Investigate IAM Incidents on Prisma Cloud

An example work flow that demonstrates how to use the IAM query to investigate entities in your cloud environment for excess permissions.
Prisma Cloud ingests various services and associated user data from AWS and Azure and enables you to investigate the entities in your cloud environments for users with excess permissions so that you can remediate them. To investigate identity and access management (IAM) data use iam queries. To build IAM queries, enter the following syntax:
config from iam where
Click anywhere in the search box to view the auto-suggestions. A green check mark appears if you entered a valid query.
You can choose to save the searches that you have created for investigating incidents in
My Saved Searches
. Use these queries for future reuse, instead of typing the queries again. You can also use the
Saved Searches
to create a policy.
Saved Searches
have the list of search queries saved by any user in the system and
My Recent Searches
shows the recent queries generated.
View all of the public access to S3 buckets in a cloud account by entering the following query:
config from iam where source.public = true AND = 'S3' AND = 'bucket'
    —Resource with permissions such as IAM user, IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
    —Group, role, or policy that grants permissions to the source to interact with the destination.
    —The cloud account and region associated with the IAM entity.
    —Permissions that the user has.
    —Cloud resources that had an action occur on it, or is the target of the action.
    —JSON associated with the query. The JSON shows the list of permissions available for the IAM user—JSON is the way that customers define their permissions in the cloud.
Select a S3 bucket and then select View Permission Details under
to view the raw permissions.
Permission as Source
and then select
Permission as Destination
to change the permission type.
To analyze your permissions offline, you can download the permissions details in a CSV format, click
on the right hand corner.

Recommended For You