Search Reference
Last updated
These are all the possible search types, and their meaning:

awsPolicy - an AWS policy
condition - a grant condition
consumer - the entity that authenticates using a credential; this is typically an IP address
credential - a single authentication credential; search matches the name of the credential (e.g. the ID of an API key); the name will be "federated" if the principal authenticates using SSO
entitlement - a set of privileges to use one or more resources, granted to an identity (an entitlement may be an AWS policy assignment, a GCP role binding, or an Azure / Kubernetes / Okta / Workspace role assignment)
identity - an IAM identity; search matches the name of the identity (e.g. email address, group name, AWS role name, etc.)
lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)
permission set - an AWS permission set
privilege - a grantable privilege (this can be an AWS action, or an Azure, Google Cloud, Okta, or Workspace permission)
resource - an IAM resource
risk - a security risk associated with holding a privilege; possible risks are listed in the ; you can also search for risk severity scores (e.g. CRITICAL)
role - an Azure, Google Cloud, Kubernetes, Okta, or Workspace role (note that this is not an AWS role; use identity:type:aws-iam-role to search AWS roles)
usage - represents privilege usage (in the last 90 days):
  used - the privilege was used in the last 90 days
  unused - the privilege has been unused for all of the previous 90 days
  unknown - P0 lacks evidence to determine whether the privilege is used or unused
Search attributes allow more specific type searches. Allowable attributes are:

condition:expression - a grant condition's expression
credential:created90 - whether this credential was created within the previous 90 days (fresh) or prior (stale)
credential:last40 & credential:last90 - whether this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused
credential:type - the type of the authentication credential; may be one of:
  federated - a credential from an external IAM system
  key - a static secret credential
  short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like
entitlement:cross - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)
entitlement:parent - the scope (AWS account, Azure subscription, GCP project, etc.) in which this entitlement is defined
entitlement:principal - the principal identity granted access by this entitlement
entitlement:principalType - the identity type of this entitlement's principal identity (see identity:type below for possible values)
entitlement:provider - the service in which this entitlement is defined; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
entitlement:resource - the resource(s) to which this entitlement grants access
entitlement:role - the role granted by this entitlement
identity:accessAdd - who can add users to this group (only available for Workspace groups):
  admin - only group administrators can add users
  group - anyone in the group can add users
  owner - only the group owners can add users
  If not present, no one can directly add users
identity:accessApprove - who can approve group join requests (only available for Workspace groups):
  admin - only group administrators can approve requests
  group - anyone in the group can approve requests
  owner - only the group owners can approve requests
  If not present, no one can approve requests
identity:accessJoin - who can join this group without approval (only available for Workspace groups):
  public - anyone on the Internet can join
  domain - anyone in the Workspace domain can join
  invited - users can join if they've received an invite
  If not present, users can only be directly added to the group
identity:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):
  public - anyone on the Internet can view
  domain - anyone in the Workspace domain can view
  group - anyone in the group can view
  admin - only group administrators can view
identity:external - true if the identity is managed outside the assessed environment
identity:parent - the scope (AWS account, Azure subscription, GCP project, etc.) that manages this identity
identity:provider - the service that manages this identity; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
identity:status - one of:
  enabled - the principal can authenticate
  disabled - the principal's authentication is disabled
identity:type - the type of the IAM principal; may be one of:
  aws-iam-role - an AWS IAM role
  aws-permission-set-role - an AWS IAM role automatically generated by AWS when assigning an AWS permission set to an account
  federated - an identity used to provide access to identities from another provider (e.g. an AWS IAM role with Principal.Federated in its trust relationship); the identity's parents will be the federated identities
  group - a directory group
  public - any identity
  service-agent - a provider-managed account
  service-account - a machine identity (in AWS this is usually an AWS role)
  user - a user identity
lateral:type - the mechanism via which lateral escalation can be achieved:
  grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)
  resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)
  Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral movement
privilegeSet:provider - the service that manages this role or AWS policy; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)
resource:type - the resource's type (e.g. bucket)
risk:score - the access risk score from the ; one of CRITICAL, HIGH, MEDIUM, BOOST, EVASION, or LOW

Your IAM data are connected in a directed graph (shown in the original figure), with each node label indicating the datum's respective type.
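To make the attribute vocabulary above concrete, here is an added illustration (not P0's code) of a small evaluator for search terms in the type:attribute:value shape over a constructed inventory. It assumes that a bare type matches every record of that type, that type:attribute (no value) matches records where the attribute is present, and that space-separated terms are ANDed; the page does not state how terms combine, so that is an assumption.

```python
# Added illustration, not P0's implementation. Assumptions: a bare type ("credential")
# matches all records of that type; "type:attribute" matches records that carry the
# attribute; "type:attribute:value" matches on equality; space-separated terms are ANDed.
from dataclasses import dataclass, field


@dataclass
class Record:
    kind: str                                   # search type, e.g. "credential"
    name: str                                   # what a bare type search matches
    attrs: dict = field(default_factory=dict)   # attribute -> value


# Constructed sample inventory (names and values are made up for the example)
INVENTORY = [
    Record("credential", "AKIA-EXAMPLE-1", {"type": "key", "created90": "stale", "last90": "unused"}),
    Record("credential", "AKIA-EXAMPLE-2", {"type": "key", "created90": "fresh", "last90": "used"}),
    Record("credential", "federated", {"type": "federated", "created90": "stale", "last90": "used"}),
    Record("entitlement", "okta-user->gcp-role", {"provider": "gcp", "cross": "true", "principalType": "user"}),
    Record("entitlement", "gcp-sa->gcp-role", {"provider": "gcp", "cross": "false", "principalType": "service-account"}),
    Record("identity", "deploy-role", {"provider": "aws", "type": "aws-iam-role", "status": "enabled"}),
    Record("lateral", "deploy-role->build-sa", {"type": "grant"}),
]


def parse_term(term):
    """Split 'type[:attribute[:value]]' into (type, attribute, value); missing parts are None."""
    parts = term.split(":", 2)
    if not parts[0]:
        raise ValueError(f"malformed term: {term!r}")
    return tuple(parts + [None] * (3 - len(parts)))


def matches(record, term):
    kind, attr, value = parse_term(term)
    if record.kind != kind:
        return False
    if attr is None:                 # bare type: any record of that type
        return True
    if value is None:                # type:attribute: attribute must be present
        return attr in record.attrs
    return record.attrs.get(attr) == value


def search(query, inventory=INVENTORY):
    """Return names of records matching every term in the query (AND semantics, assumed)."""
    terms = query.split()
    return [r.name for r in inventory if all(matches(r, t) for t in terms)]
```

A query such as "credential:type:key credential:created90:stale credential:last90:unused" is the kind of stale-static-secret check a reviewer would run first; the combined filter narrows the sample inventory to AKIA-EXAMPLE-1.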