IAM Query Examples
These IAM Query examples help you with how to:
- Use the 'config from iam where' query to find risky or excess permissions assigned to cloud entities or users.
- Build your queries and append additional filters to easily customize your search results.
- Use the powerful Graph view to start with a broad query and easily narrow your search results from there.
- Save your queries to quickly run again in the future and/or easily create custom policies that you can turn into Alerts.
Have a query you think would be useful to other customers? Contribute using the Edit on Github link above!

A list of 'config from iam where' query examples for general and CSP-specific use, covering AWS, Azure, and GCP.

General IAM Examples
| DESCRIPTION | RQL |
| --- | --- |
| Find all permissions that allow actions on all resources (using '*') | |
| Cloud Accounts & Groups | |
| Find all identities (internal & external) and their effective permissions to a specific account. | |
| Find all identities (internal & external) and their effective permissions to an account group (this shows all cloud accounts you have assigned to a particular Prisma Cloud Account Group). | |
| Active & Inactive Access | |
| Show all ACTIVE identities' access and specific actions over the last specified number of days. Show the same by group (or substitute other entity types, such as 'user' or 'role'). | |
| Show all INACTIVE identities and their allowed actions over the last specified number of days | |
| IdP/SSO Service Assigned Permissions | |
| Find all permissions assigned to Azure AD Identities. Append additional query attributes to further filter your query. | |
AWS IAM Examples
| DESCRIPTION | RQL |
| --- | --- |
| Find all AWS groups that grant the following set of permissions: | |
| Find all effective permissions of a specific IAM user. This calculates only the allowed permissions, taking into account any other policies (i.e. SCPs, Permissions Boundaries, etc.) that may deny permissions, even if an attached policy/role allows them. | |
| Find all identities (internal & external) and their effective permissions to a specific account. | |
| Find all identities that can invoke the Lambda function my-function | |
| Find permissions granted by the Lambda function itself | |
| Find all public access to S3 buckets in the AWS Virginia region | |
| Find all permissions that were granted by the role with the tag Severity equals High | |
| Discover Granted Permissions/Access | |
| Find all permissions that were granted by the role 'my-role', using the ARN id. | |
| Find identities that have been granted a specific policy, such as an AWS Managed Policy or AWS Inline Policy, and how it is attached (i.e. attached by Role, Group, or Inline Policy). Use Graph view to quickly visualize results. | |
| Active & Inactive Access | |
| Show all ACTIVE AWS identities' access and specific actions over the last specified number of days | |
| Show all INACTIVE AWS identities and their allowed actions over the last specified number of days | |
| Show a list of all INACTIVE AWS identities, including via console and via access keys (unlike the query above, this does not show all the actions/permissions, only the list of identities). | |
| Show only permissions used in the last specified number of days that are granted by a role. This can also be done for other entity types such as 'group', which may have inline policies attached directly to the group. This type of query can be very powerful for creating new least-privilege Custom Roles/Policies by looking only at the permissions actually being used with the current role/policy. | |
| Cross-Account Access | |
| Find external identities who have access to my account | |
| OR by using the account name given in Prisma Cloud (same results as the example above) | |
| Find external identities who have access to all accounts in my Account Group (in this case, the Account Group name entered in Prisma Cloud to group multiple accounts together, such as in an organization). | |
Azure IAM Examples
| DESCRIPTION | RQL |
| --- | --- |
| Find all effective permissions of the Azure AD user my-user | |
| Find all permissions that were granted by the custom role my-role | |
| Discover Granted Permissions/Access | |
| Find all permissions granted to Azure Service Principals | |
| Find all identities assigned the Azure built-in Owner role | |
| Find all identities with Custom Roles | |
| Find all identities that can delete MS SQL DBs | |
| Find all identities that can invoke the storage account my-storage account | |
| Active & Inactive Access | |
| Find all identities with the Microsoft.KeyVault/vaults/write permission that haven't used this permission for more than 10 days | |
GCP IAM Examples
| DESCRIPTION | RQL |
| --- | --- |
| Find users with direct permissions | |
| Find GCP users with the 'Owner' role on org level connected directly (with all permissions) | |
| Find GCP users with the 'Owner' role on org level connected directly (with an enhanced action to see all users) | |
| Find users with direct permissions through GCP Basic roles | |
| Find users with direct permissions through GCP predefined roles | |
| Find users with direct permissions through GCP custom roles | |
| Find users with direct permissions and a specific role | |
| Find users in a specific group | |
| Find users in a specific group and with a specific role | |
| Find who has access to a specific service | |
| Find who has access to a specific resource type | |
| Find who has access to a specific resource | |

The above query will display results only for resources with the permissions defined at the resource level, not at the organization, folder, or project level.