Prisma Cloud : How to narrow down AWS IAM policy alerts and remediate them
Created On 05/10/23 12:12 PM - Last Modified 04/01/26 14:37 PM
Objective
How to narrow down the open alerts raised for AWS IAM policies, for example "AWS IAM Policy permission may cause privilege escalation", which fires on over-permissive IAM policies, and how to remediate them.
For example, taking one resource from the alert list shown above, the IAM policy named 'Test-IAM':
Environment
- Prisma Cloud
- AWS
Procedure
- First open the policy "AWS IAM Policy permission may cause privilege escalation" in Prisma Cloud and read its RQL query to understand the condition that triggers the alert.
- According to the policy's RQL, the alert is triggered when an IAM policy statement with 'Effect': 'Allow' contains any of the actions listed in the query (for example iam:SetDefaultPolicyVersion, iam:PassRole or iam:CreateAccessKey), or a wildcard action that covers them, such as iam:*.
- Next, open the resource config of the resource shown in the alert and check whether any of the IAM actions listed in the RQL query is present in it.
- As seen in the snip above, the resource 'Test-IAM' is an IAM policy in the AWS account whose statement allows the actions 'iam:Get*', 'iam:List*' and 'iam:PassRole' with 'Effect': 'Allow' on 'Resource': '*'. iam:PassRole is one of the actions the RQL looks for, and the '*' resource makes the grant over-permissive: any principal (user, group or role) this policy is attached to can pass any role in the account to an AWS service, which is the privilege escalation the policy name refers to.
- To fix the alert, sign in to the AWS account, locate the IAM policy (in this example 'Test-IAM') and reduce it to the least privilege the workload actually needs: remove iam:PassRole if it is not required, or scope it to the specific role ARN(s) that must be passed and restrict it further with an iam:PassedToService condition. Read-only actions such as iam:Get* and iam:List* are not part of the flagged list but should also be narrowed if they are not needed.
- Once the policy no longer grants the flagged actions on all resources, Prisma Cloud re-evaluates the resource on its next scan and the alert is resolved. Other alerts from the same policy are narrowed down and remediated the same way: compare each alerted resource's config against the actions in the RQL, then correct the offending statement in AWS.
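To make the manual comparison above mechanical, the following is an added Python example (not Prisma Cloud's own code and not its exact RQL) that evaluates an IAM policy document against the alert condition as this article describes it: a statement with Effect Allow that contains one of the listed escalation actions, or a wildcard that covers one, on Resource '*'. The action list is an assumed subset taken from the article and should be compared with the RQL shown in the console; the 'Test-IAM' document, the account ID and the role ARN in the remediated version are constructed placeholders.

```python
"""Check an IAM policy document for the privilege-escalation grant that the
Prisma Cloud policy flags, and compare it with a least-privilege rewrite.

Added example; not Prisma Cloud's code or its exact RQL.
"""
import fnmatch
import json

# Assumed subset of the actions the article quotes from the RQL; the RQL in the
# Prisma Cloud console is authoritative and may list more. Lower-cased because
# IAM action names are case-insensitive.
ESCALATION_ACTIONS = {
    "iam:setdefaultpolicyversion",
    "iam:passrole",
    "iam:createaccesskey",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_escalation_action(action):
    """True if an Action entry is a flagged action or a wildcard that covers one
    (e.g. '*', 'iam:*', 'iam:Pass*'). Matching is case-insensitive."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(flagged, pattern) for flagged in ESCALATION_ACTIONS)


def alert_findings(policy_doc):
    """Return (statement index, action) pairs matching the alert condition as the
    article describes it: Effect Allow, a flagged action (or covering wildcard),
    and Resource '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if _covers_escalation_action(action):
                findings.append((idx, action))
    return findings


def triggers_alert(policy_doc):
    """True when the document would raise the alert under the assumed condition."""
    return bool(alert_findings(policy_doc))


# Constructed document reproducing what the article describes for 'Test-IAM'.
TEST_IAM_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:PassRole"],
         "Resource": "*"}
    ],
}

# Constructed least-privilege rewrite: PassRole is limited to one role ARN and
# to the EC2 service. Account ID and role name are hypothetical placeholders.
TEST_IAM_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyIam", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "PassOneRoleToEc2", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-ec2-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("before", TEST_IAM_BEFORE), ("after", TEST_IAM_AFTER)):
        status = "ALERT" if triggers_alert(doc) else "clean"
        print(f"{name}: {status} {alert_findings(doc)}")
    print(json.dumps(TEST_IAM_AFTER, indent=2))
```

The live document can be pulled with `aws iam get-policy-version --policy-arn <arn> --version-id <id> --query PolicyVersion.Document` and fed to `alert_findings`; after editing, the corrected document is published with `aws iam create-policy-version --policy-arn <arn> --policy-document file://policy.json --set-as-default`. Whether a scoped iam:PassRole statement still matches depends on the exact RQL in the console, which is why the first step of the procedure is to read it.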