Prisma Cloud: Support for RQL for Cross Account Join

Created On 12/15/22 03:13 AM - Last Modified 03/09/26 20:14 PM


Question


Does RQL support queries for cross account joins?

The RQL below tries to cross-reference account resources under an AWS Organization.
The resources in a join can only come from one AWS account, not several.
In the example, the cloud.account parameter lists more than one account.

For example:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-delivery-channels' AND json.rule = name starts with "aws-controltower-" and s3BucketName exists as X; config from cloud.resource where cloud.account IN ( 'XXX', 'YYY' ) AND api.name = 'aws-s3api-get-bucket-acl' as Y; filter 'not($.X.S3BucketName == $.Y.bucketname)'; show X;


Environment


  • Prisma Cloud
  • RQL


Answer


No. Currently, Config Scanner doesn't support cross-account joins.
Resources belonging to one account can only be joined with resources of the same account.

Even though the Investigate page will display a green checkmark, the query will not generate any results.



Additional Information


View our documentation here on how to Investigate incidents.
