1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Resource Query Language (RQL) Reference
    5. Prisma Cloud RQL Reference
    6. IAM Query
    7. IAM Query Examples

    IAM Query Examples

    Learn how to use the
    config from iam where
     query to find risky or extra permissions assigned to cloud entities or users.
    A list of
    config from iam where
     query examples for IAM AWS and IAM Azure.

    IAM AWS Examples

    DESCRIPTION
    RQL
    Find all effective permissions of a specific IAM user
    config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user'
    Find all permissions that were granted by the role
    my-role
    config from iam wheregrantedby.cloud.entity.id = 'arn:aws:iam::123123123:role/my-role'
    Find all identities that can invoke the lambda function
    my-function
    config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction'
    Find permissions granted by the Lambda function itself
    config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction' and grantedby.cloud.policy.type='Resource-based Policy'
    Find all public access to S3 buckets in the AWS Virginia region
    config from iam where source.public = true and dest.cloud.service.name = 's3' and dest.cloud.resource.type = 'bucket' and dest.cloud.region = 'AWS Virginia'
    Find all permissions that allows action on all resource (using ‘*’)
    config from iam where dest.cloud.resource.name = '*'

    IAM Azure Examples

    DESCRIPTION
    RQL
    Find all effective permissions of the Azure AD user
    my-user
    config from iam where dest.cloud.type='AZURE' AND source.cloud.service.name = 'Azure Active Directory' AND source.cloud.resource.type = 'user' AND source.cloud.resource.name = 'my-user'
    Find all permissions that were granted by the custom role
    my-role
    config from iam where dest.cloud.type = 'AZURE' AND grantedby.cloud.policy.name = 'my-role'
    Find all identities that can invoke the storage account
    my-storage account
    config from iam where dest.cloud.type='AZURE' AND dest.cloud.service.name = 'Microsoft.Storage' AND dest.cloud.resource.type = 'storageAccounts' AND dest.cloud.resource.name = 'my-storage-account'
    Find all identities with the
    Microsoft.KeyVault/vaults/write
     permission that haven’t used this permission for more than 10 days
    config from iam where dest.cloud.type='AZURE' AND action.name = 'Microsoft.KeyVault/vaults/write' and action.lastaccess.days > 10

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo