This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IAM PassRole RQL with Conditionals

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IAM PassRole RQL with Conditionals

miketobias
L0 Member

‎06-14-2021 09:51 AM

Hello!  I'm attempting to write some RQL to detect policies with the following permissions and struggling a bit.

 

Action: "iam:PassRole"

Effect: "Allow"

Resource: "*"

 

Now, in general this isn't too bad to figure out.  The RQL below accomplishes this nicely, BUT doesn't have any concept of if a Condition statement is present.  I care a bit less about a PassRole permission for an IAM policy that is scoped to the IAM service.

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow')].Resource equals "*"

 This is where I'm struggling, to get the above search to consider if a Condition statement exists and ignore the finding if a Condition exists.  I've tried a number of things, all which seem to pass the initial Investigate validator but break when actually run.
To be more clear I don't want the following policy to trigger this

"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
  "StringEquals": {
    "iam:PassedToService": "transfer.amazonaws.com"
  }
}



config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Resource=='*' && @.Condition !exists)]" 
config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Condition !exists)].Resource equals *"

I think I'm just missing how to consider a potential Condition in the RQL, any thoughts?

0 Likes Likes
2 REPLIES 2

SBatchu
L0 Member

‎07-18-2022 06:03 AM - last edited on ‎07-25-2022 09:16 AM by

Hi Miketobias,

 

Use the below query. 

 

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = (policy.Statement[?any(Effect contains "Allow" and Resource equals * and Action equals iam:PassRole and (Condition does not exist))] exists )

 

Hope it helps!!!

SBatchu
L0 Member

‎07-19-2022 02:52 AM

Hi,

 

You can also use this.

 

config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Resource == '*' )] exists and document.Statement[*].Condition does not exist

 

Thank You

  • 2668 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks