AWS Client

ECR

cartography.client.aws.ecr.get_ecr_images(neo4j_session: Session, aws_account_id: str) → Set[Tuple[str, str, str, str, str]]

Query the graph for all ECR images and their parent images.

This function retrieves ECR repository images along with their parent image hierarchy, returning essential metadata used to identify which images to scan.

Parameters:
  • neo4j_session (neo4j.Session) – The Neo4j session object for database queries.

  • aws_account_id (str) – The AWS account ID to get ECR repository data for.

Returns:

A set of 5-tuples containing:
  • repo region (str): The AWS region of the ECR repository

  • image tag (str): The tag of the repository image

  • image URI (str): The URI identifier of the repository image

  • repo name (str): The name of the ECR repository

  • image digest (str): The binary digest of the ECR image

Return type:

Set[Tuple[str, str, str, str, str]]

Note

The function uses an optional traversal to include parent images in the hierarchy, ensuring all related images are captured for scanning purposes.

See also

Neo4j Community discussion on extracting nodes from paths: https://community.neo4j.com/t/extract-list-of-nodes-and-labels-from-path/13665/4

IAM

cartography.client.aws.iam.get_aws_admin_like_principals(neo4j_session: Session) → List[Dict[str, Any]]

Retrieve AWS principals with admin-like privileges.

This function identifies AWS principals that have IAM policies allowing broad access with both resource=* and action=* permissions, indicating administrator-level privileges.

Parameters:

  • neo4j_session (Session) – The Neo4j session object for database queries.

Returns:

A list of dictionaries containing information about admin-like principals. Each dictionary contains:

  • account_name (str): The name of the AWS account

  • account_id (str): The AWS account ID

  • principal_name (str): The name of the principal (user, role, etc.)

  • policy_name (str): The name of the policy granting admin privileges

Return type:

List[Dict[str, Any]]

Examples

>>> principals = get_aws_admin_like_principals(session)
>>> print(principals)
[
    {
        'account_name': 'my_account',
        'account_id': '1234',
        'principal_name': 'admin_role',
        'policy_name': 'highly_privileged_policy',
    },
]

Note

The function specifically looks for IAM policy statements with:

  • effect = 'Allow'

  • resource containing * (wildcard)

  • action containing * (wildcard)

Results are ordered by account name and principal name for consistent output.
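The wildcard criteria in the note above, applied in plain Python to IAM policy documents as an added example; this is not cartography's own code (which performs the check as a graph query over ingested policy statements). It assumes only a bare "*" counts as the wildcard and that the documents follow the standard IAM JSON shape, where Statement, Action and Resource may each be a single value or a list.

```python
from typing import Any, Dict, List

# Constructed sample IAM policy documents (not real account data) exercising the
# admin-like criteria: Effect Allow, Action and Resource both containing "*".
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "highly_privileged_policy": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "s3_read_only": {
        "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
    },
    "deny_everything": {
        # A single statement may be a bare object rather than a list.
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
    },
    "scoped_wildcard_action": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}],
    },
    "mixed": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "*"], "Resource": ["*"]},
    ]},
}


def _as_list(value: Any) -> List[str]:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_like_statement(stmt: Dict[str, Any]) -> bool:
    """True when one statement allows the "*" action on the "*" resource."""
    if stmt.get("Effect") != "Allow":
        return False
    # Assumption: only a bare "*" counts; "s3:*" or "arn:...:bucket/*" do not.
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def find_admin_like_policies(policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of policies with at least one admin-like statement, sorted for stable output."""
    return sorted(
        name
        for name, doc in policies.items()
        if any(is_admin_like_statement(s) for s in _as_list(doc.get("Statement")))
    )
```

Running `find_admin_like_policies(SAMPLE_POLICIES)` flags only `highly_privileged_policy` and `mixed`; the Deny statement, the service-scoped actions and the ARN-scoped resource are left out, mirroring the ordering-for-consistency note above.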