📖 Search Reference

Search types

These are all the possible search types, and their meaning:

  • action - an AWS action

  • authentication - a summary of a principal's authentication events; see available attributes in the Search attributes section below

  • condition - a grant condition

  • credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO

  • effect - an AWS policy-statement effect

  • grant - an IAM grant; note that the name is not predictable for Google Cloud grants

  • mfa - a principal's multi-factor status; only available for human identities:

    • enabled - MFA is in use

    • disabled - MFA is not in use

    • unknown - MFA status is unknown to P0

  • policy - an AWS policy

  • permission - a Google Cloud permission

  • principal - an IAM principal; search matches the name of the principal (e.g. email address, group name, AWS role name)

  • resource - an IAM resource

  • risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)

  • role - a Google Cloud role (note that this is not an AWS role; use the principal type to search AWS roles)

  • usage - represents privilege usage (in the last 90 days):

    • used - the privilege was used in the last 90 days

    • unused - the privilege has been unused for all of the previous 90 days

    • unknown - P0 lacks evidence to determine whether the privilege is used or unused

  • unused - represents an unused privilege (matches the privilege name)

  • !unused - represents a privilege that is either used, or whose usage status is unknown (matches the privilege name)

  • used - represents a used privilege (matches the privilege name)

  • !used - represents a privilege that is either unused, or whose usage status is unknown (matches the privilege name)

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

  • authentication:created90 - indicates whether this authentication method was created within the previous 90 days (fresh) or earlier (stale)

  • authentication:last40 & authentication:last90 - indicate whether this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused

  • condition:expression - a grant condition's expression

  • credential:type - the type of the authentication credential; may be one of

    • federated - a credential from an external IAM system

    • key - a static secret credential

    • short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like

  • grant:principal - the principal bound directly to an IAM grant

  • grant:principalType - the principal type of the principal bound directly to an IAM grant (see principal:type below for possible values)

  • grant:resource - the identifier of the resource bound directly to an IAM grant

  • principal:status - one of:

    • enabled - the principal can authenticate

    • disabled - the principal's authentication is disabled

  • principal:type - the type of the IAM principal; may be one of

    • group - a directory group

    • public - any identity

    • service-agent - a provider-managed account

    • service-account - a machine identity (in AWS this is usually an AWS role)

    • user - a user identity
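The usage search types above (used, unused, !used, !unused, and the unknown status that the negated forms pick up) and the authentication:created90 / last40 / last90 attributes both reduce to date-window classification. The following is an added example, not P0's code: it models those semantics over constructed sample data so the difference between "unused" (telemetry shows no use) and "unknown" (no telemetry at all) is visible, and shows why !unused returns used and unknown privileges together. The privilege names, key IDs, dates and the inclusive window boundary are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Window lengths come from the page; treating exactly 90 (or 40) days ago as still
# "within" the window is an assumption of this example.
USAGE_WINDOW_DAYS = 90
AUTH_LONG_WINDOW_DAYS = 90
AUTH_SHORT_WINDOW_DAYS = 40


@dataclass
class Privilege:
    name: str
    has_usage_telemetry: bool      # False when there is no evidence either way
    last_used: Optional[date]      # None when telemetry records no use at all


@dataclass
class AuthMethod:
    name: str                      # e.g. an access-key ID (constructed values below)
    created: date
    last_used: Optional[date]


def days_ago(when: Optional[date], today: date) -> Optional[int]:
    return None if when is None else (today - when).days


def classify_usage(priv: Privilege, today: date) -> str:
    """Map a privilege to the page's usage values: used, unused or unknown.

    'unknown' is distinct from 'unused': it means no telemetry exists, not that
    telemetry shows no activity.
    """
    if not priv.has_usage_telemetry:
        return "unknown"
    age = days_ago(priv.last_used, today)
    if age is not None and age <= USAGE_WINDOW_DAYS:
        return "used"
    return "unused"


def search_usage(privs: List[Privilege], search_type: str, today: date) -> List[str]:
    """Apply the used / unused / !used / !unused search types to a privilege list.

    Negation is the complement over all three statuses, so '!unused' returns
    privileges that are used *or* unknown, as the page describes.
    """
    negate = search_type.startswith("!")
    base = search_type.lstrip("!")
    if base not in ("used", "unused"):
        raise ValueError(f"unsupported usage search type: {search_type!r}")
    results = []
    for priv in privs:
        matches = classify_usage(priv, today) == base
        if matches != negate:          # keep matches, or non-matches when negated
            results.append(priv.name)
    return results


def auth_attributes(method: AuthMethod, today: date) -> Dict[str, str]:
    """Compute the authentication:created90 / last40 / last90 attribute values."""
    created_age = days_ago(method.created, today)
    used_age = days_ago(method.last_used, today)

    def used_within(window: int) -> str:
        return "used" if used_age is not None and used_age <= window else "unused"

    return {
        "created90": "fresh" if created_age <= AUTH_LONG_WINDOW_DAYS else "stale",
        "last40": used_within(AUTH_SHORT_WINDOW_DAYS),
        "last90": used_within(AUTH_LONG_WINDOW_DAYS),
    }


# Constructed sample data; names and dates are illustrative only.
TODAY = date(2024, 6, 30)
SAMPLE_PRIVILEGES = [
    Privilege("s3:GetObject", True, date(2024, 6, 1)),      # 29 days ago -> used
    Privilege("iam:PassRole", True, date(2024, 1, 15)),     # 167 days ago -> unused
    Privilege("kms:Decrypt", True, None),                   # never seen -> unused
    Privilege("sts:AssumeRole", False, None),               # no telemetry -> unknown
]
SAMPLE_AUTH = [
    AuthMethod("AKIA-EXAMPLE-FRESH", date(2024, 5, 1), date(2024, 5, 10)),  # fresh; idle 51 days
    AuthMethod("AKIA-EXAMPLE-STALE", date(2023, 1, 1), None),               # stale; never used
]


def sample_report() -> Dict[str, object]:
    """Run every usage search type and every authentication attribute over the sample."""
    usage = {t: search_usage(SAMPLE_PRIVILEGES, t, TODAY)
             for t in ("used", "unused", "!used", "!unused")}
    auth = {m.name: auth_attributes(m, TODAY) for m in SAMPLE_AUTH}
    return {**usage, **auth}


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The key takeaway for triage is that `!unused` is not the same as `used`: a privilege with no telemetry at all lands in `!unused` and `!used` simultaneously, so a review based only on `unused` will silently skip identities for which P0 has no evidence.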

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

Where multiple of the same type of node are connected in the diagram (as for principals and resources), this means that arbitrarily many of this node type may be chained together (for instance, a user may belong to a group, which may be a member of another group, and so forth).

Where multiple type labels are used, the first label applies for Google Cloud assessments; the second for AWS assessments.

Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.
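The rule that a via chain must follow a directed path can be checked before a query is issued. This added example (not P0's code) parses a chain such as principal:->used:->risk: into its hop types, validates each hop against the search types listed on this page, and runs a breadth-first search for a directed path between consecutive hops. Because the graph diagram is not reproduced on this page, the edge list below encodes only the edges the page's own example implies and is an assumption to be replaced with the real diagram's edges; treating each step as reachability rather than a direct edge is likewise an assumption.

```python
from collections import deque
from typing import Dict, List, Set

# Search types listed on the page; a via chain may only contain these.
SEARCH_TYPES = {
    "action", "authentication", "condition", "credential", "effect", "grant", "mfa",
    "policy", "permission", "principal", "resource", "risk", "role", "usage",
    "unused", "!unused", "used", "!used",
}

# ASSUMED edge list: the page's diagram is not reproduced here, so only the edges
# implied by its example (principal -> used -> risk; nothing from resource to risk)
# are encoded. Replace with the edges from the real IAM graph diagram.
EDGES: Dict[str, Set[str]] = {
    "principal": {"used"},
    "used": {"risk"},
    "resource": set(),
    "risk": set(),
}


def parse_via(query: str) -> List[str]:
    """Split 'principal:->used:->risk:' into ['principal', 'used', 'risk'].

    Each hop must be a known search type followed by ':'; anything else is
    reported as a syntax error instead of producing a silently empty result.
    """
    hops = []
    for raw in query.split("->"):
        hop = raw.strip()
        if not hop.endswith(":"):
            raise ValueError(f"hop {hop!r} must end with ':'")
        name = hop[:-1]
        if name not in SEARCH_TYPES:
            raise ValueError(f"unknown search type {name!r}")
        hops.append(name)
    if len(hops) < 2:
        raise ValueError("a via query needs at least two hops")
    return hops


def reachable(src: str, dst: str) -> bool:
    """Breadth-first search for a directed path src -> ... -> dst in EDGES."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in EDGES.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def validate_via(query: str) -> bool:
    """True when every consecutive pair of hops lies on a directed path.

    Tighten the check to `b in EDGES[a]` if adjacent hops must be directly
    connected rather than merely reachable.
    """
    hops = parse_via(query)
    return all(reachable(a, b) for a, b in zip(hops, hops[1:]))


if __name__ == "__main__":
    for q in ("principal:->used:->risk:", "resource:->risk:"):
        print(q, "->", "can match" if validate_via(q) else "cannot match")
```

Running the block reproduces the page's two examples: the principal-to-risk chain passes and the resource-to-risk chain fails, which is the signal to rewrite the query (or extend the edge list if the real diagram has a path the assumed one lacks).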
