https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/509181#M530 <P>Hi&nbsp;Miketobias,</P> <P>&nbsp;</P> <P>Use the below query.&nbsp;</P> <P>&nbsp;</P> <P>config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = (policy.Statement[?any(Effect contains "Allow" and Resource equals * and Action equals iam:PassRole and (Condition does not exist))] exists )</P> <P>&nbsp;</P> <P>Hope it helps!!!</P> Mon, 25 Jul 2022 16:16:28 GMT SBatchu 2022-07-25T16:16:28Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/413014#M384 <P>Hello!&nbsp; I'm attempting to write some RQL to detect policies with the following permissions and struggling a bit.</P><P>&nbsp;</P><P>Action: "iam:PassRole"</P><P>Effect: "Allow"</P><P>Resource: "*"</P><P>&nbsp;</P><P>Now, in general this isn't too bad to figure out.&nbsp; The RQL below accomplishes this nicely, BUT doesn't have any concept of if a Condition statement is present.&nbsp; I care a bit less about a PassRole permission for an IAM policy that is scoped to the IAM service.</P><LI-CODE lang="python">config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' &amp;&amp; @.Effect=='Allow')].Resource equals "*"</LI-CODE><P>&nbsp;This is where I'm struggling, to get the above search to consider if a Condition statement exists and ignore the finding if a Condition exists.&nbsp; I've tried a number of things, all which seem to pass the initial Investigate validator but break when actually run.<BR />To be more clear I don't want the following policy to trigger this</P><LI-CODE lang="markup">"Action": "iam:PassRole", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "transfer.amazonaws.com" } }</LI-CODE><P><BR /><BR /></P><LI-CODE lang="markup">config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' &amp;&amp; @.Effect=='Allow' &amp;&amp; @.Resource=='*' &amp;&amp; @.Condition !exists)]" </LI-CODE><LI-CODE lang="markup">config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' &amp;&amp; @.Effect=='Allow' &amp;&amp; @.Condition !exists)].Resource equals *" </LI-CODE><P>I think I'm just missing how to consider a potential Condition in the RQL, any thoughts?</P> Mon, 14 Jun 2021 16:51:44 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/413014#M384 miketobias 2021-06-14T16:51:44Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/509181#M530 <P>Hi&nbsp;Miketobias,</P> <P>&nbsp;</P> <P>Use the below query.&nbsp;</P> <P>&nbsp;</P> <P>config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = (policy.Statement[?any(Effect contains "Allow" and Resource equals * and Action equals iam:PassRole and (Condition does not exist))] exists )</P> <P>&nbsp;</P> <P>Hope it helps!!!</P> Mon, 25 Jul 2022 16:16:28 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/509181#M530 SBatchu 2022-07-25T16:16:28Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/509266#M532 <P>Hi,</P> <P>&nbsp;</P> <P>You can also use this.</P> <P>&nbsp;</P> <P>config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' &amp;&amp; @.Effect=='Allow' &amp;&amp; @.Resource == '*' )] exists and document.Statement[*].Condition does not exist</P> <P>&nbsp;</P> <P>Thank You</P> Tue, 19 Jul 2022 09:52:15 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/iam-passrole-rql-with-conditionals/m-p/509266#M532 SBatchu 2022-07-19T09:52:15Z