Comment on page
❔
Query Search
This page describes how P0's IAM-Assessment query searches work.
Query searches are controlled using two parts:
- show - controls which kind of data are displayed
- where - controls which data to show
Currently, you can choose to "show" either principals (users, groups, machine identities, and so forth) or grants (in Google Cloud, a role binding; in AWS, a policy attachment).
The "where" control is a free-form search box. You can enter any term here, and P0 will find the principals or grants that relate to your search term.
Example:
Searching for a permission (in this case
compute.instances.create in a Google Cloud assessment) will show you all grants that provide that permission:
To see why a search result matches your query, you can click on that result's "view" link. The details page will show an "Explanation" section at the bottom, describing how that result satisfies your query:
You can be more specific in your queries by writing query expressions. Here's a summary of query expressions:
"{keyword}" | Match data exactly | |
!{keyword} | Invert keyword matches | |
^{term} | Remove matches from results | |
{type}:{keyword} | Match data types | |
{type}={keyword} | Match first datum only | |
{type}:{attribute}:{keyword} | Match data attributes | |
{term} {term} | Require multiple data connections | |
{term}->{term} | Place multiple conditions on a data connection |
By default, P0 matches IAM data as long as it includes your search keyword. To match data exactly, enclose your keyword in double quotes. In the above example, searching for
compute.instances.get will show you grants that give the compute.instances.get permission, but also grants that give the compute.instances.getIamPolicy, compute.instances.getScreenshot, and related permissions. By searching for "compute.instances.get" you can limit results to only those grants that give access to the data you're looking for.When using exact matches with type and attribute matches, the quotes surround the keyword only:
type:attribute:"keyword".You can also use quotes to search for data where the data includes a colon without triggering a type or attribute match.
You can search for grants and principals that are connected to data that don't match a keyword by typing a
! in front of your search keyword.Note that using an inverted match on its own usually won't do much, as grants and principals are connected to a lot of data, and some of these data are likely to not match your keyword. Instead, inverted matches are usually best when combined with type or attribute matches, or with exclusion matches. For example,
mfa:!enabled will show you all users that have either disabled or unknown MFA status.When using inverted matches with type and attribute matches, the
! comes after the type and attribute: type:attribute:!keyword.You can search for grants and principals that are not connected to data that match a term by typing a
^ in front of your entire search term.For example, searching for
^authentication:used will show all principals that have only unused or no authentication methods.When using exclusion matches, the
^ comes before the type and attribute: ^type:attribute:keyword.Limit your search to a specific type of IAM data using a type prefix. For example, adding
risk:CRITICAL in front of your search will limit your search to only showing grants that allow a critical IAM risk (as defined by the IAM Privilege Catalog). See Search types for a list of all possible types.You can use a type match without a keyword to search for the presence of data.
For example,
condition: will show you all conditional grants.Data may be connected to a chain of items of the same type. For instance, a grant on a resource will give access to all that resource's children, and all those child resources' children, and so forth. Or, grants may be made to directory groups with nested group membership.
To restrict your search to only the first item in such a chain, use a first match. For example,
[email protected] will show only the [email protected] user, and not groups that user belongs to.Attribute expressions allow you to make even more specific type searches. For example, searching for
authentication:last90:unused will limit displayed principals to those with at least one authentication method that has not been used in the previous 90 days. See Search attributes for a list of all possible attributes.Return grants and principals that are connected to multiple data by separating search terms using whitespace.
For instance,
resource:one resource:two will show you grants that provide access to both resources "one" and "two".Your IAM data are modeled as a directed graph. You can require data to be connected to your search results according to multiple search terms using a via match.
To use a via match, connect two or more terms using
->.For example, to find all grants that have unused permissions that create a data exfiltration risk, you can search for
unused:->risk:"exfiltration:data".Exclusion matches combined with via matches will return results where one or more of the via conditions do not match.
One of the best resources for constructing queries is to view the search queries for P0's built-in assessment monitors.
For instance, here's the query for detecting unused service account keys:
principal:type:"service-account"->authentication:last40:"unused"->credential:"key"This returns all service-account principals that have at least one static credential that has not been used in the last 40 days.
You can also construct queries using tooltips in the displayed data. To do this, hover over an item you want to either include or exclude from your search:
Select the corresponding "show" or "hide" link to either include or exclude that item in your search results.
Last modified 30d ago