Prisma Cloud: How to check if EC2 Instance Connect, Session Manager, and EC2 Serial Console are blocked via RQL.
Created On 09/30/22 20:05 PM - Last Modified 12/10/24 15:04 PM
Objective
How to check if your EC2 Instance Connect, Session Manager, and EC2 Serial Console are blocked via RQL in Prisma Cloud.
Environment
- Prisma Cloud
- AWS
- RQL
Procedure
GUI: Log into the Prisma Cloud Console > Investigate > run the RQL query below
config from cloud.resource where api.name = 'aws-iam-list-users' as X; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any( (Action contains "ec2-instance-connect:SendSSHPublicKey" or Action contains "iam:GetAccountPasswordPolicy" or Action contains "ec2-instance-connect:SendSerialConsoleSSHPublicKey") and Effect equals "Allow" )] exists as Y; filter '$.X.groups[*].attachedManagedPolicies[*] contains $.Y.policyName'; show X;
- Note: If the RQL query returns results, those resources are blocked.
- To confirm the block in the AWS Console: AWS Console > IAM > Users > select the user name > Permissions policies > open the block policies for EC2 Instance Connect, Session Manager and EC2 Serial Console > review the policy JSON for the relevant permissions.
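The following is an added example, not part of the Prisma Cloud article, that reproduces the query's matching logic offline: the json.rule over each policy document (an Allow statement whose Action contains one of the three listed actions) and the join from users through group-attached managed policies to matching policy names. The payload field names (userName, groups, attachedManagedPolicies, policyName, document) and the sample users and policies are constructed assumptions, not exported Prisma Cloud data.

```python
import json

# The three actions named in the article's RQL query
WATCHED_ACTIONS = (
    "ec2-instance-connect:SendSSHPublicKey",
    "iam:GetAccountPasswordPolicy",
    "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
)


def policy_allows_watched_action(document: dict) -> bool:
    """Mirror the json.rule: any Statement with Effect "Allow" whose Action
    (string or list) contains one of the watched actions as a substring."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):          # single-statement documents
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(w in a for a in actions for w in WATCHED_ACTIONS):
            return True
    return False


def users_with_matching_group_policy(users: list, policy_versions: list) -> list:
    """Mirror the filter: users whose groups have an attached managed policy
    whose name equals a policy that matched the rule above (the Y set)."""
    matching = {p["policyName"] for p in policy_versions
                if policy_allows_watched_action(p["document"])}
    return sorted(u["userName"] for u in users
                  if any(pol["policyName"] in matching
                         for g in u.get("groups", [])
                         for pol in g.get("attachedManagedPolicies", [])))


# Constructed sample data shaped like the assumed list-users / get-policy-version payloads
SAMPLE_POLICIES = [
    {"policyName": "InstanceConnectAllow", "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2-instance-connect:SendSSHPublicKey"], "Resource": "*"}]}},
    {"policyName": "ConsoleDeny", "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "ec2-instance-connect:SendSerialConsoleSSHPublicKey", "Resource": "*"}]}},
    {"policyName": "S3ReadOnly", "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
]
SAMPLE_USERS = [
    {"userName": "alice", "groups": [{"groupName": "ops", "attachedManagedPolicies": [{"policyName": "InstanceConnectAllow"}]}]},
    {"userName": "bob", "groups": [{"groupName": "readers", "attachedManagedPolicies": [{"policyName": "S3ReadOnly"}]}]},
    {"userName": "carol", "groups": [{"groupName": "locked", "attachedManagedPolicies": [{"policyName": "ConsoleDeny"}]}]},
]

if __name__ == "__main__":
    print(json.dumps(users_with_matching_group_policy(SAMPLE_USERS, SAMPLE_POLICIES)))
```

Because the rule uses substring matching, a statement that grants the same rights through a wildcard such as "ec2-instance-connect:*" or "*" is not matched by the query or by this reproduction; review those policies separately in the AWS Console step above.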