How to check whether a config policy's RQL correctly detects resources
Objective
In some cases an RQL is so long that it is difficult to grasp its whole meaning at a glance.
This article explains how to check such an RQL step by step.
Environment
Prisma Cloud Enterprise Edition
Procedure
Example Policy: AWS SNS topic not configured with secure data transport policy
RQL:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sns-get-topic-attributes' AND json.rule = Policy.Statement[*].Condition.Bool.aws:SecureTransport does not exist or Policy.Statement[?any((Effect equals Allow and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains false or Condition.Bool.aws:SecureTransport contains FALSE)) or (Effect equals Deny and Action contains Publish and (Principal.AWS equals * or Principal equals *) and (Condition.Bool.aws:SecureTransport contains true or Condition.Bool.aws:SecureTransport contains TRUE)))] exists
Example Target Resource:
[STEPS]
1. Decompose the RQL into logical units at operators such as AND, OR and parentheses.
2. Compare each unit of the decomposed RQL with the resource.
Comparing the above with the following: there is no Condition in the Statement.
Therefore, this part of the RQL evaluates to true.
NOTE: In the following example, the result would be false because the target key exists.
3. Combine the units and check whether the target resource matches the policy.
Conclusion: the above RQL returns true.
4. We have now confirmed that the RQL correctly matches the target resource.
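The same decomposition can be carried out mechanically. The following Python script is an added example and is not part of the original article or of Prisma Cloud itself: it splits the example RQL above into its two logical units (the "does not exist" check and the "[?any(...)] exists" check), evaluates each unit against a constructed aws-sns-get-topic-attributes record, and combines them with OR exactly as the RQL does. The sample topic policies, ARNs and account IDs are constructed, and the way operators such as "contains" and "equals" are approximated here (plain substring and equality checks, with the two spellings "false"/"FALSE" and "true"/"TRUE" mirrored from the RQL) is an assumption about Prisma Cloud semantics, not taken from the product documentation.

```python
import json

# Constructed sample resources (not from the article). SNS returns the topic
# Policy attribute as a JSON string, so it is embedded that way here.
SAMPLE_NO_CONDITION = {
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Pub", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "SNS:Publish", "Resource": "*"}]})}

SAMPLE_DENY_INSECURE = {          # compliant: denies Publish over plain HTTP
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:tls-only-topic",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*",
         "Action": "SNS:Publish", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

SAMPLE_ALLOW_INSECURE = {         # misconfigured: explicitly allows plain HTTP
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:http-topic",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowHttp", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["SNS:Publish"], "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}


def _as_list(value):
    """Normalize a scalar-or-list JSON value to a list (missing -> [])."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_statements(resource):
    """Return Policy.Statement as a list, decoding the Policy string first."""
    policy = resource.get("Policy")
    if isinstance(policy, str):
        policy = json.loads(policy)
    if not isinstance(policy, dict):
        return []
    return _as_list(policy.get("Statement"))


def secure_transport_values(stmt):
    """String values of Condition.Bool.aws:SecureTransport; [] if absent."""
    raw = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return [("true" if v else "false") if isinstance(v, bool) else str(v)
            for v in _as_list(raw)]


def unit_no_secure_transport_condition(statements):
    """Unit 1: Policy.Statement[*].Condition.Bool.aws:SecureTransport does not exist.
    Assumed semantics: true when no statement carries the key."""
    return all(not secure_transport_values(s) for s in statements)


def _principal_is_any(stmt):
    # (Principal.AWS equals * or Principal equals *)
    p = stmt.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))


def _action_contains_publish(stmt):
    # Action contains Publish (assumed case-sensitive substring match)
    return any("Publish" in str(a) for a in _as_list(stmt.get("Action")))


def _secure_transport_contains(stmt, word):
    # mirrors "contains false or contains FALSE" (both spellings) in the RQL
    return any(word in v or word.upper() in v for v in secure_transport_values(stmt))


def unit_misconfigured_statement_exists(statements):
    """Unit 2: Policy.Statement[?any(... Allow/false ... or ... Deny/true ...)] exists."""
    for s in statements:
        if not (_action_contains_publish(s) and _principal_is_any(s)):
            continue
        if s.get("Effect") == "Allow" and _secure_transport_contains(s, "false"):
            return True
        if s.get("Effect") == "Deny" and _secure_transport_contains(s, "true"):
            return True
    return False


def evaluate(resource):
    """Combine the units as the RQL does: unit1 OR unit2."""
    statements = load_statements(resource)
    unit1 = unit_no_secure_transport_condition(statements)
    unit2 = unit_misconfigured_statement_exists(statements)
    return {"unit1_no_condition": unit1, "unit2_bad_statement": unit2,
            "matches": unit1 or unit2}


if __name__ == "__main__":
    for name, res in [("no condition", SAMPLE_NO_CONDITION),
                      ("deny insecure", SAMPLE_DENY_INSECURE),
                      ("allow insecure", SAMPLE_ALLOW_INSECURE)]:
        print(name, evaluate(res))
```

Running the script prints the per-unit results for each sample, which is the same table you would build by hand in step 2 before combining the units in step 3: the topic with no condition matches through unit 1, the topic that explicitly allows insecure transport matches through unit 2, and the topic that denies insecure transport is correctly left unmatched by both.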
Additional Information
The operators used in RQL are described in the following document:
- RQL Operators
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/operators.html