
Sample AWS S3 RQL Queries

Note: The following guide walks you through AWS S3 RQL query examples.

Public S3 buckets, excluding buckets whose tag key is "DataClassification" and tag value is "Public"

config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND
json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true)
and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or
((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and
accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and
accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or
(publicAccessBlockConfiguration.ignorePublicAcls is false and
accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or
(policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and
accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and
accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or
(publicAccessBlockConfiguration.restrictPublicBuckets is false and
accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false)))) and websiteConfiguration does not exist
and tagSets.DataClassification != Public"
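As an added illustration (not code from this page or from Prisma Cloud), the following Python evaluates the same json.rule logic over constructed bucket records shaped like the aws-s3api-get-bucket-acl resource JSON; the sample bucket names and field values are assumptions.

```python
# Added illustration of the page's "public S3 bucket" RQL rule in Python; not Prisma Cloud code.
# Each dict mimics the JSON that aws-s3api-get-bucket-acl exposes to json.rule (samples are constructed).

def _block_flag_unset(bucket_pab, account_pab, flag):
    """The three-way clause the query repeats: neither the bucket-level nor the
    account-level Public Access Block sets `flag` (a missing block is 'not set')."""
    b = bucket_pab.get(flag) if bucket_pab is not None else None
    a = account_pab.get(flag) if account_pab is not None else None
    return ((b is False and account_pab is None)
            or (bucket_pab is None and a is False)
            or (b is False and a is False))

def is_public_unclassified(bucket):
    """Mirror the json.rule: public via ACL or policy, not shielded by a Public
    Access Block, no website hosting, and not tagged DataClassification=Public."""
    grants = bucket.get("acl", {}).get("grants", [])
    acl_public = any(g.get("grantee") == "AllUsers" for g in grants)
    policy_public = bucket.get("policyStatus", {}).get("isPublic") is True
    bucket_pab = bucket.get("publicAccessBlockConfiguration")
    account_pab = bucket.get("accountLevelPublicAccessBlockConfiguration")
    exposed = (
        ((acl_public or policy_public) and bucket_pab is None and account_pab is None)
        or (acl_public and _block_flag_unset(bucket_pab, account_pab, "ignorePublicAcls"))
        or (policy_public and _block_flag_unset(bucket_pab, account_pab, "restrictPublicBuckets"))
    )
    not_website = "websiteConfiguration" not in bucket
    not_tagged_public = bucket.get("tagSets", {}).get("DataClassification") != "Public"
    return exposed and not_website and not_tagged_public

# Constructed sample resources (illustrative names and values, not real buckets).
SAMPLE_BUCKETS = {
    "acl-open-no-block": {"acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]},
                          "tagSets": {"DataClassification": "Internal"}},
    "acl-open-but-blocked": {"acl": {"grants": [{"grantee": "AllUsers"}]},
                             "publicAccessBlockConfiguration": {"ignorePublicAcls": True}},
    "policy-open-tagged-public": {"acl": {"grants": []}, "policyStatus": {"isPublic": True},
                                  "publicAccessBlockConfiguration": {"restrictPublicBuckets": False},
                                  "tagSets": {"DataClassification": "Public"}},
    "policy-open-both-blocks-off": {"acl": {"grants": []}, "policyStatus": {"isPublic": True},
                                    "publicAccessBlockConfiguration": {"restrictPublicBuckets": False},
                                    "accountLevelPublicAccessBlockConfiguration": {"restrictPublicBuckets": False}},
    "acl-open-website": {"acl": {"grants": [{"grantee": "AllUsers"}]},
                         "websiteConfiguration": {"indexDocument": "index.html"}},
}

def flag_public_buckets(buckets=SAMPLE_BUCKETS):
    """Names the RQL query would return, in input order."""
    return [name for name, b in buckets.items() if is_public_unclassified(b)]
```

Running `flag_public_buckets()` on the samples returns only the two buckets that are reachable by AllUsers with no effective Public Access Block, no website hosting, and no Public classification tag.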

S3 buckets connected to a CloudFront distribution

config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' as Y; filter '$.X.origins.items[*].id contains $.Y.bucketName'; show Y;

S3 buckets that have PUT actions with ALLOW effects to external AWS accounts (accounts not monitored by Prisma Cloud)

config from cloud.resource where api.name='aws-s3api-get-bucket-acl' AND json.rule = policy.Statement[*].Principal.AWS[*] exists and _AWSCloudAccount.isRedLockMonitored(policy.Statement[*].Principal.AWS[*]) is false and policy.Statement[?(@.Effect=='Allow')].Action any equal s3:PutObject
Last updated on by sullivan1337