Investigate IAM Incidents on Prisma Cloud

An example workflow that demonstrates how to use IAM queries to investigate entities in your cloud environment for excess permissions.
Prisma Cloud ingests various services and associated user data from AWS and enables you to investigate the entities in your AWS environment for users with excess permissions so that you can remediate them. To investigate identity and access management (IAM) data, use IAM queries. To build an IAM query, enter the following syntax:
config from iam where
Click anywhere in the search box to view the auto-suggestions. A green check mark appears if you entered a valid query.
You can save the searches that you create for investigating incidents in My Saved Searches, and reuse those queries later instead of typing them again. You can also use Saved Searches to create a policy. Saved Searches lists the search queries saved by any user in the system, and My Recent Searches shows the recently generated queries.
View all of the public access to S3 buckets in a cloud account by entering the following query:
config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
  • SOURCE—Resource with permissions, such as an IAM user, IdP user, EC2 instance, or Lambda function.
  • GRANTED BY—Group, role, or policy that grants the source permission to interact with the destination.
  • CLOUD ACCOUNT(S)—AWS account and region associated with the IAM entity.
  • ACTION—Permissions that the user has.
  • DESTINATION—Cloud resource on which an action occurred, or that is the target of the action.
  • OPTIONS—JSON associated with the query. The JSON lists the permissions available to the IAM user; JSON is the format in which customers define their permissions in the cloud.
Select an S3 bucket and then select View Permission Details under OPTIONS to view the raw permissions.
Select Permission as Source and then select Permission as Destination to change the permission type.
To analyze your permissions offline, download the permission details as a CSV file by clicking Download in the right-hand corner.
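The offline analysis mentioned above, as an added example that is not Prisma Cloud's own code: a Python script that reads a downloaded permission-details CSV, groups the grants by destination bucket, and flags public or write/wildcard grants for review. The column names and the sample rows are constructed assumptions that mirror the result columns described on this page; check them against a real export.

```python
"""Offline triage of IAM permission details exported from Prisma Cloud as CSV."""
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are an assumption: they mirror the
# result columns shown in the Prisma Cloud IAM query results (SOURCE, GRANTED BY,
# CLOUD ACCOUNT(S), ACTION, DESTINATION); verify them against a real download.
SAMPLE_CSV = """Source,Granted By,Cloud Account(s),Action,Destination
Public,Bucket policy: allow-everyone,123456789012 (us-east-1),s3:GetObject,arn:aws:s3:::example-logs
Public,Bucket policy: allow-everyone,123456789012 (us-east-1),s3:ListBucket,arn:aws:s3:::example-logs
IAM user: alice,IAM policy: S3FullAccess,123456789012 (us-east-1),s3:*,arn:aws:s3:::example-logs
IAM user: alice,IAM policy: S3FullAccess,123456789012 (us-east-1),s3:*,arn:aws:s3:::payroll
Lambda: report-builder,IAM role: report-role,123456789012 (us-west-2),s3:GetObject,arn:aws:s3:::payroll
"""

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")  # actions that modify data or are wildcards

def load_permissions(text):
    """Parse the CSV text into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def summarize_by_destination(rows):
    """Map each destination to the sources that can reach it and the actions each holds."""
    summary = defaultdict(lambda: defaultdict(set))
    for row in rows:
        summary[row["Destination"]][row["Source"]].add(row["Action"])
    return summary

def find_excess_grants(rows):
    """Return (destination, source, action, reason) for grants that deserve review."""
    findings = []
    for row in rows:
        reasons = []
        if row["Source"].strip().lower() == "public":
            reasons.append("public access")
        if row["Action"].startswith(WRITE_PREFIXES):
            reasons.append("write or wildcard action")
        if reasons:
            findings.append((row["Destination"], row["Source"], row["Action"], ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_excess_grants(load_permissions(SAMPLE_CSV)):
        print("REVIEW:", *finding)
```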