Sample queries¶

Note: you might want to add LIMIT 30 at the end of these queries to make sure they RETURN quickly in case you have a large graph.

Which AWS IAM roles have admin permissions in my accounts?¶

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(a:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE x = '*')
RETURN *

test it locally

Which AWS IAM roles in my environment have the ability to delete policies?¶

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE x="iam:DeletePolicy" )
RETURN *

test it locally

Note: can replace “iam:DeletePolicy” to search for other IAM actions.

Which AWS IAM roles in my environment have an action that contains the word “create”?¶

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE toLower(x) contains "create")
RETURN *

test it locally

What RDS instances are installed in my AWS accounts?¶

MATCH (aws:AWSAccount)-[r:RESOURCE]->(rds:RDSInstance)
RETURN *

test it locally

Which RDS instances have encryption turned off?¶

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name, rds.id

test it locally

Which EC2 instances are exposed (directly or indirectly) to the internet?¶

MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid, instance.publicdnsname

test it locally

Which open ports are internet accesible from SecurityGroups ¶

    MATCH (open)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
    MATCH (sg)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ipi:IpPermissionInbound)
    MATCH (ipi)<--(ir:IpRange)
    WHERE ir.range = "0.0.0.0/0"
    OPTIONAL MATCH (dns:AWSDNSRecord)-[:DNS_POINTS_TO]->(lb)
    WHERE open.scheme = "internet-facing"
    RETURN DISTINCT ipi.toport as port, open.id, sg.id

test it locally

Which ELB LoadBalancers are internet accessible?¶

MATCH (elb:LoadBalancer{exposed_internet: true})—->(listener:ELBListener)
RETURN elb.dnsname, listener.port
ORDER by elb.dnsname, listener.port

test it locally

Which ELBv2 LoadBalancerV2s (Application Load Balancers) are internet accessible?¶

MATCH (elbv2:LoadBalancerV2{exposed_internet: true})—->(listener:ELBV2Listener)
RETURN elbv2.dnsname, listener.port
ORDER by elbv2.dnsname, listener.port

test it locally

Which open ports are internet accesible from ELB or ELBv2?¶

    MATCH (elb:LoadBalancer{exposed_internet: true})—->(listener:ELBListener)
    RETURN DISTINCT elb.dnsname as dnsname, listener.port as port
    UNION
    MATCH (lb:LoadBalancerV2)-[:ELBV2_LISTENER]->(l:ELBV2Listener)
    WHERE lb.scheme = "internet-facing"
    RETURN DISTINCT lb.dnsname as dnsname, l.port as port

test it locally

Find everything about an IP Address¶

MATCH (n:EC2PrivateIp)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2

UNION MATCH(n:EC2Instance)-[r]-(n2)
WHERE n.publicipaddress = $neodash_ip
RETURN  n, r, n2

UNION MATCH(n:NetworkInterface)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2

UNION MATCH(n:ElasticIPAddress)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2

test it locally

Which S3 buckets have a policy granting any level of anonymous access to the bucket?¶

MATCH (s:S3Bucket)
WHERE s.anonymous_access = true
RETURN s

test it locally

How many unencrypted RDS instances do I have in all my AWS accounts?¶

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance)
WHERE rds.storage_encrypted = false
RETURN a.name as AWSAccount, count(rds) as UnencryptedInstances

test it locally

What languages are used in a given GitHub repository?¶

MATCH (:GitHubRepository{name:"myrepo"})-[:LANGUAGE]->(lang:ProgrammingLanguage)
RETURN lang.name

test it locally

What are the dependencies used in a given GitHub repository?¶

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency)
RETURN dep.name, edge.specifier, dep.version

test it locally

If you want to filter to just e.g. Python libraries:

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency:PythonLibrary)
RETURN dep.name, edge.specifier, dep.version

test it locally

Given a dependency, which GitHub repos depend on it?¶

Using boto3 as an example dependency:

MATCH (dep:Dependency:PythonLibrary{name:"boto3"})<-[req:REQUIRES]-(repo:GitHubRepository)
RETURN repo.name, req.specifier, dep.version

test it locally

What are all the dependencies used across all GitHub repos?¶

Just the list of dependencies and their versions:

MATCH (dep:Dependency)
RETURN DISTINCT dep.name AS name, dep.version AS version
ORDER BY dep.name

test it locally

With info about which repos are using them:

MATCH (repo:GitHubRepository)-[edge:REQUIRES]->(dep:Dependency)
RETURN repo.name, dep.name, edge.specifier, dep.version

test it locally

Sample queries¶

Which AWS IAM roles have admin permissions in my accounts?¶

Which AWS IAM roles in my environment have the ability to delete policies?¶

Which AWS IAM roles in my environment have an action that contains the word “create”?¶

What RDS instances are installed in my AWS accounts?¶

Which RDS instances have encryption turned off?¶

Which EC2 instances are exposed (directly or indirectly) to the internet?¶

Which open ports are internet accesible from SecurityGroups¶

Which ELB LoadBalancers are internet accessible?¶

Which ELBv2 LoadBalancerV2s (Application Load Balancers) are internet accessible?¶

Which open ports are internet accesible from ELB or ELBv2?¶

Find everything about an IP Address¶

Which S3 buckets have a policy granting any level of anonymous access to the bucket?¶

How many unencrypted RDS instances do I have in all my AWS accounts?¶

What languages are used in a given GitHub repository?¶

What are the dependencies used in a given GitHub repository?¶

Given a dependency, which GitHub repos depend on it?¶

What are all the dependencies used across all GitHub repos?¶

Which open ports are internet accesible from SecurityGroups ¶