Prisma Certified Cloud Security Engineer (PCCSE) — Question 226
Which RQL query will help create a custom identity and access management (IAM) policy to alert on Lambda functions that have permission to terminate EC2 instances?
Answer options
- A. iam from cloud.resource where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function' AND dest.cloud.service.name = 'ec2' AND action.name = 'ec2:TerminateInstances'
- B. config from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance' AND dest.cloud.service.name = 'lambda' AND action.name = 'ec2:TerminateInstances'
- C. iam from cloud.resource where cloud.type equals 'AWS' AND cloud.resource.type equals 'lambda function' AND cloud.service.name = 'ec2' AND action.name equals 'ec2:TerminateInstances'
- D. config from iam where dest.cloud.type = 'AWS' AND source.cloud.service.name = 'lambda' AND source.cloud.resource.type = 'function' AND dest.cloud.service.name = 'ec2' AND action.name = 'ec2:TerminateInstances'
Correct answer: D
Explanation
Option D is correct. Prisma Cloud IAM queries begin with "config from iam", and this query names the Lambda function as the source principal (source.cloud.service.name = 'lambda' and source.cloud.resource.type = 'function'), EC2 as the destination service (dest.cloud.service.name = 'ec2'), and ec2:TerminateInstances as the permitted action. Options A and C begin with "iam from cloud.resource", which is not a valid RQL query form; option C also drops the source/destination qualifiers and uses "equals" in place of "=". Option B uses the correct "config from iam" form but swaps the roles, making the EC2 instance the source and Lambda the destination, so it would not match Lambda functions that are permitted to terminate instances.
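The condition the query expresses, "a Lambda function whose execution role can call ec2:TerminateInstances", can be modelled locally to understand what the IAM module matches. The Python below is an added example for this page, not Prisma Cloud code and not an implementation of RQL: it evaluates constructed AWS-style policy documents for three hypothetical Lambda execution roles and returns the functions that effectively hold the action. It models IAM-style wildcard actions (so a grant of ec2:* also matches, which is why an RQL alert on action.name catches over-broad roles and not only literal grants) and an explicit Deny; Resource, Condition, NotAction and permission boundaries are deliberately ignored to keep the example short.

```python
import fnmatch

# Constructed sample data (not from the page): three hypothetical Lambda
# execution roles and the policy document attached to each, in AWS IAM JSON shape.
SAMPLE_ROLES = {
    "cleanup-fn-role": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
                "Resource": "*",
            }
        ],
    },
    "admin-fn-role": {
        "Version": "2012-10-17",
        "Statement": [
            # Over-broad wildcard grant ...
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            # ... but an explicit Deny on the one action we care about.
            {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
        ],
    },
    "reader-fn-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
        ],
    },
}

# Constructed mapping of hypothetical Lambda function name -> execution role.
SAMPLE_FUNCTIONS = {
    "nightly-cleanup": "cleanup-fn-role",
    "ops-admin": "admin-fn-role",
    "inventory": "reader-fn-role",
}


def _as_list(value):
    """IAM lets Action/Effect fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows_action(policy, action):
    """Return True if `policy` effectively grants `action`.

    IAM action names are matched case-insensitively and may contain the
    wildcards '*' and '?'; fnmatch supports both. An explicit Deny that matches
    the action wins over any Allow, as it does in AWS IAM evaluation.
    Resource, Condition and NotAction are ignored (simplification).
    """
    allowed = denied = False
    wanted = action.lower()
    for stmt in policy.get("Statement", []):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(wanted, p) for p in patterns):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def lambda_functions_with_action(functions, roles, action="ec2:TerminateInstances"):
    """Names of Lambda functions whose execution role effectively holds `action`.

    This is the set the RQL query in option D is meant to alert on: source is a
    Lambda function, destination service is EC2, action is ec2:TerminateInstances.
    """
    return sorted(
        fn for fn, role in functions.items() if allows_action(roles[role], action)
    )


if __name__ == "__main__":
    print(lambda_functions_with_action(SAMPLE_FUNCTIONS, SAMPLE_ROLES))
    # Only "nightly-cleanup": the admin role's wildcard grant is revoked by its Deny.
```

Note how the wildcard handling changes the result: without the Deny statement, admin-fn-role would also be flagged through its ec2:* grant, which is the behaviour you want from a permission query rather than a plain string match on the policy text.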