Search Reference

Search types

These are all the possible search types, and their meaning:

• awsPolicy - an AWS policy

• condition - a grant condition

• consumer - the entity that authenticates using a credential; this is typically an IP address

• credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO

• entitlement - a set of privileges to use one or more resources, granted to an identity (an entitlement may be an AWS policy assignment, GCP role binding, or Azure / Kubernetes / Okta / Workspace role assignment)

• identity - an IAM identity; search matches the name of the identity (e.g. email; group name, AWS role name, etc.)

• lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)

• permission set - an AWS permission set

• privilege - a grantable privilege (this can be an AWS action, or Azure, Google Cloud, Okta, or Workspace permission)

• resource - an IAM resource

• risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)

• role - an Azure, Google Cloud, Kubernetes, Okta, or Workspace role (note that this is not an AWS role; use identity:type:aws-iam-role to search AWS roles)

• usage - represents privilege usage (in the last 90 days):

  • used - the privilege was used in the last 90 days

  • unused - the privilege has been unused for all of the previous 90 days

  • unknown - P0 lacks evidence to determine if the privilege is used or unused

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

• condition:expression - a grant condition's expression

• credential:created90 - represents if this credential was created within the previous 90 days (fresh) or prior (stale)

• credential:last40 & credential:last90 - represents if this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused

• credential:type - the type of the authentication credential; may be one of

  • federated - a credential from an external IAM system

  • key - a static secret credential

  • short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like

• entitlement:cross - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)

• entitlement:parent - the scope (AWS account, Azure subscription, GCP project, etc.) in which this entitlement is defined

• entitlement:principal - the principal identity granted access by this entitlement

• entitlement:principalType - the identity type of this entitlement's principal identity (see identity:type below for possible values)

• entitlement:provider - the service in which this entitlement is defined; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

• entitlement:resource - the resource(s) to which this entitlement grants access

• entitlement:role - the role granted by this entitlement

• identity:accessAdd - who can add users to this group (only available for Workspace groups):

  • admin - only group administrators can add users

  • group - anyone in the group can add users

  • owner - only the group owners can add users

  • If not present, no one can directly add users

• identity:accessApprove - who can approve group join requests (only available for Workspace groups):

  • admin - only group administrators can approve requests

  • group - anyone in the group can approve requests

  • owner - only the group owners can approve requests

  • If not present, no one can approve requests

• identity:accessJoin - who can join this group without approval (only available for Workspace groups):

  • public - anyone on the Internet can join

  • domain - anyone in the Workspace domain can join

  • invited - users can join if they've received an invite

  • If not present, users can only be directly added to the group

• identity:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):

  • public - anyone on the Internet can view

  • domain - anyone in the Workspace domain can view

  • group - anyone in the group can view

  • admin - only group administrators can view

• identity:external - true if the identity is managed outside the assessed environment

• identity:parent - the scope (AWS account, Azure subscription, GCP project, etc.) that manages this identity

• identity:provider - the service that manages this identity; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

• identity:status - one of:

  • enabled - the principal can authenticate

  • disabled - the principal's authentication is disabled

• identity:type - the type of the IAM principal; may be one of

  • aws-iam-role - an AWS IAM role

  • aws-permission-set-role - an AWS IAM role automatically generated by AWS when assigning an AWS permission set to an account

  • federated - an identity used to provide access to identities from another provider (e.g. an AWS IAM role with Principal.Federated in its trust relationship); the identity's parents will be the federated identities

  • group - a directory group

  • public - any identity

  • service-agent - a provider-managed account

  • service-account - a machine identity (in AWS this is usually an AWS role)

  • user - a user identity

• lateral:type - the mechanism via which lateral escalation can be achieved:

  • grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)

  • resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)

  • Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral-movement

• privilegeSet:provider - the service that manages this role or AWS policy; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

• resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)

• resource:type - the resource's type (e.g. bucket)

• risk:score - the access risk score from the IAM Privilege Catalog; one of CRITICAL, HIGH, MEDIUM, BOOST, EVASION, or LOW

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type: