Prisma Cloud Policy "AWS S3 bucket accessible to unmonitored cloud accounts" analysis

Created On 08/23/22 13:13 PM - Last Modified 04/22/26 19:38 PM


Question


  1. Where is the unmonitored account listed in the resource JSON? (Not listed)
  2. Is the cloud account ID (in the JSON) of the monitored account or unmonitored account? (monitored account) Where do I see which unmonitored account ID it is? (In AWS)
  3. Is there a way to list all the canonical user IDs for each monitored AWS account and map them to the actual AWS account IDs within Prisma Cloud? (No)
  4. How can you show the canonical IDs for all the accounts which are monitored in Prisma Cloud? (Use RQL)


Environment


  • Prisma Cloud
  • AWS (Amazon)


Answer


  1. This policy identifies S3 buckets whose ACL grants read or write permission to cloud accounts that are NOT among the cloud accounts monitored by Prisma Cloud. These accounts with read/write privileges should be reviewed to confirm that they are valid accounts of your organization (or authorised by your organization) that are simply not under Prisma Cloud monitoring. The unmonitored account is not listed in the resource JSON; the only account ID there is the monitored account's:
     "accountId": "XXXXXXXXX",
  2. The account ID in the JSON is one of your monitored accounts in Prisma Cloud (a member account of your AWS Org). To see which unmonitored account ID has been granted access, check the bucket's ACL in AWS:
    1. Log in to the AWS Console
    2. Navigate to the 'S3' service
    3. Click on the reported S3 bucket
    4. Click on the 'Permissions' tab
    5. Navigate to the 'Access control list (ACL)' section and Click on the 'Edit'
    6. Under 'Access for other AWS accounts', the cloud accounts granted permissions on this bucket are listed (this is where such grants are added or removed). The unmonitored accounts are found in this S3 ACL list.
  3. You can find it in the Access Control List of the S3 bucket: the 'Grantee' ID, where the value specified is the canonical user ID of an AWS account. See the AWS documentation for reference.
  4. Please try this RQL to show the canonical IDs for all the accounts which are monitored in Prisma Cloud:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = "acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier size > 0 and _AWSCloudAccount.isRedLockMonitored(acl.grants[?(@.grantee.typeIdentifier=='id')].grantee.identifier) is true"
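As an added illustration (not code from the article or from Prisma Cloud), the check this policy performs, applied offline to a constructed resource JSON shaped like the fields the RQL names (acl.grants[].grantee.typeIdentifier / identifier); the bucket name, account ID, canonical IDs and the monitored-ID set are made-up placeholders:

```python
import json

# Constructed sample resource in the shape the RQL above references.
# Canonical user IDs are 64 hex characters in AWS; these are placeholders.
OWNER_CID = "a" * 64          # monitored account that owns the bucket
PARTNER_CID = "b" * 64        # another monitored account
UNKNOWN_CID = "c" * 64        # account not onboarded into Prisma Cloud
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"

SAMPLE_RESOURCE = json.loads(json.dumps({
    "accountId": "111111111111",            # the MONITORED account (placeholder)
    "bucketName": "example-exports-bucket", # placeholder
    "acl": {
        "owner": {"id": OWNER_CID, "displayName": "owner"},
        "grants": [
            {"grantee": {"typeIdentifier": "id", "identifier": OWNER_CID},
             "permission": "FULL_CONTROL"},
            {"grantee": {"typeIdentifier": "id", "identifier": PARTNER_CID},
             "permission": "READ"},
            {"grantee": {"typeIdentifier": "id", "identifier": UNKNOWN_CID},
             "permission": "WRITE"},
            # Group grantees use a URI, not a canonical ID; the RQL's
            # typeIdentifier=='id' filter leaves them out of this policy.
            {"grantee": {"typeIdentifier": "uri", "identifier": LOG_DELIVERY_URI},
             "permission": "WRITE"},
        ],
    },
}))

# Canonical IDs of accounts onboarded into Prisma Cloud (placeholder set).
MONITORED_CANONICAL_IDS = {OWNER_CID, PARTNER_CID}


def unmonitored_grantees(resource, monitored_ids):
    """Return {canonical_id: sorted permissions} for ACL grants made to
    AWS accounts whose canonical ID is not in the monitored set."""
    findings = {}
    for grant in resource.get("acl", {}).get("grants", []):
        grantee = grant.get("grantee", {})
        if grantee.get("typeIdentifier") != "id":
            continue  # URI/email grantees are not account grants
        cid = grantee.get("identifier")
        if cid in monitored_ids:
            continue
        findings.setdefault(cid, set()).add(grant.get("permission"))
    return {cid: sorted(perms) for cid, perms in findings.items()}


def bucket_violates_policy(resource, monitored_ids):
    """True when at least one ACL grant goes to an unmonitored account."""
    return bool(unmonitored_grantees(resource, monitored_ids))


if __name__ == "__main__":
    print(unmonitored_grantees(SAMPLE_RESOURCE, MONITORED_CANONICAL_IDS))
```

The unmonitored canonical ID only ever appears in the ACL grants, never in the top-level accountId, which is why the article says to look it up in AWS rather than in the resource JSON.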


Additional Information


For additional information please see our documentation on Manage Prisma Cloud Policies here
