AWS Schema¶
AWSAccount¶
Representation of an AWS Account.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job discovered this node |
name |
The name of the account |
inscope |
Indicates that the account is part of the sync scope (true or false). |
foreign |
Indicates if the account is not part of the sync scope (true or false). One such example is an account that is trusted as part of cross-account AWSRole trust not in scope for sync. |
lastupdated |
Timestamp of the last time the node was updated |
id |
The AWS Account ID number |
Relationships¶
Many node types belong to an
AWSAccount
.``` (AWSAccount)-[RESOURCE]->(AWSDNSZone, AWSGroup, AWSInspectorFinding, AWSInspectorPackage, AWSLambda, AWSPrincipal, AWSUser, AWSVpc, AutoScalingGroup, DNSZone, DynamoDBTable, EBSSnapshot, EBSVolume, EC2Image, EC2Instance, EC2Reservation, EC2ReservedInstance, EC2SecurityGroup, ElasticIPAddress, ESDomain, LaunchConfiguration, LaunchTemplate, LaunchTemplateVersion, LoadBalancer, RDSCluster, RDSInstance, RDSSnapshot, SecretsManagerSecret, SecurityHub, SQSQueue SSMInstanceInformation, SSMInstancePatch) ```
An
AWSPolicy
node is defined for anAWSAccount
.``` (AWSAccount)-[RESOURCE]->(AWSPolicy) ```
AWSRole
nodes are defined inAWSAccount
nodes.``` (AWSAccount)-[RESOURCE]->(AWSRole) ```
AWSCidrBlock¶
AWSIpv4CidrBlock¶
AWSIpv6CidrBlock¶
Representation of an AWS CidrBlock used in VPC configuration.
The AWSCidrBlock
defines the base label
type for AWSIpv4CidrBlock
and AWSIpv6CidrBlock
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job discovered this node |
cidr_block |
The CIDR block |
block_state |
The state of the block |
association_id |
the association id if the block is associated to a VPC |
lastupdated |
Timestamp of the last time the node was updated |
id |
Unique identifier defined with the VPC association and the cidr_block |
Relationships¶
AWSVpc
association(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)
Peering connection where
AWSCidrBlock
is an accepter or requester cidr.(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection) (AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)
Example of high level view of peering (without security group permissions)
MATCH p=(:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(:AWSCidrBlock)<-[:RESOURCE|BLOCK_ASSOCIATION*..]-(:AWSAccount) RETURN p
Exploring detailed inbound peering rules
MATCH (outbound_account:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(inbound_block:AWSCidrBlock)<-[:BLOCK_ASSOCIATION]-(inbound_vpc:AWSVpc)<-[:RESOURCE]-(inbound_account:AWSAccount) WITH inbound_vpc, inbound_block, outbound_account, inbound_account MATCH (inbound_range:IpRange{id: inbound_block.cidr_block})-[:MEMBER_OF_IP_RULE]->(inbound_rule:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(inbound_group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(inbound_vpc) RETURN outbound_account.name, inbound_account.name, inbound_range.range, inbound_rule.fromport, inbound_rule.toport, inbound_rule.protocol, inbound_group.name, inbound_vpc.id
AWSGroup¶
Representation of AWS IAM Groups.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
path |
The path to the group (IAM identifier, see linked docs above for details) |
groupid |
Unique string identifying the group |
name |
The friendly name that identifies the group |
createdate |
ISO 8601 date-time string when the group was created |
arn |
The AWS-global identifier for this group |
Relationships¶
Objects part of an AWSGroup may assume AWSRoles.
``` (AWSGroup)-[STS_ASSUMEROLE_ALLOW]->(AWSRole) ```
AWSUsers and AWSPrincipals can be members of AWSGroups.
``` (AWSUser, AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup) ```
AWSGroups belong to AWSAccounts.
``` (AWSAccount)-[RESOURCE]->(AWSGroup) ```
AWSInspectorFinding¶
Representation of an AWS Inspector Finding
Relationships¶
AWSInspectorFinding may affect EC2 Instances
(AWSInspectorFinding)-[:AFFECTS]->(EC2Instance)
AWSInspectorFinding may affect ECR Repositories
(AWSInspectorFinding)-[:AFFECTS]->(ECRRepository)
AWSInspectorFinding may affect ECR Images
(AWSInspectorFinding)-[:AFFECTS]->(ECRImage)
AWSInspectorFindings belong to AWSAccounts.
``` (AWSAccount)-[RESOURCE]->(AWSInspectorFinding) ```
AWSInspectorPackage¶
Representation of an AWS Inspector Finding Package
Relationships¶
AWSInspectorFindings have AWSInspectorPackages.
``` (AWSInspectorFindings)-[HAS]->(AWSInspectorPackages) ```
AWSInspectorPackages belong to AWSAccounts.
``` (AWSAccount)-[RESOURCE]->(AWSInspectorPackages) ```
AWSLambda¶
Representation of an AWS Lambda Function.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the lambda function |
name |
The name of the lambda function |
modifieddate |
Timestamp of the last time the function was last updated |
runtime |
The runtime environment for the Lambda function |
description |
The description of the Lambda function |
timeout |
The amount of time in seconds that Lambda allows a function to run before stopping it |
memory |
The memory that’s allocated to the function |
codesize |
The size of the function’s deployment package, in bytes. |
handler |
The function that Lambda calls to begin executing your function. |
version |
The version of the Lambda function. |
tracingconfigmode |
The function’s AWS X-Ray tracing configuration mode. |
revisionid |
The latest updated revision of the function or alias. |
state |
The current state of the function. |
statereason |
The reason for the function’s current state. |
statereasoncode |
The reason code for the function’s current state. |
lastupdatestatus |
The status of the last update that was performed on the function. |
lastupdatestatusreason |
The reason for the last update that was performed on the function. |
lastupdatestatusreasoncode |
The reason code for the last update that was performed on the function. |
packagetype |
The type of deployment package. |
signingprofileversionarn |
The ARN of the signing profile version. |
signingjobarn |
The ARN of the signing job. |
codesha256 |
The SHA256 hash of the function’s deployment package. |
architectures |
The instruction set architecture that the function supports. Architecture is a string array with one of the valid values. |
masterarn |
For Lambda@Edge functions, the ARN of the main function. |
kmskeyarn |
The KMS key that’s used to encrypt the function’s environment variables. This key is only returned if you’ve configured a customer managed key. |
Relationships¶
AWSLambda function are resources in an AWS Account.
``` (AWSAccount)-[RESOURCE]->(AWSLambda) ```
AWSLambda functions may act as AWSPrincipals via role assumption.
``` (AWSLambda)-[STS_ASSUME_ROLE_ALLOW]->(AWSPrincipal) ```
AWSLambda functions may also have aliases.
``` (AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias) ```
AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
``` (AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping) ```
AWSLambda functions has AWS Lambda Layers.
``` (AWSLambda)-[HAS]->(AWSLambdaLayer) ```
AWSLambda functions has AWS ECR Images.
``` (AWSLambda)-[HAS]->(ECRImage) ```
AWSLambdaFunctionAlias¶
Representation of an AWSLambdaFunctionAlias.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the lambda function alias |
name |
The name of the lambda function alias |
functionversion |
The function version that the alias invokes. |
revisionid |
A unique identifier that changes when you update the alias. |
description |
The description of the alias. |
Relationships¶
AWSLambda functions may also have aliases.
``` (AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias) ```
AWSLambdaEventSourceMapping¶
Representation of an AWSLambdaEventSourceMapping.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The id of the event source mapping |
batchsize |
The maximum number of items to retrieve in a single batch. |
startingposition |
The position in a stream from which to start reading. |
startingpositiontimestamp |
The time from which to start reading. |
parallelizationfactor |
The number of batches to process from each shard concurrently. |
maximumbatchingwindowinseconds |
The maximum amount of time to gather records before invoking the function, in seconds. |
eventsourcearn |
The Amazon Resource Name (ARN) of the event source. |
lastmodified |
The date that the event source mapping was last updated, or its state changed. |
state |
The state of the event source mapping. |
maximumrecordage |
Discard records older than the specified age. |
bisectbatchonfunctionerror |
If the function returns an error, split the batch in two and retry. |
maximumretryattempts |
Discard records after the specified number of retries. |
tumblingwindowinseconds |
The duration in seconds of a processing window. |
lastprocessingresult |
The result of the last AWS Lambda invocation of your Lambda function. |
Relationships¶
AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
``` (AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping) ```
AWSLambdaLayer¶
Representation of an AWSLambdaLayer.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the lambda function layer |
codesize |
The size of the layer archive in bytes. |
signingprofileversionarn |
The Amazon Resource Name (ARN) for a signing profile version. |
signingjobarn |
The Amazon Resource Name (ARN) of a signing job. |
Relationships¶
AWSLambda functions has AWS Lambda Layers.
``` (AWSLambda)-[HAS]->(AWSLambdaLayer) ```
AWSPolicy¶
Representation of an AWS Policy.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
name |
The friendly name (not ARN) identifying the policy |
createdate |
ISO 8601 date-time when the policy was created |
type |
“inline” or “managed” - the type of policy it is |
arn |
The arn for this object |
id |
The unique identifer for a policy. If the policy is managed this will be the Arn. If the policy is inline this will calculated as AWSPrincipal/inline_policy/PolicyName |
Relationships¶
AWSPrincipal
containsAWSPolicy
``` (AWSPrincipal)-[POLICY]->(AWSPolicy) ```
AWSPolicy
containsAWSPolicyStatement
``` (AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement) ```
AWSPolicyStatement¶
Representation of an AWS Policy Statement.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
resources |
(array) The resources the statement is applied to. Can contain wildcards |
actions |
(array) The permissions allowed or denied by the statement. Can contain wildcards |
notactions |
(array) The permission explicitly not matched by the statement |
effect |
“Allow” or “Deny” - the effect of this statement |
id |
The unique identifier for a statement. |
Relationships¶
AWSPolicy
containsAWSPolicyStatement
``` (AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement) ```
AWSPrincipal¶
Representation of an AWSPrincipal.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
path |
The path to the principal |
name |
The friendly name of the principal |
createdate |
ISO 8601 date-time when the principal was created |
arn |
AWS-unique identifier for this object |
userid |
The stable and unique string identifying the principal. |
passwordlastused |
Datetime when this principal’s password was last used |
Relationships¶
AWS Principals can be members of AWS Groups.
``` (AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup) ```
This AccountAccessKey is used to authenticate to this AWSPrincipal.
``` (AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey) ```
AWS Roles can trust AWS Principals.
(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)
AWS Accounts contain AWS Principals.
``` (AWSAccount)-[RESOURCE]->(AWSPrincipal) ```
Redshift clusters may assume IAM roles. See this article.
(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)
AWSPrincipal::AWSUser¶
Representation of an AWSUser. An AWS User is a type of AWS Principal.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
path |
The path to the user |
name |
The friendly name of the user |
createdate |
ISO 8601 date-time when the user was created |
arn |
AWS-unique identifier for this object |
userid |
The stable and unique string identifying the user. |
passwordlastused |
Datetime when this user’s password was last used |
Relationships¶
AWS Users can be members of AWS Groups.
``` (AWSUser)-[MEMBER_AWS_GROUP]->(AWSGroup) ```
AWS Users can assume AWS Roles.
``` (AWSUser)-[STS_ASSUMEROLE_ALLOW]->(AWSRole) ```
This AccountAccessKey is used to authenticate to this AWSUser
``` (AWSUser)-[AWS_ACCESS_KEY]->(AccountAccessKey) ```
AWS Accounts contain AWS Users.
``` (AWSAccount)-[RESOURCE]->(AWSUser) ```
AWSPrincipal::AWSRole¶
Representation of an AWS IAM Role. An AWS Role is a type of AWS Principal.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
roleid |
The stable and unique string identifying the role. |
name |
The friendly name that identifies the role. |
createdate |
The date and time, in ISO 8601 date-time format, when the role was created. |
arn |
AWS-unique identifier for this object |
Relationships¶
Some AWS Groups, Users, Principals, and EC2 Instances can assume AWS Roles.
(AWSGroup, AWSUser, EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
Some AWS Roles can assume other AWS Roles.
(AWSRole)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
Some AWS Roles trust AWS Principals.
(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)
Members of an Okta group can assume associated AWS roles if Okta SAML is configured with AWS.
(AWSRole)-[ALLOWED_BY]->(OktaGroup)
AWS Roles are defined in AWS Accounts.
(AWSAccount)-[RESOURCE]->(AWSRole)
AWSTransitGateway¶
Representation of an AWS Transit Gateway.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
owner_id |
The ID of the AWS account that owns the transit gateway |
description |
Transit Gateway description |
state |
Can be one of |
tgw_id |
Unique identifier of the Transit Gateway |
id |
Unique identifier of the Transit Gateway |
arn |
AWS-unique identifier for this object (same as |
Relationships¶
Transit Gateways belong to one
AWSAccount
…(AWSAccount)-[RESOURCE]->(AWSTransitGateway)
… and can be shared with other accounts
(AWSAccount)<-[SHARED_WITH]-(AWSTransitGateway)
AWSTag
(AWSTransitGateway)-[TAGGED]->(AWSTag)
AWSTransitGatewayAttachment¶
Representation of an AWS Transit Gateway Attachment.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
resource_type |
Can be one of |
state |
Can be one of |
id |
Unique identifier of the Transit Gateway Attachment |
Relationships¶
AWSAccount
(AWSAccount)-[RESOURCE]->(AWSTransitGatewayAttachment)
AWSVpc
(for VPC attachments)(AWSVpc)-[RESOURCE]->(AWSTransitGatewayAttachment {resource_type: 'vpc'})
AWSTransitGateway
attachment(AWSTransitGateway)<-[ATTACHED_TO]-(AWSTransitGatewayAttachment)
AWSTag
(AWSTransitGatewayAttachment)-[TAGGED]->(AWSTag)
AWSVpc¶
Representation of an AWS CidrBlock used in VPC configuration. More information on https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job discovered this node |
vpcid |
The VPC unique identifier |
primary_cidr_block |
The primary IPv4 CIDR block for the VPC. |
instance_tenancy |
The allowed tenancy of instances launched into the VPC. |
state |
The current state of the VPC. |
region |
(optional) the region of this VPC. This field is only available on VPCs in your account. It is not available on VPCs that are external to your account and linked via a VPC peering relationship. |
id |
Unique identifier defined VPC node (vpcid) |
Relationships¶
AWSAccount
resource(AWSAccount)-[RESOURCE]->(AWSVpc)
AWSVpc
andAWSCidrBlock
association(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)
AWSVpc
andEC2SecurityGroup
membership association(AWSVpc)<-[MEMBER_OF_EC2_SECURITY_GROUP]-(EC2SecurityGroup)
AWS VPCs can be tagged with AWSTags.
(AWSVpc)-[TAGGED]->(AWSTag)
Redshift clusters can be members of AWSVpcs.
(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
Peering connection where
AWSVpc
is an accepter or requester vpc.(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection) (AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)
Tag::AWSTag¶
Representation of an AWS Tag. AWS Tags can be applied to many objects.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
This tag’s unique identifier of the format |
key |
One part of a key-value pair that makes up a tag. |
value |
One part of a key-value pair that makes up a tag. |
region |
The region where this tag was discovered. |
Relationships¶
AWS VPCs, DB Subnet Groups, EC2 Instances, EC2 SecurityGroups, EC2 Subnets, EC2 Network Interfaces, RDS Instances, and S3 Buckets can be tagged with AWSTags.
(AWSVpc, DBSubnetGroup, EC2Instance, EC2SecurityGroup, EC2Subnet, NetworkInterface, RDSInstance, S3Bucket)-[TAGGED]->(AWSTag)
AccountAccessKey¶
Representation of an AWS Access Key.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
createdate |
Date when access key was created |
status |
Active: valid for API calls. Inactive: not valid for API calls |
lastuseddate |
Date when the key was last used |
lastusedservice |
The service that was last used with the access key |
lastusedregion |
The region where the access key was last used |
accesskeyid |
The ID for this access key |
Relationships¶
Account Access Keys may authenticate AWS Users and AWS Principal objects.
``` (AWSUser, AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey) ```
DBSubnetGroup¶
Representation of an RDS DB Subnet Group. For more information on how RDS instances interact with these, please see this article.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
id |
The ARN of the DBSubnetGroup |
name |
The name of DBSubnetGroup |
lastupdated |
Timestamp of the last time the node was updated |
description |
Description of the DB Subnet Group |
status |
The status of the group |
vpc_id |
The ID of the VPC (Virtual Private Cloud) that this DB Subnet Group is associated with. |
value |
The IP address that the DNSRecord points to |
Relationships¶
RDS Instances are part of DB Subnet Groups
(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)
DB Subnet Groups consist of EC2 Subnets
(DBSubnetGroup)-[:RESOURCE]->(EC2Subnet)
DB Subnet Groups can be tagged with AWSTags.
``` (DBSubnetGroup)-[TAGGED]->(AWSTag) ```
DNSRecord¶
Representation of a generic DNSRecord.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
name |
The name of the DNSRecord |
lastupdated |
Timestamp of the last time the node was updated |
id |
The name of the DNSRecord concatenated with the record type |
type |
The record type of the DNS record |
value |
The IP address that the DNSRecord points to |
Relationships¶
DNSRecords can point to IP addresses.
``` (DNSRecord)-[DNS_POINTS_TO]->(Ip) ```
DNSRecords/AWSDNSRecords can point to each other.
``` (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord) ```
DNSRecords can point to LoadBalancers.
``` (DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer) ```
DNSRecords can be members of DNSZones.
``` (DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone) ```
DNSRecord::AWSDNSRecord¶
Representation of an AWS DNS ResourceRecordSet.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
name |
The name of the DNSRecord |
lastupdated |
Timestamp of the last time the node was updated |
id |
The zoneid for the record, the value of the record, and the type concatenated together |
type |
The record type of the DNS record |
value |
If it is an A, ALIAS, or CNAME record, this is the IP address that the DNSRecord points to. If it is an NS record, the |
Relationships¶
DNSRecords/AWSDNSRecords can point to each other.
``` (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord) ```
AWSDNSRecords can point to LoadBalancers.
``` (AWSDNSRecord)-[DNS_POINTS_TO]->(LoadBalancer, ESDomain) ```
AWSDNSRecords can be members of AWSDNSZones.
``` (AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone) ```
DNSZone¶
Representation of a generic DNS Zone.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
name |
the name of the DNS zone |
comment |
Comments about the zone |
Relationships¶
DNSRecords can be members of DNSZones.
``` (DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone) ```
DNSZone::AWSDNSZone¶
Representation of an AWS DNS HostedZone.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
name |
the name of the DNS zone |
zoneid |
The zoneid defined by Amazon Route53 |
lastupdated |
Timestamp of the last time the node was updated |
comment |
Comments about the zone |
privatezone |
Whether or not this is a private DNS zone |
Relationships¶
AWSDNSZones and DNSZones can be part of AWSAccounts.
``` (AWSAccount)-[RESOURCE]->(AWSDNSZone) ```
AWSDNSRecords can be members of AWSDNSZones.
``` (AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone) ```
AWSDNSZone can have subzones hosted by another AWSDNSZone
``` (AWSDNSZone)<-[SUBZONE]-(AWSDNSZone) ```
DynamoDBTable¶
Representation of an AWS DynamoDBTable.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
name |
The name of the table |
id |
The ARN of the table |
region |
The AWS region of the table |
arn |
The AWS-unique identifier |
Relationships¶
DynamoDBTables belong to AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(DynamoDBTable) ```
EC2Instance¶
Our representation of an AWS EC2 Instance.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
Same as |
instanceid |
The instance id provided by AWS. This is globally unique |
publicdnsname |
The public DNS name assigned to the instance |
publicipaddress |
The public IPv4 address assigned to the instance if applicable |
privateipaddress |
The private IPv4 address assigned to the instance |
imageid |
The ID of the Amazon Machine Image used to launch the instance |
subnetid |
The ID of the EC2Subnet associated with this instance |
instancetype |
The instance type. See API docs linked above for specifics. |
iaminstanceprofile |
The IAM instance profile associated with the instance, if applicable. |
launchtime |
The time the instance was launched |
monitoringstate |
Whether monitoring is enabled. Valid Values: disabled, disabling, enabled, pending. |
state |
The current state of the instance. |
launchtimeunix |
The time the instance was launched in unix time |
region |
The AWS region this Instance is running in |
exposed_internet |
The |
availabilityzone |
The Availability Zone of the instance. |
tenancy |
The tenancy of the instance. |
hostresourcegrouparn |
The ARN of the host resource group in which to launch the instances. |
platform |
The value is |
architecture |
The architecture of the image. |
ebsoptimized |
Indicates whether the instance is optimized for Amazon EBS I/O. |
bootmode |
The boot mode of the instance. |
instancelifecycle |
Indicates whether this is a Spot Instance or a Scheduled Instance. |
hibernationoptions |
Indicates whether the instance is enabled for hibernation. |
Relationships¶
EC2 Instances can be part of subnets
``` (EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet) ```
EC2 Instances can have NetworkInterfaces connected to them
``` (EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface) ```
EC2 Instances may be members of EC2 Reservations
``` (EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation) ```
EC2 Instances can be part of EC2 Security Groups
``` (EC2Instance)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
Load Balancers can expose (be connected to) EC2 Instances
``` (LoadBalancer)-[EXPOSE]->(EC2Instance) ```
Package and Dependency nodes can be deployed in EC2 Instances.
``` (Package, Dependency)-[DEPLOYED]->(EC2Instance) ```
AWS Accounts contain EC2 Instances.
``` (AWSAccount)-[RESOURCE]->(EC2Instance) ```
EC2 Instances can be tagged with AWSTags.
``` (EC2Instance)-[TAGGED]->(AWSTag) ```
AWS EBS Volumes are attached to an EC2 Instance
``` (EBSVolume)-[ATTACHED_TO]->(EC2Instance) ```
EC2 Instances can assume IAM Roles.
``` (EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole) ```
EC2Instances can have SSMInstanceInformation
``` (EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation) ```
EC2Instances can have SSMInstancePatches
``` (EC2Instance)-[HAS_PATCH]->(SSMInstancePatch) ```
EC2KeyPair¶
Representation of an AWS EC2 Key Pair
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
keyname |
The name of the key pair |
keyfingerprint |
The fingerprint of the public key |
region |
The AWS region |
arn |
AWS-unique identifier for this object |
id |
same as |
user_uploaded |
|
duplicate_keyfingerprint |
|
Relationships¶
EC2 key pairs are contained in AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(EC2KeyPair) ```
EC2 key pairs can be used to log in to AWS EC2 isntances.
``` (EC2KeyPair)-[SSH_LOGIN_TO]->(EC2Instance) ```
EC2 key pairs have matching
keyfingerprint
.``` (EC2KeyPair)-[MATCHING_FINGERPRINT]->(EC2KeyPair) ```
EC2PrivateIp¶
Representation of an AWS EC2 InstancePrivateIpAddress
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
network_interface_id |
id of the network interface with which the IP is associated with |
primary |
Indicates whether this IPv4 address is the primary private IP address of the network interface. |
private_ip_address |
The private IPv4 address of the network interface. |
public_ip |
The public IP address or Elastic IP address bound to the network interface. |
ip_owner_id |
Id of the owner, e.g. |
Relationships¶
EC2PrivateIps are connected with NetworkInterfaces.
``` (NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp) ```
EC2Reservation¶
Representation of an AWS EC2 Reservation.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
requesterid |
The ID of the requester that launched the instances on your behalf |
reservationid |
The ID of the reservation. |
region |
The AWS region |
ownerid |
The ID of the AWS account that owns the reservation. |
Relationships¶
EC2 reservations are contained in AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(EC2Reservation) ```
EC2 Instances are members of EC2 reservations.
``` (EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation) ```
EC2SecurityGroup¶
Representation of an AWS EC2 Security Group.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
groupid |
The ID of the security group |
name |
The name of the security group |
description |
A description of the security group |
id |
Same as |
region |
The AWS region this security group is installed in |
Relationships¶
EC2 Instances, Network Interfaces, Load Balancers, Elastic Search Domains, IP Rules, IP Permission Inbound nodes, and RDS Instances can be members of EC2 Security Groups.
``` (EC2Instance, NetworkInterface, LoadBalancer, ESDomain, IpRule, IpPermissionInbound, RDSInstance, AWSVpc)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
Load balancers can define inbound Source Security Groups.
``` (LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup) ```
AWS Accounts contain EC2 Security Groups.
``` (AWSAccount)-[RESOURCE]->(EC2SecurityGroup) ```
EC2 SecurityGroups can be tagged with AWSTags.
``` (EC2SecurityGroup)-[TAGGED]->(AWSTag) ```
Redshift clusters can be members of EC2 Security Groups.
(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
EC2Subnet¶
Representation of an AWS EC2 Subnet.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
subnetid |
The ID of the subnet |
id |
same as subnetid |
region |
The AWS region the subnet is installed on |
name |
The IPv4 CIDR block assigned to the subnet |
cidr_block |
The IPv4 CIDR block assigned to the subnet |
available_ip_address_count |
The number of unused private IPv4 addresses in the subnet. The IPv4 addresses for any stopped instances are considered unavailable |
default_for_az |
Indicates whether this is the default subnet for the Availability Zone. |
map_customer_owned_ip_on_launch |
Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives a customer-owned IPv4 address |
map_public_ip_on_launch |
Indicates whether instances launched in this subnet receive a public IPv4 address |
subnet_arn |
The Amazon Resource Name (ARN) of the subnet |
availability_zone |
The Availability Zone of the subnet |
availability_zone_id |
The AZ ID of the subnet |
state |
The current state of the subnet. |
assignipv6addressoncreation |
Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address. |
Relationships¶
A Network Interface can be part of an EC2 Subnet.
``` (NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet) ```
An EC2 Instance can be part of an EC2 Subnet.
``` (EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet) ```
A LoadBalancer can be part of an EC2 Subnet.
``` (LoadBalancer)-[SUBNET]->(EC2Subnet) ```
A LoadBalancer can be part of an EC2 Subnet.
``` (LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet) ```
A LoadBalancerV2 can be part of an EC2 Subnet.
``` (LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet) ```
DB Subnet Groups consist of EC2 Subnets
(DBSubnetGroup)-[RESOURCE]->(EC2Subnet)
EC2 Subnets can be tagged with AWSTags.
``` (EC2Subnet)-[TAGGED]->(AWSTag) ```
EC2 Subnets are member of a VPC.
``` (EC2Subnet)-[MEMBER_OF_AWS_VPC]->(AWSVpc) ```
EC2 Subnets belong to AWS Accounts
``` (AWSAccount)-[RESOURCE]->(EC2Subnet) ```
EC2PrivateIps are connected with NetworkInterfaces.
(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
AWSInternetGateway¶
Representation of an AWS Interent Gateway.
Field |
Description |
---|---|
id |
Internet gateway ID |
arn |
Amazon Resource Name |
region |
The region of the gateway |
Relationships¶
Internet Gateways are attached to a VPC.
``` (AWSInternetGateway)-[ATTACHED_TO]->(AWSVpc) ```
Internet Gateways belong to AWS Accounts
``` (AWSAccount)-[RESOURCE]->(AWSInternetGateway) ```
ECRRepository¶
Representation of an AWS Elastic Container Registry Repository.
Field |
Description |
---|---|
id |
Same as ARN |
arn |
The ARN of the repository |
name |
The name of the repository |
region |
The region of the repository |
created_at |
Date and time when the repository was created |
Relationships¶
An ECRRepository contains ECRRepositoryImages:
(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)
EC2NetworkAcl¶
Representation of an AWS EC2 Network ACL
Field |
Description |
---|---|
id |
The arn of the network ACL |
arn |
Amazon Resource Name |
network_acl_id |
The ID of the network ACL |
is_default |
Indicates whether this is the default network ACL for the VPC. |
vpc_id |
The ID of the VPC this ACL is associated with |
region |
The region |
Relationships¶
EC2 Network ACLs have ingress and egress rules
(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionInbound)
(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionEgress)
EC2 Network ACLs define egress and ingress rules on subnets
``` (:EC2NetworkAcl)-[:PART_OF_SUBNET]->(:EC2Subnet) ```
EC2 Network ACLs are attached to VPCs.
``` (:EC2NetworkAcl)-[:MEMBER_OF_AWS_VPC]->(:AWSVpc) ```
EC2 Network ACLs belong to AWS Accounts
``` (:AWSAccount)-[:RESOURCE]->(:EC2NetworkAcl) ```
EC2NetworkAclRule :: IpPermissionInbound / IpPermissionEgress¶
Representation of an AWS EC2 Network ACL Rule Entry For additional explanation see https://docs.aws.amazon.com/vpc/latest/userguide/nacl-rules.html.
Field |
Description |
---|---|
id |
The ID of this rule: |
network_acl_id |
The ID of the network ACL that this belongs to |
protocol |
Indicates whether this is the default network ACL for the VPC. |
fromport |
First port in the range that this rule applies to |
toport |
Last port in the range that this rule applies to |
cidrblock |
The IPv4 network range to allow or deny, in CIDR notation. |
egress |
Indicates whether the rule is an egress rule (applied to traffic leaving the subnet). |
rulenumber |
The rule number for the entry. ACL entries are processed in ascending order by rule number. |
ruleaction |
Indicates whether to |
region |
The region |
Relationships¶
EC2 Network ACLs have ingress and egress rules
(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionInbound)
(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionEgress)
EC2 Network ACL Ruless belong to AWS Accounts
(:AWSAccount)-[:RESOURCE]->(:EC2NetworkAclRule)
ECRRepositoryImage¶
An ECR image may be referenced and tagged by more than one ECR Repository. To best represent this, we’ve created an
ECRRepositoryImage
node as a layer of indirection between the repo and the image.
More concretely explained, we run
``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_, and then
store the image tag on an ECRRepositoryImage
node and the image digest hash on a separate ECRImage
node.
This way, more than one ECRRepositoryImage
can reference/be connected to the same ECRImage
.
Field |
Description |
---|---|
tag |
The tag applied to the repository image, e.g. “latest” |
uri |
The URI where the repository image is stored |
id |
same as uri |
Relationships¶
An ECRRepository contains ECRRepositoryImages:
(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)
ECRRepositoryImages reference ECRImages
(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)
ECRImage¶
Representation of an ECR image identified by its digest (e.g. a SHA hash). Specifically, this is the “digest part” of ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_. Also see ECRRepositoryImage.
Field |
Description |
---|---|
digest |
The hash of this ECR image |
id |
Same as digest |
Relationships¶
ECRRepositoryImages reference ECRImages
(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)
Software packages are a part of ECR Images
(:Package)-[:DEPLOYED]->(:ECRImage)
Package¶
Representation of a software package, as found by an AWS ECR vulnerability scan.
Field |
Description |
---|---|
id |
Concatenation of |
version |
The version of the package, includes the Linux distro that it was built for |
name |
The name of the package |
Relationships¶
Software packages are a part of ECR Images
(:Package)-[:DEPLOYED]->(:ECRImage)
AWS ECR scans yield ECRScanFindings that affect software packages
(:ECRScanFindings)-[:AFFECTS]->(:Package)
ECRScanFinding (:Risk:CVE)¶
Representation of a scan finding from AWS ECR. This is the result output of ``ecr.describe_image_scan_findings()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html>`_.
Field |
Description |
---|---|
name |
The name of the ECR scan finding, e.g. a CVE name |
id |
Same as name |
severity |
The severity of the risk |
uri |
A URI link to a descriptive article on the risk |
Relationships¶
AWS ECR scans yield ECRScanFindings that affect software packages
(:ECRScanFindings)-[:AFFECTS]->(:Package)
EKSCluster¶
Representation of an AWS EKS Cluster.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
created_at |
The date and time the cluster was created |
region |
The AWS region |
arn |
AWS-unique identifier for this object |
id |
same as |
name |
Name of the EKS Cluster |
endpoint |
The endpoint for the Kubernetes API server. |
endpoint_public_access |
Indicates whether the Amazon EKS public API server endpoint is enabled |
exposed_internet |
Set to True if the EKS Cluster public API server endpoint is enabled |
rolearn |
The ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API |
version |
Kubernetes version running |
platform_version |
Version of EKS |
status |
Status of the cluster. Valid Values: creating, active, deleting, failed, updating |
audit_logging |
Whether audit logging is enabled |
Relationships¶
EKS Clusters belong to AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(EKSCluster) ```
EMRCluster¶
Representation of an AWS EMR Cluster.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
region |
The AWS region |
arn |
AWS-unique identifier for this object |
id |
The Id of the EMR Cluster. |
instance_collection_type |
The instance group configuration of the cluster. A value of INSTANCE_GROUP indicates a uniform instance group configuration. A value of INSTANCE_FLEET indicates an instance fleets configuration. |
log_encryption_kms_key_id |
The KMS key used for encrypting log files. |
requested_ami_version |
The AMI version requested for this cluster. |
running_ami_version |
The AMI version running on this cluster. |
release_label |
The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster. |
auto_terminate |
Specifies whether the cluster should terminate after completing all steps. |
termination_protected |
Indicates whether Amazon EMR will lock the cluster to prevent the EC2 instances from being terminated by an API call or user intervention, or in the event of a cluster error. |
visible_to_all_users |
Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster. |
master_public_dns_name |
The DNS name of the master node. If the cluster is on a private subnet, this is the private DNS name. On a public subnet, this is the public DNS name. |
security_configuration |
The name of the security configuration applied to the cluster. |
autoscaling_role |
An IAM role for automatic scaling policies. |
scale_down_behavior |
The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. |
custom_ami_id |
The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI. |
repo_upgrade_on_boot |
Specifies the type of updates that are applied from the Amazon Linux AMI package repositories when an instance boots using the AMI. |
outpost_arn |
The Amazon Resource Name (ARN) of the Outpost where the cluster is launched. |
log_uri |
The path to the Amazon S3 location where logs for this cluster are stored. |
servicerole |
Service Role of the EMR Cluster |
Relationships¶
EMR Clusters belong to AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(EMRCluster) ```
ESDomain¶
Representation of an AWS ElasticSearch Domain (see ElasticsearchDomainConfig).
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
elasticsearch_cluster_config_instancetype |
The instancetype |
elasticsearch_version |
The version of elasticsearch |
elasticsearch_cluster_config_zoneawarenessenabled |
Indicates whether multiple Availability Zones are enabled. |
elasticsearch_cluster_config_dedicatedmasterenabled |
Indicates whether dedicated master nodes are enabled for the cluster. True if the cluster will use a dedicated master node. False if the cluster will not. |
elasticsearch_cluster_config_dedicatedmastercount |
Number of dedicated master nodes in the cluster. |
elasticsearch_cluster_config_dedicatedmastertype |
Amazon ES instance type of the dedicated master nodes in the cluster. |
domainid |
Unique identifier for an Amazon ES domain. |
encryption_at_rest_options_enabled |
Specify true to enable encryption at rest. |
deleted |
Status of the deletion of an Amazon ES domain. True if deletion of the domain is complete. False if domain deletion is still in progress. |
id |
same as |
arn |
Amazon Resource Name (ARN) of an Amazon ES domain. |
exposed_internet |
|
Relationships¶
Elastic Search domains can be members of EC2 Security Groups.
``` (ESDomain)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
Elastic Search domains belong to AWS Accounts.
(AWSAccount)-[RESOURCE]->(ESDomain)
DNS Records can point to Elastic Search domains.
``` (DNSRecord)-[DNS_POINTS_TO]->(ESDomain) ```
Endpoint¶
Representation of a generic network endpoint.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
protocol |
The protocol of this endpoint |
port |
The port of this endpoint |
Relationships¶
Endpoints can be installed load balancers, though more specifically we would refer to these Endpoint nodes as ELBListeners.
``` (LoadBalancer)-[ELB_LISTENER]->(Endpoint) ```
Endpoint::ELBListener¶
Representation of an AWS Elastic Load Balancer Listener. Here, an ELBListener is a more specific type of Endpoint. Here’a good introduction.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
protocol |
The protocol of this endpoint |
port |
The port of this endpoint |
policy_names |
A list of SSL policy names set on the listener. |
id |
The ELB ID. This is a concatenation of the DNS name, port, and protocol. |
instance_port |
The port open on the EC2 instance that this listener is connected to |
instance_protocol |
The protocol defined on the EC2 instance that this listener is connected to |
Relationships¶
A ELBListener is installed on a load balancer.
``` (LoadBalancer)-[ELB_LISTENER]->(ELBListener) ```
Endpoint::ELBV2Listener¶
Representation of an AWS Elastic Load Balancer V2 Listener.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
protocol |
The protocol of this endpoint - One of |
port |
The port of this endpoint |
ssl_policy |
Only set for HTTPS or TLS listener. The security policy that defines which protocols and ciphers are supported. |
targetgrouparn |
The ARN of the Target Group, if the Action type is |
Relationships¶
A ELBV2Listener is installed on a LoadBalancerV2.
``` (elbv2)-[r:ELBV2_LISTENER]->(ELBV2Listener) ```
Ip¶
Represents a generic IP address.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
ip |
The IPv4 address |
id |
Same as |
Relationships¶
DNSRecords can point to IP addresses.
``` (DNSRecord)-[DNS_POINTS_TO]->(Ip) ```
IpRule¶
Represents a generic IP rule. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.
Field |
Description |
---|---|
ruleid |
|
groupid |
The groupid of the EC2 Security Group that this was derived from |
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
protocol |
The protocol this rule applies to |
fromport |
Lowest port in the range defined by this rule |
toport |
Highest port in the range defined by this rule |
Relationships¶
IpRules are defined from EC2SecurityGroups.
``` (IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
IpRule::IpPermissionInbound¶
An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.
Field |
Description |
---|---|
ruleid |
|
groupid |
The groupid of the EC2 Security Group that this was derived from |
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
protocol |
The protocol this rule applies to |
fromport |
Lowest port in the range defined by this rule |
toport |
Highest port in the range defined by this rule |
Relationships¶
IpPermissionInbound rules are defined from EC2SecurityGroups.
``` (IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
LoadBalancer¶
Represents an AWS Elastic Load Balancer. See spec for details.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
scheme |
The type of load balancer. Valid only for load balancers in a VPC. If scheme is |
name |
The name of the load balancer |
dnsname |
The DNS name of the load balancer. |
canonicalhostedzonename |
The DNS name of the load balancer |
id |
Currently set to the |
region |
The region of the load balancer |
createdtime |
The date and time the load balancer was created. |
canonicalhostedzonenameid |
The ID of the Amazon Route 53 hosted zone for the load balancer. |
exposed_internet |
The |
Relationships¶
LoadBalancers can be connected to EC2Instances and therefore expose them.
``` (LoadBalancer)-[EXPOSE]->(EC2Instance) ```
LoadBalancers can have source security groups configured.
``` (LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup) ```
LoadBalancers can be part of EC2SecurityGroups.
``` (LoadBalancer)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
LoadBalancers can be part of EC2 Subnets
``` (LoadBalancer)-[SUBNET]->(EC2Subnet) ```
LoadBalancers can be part of EC2 Subnets
``` (LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet) ```
LoadBalancers can have listeners configured to accept connections from clients (good introduction).
``` (LoadBalancer)-[ELB_LISTENER]->(Endpoint, ELBListener) ```
LoadBalancers are part of AWSAccounts.
``` (AWSAccount)-[RESOURCE]->(LoadBalancer) ```
AWSDNSRecords and DNSRecords point to LoadBalancers.
``` (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer) ```
LoadBalancerV2¶
Represents an Elastic Load Balancer V2 (Application Load Balancer or Network Load Balancer.) API reference here.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
scheme |
The type of load balancer. If scheme is |
name |
The name of the load balancer |
dnsname |
The DNS name of the load balancer. |
exposed_internet |
The |
id |
Currently set to the |
type |
Can be |
region |
The region of the load balancer |
createdtime |
The date and time the load balancer was created. |
canonicalhostedzonenameid |
The ID of the Amazon Route 53 hosted zone for the load balancer. |
Relationships¶
LoadBalancerV2’s can be connected to EC2Instances and therefore expose them.
``` (LoadBalancerV2)-[EXPOSE]->(EC2Instance) ```
EXPOSE
relationshiohip also holds the protocol, port and TargetGroupArn the load balancer points to.LoadBalancerV2’s can be part of EC2SecurityGroups but only if their
type
= “application”. NLBs don’t have SGs.``` (LoadBalancerV2)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
LoadBalancerV2’s can be part of EC2 Subnets
``` (LoadBalancerV2)-[SUBNET]->(EC2Subnet) ```
LoadBalancerV2’s can be part of EC2 Subnets
``` (LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet) ```
LoadBalancerV2’s have listeners:
``` (LoadBalancerV2)-[ELBV2_LISTENER]->(ELBV2Listener) ```
Nameserver¶
Represents a DNS nameserver. | Field | Description | |-------|————-| | firstseen| Timestamp of when a sync job first discovered this node | | lastupdated | Timestamp of the last time the node was updated | | id | The address of the nameserver| | name | The name or address of the nameserver|
Relationships¶
Nameservers are nameservers for to DNSZone.
``` (Nameserver)-[NAMESERVER]->(DNSZone) ```
NetworkInterface¶
Representation of a generic Network Interface. Currently however, we only create NetworkInterface nodes from AWS EC2 Instances. The spec for an AWS EC2 network interface is here.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
mac_address |
The MAC address of the network interface |
description |
Description of the network interface |
private_ip_address |
The primary IPv4 address of the network interface within the subnet |
id |
The ID of the network interface. (known as |
private_dns_name |
The private DNS name |
status |
Status of the network interface. Valid Values: |
subnetid |
The ID of the subnet |
interface_type |
Describes the type of network interface. Valid values: |
requester_id |
Id of the requester, e.g. |
requester_managed |
Indicates whether the interface is managed by the requester |
source_dest_check |
Indicates whether to validate network traffic to or from this network interface. |
public_ip |
Public IPv4 address attached to the interface |
Relationships¶
EC2 Network Interfaces belong to AWS accounts.
(NetworkInterface)<-[:RESOURCE]->(:AWSAccount)
Network interfaces can be connected to EC2Subnets.
``` (NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet) ```
Network interfaces can be members of EC2SecurityGroups.
``` (NetworkInterface)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup) ```
EC2Instances can have NetworkInterfaces connected to them.
``` (EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface) ```
LoadBalancers can have NetworkInterfaces connected to them.
``` (LoadBalancer)-[NETWORK_INTERFACE]->(NetworkInterface) ```
LoadBalancerV2s can have NetworkInterfaces connected to them.
``` (LoadBalancerV2)-[NETWORK_INTERFACE]->(NetworkInterface) ```
EC2PrivateIps are connected to a NetworkInterface.
``` (NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp) ```
EC2 Network Interfaces can be tagged with AWSTags.
``` (NetworkInterface)-[TAGGED]->(AWSTag) ```
AWSPeeringConnection¶
Representation of an AWS PeeringConnection implementing an AWS VpcPeeringConnection object.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
vpcPeeringConnectionId, The ID of the VPC peering connection. |
allow_dns_resolution_from_remote_vpc |
Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC. |
allow_egress_from_local_classic_link_to_remote_vpc |
Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection. |
allow_egress_from_local_vpc_to_remote_classic_link |
Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection. |
requester_region |
Peering requester region |
accepter_region |
Peering accepter region |
status_code |
The status of the VPC peering connection. |
status_message |
A message that provides more information about the status, if applicable. |
Relationships¶
AWSVpc
is an accepter or requester vpc.(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection) (AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)
AWSCidrBlock
is an accepter or requester cidr.(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection) (AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)
RedshiftCluster¶
Representation of an AWS RedshiftCluster.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
arn |
The Amazon Resource Name (ARN) for the Redshift cluster |
id |
Same as arn |
availability_zone |
Specifies the name of the Availability Zone the cluster is located in |
cluster_create_time |
Provides the date and time the cluster was created |
cluster_identifier |
The unique identifier of the cluster. |
cluster_revision_number |
The specific revision number of the database in the cluster. |
db_name |
The name of the initial database that was created when the cluster was created. This same name is returned for the life of the cluster. If an initial database was not specified, a database named devdev was created by default. |
encrypted |
Specifies whether the cluster has encryption enabled |
cluster_status |
The current state of the cluster. |
endpoint_address |
DNS name of the Redshift cluster endpoint |
endpoint_port |
The port that the Redshift cluster’s endpoint is listening on |
master_username |
The master user name for the cluster. This name is used to connect to the database that is specified in the DBName parameter. |
node_type |
The node type for the nodes in the cluster. |
number_of_nodes |
The number of compute nodes in the cluster. |
publicly_accessible |
A boolean value that, if true, indicates that the cluster can be accessed from a public network. |
vpc_id |
The identifier of the VPC the cluster is in, if the cluster is in a VPC. |
Relationships¶
Redshift clusters are part of AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(RedshiftCluster) ```
Redshift clusters can be members of EC2 Security Groups.
(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
Redshift clusters may assume IAM roles. See this article.
(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)
Redshift clusters can be members of AWSVpcs.
(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
RDSCluster¶
Representation of an AWS Relational Database Service DBCluster
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
Same as ARN |
arn |
The Amazon Resource Name (ARN) for the DB cluster. |
allocated_storage |
For all database engines except Amazon Aurora, AllocatedStorage specifies the allocated storage size in gibibytes (GiB). For Aurora, AllocatedStorage always returns 1, because Aurora DB cluster storage size isn’t fixed, but instead automatically adjusts as needed. |
availability_zones |
Provides the list of Availability Zones (AZs) where instances in the DB cluster can be created. |
backup_retention_period |
Specifies the number of days for which automatic DB snapshots are retained. |
character_set_name |
If present, specifies the name of the character set that this cluster is associated with. |
database_name |
Contains the name of the initial database of this DB cluster that was provided at create time, if one was specified when the DB cluster was created. This same name is returned for the life of the DB cluster. |
db_cluster_identifier |
Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster. |
db_parameter_group |
Specifies the name of the DB cluster parameter group for the DB cluster. |
status |
Specifies the current state of this DB cluster. |
earliest_restorable_time |
The earliest time to which a database can be restored with point-in-time restore. |
endpoint |
Specifies the connection endpoint for the primary instance of the DB cluster. |
reader_endpoint |
The reader endpoint for the DB cluster. The reader endpoint for a DB cluster load-balances connections across the Aurora Replicas that are available in a DB cluster. As clients request new connections to the reader endpoint, Aurora distributes the connection requests among the Aurora Replicas in the DB cluster. This functionality can help balance your read workload across multiple Aurora Replicas in your DB cluster. If a failover occurs, and the Aurora Replica that you are connected to is promoted to be the primary instance, your connection is dropped. To continue sending your read workload to other Aurora Replicas in the cluster, you can then reconnect to the reader endpoint. |
multi_az |
Specifies whether the DB cluster has instances in multiple Availability Zones. |
engine |
The name of the database engine to be used for this DB cluster. |
engine_version |
Indicates the database engine version. |
latest_restorable_time |
Specifies the latest time to which a database can be restored with point-in-time restore. |
port |
Specifies the port that the database engine is listening on. |
master_username |
Contains the master username for the DB cluster. |
preferred_backup_window |
Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod. |
preferred_maintenance_window |
Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). |
hosted_zone_id |
Specifies the ID that Amazon Route 53 assigns when you create a hosted zone. |
storage_encrypted |
Specifies whether the DB cluster is encrypted. |
kms_key_id |
If StorageEncrypted is enabled, the AWS KMS key identifier for the encrypted DB cluster. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK). |
db_cluster_resource_id |
The AWS Region-unique, immutable identifier for the DB cluster. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS CMK for the DB cluster is accessed. |
clone_group_id |
Identifies the clone group to which the DB cluster is associated. |
cluster_create_time |
Specifies the time when the DB cluster was created, in Universal Coordinated Time (UTC). |
earliest_backtrack_time |
The earliest time to which a DB cluster can be backtracked. |
backtrack_window |
The target backtrack window, in seconds. If this value is set to 0, backtracking is disabled for the DB cluster. Otherwise, backtracking is enabled. |
backtrack_consumed_change_records |
The number of change records stored for Backtrack. |
capacity |
The current capacity of an Aurora Serverless DB cluster. The capacity is 0 (zero) when the cluster is paused. |
engine_mode |
The DB engine mode of the DB cluster, either provisioned, serverless, parallelquery, global, or multimaster. |
scaling_configuration_info_min_capacity |
The minimum capacity for the Aurora DB cluster in serverless DB engine mode. |
scaling_configuration_info_max_capacity |
The maximum capacity for an Aurora DB cluster in serverless DB engine mode. |
scaling_configuration_info_auto_pause |
A value that indicates whether automatic pause is allowed for the Aurora DB cluster in serverless DB engine mode. |
deletion_protection |
Indicates if the DB cluster has deletion protection enabled. The database can’t be deleted when deletion protection is enabled. |
Relationships¶
RDS Clusters are part of AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(RDSCluster) ```
Some RDS instances are cluster members.
(replica:RDSInstance)-[IS_CLUSTER_MEMBER_OF]->(source:RDSCluster)
RDSInstance¶
Representation of an AWS Relational Database Service DBInstance.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
Same as ARN |
arn |
The Amazon Resource Name (ARN) for the DB instance. |
db_instance_identifier |
Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance. |
availability_zone |
Specifies the name of the Availability Zone the DB instance is located in. |
backup_retention_period |
Specifies the number of days for which automatic DB snapshots are retained. |
preferred_backup_window |
Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod. |
ca_certificate_identifier |
The identifier of the CA certificate for this DB instance. |
db_cluster_identifier |
If the DB instance is a member of a DB cluster, contains the name of the DB cluster that the DB instance is a member of. |
db_instance_class |
Contains the name of the compute and memory capacity class of the DB instance. |
db_instance_port |
Specifies the port that the DB instance listens on. |
dbi_resource_id |
The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed. |
db_name |
The meaning of this parameter differs according to the database engine you use. For example, this value returns MySQL, MariaDB, or PostgreSQL information when returning values from CreateDBInstanceReadReplica since Read Replicas are only supported for these engines. |
engine |
Provides the name of the database engine to be used for this DB instance. |
engine_version |
Indicates the database engine version. |
enhanced_monitoring_resource_arn |
The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance. |
instance_create_time |
Provides the date and time the DB instance was created. |
kms_key_id |
If StorageEncrypted is true, the AWS KMS key identifier for the encrypted DB instance. |
master_username |
Contains the master username for the DB instance. |
monitoring_role_arn |
The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs. |
multi_az |
Specifies if the DB instance is a Multi-AZ deployment. |
performance_insights_enabled |
True if Performance Insights is enabled for the DB instance, and otherwise false. |
preferred_maintenance_window |
Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). |
publicly_accessible |
Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address. |
storage_encrypted |
Specifies whether the DB instance is encrypted. |
endpoint_address |
DNS name of the RDS instance |
endpoint_port |
The port that the RDS instance is listening on |
endpoint_hostedzoneid |
The AWS DNS Zone ID that is associated with the RDS instance’s DNS entry |
auto_minor_version_upgrade |
Specifies whether minor version upgrades are applied automatically to the DB instance during the maintenance window |
iam_database_authentication_enabled |
Specifies if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled |
Relationships¶
RDS Instances are part of AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(RDSInstance) ```
Some RDS instances are Read Replicas.
(replica:RDSInstance)-[IS_READ_REPLICA_OF]->(source:RDSInstance)
RDS Instances can be members of EC2 Security Groups.
(RDSInstance)-[m:MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
RDS Instances are connected to DB Subnet Groups.
(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)
RDS Instances can be tagged with AWSTags.
``` (RDSInstance)-[TAGGED]->(AWSTag) ```
RDSSnapshot¶
Representation of an AWS Relational Database Service DBSnapshot.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
Same as ARN |
arn |
The Amazon Resource Name (ARN) for the DB snapshot. |
db_snapshot_identifier |
Specifies the identifier for the DB snapshot. |
db_instance_identifier |
Specifies the DB instance identifier of the DB instance this DB snapshot was created from. |
snapshot_create_time |
Specifies when the snapshot was taken in Coordinated Universal Time (UTC). Changes for the copy when the snapshot is copied. |
engine |
Specifies the name of the database engine. |
allocated_storage |
Specifies the allocated storage size in gibibytes (GiB). |
status |
Specifies the status of this DB snapshot. |
port |
Specifies the port that the database engine was listening on at the time of the snapshot. |
availability_zone |
Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot. |
vpc_id |
Provides the VPC ID associated with the DB snapshot. |
instance_create_time |
Specifies the time in Coordinated Universal Time (UTC) when the DB instance, from which the snapshot was taken, was created. |
master_username |
Provides the master username for the DB snapshot. |
engine_version |
Specifies the version of the database engine. |
license_model |
License model information for the restored DB instance. |
snapshot_type |
Provides the type of the DB snapshot. |
iops |
Specifies the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the snapshot. |
option_group_name |
Provides the option group name for the DB snapshot. |
percent_progress |
The percentage of the estimated data that has been transferred. |
source_region |
The AWS Region that the DB snapshot was created in or copied from. |
source_db_snapshot_identifier |
The DB snapshot Amazon Resource Name (ARN) that the DB snapshot was copied from. It only has a value in the case of a cross-account or cross-Region copy. |
storage_type |
Specifies the storage type associated with DB snapshot. |
tde_credential_arn |
The ARN from the key store with which to associate the instance for TDE encryption. |
encrypted |
Specifies whether the DB snapshot is encrypted. |
kms_key_id |
If Encrypted is true, the AWS KMS key identifier for the encrypted DB snapshot. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. |
timezone |
The time zone of the DB snapshot. In most cases, the Timezone element is empty. Timezone content appears only for snapshots taken from Microsoft SQL Server DB instances that were created with a time zone specified. |
iam_database_authentication_enabled |
True if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false. |
processor_features |
The number of CPU cores and the number of threads per core for the DB instance class of the DB instance when the DB snapshot was created. |
dbi_resource_id |
The identifier for the source DB instance, which can’t be changed and which is unique to an AWS Region. |
original_snapshot_create_time |
Specifies the time of the CreateDBSnapshot operation in Coordinated Universal Time (UTC). Doesn’t change when the snapshot is copied. |
snapshot_database_time |
The timestamp of the most recent transaction applied to the database that you’re backing up. Thus, if you restore a snapshot, SnapshotDatabaseTime is the most recent transaction in the restored DB instance. In contrast, originalSnapshotCreateTime specifies the system time that the snapshot completed. If you back up a read replica, you can determine the replica lag by comparing SnapshotDatabaseTime with originalSnapshotCreateTime. For example, if originalSnapshotCreateTime is two hours later than SnapshotDatabaseTime, then the replica lag is two hours. |
snapshot_target |
Specifies where manual snapshots are stored: AWS Outposts or the AWS Region. |
storage_throughput |
|
region |
The AWS region of the snapshot |
Relationships¶
RDS Snapshots are part of AWS Accounts.
``` (AWSAccount)-[RESOURCE]->(RDSSnapshot) ```
RDS Snapshots are connected to DB Instances.
(RDSSnapshot)-[:IS_SNAPSHOT_SOURCE]->(RDSInstance)
RDS Snapshots can be tagged with AWSTags.
``` (RDSSnapshot)-[TAGGED]->(AWSTag) ```
S3Acl¶
Representation of an AWS S3 Access Control List.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
granteeid |
The ID of the grantee as defined here |
displayname |
Optional display name for the ACL |
permission |
Valid values: |
id |
The ID of this ACL |
type |
The type of the grantee. Either |
ownerid |
The ACL’s owner ID as defined here |
Relationships¶
S3 Access Control Lists apply to S3 buckets.
``` (S3Acl)-[APPLIES_TO]->(S3Bucket) ```
S3Bucket¶
Representation of an AWS S3 Bucket.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
creationdate |
Date-time when the bucket was created |
id |
Same as |
name |
The name of the bucket. This is guaranteed to be globally unique |
anonymous_actions |
List of anonymous internet accessible actions that may be run on the bucket. This list is taken by running policyuniverse on the policy that applies to the bucket. |
anonymous_access |
True if this bucket has a policy applied to it that allows anonymous access or if it is open to the internet. These policy determinations are made by using the policyuniverse library. |
region |
The region that the bucket is in. Only defined if the S3 bucket has a location constraint |
default_encryption |
True if this bucket has default encryption enabled. |
encryption_algorithm |
The encryption algorithm used for default encryption. Only defined if the S3 bucket has default encryption enabled. |
encryption_key_id |
The KMS key ID used for default encryption. Only defined if the S3 bucket has SSE-KMS enabled as the default encryption method. |
bucket_key_enabled |
True if a bucket key is enabled, when using SSE-KMS as the default encryption method. |
versioning_status |
The versioning state of the bucket. |
mfa_delete |
Specifies whether MFA delete is enabled in the bucket versioning configuration. |
block_public_acls |
Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. |
ignore_public_acls |
Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. |
block_public_acls |
Specifies whether Amazon S3 should block public bucket policies for this bucket. |
restrict_public_buckets |
Specifies whether Amazon S3 should restrict public bucket policies for this bucket. |
Relationships¶
S3Buckets are resources in an AWS Account.
``` (AWSAccount)-[RESOURCE]->(S3Bucket) ```
S3 Access Control Lists apply to S3 buckets.
``` (S3Acl)-[APPLIES_TO]->(S3Bucket) ```
S3 Buckets can be tagged with AWSTags.
``` (S3Bucket)-[TAGGED]->(AWSTag) ```
S3PolicyStatement¶
Representation of an AWS S3 Bucket Policy Statements for controlling ownership of objects and ACLs of the bucket.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
policy_id |
Optional string “Id” for the bucket’s policy |
policy_version |
Version of the bucket’s policy |
id |
The unique identifier for a bucket policy statement. |
effect |
Specifies “Deny” or “Allow” for the policy statement |
action |
Specifies permissions that policy statement applies to, as defined here |
resource |
Specifies the resource the bucket policy statement is based on |
condition |
Specifies conditions where permissions are granted: examples |
sid |
Optional string to label the specific bucket policy statement |
Relationships¶
S3PolicyStatements define the policy for S3 Buckets.
``` (:S3Bucket)-[:POLICY_STATEMENT]->(:S3PolicyStatement) ```
KMSKey¶
Representation of an AWS KMS Key.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The id of the key |
name |
The name of the key |
description |
The description of the key |
enabled |
Whether the key is enabled |
region |
The region where key is created |
anonymous_actions |
List of anonymous internet accessible actions that may be run on the key. |
anonymous_access |
True if this key has a policy applied to it that allows anonymous access or if it is open to the internet. |
Relationships¶
AWS KMS Keys are resources in an AWS Account.
``` (AWSAccount)-[RESOURCE]->(KMSKey) ```
AWS KMS Key may also be refered as KMSAlias via aliases.
``` (KMSKey)-[KNOWN_AS]->(KMSAlias) ```
AWS KMS Key may also have KMSGrant based on grants.
``` (KMSGrant)-[APPLIED_ON]->(KMSKey) ```
KMSAlias¶
Representation of an AWS KMS Key Alias.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the alias |
aliasname |
The name of the alias |
targetkeyid |
The kms key id associated via this alias |
Relationships¶
AWS KMS Key may also be refered as KMSAlias via aliases.
``` (KMSKey)-[KNOWN_AS]->(KMSAlias) ```
KMSGrant¶
Representation of an AWS KMS Key Grant.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The id of the key grant |
name |
The name of the key grant |
granteeprincipal |
The principal associated with the key grant |
creationdate |
ISO 8601 date-time string when the grant was created |
Relationships¶
AWS KMS Key may also have KMSGrant based on grants.
``` (KMSGrant)-[APPLIED_ON]->(KMSKey) ```
APIGatewayRestAPI¶
Representation of an AWS API Gateway REST API.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The id of the REST API |
createddate |
The timestamp when the REST API was created |
version |
The version identifier for the API |
minimumcompressionsize |
A nullable integer that is used to enable or disable the compression of the REST API |
disableexecuteapiendpoint |
Specifies whether clients can invoke your API by using the default |
region |
The region where the REST API is created |
anonymous_actions |
List of anonymous internet accessible actions that may be run on the API. |
anonymous_access |
True if this API has a policy applied to it that allows anonymous access or if it is open to the internet. |
Relationships¶
AWS API Gateway REST APIs are resources in an AWS Account.
``` (AWSAccount)-[RESOURCE]->(APIGatewayRestAPI) ```
AWS API Gateway REST APIs may be associated with an API Gateway Stage.
``` (APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage) ```
AWS API Gateway REST APIs may also have API Gateway Resource resources.
``` (APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource) ```
APIGatewayStage¶
Representation of an AWS API Gateway Stage.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The name of the API Gateway Stage |
createddate |
The timestamp when the stage was created |
deploymentid |
The identifier of the Deployment that the stage points to. |
clientcertificateid |
The identifier of a client certificate for an API stage. |
cacheclusterenabled |
Specifies whether a cache cluster is enabled for the stage. |
cacheclusterstatus |
The status of the cache cluster for the stage, if enabled. |
tracingenabled |
Specifies whether active tracing with X-ray is enabled for the Stage |
webaclarn |
The ARN of the WebAcl associated with the Stage |
Relationships¶
AWS API Gateway REST APIs may be associated with an API Gateway Stage.
``` (APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage) ```
AWS API Gateway Stage may also contain a Client Certificate.
``` (APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate) ```
APIGatewayClientCertificate¶
Representation of an AWS API Gateway Client Certificate.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The identifier of the client certificate |
createddate |
The timestamp when the client certificate was created |
expirationdate |
The timestamp when the client certificate will expire |
Relationships¶
AWS API Gateway Stage may also contain a Client Certificate.
``` (APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate) ```
APIGatewayResource¶
Representation of an AWS API Gateway Resource.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The id of the REST API |
path |
The timestamp when the REST API was created |
pathpart |
The version identifier for the API |
parentid |
A nullable integer that is used to enable or disable the compression of the REST API |
Relationships¶
AWS API Gateway REST APIs may also have API Gateway Resource resources.
``` (APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource) ```
AutoScalingGroup¶
Representation of an AWS Auto Scaling Group Resource.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
arn |
The ARN of the Auto Scaling Group |
name |
The name of the Auto Scaling group. |
createdtime |
The date and time the group was created. |
launchconfigurationname |
The name of the associated launch configuration. |
launchtemplatename |
The name of the launch template. |
launchtemplateid |
The ID of the launch template. |
launchtemplateversion |
The version number of the launch template. |
maxsize |
The maximum size of the group. |
minsize |
The minimum size of the group. |
defaultcooldown |
The duration of the default cooldown period, in seconds. |
desiredcapacity |
The desired size of the group. |
healthchecktype |
The service to use for the health checks. |
healthcheckgraceperiod |
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service. |
status |
The current state of the group when the DeleteAutoScalingGroup operation is in progress. |
newinstancesprotectedfromscalein |
Indicates whether newly launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in. |
maxinstancelifetime |
The maximum amount of time, in seconds, that an instance can be in service. |
capacityrebalance |
Indicates whether Capacity Rebalancing is enabled. |
region |
The region of the auto scaling group. |
Link to API Documentation of AWS Auto Scaling Groups
Relationships¶
AWS Auto Scaling Groups are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(AutoScalingGroup) ```
AWS Auto Scaling Groups has one or more subnets/vpc identifiers.
``` (AutoScalingGroup)-[VPC_IDENTIFIER]->(EC2Subnet) ```
AWS EC2 Instances are members of one or more AWS Auto Scaling Groups.
``` (EC2Instance)-[MEMBER_AUTO_SCALE_GROUP]->(AutoScalingGroup) ```
AWS Auto Scaling Groups have Launch Configurations
``` (AutoScalingGroup)-[HAS_LAUNCH_CONFIG]->(LaunchConfiguration) ```
AWS Auto Scaling Groups have Launch Templates
``` (AutoScalingGroup)-[HAS_LAUNCH_TEMPLATE]->(LaunchTemplate) ```
EC2Image¶
Representation of an AWS EC2 Images (AMIs).
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the AMI. |
name |
The name of the AMI that was provided during image creation. |
creationdate |
The date and time the image was created. |
architecture |
The architecture of the image. |
location |
The location of the AMI. |
type |
The type of image. |
ispublic |
Indicates whether the image has public launch permissions. |
platform |
This value is set to |
usageoperation |
The operation of the Amazon EC2 instance and the billing code that is associated with the AMI. |
state |
The current state of the AMI. |
description |
The description of the AMI that was provided during image creation. |
enasupport |
Specifies whether enhanced networking with ENA is enabled. |
hypervisor |
The hypervisor type of the image. |
rootdevicename |
The device name of the root device volume (for example, |
rootdevicetype |
The type of root device used by the AMI. |
virtualizationtype |
The type of virtualization of the AMI. |
bootmode |
The boot mode of the image. |
region |
The region of the image. |
Link to API Documentation of EC2 Images
Relationships¶
AWS EC2 Images (AMIs) are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(EC2Image) ```
EC2ReservedInstance¶
Representation of an AWS EC2 Reserved Instance.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the Reserved Instance. |
availabilityzone |
The Availability Zone in which the Reserved Instance can be used. |
duration |
The duration of the Reserved Instance, in seconds. |
end |
The time when the Reserved Instance expires. |
start |
The date and time the Reserved Instance started. |
count |
The number of reservations purchased. |
type |
The instance type on which the Reserved Instance can be used. |
productdescription |
The Reserved Instance product platform description. |
state |
The state of the Reserved Instance purchase. |
currencycode |
The currency of the Reserved Instance. It’s specified using ISO 4217 standard currency codes. |
instancetenancy |
The tenancy of the instance. |
offeringclass |
The offering class of the Reserved Instance. |
offeringtype |
The Reserved Instance offering type. |
scope |
The scope of the Reserved Instance. |
fixedprice |
The purchase price of the Reserved Instance. |
region |
The region of the reserved instance. |
Relationships¶
AWS EC2 Reserved Instances are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(EC2ReservedInstance) ```
SecretsManagerSecret¶
Representation of an AWS Secrets Manager Secret
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the secret. |
created_date |
The date and time when a secret was created. |
deleted_date |
The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation. |
description |
The user-provided description of the secret. |
kms_key_id |
The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. If you don’t provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK, the key named awssecretsmanager, for this account. |
last_accessed_date |
The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time. |
last_changed_date |
The last date and time that this secret was modified in any way. |
last_rotated_date |
The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn’t ever rotated. |
name |
The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod. |
owning_service |
Returns the name of the service that created the secret. |
primary_region |
The Region where Secrets Manager originated the secret. |
rotation_enabled |
Indicates whether automatic, scheduled rotation is enabled for this secret. |
rotation_lambda_arn |
The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret. |
rotation_rules_automatically_after_days |
Specifies the number of days between automatic scheduled rotations of the secret. |
Relationships¶
AWS Secrets Manager Secrets are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(SecretsManagerSecret) ```
EBSVolume¶
Representation of an AWS EBS Volume.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the EBS Volume. |
availabilityzone |
The Availability Zone for the volume. |
createtime |
The time stamp when volume creation was initiated. |
encrypted |
Indicates whether the volume is encrypted. |
size |
The size of the volume, in GiBs. |
state |
The volume state. |
outpostarn |
The Amazon Resource Name (ARN) of the Outpost. |
snapshotid |
The snapshot ID. |
iops |
The number of I/O operations per second (IOPS). |
type |
The volume type. |
fastrestored |
Indicates whether the volume was created using fast snapshot restore. |
multiattachenabled |
Indicates whether Amazon EBS Multi-Attach is enabled. |
throughput |
The throughput that the volume supports, in MiB/s. |
kmskeyid |
The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume. |
deleteontermination |
Indicates whether the volume is deleted on instance termination. |
region |
The region of the volume. |
Relationships¶
AWS EBS Volumes are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(EBSVolume) ```
AWS EBS Snapshots are created using EBS Volumes
``` (EBSSnapshot)-[CREATED_FROM]->(EBSVolume) ```
AWS EBS Volumes are attached to an EC2 Instance
``` (EBSVolume)-[ATTACHED_TO_EC2_INSTANCE]->(EC2Instance) ```
AWSTag
``` (EBSVolume)-[TAGGED]->(AWSTag) ```
EBSSnapshot¶
Representation of an AWS EBS Snapshot.
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the EBS Snapshot. |
description |
The description of the snapshot. |
progress |
The progress of the snapshot, as a percentage. |
encrypted |
Indicates whether the snapshot is encrypted. |
starttime |
The time stamp when the snapshot was initiated. |
state |
The snapshot state. |
statemessage |
Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy operation fails (for example, if the proper AWS Key Management Service (AWS KMS) permissions are not obtained) this field displays error state details to help you diagnose why the error occurred. This parameter is only returned by DescribeSnapshots . |
volumeid |
The volume ID. |
volumesize |
The size of the volume, in GiB. |
outpostarn |
The ARN of the AWS Outpost on which the snapshot is stored. |
dataencryptionkeyid |
The data encryption key identifier for the snapshot. |
kmskeyid |
The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the parent volume. |
region |
The region of the snapshot. |
Relationships¶
AWS EBS Snapshots are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(EBSSnapshot) ```
AWS EBS Snapshots are created using EBS Volumes
``` (EBSSnapshot)-[CREATED_FROM]->(EBSVolume) ```
SQSQueue¶
Representation of an AWS SQS Queue
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the sqs queue. |
created_timestamp |
The time when the queue was created in seconds |
delay_seconds |
The default delay on the queue in seconds. |
last_modified_timestamp |
The time when the queue was last changed in seconds. |
maximum_message_size |
The limit of how many bytes a message can contain before Amazon SQS rejects it. |
message_retention_period |
he length of time, in seconds, for which Amazon SQS retains a message. |
policy |
The IAM policy of the queue. |
arn |
The arn of the sqs queue. |
receive_message_wait_time_seconds |
The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive. |
redrive_policy_dead_letter_target_arn |
The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded. |
redrive_policy_max_receive_count |
The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue. |
visibility_timeout |
The visibility timeout for the queue. |
kms_master_key_id |
The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK. |
kms_data_key_reuse_period_seconds |
The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. |
fifo_queue |
Whether or not the queue is FIFO. |
content_based_deduplication |
Whether or not content-based deduplication is enabled for the queue. |
deduplication_scope |
Specifies whether message deduplication occurs at the message group or queue level. |
fifo_throughput_limit |
Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. |
Relationships¶
AWS SQS Queues are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(SQSQueue) ```
AWS SQS Queues can have other SQS Queues configured as dead letter queues
``` (SQSQueue)-[HAS_DEADLETTER_QUEUE]->(SQSQueue) ```
SecurityHub¶
Representation of the configuration of AWS Security Hub
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The arn of the hub resource. |
subscribed_at |
The date and time when Security Hub was enabled in the account. |
auto_enable_controls |
Whether to automatically enable new controls when they are added to standards that are enabled. |
Relationships¶
AWS Security Hub nodes are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(SecurityHub) ```
AWSConfigurationRecorder¶
Representation of an AWS Config Configuration Recorder
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
A combination of name:account_id:region |
name |
The name of the recorder. |
role_arn |
Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account. |
recording_group_all_supported |
Specifies whether AWS Config records configuration changes for every supported type of regional resource. |
recording_group_include_global_resource_types |
Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records. |
recording_group_resource_types |
A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). |
region |
The region of the configuration recorder. |
Relationships¶
AWS Configuration Recorders are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(AWSConfigurationRecorder) ```
AWSConfigDeliveryChannel¶
Representation of an AWS Config Delivery Channel
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
A combination of name:account_id:region |
name |
The name of the delivery channel. |
s3_bucket_name |
The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files. |
s3_key_prefix |
The prefix for the specified Amazon S3 bucket. |
s3_kms_key_arn |
The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) customer managed key (CMK) used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket. |
sns_topic_arn |
The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes. |
config_snapshot_delivery_properties_delivery_frequency |
The frequency with which AWS Config delivers configuration snapshots. |
region |
The region of the delivery channel. |
Relationships¶
AWS Config Delivery Channels are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(AWSConfigDeliveryChannel) ```
AWSConfigRule¶
Representation of an AWS Config Rule
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the config rule. |
name |
The name of the delivery channel. |
description |
The description that you provide for the AWS Config rule. |
arn |
The ARN of the config rule. |
rule_id |
The ID of the AWS Config rule. |
scope_compliance_resource_types |
The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId. |
scope_tag_key |
The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule. |
scope_tag_value |
The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey. |
scope_tag_compliance_resource_id |
The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId. |
source_owner |
Indicates whether AWS or the customer owns and manages the AWS Config rule. |
source_identifier |
For AWS Config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. |
source_details |
Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. |
input_parameters |
A string, in JSON format, that is passed to the AWS Config rule Lambda function. |
maximum_execution_frequency |
The maximum frequency with which AWS Config runs evaluations for a rule. |
created_by |
Service principal name of the service that created the rule. |
region |
The region of the delivery channel. |
Relationships¶
AWS Config Rules are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(AWSConfigRule) ```
LaunchConfiguration¶
Representation of an AWS Launch Configuration
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the launch configuration. |
name |
The name of the launch configuration. |
arn |
The ARN of the launch configuration. |
created_time |
The creation date and time for the launch configuration. |
image_id |
The ID of the Amazon Machine Image (AMI) to use to launch your EC2 instances. |
key_name |
The name of the key pair. |
security_groups |
A list that contains the security groups to assign to the instances in the Auto Scaling group. |
instance_type |
The instance type for the instances. |
kernel_id |
The ID of the kernel associated with the AMI. |
ramdisk_id |
The ID of the RAM disk associated with the AMI. |
instance_monitoring_enabled |
If true, detailed monitoring is enabled. Otherwise, basic monitoring is enabled. |
spot_price |
The maximum hourly price to be paid for any Spot Instance launched to fulfill the request. |
iam_instance_profile |
The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. |
ebs_optimized |
Specifies whether the launch configuration is optimized for EBS I/O (true) or not (false). |
associate_public_ip_address |
For Auto Scaling groups that are running in a VPC, specifies whether to assign a public IP address to the group’s instances. |
placement_tenancy |
The tenancy of the instance, either default or dedicated. An instance with dedicated tenancy runs on isolated, single-tenant hardware and can only be launched into a VPC. |
region |
The region of the launch configuration. |
Relationships¶
Launch Configurations are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(LaunchConfiguration) ```
LaunchTemplate¶
Representation of an AWS Launch Template
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the launch template. |
name |
The name of the launch template. |
create_time |
The time launch template was created. |
created_by |
The principal that created the launch template. |
default_version_number |
The version number of the default version of the launch template. |
latest_version_number |
The version number of the latest version of the launch template. |
region |
The region of the launch template. |
Relationships¶
Launch Templates are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(LaunchTemplate) ```
Launch templates have Launch Template Versions
``` (LaunchTemplate)-[VERSION]->(LaunchTemplateVersion) ```
LaunchTemplateVersion¶
Representation of an AWS Launch Template Version
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ID of the launch template version (ID-version). |
name |
The name of the launch template. |
create_time |
The time the version was created. |
created_by |
The principal that created the version. |
default_version |
Indicates whether the version is the default version. |
version_number |
The version number. |
version_description |
The description of the version. |
kernel_id |
The ID of the kernel, if applicable. |
ebs_optimized |
Indicates whether the instance is optimized for Amazon EBS I/O. |
iam_instance_profile_arn |
The Amazon Resource Name (ARN) of the instance profile. |
iam_instance_profile_name |
The name of the instance profile. |
image_id |
The ID of the AMI that was used to launch the instance. |
instance_type |
The instance type. |
key_name |
The name of the key pair. |
monitoring_enabled |
Indicates whether detailed monitoring is enabled. Otherwise, basic monitoring is enabled. |
ramdisk_id |
The ID of the RAM disk, if applicable. |
disable_api_termination |
If set to true, indicates that the instance cannot be terminated using the Amazon EC2 console, command line tool, or API. |
instance_initiated_shutdown_behavior |
Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown). |
security_group_ids |
The security group IDs. |
security_groups |
The security group names. |
region |
The region of the launch template. |
Relationships¶
Launch Template Versions are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(LaunchTemplateVersion) ```
Launch templates have Launch Template Versions
``` (LaunchTemplate)-[VERSION]->(LaunchTemplateVersion) ```
ElasticIPAddress¶
Representation of an AWS EC2 Elastic IP address
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The Elastic IP address |
instance_id |
The ID of the instance that the address is associated with (if any). |
public_ip |
The Elastic IP address. |
allocation_id |
The ID representing the allocation of the address for use with EC2-VPC. |
association_id |
The ID representing the association of the address with an instance in a VPC. |
domain |
Indicates whether this Elastic IP address is for use with instances in EC2-Classic (standard) or instances in a VPC (vpc). |
network_interface_id |
The ID of the network interface. |
private_ip_address |
The private IP address associated with the Elastic IP address. |
public_ipv4_pool |
The ID of an address pool. |
network_border_group |
The name of the unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. |
customer_owned_ip |
The customer-owned IP address. |
customer_owned_ipv4_pool |
The ID of the customer-owned address pool. |
carrier_ip |
The carrier IP address associated. This option is only available for network interfaces which reside in a subnet in a Wavelength Zone (for example an EC2 instance). |
region |
The region of the IP. |
Relationships¶
Elastic IPs are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(ElasticIPAddress) ```
Elastic IPs can be attached to EC2 instances
``` (EC2Instance)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress) ```
Elastic IPs can be attached to NetworkInterfaces
``` (NetworkInterface)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress) ```
ECSCluster¶
Representation of an AWS ECS Cluster
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the cluster |
region |
The region of the cluster. |
name |
A user-generated string that you use to identify your cluster. |
arn |
The ARN of the cluster |
ecc_kms_key_id |
An AWS Key Management Service key ID to encrypt the data between the local client and the container. |
ecc_logging |
The log setting to use for redirecting logs for your execute command results. |
ecc_log_configuration_cloud_watch_log_group_name |
The name of the CloudWatch log group to send logs to. |
ecc_log_configuration_cloud_watch_encryption_enabled |
Determines whether to enable encryption on the CloudWatch logs. |
ecc_log_configuration_s3_bucket_name |
The name of the S3 bucket to send logs to. |
ecc_log_configuration_s3_encryption_enabled |
Determines whether to use encryption on the S3 logs. |
ecc_log_configuration_s3_key_prefix |
An optional folder in the S3 bucket to place logs in. |
status |
The status of the cluster |
settings_container_insights |
If enabled is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be disabled unless the containerInsights account setting is enabled. |
capacity_providers |
The capacity providers associated with the cluster. |
attachments_status |
The status of the capacity providers associated with the cluster. |
Relationships¶
ECSClusters are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(ECSCluster) ```
ECSContainerInstance¶
Representation of an AWS ECS Container Instance
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the container instance |
region |
The region of the container instance. |
ec2_instance_id |
The ID of the container instance. For Amazon EC2 instances, this value is the Amazon EC2 instance ID. For external instances, this value is the AWS Systems Manager managed instance ID. |
arn |
The ARN of the container instance |
capacity_provider_name |
The capacity provider that’s associated with the container instance. |
version |
The version counter for the container instance. |
version_info_agent_version |
The version number of the Amazon ECS container agent. |
version_info_agent_hash |
The Git commit hash for the Amazon ECS container agent build on the amazon-ecs-agent GitHub repository. |
version_info_agent_docker_version |
The Docker version that’s running on the container instance. |
status |
The status of the container instance. |
status_reason |
The reason that the container instance reached its current status. |
agent_connected |
This parameter returns true if the agent is connected to Amazon ECS. Registered instances with an agent that may be unhealthy or stopped return false. |
agent_update_status |
The status of the most recent agent update. If an update wasn’t ever requested, this value is NULL. |
registered_at |
The Unix timestamp for the time when the container instance was registered. |
Relationships¶
An ECSCluster has ECSContainerInstances
``` (ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance) ```
ECSContainerInstances have ECSTasks
``` (ECSContainerInstance)-[HAS_TASK]->(ECSTask) ```
ECSService¶
Representation of an AWS ECS Service
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the service |
region |
The region of the service. |
name |
The name of your service. |
arn |
The ARN of the service |
cluster_arn |
The Amazon Resource Name (ARN) of the cluster that hosts the service. |
status |
The status of the service. |
desired_count |
The desired number of instantiations of the task definition to keep running on the service. |
running_count |
The number of tasks in the cluster that are in the RUNNING state. |
pending_count |
The number of tasks in the cluster that are in the PENDING state. |
launch_type |
The launch type the service is using. |
platform_version |
The platform version to run your service on. A platform version is only specified for tasks that are hosted on AWS Fargate. |
platform_family |
The operating system that your tasks in the service run on. A platform family is specified only for tasks using the Fargate launch type. |
task_definition |
The task definition to use for tasks in the service. |
deployment_config_circuit_breaker_enable |
Determines whether to enable the deployment circuit breaker logic for the service. |
deployment_config_circuit_breaker_rollback |
Determines whether to enable Amazon ECS to roll back the service if a service deployment fails. |
deployment_config_maximum_percent |
If a service is using the rolling update (ECS) deployment type, the maximum percent parameter represents an upper limit on the number of tasks in a service that are allowed in the RUNNING or PENDING state during a deployment, as a percentage of the desired number of tasks (rounded down to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type. |
deployment_config_minimum_healthy_percent |
If a service is using the rolling update (ECS) deployment type, the minimum healthy percent represents a lower limit on the number of tasks in a service that must remain in the RUNNING state during a deployment, as a percentage of the desired number of tasks (rounded up to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type. |
role_arn |
The ARN of the IAM role that’s associated with the service. |
created_at |
The Unix timestamp for the time when the service was created. |
health_check_grace_period_seconds |
The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. |
created_by |
The principal that created the service. |
enable_ecs_managed_tags |
Determines whether to enable Amazon ECS managed tags for the tasks in the service. |
propagate_tags |
Determines whether to propagate the tags from the task definition or the service to the task. |
enable_execute_command |
Determines whether the execute command functionality is enabled for the service. |
Relationships¶
An ECSCluster has ECSService
``` (ECSCluster)-[HAS_SERVICE]->(ECSService) ```
An ECSCluster has ECSContainerInstances
``` (ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance) ```
ECSTaskDefinition¶
Representation of an AWS ECS Task Definition
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the task definition |
region |
The region of the task definition. |
family |
The name of a family that this task definition is registered to. |
task_role_arn |
The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management role that grants containers in the task permission to call AWS APIs on your behalf. |
execution_role_arn |
The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. |
network_mode |
The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If no network mode is specified, the default is bridge. |
revision |
The revision of the task in a particular family. |
status |
The status of the task definition. |
compatibilities |
The task launch types the task definition validated against during task definition registration. |
runtime_platform_cpu_architecture |
The CPU architecture. |
runtime_platform_operating_system_family |
The operating system. |
requires_compatibilities |
The task launch types the task definition was validated against. |
cpu |
The number of cpu units used by the task. |
memory |
The amount (in MiB) of memory used by the task. |
pid_mode |
The process namespace to use for the containers in the task. |
ipc_mode |
The IPC resource namespace to use for the containers in the task. |
proxy_configuration_type |
The proxy type. |
proxy_configuration_container_name |
The name of the container that will serve as the App Mesh proxy. |
registered_at |
The Unix timestamp for the time when the task definition was registered. |
deregistered_at |
The Unix timestamp for the time when the task definition was deregistered. |
registered_by |
The principal that registered the task definition. |
ephemeral_storage_size_in_gib |
The total amount, in GiB, of ephemeral storage to set for the task. |
Relationships¶
ECSTaskDefinition are a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(ECSTaskDefinition) ```
An ECSTask has an ECSTaskDefinition.
``` (ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition) ```
ECSContainerDefinition¶
Representation of an AWS ECS Container Definition
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the task definition, plus the container definition name |
region |
The region of the container definition. |
name |
The name of a container. |
image |
The image used to start a container. This string is passed directly to the Docker daemon. |
cpu |
The number of cpu units reserved for the container. |
memory |
The amount (in MiB) of memory to present to the container. |
memory_reservation |
The soft limit (in MiB) of memory to reserve for the container. |
links |
The links parameter allows containers to communicate with each other without the need for port mappings. |
essential |
If the essential parameter of a container is marked as true, and that container fails or stops for any reason, all other containers that are part of the task are stopped. |
entry_point |
The entry point that’s passed to the container. |
command |
The command that’s passed to the container. |
start_timeout |
Time duration (in seconds) to wait before giving up on resolving dependencies for a container. |
stop_timeout |
Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own. |
hostname |
The hostname to use for your container. |
user |
The user to use inside the container. |
working_directory |
The working directory to run commands inside the container in. |
disable_networking |
When this parameter is true, networking is disabled within the container. |
privileged |
When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). |
readonly_root_filesystem |
When this parameter is true, the container is given read-only access to its root file system. |
dns_servers |
A list of DNS servers that are presented to the container. |
dns_search_domains |
A list of DNS search domains that are presented to the container. |
docker_security_options |
A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field isn’t valid for containers in tasks using the Fargate launch type. |
interactive |
When this parameter is true, you can deploy containerized applications that require stdin or a tty to be allocated. |
pseudo_terminal |
When this parameter is true, a TTY is allocated. |
Relationships¶
ECSTaskDefinitions have ECSContainerDefinitions
``` (ECSTaskDefinition)-[HAS_CONTAINER_DEFINITION]->(ECSContainerDefinition) ```
ECSTask¶
Representation of an AWS ECS Task
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the task |
region |
The region of the task. |
arn |
The arn of the task. |
availability_zone |
The Availability Zone for the task. |
capacity_provider_name |
The capacity provider that’s associated with the task. |
cluster_arn |
The ARN of the cluster that hosts the task. |
connectivity |
The connectivity status of a task. |
connectivity_at |
The Unix timestamp for the time when the task last went into CONNECTED status. |
container_instance_arn |
The ARN of the container instances that host the task. |
cpu |
The number of CPU units used by the task as expressed in a task definition. |
created_at |
The Unix timestamp for the time when the task was created. More specifically, it’s for the time when the task entered the PENDING state. |
desired_status |
The desired status of the task. |
enable_execute_command |
Determines whether execute command functionality is enabled for this task. |
execution_stopped_at |
The Unix timestamp for the time when the task execution stopped. |
group |
The name of the task group that’s associated with the task. |
health_status |
The health status for the task. |
last_status |
The last known status for the task. |
launch_type |
The infrastructure where your task runs on. |
memory |
The amount of memory (in MiB) that the task uses as expressed in a task definition. |
platform_version |
The platform version where your task runs on. |
platform_family |
The operating system that your tasks are running on. |
pull_started_at |
The Unix timestamp for the time when the container image pull began. |
pull_stopped_at |
The Unix timestamp for the time when the container image pull completed. |
started_at |
The Unix timestamp for the time when the task started. More specifically, it’s for the time when the task transitioned from the PENDING state to the RUNNING state. |
started_by |
The tag specified when a task is started. If an Amazon ECS service started the task, the startedBy parameter contains the deployment ID of that service. |
stop_code |
The stop code indicating why a task was stopped. |
stopped_at |
The Unix timestamp for the time when the task was stopped. More specifically, it’s for the time when the task transitioned from the RUNNING state to the STOPPED state. |
stopped_reason |
The reason that the task was stopped. |
stopping_at |
The Unix timestamp for the time when the task stops. More specifically, it’s for the time when the task transitions from the RUNNING state to STOPPED. |
task_definition_arn |
The ARN of the task definition that creates the task. |
version |
The version counter for the task. |
ephemeral_storage_size_in_gib |
The total amount, in GiB, of ephemeral storage to set for the task. |
Relationships¶
ECSClusters have ECSTasks
``` (ECSCluster)-[HAS_TASK]->(ECSTask) ```
ECSContainerInstances have ECSTasks
``` (ECSContainerInstance)-[HAS_TASK]->(ECSTask) ```
ECSTasks have ECSTaskDefinitions
``` (ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition) ```
ECSContainer¶
Representation of an AWS ECS Container
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the container |
region |
The region of the container. |
arn |
The arn of the container. |
task_arn |
The ARN of the task. |
name |
The name of the container. |
image |
The image used for the container. |
image_digest |
The container image manifest digest. |
runtime_id |
The ID of the Docker container. |
last_status |
The last known status of the container. |
exit_code |
The exit code returned from the container. |
reason |
A short (255 max characters) human-readable string to provide additional details about a running or stopped container. |
health_status |
The health status of the container. |
cpu |
The number of CPU units set for the container. |
memory |
The hard limit (in MiB) of memory set for the container. |
memory_reservation |
The soft limit (in MiB) of memory set for the container. |
gpu_ids |
The IDs of each GPU assigned to the container. |
Relationships¶
ECSTasks have ECSContainers
``` (ECSTask)-[HAS_CONTAINER]->(ECSContainer) ```
SSMInstanceInformation¶
Representation of an AWS SSM InstanceInformation
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the instance information |
region |
The region of the instance information. |
instance_id |
The managed node ID. |
ping_status |
Connection status of SSM Agent. |
last_ping_date_time |
The date and time when the agent last pinged the Systems Manager service. |
agent_version |
The version of SSM Agent running on your Linux managed node. |
is_latest_version |
Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn’t indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests. |
platform_type |
The operating system platform type. |
platform_name |
The name of the operating system platform running on your managed node. |
platform_version |
The version of the OS platform running on your managed node. |
activation_id |
The activation ID created by AWS Systems Manager when the server or virtual machine (VM) was registered. |
iam_role |
The AWS Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn’t return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances. |
registration_date |
The date the server or VM was registered with AWS as a managed node. |
resource_type |
The type of instance. Instances are either EC2 instances or managed instances. |
name |
The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName property using the CreateActivation command. |
ip_address |
The IP address of the managed node. |
computer_name |
The fully qualified host name of the managed node. |
association_status |
The status of the association. |
last_association_execution_date |
The date the association was last run. |
last_successful_association_execution_date |
The last date the association was successfully run. |
source_id |
The ID of the source resource. For AWS IoT Greengrass devices, SourceId is the Thing name. |
source_type |
The type of the source resource. For AWS IoT Greengrass devices, SourceType is AWS::IoT::Thing. |
Relationships¶
SSMInstanceInformation is a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(SSMInstanceInformation) ```
SSMInstanceInformation is a resource of an EC2Instance
``` (EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation) ```
SSMInstancePatch¶
Representation of an AWS SSM PatchComplianceData
Field |
Description |
---|---|
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
id |
The ARN of the instance patch |
region |
The region of the instance patch. |
instance_id |
The managed node ID. |
title |
The title of the patch. |
kb_id |
The operating system-specific ID of the patch. |
classification |
The classification of the patch, such as SecurityUpdates, Updates, and CriticalUpdates. |
severity |
The severity of the patch such as Critical, Important, and Moderate. |
state |
The state of the patch on the managed node, such as INSTALLED or FAILED. |
installed_time |
The date/time the patch was installed on the managed node. Not all operating systems provide this level of information. |
cve_ids |
The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch. |
Relationships¶
SSMInstancePatch is a resource under the AWS Account.
``` (AWSAccount)-[RESOURCE]->(SSMInstancePatch) ```
EC2Instances have SSMInstancePatches
``` (EC2Instance)-[HAS_INFORMATION]->(SSMInstancePatch) ```
AWSIdentityCenter¶
Representation of an AWS Identity Center.
Field |
Description |
---|---|
id |
Unique identifier for the Identity Center instance |
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
identity_store_id |
The identity store ID of the Identity Center instance |
instance_status |
The status of the Identity Center instance |
created_date |
The date the Identity Center instance was created |
last_modified_date |
The date the Identity Center instance was last modified |
Relationships¶
AWSIdentityCenter is part of an AWSAccount.
(AWSAccount)-[RESOURCE]->(AWSIdentityCenter)
AWSIdentityCenter has permission sets.
(AWSIdentityCenter)-[HAS_PERMISSION_SET]->(AWSPermissionSet)
AWSSSOUser¶
Representation of an AWS SSO User.
Field |
Description |
---|---|
id |
Unique identifier for the SSO user |
firstseen |
Timestamp of when a sync job first discovered this node |
lastupdated |
Timestamp of the last time the node was updated |
user_name |
The username of the SSO user |
external_id |
The external ID of the SSO user |
identity_store_id |
The identity store ID of the SSO user |
Relationships¶
AWSSSOUser is part of an AWSAccount.
(AWSAccount)-[RESOURCE]->(AWSSSOUser)
AWSSSOUser can have roles assigned.
(AWSSSOUser)<-[ALLOWED_BY]-(AWSRole)
UserAccount can be assumed by AWSSSOUser.
(UserAccount)-[CAN_ASSUME_IDENTITY]->(AWSSSOUser)
AWSPermissionSet¶
Representation of an AWS Identity Center Permission Set.
Field |
Description |
---|---|
id |
Unique identifier for the Permission Set |
Relationships¶
AWSPermissionSet is part of an AWSIdentityCenter.
(AWSIdentityCenter)<-[HAS_PERMISSION_SET]-(AWSPermissionSet)
AWSPermissionSet can be assigned to roles.
(AWSPermissionSet)-[ASSIGNED_TO_ROLE]->(AWSRole)