Cartography Schema¶

ℹ️ Quick notes on notation¶

Bolded words in the schema tables indicate that this field is indexed, so your queries will run faster if you use these fields.

This isn’t proper Neo4j syntax, but for the purpose of this document we will use this notation:

   (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeB, NodeTypeC, NodeTypeD, NodeTypeE)

to mean a shortened version of this:

   (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeB)
   (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeC)
   (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeD)
   (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeE)

In words, this means that ``NodeTypeA`` has ``RELATIONSHIP_R`` pointing to ``NodeTypeB``\ , and ``NodeTypeA`` has ``RELATIONSHIP_R`` pointing to ``NodeTypeC``.

In these docs, more specific nodes will be decorated with GenericNode::SpecificNode notation. For example, if we have a Car node and a RaceCar node, we will refer to the RaceCar as Car::RaceCar.

Cartography metadata schema¶

Some Cartography sync jobs write nodes to convey information about the job itself. See https://github.com/lyft/cartography/issues/758 for more background on this.

SyncMetadata:ModuleSyncMetadata¶

This is a node to represent metadata about the sync job of a particular module. Its existence indicates that a particular sync job did happen. The ‘types’ used here should be actual node labels. For example, if we did sync a particular AWSAccount’s S3Buckets, the grouptype is ‘AWSAccount’, the groupid is the particular account’s id, and the syncedtype is ‘S3Bucket’.

Field	Description	Source
id	`{group_type}_{group_id}_{synced_type}`	util.py
grouptype	The parent module’s type	util.py
groupid	The parent module’s id	util.py
syncedtype	The sub-module’s type	util.py

AWS Schema¶

AWSAccount¶

Representation of an AWS Account.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
name	The name of the account
inscope	Indicates that the account is part of the sync scope (true or false).
foreign	Indicates if the account is not part of the sync scope (true or false). One such example is an account that is trusted as part of cross-account AWSRole trust not in scope for sync.
lastupdated	Timestamp of the last time the node was updated
id	The AWS Account ID number

Relationships¶

Many node types belong to an AWSAccount.

```
(AWSAccount)-[RESOURCE]->(AWSDNSZone,
                      AWSGroup,
                      AWSInspectorFinding,
                      AWSInspectorPackage,
                      AWSLambda,
                      AWSPrincipal,
                      AWSUser,
                      AWSVpc,
                      AutoScalingGroup,
                      DNSZone,
                      DynamoDBTable,
                      EBSSnapshot,
                      EBSVolume,
                      EC2Image,
                      EC2Instance,
                      EC2Reservation,
                      EC2ReservedInstance,
                      EC2SecurityGroup,
                      ElasticIPAddress,
                      ESDomain,
                      LaunchConfiguration,
                      LaunchTemplate,
                      LaunchTemplateVersion,
                      LoadBalancer,
                      RDSCluster,
                      RDSInstance,
                      RDSSnapshot,
                      SecretsManagerSecret,
                      SecurityHub,
                      SQSQueue
                      SSMInstanceInformation,
                      SSMInstancePatch)
```

An AWSPolicy node is defined for an AWSAccount.

```
(AWSAccount)-[RESOURCE]->(AWSPolicy)
```

AWSRole nodes are defined in AWSAccount nodes.

```
(AWSAccount)-[RESOURCE]->(AWSRole)
```

AWSCidrBlock¶

AWSIpv4CidrBlock¶

AWSIpv6CidrBlock¶

Representation of an AWS CidrBlock used in VPC configuration. The AWSCidrBlock defines the base label type for AWSIpv4CidrBlock and AWSIpv6CidrBlock

Field	Description
firstseen	Timestamp of when a sync job discovered this node
cidr_block	The CIDR block
block_state	The state of the block
association_id	the association id if the block is associated to a VPC
lastupdated	Timestamp of the last time the node was updated
id	Unique identifier defined with the VPC association and the cidr_block

Relationships¶

AWSVpc association

(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)

Peering connection where AWSCidrBlock is an accepter or requester cidr.

(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
(AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)

Example of high level view of peering (without security group permissions)

MATCH p=(:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(:AWSCidrBlock)<-[:RESOURCE|BLOCK_ASSOCIATION*..]-(:AWSAccount)
RETURN p

Exploring detailed inbound peering rules

MATCH (outbound_account:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(inbound_block:AWSCidrBlock)<-[:BLOCK_ASSOCIATION]-(inbound_vpc:AWSVpc)<-[:RESOURCE]-(inbound_account:AWSAccount)
WITH inbound_vpc, inbound_block, outbound_account, inbound_account
MATCH (inbound_range:IpRange{id: inbound_block.cidr_block})-[:MEMBER_OF_IP_RULE]->(inbound_rule:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(inbound_group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(inbound_vpc)
RETURN outbound_account.name, inbound_account.name, inbound_range.range, inbound_rule.fromport, inbound_rule.toport, inbound_rule.protocol, inbound_group.name, inbound_vpc.id

AWSGroup¶

Representation of AWS IAM Groups.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the group (IAM identifier, see linked docs above for details)
groupid	Unique string identifying the group
name	The friendly name that identifies the group
createdate	ISO 8601 date-time string when the group was created
arn	The AWS-global identifier for this group

Relationships¶

Objects part of an AWSGroup may assume AWSRoles.

```
(AWSGroup)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

AWSUsers and AWSPrincipals can be members of AWSGroups.

```
(AWSUser, AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

AWSGroups belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSGroup)
```

AWSInspectorFinding¶

Representation of an AWS Inspector Finding

Relationships¶

AWSInspectorFinding may affect EC2 Instances

(AWSInspectorFinding)-[:AFFECTS]->(EC2Instance)

AWSInspectorFinding may affect ECR Repositories

(AWSInspectorFinding)-[:AFFECTS]->(ECRRepository)

AWSInspectorFinding may affect ECR Images

(AWSInspectorFinding)-[:AFFECTS]->(ECRImage)

AWSInspectorFindings belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSInspectorFinding)
```

AWSInspectorPackage¶

Representation of an AWS Inspector Finding Package

Relationships¶

AWSInspectorFindings have AWSInspectorPackages.

```
(AWSInspectorFindings)-[HAS]->(AWSInspectorPackages)
```

AWSInspectorPackages belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSInspectorPackages)
```

AWSLambda¶

Representation of an AWS Lambda Function.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function
name	The name of the lambda function
modifieddate	Timestamp of the last time the function was last updated
runtime	The runtime environment for the Lambda function
description	The description of the Lambda function
timeout	The amount of time in seconds that Lambda allows a function to run before stopping it
memory	The memory that’s allocated to the function
codesize	The size of the function’s deployment package, in bytes.
handler	The function that Lambda calls to begin executing your function.
version	The version of the Lambda function.
tracingconfigmode	The function’s AWS X-Ray tracing configuration mode.
revisionid	The latest updated revision of the function or alias.
state	The current state of the function.
statereason	The reason for the function’s current state.
statereasoncode	The reason code for the function’s current state.
lastupdatestatus	The status of the last update that was performed on the function.
lastupdatestatusreason	The reason for the last update that was performed on the function.
lastupdatestatusreasoncode	The reason code for the last update that was performed on the function.
packagetype	The type of deployment package.
signingprofileversionarn	The ARN of the signing profile version.
signingjobarn	The ARN of the signing job.
codesha256	The SHA256 hash of the function’s deployment package.
architectures	The instruction set architecture that the function supports. Architecture is a string array with one of the valid values.
masterarn	For Lambda@Edge functions, the ARN of the main function.
kmskeyarn	The KMS key that’s used to encrypt the function’s environment variables. This key is only returned if you’ve configured a customer managed key.

Relationships¶

AWSLambda function are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSLambda)
```
```
AWSLambda functions may act as AWSPrincipals via role assumption.
```
```
(AWSLambda)-[STS_ASSUME_ROLE_ALLOW]->(AWSPrincipal)
```
```

AWSLambda functions may also have aliases.

```
(AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
```

AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
```
```
(AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
```
```

AWSLambda functions has AWS Lambda Layers.

```
(AWSLambda)-[HAS]->(AWSLambdaLayer)
```

AWSLambda functions has AWS ECR Images.
```
```
(AWSLambda)-[HAS]->(ECRImage)
```
```

AWSLambdaFunctionAlias¶

Representation of an AWSLambdaFunctionAlias.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function alias
name	The name of the lambda function alias
functionversion	The function version that the alias invokes.
revisionid	A unique identifier that changes when you update the alias.
description	The description of the alias.

Relationships¶

AWSLambda functions may also have aliases.

```
(AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
```

AWSLambdaEventSourceMapping¶

Representation of an AWSLambdaEventSourceMapping.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the event source mapping
batchsize	The maximum number of items to retrieve in a single batch.
startingposition	The position in a stream from which to start reading.
startingpositiontimestamp	The time from which to start reading.
parallelizationfactor	The number of batches to process from each shard concurrently.
maximumbatchingwindowinseconds	The maximum amount of time to gather records before invoking the function, in seconds.
eventsourcearn	The Amazon Resource Name (ARN) of the event source.
lastmodified	The date that the event source mapping was last updated, or its state changed.
state	The state of the event source mapping.
maximumrecordage	Discard records older than the specified age.
bisectbatchonfunctionerror	If the function returns an error, split the batch in two and retry.
maximumretryattempts	Discard records after the specified number of retries.
tumblingwindowinseconds	The duration in seconds of a processing window.
lastprocessingresult	The result of the last AWS Lambda invocation of your Lambda function.

Relationships¶

AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
```
```
(AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
```
```

AWSLambdaLayer¶

Representation of an AWSLambdaLayer.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function layer
codesize	The size of the layer archive in bytes.
signingprofileversionarn	The Amazon Resource Name (ARN) for a signing profile version.
signingjobarn	The Amazon Resource Name (ARN) of a signing job.

Relationships¶

AWSLambda functions has AWS Lambda Layers.

```
(AWSLambda)-[HAS]->(AWSLambdaLayer)
```

AWSPolicy¶

Representation of an AWS Policy.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	The friendly name (not ARN) identifying the policy
createdate	ISO 8601 date-time when the policy was created
type	“inline” or “managed” - the type of policy it is
arn	The arn for this object
id	The unique identifer for a policy. If the policy is managed this will be the Arn. If the policy is inline this will calculated as AWSPrincipal/inline_policy/PolicyName

Relationships¶

AWSPrincipal contains AWSPolicy

```
(AWSPrincipal)-[POLICY]->(AWSPolicy)
```

AWSPolicy contains AWSPolicyStatement

```
(AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
```

AWSPolicyStatement¶

Representation of an AWS Policy Statement.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
resources	(array) The resources the statement is applied to. Can contain wildcards
actions	(array) The permissions allowed or denied by the statement. Can contain wildcards
notactions	(array) The permission explicitly not matched by the statement
effect	“Allow” or “Deny” - the effect of this statement
id	The unique identifier for a statement. If the statement has an Sid the id will be calculated as AWSPolicy.id/statements/Sid. If the statement has no Sid the id will be calculated as AWSPolicy.id/statements/index of statement in statement list

Relationships¶

AWSPolicy contains AWSPolicyStatement

```
(AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
```

AWSPrincipal¶

Representation of an AWSPrincipal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the principal
name	The friendly name of the principal
createdate	ISO 8601 date-time when the principal was created
arn	AWS-unique identifier for this object
userid	The stable and unique string identifying the principal.
passwordlastused	Datetime when this principal’s password was last used

Relationships¶

AWS Principals can be members of AWS Groups.

```
(AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

This AccountAccessKey is used to authenticate to this AWSPrincipal.
```
```
(AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

AWS Roles can trust AWS Principals.

(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)

AWS Accounts contain AWS Principals.

```
(AWSAccount)-[RESOURCE]->(AWSPrincipal)
```

Redshift clusters may assume IAM roles. See this article.

(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)

AWSPrincipal::AWSUser¶

Representation of an AWSUser. An AWS User is a type of AWS Principal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the user
name	The friendly name of the user
createdate	ISO 8601 date-time when the user was created
arn	AWS-unique identifier for this object
userid	The stable and unique string identifying the user.
passwordlastused	Datetime when this user’s password was last used

Relationships¶

AWS Users can be members of AWS Groups.

```
(AWSUser)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

AWS Users can assume AWS Roles.

```
(AWSUser)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

This AccountAccessKey is used to authenticate to this AWSUser
```
```
(AWSUser)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

AWS Accounts contain AWS Users.

```
(AWSAccount)-[RESOURCE]->(AWSUser)
```

AWSPrincipal::AWSRole¶

Representation of an AWS IAM Role. An AWS Role is a type of AWS Principal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
roleid	The stable and unique string identifying the role.
name	The friendly name that identifies the role.
createdate	The date and time, in ISO 8601 date-time format, when the role was created.
arn	AWS-unique identifier for this object

Relationships¶

Some AWS Groups, Users, Principals, and EC2 Instances can assume AWS Roles.
```
(AWSGroup, AWSUser, EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

Some AWS Roles can assume other AWS Roles.

(AWSRole)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)

Some AWS Roles trust AWS Principals.

(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)

Members of an Okta group can assume associated AWS roles if Okta SAML is configured with AWS.
```
(AWSRole)-[ALLOWED_BY]->(OktaGroup)
```
AWS Roles are defined in AWS Accounts.
```
(AWSAccount)-[RESOURCE]->(AWSRole)
```

AWSTransitGateway¶

Representation of an AWS Transit Gateway.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
owner_id	The ID of the AWS account that owns the transit gateway
description	Transit Gateway description
state	Can be one of `pending \| available \| modifying \| deleting \| deleted`
tgw_id	Unique identifier of the Transit Gateway
id	Unique identifier of the Transit Gateway
arn	AWS-unique identifier for this object (same as `id`)

Relationships¶

Transit Gateways belong to one AWSAccount…

(AWSAccount)-[RESOURCE]->(AWSTransitGateway)

… and can be shared with other accounts

(AWSAccount)<-[SHARED_WITH]-(AWSTransitGateway)

AWSTag
```
(AWSTransitGateway)-[TAGGED]->(AWSTag)
```

AWSTransitGatewayAttachment¶

Representation of an AWS Transit Gateway Attachment.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
resource_type	Can be one of `vpc \| vpn \| direct-connect-gateway \| tgw-peering`
state	Can be one of `initiating \| pendingAcceptance \| rollingBack \| pending \| available \| modifying \| deleting \| deleted \| failed \| rejected \| rejecting \| failing`
id	Unique identifier of the Transit Gateway Attachment

Relationships¶

AWSAccount

(AWSAccount)-[RESOURCE]->(AWSTransitGatewayAttachment)

AWSVpc (for VPC attachments)

(AWSVpc)-[RESOURCE]->(AWSTransitGatewayAttachment {resource_type: 'vpc'})

AWSTransitGateway attachment

(AWSTransitGateway)<-[ATTACHED_TO]-(AWSTransitGatewayAttachment)

AWSTag

(AWSTransitGatewayAttachment)-[TAGGED]->(AWSTag)

AWSVpc¶

Representation of an AWS CidrBlock used in VPC configuration. More information on https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html

Field	Description
firstseen	Timestamp of when a sync job discovered this node
vpcid	The VPC unique identifier
primary_cidr_block	The primary IPv4 CIDR block for the VPC.
instance_tenancy	The allowed tenancy of instances launched into the VPC.
state	The current state of the VPC.
region	(optional) the region of this VPC. This field is only available on VPCs in your account. It is not available on VPCs that are external to your account and linked via a VPC peering relationship.
id	Unique identifier defined VPC node (vpcid)

Relationships¶

AWSAccount resource
```
(AWSAccount)-[RESOURCE]->(AWSVpc)
```

AWSVpc and AWSCidrBlock association

(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)

AWSVpc and EC2SecurityGroup membership association

(AWSVpc)<-[MEMBER_OF_EC2_SECURITY_GROUP]-(EC2SecurityGroup)

AWS VPCs can be tagged with AWSTags.
```
(AWSVpc)-[TAGGED]->(AWSTag)
```

Redshift clusters can be members of AWSVpcs.

(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)

Peering connection where AWSVpc is an accepter or requester vpc.

(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
(AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)

Tag::AWSTag ¶

Representation of an AWS Tag. AWS Tags can be applied to many objects.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	This tag’s unique identifier of the format `{TagKey}:{TagValue}`. We fabricated this ID.
key	One part of a key-value pair that makes up a tag.
value	One part of a key-value pair that makes up a tag.
region	The region where this tag was discovered.

Relationships¶

AWS VPCs, DB Subnet Groups, EC2 Instances, EC2 SecurityGroups, EC2 Subnets, EC2 Network Interfaces, RDS Instances, and S3 Buckets can be tagged with AWSTags.
```
(AWSVpc, DBSubnetGroup, EC2Instance, EC2SecurityGroup, EC2Subnet, NetworkInterface, RDSInstance, S3Bucket)-[TAGGED]->(AWSTag)
```

AccountAccessKey¶

Representation of an AWS Access Key.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
createdate	Date when access key was created
status	Active: valid for API calls. Inactive: not valid for API calls
lastuseddate	Date when the key was last used
lastusedservice	The service that was last used with the access key
lastusedregion	The region where the access key was last used
accesskeyid	The ID for this access key

Relationships¶

Account Access Keys may authenticate AWS Users and AWS Principal objects.
```
```
(AWSUser, AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

DBSubnetGroup¶

Representation of an RDS DB Subnet Group. For more information on how RDS instances interact with these, please see this article.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
id	The ARN of the DBSubnetGroup
name	The name of DBSubnetGroup
lastupdated	Timestamp of the last time the node was updated
description	Description of the DB Subnet Group
status	The status of the group
vpc_id	The ID of the VPC (Virtual Private Cloud) that this DB Subnet Group is associated with.
value	The IP address that the DNSRecord points to

Relationships¶

RDS Instances are part of DB Subnet Groups

(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)

DB Subnet Groups consist of EC2 Subnets

(DBSubnetGroup)-[:RESOURCE]->(EC2Subnet)

DB Subnet Groups can be tagged with AWSTags.

```
(DBSubnetGroup)-[TAGGED]->(AWSTag)
```

DNSRecord¶

Representation of a generic DNSRecord.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	The name of the DNSRecord
lastupdated	Timestamp of the last time the node was updated
id	The name of the DNSRecord concatenated with the record type
type	The record type of the DNS record
value	The IP address that the DNSRecord points to

Relationships¶

DNSRecords can point to IP addresses.

```
(DNSRecord)-[DNS_POINTS_TO]->(Ip)
```

DNSRecords/AWSDNSRecords can point to each other.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
```

DNSRecords can point to LoadBalancers.

```
(DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
```

DNSRecords can be members of DNSZones.

```
(DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
```

DNSRecord::AWSDNSRecord¶

Representation of an AWS DNS ResourceRecordSet.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	The name of the DNSRecord
lastupdated	Timestamp of the last time the node was updated
id	The zoneid for the record, the value of the record, and the type concatenated together
type	The record type of the DNS record
value	If it is an A, ALIAS, or CNAME record, this is the IP address that the DNSRecord points to. If it is an NS record, the `name` is used here.

Relationships¶

DNSRecords/AWSDNSRecords can point to each other.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
```

AWSDNSRecords can point to LoadBalancers.

```
(AWSDNSRecord)-[DNS_POINTS_TO]->(LoadBalancer, ESDomain)
```

AWSDNSRecords can be members of AWSDNSZones.

```
(AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
```

DNSZone¶

Representation of a generic DNS Zone.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	the name of the DNS zone
comment	Comments about the zone

Relationships¶

DNSRecords can be members of DNSZones.

```
(DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
```

DNSZone::AWSDNSZone¶

Representation of an AWS DNS HostedZone.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	the name of the DNS zone
zoneid	The zoneid defined by Amazon Route53
lastupdated	Timestamp of the last time the node was updated
comment	Comments about the zone
privatezone	Whether or not this is a private DNS zone

Relationships¶

AWSDNSZones and DNSZones can be part of AWSAccounts.
```
```
(AWSAccount)-[RESOURCE]->(AWSDNSZone)
```
```

AWSDNSRecords can be members of AWSDNSZones.

```
(AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
```

AWSDNSZone can have subzones hosted by another AWSDNSZone
```
```
(AWSDNSZone)<-[SUBZONE]-(AWSDNSZone)
```
```

DynamoDBTable¶

Representation of an AWS DynamoDBTable.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	The name of the table
id	The ARN of the table
region	The AWS region of the table
arn	The AWS-unique identifier

Relationships¶

DynamoDBTables belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(DynamoDBTable)
```

EC2Instance¶

Our representation of an AWS EC2 Instance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as `instanceid` below.
instanceid	The instance id provided by AWS. This is globally unique
publicdnsname	The public DNS name assigned to the instance
publicipaddress	The public IPv4 address assigned to the instance if applicable
privateipaddress	The private IPv4 address assigned to the instance
imageid	The ID of the Amazon Machine Image used to launch the instance
subnetid	The ID of the EC2Subnet associated with this instance
instancetype	The instance type. See API docs linked above for specifics.
iaminstanceprofile	The IAM instance profile associated with the instance, if applicable.
launchtime	The time the instance was launched
monitoringstate	Whether monitoring is enabled. Valid Values: disabled, disabling, enabled, pending.
state	The current state of the instance.
launchtimeunix	The time the instance was launched in unix time
region	The AWS region this Instance is running in
exposed_internet	The `exposed_internet` flag on an EC2 instance is set to `True` when (1) the instance is part of an EC2 security group or is connected to a network interface connected to an EC2 security group that allows connectivity from the 0.0.0.0/0 subnet or (2) the instance is connected to an Elastic Load Balancer that has its own `exposed_internet` flag set to `True`.
availabilityzone	The Availability Zone of the instance.
tenancy	The tenancy of the instance.
hostresourcegrouparn	The ARN of the host resource group in which to launch the instances.
platform	The value is `Windows` for Windows instances; otherwise blank.
architecture	The architecture of the image.
ebsoptimized	Indicates whether the instance is optimized for Amazon EBS I/O.
bootmode	The boot mode of the instance.
instancelifecycle	Indicates whether this is a Spot Instance or a Scheduled Instance.
hibernationoptions	Indicates whether the instance is enabled for hibernation.

Relationships¶

EC2 Instances can be part of subnets

```
(EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
```

EC2 Instances can have NetworkInterfaces connected to them

```
(EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
```

EC2 Instances may be members of EC2 Reservations

```
(EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
```

EC2 Instances can be part of EC2 Security Groups

```
(EC2Instance)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Load Balancers can expose (be connected to) EC2 Instances
```
```
(LoadBalancer)-[EXPOSE]->(EC2Instance)
```
```
Package and Dependency nodes can be deployed in EC2 Instances.
```
```
(Package, Dependency)-[DEPLOYED]->(EC2Instance)
```
```

AWS Accounts contain EC2 Instances.

```
(AWSAccount)-[RESOURCE]->(EC2Instance)
```

EC2 Instances can be tagged with AWSTags.

```
(EC2Instance)-[TAGGED]->(AWSTag)
```

AWS EBS Volumes are attached to an EC2 Instance

```
(EBSVolume)-[ATTACHED_TO]->(EC2Instance)
```

EC2 Instances can assume IAM Roles.

```
(EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

EC2Instances can have SSMInstanceInformation

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
```

EC2Instances can have SSMInstancePatches

```
(EC2Instance)-[HAS_PATCH]->(SSMInstancePatch)
```

EC2KeyPair¶

Representation of an AWS EC2 Key Pair

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
keyname	The name of the key pair
keyfingerprint	The fingerprint of the public key
region	The AWS region
arn	AWS-unique identifier for this object
id	same as `arn`
user_uploaded	`user_uploaded` is set to `True` if the the KeyPair was uploaded to AWS. Uploaded KeyPairs will have 128-bit MD5 hashed `keyfingerprint`, and KeyPairs from AWS will have 160-bit SHA-1 hashed `keyfingerprint`s.
duplicate_keyfingerprint	`duplicate_keyfingerprint` is set to `True` if the KeyPair has the same `keyfingerprint` as another KeyPair.

Relationships¶

EC2 key pairs are contained in AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EC2KeyPair)
```

EC2 key pairs can be used to log in to AWS EC2 isntances.
```
```
(EC2KeyPair)-[SSH_LOGIN_TO]->(EC2Instance)
```
```

EC2 key pairs have matching keyfingerprint.

```
(EC2KeyPair)-[MATCHING_FINGERPRINT]->(EC2KeyPair)
```

EC2PrivateIp¶

Representation of an AWS EC2 InstancePrivateIpAddress

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
network_interface_id	id of the network interface with which the IP is associated with
primary	Indicates whether this IPv4 address is the primary private IP address of the network interface.
private_ip_address	The private IPv4 address of the network interface.
public_ip	The public IP address or Elastic IP address bound to the network interface.
ip_owner_id	Id of the owner, e.g. `amazon-elb` for ELBs

Relationships¶

EC2PrivateIps are connected with NetworkInterfaces.

```
(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
```

EC2Reservation¶

Representation of an AWS EC2 Reservation.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
requesterid	The ID of the requester that launched the instances on your behalf
reservationid	The ID of the reservation.
region	The AWS region
ownerid	The ID of the AWS account that owns the reservation.

Relationships¶

EC2 reservations are contained in AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EC2Reservation)
```

EC2 Instances are members of EC2 reservations.

```
(EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
```

EC2SecurityGroup¶

Representation of an AWS EC2 Security Group.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
groupid	The ID of the security group
name	The name of the security group
description	A description of the security group
id	Same as `groupid`
region	The AWS region this security group is installed in

Relationships¶

EC2 Instances, Network Interfaces, Load Balancers, Elastic Search Domains, IP Rules, IP Permission Inbound nodes, and RDS Instances can be members of EC2 Security Groups.

```
(EC2Instance,
 NetworkInterface,
 LoadBalancer,
 ESDomain,
 IpRule,
 IpPermissionInbound,
 RDSInstance,
 AWSVpc)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Load balancers can define inbound Source Security Groups.

```
(LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
```

AWS Accounts contain EC2 Security Groups.

```
(AWSAccount)-[RESOURCE]->(EC2SecurityGroup)
```

EC2 SecurityGroups can be tagged with AWSTags.

```
(EC2SecurityGroup)-[TAGGED]->(AWSTag)
```

Redshift clusters can be members of EC2 Security Groups.

(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

EC2Subnet¶

Representation of an AWS EC2 Subnet.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
subnetid	The ID of the subnet
id	same as subnetid
region	The AWS region the subnet is installed on
name	The IPv4 CIDR block assigned to the subnet
cidr_block	The IPv4 CIDR block assigned to the subnet
available_ip_address_count	The number of unused private IPv4 addresses in the subnet. The IPv4 addresses for any stopped instances are considered unavailable
default_for_az	Indicates whether this is the default subnet for the Availability Zone.
map_customer_owned_ip_on_launch	Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives a customer-owned IPv4 address
map_public_ip_on_launch	Indicates whether instances launched in this subnet receive a public IPv4 address
subnet_arn	The Amazon Resource Name (ARN) of the subnet
availability_zone	The Availability Zone of the subnet
availability_zone_id	The AZ ID of the subnet
state	The current state of the subnet.
assignipv6addressoncreation	Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address.

Relationships¶

A Network Interface can be part of an EC2 Subnet.

```
(NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
```

An EC2 Instance can be part of an EC2 Subnet.

```
(EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
```

A LoadBalancer can be part of an EC2 Subnet.

```
(LoadBalancer)-[SUBNET]->(EC2Subnet)

```

A LoadBalancer can be part of an EC2 Subnet.

```
(LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
```

A LoadBalancerV2 can be part of an EC2 Subnet.

```
(LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
```

DB Subnet Groups consist of EC2 Subnets

(DBSubnetGroup)-[RESOURCE]->(EC2Subnet)

EC2 Subnets can be tagged with AWSTags.
```
```
(EC2Subnet)-[TAGGED]->(AWSTag)
```
```

EC2 Subnets are member of a VPC.

```
(EC2Subnet)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
```

EC2 Subnets belong to AWS Accounts

```
(AWSAccount)-[RESOURCE]->(EC2Subnet)
```

EC2PrivateIps are connected with NetworkInterfaces.

(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)

AWSInternetGateway¶

Representation of an AWS Interent Gateway.

Field	Description
id	Internet gateway ID
arn	Amazon Resource Name
region	The region of the gateway

Relationships¶

Internet Gateways are attached to a VPC.

```
(AWSInternetGateway)-[ATTACHED_TO]->(AWSVpc)
```

Internet Gateways belong to AWS Accounts

```
(AWSAccount)-[RESOURCE]->(AWSInternetGateway)
```

ECRRepository¶

Representation of an AWS Elastic Container Registry Repository.

Field	Description
id	Same as ARN
arn	The ARN of the repository
name	The name of the repository
region	The region of the repository
created_at	Date and time when the repository was created

Relationships¶

An ECRRepository contains ECRRepositoryImages:

(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)

EC2NetworkAcl¶

Representation of an AWS EC2 Network ACL

Field	Description
id	The arn of the network ACL
arn	Amazon Resource Name
network_acl_id	The ID of the network ACL
is_default	Indicates whether this is the default network ACL for the VPC.
vpc_id	The ID of the VPC this ACL is associated with
region	The region

Relationships¶

EC2 Network ACLs have ingress and egress rules

(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionInbound)

(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionEgress)

EC2 Network ACLs define egress and ingress rules on subnets
```
```
(:EC2NetworkAcl)-[:PART_OF_SUBNET]->(:EC2Subnet)
```
```

EC2 Network ACLs are attached to VPCs.

```
(:EC2NetworkAcl)-[:MEMBER_OF_AWS_VPC]->(:AWSVpc)
```

EC2 Network ACLs belong to AWS Accounts

```
(:AWSAccount)-[:RESOURCE]->(:EC2NetworkAcl)
```

EC2NetworkAclRule :: IpPermissionInbound / IpPermissionEgress¶

Representation of an AWS EC2 Network ACL Rule Entry For additional explanation see https://docs.aws.amazon.com/vpc/latest/userguide/nacl-rules.html.

Field	Description
id	The ID of this rule: `{network_acl_id}/{egress or inbound}/{rule_number}`
network_acl_id	The ID of the network ACL that this belongs to
protocol	Indicates whether this is the default network ACL for the VPC.
fromport	First port in the range that this rule applies to
toport	Last port in the range that this rule applies to
cidrblock	The IPv4 network range to allow or deny, in CIDR notation.
egress	Indicates whether the rule is an egress rule (applied to traffic leaving the subnet).
rulenumber	The rule number for the entry. ACL entries are processed in ascending order by rule number.
ruleaction	Indicates whether to `allow` or `den` the traffic that matches the rule.
region	The region

Relationships¶

EC2 Network ACLs have ingress and egress rules

(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionInbound)

(:EC2NetworkAcl)-[:MEMBER_OF_NACL]->(:EC2NetworkAclRule:IpPermissionEgress)

EC2 Network ACL Ruless belong to AWS Accounts

(:AWSAccount)-[:RESOURCE]->(:EC2NetworkAclRule)

ECRRepositoryImage¶

An ECR image may be referenced and tagged by more than one ECR Repository. To best represent this, we’ve created an ECRRepositoryImage node as a layer of indirection between the repo and the image.

More concretely explained, we run ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_, and then store the image tag on an ECRRepositoryImage node and the image digest hash on a separate ECRImage node.

This way, more than one ECRRepositoryImage can reference/be connected to the same ECRImage.

Field	Description
tag	The tag applied to the repository image, e.g. “latest”
uri	The URI where the repository image is stored
id	same as uri

Relationships¶

An ECRRepository contains ECRRepositoryImages:

(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)

ECRRepositoryImages reference ECRImages

(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)

ECRImage¶

Representation of an ECR image identified by its digest (e.g. a SHA hash). Specifically, this is the “digest part” of ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_. Also see ECRRepositoryImage.

Field	Description
digest	The hash of this ECR image
id	Same as digest

Relationships¶

ECRRepositoryImages reference ECRImages

(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)

Software packages are a part of ECR Images
```
(:Package)-[:DEPLOYED]->(:ECRImage)
```

Package¶

Representation of a software package, as found by an AWS ECR vulnerability scan.

Field	Description
id	Concatenation of `{version}\|{name}`
version	The version of the package, includes the Linux distro that it was built for
name	The name of the package

Relationships¶

Software packages are a part of ECR Images
```
(:Package)-[:DEPLOYED]->(:ECRImage)
```
AWS ECR scans yield ECRScanFindings that affect software packages
```
(:ECRScanFindings)-[:AFFECTS]->(:Package)
```

ECRScanFinding (:Risk:CVE)¶

Representation of a scan finding from AWS ECR. This is the result output of ``ecr.describe_image_scan_findings()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html>`_.

Field	Description
name	The name of the ECR scan finding, e.g. a CVE name
id	Same as name
severity	The severity of the risk
uri	A URI link to a descriptive article on the risk

Relationships¶

AWS ECR scans yield ECRScanFindings that affect software packages
```
(:ECRScanFindings)-[:AFFECTS]->(:Package)
```

EKSCluster¶

Representation of an AWS EKS Cluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
created_at	The date and time the cluster was created
region	The AWS region
arn	AWS-unique identifier for this object
id	same as `arn`
name	Name of the EKS Cluster
endpoint	The endpoint for the Kubernetes API server.
endpoint_public_access	Indicates whether the Amazon EKS public API server endpoint is enabled
exposed_internet	Set to True if the EKS Cluster public API server endpoint is enabled
rolearn	The ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API
version	Kubernetes version running
platform_version	Version of EKS
status	Status of the cluster. Valid Values: creating, active, deleting, failed, updating
audit_logging	Whether audit logging is enabled

Relationships¶

EKS Clusters belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EKSCluster)
```

EMRCluster¶

Representation of an AWS EMR Cluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
region	The AWS region
arn	AWS-unique identifier for this object
id	The Id of the EMR Cluster.
instance_collection_type	The instance group configuration of the cluster. A value of INSTANCE_GROUP indicates a uniform instance group configuration. A value of INSTANCE_FLEET indicates an instance fleets configuration.
log_encryption_kms_key_id	The KMS key used for encrypting log files.
requested_ami_version	The AMI version requested for this cluster.
running_ami_version	The AMI version running on this cluster.
release_label	The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster.
auto_terminate	Specifies whether the cluster should terminate after completing all steps.
termination_protected	Indicates whether Amazon EMR will lock the cluster to prevent the EC2 instances from being terminated by an API call or user intervention, or in the event of a cluster error.
visible_to_all_users	Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster.
master_public_dns_name	The DNS name of the master node. If the cluster is on a private subnet, this is the private DNS name. On a public subnet, this is the public DNS name.
security_configuration	The name of the security configuration applied to the cluster.
autoscaling_role	An IAM role for automatic scaling policies.
scale_down_behavior	The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized.
custom_ami_id	The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.
repo_upgrade_on_boot	Specifies the type of updates that are applied from the Amazon Linux AMI package repositories when an instance boots using the AMI.
outpost_arn	The Amazon Resource Name (ARN) of the Outpost where the cluster is launched.
log_uri	The path to the Amazon S3 location where logs for this cluster are stored.
servicerole	Service Role of the EMR Cluster

Relationships¶

EMR Clusters belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EMRCluster)
```

ESDomain¶

Representation of an AWS ElasticSearch Domain (see ElasticsearchDomainConfig).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
elasticsearch_cluster_config_instancetype	The instancetype
elasticsearch_version	The version of elasticsearch
elasticsearch_cluster_config_zoneawarenessenabled	Indicates whether multiple Availability Zones are enabled.
elasticsearch_cluster_config_dedicatedmasterenabled	Indicates whether dedicated master nodes are enabled for the cluster. True if the cluster will use a dedicated master node. False if the cluster will not.
elasticsearch_cluster_config_dedicatedmastercount	Number of dedicated master nodes in the cluster.
elasticsearch_cluster_config_dedicatedmastertype	Amazon ES instance type of the dedicated master nodes in the cluster.
domainid	Unique identifier for an Amazon ES domain.
encryption_at_rest_options_enabled	Specify true to enable encryption at rest.
deleted	Status of the deletion of an Amazon ES domain. True if deletion of the domain is complete. False if domain deletion is still in progress.
id	same as `domainid`
arn	Amazon Resource Name (ARN) of an Amazon ES domain.
exposed_internet	`exposed_internet` is set to `True` if the ElasticSearch domain has a policy applied to it that makes it internet-accessible. This policy determination is made by using the policyuniverse library. The code for this augmentation is implemented at `cartography.intel.aws.elasticsearch._process_access_policy()`.

Relationships¶

Elastic Search domains can be members of EC2 Security Groups.

```
(ESDomain)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Elastic Search domains belong to AWS Accounts.
```
(AWSAccount)-[RESOURCE]->(ESDomain)
```

DNS Records can point to Elastic Search domains.

```
(DNSRecord)-[DNS_POINTS_TO]->(ESDomain)
```

Endpoint¶

Representation of a generic network endpoint.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint
port	The port of this endpoint

Relationships¶

Endpoints can be installed load balancers, though more specifically we would refer to these Endpoint nodes as ELBListeners.
```
```
(LoadBalancer)-[ELB_LISTENER]->(Endpoint)
```
```

Endpoint::ELBListener¶

Representation of an AWS Elastic Load Balancer Listener. Here, an ELBListener is a more specific type of Endpoint. Here’a good introduction.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint
port	The port of this endpoint
policy_names	A list of SSL policy names set on the listener.
id	The ELB ID. This is a concatenation of the DNS name, port, and protocol.
instance_port	The port open on the EC2 instance that this listener is connected to
instance_protocol	The protocol defined on the EC2 instance that this listener is connected to

Relationships¶

A ELBListener is installed on a load balancer.

```
(LoadBalancer)-[ELB_LISTENER]->(ELBListener)
```

Endpoint::ELBV2Listener¶

Representation of an AWS Elastic Load Balancer V2 Listener.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint - One of `'HTTP''HTTPS''TCP''TLS''UDP''TCP_UDP'`
port	The port of this endpoint
ssl_policy	Only set for HTTPS or TLS listener. The security policy that defines which protocols and ciphers are supported.
targetgrouparn	The ARN of the Target Group, if the Action type is `forward`.

Relationships¶

A ELBV2Listener is installed on a LoadBalancerV2.

```
(elbv2)-[r:ELBV2_LISTENER]->(ELBV2Listener)
```

Ip¶

Represents a generic IP address.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
ip	The IPv4 address
id	Same as `ip`

Relationships¶

DNSRecords can point to IP addresses.

```
(DNSRecord)-[DNS_POINTS_TO]->(Ip)
```

IpRule¶

Represents a generic IP rule. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field	Description
ruleid	`{group_id}/{rule_type}/{from_port}{to_port}{protocol}`
groupid	The groupid of the EC2 Security Group that this was derived from
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol this rule applies to
fromport	Lowest port in the range defined by this rule
toport	Highest port in the range defined by this rule

Relationships¶

IpRules are defined from EC2SecurityGroups.

```
(IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

IpRule::IpPermissionInbound¶

An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field	Description
ruleid	`{group_id}/{rule_type}/{from_port}{to_port}{protocol}`
groupid	The groupid of the EC2 Security Group that this was derived from
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol this rule applies to
fromport	Lowest port in the range defined by this rule
toport	Highest port in the range defined by this rule

Relationships¶

IpPermissionInbound rules are defined from EC2SecurityGroups.

```
(IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancer¶

Represents an AWS Elastic Load Balancer. See spec for details.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
scheme	The type of load balancer. Valid only for load balancers in a VPC. If scheme is `internet-facing`, the load balancer has a public DNS name that resolves to a public IP address. If scheme is `internal`, the load balancer has a public DNS name that resolves to a private IP address.
name	The name of the load balancer
dnsname	The DNS name of the load balancer.
canonicalhostedzonename	The DNS name of the load balancer
id	Currently set to the `dnsname` of the load balancer.
region	The region of the load balancer
createdtime	The date and time the load balancer was created.
canonicalhostedzonenameid	The ID of the Amazon Route 53 hosted zone for the load balancer.
exposed_internet	The `exposed_internet` flag is set to `True` when the load balancer’s `scheme` field is set to `internet-facing`. This indicates that the load balancer has a public DNS name that resolves to a public IP address.

Relationships¶

LoadBalancers can be connected to EC2Instances and therefore expose them.
```
```
(LoadBalancer)-[EXPOSE]->(EC2Instance)
```
```

LoadBalancers can have source security groups configured.

```
(LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancers can be part of EC2SecurityGroups.

```
(LoadBalancer)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancers can be part of EC2 Subnets

```
(LoadBalancer)-[SUBNET]->(EC2Subnet)
```

LoadBalancers can be part of EC2 Subnets

```
(LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
```

LoadBalancers can have listeners configured to accept connections from clients (good introduction).
```
```
(LoadBalancer)-[ELB_LISTENER]->(Endpoint, ELBListener)
```
```

LoadBalancers are part of AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(LoadBalancer)
```

AWSDNSRecords and DNSRecords point to LoadBalancers.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
```

LoadBalancerV2¶

Represents an Elastic Load Balancer V2 (Application Load Balancer or Network Load Balancer.) API reference here.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
scheme	The type of load balancer. If scheme is `internet-facing`, the load balancer has a public DNS name that resolves to a public IP address. If scheme is `internal`, the load balancer has a public DNS name that resolves to a private IP address.
name	The name of the load balancer
dnsname	The DNS name of the load balancer.
exposed_internet	The `exposed_internet` flag is set to `True` when the load balancer’s `scheme` field is set to `internet-facing`. This indicates that the load balancer has a public DNS name that resolves to a public IP address.
id	Currently set to the `dnsname` of the load balancer.
type	Can be `application` or `network`
region	The region of the load balancer
createdtime	The date and time the load balancer was created.
canonicalhostedzonenameid	The ID of the Amazon Route 53 hosted zone for the load balancer.

Relationships¶

LoadBalancerV2’s can be connected to EC2Instances and therefore expose them.
```
```
(LoadBalancerV2)-[EXPOSE]->(EC2Instance)
```
```
EXPOSE relationshiohip also holds the protocol, port and TargetGroupArn the load balancer points to.
LoadBalancerV2’s can be part of EC2SecurityGroups but only if their type = “application”. NLBs don’t have SGs.
```
```
(LoadBalancerV2)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```
```

LoadBalancerV2’s can be part of EC2 Subnets

```
(LoadBalancerV2)-[SUBNET]->(EC2Subnet)
```

LoadBalancerV2’s can be part of EC2 Subnets

```
(LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
```

LoadBalancerV2’s have listeners:

```
(LoadBalancerV2)-[ELBV2_LISTENER]->(ELBV2Listener)
```

Nameserver¶

Represents a DNS nameserver. | Field | Description | |-------|————-| | firstseen| Timestamp of when a sync job first discovered this node | | lastupdated | Timestamp of the last time the node was updated | | id | The address of the nameserver| | name | The name or address of the nameserver|

Relationships¶

Nameservers are nameservers for to DNSZone.

```
(Nameserver)-[NAMESERVER]->(DNSZone)
```

NetworkInterface¶

Representation of a generic Network Interface. Currently however, we only create NetworkInterface nodes from AWS EC2 Instances. The spec for an AWS EC2 network interface is here.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
mac_address	The MAC address of the network interface
description	Description of the network interface
private_ip_address	The primary IPv4 address of the network interface within the subnet
id	The ID of the network interface. (known as `networkInterfaceId` in EC2)
private_dns_name	The private DNS name
status	Status of the network interface. Valid Values: `available \| associated \| attaching \| in-use \| detaching`
subnetid	The ID of the subnet
interface_type	Describes the type of network interface. Valid values: `interface \| efa`
requester_id	Id of the requester, e.g. `amazon-elb` for ELBs
requester_managed	Indicates whether the interface is managed by the requester
source_dest_check	Indicates whether to validate network traffic to or from this network interface.
public_ip	Public IPv4 address attached to the interface

Relationships¶

EC2 Network Interfaces belong to AWS accounts.

(NetworkInterface)<-[:RESOURCE]->(:AWSAccount)

Network interfaces can be connected to EC2Subnets.

```
(NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
```

Network interfaces can be members of EC2SecurityGroups.

```
(NetworkInterface)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

EC2Instances can have NetworkInterfaces connected to them.

```
(EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
```

LoadBalancers can have NetworkInterfaces connected to them.

```
(LoadBalancer)-[NETWORK_INTERFACE]->(NetworkInterface)
```

LoadBalancerV2s can have NetworkInterfaces connected to them.

```
(LoadBalancerV2)-[NETWORK_INTERFACE]->(NetworkInterface)
```

EC2PrivateIps are connected to a NetworkInterface.

```
(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
```

EC2 Network Interfaces can be tagged with AWSTags.
```
```
(NetworkInterface)-[TAGGED]->(AWSTag)
```
```

AWSPeeringConnection¶

Representation of an AWS PeeringConnection implementing an AWS VpcPeeringConnection object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	vpcPeeringConnectionId, The ID of the VPC peering connection.
allow_dns_resolution_from_remote_vpc	Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
allow_egress_from_local_classic_link_to_remote_vpc	Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
allow_egress_from_local_vpc_to_remote_classic_link	Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
requester_region	Peering requester region
accepter_region	Peering accepter region
status_code	The status of the VPC peering connection.
status_message	A message that provides more information about the status, if applicable.

Relationships¶

AWSVpc is an accepter or requester vpc.

(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
(AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)

AWSCidrBlock is an accepter or requester cidr.

(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
(AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)

RedshiftCluster¶

Representation of an AWS RedshiftCluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
arn	The Amazon Resource Name (ARN) for the Redshift cluster
id	Same as arn
availability_zone	Specifies the name of the Availability Zone the cluster is located in
cluster_create_time	Provides the date and time the cluster was created
cluster_identifier	The unique identifier of the cluster.
cluster_revision_number	The specific revision number of the database in the cluster.
db_name	The name of the initial database that was created when the cluster was created. This same name is returned for the life of the cluster. If an initial database was not specified, a database named devdev was created by default.
encrypted	Specifies whether the cluster has encryption enabled
cluster_status	The current state of the cluster.
endpoint_address	DNS name of the Redshift cluster endpoint
endpoint_port	The port that the Redshift cluster’s endpoint is listening on
master_username	The master user name for the cluster. This name is used to connect to the database that is specified in the DBName parameter.
node_type	The node type for the nodes in the cluster.
number_of_nodes	The number of compute nodes in the cluster.
publicly_accessible	A boolean value that, if true, indicates that the cluster can be accessed from a public network.
vpc_id	The identifier of the VPC the cluster is in, if the cluster is in a VPC.

Relationships¶

Redshift clusters are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RedshiftCluster)
```

Redshift clusters can be members of EC2 Security Groups.

(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

Redshift clusters may assume IAM roles. See this article.

(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)

Redshift clusters can be members of AWSVpcs.

(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)

RDSCluster¶

Representation of an AWS Relational Database Service DBCluster

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB cluster.
allocated_storage	For all database engines except Amazon Aurora, AllocatedStorage specifies the allocated storage size in gibibytes (GiB). For Aurora, AllocatedStorage always returns 1, because Aurora DB cluster storage size isn’t fixed, but instead automatically adjusts as needed.
availability_zones	Provides the list of Availability Zones (AZs) where instances in the DB cluster can be created.
backup_retention_period	Specifies the number of days for which automatic DB snapshots are retained.
character_set_name	If present, specifies the name of the character set that this cluster is associated with.
database_name	Contains the name of the initial database of this DB cluster that was provided at create time, if one was specified when the DB cluster was created. This same name is returned for the life of the DB cluster.
db_cluster_identifier	Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster.
db_parameter_group	Specifies the name of the DB cluster parameter group for the DB cluster.
status	Specifies the current state of this DB cluster.
earliest_restorable_time	The earliest time to which a database can be restored with point-in-time restore.
endpoint	Specifies the connection endpoint for the primary instance of the DB cluster.
reader_endpoint	The reader endpoint for the DB cluster. The reader endpoint for a DB cluster load-balances connections across the Aurora Replicas that are available in a DB cluster. As clients request new connections to the reader endpoint, Aurora distributes the connection requests among the Aurora Replicas in the DB cluster. This functionality can help balance your read workload across multiple Aurora Replicas in your DB cluster. If a failover occurs, and the Aurora Replica that you are connected to is promoted to be the primary instance, your connection is dropped. To continue sending your read workload to other Aurora Replicas in the cluster, you can then reconnect to the reader endpoint.
multi_az	Specifies whether the DB cluster has instances in multiple Availability Zones.
engine	The name of the database engine to be used for this DB cluster.
engine_version	Indicates the database engine version.
latest_restorable_time	Specifies the latest time to which a database can be restored with point-in-time restore.
port	Specifies the port that the database engine is listening on.
master_username	Contains the master username for the DB cluster.
preferred_backup_window	Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.
preferred_maintenance_window	Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
hosted_zone_id	Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.
storage_encrypted	Specifies whether the DB cluster is encrypted.
kms_key_id	If StorageEncrypted is enabled, the AWS KMS key identifier for the encrypted DB cluster. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK).
db_cluster_resource_id	The AWS Region-unique, immutable identifier for the DB cluster. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS CMK for the DB cluster is accessed.
clone_group_id	Identifies the clone group to which the DB cluster is associated.
cluster_create_time	Specifies the time when the DB cluster was created, in Universal Coordinated Time (UTC).
earliest_backtrack_time	The earliest time to which a DB cluster can be backtracked.
backtrack_window	The target backtrack window, in seconds. If this value is set to 0, backtracking is disabled for the DB cluster. Otherwise, backtracking is enabled.
backtrack_consumed_change_records	The number of change records stored for Backtrack.
capacity	The current capacity of an Aurora Serverless DB cluster. The capacity is 0 (zero) when the cluster is paused.
engine_mode	The DB engine mode of the DB cluster, either provisioned, serverless, parallelquery, global, or multimaster.
scaling_configuration_info_min_capacity	The minimum capacity for the Aurora DB cluster in serverless DB engine mode.
scaling_configuration_info_max_capacity	The maximum capacity for an Aurora DB cluster in serverless DB engine mode.
scaling_configuration_info_auto_pause	A value that indicates whether automatic pause is allowed for the Aurora DB cluster in serverless DB engine mode.
deletion_protection	Indicates if the DB cluster has deletion protection enabled. The database can’t be deleted when deletion protection is enabled.

Relationships¶

RDS Clusters are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSCluster)
```

Some RDS instances are cluster members.

(replica:RDSInstance)-[IS_CLUSTER_MEMBER_OF]->(source:RDSCluster)

RDSInstance¶

Representation of an AWS Relational Database Service DBInstance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB instance.
db_instance_identifier	Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.
availability_zone	Specifies the name of the Availability Zone the DB instance is located in.
backup_retention_period	Specifies the number of days for which automatic DB snapshots are retained.
preferred_backup_window	Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.
ca_certificate_identifier	The identifier of the CA certificate for this DB instance.
db_cluster_identifier	If the DB instance is a member of a DB cluster, contains the name of the DB cluster that the DB instance is a member of.
db_instance_class	Contains the name of the compute and memory capacity class of the DB instance.
db_instance_port	Specifies the port that the DB instance listens on.
dbi_resource_id	The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed.
db_name	The meaning of this parameter differs according to the database engine you use. For example, this value returns MySQL, MariaDB, or PostgreSQL information when returning values from CreateDBInstanceReadReplica since Read Replicas are only supported for these engines. MySQL, MariaDB, SQL Server, PostgreSQL: Contains the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created. This same name is returned for the life of the DB instance. Oracle: Contains the Oracle System ID (SID) of the created DB instance. Not shown when the returned parameters do not apply to an Oracle DB instance.
engine	Provides the name of the database engine to be used for this DB instance.
engine_version	Indicates the database engine version.
enhanced_monitoring_resource_arn	The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance.
instance_create_time	Provides the date and time the DB instance was created.
kms_key_id	If StorageEncrypted is true, the AWS KMS key identifier for the encrypted DB instance.
master_username	Contains the master username for the DB instance.
monitoring_role_arn	The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs.
multi_az	Specifies if the DB instance is a Multi-AZ deployment.
performance_insights_enabled	True if Performance Insights is enabled for the DB instance, and otherwise false.
preferred_maintenance_window	Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
publicly_accessible	Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address.
storage_encrypted	Specifies whether the DB instance is encrypted.
endpoint_address	DNS name of the RDS instance
endpoint_port	The port that the RDS instance is listening on
endpoint_hostedzoneid	The AWS DNS Zone ID that is associated with the RDS instance’s DNS entry
auto_minor_version_upgrade	Specifies whether minor version upgrades are applied automatically to the DB instance during the maintenance window
iam_database_authentication_enabled	Specifies if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled

Relationships¶

RDS Instances are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSInstance)
```

Some RDS instances are Read Replicas.

(replica:RDSInstance)-[IS_READ_REPLICA_OF]->(source:RDSInstance)

RDS Instances can be members of EC2 Security Groups.

(RDSInstance)-[m:MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

RDS Instances are connected to DB Subnet Groups.

(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)

RDS Instances can be tagged with AWSTags.

```
(RDSInstance)-[TAGGED]->(AWSTag)
```

RDSSnapshot¶

Representation of an AWS Relational Database Service DBSnapshot.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB snapshot.
db_snapshot_identifier	Specifies the identifier for the DB snapshot.
db_instance_identifier	Specifies the DB instance identifier of the DB instance this DB snapshot was created from.
snapshot_create_time	Specifies when the snapshot was taken in Coordinated Universal Time (UTC). Changes for the copy when the snapshot is copied.
engine	Specifies the name of the database engine.
allocated_storage	Specifies the allocated storage size in gibibytes (GiB).
status	Specifies the status of this DB snapshot.
port	Specifies the port that the database engine was listening on at the time of the snapshot.
availability_zone	Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot.
vpc_id	Provides the VPC ID associated with the DB snapshot.
instance_create_time	Specifies the time in Coordinated Universal Time (UTC) when the DB instance, from which the snapshot was taken, was created.
master_username	Provides the master username for the DB snapshot.
engine_version	Specifies the version of the database engine.
license_model	License model information for the restored DB instance.
snapshot_type	Provides the type of the DB snapshot.
iops	Specifies the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the snapshot.
option_group_name	Provides the option group name for the DB snapshot.
percent_progress	The percentage of the estimated data that has been transferred.
source_region	The AWS Region that the DB snapshot was created in or copied from.
source_db_snapshot_identifier	The DB snapshot Amazon Resource Name (ARN) that the DB snapshot was copied from. It only has a value in the case of a cross-account or cross-Region copy.
storage_type	Specifies the storage type associated with DB snapshot.
tde_credential_arn	The ARN from the key store with which to associate the instance for TDE encryption.
encrypted	Specifies whether the DB snapshot is encrypted.
kms_key_id	If Encrypted is true, the AWS KMS key identifier for the encrypted DB snapshot. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
timezone	The time zone of the DB snapshot. In most cases, the Timezone element is empty. Timezone content appears only for snapshots taken from Microsoft SQL Server DB instances that were created with a time zone specified.
iam_database_authentication_enabled	True if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.
processor_features	The number of CPU cores and the number of threads per core for the DB instance class of the DB instance when the DB snapshot was created.
dbi_resource_id	The identifier for the source DB instance, which can’t be changed and which is unique to an AWS Region.
original_snapshot_create_time	Specifies the time of the CreateDBSnapshot operation in Coordinated Universal Time (UTC). Doesn’t change when the snapshot is copied.
snapshot_database_time	The timestamp of the most recent transaction applied to the database that you’re backing up. Thus, if you restore a snapshot, SnapshotDatabaseTime is the most recent transaction in the restored DB instance. In contrast, originalSnapshotCreateTime specifies the system time that the snapshot completed. If you back up a read replica, you can determine the replica lag by comparing SnapshotDatabaseTime with originalSnapshotCreateTime. For example, if originalSnapshotCreateTime is two hours later than SnapshotDatabaseTime, then the replica lag is two hours.
snapshot_target	Specifies where manual snapshots are stored: AWS Outposts or the AWS Region.
storage_throughput
region	The AWS region of the snapshot

Relationships¶

RDS Snapshots are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSSnapshot)
```

RDS Snapshots are connected to DB Instances.

(RDSSnapshot)-[:IS_SNAPSHOT_SOURCE]->(RDSInstance)

RDS Snapshots can be tagged with AWSTags.

```
(RDSSnapshot)-[TAGGED]->(AWSTag)
```

S3Acl¶

Representation of an AWS S3 Access Control List.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
granteeid	The ID of the grantee as defined here
displayname	Optional display name for the ACL
permission	Valid values: `FULL_CONTROL \| READ \| WRITE \| READ_ACP \| WRITE_ACP` (ACP = Access Control Policy)
id	The ID of this ACL
type	The type of the grantee. Either `CanonicalUser \| AmazonCustomerByEmail \| Group`.
ownerid	The ACL’s owner ID as defined here

Relationships¶

S3 Access Control Lists apply to S3 buckets.
```
```
(S3Acl)-[APPLIES_TO]->(S3Bucket)
```
```

S3Bucket¶

Representation of an AWS S3 Bucket.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
creationdate	Date-time when the bucket was created
id	Same as `name`, as seen below
name	The name of the bucket. This is guaranteed to be globally unique
anonymous_actions	List of anonymous internet accessible actions that may be run on the bucket. This list is taken by running policyuniverse on the policy that applies to the bucket.
anonymous_access	True if this bucket has a policy applied to it that allows anonymous access or if it is open to the internet. These policy determinations are made by using the policyuniverse library.
region	The region that the bucket is in. Only defined if the S3 bucket has a location constraint
default_encryption	True if this bucket has default encryption enabled.
encryption_algorithm	The encryption algorithm used for default encryption. Only defined if the S3 bucket has default encryption enabled.
encryption_key_id	The KMS key ID used for default encryption. Only defined if the S3 bucket has SSE-KMS enabled as the default encryption method.
bucket_key_enabled	True if a bucket key is enabled, when using SSE-KMS as the default encryption method.
versioning_status	The versioning state of the bucket.
mfa_delete	Specifies whether MFA delete is enabled in the bucket versioning configuration.
block_public_acls	Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.
ignore_public_acls	Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket.
block_public_acls	Specifies whether Amazon S3 should block public bucket policies for this bucket.
restrict_public_buckets	Specifies whether Amazon S3 should restrict public bucket policies for this bucket.

Relationships¶

S3Buckets are resources in an AWS Account.

```
(AWSAccount)-[RESOURCE]->(S3Bucket)
```

S3 Access Control Lists apply to S3 buckets.
```
```
(S3Acl)-[APPLIES_TO]->(S3Bucket)
```
```
S3 Buckets can be tagged with AWSTags.
```
```
(S3Bucket)-[TAGGED]->(AWSTag)
```
```

S3PolicyStatement¶

Representation of an AWS S3 Bucket Policy Statements for controlling ownership of objects and ACLs of the bucket.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
policy_id	Optional string “Id” for the bucket’s policy
policy_version	Version of the bucket’s policy
id	The unique identifier for a bucket policy statement. If the statement has an Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/Sid. If the statement has no Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/
effect	Specifies “Deny” or “Allow” for the policy statement
action	Specifies permissions that policy statement applies to, as defined here
resource	Specifies the resource the bucket policy statement is based on
condition	Specifies conditions where permissions are granted: examples
sid	Optional string to label the specific bucket policy statement

Relationships¶

S3PolicyStatements define the policy for S3 Buckets.

```
(:S3Bucket)-[:POLICY_STATEMENT]->(:S3PolicyStatement)
```

KMSKey¶

Representation of an AWS KMS Key.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the key
name	The name of the key
description	The description of the key
enabled	Whether the key is enabled
region	The region where key is created
anonymous_actions	List of anonymous internet accessible actions that may be run on the key.
anonymous_access	True if this key has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships¶

AWS KMS Keys are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(KMSKey)
```
```
AWS KMS Key may also be refered as KMSAlias via aliases.
```
```
(KMSKey)-[KNOWN_AS]->(KMSAlias)
```
```
AWS KMS Key may also have KMSGrant based on grants.
```
```
(KMSGrant)-[APPLIED_ON]->(KMSKey)
```
```

KMSAlias¶

Representation of an AWS KMS Key Alias.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the alias
aliasname	The name of the alias
targetkeyid	The kms key id associated via this alias

Relationships¶

AWS KMS Key may also be refered as KMSAlias via aliases.
```
```
(KMSKey)-[KNOWN_AS]->(KMSAlias)
```
```

KMSGrant¶

Representation of an AWS KMS Key Grant.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the key grant
name	The name of the key grant
granteeprincipal	The principal associated with the key grant
creationdate	ISO 8601 date-time string when the grant was created

Relationships¶

AWS KMS Key may also have KMSGrant based on grants.
```
```
(KMSGrant)-[APPLIED_ON]->(KMSKey)
```
```

APIGatewayRestAPI¶

Representation of an AWS API Gateway REST API.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the REST API
createddate	The timestamp when the REST API was created
version	The version identifier for the API
minimumcompressionsize	A nullable integer that is used to enable or disable the compression of the REST API
disableexecuteapiendpoint	Specifies whether clients can invoke your API by using the default `execute-api` endpoint
region	The region where the REST API is created
anonymous_actions	List of anonymous internet accessible actions that may be run on the API.
anonymous_access	True if this API has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships¶

AWS API Gateway REST APIs are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(APIGatewayRestAPI)
```
```
AWS API Gateway REST APIs may be associated with an API Gateway Stage.
```
```
(APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
```
```
AWS API Gateway REST APIs may also have API Gateway Resource resources.
```
```
(APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
```
```

APIGatewayStage¶

Representation of an AWS API Gateway Stage.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The name of the API Gateway Stage
createddate	The timestamp when the stage was created
deploymentid	The identifier of the Deployment that the stage points to.
clientcertificateid	The identifier of a client certificate for an API stage.
cacheclusterenabled	Specifies whether a cache cluster is enabled for the stage.
cacheclusterstatus	The status of the cache cluster for the stage, if enabled.
tracingenabled	Specifies whether active tracing with X-ray is enabled for the Stage
webaclarn	The ARN of the WebAcl associated with the Stage

Relationships¶

AWS API Gateway REST APIs may be associated with an API Gateway Stage.
```
```
(APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
```
```

AWS API Gateway Stage may also contain a Client Certificate.

```
(APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
```

APIGatewayClientCertificate¶

Representation of an AWS API Gateway Client Certificate.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The identifier of the client certificate
createddate	The timestamp when the client certificate was created
expirationdate	The timestamp when the client certificate will expire

Relationships¶

AWS API Gateway Stage may also contain a Client Certificate.

```
(APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
```

APIGatewayResource¶

Representation of an AWS API Gateway Resource.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the REST API
path	The timestamp when the REST API was created
pathpart	The version identifier for the API
parentid	A nullable integer that is used to enable or disable the compression of the REST API

Relationships¶

AWS API Gateway REST APIs may also have API Gateway Resource resources.
```
```
(APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
```
```

AutoScalingGroup¶

Representation of an AWS Auto Scaling Group Resource.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
arn	The ARN of the Auto Scaling Group
name	The name of the Auto Scaling group.
createdtime	The date and time the group was created.
launchconfigurationname	The name of the associated launch configuration.
launchtemplatename	The name of the launch template.
launchtemplateid	The ID of the launch template.
launchtemplateversion	The version number of the launch template.
maxsize	The maximum size of the group.
minsize	The minimum size of the group.
defaultcooldown	The duration of the default cooldown period, in seconds.
desiredcapacity	The desired size of the group.
healthchecktype	The service to use for the health checks.
healthcheckgraceperiod	The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service.
status	The current state of the group when the DeleteAutoScalingGroup operation is in progress.
newinstancesprotectedfromscalein	Indicates whether newly launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in.
maxinstancelifetime	The maximum amount of time, in seconds, that an instance can be in service.
capacityrebalance	Indicates whether Capacity Rebalancing is enabled.
region	The region of the auto scaling group.

Link to API Documentation of AWS Auto Scaling Groups

Relationships¶

AWS Auto Scaling Groups are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AutoScalingGroup)
```
```
AWS Auto Scaling Groups has one or more subnets/vpc identifiers.
```
```
(AutoScalingGroup)-[VPC_IDENTIFIER]->(EC2Subnet)
```
```

AWS EC2 Instances are members of one or more AWS Auto Scaling Groups.

```
(EC2Instance)-[MEMBER_AUTO_SCALE_GROUP]->(AutoScalingGroup)
```

AWS Auto Scaling Groups have Launch Configurations

```
(AutoScalingGroup)-[HAS_LAUNCH_CONFIG]->(LaunchConfiguration)
```

AWS Auto Scaling Groups have Launch Templates

```
(AutoScalingGroup)-[HAS_LAUNCH_TEMPLATE]->(LaunchTemplate)
```

EC2Image¶

Representation of an AWS EC2 Images (AMIs).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the AMI.
name	The name of the AMI that was provided during image creation.
creationdate	The date and time the image was created.
architecture	The architecture of the image.
location	The location of the AMI.
type	The type of image.
ispublic	Indicates whether the image has public launch permissions.
platform	This value is set to `windows` for Windows AMIs; otherwise, it is blank.
usageoperation	The operation of the Amazon EC2 instance and the billing code that is associated with the AMI.
state	The current state of the AMI.
description	The description of the AMI that was provided during image creation.
enasupport	Specifies whether enhanced networking with ENA is enabled.
hypervisor	The hypervisor type of the image.
rootdevicename	The device name of the root device volume (for example, `/dev/sda1` ).
rootdevicetype	The type of root device used by the AMI.
virtualizationtype	The type of virtualization of the AMI.
bootmode	The boot mode of the image.
region	The region of the image.

Link to API Documentation of EC2 Images

Relationships¶

AWS EC2 Images (AMIs) are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EC2Image)
```
```

EC2ReservedInstance¶

Representation of an AWS EC2 Reserved Instance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the Reserved Instance.
availabilityzone	The Availability Zone in which the Reserved Instance can be used.
duration	The duration of the Reserved Instance, in seconds.
end	The time when the Reserved Instance expires.
start	The date and time the Reserved Instance started.
count	The number of reservations purchased.
type	The instance type on which the Reserved Instance can be used.
productdescription	The Reserved Instance product platform description.
state	The state of the Reserved Instance purchase.
currencycode	The currency of the Reserved Instance. It’s specified using ISO 4217 standard currency codes.
instancetenancy	The tenancy of the instance.
offeringclass	The offering class of the Reserved Instance.
offeringtype	The Reserved Instance offering type.
scope	The scope of the Reserved Instance.
fixedprice	The purchase price of the Reserved Instance.
region	The region of the reserved instance.

Relationships¶

AWS EC2 Reserved Instances are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EC2ReservedInstance)
```
```

SecretsManagerSecret¶

Representation of an AWS Secrets Manager Secret

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the secret.
created_date	The date and time when a secret was created.
deleted_date	The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.
description	The user-provided description of the secret.
kms_key_id	The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. If you don’t provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK, the key named awssecretsmanager, for this account.
last_accessed_date	The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
last_changed_date	The last date and time that this secret was modified in any way.
last_rotated_date	The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn’t ever rotated.
name	The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.
owning_service	Returns the name of the service that created the secret.
primary_region	The Region where Secrets Manager originated the secret.
rotation_enabled	Indicates whether automatic, scheduled rotation is enabled for this secret.
rotation_lambda_arn	The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret.
rotation_rules_automatically_after_days	Specifies the number of days between automatic scheduled rotations of the secret.

Relationships¶

AWS Secrets Manager Secrets are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SecretsManagerSecret)
```
```

EBSVolume¶

Representation of an AWS EBS Volume.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the EBS Volume.
availabilityzone	The Availability Zone for the volume.
createtime	The time stamp when volume creation was initiated.
encrypted	Indicates whether the volume is encrypted.
size	The size of the volume, in GiBs.
state	The volume state.
outpostarn	The Amazon Resource Name (ARN) of the Outpost.
snapshotid	The snapshot ID.
iops	The number of I/O operations per second (IOPS).
type	The volume type.
fastrestored	Indicates whether the volume was created using fast snapshot restore.
multiattachenabled	Indicates whether Amazon EBS Multi-Attach is enabled.
throughput	The throughput that the volume supports, in MiB/s.
kmskeyid	The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.
deleteontermination	Indicates whether the volume is deleted on instance termination.
region	The region of the volume.

Relationships¶

AWS EBS Volumes are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EBSVolume)
```
```

AWS EBS Snapshots are created using EBS Volumes

```
(EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
```

AWS EBS Volumes are attached to an EC2 Instance

```
(EBSVolume)-[ATTACHED_TO_EC2_INSTANCE]->(EC2Instance)
```

AWSTag
```
```
(EBSVolume)-[TAGGED]->(AWSTag)
```
```

EBSSnapshot¶

Representation of an AWS EBS Snapshot.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the EBS Snapshot.
description	The description of the snapshot.
progress	The progress of the snapshot, as a percentage.
encrypted	Indicates whether the snapshot is encrypted.
starttime	The time stamp when the snapshot was initiated.
state	The snapshot state.
statemessage	Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy operation fails (for example, if the proper AWS Key Management Service (AWS KMS) permissions are not obtained) this field displays error state details to help you diagnose why the error occurred. This parameter is only returned by DescribeSnapshots .
volumeid	The volume ID.
volumesize	The size of the volume, in GiB.
outpostarn	The ARN of the AWS Outpost on which the snapshot is stored.
dataencryptionkeyid	The data encryption key identifier for the snapshot.
kmskeyid	The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the parent volume.
region	The region of the snapshot.

Relationships¶

AWS EBS Snapshots are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EBSSnapshot)
```
```

AWS EBS Snapshots are created using EBS Volumes

```
(EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
```

SQSQueue¶

Representation of an AWS SQS Queue

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the sqs queue.
created_timestamp	The time when the queue was created in seconds
delay_seconds	The default delay on the queue in seconds.
last_modified_timestamp	The time when the queue was last changed in seconds.
maximum_message_size	The limit of how many bytes a message can contain before Amazon SQS rejects it.
message_retention_period	he length of time, in seconds, for which Amazon SQS retains a message.
policy	The IAM policy of the queue.
arn	The arn of the sqs queue.
receive_message_wait_time_seconds	The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.
redrive_policy_dead_letter_target_arn	The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
redrive_policy_max_receive_count	The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
visibility_timeout	The visibility timeout for the queue.
kms_master_key_id	The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK.
kms_data_key_reuse_period_seconds	The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again.
fifo_queue	Whether or not the queue is FIFO.
content_based_deduplication	Whether or not content-based deduplication is enabled for the queue.
deduplication_scope	Specifies whether message deduplication occurs at the message group or queue level.
fifo_throughput_limit	Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group.

Relationships¶

AWS SQS Queues are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SQSQueue)
```
```
AWS SQS Queues can have other SQS Queues configured as dead letter queues
```
```
(SQSQueue)-[HAS_DEADLETTER_QUEUE]->(SQSQueue)
```
```

SecurityHub¶

Representation of the configuration of AWS Security Hub

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the hub resource.
subscribed_at	The date and time when Security Hub was enabled in the account.
auto_enable_controls	Whether to automatically enable new controls when they are added to standards that are enabled.

Relationships¶

AWS Security Hub nodes are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SecurityHub)
```
```

AWSConfigurationRecorder¶

Representation of an AWS Config Configuration Recorder

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A combination of name:account_id:region
name	The name of the recorder.
role_arn	Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.
recording_group_all_supported	Specifies whether AWS Config records configuration changes for every supported type of regional resource.
recording_group_include_global_resource_types	Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.
recording_group_resource_types	A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
region	The region of the configuration recorder.

Relationships¶

AWS Configuration Recorders are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigurationRecorder)
```
```

AWSConfigDeliveryChannel¶

Representation of an AWS Config Delivery Channel

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A combination of name:account_id:region
name	The name of the delivery channel.
s3_bucket_name	The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.
s3_key_prefix	The prefix for the specified Amazon S3 bucket.
s3_kms_key_arn	The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) customer managed key (CMK) used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
sns_topic_arn	The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.
config_snapshot_delivery_properties_delivery_frequency	The frequency with which AWS Config delivers configuration snapshots.
region	The region of the delivery channel.

Relationships¶

AWS Config Delivery Channels are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigDeliveryChannel)
```
```

AWSConfigRule¶

Representation of an AWS Config Rule

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the config rule.
name	The name of the delivery channel.
description	The description that you provide for the AWS Config rule.
arn	The ARN of the config rule.
rule_id	The ID of the AWS Config rule.
scope_compliance_resource_types	The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
scope_tag_key	The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
scope_tag_value	The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
scope_tag_compliance_resource_id	The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
source_owner	Indicates whether AWS or the customer owns and manages the AWS Config rule.
source_identifier	For AWS Config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule.
source_details	Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
input_parameters	A string, in JSON format, that is passed to the AWS Config rule Lambda function.
maximum_execution_frequency	The maximum frequency with which AWS Config runs evaluations for a rule.
created_by	Service principal name of the service that created the rule.
region	The region of the delivery channel.

Relationships¶

AWS Config Rules are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigRule)
```
```

LaunchConfiguration¶

Representation of an AWS Launch Configuration

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the launch configuration.
name	The name of the launch configuration.
arn	The ARN of the launch configuration.
created_time	The creation date and time for the launch configuration.
image_id	The ID of the Amazon Machine Image (AMI) to use to launch your EC2 instances.
key_name	The name of the key pair.
security_groups	A list that contains the security groups to assign to the instances in the Auto Scaling group.
instance_type	The instance type for the instances.
kernel_id	The ID of the kernel associated with the AMI.
ramdisk_id	The ID of the RAM disk associated with the AMI.
instance_monitoring_enabled	If true, detailed monitoring is enabled. Otherwise, basic monitoring is enabled.
spot_price	The maximum hourly price to be paid for any Spot Instance launched to fulfill the request.
iam_instance_profile	The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance.
ebs_optimized	Specifies whether the launch configuration is optimized for EBS I/O (true) or not (false).
associate_public_ip_address	For Auto Scaling groups that are running in a VPC, specifies whether to assign a public IP address to the group’s instances.
placement_tenancy	The tenancy of the instance, either default or dedicated. An instance with dedicated tenancy runs on isolated, single-tenant hardware and can only be launched into a VPC.
region	The region of the launch configuration.

Relationships¶

Launch Configurations are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchConfiguration)
```
```

LaunchTemplate¶

Representation of an AWS Launch Template

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the launch template.
name	The name of the launch template.
create_time	The time launch template was created.
created_by	The principal that created the launch template.
default_version_number	The version number of the default version of the launch template.
latest_version_number	The version number of the latest version of the launch template.
region	The region of the launch template.

Relationships¶

Launch Templates are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchTemplate)
```
```

Launch templates have Launch Template Versions

```
(LaunchTemplate)-[VERSION]->(LaunchTemplateVersion)
```

LaunchTemplateVersion¶

Representation of an AWS Launch Template Version

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the launch template version (ID-version).
name	The name of the launch template.
create_time	The time the version was created.
created_by	The principal that created the version.
default_version	Indicates whether the version is the default version.
version_number	The version number.
version_description	The description of the version.
kernel_id	The ID of the kernel, if applicable.
ebs_optimized	Indicates whether the instance is optimized for Amazon EBS I/O.
iam_instance_profile_arn	The Amazon Resource Name (ARN) of the instance profile.
iam_instance_profile_name	The name of the instance profile.
image_id	The ID of the AMI that was used to launch the instance.
instance_type	The instance type.
key_name	The name of the key pair.
monitoring_enabled	Indicates whether detailed monitoring is enabled. Otherwise, basic monitoring is enabled.
ramdisk_id	The ID of the RAM disk, if applicable.
disable_api_termination	If set to true, indicates that the instance cannot be terminated using the Amazon EC2 console, command line tool, or API.
instance_initiated_shutdown_behavior	Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown).
security_group_ids	The security group IDs.
security_groups	The security group names.
region	The region of the launch template.

Relationships¶

Launch Template Versions are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchTemplateVersion)
```
```

Launch templates have Launch Template Versions

```
(LaunchTemplate)-[VERSION]->(LaunchTemplateVersion)
```

ElasticIPAddress¶

Representation of an AWS EC2 Elastic IP address

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Elastic IP address
instance_id	The ID of the instance that the address is associated with (if any).
public_ip	The Elastic IP address.
allocation_id	The ID representing the allocation of the address for use with EC2-VPC.
association_id	The ID representing the association of the address with an instance in a VPC.
domain	Indicates whether this Elastic IP address is for use with instances in EC2-Classic (standard) or instances in a VPC (vpc).
network_interface_id	The ID of the network interface.
private_ip_address	The private IP address associated with the Elastic IP address.
public_ipv4_pool	The ID of an address pool.
network_border_group	The name of the unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses.
customer_owned_ip	The customer-owned IP address.
customer_owned_ipv4_pool	The ID of the customer-owned address pool.
carrier_ip	The carrier IP address associated. This option is only available for network interfaces which reside in a subnet in a Wavelength Zone (for example an EC2 instance).
region	The region of the IP.

Relationships¶

Elastic IPs are a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(ElasticIPAddress)
```

Elastic IPs can be attached to EC2 instances

```
(EC2Instance)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
```

Elastic IPs can be attached to NetworkInterfaces

```
(NetworkInterface)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
```

ECSCluster¶

Representation of an AWS ECS Cluster

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the cluster
region	The region of the cluster.
name	A user-generated string that you use to identify your cluster.
arn	The ARN of the cluster
ecc_kms_key_id	An AWS Key Management Service key ID to encrypt the data between the local client and the container.
ecc_logging	The log setting to use for redirecting logs for your execute command results.
ecc_log_configuration_cloud_watch_log_group_name	The name of the CloudWatch log group to send logs to.
ecc_log_configuration_cloud_watch_encryption_enabled	Determines whether to enable encryption on the CloudWatch logs.
ecc_log_configuration_s3_bucket_name	The name of the S3 bucket to send logs to.
ecc_log_configuration_s3_encryption_enabled	Determines whether to use encryption on the S3 logs.
ecc_log_configuration_s3_key_prefix	An optional folder in the S3 bucket to place logs in.
status	The status of the cluster
settings_container_insights	If enabled is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be disabled unless the containerInsights account setting is enabled.
capacity_providers	The capacity providers associated with the cluster.
attachments_status	The status of the capacity providers associated with the cluster.

Relationships¶

ECSClusters are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(ECSCluster)
```
```

ECSContainerInstance¶

Representation of an AWS ECS Container Instance

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the container instance
region	The region of the container instance.
ec2_instance_id	The ID of the container instance. For Amazon EC2 instances, this value is the Amazon EC2 instance ID. For external instances, this value is the AWS Systems Manager managed instance ID.
arn	The ARN of the container instance
capacity_provider_name	The capacity provider that’s associated with the container instance.
version	The version counter for the container instance.
version_info_agent_version	The version number of the Amazon ECS container agent.
version_info_agent_hash	The Git commit hash for the Amazon ECS container agent build on the amazon-ecs-agent GitHub repository.
version_info_agent_docker_version	The Docker version that’s running on the container instance.
status	The status of the container instance.
status_reason	The reason that the container instance reached its current status.
agent_connected	This parameter returns true if the agent is connected to Amazon ECS. Registered instances with an agent that may be unhealthy or stopped return false.
agent_update_status	The status of the most recent agent update. If an update wasn’t ever requested, this value is NULL.
registered_at	The Unix timestamp for the time when the container instance was registered.

Relationships¶

An ECSCluster has ECSContainerInstances

```
(ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
```

ECSContainerInstances have ECSTasks

```
(ECSContainerInstance)-[HAS_TASK]->(ECSTask)
```

ECSService¶

Representation of an AWS ECS Service

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the service
region	The region of the service.
name	The name of your service.
arn	The ARN of the service
cluster_arn	The Amazon Resource Name (ARN) of the cluster that hosts the service.
status	The status of the service.
desired_count	The desired number of instantiations of the task definition to keep running on the service.
running_count	The number of tasks in the cluster that are in the RUNNING state.
pending_count	The number of tasks in the cluster that are in the PENDING state.
launch_type	The launch type the service is using.
platform_version	The platform version to run your service on. A platform version is only specified for tasks that are hosted on AWS Fargate.
platform_family	The operating system that your tasks in the service run on. A platform family is specified only for tasks using the Fargate launch type.
task_definition	The task definition to use for tasks in the service.
deployment_config_circuit_breaker_enable	Determines whether to enable the deployment circuit breaker logic for the service.
deployment_config_circuit_breaker_rollback	Determines whether to enable Amazon ECS to roll back the service if a service deployment fails.
deployment_config_maximum_percent	If a service is using the rolling update (ECS) deployment type, the maximum percent parameter represents an upper limit on the number of tasks in a service that are allowed in the RUNNING or PENDING state during a deployment, as a percentage of the desired number of tasks (rounded down to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.
deployment_config_minimum_healthy_percent	If a service is using the rolling update (ECS) deployment type, the minimum healthy percent represents a lower limit on the number of tasks in a service that must remain in the RUNNING state during a deployment, as a percentage of the desired number of tasks (rounded up to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.
role_arn	The ARN of the IAM role that’s associated with the service.
created_at	The Unix timestamp for the time when the service was created.
health_check_grace_period_seconds	The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started.
created_by	The principal that created the service.
enable_ecs_managed_tags	Determines whether to enable Amazon ECS managed tags for the tasks in the service.
propagate_tags	Determines whether to propagate the tags from the task definition or the service to the task.
enable_execute_command	Determines whether the execute command functionality is enabled for the service.

Relationships¶

An ECSCluster has ECSService

```
(ECSCluster)-[HAS_SERVICE]->(ECSService)
```

An ECSCluster has ECSContainerInstances

```
(ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
```

ECSTaskDefinition¶

Representation of an AWS ECS Task Definition

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task definition
region	The region of the task definition.
family	The name of a family that this task definition is registered to.
task_role_arn	The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management role that grants containers in the task permission to call AWS APIs on your behalf.
execution_role_arn	The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf.
network_mode	The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If no network mode is specified, the default is bridge.
revision	The revision of the task in a particular family.
status	The status of the task definition.
compatibilities	The task launch types the task definition validated against during task definition registration.
runtime_platform_cpu_architecture	The CPU architecture.
runtime_platform_operating_system_family	The operating system.
requires_compatibilities	The task launch types the task definition was validated against.
cpu	The number of cpu units used by the task.
memory	The amount (in MiB) of memory used by the task.
pid_mode	The process namespace to use for the containers in the task.
ipc_mode	The IPC resource namespace to use for the containers in the task.
proxy_configuration_type	The proxy type.
proxy_configuration_container_name	The name of the container that will serve as the App Mesh proxy.
registered_at	The Unix timestamp for the time when the task definition was registered.
deregistered_at	The Unix timestamp for the time when the task definition was deregistered.
registered_by	The principal that registered the task definition.
ephemeral_storage_size_in_gib	The total amount, in GiB, of ephemeral storage to set for the task.

Relationships¶

ECSTaskDefinition are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(ECSTaskDefinition)
```
```

An ECSTask has an ECSTaskDefinition.

```
(ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
```

ECSContainerDefinition¶

Representation of an AWS ECS Container Definition

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task definition, plus the container definition name
region	The region of the container definition.
name	The name of a container.
image	The image used to start a container. This string is passed directly to the Docker daemon.
cpu	The number of cpu units reserved for the container.
memory	The amount (in MiB) of memory to present to the container.
memory_reservation	The soft limit (in MiB) of memory to reserve for the container.
links	The links parameter allows containers to communicate with each other without the need for port mappings.
essential	If the essential parameter of a container is marked as true, and that container fails or stops for any reason, all other containers that are part of the task are stopped.
entry_point	The entry point that’s passed to the container.
command	The command that’s passed to the container.
start_timeout	Time duration (in seconds) to wait before giving up on resolving dependencies for a container.
stop_timeout	Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own.
hostname	The hostname to use for your container.
user	The user to use inside the container.
working_directory	The working directory to run commands inside the container in.
disable_networking	When this parameter is true, networking is disabled within the container.
privileged	When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).
readonly_root_filesystem	When this parameter is true, the container is given read-only access to its root file system.
dns_servers	A list of DNS servers that are presented to the container.
dns_search_domains	A list of DNS search domains that are presented to the container.
docker_security_options	A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field isn’t valid for containers in tasks using the Fargate launch type.
interactive	When this parameter is true, you can deploy containerized applications that require stdin or a tty to be allocated.
pseudo_terminal	When this parameter is true, a TTY is allocated.

Relationships¶

ECSTaskDefinitions have ECSContainerDefinitions

```
(ECSTaskDefinition)-[HAS_CONTAINER_DEFINITION]->(ECSContainerDefinition)
```

ECSTask¶

Representation of an AWS ECS Task

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task
region	The region of the task.
arn	The arn of the task.
availability_zone	The Availability Zone for the task.
capacity_provider_name	The capacity provider that’s associated with the task.
cluster_arn	The ARN of the cluster that hosts the task.
connectivity	The connectivity status of a task.
connectivity_at	The Unix timestamp for the time when the task last went into CONNECTED status.
container_instance_arn	The ARN of the container instances that host the task.
cpu	The number of CPU units used by the task as expressed in a task definition.
created_at	The Unix timestamp for the time when the task was created. More specifically, it’s for the time when the task entered the PENDING state.
desired_status	The desired status of the task.
enable_execute_command	Determines whether execute command functionality is enabled for this task.
execution_stopped_at	The Unix timestamp for the time when the task execution stopped.
group	The name of the task group that’s associated with the task.
health_status	The health status for the task.
last_status	The last known status for the task.
launch_type	The infrastructure where your task runs on.
memory	The amount of memory (in MiB) that the task uses as expressed in a task definition.
platform_version	The platform version where your task runs on.
platform_family	The operating system that your tasks are running on.
pull_started_at	The Unix timestamp for the time when the container image pull began.
pull_stopped_at	The Unix timestamp for the time when the container image pull completed.
started_at	The Unix timestamp for the time when the task started. More specifically, it’s for the time when the task transitioned from the PENDING state to the RUNNING state.
started_by	The tag specified when a task is started. If an Amazon ECS service started the task, the startedBy parameter contains the deployment ID of that service.
stop_code	The stop code indicating why a task was stopped.
stopped_at	The Unix timestamp for the time when the task was stopped. More specifically, it’s for the time when the task transitioned from the RUNNING state to the STOPPED state.
stopped_reason	The reason that the task was stopped.
stopping_at	The Unix timestamp for the time when the task stops. More specifically, it’s for the time when the task transitions from the RUNNING state to STOPPED.
task_definition_arn	The ARN of the task definition that creates the task.
version	The version counter for the task.
ephemeral_storage_size_in_gib	The total amount, in GiB, of ephemeral storage to set for the task.

Relationships¶

ECSClusters have ECSTasks

```
(ECSCluster)-[HAS_TASK]->(ECSTask)
```

ECSContainerInstances have ECSTasks

```
(ECSContainerInstance)-[HAS_TASK]->(ECSTask)
```

ECSTasks have ECSTaskDefinitions

```
(ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
```

ECSContainer¶

Representation of an AWS ECS Container

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the container
region	The region of the container.
arn	The arn of the container.
task_arn	The ARN of the task.
name	The name of the container.
image	The image used for the container.
image_digest	The container image manifest digest.
runtime_id	The ID of the Docker container.
last_status	The last known status of the container.
exit_code	The exit code returned from the container.
reason	A short (255 max characters) human-readable string to provide additional details about a running or stopped container.
health_status	The health status of the container.
cpu	The number of CPU units set for the container.
memory	The hard limit (in MiB) of memory set for the container.
memory_reservation	The soft limit (in MiB) of memory set for the container.
gpu_ids	The IDs of each GPU assigned to the container.

Relationships¶

ECSTasks have ECSContainers

```
(ECSTask)-[HAS_CONTAINER]->(ECSContainer)
```

SSMInstanceInformation¶

Representation of an AWS SSM InstanceInformation

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the instance information
region	The region of the instance information.
instance_id	The managed node ID.
ping_status	Connection status of SSM Agent.
last_ping_date_time	The date and time when the agent last pinged the Systems Manager service.
agent_version	The version of SSM Agent running on your Linux managed node.
is_latest_version	Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn’t indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.
platform_type	The operating system platform type.
platform_name	The name of the operating system platform running on your managed node.
platform_version	The version of the OS platform running on your managed node.
activation_id	The activation ID created by AWS Systems Manager when the server or virtual machine (VM) was registered.
iam_role	The AWS Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn’t return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances.
registration_date	The date the server or VM was registered with AWS as a managed node.
resource_type	The type of instance. Instances are either EC2 instances or managed instances.
name	The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName property using the CreateActivation command.
ip_address	The IP address of the managed node.
computer_name	The fully qualified host name of the managed node.
association_status	The status of the association.
last_association_execution_date	The date the association was last run.
last_successful_association_execution_date	The last date the association was successfully run.
source_id	The ID of the source resource. For AWS IoT Greengrass devices, SourceId is the Thing name.
source_type	The type of the source resource. For AWS IoT Greengrass devices, SourceType is AWS::IoT::Thing.

Relationships¶

SSMInstanceInformation is a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(SSMInstanceInformation)
```

SSMInstanceInformation is a resource of an EC2Instance

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
```

SSMInstancePatch¶

Representation of an AWS SSM PatchComplianceData

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the instance patch
region	The region of the instance patch.
instance_id	The managed node ID.
title	The title of the patch.
kb_id	The operating system-specific ID of the patch.
classification	The classification of the patch, such as SecurityUpdates, Updates, and CriticalUpdates.
severity	The severity of the patch such as Critical, Important, and Moderate.
state	The state of the patch on the managed node, such as INSTALLED or FAILED.
installed_time	The date/time the patch was installed on the managed node. Not all operating systems provide this level of information.
cve_ids	The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch.

Relationships¶

SSMInstancePatch is a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(SSMInstancePatch)
```

EC2Instances have SSMInstancePatches

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstancePatch)
```

AWSIdentityCenter¶

Representation of an AWS Identity Center.

Field	Description
id	Unique identifier for the Identity Center instance
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
identity_store_id	The identity store ID of the Identity Center instance
instance_status	The status of the Identity Center instance
created_date	The date the Identity Center instance was created
last_modified_date	The date the Identity Center instance was last modified

Relationships¶

AWSIdentityCenter is part of an AWSAccount.

(AWSAccount)-[RESOURCE]->(AWSIdentityCenter)

AWSIdentityCenter has permission sets.

(AWSIdentityCenter)-[HAS_PERMISSION_SET]->(AWSPermissionSet)

AWSSSOUser¶

Representation of an AWS SSO User.

Field	Description
id	Unique identifier for the SSO user
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
user_name	The username of the SSO user
external_id	The external ID of the SSO user
identity_store_id	The identity store ID of the SSO user

Relationships¶

AWSSSOUser is part of an AWSAccount.
```
(AWSAccount)-[RESOURCE]->(AWSSSOUser)
```
AWSSSOUser can have roles assigned.
```
(AWSSSOUser)<-[ALLOWED_BY]-(AWSRole)
```

UserAccount can be assumed by AWSSSOUser.

(UserAccount)-[CAN_ASSUME_IDENTITY]->(AWSSSOUser)

AWSPermissionSet¶

Representation of an AWS Identity Center Permission Set.

Field	Description
id	Unique identifier for the Permission Set

name | The name of the Permission Set |
arn | The Amazon Resource Name (ARN) of the Permission Set |
description | The description of the Permission Set |
session_duration | The session duration of the Permission Set |
instance_arn | The ARN of the Identity Center instance the Permission Set belongs to |
firstseen | Timestamp of when a sync job first discovered this node |
lastupdated | Timestamp of the last time the node was updated |

Relationships¶

AWSPermissionSet is part of an AWSIdentityCenter.

(AWSIdentityCenter)<-[HAS_PERMISSION_SET]-(AWSPermissionSet)

AWSPermissionSet can be assigned to roles.

(AWSPermissionSet)-[ASSIGNED_TO_ROLE]->(AWSRole)

Azure Schema¶

AzureTenant¶

Representation of an Azure Tenant.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Tenant ID number

Relationships¶

Azure Principal is part of the Azure Account.

```
(AzureTenant)-[RESOURCE]->(AzurePrincipal)
```

AzurePrincipal¶

Representation of an Azure Principal..

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
email	Email of the Azure Principal

Relationships¶

Azure Principal is part of the Azure Account.

```
(AzurePrincipal)-[RESOURCE]->(AzureTenant)
```

AzureSubscription¶

Representation of an Azure Subscription..

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Subscription ID number
name	The friendly name that identifies the subscription
path	The full ID for the Subscription
state	Can be one of `Enabled \| Disabled \| Deleted \| PastDue \| Warned`

Relationships¶

Azure Tenant contains one or more Subscriptions.

```
(AzureTenant)-[RESOURCE]->(AzureSubscription)
```

VirtualMachine¶

Representation of an Azure Virtual Machine.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Virtual Machine ID number
type	The type of the resource
location	The location where Virtual Machine is created
resourcegroup	The Resource Group where Virtual Machine is created
name	The friendly name that identifies the Virtual Machine
plan	The plan associated with the Virtual Machine
size	The size of the Virtual Machine
license_type	The type of license
computer_name	The computer name
identity_type	The type of identity used for the virtual machine
zones	The Virtual Machine zones
ultra_ssd_enabled	Enables or disables a capability on the virtual machine or virtual machine scale set.
priority	Specifies the priority for the virtual machine
eviction_policy	Specifies the eviction policy for the Virtual Machine

Relationships¶

Azure Subscription contains one or more Virtual Machines.

```
(AzureSubscription)-[RESOURCE]->(VirtualMachine)
```

AzureDataDisk¶

Representation of an Azure Data Disk.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Data Disk ID number
lun	Specifies the logical unit number of the data disk
name	The data disk name
vhd	The virtual hard disk associated with data disk
image	The source user image virtual hard disk
size	The size of the disk in GB
caching	Specifies the caching requirement
createoption	Specifies how the disk should be created
write_accelerator_enabled	Specifies whether writeAccelerator should be enabled or disabled on the data disk
managed_disk_storage_type	The data disk storage type

Relationships¶

Azure Virtual Machines are attached to Data Disks.

```
(VirtualMachine)-[ATTACHED_TO]->(AzureDataDisk)
```

AzureDisk¶

Representation of an Azure Disk.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Disk ID number
type	The type of the resource
location	The location where Disk is created
resourcegroup	The Resource Group where Disk is created
name	The friendly name that identifies the Disk
createoption	Specifies how the disk should be created
disksizegb	The size of the disk in GB
encryption	Specifies whether the disk has encryption enabled
maxshares	Specifies how many machines can share the disk
ostype	The operating system type of the disk
tier	Performance Tier associated with the disk
sku	The disk sku name
zones	The logical zone list for disk

Relationships¶

Azure Subscription contains one or more Disks.

```
(AzureSubscription)-[RESOURCE]->(AzureDisk)
```

AzureSnapshot¶

Representation of an Azure Snapshot.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Azure Snapshot ID number
type	The type of the resource
location	The location where snapshot is created
resourcegroup	The Resource Group where snapshot is created
name	The friendly name that identifies the snapshot
createoption	Specifies how the disk should be created
disksizegb	The size of the snapshot in GB
encryption	Specifies whether the snapshot has encryption enabled
incremental	Indicates whether a snapshot is incremental or not
network_access_policy	Policy for accessing the snapshot via network
ostype	The operating system type of the snapshot
tier	Performance Tier associated with the snapshot
sku	The snapshot sku name
zones	The logical zone list for snapshot

Relationships¶

Azure Subscription contains one or more Snapshots.

```
(AzureSubscription)-[RESOURCE]->(AzureSnapshot)
```

AzureSQLServer¶

Representation of an AzureSQLServer.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
location	The location where the resource is created
resourcegroup	The Resource Group where SQL Server is created
name	The friendly name that identifies the SQL server
kind	Specifies the kind of SQL server
state	The state of the server
version	The version of the server

Relationships¶

Azure Subscription contains one or more SQL Servers.

```
(AzureSubscription)-[RESOURCE]->(AzureSQLServer)
```

Azure SQL Server can be used by one or more Azure Server DNS Aliases.
```
```
(AzureSQLServer)-[USED_BY]->(AzureServerDNSAlias)
```
```
Azure SQL Server can be administered by one or more Azure Server AD Administrators.
```
```
(AzureSQLServer)-[ADMINISTERED_BY]->(AzureServerADAdministrator)
```
```

Azure SQL Server has one or more Azure Recoverable Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureRecoverableDatabase)
```

Azure SQL Server has one or more Azure Restorable Dropped Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureRestorableDroppedDatabase)
```

Azure SQL Server has one or more Azure Failover Group.

```
(AzureSQLServer)-[RESOURCE]->(AzureFailoverGroup)
```

Azure SQL Server has one or more Azure Elastic Pool.

```
(AzureSQLServer)-[RESOURCE]->(AzureElasticPool)
```

Azure SQL Server has one or more Azure SQL Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureSQLDatabase)
```

AzureServerDNSAlias¶

Representation of an AzureServerDNSAlias.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the server DNS alias
dnsrecord	The fully qualified DNS record for alias.

Relationships¶

Azure SQL Server can be used by one or more Azure Server DNS Aliases.
```
```
(AzureSQLServer)-[USED_BY]->(AzureServerDNSAlias)
```
```

AzureServerADAdministrator¶

Representation of an AzureServerADAdministrator.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
administratortype	The type of the server administrator.
login	The login name of the server administrator.

Relationships¶

Azure SQL Server can be administered by one or more Azure Server AD Administrators.
```
```
(AzureSQLServer)-[ADMINISTERED_BY]->(AzureServerADAdministrator)
```
```

AzureRecoverableDatabase¶

Representation of an AzureRecoverableDatabase.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
edition	The edition of the database.
servicelevelobjective	The service level objective name of the database.
lastbackupdate	The last available backup date of the database (ISO8601 format).

Relationships¶

Azure SQL Server has one or more Azure Recoverable Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureRecoverableDatabase)
```

AzureRestorableDroppedDatabase¶

Representation of an AzureRestorableDroppedDatabase.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The geo-location where the resource lives.
databasename	The name of the database.
creationdate	The creation date of the database (ISO8601 format).
deletiondate	The deletion date of the database (ISO8601 format).
restoredate	The earliest restore date of the database (ISO8601 format).
edition	The edition of the database.
servicelevelobjective	The service level objective name of the database.
maxsizebytes	The max size in bytes of the database.

Relationships¶

Azure SQL Server has one or more Azure Restorable Dropped Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureRestorableDroppedDatabase)
```

AzureFailoverGroup¶

Representation of an AzureFailoverGroup.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The geo-location where the resource lives.
replicationrole	Local replication role of the failover group instance.
replicationstate	Replication state of the failover group instance.

Relationships¶

Azure SQL Server has one or more Azure Failover Group.

```
(AzureSQLServer)-[RESOURCE]->(AzureFailoverGroup)
```

AzureElasticPool¶

Representation of an AzureElasticPool.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The location of the resource.
kind	The kind of elastic pool.
creationdate	The creation date of the elastic pool (ISO8601 format).
state	The state of the elastic pool.
maxsizebytes	The storage limit for the database elastic pool in bytes.
licensetype	The license type to apply for this elastic pool.
zoneredundant	Specifies whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.

Relationships¶

Azure SQL Server has one or more Azure Elastic Pool.

```
(AzureSQLServer)-[RESOURCE]->(AzureElasticPool)
```

AzureSQLDatabase¶

Representation of an AzureSQLDatabase.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The location of the resource.
kind	The kind of database.
creationdate	The creation date of the database (ISO8601 format).
databaseid	The ID of the database.
maxsizebytes	The max size of the database expressed in bytes.
licensetype	The license type to apply for this database.
secondarylocation	The default secondary region for this database.
elasticpoolid	The resource identifier of the elastic pool containing this database.
collation	The collation of the database.
failovergroupid	Failover Group resource identifier that this database belongs to.
zoneredundant	Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones.
restorabledroppeddbid	The resource identifier of the restorable dropped database associated with create operation of this database.
recoverabledbid	The resource identifier of the recoverable database associated with create operation of this database.

Relationships¶

Azure SQL Server has one or more Azure SQL Database.

```
(AzureSQLServer)-[RESOURCE]->(AzureSQLDatabase)
```

Azure SQL Database contains one or more Azure Replication Links.
```
```
(AzureSQLDatabase)-[CONTAINS]->(AzureReplicationLink)
```
```

Azure SQL Database contains a Database Threat Detection Policy.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureDatabaseThreatDetectionPolicy)
```

Azure SQL Database contains one or more Restore Points.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureRestorePoint)
```

Azure SQL Database contains Transparent Data Encryption.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureTransparentDataEncryption)
```

AzureReplicationLink¶

Representation of an AzureReplicationLink.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	Location of the server that contains this firewall rule.
partnerdatabase	The name of the partner database.
partnerlocation	The Azure Region of the partner database.
partnerrole	The role of the database in the replication link.
partnerserver	The name of the server hosting the partner database.
mode	Replication mode of this replication link.
state	The replication state for the replication link.
percentcomplete	The percentage of seeding complete for the replication link.
role	The role of the database in the replication link.
starttime	The start time for the replication link.
terminationallowed	Legacy value indicating whether termination is allowed.

Relationships¶

Azure SQL Database contains one or more Azure Replication Links.
```
```
(AzureSQLDatabase)-[CONTAINS]->(AzureReplicationLink)
```
```

AzureDatabaseThreatDetectionPolicy¶

Representation of an AzureDatabaseThreatDetectionPolicy.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The geo-location where the resource lives.
kind	The kind of the resource.
emailadmins	Specifies that the alert is sent to the account administrators.
emailaddresses	Specifies the semicolon-separated list of e-mail addresses to which the alert is sent.
retentiondays	Specifies the number of days to keep in the Threat Detection audit logs.
state	Specifies the state of the policy.
storageendpoint	Specifies the blob storage endpoint.
useserverdefault	Specifies whether to use the default server policy.
disabledalerts	Specifies the semicolon-separated list of alerts that are disabled, or empty string to disable no alerts.

Relationships¶

Azure SQL Database contains a Database Threat Detection Policy.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureDatabaseThreatDetectionPolicy)
```

AzureRestorePoint¶

Representation of an AzureRestorePoint.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The geo-location where the resource lives.
restoredate	The earliest time to which this database can be restored.
restorepointtype	The type of restore point.
creationdate	The time the backup was taken.

Relationships¶

Azure SQL Database contains one or more Restore Points.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureRestorePoint)
```

AzureTransparentDataEncryption¶

Representation of an AzureTransparentDataEncryption.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The resource ID
name	The name of the resource.
location	The resource location.
status	The status of the database transparent data encryption.

Relationships¶

Azure SQL Database contains Transparent Data Encryption.

```
(AzureSQLDatabase)-[CONTAINS]->(AzureTransparentDataEncryption)
```

AzureStorageAccount¶

Representation of an AzureStorageAccount.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
location	The geo-location where the resource lives.
resourcegroup	The Resource Group where the storage account is created
name	The name of the resource.
kind	Gets the Kind of the resource.
creationtime	Gets the creation date and time of the storage account in UTC.
hnsenabled	Specifies if the Account HierarchicalNamespace is enabled.
primarylocation	Gets the location of the primary data center for the storage account.
secondarylocation	Gets the location of the geo-replicated secondary for the storage account.
provisioningstate	Gets the status of the storage account at the time the operation was called.
statusofprimary	Gets the status availability status of the primary location of the storage account.
statusofsecondary	Gets the status availability status of the secondary location of the storage account.
supportshttpstrafficonly	Allows https traffic only to storage service if sets to true.

Relationships¶

Azure Subscription contains one or more Storage Accounts.

```
(AzureSubscription)-[RESOURCE]->(AzureStorageAccount)
```

Azure Storage Accounts uses one or more Queue Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageQueueService)
```

Azure Storage Accounts uses one or more Table Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageTableService)
```

Azure Storage Accounts uses one or more File Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageFileService)
```

Azure Storage Accounts uses one or more Blob Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageBlobService)
```

AzureStorageQueueService¶

Representation of an AzureStorageQueueService.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the queue service.

Relationships¶

Azure Storage Accounts uses one or more Queue Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageQueueService)
```

Queue Service contains one or more queues.

```
(AzureStorageQueueService)-[CONTAINS]->(AzureStorageQueue)
```

AzureStorageTableService¶

Representation of an AzureStorageTableService.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the table service.

Relationships¶

Azure Storage Accounts uses one or more Table Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageTableService)
```

Table Service contains one or more tables.

```
(AzureStorageTableService)-[CONTAINS]->(AzureStorageTable)
```

AzureStorageFileService¶

Representation of an AzureStorageFileService.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the file service.

Relationships¶

Azure Storage Accounts uses one or more File Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageFileService)
```

Table Service contains one or more file shares.

```
(AzureStorageFileService)-[CONTAINS]->(AzureStorageFileShare)
```

AzureStorageBlobService¶

Representation of an AzureStorageBlobService.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the blob service.

Relationships¶

Azure Storage Accounts uses one or more Blob Services.

```
(AzureStorageAccount)-[USES]->(AzureStorageBlobService)
```

Blob Service contains one or more blob containers.

```
(AzureStorageBlobService)-[CONTAINS]->(AzureStorageBlobContainer)
```

AzureStorageQueue¶

Representation of an AzureStorageQueue.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the queue.

Relationships¶

Queue Service contains one or more queues.

```
(AzureStorageQueueService)-[CONTAINS]->(AzureStorageQueue)
```

AzureStorageTable¶

Representation of an AzureStorageTable.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the table resource.
tablename	Table name under the specified account.

Relationships¶

Table Service contains one or more tables.

```
(AzureStorageTableService)-[CONTAINS]->(AzureStorageTable)
```

AzureStorageFileShare¶

Representation of an AzureStorageFileShare.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the resource.
lastmodifiedtime	Specifies the date and time the share was last modified.
sharequota	The maximum size of the share, in gigabytes.
accesstier	Specifies the access tier for the share.
deleted	Indicates whether the share was deleted.
accesstierchangetime	Indicates the last modification time for share access tier.
accesstierstatus	Indicates if there is a pending transition for access tier.
deletedtime	The deleted time if the share was deleted.
enabledprotocols	The authentication protocol that is used for the file share.
remainingretentiondays	Remaining retention days for share that was soft deleted.
shareusagebytes	The approximate size of the data stored on the share.
version	The version of the share.

Relationships¶

File Service contains one or more file shares.

```
(AzureStorageTableService)-[CONTAINS]->(AzureStorageFileShare)
```

AzureStorageBlobContainer¶

Representation of an AzureStorageBlobContainer.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource ID for the resource.
type	The type of the resource.
name	The name of the resource.
deleted	Indicates whether the blob container was deleted.
deletedtime	Blob container deletion time.
defaultencryptionscope	Default the container to use specified encryption scope for all writes.
publicaccess	Specifies whether data in the container may be accessed publicly and the level of access.
leasestatus	The lease status of the container.
leasestate	Lease state of the container.
lastmodifiedtime	Specifies the date and time the container was last modified.
remainingretentiondays	Specifies the remaining retention days for soft deleted blob container.
version	The version of the deleted blob container.
hasimmutabilitypolicy	Specifies the if the container has an ImmutabilityPolicy or not.
haslegalhold	Specifies if the container has any legal hold tags.
leaseduration	Specifies whether the lease on a container is of infinite or fixed duration, only when the container is leased.

Relationships¶

Blob Service contains one or more blob containers.

```
(AzureStorageBlobService)-[CONTAINS]->(AzureStorageBlobContainer)
```

AzureCosmosDBAccount¶

Representation of an AzureCosmosDBAccount.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
location	The location of the resource group to which the resource belongs.
resourcegroup	The Resource Group where the database account is created.
name	The name of the ARM resource.
kind	Indicates the type of database account.
type	The type of Azure resource.
ipranges	List of IpRules.
capabilities	List of Cosmos DB capabilities for the account.
documentendpoint	The connection endpoint for the Cosmos DB database account.
virtualnetworkfilterenabled	Flag to indicate whether to enable/disable Virtual Network ACL rules.
enableautomaticfailover	Enables automatic failover of the write region in the rare event that the region is unavailable due to an outage.
provisioningstate	The status of the Cosmos DB account at the time the operation was called.
multiplewritelocations	Enables the account to write in multiple locations.
accountoffertype	The offer type for the Cosmos DB database account.
publicnetworkaccess	Whether requests from Public Network are allowed.
enablecassandraconnector	Enables the cassandra connector on the Cosmos DB C* account.
connectoroffer	The cassandra connector offer type for the Cosmos DB database C* account.
disablekeybasedmetadatawriteaccess	Disable write operations on metadata resources (databases, containers, throughput) via account keys.
keyvaulturi	The URI of the key vault.
enablefreetier	Flag to indicate whether Free Tier is enabled.
enableanalyticalstorage	Flag to indicate whether to enable storage analytics.
defaultconsistencylevel	The default consistency level and configuration settings of the Cosmos DB account.
maxstalenessprefix	When used with the Bounded Staleness consistency level, this value represents the number of stale requests tolerated.
maxintervalinseconds	When used with the Bounded Staleness consistency level, this value represents the time amount of staleness (in seconds) tolerated.

Relationships¶

Azure Subscription contains one or more database accounts.

```
(AzureSubscription)-[RESOURCE]->(AzureCosmosDBAccount)
```

Azure Database Account can be read from, written from and is associated with Azure CosmosDB Locations.

```
(AzureCosmosDBAccount)-[CAN_WRITE_FROM]->(AzureCosmosDBLocation)
```
(AzureCosmosDBAccount)-[CAN_READ_FROM]->(AzureCosmosDBLocation)
```
(AzureCosmosDBAccount)-[ASSOCIATED_WITH]->(AzureCosmosDBLocation)
```

Azure Database Account contains one or more Cors Policy.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCorsPolicy)
```

Azure Database Account contains one or more failover policies.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBAccountFailoverPolicy)
```

Azure Database Account is configured with one or more private endpoint connections.

```
(AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCDBPrivateEndpointConnection)
```

Azure Database Account is configured with one or more virtual network rules.

```
(AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCosmosDBVirtualNetworkRule)
```

Azure Database Account contains one or more SQL databases.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBSqlDatabase)
```

Azure Database Account contains one or more Cassandra keyspace.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCassandraKeyspace)
```

Azure Database Account contains one or more MongoDB Database.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBMongoDBDatabase)
```

Azure Database Account contains one or more table resource.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBTableResource)
```

AzureCosmosDBLocation¶

Representation of an Azure CosmosDB Location.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique identifier of the region within the database account.
locationname	The name of the region.
documentendpoint	The connection endpoint for the specific region.
provisioningstate	The status of the Cosmos DB account at the time the operation was called.
failoverpriority	The failover priority of the region.
iszoneredundant	Flag to indicate whether or not this region is an AvailabilityZone region.

Relationships¶

Azure Database Account has write permissions from, read permissions from and is associated with Azure CosmosDB Locations.

```
(AzureCosmosDBAccount)-[CAN_WRITE_FROM]->(AzureCosmosDBLocation)
```
(AzureCosmosDBAccount)-[CAN_READ_FROM]->(AzureCosmosDBLocation)
```
(AzureCosmosDBAccount)-[ASSOCIATED_WITH]->(AzureCosmosDBLocation)
```

AzureCosmosDBCorsPolicy¶

Representation of an Azure Cosmos DB Cors Policy.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier for Cors Policy.
allowedorigins	The origin domains that are permitted to make a request against the service via CORS.
allowedmethods	The methods (HTTP request verbs) that the origin domain may use for a CORS request.
allowedheaders	The request headers that the origin domain may specify on the CORS request.
exposedheaders	The response headers that may be sent in the response to the CORS request and exposed by the browser to the request issuer.
maxageinseconds	The maximum amount time that a browser should cache the preflight OPTIONS request.

Relationships¶

Azure Database Account contains one or more Cors Policy.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCorsPolicy)
```

AzureCosmosDBAccountFailoverPolicy¶

Representation of an Azure Database Account Failover Policy.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique identifier of the region in which the database account replicates to.
locationname	The name of the region in which the database account exists.
failoverpriority	The failover priority of the region. A failover priority of 0 indicates a write region.

Relationships¶

Azure Database Account contains one or more failover policies.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBAccountFailoverPolicy)
```

AzureCDBPrivateEndpointConnection¶

Representation of an Azure Cosmos DB Private Endpoint Connection.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Fully qualified resource Id for the resource.
name	The name of the resource.
privateendpointid	Resource id of the private endpoint.
status	The private link service connection status.
actionrequired	Any action that is required beyond basic workflow (approve/ reject/ disconnect).

Relationships¶

Azure Database Account is configured with one or more private endpoint connections.

```
(AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCDBPrivateEndpointConnection)
```

AzureCosmosDBVirtualNetworkRule¶

Representation of an Azure Cosmos DB Virtual Network Rule.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Resource ID of a subnet.
ignoremissingvnetserviceendpoint	Create firewall rule before the virtual network has vnet service endpoint enabled.

Relationships¶

Azure Database Account is configured with one or more virtual network rules.

```
(AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCosmosDBVirtualNetworkRule)
```

AzureCosmosDBSqlDatabase¶

Representation of an AzureCosmosDBSqlDatabase.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.

Relationships¶

Azure Database Account contains one or more SQL databases.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBSqlDatabase)
```

SQL Databases contain one or more SQL containers.

```
(AzureCosmosDBSqlDatabase)-[CONTAINS]->(AzureCosmosDBSqlContainer)
```

AzureCosmosDBCassandraKeyspace¶

Representation of an AzureCosmosDBCassandraKeyspace.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.

Relationships¶

Azure Database Account contains one or more Cassandra keyspace.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCassandraKeyspace)
```

Cassandra Keyspace contains one or more Cassandra tables.

```
(AzureCosmosDBCassandraKeyspace)-[CONTAINS]->(AzureCosmosDBCassandraTable)
```

AzureCosmosDBMongoDBDatabase¶

Representation of an AzureCosmosDBMongoDBDatabase.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.

Relationships¶

Azure Database Account contains one or more MongoDB Database.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBMongoDBDatabase)
```

MongoDB database contains one or more MongoDB collections.

```
(AzureCosmosDBMongoDBDatabase)-[CONTAINS]->(AzureCosmosDBMongoDBCollection)
```

AzureCosmosDBTableResource¶

Representation of an AzureCosmosDBTableResource.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.

Relationships¶

Azure Database Account contains one or more table resource.

```
(AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBTableResource)
```

AzureCosmosDBSqlContainer¶

Representation of an AzureCosmosDBSqlContainer.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.
container	Name of the Cosmos DB SQL container.
defaultttl	Default time to live.
analyticalttl	Specifies the Analytical TTL.
isautomaticindexingpolicy	Indicates if the indexing policy is automatic.
indexingmode	Indicates the indexing mode.
conflictresolutionpolicymode	Indicates the conflict resolution mode.

Relationships¶

SQL Databases contain one or more SQL containers.

```
(AzureCosmosDBSqlDatabase)-[CONTAINS]->(AzureCosmosDBSqlContainer)
```

AzureCosmosDBCassandraTable¶

Representation of an AzureCosmosDBCassandraTable.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.
container	Name of the Cosmos DB Cassandra table.
defaultttl	Time to live of the Cosmos DB Cassandra table.
analyticalttl	Specifies the Analytical TTL.

Relationships¶

Cassandra Keyspace contains one or more Cassandra tables.

```
(AzureCosmosDBCassandraKeyspace)-[CONTAINS]->(AzureCosmosDBCassandraTable)
```

AzureCosmosDBMongoDBCollection¶

Representation of an AzureCosmosDBMongoDBCollection.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique resource identifier of the ARM resource.
name	The name of the ARM resource.
type	The type of Azure resource.
location	The location of the resource group to which the resource belongs.
throughput	Value of the Cosmos DB resource throughput or autoscaleSettings.
maxthroughput	Represents maximum throughput, the resource can scale up to.
collectionname	Name of the Cosmos DB MongoDB collection.
analyticalttl	Specifies the Analytical TTL.

Relationships¶

MongoDB database contains one or more MongoDB collections.

```
(AzureCosmosDBMongoDBDatabase)-[CONTAINS]->(AzureCosmosDBMongoDBCollection)
```

DigitalOcean Schema¶

DOAccount¶

Representation of a DigitalOcean Account object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The UUID of the account
uuid	The UUID of the account (same value as id)
droplet_limit	Total number of droplets that the account can have at one time
floating_ip_limit	Total number of floating IPs the account may have
status	Status of the account

Relationships¶

DOAccount contains DOProjects.
```
(DOAccount)-[RESOURCE]->(DOProjects)
```

DOProject¶

Representation of a DigitalOcean Project object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The unique universal identifier of the project
account_id	Id of the DOAccount where this project belongs to
description	The description of the project
environment	The environment of the project’s resources
is_default	If true, all resources will be added to this project if no project is specified
name	The human-readable name for the project
owner_uuid	The unique universal identifier of the project’s owner
created_at	A time value given in ISO8601 combined date and time format that represents when the project was created
updated_at	A time value given in ISO8601 combined date and time format that represents when the project was updated

Relationships¶

DOProject has DODroplets as resource.
```
(DOProject)-[RESOURCE]->(DODroplet)
```

DODroplet¶

Representation of a DigitalOcean Droplet object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A unique identifier for each Droplet instance
account_id	Id of the DOAccount where this Droplet belongs to
features	An array of features enabled on this Droplet
locked	A boolean value indicating whether the Droplet has been locked, preventing actions by users
image	The slug of the base image used to create the Droplet instance
ip_address	The v4 external ip address of this Droplet
ip_v6_address	The v6 external ip address of this Droplet
kernel	The current kernel image id
name	The human-readable name set for the Droplet instance
private_ip_address	The v4 internal ip address of this Droplet
project_id	Id of the DOProject where this Droplet belongs to
region	The region that the Droplet instance is deployed in
size	The current size object describing the Droplet
status	A status string indicating the state of the Droplet instance.This may be “new”, “active”, “off”, or “archive”
tags	An array of Tags the Droplet has been tagged with
volumes	A flat array including the unique identifier for each Block Storage volume attached to the Droplet
created_at	A time value given in ISO8601 combined date and time format that represents when the Droplet was created

Relationships¶

DODroplet is a resource of a DOProject.
```
(DODroplet)<-[RESOURCE]-(DOProject)
```

GCP Schema¶

GCPOrganization¶

Representation of a GCP Organization object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The name of the GCP Organization, e.g. “organizations/1234”
displayname	The “friendly name”, e.g. “My Company”
lifecyclestate	The organization’s current lifecycle state. Assigned by the server. See the official docs.

Relationships¶

GCPOrganizations contain GCPFolders.

(GCPOrganization)-[RESOURCE]->(GCPFolder)

GCPOrganizations can contain GCPProjects.

(GCPOrganization)-[RESOURCE]->(GCPProjects)

GCPFolder¶

Representation of a GCP Folder. An additional helpful reference is the Google Compute Platform resource hierarchy.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The name of the folder, e.g. “folders/1234”
displayname	A friendly name of the folder, e.g. “My Folder”.
lifecyclestate	The folder’s current lifecycle state. Assigned by the server. See the official docs.

Relationships¶

GCPOrganizations are parents of GCPFolders.
```
(GCPOrganization)<-[PARENT]-(GCPFolder)
```
GCPFolders can contain GCPProjects
```
(GCPFolder)-[RESOURCE]->(GCPProject)
```
GCPFolders can contain other GCPFolders.
```
(GCPFolder)-[RESOURCE]->(GCPFolder)
```

GCPProject¶

Representation of a GCP Project. An additional helpful reference is the Google Compute Platform resource hierarchy.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the project, e.g. “sys-12345”
projectnumber	The number uniquely identifying the project, e.g. ‘987654’
displayname	A friendly name of the project, e.g. “MyProject”.
lifecyclestate	The project’s current lifecycle state. Assigned by the server. See the official docs.

Relationships¶

GCPOrganizations contain GCPProjects.

(GCPOrganization)-[RESOURCE]->(GCPProjects)

GCPFolders can contain GCPProjects
```
(GCPFolder)-[RESOURCE]->(GCPProject)
```

GCPVpcs are part of GCPProjects
```
(GCPProject)-[RESOURCE]->(GCPVpc)
```

GCPBucket¶

Representation of a GCP Storage Bucket.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the storage bucket, e.g. “bucket-12345”
projectnumber	The number uniquely identifying the project associated with the storage bucket, e.g. ‘987654’
self_link	The URI of the storage bucket
kind	The kind of item this is. For storage buckets, this is always storage#bucket
location	The location of the bucket. Object data for objects in the bucket resides in physical storage within this region. Defaults to US. See Cloud Storage bucket locations for the authoritative list.
location_type	The type of location that the bucket resides in, as determined by the `location` property
meta_generation	The metadata generation of this bucket
storage_class	The bucket’s default storage class, used whenever no `storageClass` is specified for a newly-created object. For more information, see storage classes
time_created	The creation time of the bucket in RFC 3339 format
retention_period	The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived
iam_config_bucket_policy_only	The bucket’s Bucket Policy Only configuration
owner_entity	The entity, in the form `project-owner-projectId`
owner_entity_id	The ID for the entity
versioning_enabled	The bucket’s versioning configuration (if set to `True`, versioning is fully enabled for this bucket)
log_bucket	The destination bucket where the current bucket’s logs should be placed
requester_pays	The bucket’s billing configuration (if set to true, Requester Pays is enabled for this bucket)
default_kms_key_name	A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified

Relationships¶

GCPBuckets are part of GCPProjects.
```
(GCPProject)-[RESOURCE]->(GCPBucket)
```
GCPBuckets can be labelled with GCPBucketLabels.
```
(GCPBucket)<-[LABELLED]-(GCPBucketLabels)
```

GCPDNSZone¶

Representation of a GCP DNS Zone.

Field	Description
created_at	The date and time the zone was created
description	An optional description of the zone
dns_name	The DNS name of this managed zone, for instance “example.com.”.
firstseen	Timestamp of when a sync job first discovered this node
id	Unique identifier
name	The name of the zone
nameservers	Virtual name servers the zone is delegated to
visibility	The zone’s visibility: `public` zones are exposed to the Internet, while `private` zones are visible only to Virtual Private Cloud resources.

Relationships¶

GKEClusters are resources of GCPProjects.
```
(GCPProject)-[RESOURCE]->(GCPDNSZone)
```

Label: GCPBucketLabel¶

Representation of a GCP Storage Bucket Label. This node contains a key-value pair.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the bucket label. Takes the form “GCPBucketLabel_{key}.”
key	The key of the bucket label.
value	The value of the bucket label.

GCPBuckets can be labeled with GCPBucketLabels.
```
(GCPBucket)<-[LABELED]-(GCPBucketLabels)
```

GCPInstance¶

Representation of a GCP Instance. Additional references can be found in the official documentation.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The partial resource URI representing this instance. Has the form `projects/{project_name}/zones/{zone_name}/instances/{instance_name}`.
partial_uri	Same as `id` above.
self_link	The full resource URI representing this instance. Has the form `https://www.googleapis.com/compute/v1/{partial_uri}`
instancename	The name of the instance, e.g. “my-instance”
zone_name	The zone that the instance is installed on
hostname	If present, the hostname of the instance
exposed_internet	Set to True with `exposed_internet_type = 'direct'` if there is an ‘allow’ IPRule attached to one of the instance’s ingress firewalls with the following conditions: The ‘allow’ IpRule allows traffic from one or more TCP ports, and the ‘allow’ IpRule is not superceded by a ‘deny’ IPRule (in GCP, a firewall rule of priority 1 gets applied ahead of a firewall rule of priority 100, and ‘deny’ rules of the same priority are applied ahead of ‘allow’ rules)
status	The GCP Instance Lifecycle state of the instance

Relationships¶

GCPInstances are resources of GCPProjects.
```
(GCPProject)-[RESOURCE]->(GCPInstance)
```

GCPNetworkInterfaces are attached to GCPInstances

(GCPInstance)-[NETWORK_INTERFACE]->(GCPNetworkInterface)

GCP Instances may be members of one or more GCP VPCs.

   (GCPInstance)-[:MEMBER_OF_GCP_VPC]->(GCPVpc)

Also note that this relationship is a shortcut for:

(GCPInstance)-[:NETWORK_INTERFACE]->(:GCPNetworkInterface)-[:PART_OF_SUBNET]->(GCPSubnet)<-[:RESOURCE]-(GCPVpc)

GCP Instances may have GCP Tags defined on them for use in network firewall routing.
```
(GCPInstance)-[:TAGGED]->(GCPNetworkTag)
```

GCP Firewalls allow ingress to GCP instances.

   (GCPFirewall)-[:FIREWALL_INGRESS]->(GCPInstance)

Note that this relationship is a shortcut for:

   (vpc:GCPVpc)<-[MEMBER_OF_GCP_VPC]-(GCPInstance)-[TAGGED]->(GCPNetworkTag)-[TARGET_TAG]-(GCPFirewall{direction: 'INGRESS'})<-[RESOURCE]-(vpc)

as well as

MATCH (fw:GCPFirewall{direction: 'INGRESS', has_target_service_accounts: False}})
WHERE NOT (fw)-[TARGET_TAG]->(GCPNetworkTag)
MATCH (GCPInstance)-[MEMBER_OF_GCP_VPC]->(GCPVpc)-[RESOURCE]->(fw)

GCPNetworkTag¶

Representation of a Tag defined on a GCP Instance or GCP Firewall. Tags are defined on GCP instances for use in network firewall routing.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	GCP doesn’t define a resource URI for Tags so we define this as `{instance resource URI}/tags/{tag value}`
tag_id	same as `id`
value	The actual value of the tag

Relationships¶

GCP Instances can be labeled with tags.

(GCPInstance)-[:TAGGED]->(GCPNetworkTag)

GCP Firewalls can be labeled with tags to direct traffic to or deny traffic to labeled GCPInstances
```
(GCPFirewall)-[:TARGET_TAG]->(GCPNetworkTag)
```
GCPNetworkTags are defined on a VPC and only have effect on assets in that VPC
```
(GCPVpc)-[DEFINED_IN]->(GCPNetworkTag)
```

GCPVpc¶

Representation of a GCP VPC. In GCP documentation this is also known simply as a “Network” object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The partial resource URI representing this VPC. Has the form `projects/{project_name}/global/networks/{vpc name}`.
partial_uri	Same as `id`
self_link	The full resource URI representing this VPC. Has the form `https://www.googleapis.com/compute/v1/{partial_uri}`
name	The name of the VPC
project_id	The project ID that this VPC belongs to
auto_create_subnetworks	When set to true, the VPC network is created in “auto” mode. When set to false, the VPC network is created in “custom” mode. An auto mode VPC network starts with one subnet per region. Each subnet has a predetermined range as described in Auto mode VPC network IP ranges.
routing_confg_routing_mode	The network-wide routing mode to use. If set to REGIONAL, this network’s Cloud Routers will only advertise routes with subnets of this network in the same region as the router. If set to GLOBAL, this network’s Cloud Routers will advertise routes with all subnets of this network, across regions.
description	A description for the VPC

Relationships¶

GCPVpcs are part of projects
```
(GCPProject)-[RESOURCE]->(GCPVpc)
```
GCPVpcs contain GCPSubnets
```
(GCPVpc)-[RESOURCE]->(GCPSubnet)
```
GCPSubnets are part of GCP VPCs
```
(GCPVpc)-[RESOURCE]->(GCPSubnet)
```
GCPNetworkTags are defined on a VPC and only have effect on assets in that VPC
```
(GCPVpc)-[DEFINED_IN]->(GCPNetworkTag)
```

GCP Instances may be members of one or more GCP VPCs.

   (GCPInstance)-[:MEMBER_OF_GCP_VPC]->(GCPVpc)

Also note that this relationship is a shortcut for:

(GCPInstance)-[:NETWORK_INTERFACE]->(:GCPNetworkInterface)-[:PART_OF_SUBNET]->(GCPSubnet)<-[:RESOURCE]-(GCPVpc)

GCPNetworkInterface¶

Representation of a GCP Instance’s network interface (scroll down to the fields on “networkInterface”).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A partial resource URI representing this network interface. Note: GCP does not define a partial resource URI for network interfaces, so we create one so we can uniquely identify GCP network interfaces. Has the form `projects/{project_name}/zones/{zone_name}/instances/{instance_name}/networkinterfaces/{network interface name}`.
nic_id	Same as `id`
name	The name of the network interface
private_ip	The private IP address of this network interface. This IP is valid on the network interface’s VPC.

Relationships¶

GCPNetworkInterfaces are attached to GCPInstances

(GCPInstance)-[NETWORK_INTERFACE]->(GCPNetworkInterface)

GCPNetworkInterfaces are connected to GCPSubnets

(GCPNetworkInterface)-[PART_OF_SUBNET]->(GCPSubnet)

GCPNetworkInterfaces have GCPNicAccessConfig objects defined on them
```
(GCPNetworkInterface)-[RESOURCE]->(GCPNicAccessConfig)
```

GCPNicAccessConfig¶

Representation of the AccessConfig object on a GCP Instance’s network interface (scroll down to the fields on “networkInterface”).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A partial resource URI representing this AccessConfig. Note: GCP does not define a partial resource URI for AccessConfigs, so we create one so we can uniquely identify GCP network interface access configs. Has the form `projects/{project_name}/zones/{zone_name}/instances/{instance_name}/networkinterfaces/{network interface name}/accessconfigs/{access config type}`.
partial_uri	Same as `id`
type	The type of configuration. GCP docs say: “The default and only option is ONE_TO_ONE_NAT.”
name	The name of this access configuration. The default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access.
public_ip	The external IP associated with this instance
set_public_ptr	Specifies whether a public DNS ‘PTR’ record should be created to map the external IP address of the instance to a DNS domain name.
public_ptr_domain_name	The DNS domain name for the public PTR record. You can set this field only if the setPublicPtr field is enabled.
network_tier	This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD.

Relationships¶

GCPNetworkInterfaces have GCPNicAccessConfig objects defined on them
```
(GCPNetworkInterface)-[RESOURCE]->(GCPNicAccessConfig)
```

GCPRecordSet¶

Representation of a GCP Resource Record Set.

Field	Description
data	Data contained in the record
firstseen	Timestamp of when a sync job first discovered this node
id	Same as `name`
name	The name of the Resource Record Set
type	The identifier of a supported record type. See the list of Supported DNS record types.
ttl	Number of seconds that this ResourceRecordSet can be cached by resolvers.

Relationships¶

GCPRecordSets are records of GCPDNSZones.

(GCPDNSZone)-[HAS_RECORD]->(GCPRecordSet)

GCPSubnet¶

Representation of a GCP Subnetwork.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A partial resource URI representing this Subnet. Has the form `projects/{project}/regions/{region}/subnetworks/{subnet name}`.
partial_uri	Same as `id`
self_link	The full resource URI representing this subnet. Has the form `https://www.googleapis.com/compute/v1/{partial_uri}`
project_id	The project ID that this Subnet belongs to
name	The name of this Subnet
region	The region of this Subnet
gateway_address	Gateway IP address of this Subnet
ip_cidr_range	The CIDR range covered by this Subnet
vpc_partial_uri	The partial URI of the VPC that this Subnet is a part of
private_ip_google_access	Whether the VMs in this subnet can access Google services without assigned external IP addresses. This field can be both set at resource creation time and updated using setPrivateIpGoogleAccess.

Relationships¶

GCPSubnets are part of GCP VPCs
```
(GCPVpc)-[RESOURCE]->(GCPSubnet)
```

GCPNetworkInterfaces are connected to GCPSubnets

(GCPNetworkInterface)-[PART_OF_SUBNET]->(GCPSubnet)

GCPFirewall¶

Representation of a GCP Firewall.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A partial resource URI representing this Firewall.
partial_uri	Same as `id`
direction	Either ‘INGRESS’ for inbound or ‘EGRESS’ for outbound
disabled	Whether this firewall object is disabled
priority	The priority of this firewall rule from 1 (apply this first)-65535 (apply this last)
self_link	The full resource URI to this firewall
has_target_service_accounts	Set to True if this Firewall has target service accounts defined. This field is currently a placeholder for future functionality to add GCP IAM objects to Cartography. If True, this firewall rule will only apply to GCP instances that use the specified target service account.

Relationships¶

Firewalls belong to VPCs
```
(GCPVpc)-[RESOURCE]->(GCPFirewall)
```

Firewalls define rules that allow traffic

(GcpIpRule)-[ALLOWED_BY]->(GCPFirewall)

Firewalls define rules that deny traffic
```
(GcpIpRule)-[DENIED_BY]->(GCPFirewall)
```
GCP Firewalls can be labeled with tags to direct traffic to or deny traffic to labeled GCPInstances
```
(GCPFirewall)-[:TARGET_TAG]->(GCPNetworkTag)
```

GCP Firewalls allow ingress to GCP instances.

   (GCPFirewall)-[:FIREWALL_INGRESS]->(GCPInstance)

Note that this relationship is a shortcut for:

   (vpc:GCPVpc)<-[MEMBER_OF_GCP_VPC]-(GCPInstance)-[TAGGED]->(GCPNetworkTag)-[TARGET_TAG]-(GCPFirewall{direction: 'INGRESS'})<-[RESOURCE]-(vpc)

as well as

MATCH (fw:GCPFirewall{direction: 'INGRESS', has_target_service_accounts: False}})
WHERE NOT (fw)-[TARGET_TAG]->(GCPNetworkTag)
MATCH (GCPInstance)-[MEMBER_OF_GCP_VPC]->(GCPVpc)-[RESOURCE]->(fw)

GCPForwardingRule¶

Representation of GCP Forwarding Rules and Global Forwarding Rules.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A partial resource URI representing this Forwarding Rule
partial_uri	Same as `id`
ip_address	IP address that this Forwarding Rule serves
ip_protocol	IP protocol to which this rule applies
load_balancing_scheme	Specifies the Forwarding Rule type
name	Name of the Forwarding Rule
network	A partial resource URI of the network this Forwarding Rule belongs to
port_range	Port range used in conjunction with a target resource. Only packets addressed to ports in the specified range will be forwarded to target configured
ports	Ports to forward to a backend service. Only packets addressed to these ports are forwarded to the backend services configured
project_id	The project ID that this Forwarding Rule belongs to
region	The region of this Forwarding Rule
self_link	Server-defined URL for the resource
subnetwork	A partial resource URI of the subnetwork this Forwarding Rule belongs to
target	A partial resource URI of the target resource to receive the traffic

Relationships¶

GCPForwardingRules can be a resource of a GCPVpc.
```
(GCPVpc)-[RESOURCE]->(GCPForwardingRule)
```
GCPForwardingRules can be a resource of a GCPSubnet.
```
(GCPSubnet)-[RESOURCE]->(GCPForwardingRule)
```

GKECluster¶

Representation of a GCP GKE Cluster.

Field	Description
basic_auth	Set to `True` if both `masterauth_username` and `masterauth_password` are set
created_at	The date and time the cluster was created
cluster_ipv4cidr	The IP address range of the container pods in the cluster
current_master_version	The current software version of the master endpoint
database_encryption	Configuration of etcd encryption
description	An optional description of the cluster
endpoint	The IP address of the cluster’s master endpoint. The endpoint can be accessed from the internet at https://username:password@endpoint/
exposed_internet	Set to `True` if at least among `private_nodes`, `private_endpoint_enabled`, or `master_authorized_networks` are disabled
firstseen	Timestamp of when a sync job first discovered this node
id	Same as `self_link`
initial_version	The initial Kubernetes version for the cluster
location	The name of the Google Compute Engine zone or region in which the cluster resides
logging_service	The logging service used to write logs. Available options: `logging.googleapis.com/kubernetes`, `logging.googleapis.com`, `none`
master_authorized_networks	If enabled, it disallows all external traffic to access Kubernetes master through HTTPS except traffic from the given CIDR blocks, Google Compute Engine Public IPs and Google Prod IPs
masterauth_username	The username to use for HTTP basic authentication to the master endpoint. For clusters v1.6.0 and later, basic authentication can be disabled by leaving username unspecified (or setting it to the empty string)
masterauth_password	The password to use for HTTP basic authentication to the master endpoint. If a password is provided for cluster creation, username must be non-empty
monitoring_service	The monitoring service used to write metrics. Available options: `monitoring.googleapis.com/kubernetes`, `monitoring.googleapis.com`, `none`
name	The name of the cluster
network	The name of the Google Compute Engine network to which the cluster is connected
network_policy	Set to `True` if a network policy provider has been enabled
private_endpoint_enabled	Whether the master’s internal IP address is used as the cluster endpoint
private_endpoint	The internal IP address of the cluster’s master endpoint
private_nodes	If enabled, all nodes are given only private addresses and communicate with the master via private networking
public_endpoint	The external IP address of the cluster’s master endpoint
self_link	Server-defined URL for the resource
services_ipv4cidr	The IP address range of the Kubernetes services in the cluster
shielded_nodes	Whether Shielded Nodes are enabled
status	The current status of the cluster
subnetwork	The name of the Google Compute Engine subnetwork to which the cluster is connected
zone	The name of the Google Compute Engine zone in which the cluster resides

Relationships¶

GKEClusters are resources of GCPProjects.
```
(GCPProject)-[RESOURCE]->(GKECluster)
```

IpRule::IpPermissionInbound::GCPIpRule¶

An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field	Description
ruleid	`{firewall_partial_uri}/{rule_type}/{port_range}{protocol}`
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol this rule applies to
fromport	Lowest port in the range defined by this rule
toport	Highest port in the range defined by this rule

Relationships¶

GCP Firewall rules are defined on IpRange objects.

(GCPIpRule, IpRule, IpPermissionInbound)<-[MEMBER_OF_IP_RULE)-(:IpRange)

Firewalls define rules that allow traffic

(GcpIpRule)-[ALLOWED_BY]->(GCPFirewall)

Firewalls define rules that deny traffic
```
(GcpIpRule)-[DENIED_BY]->(GCPFirewall)
```

IpRange¶

Representation of an IP range or subnet.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	CIDR notation for the IP range. E.g. “0.0.0.0/0” for the whole internet.

Relationships¶

GCP Firewall rules are defined on IpRange objects.

(GCPIpRule, IpRule, IpPermissionInbound)<-[MEMBER_OF_IP_RULE)-(:IpRange)

Github Schema¶

GitHubRepository¶

Representation of a single GitHubRepository (repo) repository object. This node contains all data unique to the repo.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	The GitHub repo id. These are not unique across GitHub instances, so are prepended with the API URL the id applies to
createdat	GitHub timestamp from when the repo was created
name	Name of the repo
fullname	Name of the organization and repo together
description	Text describing the repo
primarylanguage	The primary language used in the repo
homepage	The website used as a homepage for project information
defaultbranch	The default branch used by the repo, typically master
defaultbranchid	The unique identifier of the default branch
private	True if repo is private
disabled	True if repo is disabled
archived	True if repo is archived
locked	True if repo is locked
giturl	URL used to access the repo from git commandline
url	Web URL for viewing the repo
sshurl	URL for access the repo via SSH
updatedat	GitHub timestamp for last time repo was modified

Relationships¶

GitHubUsers or GitHubOrganizations own GitHubRepositories.

(GitHubUser)-[OWNER]->(GitHubRepository)
(GitHubOrganization)-[OWNER]->(GitHubRepository)

GitHubRepositories in an organization can have outside collaborators with different permissions, including ADMIN, WRITE, MAINTAIN, TRIAGE, and READ (Reference).
```
(GitHubUser)-[:OUTSIDE_COLLAB_{ACTION}]->(GitHubRepository)
```

GitHubRepositories use ProgrammingLanguages

(GitHubRepository)-[:LANGUAGE]->(ProgrammingLanguage)

GitHubRepositories have GitHubBranches

(GitHubRepository)-[:BRANCH]->(GitHubBranch)

GitHubTeams can have various levels of access to GitHubRepositories.

(GitHubTeam)-[ADMIN|READ|WRITE|TRIAGE|MAINTAIN]->(GitHubRepository)

GitHubOrganization¶

Representation of a single GitHubOrganization organization object. This node contains minimal data for the GitHub Organization.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	The URL of the GitHub organization
username	Name of the organization

Relationships¶

GitHubOrganizations own GitHubRepositories.

(GitHubOrganization)-[OWNER]->(GitHubRepository)

GitHubTeams are resources under GitHubOrganizations
```
(GitHubOrganization)-[RESOURCE]->(GitHubTeam)
```
GitHubUsers are members of an organization. In some cases there may be a user who is “unaffiliated” with an org, for example if the user is an enterprise owner, but not member of, the org. Enterprise owners have complete control over the enterprise (i.e. they can manage all enterprise settings, members, and policies) yet may not show up on member lists of the GitHub org.
```
(GitHubUser)-[MEMBER_OF|UNAFFILIATED]->(GitHubOrganization)
```

GitHubTeam¶

A GitHubTeam organization object.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	The URL of the GitHub Team
name	The name (a.k.a URL slug) of the GitHub Team
description	Description of the GitHub team

Relationships¶

GitHubTeams can have various levels of access to GitHubRepositories.

(GitHubTeam)-[ADMIN|READ|WRITE|TRIAGE|MAINTAIN]->(GitHubRepository)

GitHubTeams are resources under GitHubOrganizations
```
(GitHubOrganization)-[RESOURCE]->(GitHubTeam)
```

GitHubUser¶

Representation of a single GitHubUser user object. This node contains minimal data for the GitHub User.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	The URL of the GitHub user
username	Name of the user
fullname	The full name
has_2fa_enabled	Whether the user has 2-factor authentication enabled
role	Either ‘ADMIN’ (denoting that the user is an owner of a Github organization) or ‘MEMBER’
is_site_admin	Whether the user is a site admin
is_enterprise_owner	Whether the user is an enterprise owner
permission	Only present if the user is an outside collaborator of this repo. `permission` is either ADMIN, MAINTAIN, READ, TRIAGE, or WRITE (ref).
email	The user’s publicly visible profile email.
company	The user’s public profile company.

Relationships¶

GitHubUsers own GitHubRepositories.

(GitHubUser)-[OWNER]->(GitHubRepository)

GitHubRepositories in an organization can have outside collaborators with different permissions, including ADMIN, WRITE, MAINTAIN, TRIAGE, and READ (Reference).
```
(GitHubUser)-[:OUTSIDE_COLLAB_{ACTION}]->(GitHubRepository)
```
GitHubUsers are members of an organization. In some cases there may be a user who is “unaffiliated” with an org, for example if the user is an enterprise owner, but not member of, the org. Enterprise owners have complete control over the enterprise (i.e. they can manage all enterprise settings, members, and policies) yet may not show up on member lists of the GitHub org.
```
(GitHubUser)-[MEMBER_OF|UNAFFILIATED]->(GitHubOrganization)
```

GitHubBranch¶

Representation of a single GitHubBranch ref object. This node contains minimal data for a repository branch.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	The GitHub branch id. These are not unique across GitHub instances, so are prepended with the API URL the id applies to
name	Name of the branch

Relationships¶

GitHubRepositories have GitHubBranches.

(GitHubBranch)<-[BRANCH]-(GitHubRepository)

ProgrammingLanguage¶

Representation of a single Programming Language language object. This node contains programming language information.

Field	Description
firstseen	Timestamp of when a sync job first created this node
lastupdated	Timestamp of the last time the node was updated
id	Language ids need not be tracked across instances, so defaults to the name
name	Name of the language

Relationships¶

GitHubRepositories use ProgrammingLanguages.

(ProgrammingLanguage)<-[LANGUAGE]-(GitHubRepository)

Dependency::PythonLibrary¶

Representation of a Python library as listed in a requirements.txt or setup.cfg file. Within a setup.cfg file, cartography will load everything from install_requires, setup_requires, and extras_require.

Field	Description
id	The canonicalized name of the library. If the library was pinned in a requirements file using the `==` operator, then `id` has the form `{canonical name}\|{pinned_version}`.
name	The canonicalized name of the library.
version	The exact version of the library. This field is only present if the library was pinned in a requirements file using the `==` operator.

Relationships¶

Software on Github repos can import Python libraries by optionally specifying a version number.
```
(GitHubRepository)-[:REQUIRES{specifier}]->(PythonLibrary)
```
- specifier: A string describing this library’s version e.g. “<4.0,>=3.0” or “==1.0.2”. This field is only present on the :REQUIRES edge if the repo’s requirements file provided a version pin.
A Python Dependency is affected by a SemgrepSCAFinding (optional)
```
(:SemgrepSCAFinding)-[:AFFECTS]->(:PythonLibrary)
```

GSuite Schema¶

GSuiteUser¶

Reference: https://developers.google.com/admin-sdk/directory/v1/reference/users#resource

Field	Description
id	The unique ID for the user as a string. A user id can be used as a user request URI’s userKey
user_id	duplicate of id.
agreed_to_terms	This property is true if the user has completed an initial login and accepted the Terms of Service agreement.
change_password_at_next_login	Indicates if the user is forced to change their password at next login. This setting doesn’t apply when the user signs in via a third-party identity provider.
creation_time	The time the user’s account was created. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example, 2010-04-05T17:30:04+01:00.
customer_id	The customer ID to retrieve all account users. You can use the alias my_customer to represent your account’s customerId. As a reseller administrator, you can use the resold customer account’s customerId. To get a customerId, use the account’s primary domain in the domain parameter of a users.list request.
etag	ETag of the resource
include_in_global_address_list	Indicates if the user’s profile is visible in the G Suite global address list when the contact sharing feature is enabled for the domain. For more information about excluding user profiles, see the administration help center.
ip_whitelisted	If true, the user’s IP address is white listed.
is_admin	Indicates a user with super admininistrator privileges. The isAdmin property can only be edited in the Make a user an administrator operation (makeAdmin method). If edited in the user insert or update methods, the edit is ignored by the API service.
is_delegated_admin	Indicates if the user is a delegated administrator. Delegated administrators are supported by the API but cannot create or undelete users, or make users administrators. These requests are ignored by the API service. Roles and privileges for administrators are assigned using the Admin console.
is_enforced_in_2_sv	Is 2-step verification enforced (Read-only)
is_enrolled_in_2_sv	Is enrolled in 2-step verification (Read-only)
is_mailbox_setup	Indicates if the user’s Google mailbox is created. This property is only applicable if the user has been assigned a Gmail license.
kind	The type of the API resource. For Users resources, the value is admin#directory#user.
last_login_time	The last time the user logged into the user’s account. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example, 2010-04-05T17:30:04+01:00.
name	First name + Last name
family_name	The user’s last name. Required when creating a user account.
given_name	The user’s first name. Required when creating a user account.
org_unit_path	The full path of the parent organization associated with the user. If the parent organization is the top-level, it is represented as a forward slash (/).
primary_email	The user’s primary email address. This property is required in a request to create a user account. The primaryEmail must be unique and cannot be an alias of another user.
suspended	Indicates if user is suspended
thumbnail_photo_etag	ETag of the user’s photo
thumbnail_photo_url	Photo Url of the user
lastupdated	Timestamp of when a sync job last updated this node
firstseen	Timestamp of when a sync job first discovered this node

Relationships¶

GSuiteUser is an identity for a Human

(Human)-[IDENTITY_GSUITE]->(GSuiteUser)

GSuiteGroup¶

Reference: https://developers.google.com/admin-sdk/directory/v1/reference/groups

Field	Description
id	The unique ID of a group. A group id can be used as a group request URI’s groupKey.
admin_created	Value is true if this group was created by an administrator rather than a user.
description	An extended description to help users determine the purpose of a group. For example, you can include information about who should join the group, the types of messages to send to the group, links to FAQs about the group, or related groups. Maximum length is 4,096 characters.
direct_members_count	The number of users that are direct members of the group. If a group is a member (child) of this group (the parent), members of the child group are not counted in the directMembersCount property of the parent group
email	The group’s email address. If your account has multiple domains, select the appropriate domain for the email address. The email must be unique. This property is required when creating a group. Group email addresses are subject to the same character usage rules as usernames, see the administration help center for the details.
etag	ETag of the resource
kind	The type of the API resource. For Groups resources, the value is admin#directory#group.
name	The group’s display name.
lastupdated	Timestamp of when a sync job last updated this node
firstseen	Timestamp of when a sync job first discovered this node

Jamf Schema¶

JamfComputerGroup¶

Representation of a Jamf computer group.

Field	Description
id	The group id
name	The friendly name of the group
is_smart	Whether the group is smart

Relationships¶

Coming soon!

Kubernetes Schema¶

KubernetesCluster¶

Representation of a Kubernetes Cluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Identifier for the cluster i.e. UID of `kube-system` namespace
name	Name assigned to the cluster which is derived from kubeconfig context

Relationships¶

KubernetesCluster has KubernetesNamespaces.

(KubernetesCluster)-[HAS_NAMESPACE]->(KubernetesNamespace)

KubernetesCluster can have KubernetesPods.

(KubernetesCluster)-[HAS_POD]->(KubernetesPod)

KubernetesNamespace¶

Representation of a Kubernetes Namespace.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	UID of the kubernetes namespace
name	Name of the kubernetes namespace
created_at	Timestamp of the creation time of the kubernetes namespace
deleted_at	Timestamp of the deletion time of the kubernetes namespace

Relationships¶

KubernetesNamespace can have KubernetesPods.

(KubernetesNamespace)-[HAS_POD]->(KubernetesPod)

KubernetesNamespace can have KubernetesServices.

(KubernetesNamespace)-[HAS_SERVICE]->(KubernetesService)

KubernetesNamespace can have KubernetesSecrets.

(KubernetesNamespace)-[HAS_SECRET]->(KubernetesSecret)

KubernetesPod¶

Representation of a Kubernetes Pod.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	UID of the kubernetes pod
name	Name of the kubernetes pod
status_phase	The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle.
created_at	Timestamp of the creation time of the kubernetes pod
deleted_at	Timestamp of the deletion time of the kubernetes pod

Relationships¶

KubernetesPod has KubernetesContainers.

(KubernetesPod)-[HAS_CONTAINER]->(KubernetesContainer)

KubernetesContainer¶

Representation of a Kubernetes Container.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Identifier for the container which is derived from the UID of pod and the name of container
name	Name of the container in kubernetes pod
image	Docker image used in the container
status_image_id	ImageID of the container’s image.
status_image_sha	The SHA portion of the status_image_id
status_ready	Specifies whether the container has passed its readiness probe.
status_started	Specifies whether the container has passed its startup probe.
statys_state	State of the container (running, terminated, waiting)

Relationships¶

KubernetesPod has KubernetesContainers.

(KubernetesPod)-[HAS_CONTAINER]->(KubernetesContainer)

KubernetesService¶

Representation of a Kubernetes Service.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	UID of the kubernetes service
name	Name of the kubernetes service
created_at	Timestamp of the creation time of the kubernetes service
deleted_at	Timestamp of the deletion time of the kubernetes service
type	Type of kubernetes service e.g. `ClusterIP`
load_balancer_ip	IP of the load balancer when service type is `LoadBalancer`
ingress_host	Hostname of the ingress endpoint, if any
ingress_ip	IP of the ingress endpoint, if any

Relationships¶

KubernetesService can serve KubernetesPods.

(KubernetesService)-[SERVES_POD]->(KubernetesPod)

KubernetesSecret¶

Representation of a Kubernetes Secret.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	UID of the kubernetes secret
name	Name of the kubernetes secret
created_at	Timestamp of the creation time of the kubernetes secret
deleted_at	Timestamp of the deletion time of the kubernetes secret
type	Type of kubernetes secret e.g. `Opaque`

Relationships¶

KubernetesNamespace can have KubernetesSecrets.

(KubernetesNamespace)-[HAS_SECRET]->(KubernetesSecret)

Okta Schema¶

OktaOrganization¶

Representation of an Okta Organization.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The name of the Okta Organization, e.g. “lyft”
name	The name of the Okta Organization, e.g. “lyft”

Relationships¶

An OktaOrganization contains OktaUsers

(OktaOrganization)-[RESOURCE]->(OktaUser)

An OktaOrganization contains OktaGroups.

(OktaOrganization)-[RESOURCE]->(OktaGroup)

An OktaOrganization contains OktaApplications

(OktaOrganization)-[RESOURCE]->(OktaApplication)

An OktaOrganization has OktaTrustedOrigins

(OktaOrganization)-[RESOURCE]->(OktaTrustedOrigin)

An OktaOrganization has OktaAdministrationRoles

(OktaOrganization)-[RESOURCE]->(OktaAdministrationRole)

OktaUser¶

Representation of an Okta User.

Field	Description
id	user id
first_name	user first name
last_name	user last name
login	user usernmae used to login (usually email)
email	user email
second_email	user secondary email
mobile_phone	user mobile phone
created	date and time of creation
activated	date and time of activation
status_changed	date and time of the last state change
last_login	date and time of last login
okta_last_updated	date and time of last user property changes
password_changed	date and time of last password change
transition_to_status	date and time of last state transition change
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

An OktaOrganization contains OktaUsers

(OktaUser)<-[RESOURCE]->(OktaOrganization)

OktaUsers are assigned OktaApplication

(OktaUser)-[APPLICATION]->(OktaApplication)

OktaUser is an identity for a Human
```
(OktaUser)<-[IDENTITY_OKTA]-(Human)
```

An OktaUser can be a member of an OktaGroup

(OktaUser)-[MEMBER_OF_OKTA_GROUP]->(OktaGroup)

An OktaUser can be a member of an OktaAdministrationRole

(OktaUser)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)

OktaUsers can have authentication factors
```
(OktaUser)-[FACTOR]->(OktaUserFactor)
```

OktaGroup¶

Representation of an Okta Group.

Field	Description
id	application id
name	group name
description	group description
sam_account_name	windows SAM account name mapped
dn	group dn
windows_domain_qualified_name	windows domain name
external_id	group foreign id
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

OktaOrganizations contain OktaGroups

(OktaGroup)<-[RESOURCE]->(OktaOrganizations)

OktaApplications can be assigned to OktaGroups

(OktaGroup)-[APPLICATION]->(OktaApplication)

An OktaUser can be a member of an OktaGroup

(OktaUser)-[MEMBER_OF_OKTA_GROUP]->(OktaGroup)

An OktaGroup can be a member of an OktaAdministrationRole
```
(OktaGroup)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)
```
- Members of an Okta group can assume associated AWS roles if Okta SAML is configured with AWS.
```
(AWSRole)-[ALLOWED_BY]->(OktaGroup)
```

OktaApplication¶

Representation of an Okta Application.

Field	Description
id	application id
name	application name
label	application label
created	application creation date
okta_last_updated	date and time of last application property changes
status	application status
activated	application activation state
features	application features
sign_on_mode	application signon mode
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

OktaApplication is a resource of an OktaOrganization

(OktaApplication)<-[RESOURCE]->(OktaOrganization)

OktaGroups can be assigned OktaApplications

(OktaGroup)-[APPLICATION]->(OktaApplication)

OktaUsers are assigned OktaApplications

(OktaUser)-[APPLICATION]->(OktaApplication)

OktaApplications have ReplyUris

(ReplyUri)-[REPLYURI]->(OktaApplication)

OktaUserFactor¶

Representation of Okta User authentication Factors.

Field	Description
id	factor id
factor_type	factor type
provider	factor provider
status	factor status
created	factor creation date and time
okta_last_updated	date and time of last property changes
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

OktaUsers can have authentication Factors
```
(OktaUser)-[FACTOR]->(OktaUserFactor)
```

OktaTrustedOrigin¶

Representation of an Okta Trusted Origin for login/logout or recovery operations.

Field	Description
id	trusted origin id
name	name
scopes	array of scope
status	status
created	date & time of creation in okta
create_by	id of user who created the trusted origin
okta_last_updated	date and time of last property changes
okta_last_updated_by	id of user who last updated the trusted origin
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

An OktaOrganization has OktaTrustedOrigins.

(OktaOrganization)-[RESOURCE]->(OktaTrustedOrigin)

OktaAdministrationRole¶

Representation of an Okta Administration Role.

Field	Description
id	role id mapped to the type
type	role type
label	role label
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

OktaUsers can be members of OktaAdministrationRoles

(OktaUser)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)

An OktaGroup can be a member of an OktaAdministrationRolee

(OktaGroup)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)

An OktaOrganization contains OktaAdministrationRoles

(OktaOrganization)-[RESOURCE]->(OktaAdministrationRole)

Reply Uri¶

Representation of Okta Application ReplyUri.

Field	Description
id	uri the app can send the reply to
uri	uri the app can send the reply to
valid	is the DNS of the reply uri valid. Invalid replyuris can lead to oath phishing
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated

Relationships¶

OktaApplications have ReplyUris

(ReplyUri)-[REPLYURI]->(OktaApplication)

Pagerduty Schema¶

PagerDutyEscalationPolicy¶

Representation of a PagerDuty Escalation Policy

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the escalation policy
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (escalation_policy)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
on_call_handoff_notifications	Determines how on call handoff notifications will be sent for users on the escalation policy. Defaults to “if_has_services”.
name	The name of the escalation policy.
num_loops	The number of times the escalation policy will repeat after reaching the end of its escalation.

Relationships¶

A PagerDutyEscalationPolicy has PagerDutyEscalationPolicyRules

(PagerDutyEscalationPolicy)-[HAS\_RULE]->(PagerDutyEscalationPolicyRule)

A PagerDutyEscalationPolicy is associated with PagerDutyUsers

(PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyUser)

A PagerDutyEscalationPolicy is associated with PagerDutySchedules

(PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutySchedule)

A PagerDutyEscalationPolicy is associated with PagerDutyServices

(PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyService)

A PagerDutyEscalationPolicy is associated with PagerDutyTeams

(PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyTeam)

PagerDutySchedule¶

Representation of a PagerDuty Schedule

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the schedule
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (schedule)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
name	The name of the schedule.
time_zone	The time zone of the schedule
description	The description of the schedule

Relationships¶

A PagerDutySchedule has PagerDutyScheduleLayers

(PagerDutySchedule)-[HAS\_LAYER]->(PagerDutyScheduleLayer)

PagerDutyScheduleLayer¶

Representation of a layer in a PagerDuty Schedule

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the schedule layer
schedule_id	The ID of the schedule this layer is attached to.
start	The start time of this layer
end	The end time of this layer. If null, the layer does not end.
rotation_virtual_start	The effective start time of the layer. This can be before the start time of the schedule.
rotation_turn_length_seconds	The duration of each on-call shift in seconds.

Relationships¶

No relationships originating from PagerDutyScheduleLayer

PagerDutyService¶

Representation of a PagerDuty Service

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the service
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (service)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
name	The name of this service
description	The user-provided description of the service.
auto_resolve_timeout	Time in seconds that an incident is automatically resolved if left open for that long. Value is null if the feature is disabled. Value must not be negative. Setting this field to 0, null (or unset in POST request) will disable the feature.
acknowledgement_timeout	Time in seconds that an incident changes to the Triggered State after being Acknowledged. Value is null if the feature is disabled. Value must not be negative. Setting this field to 0, null (or unset in POST request) will disable the feature.
created_at	The date/time when this service was created
status	The current state of the Service.
alert_creation	Whether a service creates only incidents, or both alerts and incidents. A service must create alerts in order to enable incident merging.
alert_grouping_parameters_type	The type of Alert Grouping.
incident_urgency_rule_type	The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.
incident_urgency_rule_during_support_hours_type	The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.
incident_urgency_rule_during_support_hours_urgency	The incidents’ urgency, if type is constant.
incident_urgency_rule_outside_support_hours_type	The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.
incident_urgency_rule_outside_support_hours_urgency	The incidents’ urgency, if type is constant.
support_hours_type	The type of support hours
support_hours_time_zone	The time zone for the support hours
support_hours_start_time	The support hours’ starting time of day (date portion is ignored)
support_hours_end_time	support_hours_end_time
support_hours_days_of_week	(no description)

Relationships¶

A PagerDutyService has PagerDutyIntegrations

(PagerDutyService)-[HAS\_INTEGRATION]->(PagerDutyIntegration)

PagerDutyIntegration¶

Representation of a PagerDuty Integration

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the integration
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (integration)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
name	The name of this integration
created_at	The date/time when this integration was created.

Relationships¶

A PagerDutyIntegration has PagerDutyVendors

(PagerDutyIntegration)-[HAS\_VENDOR]->(PagerDutyVendor)

PagerDutyTeam¶

Representation of a PagerDuty Team

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the team
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (team)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
name	The name of the team
description	The description of the team
default_role	(no description, but returned by API)

Relationships¶

A PagerDutyTeam is associated with PagerDutyServices

(PagerDutyTeam)-[ASSOCIATED\_WITH]->(PagerDutyServices)

PagerDutyUser¶

Representation of a PagerDuty User

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the user
html_url	the API show URL at which the object is accessible
type	The type of this pagerduty object (user)
summary	A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.
name	The name of the user
email	The user’s email address
time_zone	The preferred time zone name. If null, the account’s time zone will be used.
color	The schedule color
role	The user role. Account must have the read_only_users ability to set a user as a read_only_user or a read_only_limited_user, and must have advanced permissions abilities to set a user as observer or restricted_access.
avatar_url	The URL of the user’s avatar.
description	The user’s bio.
invitation_sent	If true, the user has an outstanding invitation.
job_title	The user’s title

Relationships¶

A PagerDutyUser is a member of PagerDutySchedules

(PagerDutyUser)-[MEMBER\_OF]->(PagerDutySchedule)

A PagerDutyUser is a member of PagerDutyScheduleLayers

(PagerDutyUser)-[MEMBER\_OF]->(PagerDutyScheduleLayer)

A PagerDutyUser is a member of PagerDutyTeams

(PagerDutyUser)-[MEMBER\_OF]->(PagerDutyTeam)

Cartography Schema¶

ℹ️ Quick notes on notation¶

Cartography metadata schema¶

SyncMetadata:ModuleSyncMetadata¶

AWS Schema¶

AWSAccount¶

Relationships¶

AWSCidrBlock¶

AWSIpv4CidrBlock¶

AWSIpv6CidrBlock¶

Relationships¶

AWSGroup¶

Relationships¶

AWSInspectorFinding¶

Relationships¶

AWSInspectorPackage¶

Relationships¶

AWSLambda¶

Relationships¶

AWSLambdaFunctionAlias¶

Relationships¶

AWSLambdaEventSourceMapping¶

Relationships¶

AWSLambdaLayer¶

Relationships¶

AWSPolicy¶

Relationships¶

AWSPolicyStatement¶

Relationships¶

AWSPrincipal¶

Relationships¶

AWSPrincipal::AWSUser¶

Relationships¶

AWSPrincipal::AWSRole¶

Relationships¶

AWSTransitGateway¶

Relationships¶

AWSTransitGatewayAttachment¶

Relationships¶

AWSVpc¶

Relationships¶

Tag::AWSTag¶

Relationships¶

AccountAccessKey¶

Relationships¶

DBSubnetGroup¶

Relationships¶

DNSRecord¶

Relationships¶

DNSRecord::AWSDNSRecord¶

Relationships¶

DNSZone¶

Relationships¶

DNSZone::AWSDNSZone¶

Relationships¶

DynamoDBTable¶

Relationships¶

EC2Instance¶

Relationships¶

EC2KeyPair¶

Relationships¶

EC2PrivateIp¶

Relationships¶

EC2Reservation¶

Relationships¶

EC2SecurityGroup¶

Relationships¶

EC2Subnet¶

Relationships¶

AWSInternetGateway¶

Relationships¶

ECRRepository¶

Relationships¶

EC2NetworkAcl¶

Relationships¶

EC2NetworkAclRule :: IpPermissionInbound / IpPermissionEgress¶

Relationships¶

ECRRepositoryImage¶

Relationships¶

ECRImage¶

Tag::AWSTag ¶