I figured it out. Here is the query I used.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[?any( Action contains "sts:AssumeRole" and Resource equals "*" )] exists
Trying to put together a query to identify excessive AssumeRole permissions. For example, it would identify if the following is in a policy:

"Action": ["sts:AssumeRole"], "Effect": "Allow", "Resource": "*"

I've been messing around with some queries, but I haven't had any luck finding one that works. The following query will pick up policies where the "sts:AssumeRole" and the "*" are in separate statement blocks.

config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[*].Action contains "sts:AssumeRole" and inlinePolicies[*].policyDocument.Statement[*].Resource equals "*"
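To show why the two queries in this thread differ, here is an added Python example (not from the thread or from Prisma Cloud) that evaluates both conditions over constructed IAM policy documents: `loose_match` tests Action and Resource across all statements independently, as the question's query does, while `excessive_assume_role` requires both in the same statement, as the `[?any(...)]` filter in the answer does. The sample policies, the account ID and the role name are constructed; the Effect check is an assumption taken from the policy snippet in the question.

```python
import json

# Constructed sample policy documents (not from the original thread).
# SAME_STMT: sts:AssumeRole and Resource "*" in one statement -> excessive.
SAME_STMT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}
  ]
}""")

# SPLIT_STMT: the two conditions sit in different statement blocks.
# The AssumeRole grant is scoped to one (constructed) role ARN, so it is
# not excessive, but a query that tests the two fields independently
# still flags it.
SPLIT_STMT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/example-role"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def loose_match(policy):
    """Mirrors the question's first query: each condition is evaluated over
    all statements on its own, so they may be satisfied by different blocks."""
    stmts = _as_list(policy.get("Statement"))
    has_assume = any("sts:AssumeRole" in _as_list(s.get("Action")) for s in stmts)
    has_star = any("*" in _as_list(s.get("Resource")) for s in stmts)
    return has_assume and has_star


def excessive_assume_role(policy):
    """Mirrors the [?any(...)] filter from the answer: both conditions must
    hold within one statement. Effect == Allow is an added assumption."""
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action"))
        and "*" in _as_list(s.get("Resource"))
    ]
```

Running both checks on `SPLIT_STMT` shows the false positive the question describes: `loose_match` returns True while `excessive_assume_role` returns an empty list.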