Investigate IAM Incidents on Prisma Cloud
Prisma Cloud ingests various services and associated user data from AWS, Azure, and GCP that you can leverage to investigate the relationships between the entities in your cloud environments and the permissions that allow access to your cloud assets. The Investigate view enables you to use IAM queries to trace the interconnections, visualize how the permissions are granted, know what actions are allowed and when the permissions were used, so that you can discover over-privileged accounts and assess the access risk across multi-cloud deployments. You can view results of the query in a graph view or a table view.
The graphical view provides a high-level overview of the different permissions or scope of access granted to cloud identities, and see the relationship between the Source, Granter, and Destination. You can use this view to modify your RQL query and find answers to who has access, to what, and how it is granted or inherited.
When you have narrowed the IAM query, the tabular view provides more granular details to help you track and resolve identity and access challenges.
- SelectInvestigate.
- Enter an RQL query for an IAM search.For example, queryconfig from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'checks for S3 buckets in your account that are accessible from the Internet
- Select theTableview.
- Source—Resource with permissions such as IAM user, IDP user, EC2 instance, Microsoft Compute Virtual Machine, and Lambda function.
- Granted By—Group, role, or policy that grants permissions to the source to interact with the destination.
- Cloud Account(s)—The cloud account and region associated with the IAM entity.
- Action—The operations that the entity can perform, based on the permissions granted.
- Destination—Cloud resources that had an action occur on it, or is the target of the action.When you click the link for the resource, you can see the actions and access information for the same resource —Permission as Sourceor thePermission as Destination.
- Last Access—This is a proprietary algorithm that is calculated in two steps. It step one, it combines services from various cloud entities such as users, service accounts, groups, roles, and binding to compute the net effective permissions of cloud types. In step two, it then matches the actual usage (last access) to show when the permission was actually used.
- Actions—JSON associated with the query. The JSON displays the list of permissions available for the IAM user; this is the snippet of the resource configuration as defined in the cloud service.For each result, you canView Permission Detailsas a json snippet from the resource configuration.
To analyze your permissions offline, download the permissions details in a CSV format by clickingDownloadin the right hand corner.
- You can also view asGraph.For example, the query isconfig from iam where dest.cloud.type = 'AWS' AND grantedby.cloud.type = 'AWS' AND grantedby.cloud.policy.type = 'Resource-based Policy'.The default view is the table view. See details on Graph View Components.
- Saveyour RQL query.
- You can choose to save the searches that you have created for investigating incidents inMy Saved Searchesand use the queries to create a custom policy.
- When you interact with the graph view and click on any column the automatically updates and provides you the option to either:
- Pin New RQL— Enables you to delete the initial RQL you started with and pin the current RQL as the initial one.
- Reset to initial RQL—Reverts all the changes on the graph and resets to the initial RQL with which you started.
Graph View Components
Graph View includes 3 columns—Sources, Granters, and Destination. Each column has a container that nests the services or entities that belong to the specific container. You can drill down a logical container to see the list of identities included within.
- Sources—Groups the Service Type logical containers.The following table lists the standard service types for each Cloud Service Provider. The list is dynamic and varies according to the data available and ingested for your environment.CSPService TypesAWSLambdaECSElasticbeanstalkIAM - includes AWS usersSTSEC2Azure AD (IDP)Okta (IDP)AzureAzure Active Directory - Azure users (both Azure AD and Okta, if available)Because the Okta service replicates Okta users into Azure AD, you cannot view Okta users separately on Prisma Cloud IAM Security.Microsoft.ComputeMicrosoft.ApiManagementMicrosoft.WebMicrosoft.LogicGCPComputeWorkspace - GCP usersBecause Okta and Azure AD are integrated into Google Workspace, you cannot view those users separately on Prisma Cloud IAM Security.App EngineBigQueryCloud BigQueryCloud FunctionCloud SQLPub/SubCloud SpannerSecret Manager
- Granters—Groups the Entity Type logical containers.The following table lists the standard entity types for each cloud service provider. The list is dynamic and varies according to the data available and ingested for your environment.CSPEntity TypesAWSRoleGroupDirect— UserResource—Resource-based permissions (granted by resource-based policies)AzureDirect— UserUser AssignedSystem AssignedGroupGCPDirect— UserService AccountGroup
- Destination—Groups the Service Type logical containers. Similar to the source, the list of destinations vary based on your environment.
What’s not supported in the Graph View:
- The RQL attributeaction.lastaccess.daysis not supported.
- The Destinations column is limited to 300 entries. If your query returns more than 300 results for the Destination, you can view theSourcesandGrantersand you will need to filter your RQL to narrow the results within 300.
- If the query time out is 1 minute.
