Prisma Cloud: Can You Query A List of AWS Roles With '*' Wildcard In Policies Using RQL
Created On 10/12/22 20:17 PM - Last Modified 07/30/25 14:57 PM
Question
Can you query a list of AWS roles with '*' wildcard in policies using RQL?
Environment
- Prisma Cloud
- Investigate tab
- RQL (Resource Query Language)
Answer
AWS roles with '*' wildcard in policies can be found with the following RQL query:
config from iam where dest.cloud.type = 'AWS' AND dest.cloud.resource.name = '*' AND grantedby.cloud.entity.type = 'role'
Additional Information
An RQL like the following will not fetch AWS roles with '*' wildcard in policies:
config from iam where dest.cloud.type = 'AWS' AND dest.cloud.resource.name = '*' AND source.cloud.service.name = 'iam' AND source.cloud.resource.type = 'role'
This is because in the IAM model a role is treated as the "granter" (grantedby.cloud.entity) rather than as the source, as shown in the working query above.
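For readers who want to see what the working query inspects, the following added example (not Prisma Cloud code) reproduces the check locally: it walks constructed IAM role policy documents and reports each role that grants access on Resource "*", taking the role as the granting entity, just as the RQL does. It assumes that only Allow statements count as grants; the role and policy data are constructed samples.

```python
"""Local approximation of the RQL check: flag IAM roles whose policies grant
an Allow on Resource "*". All role/policy data below is constructed."""
import json

# Constructed sample: role name -> list of policy documents (inline or attached)
SAMPLE_ROLES = {
    "AdminRole": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }],
    "ReadOnlyBucketRole": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": ["arn:aws:s3:::example-bucket/*"]}],
    }],
    "MixedRole": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        ],
    }],
}

def _as_list(value) -> list:
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy: dict) -> list:
    """Return the Allow statements in one policy document whose Resource includes '*'."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # assumption: a Deny on '*' narrows access, it is not a grant
        if "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt)
    return hits

def roles_with_wildcard_resource(roles: dict) -> dict:
    """Map role name -> offending Allow statements, for roles that have any.
    The role is treated as the granting entity (grantedby ... = 'role')."""
    result = {}
    for role, policies in roles.items():
        hits = [s for p in policies for s in wildcard_statements(p)]
        if hits:
            result[role] = hits
    return result

if __name__ == "__main__":
    print(json.dumps(roles_with_wildcard_resource(SAMPLE_ROLES), indent=2))
```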