Search Reference

Search types

These are all the possible search types, and their meaning:

awsPolicy - an AWS policy
condition - a grant condition
consumer - the entity that authenticates using a credential; this is typically an IP address
credential - a single authentication credential; search matches the name of the credential (e.g. ID of an API key); will be "federated" if the principal authenticates using SSO
entitlement - a set of privileges to use one or more resources, granted to an identity (an entitlement may be an AWS policy assignment, GCP role binding, or Azure / Kubernetes / Okta / Workspace role assignment)
identity - an IAM identity; search matches the name of the identity (e.g. email; group name, AWS role name, etc.)
lateral - represents potential machine-identity impersonation; each path is represented by two graph nodes, one attached to the grant that allows impersonation, the other attached to the principal that can be impersonated (see lateral:flow below)
permission set - an AWS permission set
privilege - a grantable privilege (this can be an AWS action, or Azure, Google Cloud, Okta, or Workspace permission)
resource - an IAM resource
risk - a security risk associated with holding a privilege; possible risks are listed in the ; you can also search for risk severity scores (e.g. CRITICAL)
role - an Azure, Google Cloud, Kubernetes, Okta, or Workspace role (note that this is not an AWS role; use identity:type:aws-iam-role to search AWS roles)
usage - represents privilege usage (in the last 90 days):
- used - the privilege was used in the last 90 days
- unused - the privilege has been unused for all of the previous 90 days
- unknown - P0 lacks evidence to determine if the privilege is used or unused

Search attributes

Search attributes allow more specific type searches. Allowable attributes are:

condition:expression - a grant condition's expression
credential:created90 - represents if this credential was created within the previous 90 days (fresh) or prior (stale)
credential:last40 & credential:last90 - represents if this authentication method has been used in the previous 40 or 90 days (respectively); values are used or unused
credential:type - the type of the authentication credential; may be one of
- federated - a credential from an external IAM system
- key - a static secret credential
- short-lived - represents all ephemeral credentials, including JWTs, temporary keys, account impersonation, and the like
entitlement:cross - true if access is granted to an identity managed outside of the IAM resource (e.g. a GCP role assigned to an Okta user)
entitlement:parent - the scope (AWS account, Azure subscription, GCP project, etc.) in which this entitlement is defined
entitlement:principal - the principal identity granted access by this entitlement
entitlement:principalType - the identity type of this entitlement's principal identity (see identity:type below for possible values)
entitlement:provider - the service in which this entitlement is defined; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
entitlement:resource - the resource(s) to which this entitlement grants access
entitlement:role - the role granted by this entitlement
identity:accessAdd - who can add users to this group (only available for Workspace groups):
- admin - only group administrators can add users
- group - anyone in the group can add users
- owner - only the group owners can add users
- If not present, no one can directly add users
identity:accessApprove - who can approve group join requests (only available for Workspace groups):
- admin - only group administrators can approve requests
- group - anyone in the group can approve requests
- owner - only the group owners can approve requests
- If not present, no one can approve requests
identity:accessJoin - who can join this group without approval (only available for Workspace groups):
- public - anyone on the Internet can join
- domain - anyone in the Workspace domain can join
- invited - users can join if they've received an invite
- If not present, users can only be directly added to the group
identity:accessView - who can view this group's content (only available for Workspace groups; content is the group's messages):
- public - anyone on the Internet can view
- domain - anyone in the Workspace domain can view
- group - anyone in the group can view
- admin - only group administrators can view
identity:external - true if the identity is managed outside the assessed environment
identity:parent - the scope (AWS account, Azure subscription, GCP project, etc.) that manages this identity
identity:provider - the service that manages this identity; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
identity:status - one of:
- enabled - the principal can authenticate
- disabled - the principal's authentication is disabled
identity:type - the type of the IAM principal; may be one of
- aws-iam-role - an AWS IAM role
- aws-permission-set-role - an AWS IAM role automatically generated by AWS when assigning an AWS permission set to an account
- federated - an identity used to provide access to identities from another provider (e.g. an AWS IAM role with Principal.Federated in its trust relationship); the identity's parents will be the federated identities
- group - a directory group
- public - any identity
- service-agent - a provider-managed account
- service-account - a machine identity (in AWS this is usually an AWS role)
- user - a user identity
lateral:type - the mechanism via which lateral escalation can be achieved:
- grant - lateral movement via a granted privilege (e.g. GCP iam.serviceAccounts.actAs or AWS sts:assumeRole)
- resource - lateral movement via usage of a service-linked resource (e.g. lateral movement to a compute service identity via shell access)
- Note: federated access is represented as a direct principal-to-principal relationship, and is not modeled via lateral-movement
privilegeSet:provider - the service that manages this role or AWS policy; possible values are aws, azure, azure-ad, gcp, k8s, okta, or workspace
resource:service - the resource's parent cloud service; use the API path of the service (e.g. sso instead of Identity Center)
resource:type - the resource's type (e.g. bucket)

IAM graph

Your IAM data are connected in a directed graph, as shown, with each node label indicating the datum's respective type:

Via queries should only be used for types matching along a directed path in this graph. E.g., principal:->used:->risk: will produce matches, but resource:->risk: will not.

PreviousQuery Search NextPosture Overview

Last updated 1 month ago