IAM PassRole RQL with Conditionals

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IAM PassRole RQL with Conditionals

L0 Member

Hello!  I'm attempting to write some RQL to detect policies with the following permissions and struggling a bit.

 

Action: "iam:PassRole"

Effect: "Allow"

Resource: "*"

 

Now, in general this isn't too bad to figure out.  The RQL below accomplishes this nicely, BUT doesn't have any concept of if a Condition statement is present.  I care a bit less about a PassRole permission for an IAM policy that is scoped to the IAM service.

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow')].Resource equals "*"

 This is where I'm struggling, to get the above search to consider if a Condition statement exists and ignore the finding if a Condition exists.  I've tried a number of things, all which seem to pass the initial Investigate validator but break when actually run.
To be more clear I don't want the following policy to trigger this

"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
  "StringEquals": {
    "iam:PassedToService": "transfer.amazonaws.com"
  }
}



config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Resource=='*' && @.Condition !exists)]" 
config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Condition !exists)].Resource equals *" 

I think I'm just missing how to consider a potential Condition in the RQL, any thoughts?

2 REPLIES 2

L0 Member

Hi Miketobias,

 

Use the below query. 

 

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = (policy.Statement[?any(Effect contains "Allow" and Resource equals * and Action equals iam:PassRole and (Condition does not exist))] exists )

 

Hope it helps!!!

L0 Member

Hi,

 

You can also use this.

 

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Resource == '*' )] exists and document.Statement[*].Condition does not exist

 

Thank You

  • 2679 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!