Investigate IAM Incidents on Prisma Cloud

Prisma Cloud ingests various services and associated user data from AWS, Azure, and GCP that you can leverage to investigate the relationships between the entities in your cloud environments and the permissions that allow access to your cloud assets. The Investigate view enables you to use IAM queries to trace the interconnections, visualize how the permissions are granted, know what actions are allowed and when the permissions were used, so that you can discover over-privileged accounts and assess the access risk across multi-cloud deployments. You can view results of the query in a graph view or a table view.
The graphical view provides a high-level overview of the different permissions or scope of access granted to cloud identities, and shows the relationship between the Source, Granter, and Destination. You can use this view to modify your RQL query and find answers to who has access, to what, and how it is granted or inherited.
When you have narrowed the IAM query, the tabular view provides more granular details to help you track and resolve identity and access challenges.
  1. Select
  2. Enter an RQL query for an IAM search.
    For example, the query
    config from iam where source.public = true AND = 'S3' AND = 'bucket'
    checks for S3 buckets in your account that are accessible from the Internet.
  3. Select the
    • Source
      —Resource with permissions such as IAM user, IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
    • Granted By
      —Group, role, or policy that grants permissions to the source to interact with the destination.
    • Cloud Account(s)
      —The cloud account and region associated with the IAM entity.
    • Action
      —The operations that the entity can perform, based on the permissions granted.
    • Destination
      —Cloud resources on which an action occurred, or that are the target of the action.
      When you click the link for the resource, you can see the actions and access information for the same resource as
      Permission as Source
      or the
      Permission as Destination
    • Last Access
      —This is a proprietary algorithm that is calculated in two steps. In step one, it combines services from various cloud entities such as users, service accounts, groups, roles, and bindings to compute the net effective permissions of cloud types. In step two, it then matches the actual usage (last access) to show when the permission was actually used.
    • Actions
      —JSON associated with the query. The JSON displays the list of permissions available for the IAM user; this is the snippet of the resource configuration as defined in the cloud service.
      For each result, you can
      View Permission Details
      as a JSON snippet from the resource configuration.
      To analyze your permissions offline, download the permission details in CSV format by clicking
      in the right-hand corner.
  4. You can also view as
    For example, the query is
    config from iam where = 'AWS' AND = 'AWS' AND = 'Resource-based Policy'
    The default view is the table view. See Graph View Components for details.
  5. Save
    your RQL query.
    • You can choose to save the searches that you have created for investigating incidents in
      My Saved Searches
      and use the queries to create a custom policy.
    • When you interact with the graph view and click on any column, the RQL automatically updates and gives you the option to either:
      • Pin New RQL—Enables you to delete the initial RQL you started with and pin the current RQL as the initial one.
      • Reset to initial RQL—Reverts all the changes on the graph and resets to the initial RQL with which you started.
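As an added illustration (not Prisma Cloud's code and not its proprietary Last Access algorithm), the following Python models the Source, Granter and Destination relationship and the two-step Last Access matching described above: step one folds direct, group and role grants into net effective permissions, step two matches observed usage against each permission, so granted-but-unused permissions surface as over-privilege candidates. All policies, principals, ARNs and timestamps are constructed sample data.

```python
# Simplified model of Source -> Granter -> Destination and the two-step Last Access
# matching described above. Constructed sample data; not Prisma Cloud's algorithm.
from collections import defaultdict

# Constructed policies: name -> list of (action, destination resource).
POLICIES = {
    "S3ReadOnly": [("s3:GetObject", "arn:aws:s3:::finance-bucket"),
                   ("s3:ListBucket", "arn:aws:s3:::finance-bucket")],
    "S3Admin": [("s3:*", "arn:aws:s3:::*")],
}
# Constructed granters: (granter label, member principals, attached policies).
GRANTERS = [
    ("policy:S3ReadOnly", ["alice"], ["S3ReadOnly"]),        # direct attachment
    ("group:analysts", ["alice", "bob"], ["S3ReadOnly"]),    # group membership
    ("role:DataAdminRole", ["bob"], ["S3Admin"]),            # assumable role
]
# Constructed usage events: (principal, action, resource, ISO-8601 timestamp).
USAGE = [
    ("alice", "s3:GetObject", "arn:aws:s3:::finance-bucket", "2024-05-01T10:00:00Z"),
    ("bob", "s3:ListBucket", "arn:aws:s3:::finance-bucket", "2024-04-20T09:30:00Z"),
]

def effective_permissions():
    """Step 1: fold direct, group and role grants into net effective permissions."""
    perms = defaultdict(set)  # (source, action, destination) -> set of granters
    for granter, members, pols in GRANTERS:
        for m in members:
            for p in pols:
                for action, dest in POLICIES[p]:
                    perms[(m, action, dest)].add(granter)
    return dict(perms)

def matches(granted, used):
    """A trailing '*' in a granted action or ARN matches any suffix."""
    return used.startswith(granted[:-1]) if granted.endswith("*") else granted == used

def last_access(perms=None, usage=USAGE):
    """Step 2: returns {(src, action, dest): (sorted granters, latest use or None)}."""
    perms = effective_permissions() if perms is None else perms
    report = {}
    for (src, action, dest), granters in perms.items():
        times = [ts for p, a, r, ts in usage
                 if p == src and matches(action, a) and matches(dest, r)]
        report[(src, action, dest)] = (sorted(granters), max(times, default=None))
    return report

def unused_permissions(report):
    """Granted but never exercised: candidates for right-sizing over-privileged identities."""
    return sorted(key for key, (_, ts) in report.items() if ts is None)
```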

Graph View Components

Graph View includes three columns: Sources, Granters, and Destination. Each column has a container that nests the services or entities that belong to the specific container. You can drill down into a logical container to see the list of identities included within.
  • Sources
    —Groups the Service Type logical containers.
    The following lists the standard service types for each Cloud Service Provider. The list is dynamic and varies according to the data available and ingested for your environment.
    Service Types
    • AWS
      • IAM—includes AWS users
      • Azure AD (IDP)
      • Okta (IDP)
    • Azure
      • Azure Active Directory—Azure users (both Azure AD and Okta, if available)
        Because the Okta service replicates Okta users into Azure AD, you cannot view Okta users separately on Prisma Cloud IAM Security.
    • GCP
      • Workspace—GCP users
        Because Okta and Azure AD are integrated into Google Workspace, you cannot view those users separately on Prisma Cloud IAM Security.
      • App Engine
      • Cloud BigQuery
      • Cloud Function
      • Cloud SQL
      • Cloud Spanner
      • Secret Manager
  • Granters
    —Groups the Entity Type logical containers.
    The following lists the standard entity types for each cloud service provider. The list is dynamic and varies according to the data available and ingested for your environment.
    Entity Types
    • AWS
      • Direct—User
      • Resource—Resource-based permissions (granted by resource-based policies)
    • Azure
      • Direct—User
      • User Assigned
      • System Assigned
    • GCP
      • Direct—User
      • Service Account
  • Destination
    —Groups the Service Type logical containers. Similar to the source, the list of destinations varies based on your environment.
What’s not supported in the Graph View:
  • The RQL attribute
    is not supported.
  • The Destinations column is limited to 300 entries. If your query returns more than 300 results for the Destination, you can view the
    and you will need to filter your RQL to narrow the results to within 300.
  • The query timeout is 1 minute.