https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342407#M285 <P>In most RQLs of policies that use the "get-account-password-policy" API, "isDefaultPolicy is true" is checked, but there is no "isDefaultPolicy" in AWSCLI Docs.</P><P>&nbsp;</P><P>Why is isDefaultPolicy checked?</P><P>&nbsp;</P><P><STRONG>Sample Default Policy List</STRONG></P><P><U>1) AWS IAM password policy allows password reuse</U></P><P><SPAN>config where cloud.type = 'aws' and api.name='aws-iam-get-account-password-policy' AND json.rule='<U><STRONG>isDefaultPolicy is true</STRONG></U> or passwordReusePrevention equals null or passwordReusePrevention !isType Integer or passwordReusePrevention &lt; 1'</SPAN></P><P>&nbsp;</P><P><U>2)&nbsp;AWS IAM password policy does not expire in 90 days</U></P><P><SPAN>config where api.name='aws-iam-get-account-password-policy' AND json.rule='<U><STRONG>isDefaultPolicy is true</STRONG> </U>or maxPasswordAge !isType Integer or $.maxPasswordAge &gt; 90 or maxPasswordAge equals 0'</SPAN></P><P>&nbsp;</P><P>AWSCLI Docs</P><P><A href="https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html" target="_blank" rel="noopener">https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html</A></P> Wed, 02 Sep 2020 17:46:42 GMT KRyu 2020-09-02T17:46:42Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342407#M285 <P>In most RQLs of policies that use the "get-account-password-policy" API, "isDefaultPolicy is true" is checked, but there is no "isDefaultPolicy" in AWSCLI Docs.</P><P>&nbsp;</P><P>Why is isDefaultPolicy checked?</P><P>&nbsp;</P><P><STRONG>Sample Default Policy List</STRONG></P><P><U>1) AWS IAM password policy allows password reuse</U></P><P><SPAN>config where cloud.type = 'aws' and api.name='aws-iam-get-account-password-policy' AND json.rule='<U><STRONG>isDefaultPolicy is true</STRONG></U> or passwordReusePrevention equals null or passwordReusePrevention !isType Integer or passwordReusePrevention &lt; 1'</SPAN></P><P>&nbsp;</P><P><U>2)&nbsp;AWS IAM password policy does not expire in 90 days</U></P><P><SPAN>config where api.name='aws-iam-get-account-password-policy' AND json.rule='<U><STRONG>isDefaultPolicy is true</STRONG> </U>or maxPasswordAge !isType Integer or $.maxPasswordAge &gt; 90 or maxPasswordAge equals 0'</SPAN></P><P>&nbsp;</P><P>AWSCLI Docs</P><P><A href="https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html" target="_blank" rel="noopener">https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html</A></P> Wed, 02 Sep 2020 17:46:42 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342407#M285 KRyu 2020-09-02T17:46:42Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342585#M286 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/127039">@KRyu</a>&nbsp;</P><P>&nbsp;</P><P>When querying the API in AWS, if no policy has been defined, no resource is returned, thus we must account for when no policy is defined. The Prisma Cloud platform is a resource centric utility, so we can't check for proper configuration when the resource doesn't even exist. So we create a default value for any account that doesn't have a defined password policy, isDefaultValue is our placeholder/identifier for that circumstance.</P> Thu, 06 Aug 2020 22:00:35 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342585#M286 FranciscoBreijo 2020-08-06T22:00:35Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342618#M288 <P>Thanks for your detailed answer.</P><P>&nbsp;</P><P>If so, is there a separate API that can use "isDefaultPolicy" as a JSON condition?</P><P>I searched Prisma Cloud Docs, but couldn't find an explanation.</P> Fri, 07 Aug 2020 00:38:13 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/342618#M288 KRyu 2020-08-07T00:38:13Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/511755#M619 <P>Greetings KRyu,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Fri, 12 Aug 2022 17:39:58 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/what-is-the-reason-for-the-rql-filter-of-get-account-password/m-p/511755#M619 AKing9 2022-08-12T17:39:58Z