Identity and Access Management (IAM) refers to the processes and tools for managing user access to resources and enforcing security policies. IAM is crucial for securing the modern enterprise as it enables organizations to control who can access what resources. By enforcing strong IAM policies, companies can enforce the principle of least privilege, meaning users and resources are only granted minimum permissions necessary to perform their jobs. This minimizes the horizontal scaling of security attacks in the event of compromised credentials.
Prisma Cloud offers capabilities to embed IAM into the software delivery lifecycle. It can scan infrastructure-as-code for misconfigurations and enforce least privilege during deployment. Additionally, Prisma Cloud can monitor permissions at runtime and alert on anomalies that indicate privilege creep or excessive permissions. By leveraging the CIEM module within Prisma Cloud, organizations can confidently monitor access while minimizing risk.
This article will provide RQLs to create sample policies based on IAM requirements, as well as demonstrate how a simple IAM RQL can be continually extended to add additional IAM functionality.
Entitlement Management is managing identities and privileges. Security teams want to enforce the principle of least-privileged access to cloud infrastructure and resources. Reducing the attack surface and mitigating access risks posed by excessive permissions help to secure the user’s cloud environment.
Figure 1: Three Pillars of CIEM Module_palo-alto-networks
Figure 2: IAM Policy attributes as defined in reference [1]_palo-alto-networks
Let's begin by writing an RQL to find permissions of all IAM users:
config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user'
Let’s modify the use case to find a list of users who are inactive for more than 90 days:
config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' AND action.lastaccess.days > 90
To find users that can take action on a particular service such as EC2:
config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' AND dest.cloud.type = 'AWS' AND dest.cloud.service.name = 'ec2'
By adding the requirements to find all users that can terminate instances and create NACL groups, we add that to the end of the previous RQL to get:
config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' AND dest.cloud.type = 'AWS' AND dest.cloud.service.name = 'ec2' AND action.name IN ( 'ec2:CreateNetworkAcl', 'ec2:TerminateInstances' )
And to see if this user has unrestricted access to all resources in a particular cloud account, we again add to the end of the previous RQL:
config from iam where source.cloud.service.name = 'iam' and source.cloud.resource.type = 'user' AND dest.cloud.type = 'AWS' AND dest.cloud.service.name = 'ec2' AND action.name IN ( 'ec2:CreateNetworkAcl', 'ec2:TerminateInstances' ) AND dest.cloud.wildcardscope = true and dest.cloud.account = ‘ABC-123’
As we can see from the above example, we started off with a very basic query and built a complex query around it. Further in this article, we will share some common use cases to build your IAM policies around.
7. Find policies that allow to encrypt and decrypt kms keys without any conditions:
config from iam where grantedby.cloud.policy.condition ( 'aws:SourceArn' ) exists AND action.name IN
('kms:Decrypt', 'kms:Encrypt' )
8. Find all Okta identities that can assume roles:
config from iam where action.name IN ( 'sts:AssumeRole', 'sts:AssumeRoleWithSAML', 'sts:AssumeRoleWithWebIdentity' ) AND source.idp.service = 'Okta'
The IAM graph view provides a visual representation of the connections between various entities which help you understand the relationships among source entities; those granting access, and the destinations or resources being accessed.
This visualization aids in answering critical questions, such as identifying who has access to specific resources and how that access was initially granted. Graph visualization is an excellent way to create IAM queries on the go by simply clicking the desired component and the query completes automatically. As you modify these connections visually, the corresponding Relationship Query Language (RQL) statements are automatically updated in the background.
Figure 3: Graph visualization snippet from Prisma cloud_palo-alto-networks
This is only supported for source, granters and cases in which destinations are less than 300.
The asset inventory page shows the IAM relationships of the cloud resources when the IAM module is enabled. You can also remediate overly permissive roles and groups:
Figure 4: IAM details tab in the asset inventory view_palo-alto-networks
(In the image above, we can see what IAM identities can take action on this lambda function “PythonFunctionSE”. Switching to Permission as Destination, tells what actions on all resources this Lambda function can perform.)
You can also view policies as to which resources, groups and roles a policy is attached to along with permissions.
Figure 5: Different IAM attributes for a particular cloud resource as seen in the asset inventory view_palo-alto-networks
The least privilege wizard goes a step further and analyzes unused permissions and generates files as needed.
Figure 6: Least privilege recommendation by Prisma cloud for an overly permissive role_palo-alto-networks
Identity and Access Management (IAM) is a fundamental component of security and operational efficiency in today's digital world. IAM establishes a critical framework to safeguard sensitive data, applications, and resources by ensuring only authorized users and systems can access them.
Least privilege using IAM minimizes security risks: data breaches; unauthorized changes; and insider threats. IAM streamlines workflows by granting appropriate access to users when needed, improving productivity and compliance.
The importance of IAM lies in its ability to protect organizations against evolving cyberthreats, enhancing operational effectiveness, and building trust among users and stakeholders. IAM's capacity to secure organizations, enable efficient operations, and foster trust makes it an essential pillar of modern digital security and workflow management.
This article has shown examples of simple through complex IAM RQLs which can implement IAM policies in your organization. By simply changing one parameter, the RQL can determine IAM policies for different users, cloud objects or actions.
[1] Prisma™ Cloud Resource Query Language (RQL) Reference, IAM Query Attributes
[2] Prisma™ Cloud Resource Query Language (RQL) Reference, IAM Query Examples
[3] Prisma™ Cloud Resource Query Language (RQL) Reference, IAM Query Conditions
Bishvesh Pachauli is a Customer Success Engineer and Paul Burega is a CSE Team Lead. Paul and Bishvesh utilize a collaborative approach to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.
