IAM Query Attributes
Learn about IAM Query attributes in RQL.
Review your options when using
config from iam where
on the Investigate
tab of the Prisma Cloud administrative console.
Each attribute allows you to narrow down your search criteria. The auto-suggest feature displays expressions and operators available for each attribute.
- Source—an identity that takes action on other cloud resources. A source can be any resource with permissions such as an IAM user, Azure Active Directory user, EC2 instance, Lambda function, and Azure virtual machine.
- Destination—any cloud resource on which an action has occurred on or is the target of the action.
- Granter—the group, role, or policy that grants permissions to the source to interact with the destination.
For example, an IAM user (source) who can add an entry to a DynamoDB table (destination) using the AWS managed policy of the group (granter entity) to which the user belongs.
You can use the following attributes on the IAM query:
- source.cloud.accountNarrows down the effective permissions search to one-or-more cloud accounts that you have connected to Prisma Cloud. The following example lists all the effective permissions for all users in your AWS account, Azure tenant, or GCP account.config from iam where source.cloud.account = 'Production' AND source.cloud.resource.type = 'user'Can be used to find cross-account connection with the following syntax:config from iam where source.cloud.account != dest.cloud.account
- source.cloud.accountgroupNarrows down the permissions to the cloud accounts in your cloud account group. The following example list permissions of all EC2 instances in any of your AWS accounts:
Lists permissions of all Azure virtual machine instances in any of your Azure subscriptions:config from iam where source.cloud.accountgroup = 'All my AWS accounts' AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'config from iam where source.cloud.accountgroup = 'All my Azure accounts' AND source.cloud.service.name = 'Microsoft.Compute' AND source.cloud.resource.type = 'virtualMachines' - source.cloud.typeNarrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:config from iam where source.cloud.type = 'AWS'Lists all effective permissions where the sources are in your Azure subscriptions:config from iam where source.cloud.type = 'AZURE'
- source.cloud.regionNarrows down your effective permissions search where the sources are in one or more cloud regions. The following example lists all AWS Lambda permissions for your AWS account in the Virginia region:config from iam where source.cloud.region = 'AWS Virginia' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'
- grantedby.cloud.conditionQueries permissions where the policy statement contain and or doesn’t contain conditions.config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
- source.cloud.service.nameQueries permissions of a specific cloud service such as: IAM, S3, EC2,Microsoft.Compute, orMicrosoft.Storage.The following example lists all EC2 permissions in your AWS cloud accounts:
The following example lists allconfig from iam where source.cloud.service.name = 'EC2'Microsoft.Computepermissions in your Azure cloud accounts:config from iam where source.cloud.service.name = 'Microsoft.Compute' - source.cloud.resource.idQueries specific cloud resources by its id, such as AWS Lambda function ARN, AWS IAM user ARN, AWS EC2 instance ARN, any Azure resource ID, GCP user account or service. The following example lists all AWS Lambda function permissions:
The following lists permissions of a specific Azure virtual machine :config from iam where source.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'config from iam where source.cloud.resource.id = '/subscriptions/aaaaa-bbb-ccc-ddd-eeeee/resourceGroups/resource-group/providers/Microsoft.Compute/virtualMachines/my-machine' - source.cloud.resource.nameLists permissions permissions of a specific cloud service such as: IAM, S3, EC2, Microsoft.Compute, or Microsoft.Storage.Lists all EC2 permissions in your AWS cloud accounts:config from iam where source.cloud.service.name = 'EC2'Lists all Microsoft.Compute permissions in your Azure cloud accounts:config from iam where source.cloud.service.name = 'Microsoft.Compute'Lists GCP compute instances permissions:config from iam where source.cloud.service.name = 'compute' and dest.cloud.type = 'GCP'
- source.cloud.resource.typeQueries permissions of a specific cloud type such as an IAM user, S3 bucket, EC2 instance, Azure AD user,Microsoft.Storagestorage account,Microsoft.computevirtual machine, GCP Workspace user. The following example lists all AWS Lambda function permissions:
The following example lists all Azure function permissions:config from iam where source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'config from iam where source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type = 'function' - source.emailQueries permissions of a user by its email address. The following example lists all effective permissions of my@email.com:config from iam where source.email = 'my@email.com'This feature requires IdP integration.
- source.idp.serviceNarrows down the effective permissions search where the sources are in an IdP service, such as Okta. The following example lists all effective permissions of Okta users:config from iam where source.idp.service = 'Okta'This feature requires IdP integration.The following example lists all effective permissions of Azure AD users:config from iam where source.idp.service = 'Azure Active Directory'
- source.idp.emailNarrows down effective permissions search where the source is an IdP user by its email address. The following example lists all effective permissions of Okta users with the email, my@email.com:config from iam where source.idp.email = 'my@email.com'This feature requires IdP integration.
- source.idp.groupNarrows down the effective permissions search where the source is a group defined within the IdP:config from iam where source.idp.group = 'my-group'This feature requires IdP integration.
- source.idp.usernameList the effective permissions for a specific user within a source IdP:config from iam where source.idp.username = 'my-username'This feature requires IdP integration.
- source.idp.domainNarrows down the effective permissions search where the source is an IdP user in a specific domain, such as my-domain.okta.com.config from iam where source.idp.domain = 'my-domain.okta.com'This feature requires IdP integration.
- source.publicQueries all S3 buckets that are publicly accessible. All GCP public resources–withallUsersand/orallAuthenticatedUsersPrincipals.config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
- grantedby.cloud.typeNarrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts:config from iam where grantedby.cloud.type = 'AWS'The following lists effective permissions in your Azure cloud accounts:config from iam where grantedby.cloud.type = 'AZURE'
- grantedby.cloud.policy.idQueries permissions that have been granted by a specific policy by its id, such as AWS Managed Policy ARN, AWS Custom Policy, or GCP role ID. The following example lists effective permissions that have been granted by the AWS Managed PolicyAdministratorAccess:config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess'
- grantedby.cloud.policy.nameQueries permissions that have been granted by a specific policy such as AWS Managed Policy, AWS Inline Policy, or GCP role name. The following example lists all effective permissions that have been granted by the AWS Managed Policy AdministratorAccess:config from iam where grantedby.cloud.policy.name = 'AdministratorAccess'
- grantedby.cloud.policy.typeQueries permissions that have been granted by a specific policy type, such as AWS Managed Policy, AWS Customer Policy, AWS Inline Policy, Azure built-in role, Azure custom role, GCP basic role, GCP custom role, or GCP predefined role.The following example lists all effective permissions that have been granted to a user by any AWS Inline Policy:config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Inline Policy'The following example lists all effective permissions that have been granted to a user by any Azure built-in role:config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role'
- grantedby.cloud.entity.idQueries permissions that have been granted by a specific entity by its id, such as AWS IAM group ARN, AWS IAM role ARN, GCP group ID, or GCP service account ID. The following example lists all effective permissions that have been granted by the AWS IAM group,my-group:config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123456789012:group/my-group'
- grantedby.cloud.entity.nameQueries permissions that have been granted by a specific entity, such as AWS IAM group, AWS IAM role, GCP group name, or GCP service account name. The following example lists all effective permissions that have been granted by the AWS IAM group, my-group:config from iam where grantedby.cloud.entity.name = 'my-group'
- grantedby.cloud.entity.typeQueries permissions that have been granted by a specific entity type, such as AWS IAM group, AWS IAM role, GCP group, or GCP service account. The following example lists all effective permissions that have been granted to a user by any AWS IAM group:config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.entity.type = 'group'
- grantedby.level.idIdentifies the group role or policy by level id that grants permissions to the source to interact with the destination. For instance, roles with access to GCP organization/Folder/Project/Service ID.
- grantedby.level.nameNarrows down your effective permissions search to a group role or policy level name. For instance, roles with access to GCP organization/Folder/Project/Service name.
- grantedby.level.typeQueries permission granted by a specific policy level type. For instance, roles with access to GCP Organization/GCP Folder/GCP Project/GCP Service
- dest.cloud.accountNarrows down your effective permissions search to one or more cloud accounts that you have connected to Prisma Cloud. The following example lists all effective permissions to all buckets in your AWS Production account:config from iam where dest.cloud.account = 'Production' AND dest.cloud.resouce.type = 'bucket'Can be used to find cross-account connection with the following syntax:config from iam where dest.cloud.account != source.cloud.accountThe following example uses theLIKEoperator to display results where IAM permissions have been granted on the cloud service provider using the wildcard (*) character to authorize access:
The LIKE operator finds permissions granted for all (config from iam where dest.cloud.account LIKE 'account-dev-3'*) cloud accounts and the cloud account namedaccount-dev-3.If you use the=operator in the RQL query above, instead of the LIKE operator, you will view results for only cloud account namedaccount-dev-3. - dest.cloud.accountgroupNarrows down the permissions to the cloud accounts in your cloud account group. The following example lists permissions to all EC2 instances in any of your AWS accounts:config from iam where dest.cloud.accountgroup = 'All my AWS accounts' AND dest.cloud.service.name = 'ec2' AND dest.cloud.resource.type = 'instance'
- dest.cloud.typeNarrows down your search option to specific clouds. The following example lists all effective permissions where the destinations are in your AWS cloud accounts:config from iam where dest.cloud.type = 'AWS'
- dest.cloud.regionNarrows down effective permissions search where the destinations are in one or more cloud regions. The following example lists all effective permissions to AWS Lambda in your AWS account in the Virginia region:config from iam where dest.cloud.region = 'AWS Virginia' AND dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
- dest.cloud.service.nameQueries permissions to a specific cloud service such as IAM, S3, or EC2. The following example lists permissions to all EC2 instances in any of your AWS accounts:config from iam where dest.cloud.service.name = 'EC2'
- dest.cloud.resource.nameQueries permissions to a specific cloud service such as AWS Lambda function, AWS IAM user, and AWS EC2 instance. The following example lists all effective permissions to the AWS Lambda function:config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'
- dest.cloud.resource.idQueries permissions to a specific cloud resource by its ID, such as AWS Lambda function ARN, AWS IAM user ARN, and AWS EC2 instance ARN. The following example lists all effective permissions to the AWS Lambda function:config from iam where dest.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'
- dest.cloud.resource.typeQueries permissions to a specific cloud type such as an IAM user, S3 bucket, or EC2 instance. The following example lists all effective permissions to the AWS Lambda functions:config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
- action.nameNarrows down the effective permissions search to one or more action names. The following example lists all the effective permissions to get an object from an AWS S3 Bucket:config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject'
- action.lastaccess.daysDisplays when a specific permission was actually last used. The following example lists all the effective permissions to get an object from an AWS S3 bucket that was not used more than 90 days ago.config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject' and action.lastaccess.days > 90
- Last access information is only logged for successful accesses. If the operation failed, for example due to lack of permissions, then the access information is not logged.
- The number of results displayed for last access destinations is limited to the latest 100 results for a permission.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.