📖 Search Reference

Search types

These are all the possible search types, and their meaning:

  • action - an AWS action

  • condition - a grant condition

  • credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO

  • effect - an AWS policy-statement effect

  • grant - an IAM grant

  • lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)

  • mfa - a principal's multi-factor authentication (MFA) status; only available for human identities:

    • enabled - MFA is in use

    • disabled - MFA is not in use

    • unknown - MFA status is unknown to P0

  • policy - an AWS policy

  • permission - a Google Cloud permission

  • principal - an IAM principal; search matches the name of the principal (e.g. email, group name, AWS role name, etc.)

  • resource - an IAM resource

  • risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)

  • role - a Google Cloud role (note that this is not an AWS role; use the principal type to search AWS roles)

  • usage - represents privilege usage (in the last 90 days):

    • used - the privilege was used in the last 90 days

    • unused - the privilege has been unused for all of the previous 90 days

    • unknown - P0 lacks evidence to determine if the privilege is used or unused

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

  • condition:expression - a grant condition's expression

  • credential:created90 - indicates whether this credential was created within the previous 90 days (fresh) or earlier (stale)

  • credential:last40 & credential:last90 - indicates whether this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused

  • credential:type - the type of the authentication credential; may be one of

    • federated - a credential from an external IAM system

    • key - a static secret credential

    • short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like

  • grant:principal - the principal bound directly to an IAM grant

  • grant:principalType - the principal type of the principal bound directly to an IAM grant (see principal:type below for possible values)

  • grant:resource - the identifier of the resource bound directly to an IAM grant

  • lateral:flow - the direction of lateral movement:

    • accessor - indicates a grant that allows lateral movement (all such grants can be identified using lateral:flow:accessor)

    • accessee - indicates a principal that can be impersonated using lateral movement (all such principals can be identified using lateral:flow:accessee)

  • lateral:type - the mechanism via which lateral escalation can be achieved:

    • grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)

    • resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)

    • Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled as lateral movement

  • principal:accessAdd - who can add users to this group (only available for Workspace groups):

    • admin - only group administrators can add users

    • group - anyone in the group can add users

    • owner - only the group owners can add users

    • If not present, no one can directly add users

  • principal:accessApprove - who can approve group join requests (only available for Workspace groups):

    • admin - only group administrators can approve requests

    • group - anyone in the group can approve requests

    • owner - only the group owners can approve requests

    • If not present, no one can approve requests

  • principal:accessJoin - who can join this group without approval (only available for Workspace groups):

    • public - anyone on the Internet can join

    • domain - anyone in the Workspace domain can join

    • invited - users can join if they've received an invite

    • If not present, users can only be directly added to the group

  • principal:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages)

    • public - anyone on the Internet can view

    • domain - anyone in the Workspace domain can view

    • group - anyone in the group can view

    • admin - only group administrators can view

  • principal:status - one of:

    • enabled - the principal can authenticate

    • disabled - the principal's authentication is disabled

  • principal:type - the type of the IAM principal; may be one of

    • group - a directory group

    • public - any identity

    • service-agent - a provider-managed account

    • service-account - a machine identity (in AWS this is usually an AWS role)

    • user - a user identity

  • resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)

  • resource:type - the resource's type (e.g. bucket)

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

Where multiple of the same type of node are connected in the diagram (as for principals and resources), this means that arbitrarily many of this node type may be chained together (for instance, a user may belong to a group, which may be a member of another group, and so forth).

Where multiple type labels are used, the first label applies for Google Cloud assessments; the second for AWS assessments.

Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.
