IAM Query Examples

Learn how to use the "config from iam where" query to find risky or excess permissions assigned to cloud entities or users.
| DESCRIPTION | RQL |
| --- | --- |
| Find all effective permissions of a specific IAM user | config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' and source.cloud.resource.name = 'my-user' |
| Find all permissions that were granted by the role 'my-role' | config from iam where grantedby.cloud.entity.id = 'arn:aws:iam::123123123:role/my-role' |
| Find all identities that can invoke the Lambda function 'my-function' | config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction' |
| Find permissions granted by the Lambda function itself (its resource-based policy) | config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction' and grantedby.cloud.policy.type = 'Resource-based Policy' |
| Find all public access to S3 buckets in the AWS Virginia region | config from iam where source.public = true and dest.cloud.service.name = 's3' and dest.cloud.resource.type = 'bucket' and dest.cloud.region = 'AWS Virginia' |
| Find all permissions that allow actions on all resources (using '*') | config from iam where dest.cloud.service.name = 'lambda' and dest.cloud.resource.type = 'function' and dest.cloud.resource.name = 'my-function' and action.name = 'lambda:InvokeFunction' and grantedby.cloud.policy.type = 'Resource-based Policy' |
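To make the field model behind these queries concrete, here is an added example that is not Prisma Cloud code and not its RQL engine. It builds a handful of constructed net-effective-permission records (which source can perform which action on which destination, and which policy granted it) using the field names from the table above, parses the page's "field = 'value'" and "field = true" conditions joined by "and", and returns the matching records. The helper names (perm, parse_query, run_query), the sample ARNs and every record are assumptions made for the example; only the equality operator and "and" are supported, which is all the queries on this page use.

```python
"""Toy evaluator for the ``config from iam where`` query form (added example, not Prisma Cloud code)."""
import re
from typing import Any, Dict, List

REGION = "AWS Virginia"


def perm(src_type: str, src_name: str, service: str, res_type: str, res_name: str,
         action: str, granted_by: str, policy_type: str, public: bool = False) -> Dict[str, Any]:
    """Build one constructed effective-permission record keyed by the page's RQL field names."""
    return {
        "source.cloud.service.name": "iam",
        "source.cloud.resource.type": src_type,
        "source.cloud.resource.name": src_name,
        "source.public": public,
        "dest.cloud.service.name": service,
        "dest.cloud.resource.type": res_type,
        "dest.cloud.resource.name": res_name,
        "dest.cloud.region": REGION,
        "action.name": action,
        "grantedby.cloud.entity.id": granted_by,
        "grantedby.cloud.policy.type": policy_type,
    }


# Constructed sample data (hypothetical account 123123123; not real cloud inventory).
USER_ARN = "arn:aws:iam::123123123:user/my-user"
ROLE_ARN = "arn:aws:iam::123123123:role/my-role"
RECORDS: List[Dict[str, Any]] = [
    # my-user may invoke my-function through its own identity policy
    perm("user", "my-user", "lambda", "function", "my-function", "lambda:InvokeFunction", USER_ARN, "Identity-based Policy"),
    # my-user may read objects from my-bucket through its own identity policy
    perm("user", "my-user", "s3", "bucket", "my-bucket", "s3:GetObject", USER_ARN, "Identity-based Policy"),
    # other-role may invoke my-function because the function's resource policy allows it
    perm("role", "other-role", "lambda", "function", "my-function", "lambda:InvokeFunction",
         "arn:aws:lambda:us-east-1:123123123:function:my-function", "Resource-based Policy"),
    # an anonymous (public) principal may read my-bucket because the bucket policy allows it
    perm("anonymous", "*", "s3", "bucket", "my-bucket", "s3:GetObject",
         "arn:aws:s3:::my-bucket", "Resource-based Policy", public=True),
    # my-role may list my-bucket through the role's identity policy
    perm("role", "my-role", "s3", "bucket", "my-bucket", "s3:ListBucket", ROLE_ARN, "Identity-based Policy"),
]

# "config from iam where" must be followed by whitespace, so a run-together keyword is rejected.
_HEAD = re.compile(r"^\s*config\s+from\s+iam\s+where\s+(.+?)\s*$")
# One condition: field = 'quoted string'  or  field = true/false (spaces around '=' optional).
_COND = re.compile(r"^\s*([\w.]+)\s*=\s*(?:'([^']*)'|(true|false))\s*$")


def parse_query(rql: str) -> Dict[str, Any]:
    """Turn the where-clause into {field: expected value}; only '=' joined by 'and' is supported."""
    head = _HEAD.match(rql)
    if not head:
        raise ValueError("query must start with 'config from iam where ' followed by conditions")
    conds: Dict[str, Any] = {}
    for part in head.group(1).split(" and "):
        cond = _COND.match(part)
        if not cond:
            raise ValueError(f"cannot parse condition: {part!r}")
        field, quoted, boolean = cond.groups()
        conds[field] = quoted if boolean is None else boolean == "true"
    return conds


def run_query(rql: str, records: List[Dict[str, Any]] = RECORDS) -> List[Dict[str, Any]]:
    """Return every record on which all parsed conditions hold (missing fields never match)."""
    conds = parse_query(rql)
    return [r for r in records if all(r.get(field) == value for field, value in conds.items())]


if __name__ == "__main__":
    public_s3 = ("config from iam where source.public = true and dest.cloud.service.name = 's3' "
                 "and dest.cloud.resource.type = 'bucket' and dest.cloud.region = 'AWS Virginia'")
    for rec in run_query(public_s3):
        print("public access:", rec["action.name"], "on", rec["dest.cloud.resource.name"],
              "granted by", rec["grantedby.cloud.entity.id"])
```

The useful property to notice is that the same destination and action can appear in several records with different grantedby values: the query that adds grantedby.cloud.policy.type = 'Resource-based Policy' narrows the Lambda results from every identity that can invoke the function down to the ones the function's own policy lets in, which is the set to review when a function is meant to be reachable only from within the account.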