IAM Query Attributes

Review your options when using `config from iam where` on the Investigate tab of the Prisma Cloud administrative console.
Each attribute allows you to narrow down your search criteria. The auto-suggest feature displays expressions and operators available for each attribute.
  • Source—an identity that takes action on other cloud resources. A source can be any resource with permissions, such as an IAM user, IdP user, EC2 instance, or Lambda function.
  • Destination—any cloud resource on which an action has occurred or that is the target of the action.
  • Granter—the group, role, or policy that grants the source permission to interact with the destination.
For example, an IAM user (source) who can add an entry to a DynamoDB table (destination) using the AWS managed policy of the group (granter entity) to which the user belongs.
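The scenario above expressed as a single IAM query, as an added example that is not part of the original page. It combines one attribute from each of the three sides (source, destination, granter) with an action name. The value strings 'dynamodb', 'table', 'dynamodb:PutItem' and 'Managed Policy' are assumed here for illustration; confirm the exact values offered by the auto-suggest in your tenant before relying on the result, since only the values that appear elsewhere on this page ('user', 'group') are confirmed.

```rql
config from iam where source.cloud.resource.type = 'user' AND dest.cloud.service.name = 'dynamodb' AND dest.cloud.resource.type = 'table' AND action.name = 'dynamodb:PutItem' AND grantedby.cloud.entity.type = 'group' AND grantedby.cloud.policy.type = 'Managed Policy'
```

Reading the result from the three sides is what makes the query useful for a least-privilege review: the source rows tell you which users hold the permission, the destination rows which tables are reachable, and the granter rows which group and policy to change if the access is not intended.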
Below are the attributes that can be used on the IAM query.
  • source.cloud.account
    Narrows down the effective permissions search to one or more cloud accounts that you have connected to Prisma Cloud. The following example lists all the effective permissions for all users in your AWS account:
    config from iam where source.cloud.account = 'Production' AND source.cloud.resource.type = 'user'
    Can be used to find cross-account connections with the following syntax:
    config from iam where source.cloud.account != dest.cloud.account
    Only cross-account access granted by the resource-based policy is currently supported.
  • source.cloud.accountgroup
    Narrows down the permissions to the cloud accounts in your cloud account group. The following example lists the permissions of all EC2 instances in any of your AWS accounts:
    config from iam where source.cloud.accountgroup = 'All my AWS accounts' AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'
  • source.cloud.type
    Narrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:
    config from iam where source.cloud.type = 'AWS'
  • source.cloud.region
    Narrows down your effective permissions search where the sources are in one or more cloud regions. The following example lists all AWS Lambda permissions for your AWS account in the Virginia region:
    config from iam where source.cloud.region = 'AWS Virginia' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'
  • grantedby.cloud.condition
    Queries permissions where the policy statement contains or does not contain conditions. The following example lists permissions whose granting statement carries an IpAddress condition on aws:sourceIP:
    config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
  • source.cloud.service.name
    Queries permissions of a specific cloud service such as IAM, S3, or EC2. The following example lists all EC2 permissions in your AWS cloud accounts:
    config from iam where source.cloud.service.name = 'EC2'
  • source.cloud.resource.id
    Queries specific cloud resources by their id, such as an AWS Lambda function ARN, AWS IAM user ARN, or AWS EC2 instance ARN. The following example lists all permissions of one AWS Lambda function:
    config from iam where source.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'
  • source.cloud.resource.type
    Queries permissions of a specific resource type, such as IAM user, S3 bucket, or EC2 instance. The following example lists all AWS Lambda function permissions:
    config from iam where source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function'
  • source.email
    Queries permissions of a user by email address. The following example lists all effective permissions of my@email.com:
    config from iam where source.email = 'my@email.com'
    This feature requires IdP integration.
  • source.idp.service
    Narrows down the effective permissions search where the sources are in an IdP service, such as Okta. The following example lists all effective permissions of Okta users:
    config from iam where source.idp.service = 'Okta'
    This feature requires IdP integration.
  • source.idp.email
    Narrows down the effective permissions search where the source is an IdP user with a given email address. The following example lists all effective permissions of the Okta user with the email my@email.com:
    config from iam where source.idp.email = 'my@email.com'
    This feature requires IdP integration.
  • source.idp.group
    Narrows down the effective permissions search where the source is a group defined within the IdP:
    config from iam where source.idp.group = 'my-group'
    This feature requires IdP integration.
  • source.idp.username
    Lists the effective permissions for a specific user within a source IdP:
    config from iam where source.idp.username = 'my-username'
    This feature requires IdP integration.
  • source.idp.domain
    Narrows down the effective permissions search where the source is an IdP user in a specific domain, such as my-domain.okta.com:
    config from iam where source.idp.domain = 'my-domain.okta.com'
    This feature requires IdP integration.
  • source.public
    Queries permissions granted to public (anonymous) sources. The following example lists all S3 buckets that are publicly accessible:
    config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket'
  • grantedby.cloud.type
    Narrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts:
    config from iam where grantedby.cloud.type = 'AWS'
  • grantedby.cloud.policy.id
    Queries permissions that have been granted by a specific policy identified by its id, such as an AWS Managed Policy ARN or AWS Customer Managed Policy ARN. The following example lists effective permissions that have been granted by the AWS Managed Policy AdministratorAccess, identified by its ARN:
    config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess'
  • grantedby.cloud.policy.name
    Queries permissions that have been granted by a specific policy identified by its name, such as an AWS Managed Policy or AWS Inline Policy. The following example lists all effective permissions that have been granted by the AWS Managed Policy AdministratorAccess:
    config from iam where grantedby.cloud.policy.name = 'AdministratorAccess'
  • grantedby.cloud.policy.type
    Queries permissions that have been granted by a specific policy type, such as AWS Managed Policy, AWS Customer Policy, or AWS Inline Policy. The following example lists all effective permissions that have been granted to a user by any AWS Inline Policy:
    config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.type = 'Inline Policy'
  • grantedby.cloud.entity.id
    Queries permissions that have been granted by a specific entity identified by its id, such as an AWS IAM Group ARN or AWS IAM Role ARN. The following example lists all effective permissions that have been granted by the AWS IAM Group my-group:
    config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123456789012:group/my-group'
  • grantedby.cloud.entity.name
    Queries permissions that have been granted by a specific entity identified by its name, such as an AWS IAM Group or AWS IAM Role. The following example lists all effective permissions that have been granted by the AWS IAM Group my-group:
    config from iam where grantedby.cloud.entity.name = 'my-group'
  • grantedby.cloud.entity.type
    Queries permissions that have been granted by a specific entity type, such as AWS IAM Group or AWS IAM Role. The following example lists all effective permissions that have been granted to a user by any AWS IAM Group:
    config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.entity.type = 'group'
  • dest.cloud.account
    Narrows down your effective permissions search to one or more cloud accounts that you have connected to Prisma Cloud. The following example lists all effective permissions to all buckets in your AWS Production account:
    config from iam where dest.cloud.account = 'Production' AND dest.cloud.resource.type = 'bucket'
    Can be used to find cross-account connections with the following syntax:
    config from iam where dest.cloud.account != source.cloud.account
    Only cross-account access granted by the resource-based policy is currently supported.
  • dest.cloud.accountgroup
    Narrows down the permissions to the cloud accounts in your cloud account group. The following example lists permissions to all EC2 instances in any of your AWS accounts:
    config from iam where dest.cloud.accountgroup = 'All my AWS accounts' AND dest.cloud.service.name = 'ec2' AND dest.cloud.resource.type = 'instance'
  • dest.cloud.type
    Narrows down your search option to specific clouds. The following example lists all effective permissions where the destinations are in your AWS cloud accounts:
    config from iam where dest.cloud.type = 'AWS'
  • dest.cloud.region
    Narrows down the effective permissions search where the destinations are in one or more cloud regions. The following example lists all effective permissions to AWS Lambda functions in your AWS account in the Virginia region:
    config from iam where dest.cloud.region = 'AWS Virginia' AND dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
  • dest.cloud.service.name
    Queries permissions to a specific cloud service such as IAM, S3, or EC2. The following example lists permissions to all EC2 instances in any of your AWS accounts:
    config from iam where dest.cloud.service.name = 'EC2'
  • dest.cloud.resource.name
    Queries permissions to a specific cloud resource by its name, such as an AWS Lambda function, AWS IAM user, or AWS EC2 instance. The following example lists all effective permissions to the AWS Lambda function my-function:
    config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'
  • dest.cloud.resource.id
    Queries permissions to a specific cloud resource by its id, such as an AWS Lambda function ARN, AWS IAM user ARN, or AWS EC2 instance ARN. The following example lists all effective permissions to one AWS Lambda function:
    config from iam where dest.cloud.resource.id = 'arn:aws:lambda:us-east-2:123456789012:function:my-function'
  • dest.cloud.resource.type
    Queries permissions to a specific resource type, such as an IAM user, S3 bucket, or EC2 instance. The following example lists all effective permissions to AWS Lambda functions:
    config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function'
  • action.name
    Narrows down the effective permissions search to one or more action names. The following example lists all the effective permissions to get an object from an AWS S3 Bucket:
    config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject'
  • action.lastaccess.days
    Narrows down the effective permissions search according to when the permission was last used. The following example lists all the effective permissions to get an object from an AWS S3 bucket that have not been used in more than 90 days:
    config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type = 'bucket' AND action.name = 'S3:GetObject' AND action.lastaccess.days > 90
    Last access information is only logged for successful accesses. If the operation failed, for example because the caller lacked permissions, the access is not logged, so a denied attempt does not reset the last-access age.
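A stale-privilege review built on the same attribute, as an added example that is not part of the original page. It pairs the granter side with the last-access filter to find users who hold a broad managed policy but have not exercised any of its permissions in more than 90 days, which is the usual starting list for a least-privilege cleanup. Every value used here ('user', 'AdministratorAccess', the 90-day threshold) already appears on this page; the threshold is a choice, not a fixed value.

```rql
config from iam where source.cloud.resource.type = 'user' AND grantedby.cloud.policy.name = 'AdministratorAccess' AND action.lastaccess.days > 90
```

Because only successful calls are recorded, a permission that shows up here was either never used or last used more than 90 days ago; a user whose calls have been failing for lack of some other permission will not appear as recently active, so confirm with the cloud provider's own access logs before removing the policy.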
