06-21-2019 12:58 AM - last edited on 03-11-2022 08:51 AM by RPrasadi
I am trying to create an RQL query, which will check if anyone attaches or modify roles to an AWS instance.
I am using the below Query :
event where cloud.account = 'My-AWS' AND operation = 'AddRoleToInstanceProfile'
I did some testing on one of the instances. However, I am not able to get any result.
Please help on the correct RQL
06-21-2019 07:56 AM
I was able to find results with that operation, so I don't think RQL is the issue. Are you sure the events for your AWS instance is being ingested?
02-18-2022 10:24 AM
Hi Kchn
If possible can you please share your RQL for our reference to identify the recently modified roles to an AWS instance,?
03-09-2022 06:29 AM
Hello @APaul,
Thanks for your good question. I will reuse your query 😀
You could use also 'AttachRolePolicy' or 'AttachSecurityProfile' if you want to be inform on attachment policy on "critical" role.
JB
03-09-2022 07:09 AM
Hi @JJoly
I am new to the RQL, can you please share some example queries, please.
03-09-2022 07:28 AM
Hey,
event from cloud.audit_logs where cloud.type = 'AWS' AND operation in ('AttachSecurityProfile', 'AttachRolePolicy')Could be interesting for monitoring role and policy but you should specify a list a critical roles that you want to monitor.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
