IAM Query Conditions

The IAM Security module supports conditions which enables you to apply filters to the
config from iam where
query for more granular results. You can use conditions to minimize the exposure of a resource based policy by making it available only to an organization or specific account, or you can use conditions to minimize the access to a machine (EC2 instances or Lambda functions); for example, if a machine has permissions that are publicly available, you can add a condition to enable actions only to a specific IP address. IAM Security include s the new
grantedby.cloud.condition
attribute which queries permissions where the policy statement contain/doesn’t contain conditions (See IAM Query Attributes for full list of IAM attributes). The following example filters all results with the source IP address:
config from iam where grantedby.cloud.policy.condition('aws:sourceIP') does not exist
Several operators are supported which gives you more flexibility on how filters are applied:
  • != (not equal)
  • = (equal)
  • does not exist
  • exists
  • in
  • not in
Example
config from iam where
queries applying conditions along with brief explanations of what they do.
Description
RQL
Operator
Show results where a specific condition exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') exists
exists
Show results where a specific condition doesn’t exist.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') does not exist
does not exist
Show results where a specific condition and operator exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists
exists
Show results where a specific condition and operator doesn’t exist.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') does not exist
does not exist
Show results where a specific condition with a specific value exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') = '1.1.1.1'
=
Show results where a specific condition with a different value exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') != '1.1.1.1'
!=
Show results where a specific condition and operator with a specific value exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') = '1.1.1.1'
=
Show results where a specific condition and operator with a different value exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') != '1.1.1.1'
!=
Show results where a specific condition and operator with one or more different values does not exist.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') NOT IN ('1.1.1.1', '2.2.2.2')
NOT IN
Show results where a specific condition and operator with one or more different values exists.
config from iam where grantedby.cloud.policy.condition('aws:sourceIP', 'IpAddress') NOT IN ('1.1.1.1', '2.2.2.2')
NOT IN
Show results where a specific condition with one or more values exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP') IN ('1.1.1.1')
IN
Show results where a specific condition and operator with one or more values exists.
config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') IN ('1.1.1.1')
IN

Recommended For You