From 2a1a40cc1e12de661845680d509b3de4696c779c Mon Sep 17 00:00:00 2001 From: Alex Chantavy Date: Thu, 22 Aug 2024 13:00:54 -0700 Subject: [PATCH] Add more IAM sample queries to docs --- docs/root/usage/samplequeries.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/root/usage/samplequeries.md b/docs/root/usage/samplequeries.md index 32ac8c6b3..06dfce65f 100644 --- a/docs/root/usage/samplequeries.md +++ b/docs/root/usage/samplequeries.md @@ -1,5 +1,35 @@ ## Sample queries +Note: you might want to add `LIMIT 30` at the end of these queries to make sure they return +quickly in case you have a large graph. + +### Which AWS IAM roles have admin permissions in my accounts? +``` +MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(a:AWSAccount) +WHERE stmt.effect = "Allow" +AND any(x IN stmt.action WHERE x = '*') +RETURN * +``` + +### Which AWS IAM roles in my environment have the ability to delete policies? +``` +MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount) +WHERE stmt.effect = "Allow" +AND any(x IN stmt.action WHERE x="iam:DeletePolicy" ) +RETURN * +``` + +Note: can replace "`iam:DeletePolicy`" to search for other IAM actions. + + +### Which AWS IAM roles in my environment have an action that contains the word "create"? +``` +MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount) +WHERE stmt.effect = "Allow" +AND any(x IN stmt.action WHERE toLower(x) contains "create") +RETURN * +``` + ### What [RDS](https://aws.amazon.com/rds/) instances are installed in my [AWS](https://aws.amazon.com/) accounts? ``` MATCH (aws:AWSAccount)-[r:RESOURCE]->(rds:RDSInstance)
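Review bot: the three new headings ask about "IAM roles", but each query binds `(principal:AWSPrincipal)`, which is wider than roles, so either narrow the pattern to the role label or reword the headings to say "principals"; and the "admin permissions" query only tests `stmt.effect = "Allow"` with an action of `'*'`, ignoring the statement's resource scope and any `Deny` statements on the same principal, so a short caveat that the result is an approximation (a `*` action scoped to a narrow resource is not admin, and an explicit `Deny` can override it) would keep readers from over-reading the output. Minor consistency points in the same hunk: the first query names the account node `a` while the other two use `acc`, the string literals mix `"Allow"` with `'*'`, the note under the second query reads "Note: can replace ..." (suggest "Note: replace `iam:DeletePolicy` to search for other IAM actions"), and there is a doubled blank line before the third heading.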