IAM Query Attributes

Source
—an identity that takes action on other cloud resources. A source can be any resource with permissions such as an IAM user, Azure Active Directory user, EC2 instance, Lambda function, and Azure virtual machine.
Destination
—any cloud resource on which an action has occurred on or is the target of the action.
Granter
—the group, role, or policy that grants permissions to the source to interact with the destination.

source.cloud.account

Narrows down the effective permissions search to one-or-more cloud accounts that you have connected to Prisma Cloud. The following example lists all the effective permissions for all users in your AWS account, Azure tenant, or GCP account.

config from iam where source.cloud.account = 'Production' AND source.cloud.resource.type = 'user'

Can be used to find cross-account connection with the following syntax:

config from iam where source.cloud.account != dest.cloud.account

source.cloud.accountgroup

Narrows down the permissions to the cloud accounts in your cloud account group. The following example list permissions of all EC2 instances in any of your AWS accounts:

config from iam where source.cloud.accountgroup = 'All my AWS accounts' AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'

Lists permissions of all Azure virtual machine instances in any of your Azure subscriptions:

config from iam where source.cloud.accountgroup = 'All my Azure accounts' AND source.cloud.service.name = 'Microsoft.Compute' AND source.cloud.resource.type = 'virtualMachines'

source.cloud.type

Narrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:

config from iam where source.cloud.type = 'AWS'

Lists all effective permissions where the sources are in your Azure subscriptions:

config from iam where source.cloud.type = 'AZURE'

source.cloud.region

Narrows down your effective permissions search where the sources are in one or more cloud regions. The following example lists all AWS Lambda permissions for your AWS account in the Virginia region:

config from iam where source.cloud.region = 'AWS Virginia' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'

source.cloud.resource.tag

Lists the effective permissions for a cloud resource with a specific tag.

config from iam where source.cloud.resource.tag ( 'string' ) exists

grantedby.cloud.condition

Queries permissions where the policy statement contain and or doesn’t contain conditions.

config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists

source.cloud.service.name

Queries permissions of a specific cloud service such as: IAM, S3, EC2, Microsoft.Compute, Microsoft.Storage, GCP compute.

This example lists all EC2 permissions in your AWS cloud accounts:

config from iam where source.cloud.service.name = 'EC2'

Lists all Microsoft.Compute permissions in your Azure cloud accounts:

config from iam where source.cloud.service.name = 'Microsoft.Compute'

Lists GCP compute instances permissions:

config from iam where source.cloud.service.name = 'compute' and dest.cloud.type = 'GCP'

source.cloud.resource.id

Queries permissions of a specific cloud resources by its id, such as AWS Lambda function ARN, AWS IAM user ARN, AWS EC2 instance ARN, any Azure resource ID, GCP user account, service, machine ID, etc.

The following example lists all AWS Lambda function permissions:

config from iam where source.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'

The following lists permissions of a specific Azure virtual machine:

config from iam where source.cloud.resource.id = '/subscriptions/aaaaa-bbb-ccc-ddd-eeeee/resourceGroups/resource-group/providers/Microsoft.Compute/virtualMachines/my-machine'

source.cloud.resource.name

Queries permissions of a specific cloud resource by its name, such as AWS Lambda function, AWS IAM user, AWS EC2 instance, any Azure resource, GCP user account, service, machine, etc.

The following example lists all permissions of a specific AWS Lambda function:

config from iam where source.cloud.resource.name = 'my-lambda-function'

The following example lists all permissions of a user:

config from iam where source.cloud.resource.name = 'my-user'

source.cloud.resource.type

Queries permissions of a specific cloud resource type such as an IAM user, S3 bucket, EC2 instance, Azure AD user,

Microsoft.Storage

storage account,

Microsoft.compute

virtual machine, GCP Workspace user, etc..

The following example lists all AWS Lambda functions and each of their permissions:

config from iam where source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'

The following example lists all Azure functions and each of their permissions:

config from iam where source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type = 'function'

source.email

Queries permissions of a user by its email address. The following example lists all effective permissions of my@email.com:

config from iam where source.email = 'my@email.com'

This feature requires IdP integration.

source.idp.service

Narrows down the effective permissions search where the sources are in an IdP service, such as Okta. The following example lists all effective permissions of Okta users:

config from iam where source.idp.service = 'Okta'

This feature requires IdP integration.

The following example lists all effective permissions of Azure AD users:

config from iam where source.idp.service = 'Azure Active Directory'

source.idp.email

Narrows down effective permissions search where the source is an IdP user by its email address. The following example lists all effective permissions of Okta users with the email, my@email.com:

config from iam where source.idp.email = 'my@email.com'

This feature requires IdP integration.

source.idp.group

Narrows down the effective permissions search where the source is a group defined within the IdP:

config from iam where source.idp.group = 'my-group'

This feature requires IdP integration.

source.idp.username

List the effective permissions for a specific user within a source IdP:

config from iam where source.idp.username = 'my-username'

This feature requires IdP integration.

source.idp.domain

Narrows down the effective permissions search where the source is an IdP user in a specific domain, such as my-domain.okta.com.

config from iam where source.idp.domain = 'my-domain.okta.com'

This feature requires IdP integration.

source.public

Queries all S3 buckets that are publicly accessible. All GCP public resources–with

allUsers

and/or

allAuthenticatedUsers

Principals.

config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'

grantedby.cloud.type

Narrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts:

config from iam where grantedby.cloud.type = 'AWS'

The following lists effective permissions in your Azure cloud accounts:

config from iam where grantedby.cloud.type = 'AZURE'

grantedby.cloud.policy.id

Queries permissions that have been granted by a specific policy by its id, such as AWS Managed Policy ARN, AWS Custom Policy, or GCP role ID. The following example lists effective permissions that have been granted by the AWS Managed Policy

AdministratorAccess

:

config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess'

grantedby.cloud.policy.name

Queries permissions that have been granted by a specific policy such as AWS Managed Policy, AWS Inline Policy, or GCP role name. The following example lists all effective permissions that have been granted by the AWS Managed Policy AdministratorAccess:

config from iam where grantedby.cloud.policy.name = 'AdministratorAccess'

grantedby.cloud.policy.type

Queries permissions that have been granted by a specific policy type, such as AWS Managed Policy, AWS Customer Policy, AWS Inline Policy, Azure built-in role, Azure custom role, GCP basic role, GCP custom role, or GCP predefined role.

The following example lists all effective permissions that have been granted to a user by any AWS Inline Policy:

config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Inline Policy'

The following example lists all effective permissions that have been granted to a user by any Azure built-in role:

config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Built-in Role'

grantedby.cloud.entity.id

Queries permissions that have been granted by a specific entity by its id, such as AWS IAM group ARN, AWS IAM role ARN, GCP group ID, or GCP service account ID. The following example lists all effective permissions that have been granted by the AWS IAM group,

my-group

:

config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123456789012:group/my-group'

grantedby.cloud.entity.name

Queries permissions that have been granted by a specific entity, such as AWS IAM group, AWS IAM role, GCP group name, or GCP service account name. The following example lists all effective permissions that have been granted by the AWS IAM group, my-group:

config from iam where grantedby.cloud.entity.name = 'my-group'

grantedby.cloud.entity.type

Queries permissions that have been granted by a specific entity type, such as AWS IAM group, AWS IAM role, GCP group, or GCP service account. The following example lists all effective permissions that have been granted to a user by any AWS IAM group:

config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.entity.type = 'group'

grantedby.cloud.policy.tag

Queries permissions granted by a specific policy such as AWS Managed or Inline policy, or GCP role name with a specific tag. The following example lists all effective permissions that have been granted by the AWS policies, with the tag Severity equals High:

config from iam where grantedby.cloud.policy.tag ( 'Severity' ) = 'High'

grantedby.cloud.entity.tag

Queries permissions granted by a specific entity, such as AWS IAM group or role, GCP group or service account name with a specific tag. For example, the following example lists all the effective permissions granted by AWS entities, with the tag Severity equals High.

config from iam where grantedby.cloud.entity.tag ( 'Severity' ) = 'High'

grantedby.level.id

Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its level id.

Azure: Identities with specific access to a Azure Management Group/Subscription/Resource. (below the 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' represents your subscription ID)
Management Group id format: '/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Subscription id format: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
Resource format example : '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-mg1/providers/Microsoft.KeyVault/vaults/my-kv'
GCP: Users with specific access to GCP Organizations/Folders/Projects/Services. Note: GCP uses uniquie identifiers for each level type.
Organization id format: '//cloudresourcemanager.googleapis.com/organizations/##'
Folder id format: '//cloudresourcemanager.googleapis.com/folders/##'
Project id format: '//cloudresourcemanager.googleapis.com/projects/my-project'
Service id examples: '//bigquery.googleapis.com/projects/my-project/datasets/billing_export', '//storage.googleapis.com/my-bucket'

grantedby.level.name

Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its assigned level name. This is typically the resource name you have given it or a default name such as with Azure Root Management Group by default is 'Tenant Root Group'.

Azure: Identities with specific access to an Azure Management Group/Subscription/Resource.
GCP: Users with specific access to a GCP Organizations/Folders/Projects/Services.

grantedby.level.type

Queries the identities and their granted permissions at a specific cloud provider’s resource hierarchical level by its level type.

Current available level types are:

'Azure Management Group'
'Azure Subscription'
'Azure Resource'
'GCP Organization'
'GCP Folder'
'GCP Project'
'GCP Service'

dest.cloud.account

Narrows down your effective permissions search to one or more cloud accounts that you have connected to Prisma Cloud. The following example lists all effective permissions to all buckets in your AWS Production account:

config from iam where dest.cloud.account = 'Production' AND dest.cloud.resouce.type = 'bucket'

Can be used to find cross-account connection with the following syntax:

config from iam where dest.cloud.account != source.cloud.account

The following example uses the

LIKE

operator to display results where IAM permissions have been granted on the cloud service provider using the wildcard (*) character to authorize access:

config from iam where dest.cloud.account LIKE 'account-dev-3'

The LIKE operator finds permissions granted for all (

*

) cloud accounts and the cloud account named

account-dev-3

.

If you use the

=

operator in the RQL query above, instead of the LIKE operator, you will view results for only cloud account named

account-dev-3

.

dest.cloud.accountgroup

Narrows down the permissions to the cloud accounts in your cloud account group. The following example lists permissions to all EC2 instances in any of your AWS accounts:

config from iam where dest.cloud.accountgroup = 'All my AWS accounts' AND dest.cloud.service.name = 'ec2' AND dest.cloud.resource.type = 'instance'

dest.cloud.type

Narrows down your search option to specific clouds. The following example lists all effective permissions where the destinations are in your AWS cloud accounts:

config from iam where dest.cloud.type = 'AWS'

dest.cloud.region

Narrows down effective permissions search where the destinations are in one or more cloud regions. The following example lists all effective permissions to AWS Lambda in your AWS account in the Virginia region:

config from iam where dest.cloud.region = 'AWS Virginia' AND dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'

dest.cloud.service.name

Queries permissions to a specific cloud service such as IAM, S3, or EC2. The following example lists permissions to all EC2 instances in any of your AWS accounts:

config from iam where dest.cloud.service.name = 'EC2'

dest.cloud.resource.name

Queries permissions to a specific cloud service such as AWS Lambda function, AWS IAM user, and AWS EC2 instance. The following example lists all effective permissions to the AWS Lambda function:

config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'

dest.cloud.resource.id

Queries permissions to a specific cloud resource by its ID, such as AWS Lambda function ARN, AWS IAM user ARN, and AWS EC2 instance ARN. The following example lists all effective permissions to the AWS Lambda function:

config from iam where dest.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'

dest.cloud.resource.type

Queries permissions to a specific cloud type such as an IAM user, S3 bucket, or EC2 instance. The following example lists all effective permissions to the AWS Lambda functions:

config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'

dest.cloud.resource.tag

Lists the effective permissions for a cloud resource destination with a specific resource tag.

config from iam where dest.cloud.resource.tag ( 'string' ) exists

dest.cloud.wildcardscope

Queries all non-specific resources that include wildcards for example, resources that equal or include “*”.

config from iam where action.name CONTAINS ALL ( 'ec2:RunInstances', 'ec2:DescribeInstances', 'lambda:InvokeFunction' ) and dest.cloud.wildcardscope = true

action.name

Narrows down the effective permissions search to one or more action names. The following example lists all the effective permissions to get an object from an AWS S3 Bucket:

config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject'

config from iam where action.name CONTAINS ALL ( 'Microsoft.AgFoodPlatform/farmBeats/seasons/write', 'Microsoft.AgFoodPlatform/fields/delete' )

action.lastaccess.days
Displays when a specific permission was actually last used. The following example lists all the effective permissions to get an object from an AWS S3 bucket that was not used more than 90 days ago.
config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject' and action.lastaccess.days > 90
Last access information is only logged for successful accesses. If the operation failed, for example due to lack of permissions, then the access information is not logged.
The number of results displayed for last access destinations is limited to the latest 100 results for a permission.