Sign up for FreeSandbox

πŸ“–Search Reference

Search types

These are all the possible search types, and their meaning:

  • action - an AWS action

  • condition - a grant condition

  • credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO

  • effect - an AWS policy-statement effect

  • grant - an IAM grant

  • lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)

  • mfa - a principal's multi-factor status; only available for human identities:

    • enabled - MFA is in use

    • disabled - MFA is not in use

    • unknown - MFA status is unknown to P0

  • policy - an AWS policy

  • permission - a Google Cloud permission

  • principal - an IAM principal; search matches the name of the principal (e.g. email; group name, AWS role name, etc.)

  • resource - an IAM resource

  • risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)

  • role - a Google Cloud role (note that this is not an AWS role; use the principal type to search AWS roles)

  • usage - represents privilege usage (in the last 90 days):

    • used - the privilege was used in the last 90 days

    • unused - the privilege has been unused for all of the previous 90 days

    • unknown - P0 lacks evidence to determine if the privilege is used or unused

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

  • condition:expression - a grant condition's expression

  • credential:created90 - represents if this credential was created within the previous 90 days (fresh) or prior (stale)

  • credential:last40 & credential:last90 - represents if this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused

  • credential:type - the type of the authentication credential; may be one of

    • federated - a credential from an external IAM system

    • key - a static secret credential

    • short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like

  • grant:principal - the principal bound directly to an IAM grant

  • grant:principalType - the principal type of the principal bound directly to an IAM grant (see principal:type below for possible values)

  • grant:resource - the identifier of the resource bound directly to an IAM grant

  • lateral:flow - the direction of lateral movement:

    • accessor - indicates a grant that allows lateral movement (all such grants can be identified using lateral:flow:accessor)

    • accessee - indicates a principal that can be impersonated using lateral movement (all such principals can be identified using lateral:flow:accessee)

  • lateral:type - the mechanism via which lateral escalation can be acheived:

    • grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)

    • resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)

    • Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral-movement

  • principal:status - one of:

    • enabled - the principal can authenticate

    • disabled - the principal's authentication is disabled

  • principal:type - the type of the IAM principal; may be one of

    • group - a directory group

    • public - any identity

    • service-agent - a provider-managed account

    • service-account - a machine identity (in AWS this is usually an AWS role)

    • user - a user identity

  • resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)

  • resource:type - the resource's type (e.g. bucket)

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

Where multiple of the same type of node are connected in the diagram (as for principals and resources), this means that arbitrarily many of this node type may be chained together (for instance, a user may belong to a group, which may be a member of another group, and so forth).

Where multiple type labels are used, the first label applies for Google Cloud assessments; the second for AWS assessments.

Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.

PreviousQuery SearchNextSlack

Last updated