Search Reference
Search types
These are all the possible search types, and their meaning:
action - an AWS action
condition - a grant condition
credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO
effect - an AWS policy-statement effect
grant - an IAM grant
lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)
mfa - a principal's multi-factor status; only available for human identities:
  enabled - MFA is in use
  disabled - MFA is not in use
  unknown - MFA status is unknown to P0
policy - an AWS policy
permission - a Google Cloud permission
principal - an IAM principal; search matches the name of the principal (e.g. email; group name, AWS role name, etc.)
resource - an IAM resource
risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)
role - a Google Cloud role (note that this is not an AWS role; use the principal type to search AWS roles)
usage - represents privilege usage (in the last 90 days):
  used - the privilege was used in the last 90 days
  unused - the privilege has been unused for all of the previous 90 days
  unknown - P0 lacks evidence to determine if the privilege is used or unused
Search attributes
Search attributes allow more specific type searches. Allowable attributes are:
condition:expression - a grant condition's expression
credential:created90 - represents if this credential was created within the previous 90 days (fresh) or prior (stale)
credential:last40 & credential:last90 - represents if this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused
credential:type - the type of the authentication credential; may be one of:
  federated - a credential from an external IAM system
  key - a static secret credential
  short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like
grant:principal - the principal bound directly to an IAM grant
grant:principalType - the principal type of the principal bound directly to an IAM grant (see principal:type below for possible values)
grant:resource - the identifier of the resource bound directly to an IAM grant
lateral:flow - the direction of lateral movement:
  accessor - indicates a grant that allows lateral movement (all such grants can be identified using lateral:flow:accessor)
  accessee - indicates a principal that can be impersonated using lateral movement (all such principals can be identified using lateral:flow:accessee)
lateral:type - the mechanism via which lateral escalation can be achieved:
  grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)
  resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)
  Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral movement
principal:accessAdd - who can add users to this group (only available for Workspace groups):
  admin - only group administrators can add users
  group - anyone in the group can add users
  owner - only the group owners can add users
  If not present, no one can directly add users
principal:accessApprove - who can approve group join requests (only available for Workspace groups):
  admin - only group administrators can approve requests
  group - anyone in the group can approve requests
  owner - only the group owners can approve requests
  If not present, no one can approve requests
principal:accessJoin - who can join this group without approval (only available for Workspace groups):
  public - anyone on the Internet can join
  domain - anyone in the Workspace domain can join
  invited - users can join if they've received an invite
  If not present, users can only be directly added to the group
principal:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):
  public - anyone on the Internet can view
  domain - anyone in the Workspace domain can view
  group - anyone in the group can view
  admin - only group administrators can view
principal:status - one of:
  enabled - the principal can authenticate
  disabled - the principal's authentication is disabled
principal:type - the type of the IAM principal; may be one of:
  group - a directory group
  public - any identity
  service-agent - a provider-managed account
  service-account - a machine identity (in AWS this is usually an AWS role)
  user - a user identity
resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)
resource:type - the resource's type (e.g. bucket)
IAM graph
Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:
Where multiple of the same type of node are connected in the diagram (as for principals and resources), this means that arbitrarily many of this node type may be chained together (for instance, a user may belong to a group, which may be a member of another group, and so forth).
Where multiple type labels are used, the first label applies for Google Cloud assessments; the second for AWS assessments.
Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.