Hello! I'm attempting to write some RQL to detect policies with the following permissions and struggling a bit.

    Action: "iam:PassRole"
    Effect: "Allow"
    Resource: "*"

Now, in general this isn't too bad to figure out. The RQL below accomplishes this nicely, BUT doesn't have any concept of whether a Condition statement is present. I care a bit less about a PassRole permission for an IAM policy that is scoped to the IAM service.

    config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow')].Resource equals "*"

This is where I'm struggling: getting the above search to consider if a Condition statement exists and ignore the finding if a Condition exists. I've tried a number of things, all of which seem to pass the initial Investigate validator but break when actually run.

To be more clear, I don't want the following policy to trigger this:

    "Action": "iam:PassRole",
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:PassedToService": "transfer.amazonaws.com"
        }
    }

Things I've tried:

    config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Resource=='*' && @.Condition !exists)]"

    config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = "document.Statement[?(@.Action=='iam:PassRole' && @.Effect=='Allow' && @.Condition !exists)].Resource equals *"

I think I'm just missing how to consider a potential Condition in the RQL, any thoughts?
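The post above asks for one detection rule: an Allow statement granting iam:PassRole on Resource "*" with no Condition block. As an added example (not part of the original post, and not Prisma Cloud RQL), the Python below implements that same logic against the raw policy document so the intended semantics can be tested locally before translating them into RQL. It goes a little beyond the exact-match rule in the post: Statement may be a single object or a list, Action and Resource may be strings or lists, a Condition counts as present only when it is a non-empty object, and wildcard action patterns such as "iam:*" or "*" are treated as granting PassRole (IAM action matching is case-insensitive and supports "*"). The sample policies are constructed for this example; statements using NotAction or NotResource are deliberately not handled.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# The action we are hunting for; compared case-insensitively, as IAM does.
TARGET_ACTION = "iam:PassRole"


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string where a list is also accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_grants(pattern: str, action: str = TARGET_ACTION) -> bool:
    """True if an Action entry (possibly a wildcard such as 'iam:*') covers `action`."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def has_condition(stmt: Dict[str, Any]) -> bool:
    """A Condition only scopes the grant if it is a non-empty object."""
    cond = stmt.get("Condition")
    return isinstance(cond, dict) and len(cond) > 0


def find_unscoped_passrole(document: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that grants PassRole on '*' with no Condition.

    NotAction / NotResource statements are not evaluated here (assumption for this example).
    """
    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        matched = [a for a in _as_list(stmt.get("Action")) if action_grants(a)]
        if not matched:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if has_condition(stmt):
            continue  # scoped, e.g. iam:PassedToService; this is the case the post wants ignored
        findings.append({"statement_index": idx, "sid": stmt.get("Sid"), "matched_actions": matched})
    return findings


# Constructed sample policy documents (not real account data).
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "unscoped": {
        "Version": "2012-10-17",
        "Statement": {"Sid": "Bad", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    },
    "scoped_by_condition": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
            "Condition": {"StringEquals": {"iam:PassedToService": "transfer.amazonaws.com"}},
        }],
    },
    "wildcard_action_in_list": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Harmless", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"},
            {"Sid": "Wide", "Effect": "Allow", "Action": ["ec2:RunInstances", "iam:*"], "Resource": ["*"]},
        ],
    },
    "scoped_by_resource": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                       "Resource": "arn:aws:iam::123456789012:role/TransferRole"}],
    },
    "deny_only": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}],
    },
}


def scan(policies: Optional[Dict[str, Dict[str, Any]]] = None) -> Dict[str, int]:
    """Number of unscoped PassRole statements per policy name."""
    policies = SAMPLE_POLICIES if policies is None else policies
    return {name: len(find_unscoped_passrole(doc)) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, count in scan().items():
        print(f"{name}: {count} unscoped PassRole statement(s)")
```

Only "unscoped" and "wildcard_action_in_list" produce findings; the conditioned policy from the post is skipped because its Condition object is non-empty, which is the check the RQL attempts above are trying to express with "@.Condition !exists".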