Sign up for FreeKnowledge Base

📖Search Reference

Search types

These are all the possible search types, and their meaning:

  • awsPolicy - an AWS policy

  • condition - a grant condition

  • consumer - the entity that authenticates using a credential; this is typically an IP address

  • credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO

  • entitlement - a set of privileges to use one or more resources, granted to an identity (an entitlement may be an AWS policy assignment, GCP role binding, or Azure / Kubernetes / Okta / Workspace role assignment)

  • identity - an IAM identity; search matches the name of the identity (e.g. email; group name, AWS role name, etc.)

  • lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)

  • permissionSet - an AWS permission set

  • privilege - a grantable privilege (this can be an AWS action, or Azure, Google Cloud, Okta, or Workspace permission)

  • resource - an IAM resource

  • risk - a security risk associated with holding a privilege; possible risks are listed in the IAM Privilege Catalog; you can also search for risk severity scores (e.g. CRITICAL)

  • role - an Azure, Google Cloud, Kubernetes, Okta, or Workspace role (note that this is not an AWS role; use identity:type:aws-iam-role to search AWS roles)

  • usage - represents privilege usage (in the last 90 days):

    • used - the privilege was used in the last 90 days

    • unused - the privilege has been unused for all of the previous 90 days

    • unknown - P0 lacks evidence to determine if the privilege is used or unused

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

  • condition:expression - a grant condition's expression

  • credential:created90 - represents if this credential was created within the previous 90 days (fresh) or prior (stale)

  • credential:last40 & credential:last90 - represents if this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused

  • credential:type - the type of the authentication credential; may be one of

    • federated - a credential from an external IAM system

    • key - a static secret credential

    • short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like

  • entitlement:cross - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)

  • entitlement:parent - the scope (AWS account, Azure subscription, GCP project, etc.) in which this entitlement is defined

  • entitlement:principal - the principal identity granted access by this entitlement

  • entitlement:principalType - the identity type of this entitlement's principal identity (see identity:type below for possible values)

  • entitlement:provider - the service in which this entitlement is defined; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

  • entitlement:resource - the resource(s) to which this entitlement grants access

  • entitlement:role - the role granted by this entitlement

  • identity:accessAdd - who can add users to this group (only available for Workspace groups):

    • admin - only group administrators can add users

    • group - anyone in the group can add users

    • owner - only the group owners can add users

    • If not present, no one can directly add users

  • identity:accessApprove - who can approve group join requests (only available for Workspace groups):

    • admin - only group administrators can approve requests

    • group - anyone in the group can approve requests

    • owner - only the group owners can approve requests

    • If not present, no one can approve requests

  • identity:accessJoin - who can join this group without approval (only available for Workspace groups):

    • public - anyone on the Internet can join

    • domain - anyone in the Workspace domain can join

    • invited - users can join if they've received an invite

    • If not present, users can only be directly added to the group

  • identity:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):

    • public - anyone on the Internet can view

    • domain - anyone in the Workspace domain can view

    • group - anyone in the group can view

    • admin - only group administrators can view

  • identity:external - true if the identity is managed outside the assessed environment

  • identity:parent - the scope (AWS account, Azure subscription, GCP project, etc.) that manages this identity

  • identity:provider - the service that manages this identity; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

  • identity:status - one of:

    • enabled - the principal can authenticate

    • disabled - the principal's authentication is disabled

  • identity:type - the type of the IAM principal; may be one of

    • aws-iam-role - an AWS IAM role

    • aws-permission-set-role - an AWS IAM role automatically generated by AWS when assigning an AWS permission set to an account

    • federated - an identity used to provide access to identities from another provider (e.g. an AWS IAM role with Principal.Federated in its trust relationship); the identity's parents will be the federated identities

    • group - a directory group

    • public - any identity

    • service-agent - a provider-managed account

    • service-account - a machine identity (in AWS this is usually an AWS role)

    • user - a user identity

  • lateral:type - the mechanism via which lateral escalation can be achieved:

    • grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)

    • resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)

    • Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral-movement

  • privilegeSet:provider - the service that manages this role or AWS policy; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace

  • resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)

  • resource:type - the resource's type (e.g. bucket)

  • risk:score - the access risk score from the IAM Privilege Catalog; one of CRITICAL, HIGH, MEDIUM, BOOST, EVASION, or LOW

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.

PreviousQuery SearchNextPosture Overview

Last updated