Search Reference
Last updated
These are all the possible search types, and their meaning:
action - an AWS action
condition - a grant condition
credential - a single authentication credential; search matches the name of the credential (e.g. the ID of an API key); the name will be "federated" if the principal authenticates using SSO
effect - an AWS policy-statement effect
grant - an IAM grant (an AWS policy assignment, GCP role binding, or Azure / Kubernetes / Okta / Workspace role assignment)
identity - an IAM identity; search matches the name of the identity (e.g. email, group name, AWS role name, etc.)
lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)
mfa - a principal's multi-factor status; only available for human identities:
  enabled - MFA is in use
  disabled - MFA is not in use
  unknown - MFA status is unknown to P0
policy - an AWS policy
permission - a Google Cloud permission
resource - an IAM resource
risk - a security risk associated with holding a privilege; possible risks are listed in the ; you can also search for risk severity scores (e.g. CRITICAL)
role - a Google Cloud role (note that this is not an AWS role; use the principal type to search AWS roles)
usage - represents privilege usage (in the last 90 days):
  used - the privilege was used in the last 90 days
  unused - the privilege has been unused for all of the previous 90 days
  unknown - P0 lacks evidence to determine if the privilege is used or unused
Search attributes allow more specific type searches. Allowable attributes are:
condition:expression - a grant condition's expression
credential:created90 - whether this credential was created within the previous 90 days (fresh) or earlier (stale)
credential:last40 & credential:last90 - whether this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused
credential:type - the type of the authentication credential; may be one of:
  federated - a credential from an external IAM system
  key - a static secret credential
  short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like
grant:cross - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)
grant:principal - the principal bound directly to an IAM grant
grant:principalType - the identity type of the principal bound directly to an IAM grant (see principal:type below for possible values)
grant:resource - the identifier of the resource bound directly to an IAM grant
identity:accessAdd - who can add users to this group (only available for Workspace groups):
  admin - only group administrators can add users
  group - anyone in the group can add users
  owner - only the group owners can add users
  If not present, no one can directly add users
identity:accessApprove - who can approve group join requests (only available for Workspace groups):
  admin - only group administrators can approve requests
  group - anyone in the group can approve requests
  owner - only the group owners can approve requests
  If not present, no one can approve requests
identity:accessJoin - who can join this group without approval (only available for Workspace groups):
  public - anyone on the Internet can join
  domain - anyone in the Workspace domain can join
  invited - users can join if they've received an invite
  If not present, users can only be directly added to the group
identity:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):
  public - anyone on the Internet can view
  domain - anyone in the Workspace domain can view
  group - anyone in the group can view
  admin - only group administrators can view
identity:external - true if the identity is managed outside the assessed environment
identity:status - one of:
  enabled - the principal can authenticate
  disabled - the principal's authentication is disabled
identity:type - the type of the IAM principal; may be one of:
  group - a directory group
  public - any identity
  service-agent - a provider-managed account
  service-account - a machine identity (in AWS this is usually an AWS role)
  user - a user identity
lateral:type - the mechanism via which lateral escalation can be achieved:
  grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)
  resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)
  Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral movement
resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)
resource:type - the resource's type (e.g. bucket)
Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:
Where multiple of the same type of node are connected in the diagram (as for principals and resources), this means that arbitrarily many of this node type may be chained together (for instance, a user may belong to a group, which may be a member of another group, and so forth).
Where multiple type labels are used, the first label applies for Google Cloud assessments; the second for AWS assessments.
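The chaining described above (a user in a group, which is in another group, which holds a grant on a resource) is what makes "who can reach this resource" a graph question rather than a table lookup. The following added Python example (not P0's code; node names, type labels and the edge layout are constructed for illustration) builds such a directed graph, resolves each identity's effective grants through any depth of group nesting, and reports the grant:principal (the node bound directly to the grant) separately from the identity that inherits it.

```python
"""Added example: a small directed IAM graph in the shape the reference
describes (identity -> group -> ... -> grant -> resource) with group
membership chained to arbitrary depth.  All names are constructed.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set

IDENTITY_KINDS = {"user", "group"}   # both are identities; groups can nest


class IamGraph:
    def __init__(self) -> None:
        self.succ: Dict[str, Set[str]] = defaultdict(set)   # node -> successors
        self.kind: Dict[str, str] = {}                       # node -> type label

    def add_node(self, node: str, kind: str) -> None:
        self.kind[node] = kind

    def add_edge(self, src: str, dst: str) -> None:
        # membership (user->group, group->group), binding (principal->grant),
        # or target (grant->resource); all point "toward" the resource.
        self.succ[src].add(dst)

    def paths_from(self, start: str) -> Dict[str, List[str]]:
        """BFS; maps every reachable node to one shortest path from start."""
        paths = {start: [start]}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(self.succ[node]):
                if nxt not in paths:          # also stops on membership cycles
                    paths[nxt] = paths[node] + [nxt]
                    queue.append(nxt)
        return paths

    def effective_grants(self, identity: str) -> List[dict]:
        """Every grant an identity holds directly or via any chain of groups."""
        result = []
        for node, path in self.paths_from(identity).items():
            if self.kind.get(node) != "grant":
                continue
            result.append({
                "grant": node,
                # the node just before the grant is the principal bound to it
                "grant:principal": path[-2],
                "resources": sorted(r for r in self.succ[node]
                                    if self.kind.get(r) == "resource"),
                # intermediate groups; empty means the identity holds it directly
                "via": path[1:-1],
            })
        return sorted(result, key=lambda r: r["grant"])

    def identities_reaching(self, resource: str) -> List[str]:
        """Users and groups with any path to the resource."""
        return sorted(n for n, k in self.kind.items()
                      if k in IDENTITY_KINDS and resource in self.paths_from(n))


def build_sample() -> IamGraph:
    """Constructed graph: alice -> devs -> all-eng -> grant-a -> bucket,
    bob -> grant-b -> db."""
    g = IamGraph()
    for node, kind in [("alice", "user"), ("bob", "user"),
                       ("devs", "group"), ("all-eng", "group"),
                       ("grant-a", "grant"), ("grant-b", "grant"),
                       ("bucket", "resource"), ("db", "resource")]:
        g.add_node(node, kind)
    g.add_edge("alice", "devs")
    g.add_edge("devs", "all-eng")
    g.add_edge("all-eng", "grant-a")
    g.add_edge("grant-a", "bucket")
    g.add_edge("bob", "grant-b")
    g.add_edge("grant-b", "db")
    return g


if __name__ == "__main__":
    g = build_sample()
    for ident in ("alice", "bob"):
        print(ident, g.effective_grants(ident))
    print("bucket reachable by:", g.identities_reaching("bucket"))
```

Note the distinction the output makes: for alice, grant:principal is all-eng (the group bound to the grant), while the "via" chain records that alice only holds it through devs and all-eng. That is the difference between searching grant:principal and searching for the identity itself.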