IAM Query Examples

Learn how to use the "config from iam where" query to find risky or excess permissions assigned to cloud entities or users. Below is a list of "config from iam where" query examples for IAM AWS and IAM Azure.

IAM AWS Examples

DESCRIPTION: Find all effective permissions of a specific IAM user
RQL: config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'

DESCRIPTION: Find all permissions that were granted by the role my-role
RQL: config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123123123:role/my-role'

DESCRIPTION: Find all identities that can invoke the Lambda function my-function
RQL: config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction'

DESCRIPTION: Find permissions granted by the Lambda function's own resource-based policy
RQL: config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction' and grantedby.cloud.policy.type='Resource-based Policy'

DESCRIPTION: Find all public access to S3 buckets in the AWS Virginia region
RQL: config from iam where source.public = true and dest.cloud.service.name = 's3' and dest.cloud.resource.type = 'bucket' and dest.cloud.region = 'AWS Virginia'

DESCRIPTION: Find all permissions that allow an action on all resources (using '*')
RQL: config from iam where dest.cloud.resource.name = '*'

IAM Azure Examples

DESCRIPTION: Find all effective permissions of the Azure AD user my-user
RQL: config from iam where dest.cloud.type='AZURE' AND source.cloud.service.name = 'Azure Active Directory' AND source.cloud.resource.type = 'user' AND source.cloud.resource.name = 'my-user'

DESCRIPTION: Find all permissions that were granted by the custom role my-role
RQL: config from iam where dest.cloud.type = 'AZURE' AND grantedby.cloud.policy.name = 'my-role'

DESCRIPTION: Find all identities that can invoke the storage account my-storage-account
RQL: config from iam where dest.cloud.type='AZURE' AND dest.cloud.service.name = 'Microsoft.Storage' AND dest.cloud.resource.type = 'storageAccounts' AND dest.cloud.resource.name = 'my-storage-account'

DESCRIPTION: Find all identities with the Microsoft.KeyVault/vaults/write permission that haven't used this permission for more than 10 days
RQL: config from iam where dest.cloud.type='AZURE' AND action.name = 'Microsoft.KeyVault/vaults/write' and action.lastaccess.days > 10
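A small helper for composing these "config from iam where" queries from structured filters instead of hand-editing strings, added here as an example (it is not part of the original page or of the product's own tooling). The field names and operators are the ones used in the tables above; rejecting values that contain a quote, rather than escaping them, is this example's own assumption, since the page shows no escaping syntax.

```python
"""Compose `config from iam where ...` queries from (field, operator, value) triples."""
import re
from typing import Sequence, Tuple, Union

Value = Union[str, bool, int]
Condition = Tuple[str, str, Value]

# Field names on this page are dotted lowercase paths (source.cloud.resource.name, action.lastaccess.days, ...).
FIELD_RE = re.compile(r"[a-z]+(\.[a-z]+)*")
# Only the operators that appear in the examples above are accepted.
ALLOWED_OPS = {"=", ">"}


def _render(value: Value) -> str:
    """Render a value the way the examples do: bare booleans/numbers, single-quoted strings."""
    if isinstance(value, bool):          # check bool before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if "'" in value:
        # Assumption of this example: refuse quotes so a value can never close the literal early.
        raise ValueError("string values may not contain a single quote")
    return f"'{value}'"


def iam_query(conditions: Sequence[Condition], cloud: str = None) -> str:
    """Build the query; `cloud` prepends a dest.cloud.type filter (e.g. 'AZURE') as in the Azure table."""
    parts = []
    if cloud:
        parts.append(f"dest.cloud.type = {_render(cloud)}")
    for field, op, value in conditions:
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"bad field name: {field!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator: {op!r}")
        parts.append(f"{field} {op} {_render(value)}")
    if not parts:
        raise ValueError("query needs at least one condition")
    return "config from iam where " + " and ".join(parts)


def wildcard_resource_permissions() -> str:
    """Permissions whose target resource is '*' (last row of the AWS table)."""
    return iam_query([("dest.cloud.resource.name", "=", "*")])


def unused_permission(action: str, days: int, cloud: str = None) -> str:
    """Identities holding `action` that have not used it for more than `days` days."""
    return iam_query([("action.name", "=", action), ("action.lastaccess.days", ">", days)], cloud)
```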
