From c8dff85122df5fd3cd5faf144112e105ed95f339 Mon Sep 17 00:00:00 2001 From: jenjoe22 Date: Thu, 12 Dec 2024 16:12:36 -0600 Subject: [PATCH] permission-query-update --- .../permissions-query-attributes.adoc | 44 ++++++++++++++----- 1 file changed, 33 insertions(+), 11 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc index 70c6db45dd..9069d439a9 100644 --- a/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc +++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc @@ -28,6 +28,20 @@ Use the following to find cross-account connection: config from iam where source.cloud.account != dest.cloud.account ---- +* *source.cloud.account.isvendor* ++ +This query retrieves all permissions granted to known vendors in the environment. ++ +---- +config from iam where source.cloud.account.isvendor = true +---- ++ +The following example retrieves all vendor accounts that do not start with Red. ++ +---- +config from iam where source.cloud.account DOES NOT START WITH 'Red' and source.cloud.account.isvendor = true +---- + * *source.cloud.accountgroup* + Narrows down the permissions to the cloud accounts in your cloud account group. The following example list permissions of all EC2 instances in any of your AWS accounts: @@ -71,14 +85,6 @@ Lists the effective permissions for a cloud resource with a specific tag. config from iam where source.cloud.resource.tag ( 'string' ) exists ---- -* *grantedby.cloud.condition* -+ -Queries permissions where the policy statement contain and or doesn't contain conditions. -+ ----- -config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists ----- - * *source.cloud.service.name* + Queries permissions of a specific cloud service such as: IAM, S3, EC2, `Microsoft.Compute`, or `Microsoft.Storage`. @@ -244,6 +250,14 @@ Queries all S3 buckets that are publicly accessible. All GCP public resources wi config from iam where source.public = true AND dest.cloud.service.name = 'S3' AND dest.cloud.resource.type = 'bucket' ---- +* *grantedby.cloud.condition* ++ +Queries permissions where the policy statement contain and or doesn't contain conditions. ++ +---- +config from iam where grantedby.cloud.policy.condition ('aws:sourceIP', 'IpAddress') exists +---- + * *grantedby.cloud.type* + Narrows down your search option to specific clouds. The following example lists effective permissions where the granter such as group, role, or policy is in your AWS cloud accounts: @@ -266,6 +280,14 @@ Queries permissions that have been granted by a specific policy by its id, such config from iam where grantedby.cloud.policy.id = 'arn:aws:iam::aws:policy/AdministratorAccess' ---- +* *grantedby.cloud.policy.isExcessive* + +* true + +* false + +Identifies excessive access in IAM policies (AWS IAM Policies/Azure Roles/GCP Roles) when including “*” in the action or scope sections. + * *grantedby.cloud.policy.name* + Queries permissions that have been granted by a specific policy such as AWS Managed Policy, AWS Inline Policy, or GCP role name. The following example lists all effective permissions that have been granted by the AWS Managed Policy `AdministratorAccess`: @@ -342,18 +364,18 @@ Queries permissions granted by a specific entity, such as AWS IAM group or role, config from iam where grantedby.cloud.entity.tag ( 'Severity' ) = 'High' ---- -* *grantedby.level.id*: +* *grantedby.level.id* Identifies permissions granted by specific level ID. For example: ** Azure: Groups with access to Azure management group/Subscriptions/Resources. ** GCP: Users with access to GCP organization/Folder/Project/Service. -* *grantedby.level.name*: +* *grantedby.level.name* Identifies permissions granted by specific level name. For example: ** Azure: Groups with access to Azure management group/Subscriptions/Resources. ** GCP: Users with access to GCP organization/Folder/Project/Service. -* *grantedby.level.type*: +* *grantedby.level.type* Queries permissions granted to a specific level type. For example: ** Azure: Groups with access to Azure management group/Subscriptions/Resources.