RQL find excessive sts:AssumeRole

ConnorSpiess — Tue, 27 Apr 2021 18:39:07 GMT

Trying to put together a query to identify excessive assumeRole permissions. For example it would identify if the following is in a policy.

"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Resource": "*"

I've been messing around with some queries, I haven't had any luck finding one that works. The following query will pickup policies where the "sts:AssumeRole" and the "*" are in separate statement blocks.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[*].Action contains "sts:AssumeRole" and inlinePolicies[*].policyDocument.Statement[*].Resource equals "*"

Re: RQL find excessive sts:AssumeRole

ConnorSpiess — Tue, 04 May 2021 18:28:27 GMT

I figured it out. Here is the query I used.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[?any( Action contains "sts:AssumeRole" and Resource equals "*" )] exists

topic Re: RQL find excessive sts:AssumeRole in Prisma Cloud Discussions

RQL find excessive sts:AssumeRole

Re: RQL find excessive sts:AssumeRole