1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Prisma Cloud IAM Security
    6. Investigate IAM Incidents on Prisma Cloud

    Investigate IAM Incidents on Prisma Cloud

    An example work flow that demonstrates how to use the IAM query to investigate entities in your cloud environment for excess permissions.
    Prisma Cloud ingests various services and associated user data from AWS and Azure and enables you to investigate the entities in your cloud environments for users with excess permissions so that you can remediate them. To investigate identity and access management (IAM) data use iam queries. To build IAM queries, enter the following syntax: 
    config from iam where
    Click anywhere in the search box to view the auto-suggestions. A green check mark appears if you entered a valid query.
    You can choose to save the searches that you have created for investigating incidents in
    My Saved Searches
    . Use these queries for future reuse, instead of typing the queries again. You can also use the
    Saved Searches
     to create a policy.
    Saved Searches
     have the list of search queries saved by any user in the system and
    My Recent Searches
     shows the recent queries generated.
    View all of the public access to S3 buckets in a cloud account by entering the following query: 
    config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
    • SOURCE
      —Resource with permissions such as IAM user, IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
    • GRANTED BY
      —Group, role, or policy that grants permissions to the source to interact with the destination.
    • CLOUD ACCOUNTS(S)
      —The cloud account and region associated with the IAM entity.
    • ACTION
      —Permissions that the user has.
    • DESTINATION
      —Cloud resources that had an action occur on it, or is the target of the action.
    • OPTIONS
      —JSON associated with the query. The JSON shows the list of permissions available for the IAM user—JSON is the way that customers define their permissions in the cloud.
    Select a S3 bucket and then select View Permission Details under
    OPTIONS
     to view the raw permissions.
    Select
    Permission as Source
     and then select
    Permission as Destination
     to change the permission type.
    To analyze your permissions offline, you can download the permissions details in a CSV format, click
    Download
     on the right hand corner.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo