Sample queries

Note: you might want to add LIMIT 30 at the end of these queries to make sure they return quickly in case you have a large graph.

Which AWS IAM roles have admin permissions in my accounts?

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(a:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE x = '*')
RETURN *

Which AWS IAM roles in my environment have the ability to delete policies?

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE x = "iam:DeletePolicy")
RETURN *

Note: you can replace “iam:DeletePolicy” with another IAM action to search for it.
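
The queries above compare each stored action to an exact string, so a statement that grants iam:* or iam:Delete* is not returned by the iam:DeletePolicy search. The following is an added example, not one of the original sample queries: it treats each stored action as an IAM wildcard pattern and reports which pattern matched. It assumes stmt.action is a list of strings, as in the queries above; the names wanted and matched are introduced here for illustration.

```cypher
// Added example: wildcard-aware search for principals allowed to perform one action.
// "wanted" is the concrete action to look for; change it to search for another action.
WITH "iam:DeletePolicy" AS wanted
MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount)
WHERE stmt.effect = "Allow"
// Turn each policy action into a regular expression: IAM "*" matches any run of
// characters and "?" matches a single character. IAM action names are
// case-insensitive, hence the (?i) flag. =~ must match the whole string.
WITH wanted, acc, principal, pol,
     [x IN stmt.action
        WHERE wanted =~ ("(?i)" + replace(replace(x, "*", ".*"), "?", "."))] AS matched
WHERE size(matched) > 0
// "matched" lists the pattern(s) that grant the action, e.g. ["iam:*"] or ["*"].
// Only the action lists of Allow statements are inspected; explicit Deny
// statements and conditions are not evaluated.
RETURN acc.name AS account, principal, pol, matched
LIMIT 30
```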

Which AWS IAM roles in my environment have an action that contains the word “create”?

MATCH (stmt:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal)--(acc:AWSAccount)
WHERE stmt.effect = "Allow"
AND any(x IN stmt.action WHERE toLower(x) contains "create")
RETURN *

What RDS instances are installed in my AWS accounts?

MATCH (aws:AWSAccount)-[r:RESOURCE]->(rds:RDSInstance)
RETURN *

Which RDS instances have encryption turned off?

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance{storage_encrypted:false})
RETURN a.name, rds.id

Which EC2 instances are exposed (directly or indirectly) to the internet?

MATCH (instance:EC2Instance{exposed_internet: true})
RETURN instance.instanceid, instance.publicdnsname

Which open ports are internet accessible from SecurityGroups?

    MATCH (open)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
    MATCH (sg)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ipi:IpPermissionInbound)
    MATCH (ipi)<--(ir:IpRange)
    WHERE ir.range = "0.0.0.0/0"
    // Optional DNS lookup for the matched node. The WHERE below belongs to the OPTIONAL MATCH,
    // so it does not filter out rows whose scheme is not "internet-facing".
    OPTIONAL MATCH (dns:AWSDNSRecord)-[:DNS_POINTS_TO]->(open)
    WHERE open.scheme = "internet-facing"
    RETURN DISTINCT ipi.toport as port, open.id, sg.id

Which ELB LoadBalancers are internet accessible?

MATCH (elb:LoadBalancer{exposed_internet: true})-->(listener:ELBListener)
RETURN elb.dnsname, listener.port
ORDER BY elb.dnsname, listener.port

Which ELBv2 LoadBalancerV2s (Application Load Balancers) are internet accessible?

MATCH (elbv2:LoadBalancerV2{exposed_internet: true})-->(listener:ELBV2Listener)
RETURN elbv2.dnsname, listener.port
ORDER BY elbv2.dnsname, listener.port

Which open ports are internet accessible from ELB or ELBv2?

    MATCH (elb:LoadBalancer{exposed_internet: true})-->(listener:ELBListener)
    RETURN DISTINCT elb.dnsname as dnsname, listener.port as port
    UNION
    MATCH (lb:LoadBalancerV2)-[:ELBV2_LISTENER]->(l:ELBV2Listener)
    WHERE lb.scheme = "internet-facing"
    RETURN DISTINCT lb.dnsname as dnsname, l.port as port

Find everything about an IP Address

MATCH (n:EC2PrivateIp)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2
UNION
MATCH (n:EC2Instance)-[r]-(n2)
WHERE n.publicipaddress = $neodash_ip
RETURN n, r, n2
UNION
MATCH (n:NetworkInterface)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2
UNION
MATCH (n:ElasticIPAddress)-[r]-(n2)
WHERE n.public_ip = $neodash_ip
RETURN n, r, n2

Which S3 buckets have a policy granting any level of anonymous access to the bucket?

MATCH (s:S3Bucket)
WHERE s.anonymous_access = true
RETURN s

How many unencrypted RDS instances do I have in all my AWS accounts?

MATCH (a:AWSAccount)-[:RESOURCE]->(rds:RDSInstance)
WHERE rds.storage_encrypted = false
RETURN a.name as AWSAccount, count(rds) as UnencryptedInstances

What languages are used in a given GitHub repository?

MATCH (:GitHubRepository{name:"myrepo"})-[:LANGUAGE]->(lang:ProgrammingLanguage)
RETURN lang.name

What are the dependencies used in a given GitHub repository?

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency)
RETURN dep.name, edge.specifier, dep.version

If you want to filter to just one ecosystem, e.g. Python libraries:

MATCH (:GitHubRepository{name:"myrepo"})-[edge:REQUIRES]->(dep:Dependency:PythonLibrary)
RETURN dep.name, edge.specifier, dep.version

Given a dependency, which GitHub repos depend on it?

Using boto3 as an example dependency:

MATCH (dep:Dependency:PythonLibrary{name:"boto3"})<-[req:REQUIRES]-(repo:GitHubRepository)
RETURN repo.name, req.specifier, dep.version

What are all the dependencies used across all GitHub repos?

Just the list of dependencies and their versions:

MATCH (dep:Dependency)
RETURN DISTINCT dep.name AS name, dep.version AS version
ORDER BY dep.name

With info about which repos are using them:

MATCH (repo:GitHubRepository)-[edge:REQUIRES]->(dep:Dependency)
RETURN repo.name, dep.name, edge.specifier, dep.version
