An example work flow that demonstrates how to use the
IAM query to investigate entities in your cloud environment for
Prisma Cloud ingests various services and associated
user data from AWS and Azure and enables you to investigate the
entities in your cloud environments for users with excess permissions
so that you can remediate them. To investigate identity and access
management (IAM) data use iam queries. To build
IAM queries, enter the following syntax:
config from iam where
anywhere in the search box to view the auto-suggestions. A green
check mark appears if you entered a valid query.
You can choose to save the searches that you have created for
investigating incidents in
My Saved Searches
Use these queries for future reuse, instead of typing the queries
again. You can also use the
create a policy.
list of search queries saved by any user in the system and
shows the recent queries generated.
View all of the public access to S3 buckets in a cloud account
by entering the following query:
config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
—Resource with permissions such as IAM user,
IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
—Group, role, or policy that grants permissions
to the source to interact with the destination.
—The cloud account and region associated
with the IAM entity.
—Permissions that the user has.
—Cloud resources that had an action occur on
it, or is the target of the action.
—JSON associated with the query. The JSON shows
the list of permissions available for the IAM user—JSON is the way
that customers define their permissions in the cloud.
Select a S3 bucket and then select View Permission Details under
view the raw permissions.
Permission as Source
and then select
to change the permission type.
To analyze your permissions offline, you can download the permissions
details in a CSV format, click