Monitoring Federated Access to AWS Accounts (Interrogate Your AWS Env)
This is one in a series of short, simple J1 queries that will help you interrogate your AWS environments. The JupiterOne platform used to run these queries is free.
There are times when understanding AWS access in terms of IAM users, roles, and groups is insufficient, because we may be using an SSO provider to federate access into AWS. It’s a relatively common scenario, but it can be challenging to see how those SSO providers actually grant access to AWS accounts. This query shows how that access is provided.
Cut-and-Paste Query
Here’s the query you can cut and paste into your J1 instance. Watch JupiterOne technical expert Akash Ganapathi walk through the example query and then display the results in real time. If you find this useful, give us some contact info at the bottom of this page and we’ll send you twice-monthly updates as we continue to explore various environments with JupiterOne.
FIND User as U
  THAT ASSIGNED Application as App
  THAT CONNECTS aws_account with tag.Production=true as AWS
RETURN U.displayName as User, App.tag.AccountName as IdP,
  App.displayName as ssoApplication, App.signOnMode as signOnMode,
  AWS.displayName as awsAccount
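As an added example (not part of the original post or of JupiterOne's own tooling), here is a small Python routine that post-processes result rows shaped like this query's RETURN clause. It assumes the query API yields one dict per row keyed by the aliases above and that signOnMode carries Okta-style strings; the sample rows are constructed. It inventories which federated users reach which production accounts and flags users with broad access or SSO applications that do not use SAML.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the RETURN clause of the query above
# (assumption: the query API yields one dict per row keyed by the aliases;
# signOnMode values are Okta-style strings). Not real data.
SAMPLE_ROWS = [
    {"User": "alice", "IdP": "okta", "ssoApplication": "AWS Prod",
     "signOnMode": "SAML_2_0", "awsAccount": "prod-payments"},
    {"User": "alice", "IdP": "okta", "ssoApplication": "AWS Prod",
     "signOnMode": "SAML_2_0", "awsAccount": "prod-web"},
    {"User": "bob", "IdP": "okta", "ssoApplication": "AWS Legacy",
     "signOnMode": "BROWSER_PLUGIN", "awsAccount": "prod-web"},
    {"User": "carol", "IdP": "okta", "ssoApplication": "AWS Prod",
     "signOnMode": "SAML_2_0", "awsAccount": "prod-payments"},
]


def users_per_account(rows):
    """Map each production AWS account to the set of federated users reaching it."""
    out = defaultdict(set)
    for r in rows:
        out[r["awsAccount"]].add(r["User"])
    return dict(out)


def accounts_per_user(rows):
    """Map each user to the set of production accounts they can reach via SSO."""
    out = defaultdict(set)
    for r in rows:
        out[r["User"]].add(r["awsAccount"])
    return dict(out)


def review(rows, max_accounts=1, allowed_modes=("SAML_2_0",)):
    """Return findings: users reaching more than max_accounts production
    accounts, and SSO apps whose sign-on mode is not in allowed_modes."""
    findings = []
    for user, accounts in sorted(accounts_per_user(rows).items()):
        if len(accounts) > max_accounts:
            findings.append(("broad-access", user, sorted(accounts)))
    seen = set()  # report each (application, mode) pair only once
    for r in rows:
        key = (r["ssoApplication"], r["signOnMode"])
        if r["signOnMode"] not in allowed_modes and key not in seen:
            seen.add(key)
            findings.append(("non-saml-signon", key[0], key[1]))
    return findings
```

Feed it the rows returned for your own tenant and tune max_accounts and allowed_modes to your federation policy.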
Contribute your J1 Query to the Community
We will frequently be adding cut-and-paste J1 queries to our gallery. Join the community and every two weeks we’ll send you a list of new queries. You can contribute your own queries for inclusion and examination in an upcoming article. Use the form below to join us.
Get updates from JupiterOne Mission Control
Fresh content and cool cybersecurity news alerts delivered to your inbox at least 2x a month! Just let us know where to send it.