Focus
Focus
Table of Contents

IAM Query Attributes

Learn about IAM Query attributes in RQL.
Review your options when using
config from iam where
on the
Investigate
tab of the Prisma Cloud administrative console.
Each attribute allows you to narrow down your search criteria. The auto-suggest feature displays expressions and operators available for each attribute.
  • Source
    —an identity that takes action on other cloud resources. A source can be any resource with permissions such as an IAM user, Azure Active Directory user, EC2 instance, Lambda function, and Azure virtual machine.
  • Destination
    —any cloud resource on which an action has occurred on or is the target of the action.
  • Granter
    —the group, role, or policy that grants permissions to the source to interact with the destination.
For example, an IAM user (source) who can add an entry to a DynamoDB table (destination) using the AWS managed policy of the group (granter entity) to which the user belongs.
You can use the following attributes on the IAM query:
  • source.cloud.account
    Narrows down the effective permissions search to one-or-more cloud accounts that you have connected to Prisma Cloud. The following example lists all the effective permissions for all users in your AWS account, Azure tenant, or GCP account.
    config from iam where source.cloud.account = 'Production' AND source.cloud.resource.type = 'user'
    Can be used to find cross-account connection with the following syntax:
    config from iam where source.cloud.account != dest.cloud.account
  • source.cloud.accountgroup
    Narrows down the permissions to the cloud accounts in your cloud account group. The following example list permissions of all EC2 instances in any of your AWS accounts:
    config from iam where source.cloud.accountgroup = 'All my AWS accounts' AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'
    Lists permissions of all Azure virtual machine instances in any of your Azure subscriptions:
    config from iam where source.cloud.accountgroup = 'All my Azure accounts' AND source.cloud.service.name = 'Microsoft.Compute' AND source.cloud.resource.type = 'virtualMachines'
  • source.cloud.type
    Narrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:
    config from iam where source.cloud.type = 'AWS'
    Lists all effective permissions where the sources are in your Azure subscriptions:
    config from iam where source.cloud.type = 'AZURE'
  • source.cloud.region
    Narrows down your effective permissions search where the sources are in one or more cloud regions. The following example lists all AWS Lambda permissions for your AWS account in the Virginia region:
    config from iam where source.cloud.region = 'AWS Virginia' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'
  • source.cloud.resource.tag
    Lists the effective permissions for a cloud resource with a specific tag.
    config from iam where source.cloud.resource.tag ( 'string' ) exists
  • grantedby.cloud.condition
    Queries permissions where the policy statement contain and or doesn’t contain conditions.
    config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
  • source.cloud.service.name
    Queries permissions of a specific cloud service such as: IAM, S3, EC2, Microsoft.Compute, Microsoft.Storage, GCP compute.
    This example lists all EC2 permissions in your AWS cloud accounts:
    config from iam where source.cloud.service.name = 'EC2'
    Lists all Microsoft.Compute permissions in your Azure cloud accounts:
    config from iam where source.cloud.service.name = 'Microsoft.Compute'
    Lists GCP compute instances permissions:
    config from iam where source.cloud.service.name = 'compute' and dest.cloud.type = 'GCP'
  • source.cloud.resource.id
    Queries permissions of a specific cloud resources by its id, such as AWS Lambda function ARN, AWS IAM user ARN, AWS EC2 instance ARN, any Azure resource ID, GCP user account, service, machine ID, etc.
    The following example lists all AWS Lambda function permissions:
    config from iam where source.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'
    The following lists permissions of a specific Azure virtual machine:
    config from iam where source.cloud.resource.id = '/subscriptions/aaaaa-bbb-ccc-ddd-eeeee/resourceGroups/resource-group/providers/Microsoft.Compute/virtualMachines/my-machine'
  • source.cloud.resource.name
    Queries permissions of a specific cloud resource by its name, such as AWS Lambda function, AWS IAM user, AWS EC2 instance, any Azure resource, GCP user account, service, machine, etc.
    The following example lists all permissions of a specific AWS Lambda function:
    config from iam where source.cloud.resource.name = 'my-lambda-function'
    The following example lists all permissions of a user:
    config from iam where source.cloud.resource.name = 'my-user'
  • source.cloud.resource.type
    Queries permissions of a specific cloud resource type such as an IAM user, S3 bucket, EC2 instance, Azure AD user,
    Microsoft.Storage
    storage account,
    Microsoft.compute
    virtual machine, GCP Workspace user, etc..
    The following example lists all AWS Lambda functions and each of their permissions:
    config from iam where source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'
    The following example lists all Azure functions and each of their permissions:
    config from iam where source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type = 'function'
  • source.email
    Queries permissions of a user by its email address. The following example lists all effective permissions of my@email.com:
    config from iam where source.email = 'my@email.com'
    This feature requires IdP integration.
  • source.idp.service
    Narrows down the effective permissions search where the sources are in an IdP service, such as Okta. The following example lists all effective permissions of Okta users:
    config from iam where source.idp.service = 'Okta'
    This feature requires IdP integration.
    The following example lists all effective permissions of Azure AD users:
    config from iam where source.idp.service = 'Azure Active Directory'
  • source.idp.email
    Narrows down effective permissions search where the source is an IdP user by its email address. The following example lists all effective permissions of Okta users with the email, my@email.com:
    config from iam where source.idp.email = 'my@email.com'
    This feature requires IdP integration.
  • source.idp.group
    Narrows down the effective permissions search where the source is a group defined within the IdP:
    config from iam where source.idp.group = 'my-group'
    This feature requires IdP integration.
  • source.idp.username
    List the effective permissions for a specific user within a source IdP:
    config from iam where source.idp.username = 'my-username'
    This feature requires IdP integration.
  • source.idp.domain
    Narrows down the effective permissions search where the source is an IdP user in a specific domain, such as my-domain.okta.com.
    config from iam where source.idp.domain = 'my-domain.okta.com'
    This feature requires IdP integration.
  • source.public
    Queries all S3 buckets that are publicly accessible. All GCP public resources–with
    allUsers
    and/or
    allAuthenticatedUsers
    Principals.
    config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
  • grantedby.cloud.type
    Narrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts:
    config from iam where grantedby.cloud.type = 'AWS'
    The following lists effective permissions in your Azure cloud accounts:
    config from iam where grantedby.cloud.type = 'AZURE'
  • grantedby.cloud.policy.id
    Queries permissions that have been granted by a specific policy by its id, such as AWS Managed Policy ARN, AWS Custom Policy, or GCP role ID. The following example lists effective permissions that have been granted by the AWS Managed Policy
    AdministratorAccess
    :
    config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess'
  • grantedby.cloud.policy.name
    Queries permissions that have been granted by a specific policy such as AWS Managed Policy, AWS Inline Policy, or GCP role name. The following example lists all effective permissions that have been granted by the AWS Managed Policy AdministratorAccess:
    config from iam where grantedby.cloud.policy.name = 'AdministratorAccess'
  • grantedby.cloud.policy.type
    Queries permissions that have been granted by a specific policy type, such as AWS Managed Policy, AWS Customer Policy, AWS Inline Policy, Azure built-in role, Azure custom role, GCP basic role, GCP custom role, or GCP predefined role.
    The following example lists all effective permissions that have been granted to a user by any AWS Inline Policy:
    config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Inline Policy'
    The following example lists all effective permissions that have been granted to a user by any Azure built-in role:
    config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role'
  • grantedby.cloud.entity.id
    Queries permissions that have been granted by a specific entity by its id, such as AWS IAM group ARN, AWS IAM role ARN, GCP group ID, or GCP service account ID. The following example lists all effective permissions that have been granted by the AWS IAM group,
    my-group
    :
    config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123456789012:group/my-group'
  • grantedby.cloud.entity.name
    Queries permissions that have been granted by a specific entity, such as AWS IAM group, AWS IAM role, GCP group name, or GCP service account name. The following example lists all effective permissions that have been granted by the AWS IAM group, my-group:
    config from iam where grantedby.cloud.entity.name = 'my-group'
  • grantedby.cloud.entity.type
    Queries permissions that have been granted by a specific entity type, such as AWS IAM group, AWS IAM role, GCP group, or GCP service account. The following example lists all effective permissions that have been granted to a user by any AWS IAM group:
    config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.entity.type = 'group'
  • grantedby.cloud.policy.tag
    Queries permissions granted by a specific policy such as AWS Managed or Inline policy, or GCP role name with a specific tag. The following example lists all effective permissions that have been granted by the AWS policies, with the tag Severity equals High:
    config from iam where grantedby.cloud.policy.tag ( 'Severity' ) = 'High'
  • grantedby.cloud.entity.tag
    Queries permissions granted by a specific entity, such as AWS IAM group or role, GCP group or service account name with a specific tag. For example, the following example lists all the effective permissions granted by AWS entities, with the tag Severity equals High.
    config from iam where grantedby.cloud.entity.tag ( 'Severity' ) = 'High'
  • grantedby.level.id
    Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its level id.
    • Azure: Identities with specific access to a Azure Management Group/Subscription/Resource. (below the 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' represents your subscription ID)
      • Management Group id format: '/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      • Subscription id format: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      • Resource format example : '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-mg1/providers/Microsoft.KeyVault/vaults/my-kv'
    • GCP: Users with specific access to GCP Organizations/Folders/Projects/Services. Note: GCP uses uniquie identifiers for each level type.
      • Organization id format: '//cloudresourcemanager.googleapis.com/organizations/##'
      • Folder id format: '//cloudresourcemanager.googleapis.com/folders/##'
      • Project id format: '//cloudresourcemanager.googleapis.com/projects/my-project'
      • Service id examples: '//bigquery.googleapis.com/projects/my-project/datasets/billing_export', '//storage.googleapis.com/my-bucket'
  • grantedby.level.name
    Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its assigned level name. This is typically the resource name you have given it or a default name such as with Azure Root Management Group by default is 'Tenant Root Group'.
    • Azure: Identities with specific access to an Azure Management Group/Subscription/Resource.
    • GCP: Users with specific access to a GCP Organizations/Folders/Projects/Services.
  • grantedby.level.type
    Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its level type.
    Current available level types are:
    • 'Azure Management Group'
    • 'Azure Subscription'
    • 'Azure Resource'
    • 'GCP Organization'
    • 'GCP Folder'
    • 'GCP Project'
    • 'GCP Service'
  • dest.cloud.account
    Narrows down your effective permissions search to one or more cloud accounts that you have connected to Prisma Cloud. The following example lists all effective permissions to all buckets in your AWS Production account:
    config from iam where dest.cloud.account = 'Production' AND dest.cloud.resouce.type = 'bucket'
    Can be used to find cross-account connection with the following syntax:
    config from iam where dest.cloud.account != source.cloud.account
    The following example uses the
    LIKE
    operator to display results where IAM permissions have been granted on the cloud service provider using the wildcard (*) character to authorize access:
    config from iam where dest.cloud.account LIKE 'account-dev-3'
    The LIKE operator finds permissions granted for all (
    *
    ) cloud accounts and the cloud account named
    account-dev-3
    .
    If you use the
    =
    operator in the RQL query above, instead of the LIKE operator, you will view results for only cloud account named
    account-dev-3
    .
  • dest.cloud.accountgroup
    Narrows down the permissions to the cloud accounts in your cloud account group. The following example lists permissions to all EC2 instances in any of your AWS accounts:
    config from iam where dest.cloud.accountgroup = 'All my AWS accounts' AND dest.cloud.service.name = 'ec2' AND dest.cloud.resource.type = 'instance'
  • dest.cloud.type
    Narrows down your search option to specific clouds. The following example lists all effective permissions where the destinations are in your AWS cloud accounts:
    config from iam where dest.cloud.type = 'AWS'
  • dest.cloud.region
    Narrows down effective permissions search where the destinations are in one or more cloud regions. The following example lists all effective permissions to AWS Lambda in your AWS account in the Virginia region:
    config from iam where dest.cloud.region = 'AWS Virginia' AND dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
  • dest.cloud.service.name
    Queries permissions to a specific cloud service such as IAM, S3, or EC2. The following example lists permissions to all EC2 instances in any of your AWS accounts:
    config from iam where dest.cloud.service.name = 'EC2'
  • dest.cloud.resource.name
    Queries permissions to a specific cloud service such as AWS Lambda function, AWS IAM user, and AWS EC2 instance. The following example lists all effective permissions to the AWS Lambda function:
    config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'
  • dest.cloud.resource.id
    Queries permissions to a specific cloud resource by its ID, such as AWS Lambda function ARN, AWS IAM user ARN, and AWS EC2 instance ARN. The following example lists all effective permissions to the AWS Lambda function:
    config from iam where dest.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'
  • dest.cloud.resource.type
    Queries permissions to a specific cloud type such as an IAM user, S3 bucket, or EC2 instance. The following example lists all effective permissions to the AWS Lambda functions:
    config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
  • dest.cloud.resource.tag
    Lists the effective permissions for a cloud resource destination with a specific resource tag.
    config from iam where dest.cloud.resource.tag ( 'string' ) exists
  • dest.cloud.wildcardscope
    Queries all non-specific resources that include wildcards for example, resources that equal or include “*”.
    config from iam where action.name CONTAINS ALL ( 'ec2:RunInstances', 'ec2:DescribeInstances', 'lambda:InvokeFunction' ) and dest.cloud.wildcardscope = true
  • action.name
    Narrows down the effective permissions search to one or more action names. The following example lists all the effective permissions to get an object from an AWS S3 Bucket:
    config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject'
Only the CONTAINS ALL operator is supported for this attribute. With this operator, you can run queries with AND logic in between values. For example, you would run the following query if you want to retrieve only roles that contain all actions X, Y and Z:
config from iam where action.name CONTAINS ALL ( 'Microsoft.AgFoodPlatform/farmBeats/seasons/write', 'Microsoft.AgFoodPlatform/fields/delete' )
  • action.lastaccess.days
    Displays when a specific permission was actually last used. The following example lists all the effective permissions to get an object from an AWS S3 bucket that was not used more than 90 days ago.
    config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject' and action.lastaccess.days > 90
    • Last access information is only logged for successful accesses. If the operation failed, for example due to lack of permissions, then the access information is not logged.
    • The number of results displayed for last access destinations is limited to the latest 100 results for a permission.

Recommended For You