concepts but not all of them, and the concepts that are not used are ignored. The following IAM concepts are ignored:
  • Boundaries
  • IAM variables
  • Service linked roles
  • NotAction
  • NotResource
After the net effective permissions are calculated the actual usage (last access) is matched to determine when write events were actually used. Last access is supported by the majority of write events, and the following AWS services have been verified:
Event Name
  • CreateEnvironmentEC2
Elastic Compute Cloud
  • CreateImage
  • CreateNetworkAcl
  • CreateRoute
  • CreateSecurityGroup
  • CreateSubnet
  • CreateVpcEndpoint
  • DeleteFlowLogs
  • DeletePlacementGroup
  • DeleteVolume
  • DeleteVpnGateway
  • ImportKeyPair
  • MonitorInstances
  • AssociateIamInstanceProfile
  • ModifyVpcEndpointServicePermissions
Elastic Container Registry
  • PutImage
  • DeleteLifecyclePolicy
  • DeleteRepositoryPolicy
  • PutLifecyclePolicy
  • SetRepositoryPolicy
Elastic Container Service
  • DeregisterTaskDefinition
  • CreateCacheCluster
  • CreateCacheSecurityGroup
Elastic File System
  • CreateFileSystem
Elastic Load Balancing
  • CreateListener
  • DeleteLoadBalancerListeners
  • SetLoadBalancerPoliciesOfListener
  • CreateLoadBalancerPolicy
  • DeleteLoadBalancerPolicy
Elastic MapReduce
  • RunJobFlow
  • CreateElasticsearchServiceRole
Identity and Access Management
  • AddUserToGroup
  • CreatePolicy
  • CreateUser
  • DeleteRole
  • DeleteUserPolicy
  • UpdateAccessKey
  • UpdateUser
  • PutGroupPolicy
  • PutRolePolicy
  • PutUserPolicy
  • AttachGroupPolicy
  • AttachUserPolicy
  • CreatePolicyVersion
  • AddUserToGroup
  • UpdateLoginProfile
  • CreateAccessKey
  • AttachRolePolicy
  • SetDefaultPolicyVersion
  • CreateLoginProfile
Key Management Service
  • CreateKey
  • UpdateFunctionCode20150331v2
  • AddPermission20150331v2
  • RemovePermission20150331v2
Relational Database Service
  • CreateDBClusterSnapshot
  • DeleteDBSubnetGroup
Amazon Redshift
  • CreateCluster
  • DeleteClusterParameterGroup
  • ModifyClusterIamRoles
  • PutBucketAcl
Simple Notification Service
  • CreateTopic
Simple Queue Service
  • DeleteQueue
AWS Certificate Manager
  • AddTagsToCertificate
Managed Message Broker Service
  • CreateBroker
AWS Batch
  • DeleteComputeEnvironment
Amazon Cognito Identity Pools
  • CreateIdentityPool
AWS Config
  • DeleteDeliveryChannel
AWS Database Migration Service
  • CreateReplicationInstance
Amazon DynamoDB
  • CreateTable
AWS Backup
  • PutBackupVaultAccessPolicy
  • DeleteBackupVaultAccessPolicy
AWS Organizations
  • UpdatePolicy
  • AttachPolicy
  • AttachPrincipalPolicy
  • DetachPrincipalPolicy
  • DetachPolicy
  • CreateSecurityProfile
  • UpdateSecurityProfile
  • DeleteSecurityProfile
See What is Prisma Cloud IAM Security to learn more about how the IAM Security module works.

Recommended For You