nerdexam
Palo_Alto_Networks

PCCSE · Question #256

Which RQL query will help create a custom identity and access management (IAM) policy to alert on Lambda functions that have permission to terminate EC2 instances?

The correct answer is D. config from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'lambda' AND. IAM RQL queries use the 'config from iam where' syntax with source and destination fields to identify which services have permission to perform specific actions on other services.

Cloud Infrastructure Entitlement Management (CIEM)

Question

Which RQL query will help create a custom identity and access management (IAM) policy to alert on Lambda functions that have permission to terminate EC2 instances?

Options

  • Aiam from cloud.resource where dest.cloud.type = 'AWS' AND source.cloud.service.name =
  • Bconfig from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'ec2' AND
  • Ciam from cloud.resource where cloud.type equals 'AWS' AND cloud.resource.type equals 'lambda
  • Dconfig from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'lambda' AND

How the community answered

(30 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    10% (3)
  • D
    83% (25)

Why each option

IAM RQL queries use the 'config from iam where' syntax with source and destination fields to identify which services have permission to perform specific actions on other services.

Aiam from cloud.resource where dest.cloud.type = 'AWS' AND source.cloud.service.name =

'iam from cloud.resource' is not valid RQL syntax; IAM queries must begin with 'config from iam where'.

Bconfig from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'ec2' AND

Setting 'source.cloud.service.name = ec2' identifies EC2 as the source principal, which would find EC2 instances with permissions - not Lambda functions - making this semantically incorrect for the stated goal.

Ciam from cloud.resource where cloud.type equals 'AWS' AND cloud.resource.type equals 'lambda

'iam from cloud.resource' is not a valid RQL construct, and 'cloud.resource.type equals lambda' is not the correct field syntax for IAM queries.

Dconfig from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'lambda' ANDCorrect

The correct RQL prefix for IAM queries is 'config from iam where', which queries the effective permissions graph. Setting 'source.cloud.service.name = lambda' identifies Lambda as the principal, and adding a condition on the destination action (ec2:TerminateInstances) locates Lambda functions that hold that specific permission. This combination precisely targets the described overpermissioned IAM scenario.

Concept tested: Prisma Cloud IAM RQL query syntax for Lambda permissions

Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes

Topics

#RQL#IAM#CIEM#Serverless Security

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice