Cartography Schema

ℹ️ Quick notes on notation

  • Bolded words in the schema tables indicate that this field is indexed, so your queries will run faster if you use these fields.

  • This isn’t proper Neo4j syntax, but for the purpose of this document we will use this notation:

       (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeB, NodeTypeC, NodeTypeD, NodeTypeE)
    
    to mean a shortened version of this:
    
       (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeB)
       (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeC)
       (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeD)
       (NodeTypeA)-[RELATIONSHIP_R]->(NodeTypeE)
    
    In words, this means that ``NodeTypeA`` has ``RELATIONSHIP_R`` pointing to ``NodeTypeB``\ , and ``NodeTypeA`` has ``RELATIONSHIP_R`` pointing to ``NodeTypeC``.
    
  • In these docs, more specific nodes will be decorated with GenericNode::SpecificNode notation. For example, if we have a Car node and a RaceCar node, we will refer to the RaceCar as Car::RaceCar.

Cartography metadata schema

Some Cartography sync jobs write nodes to convey information about the job itself. See https://github.com/lyft/cartography/issues/758 for more background on this.

SyncMetadata:ModuleSyncMetadata

This is a node to represent metadata about the sync job of a particular module. Its existence indicates that a particular sync job did happen. The ‘types’ used here should be actual node labels. For example, if we did sync a particular AWSAccount’s S3Buckets, the grouptype is ‘AWSAccount’, the groupid is the particular account’s id, and the syncedtype is ‘S3Bucket’.

Field

Description

Source

id

{group_type}_{group_id}_{synced_type}

util.py

grouptype

The parent module’s type

util.py

groupid

The parent module’s id

util.py

syncedtype

The sub-module’s type

util.py

AWS Schema

AWSAccount

Representation of an AWS Account.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

name

The name of the account

inscope

Indicates that the account is part of the sync scope (true or false).

foreign

Indicates if the account is not part of the sync scope (true or false). One such example is an account that is trusted as part of cross-account AWSRole trust not in scope for sync.

lastupdated

Timestamp of the last time the node was updated

id

The AWS Account ID number

Relationships

  • Many node types belong to an AWSAccount.

    ```
    (AWSAccount)-[RESOURCE]->(AWSDNSZone,
                          AWSGroup,
                          AWSInspectorFinding,
                          AWSInspectorPackage,
                          AWSLambda,
                          AWSPrincipal,
                          AWSUser,
                          AWSVpc,
                          AutoScalingGroup,
                          DNSZone,
                          DynamoDBTable,
                          EBSSnapshot,
                          EBSVolume,
                          EC2Image,
                          EC2Instance,
                          EC2Reservation,
                          EC2ReservedInstance,
                          EC2SecurityGroup,
                          ElasticIPAddress,
                          ESDomain,
                          LaunchConfiguration,
                          LaunchTemplate,
                          LaunchTemplateVersion,
                          LoadBalancer,
                          RDSCluster,
                          RDSInstance,
                          RDSSnapshot,
                          SecretsManagerSecret,
                          SecurityHub,
                          SQSQueue
                          SSMInstanceInformation,
                          SSMInstancePatch)
    ```
    
  • An AWSPolicy node is defined for an AWSAccount.

    ```
    (AWSAccount)-[RESOURCE]->(AWSPolicy)
    ```
    
  • AWSRole nodes are defined in AWSAccount nodes.

    ```
    (AWSAccount)-[RESOURCE]->(AWSRole)
    ```
    

AWSCidrBlock

AWSIpv4CidrBlock

AWSIpv6CidrBlock

Representation of an AWS CidrBlock used in VPC configuration. The AWSCidrBlock defines the base label type for AWSIpv4CidrBlock and AWSIpv6CidrBlock

Field

Description

firstseen

Timestamp of when a sync job discovered this node

cidr_block

The CIDR block

block_state

The state of the block

association_id

the association id if the block is associated to a VPC

lastupdated

Timestamp of the last time the node was updated

id

Unique identifier defined with the VPC association and the cidr_block

Relationships

  • AWSVpc association

    (AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)
    
  • Peering connection where AWSCidrBlock is an accepter or requester cidr.

    (AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
    (AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)
    

    Example of high level view of peering (without security group permissions)

    MATCH p=(:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(:AWSCidrBlock)<-[:RESOURCE|BLOCK_ASSOCIATION*..]-(:AWSAccount)
    RETURN p
    

    Exploring detailed inbound peering rules

    MATCH (outbound_account:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(inbound_block:AWSCidrBlock)<-[:BLOCK_ASSOCIATION]-(inbound_vpc:AWSVpc)<-[:RESOURCE]-(inbound_account:AWSAccount)
    WITH inbound_vpc, inbound_block, outbound_account, inbound_account
    MATCH (inbound_range:IpRange{id: inbound_block.cidr_block})-[:MEMBER_OF_IP_RULE]->(inbound_rule:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(inbound_group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(inbound_vpc)
    RETURN outbound_account.name, inbound_account.name, inbound_range.range, inbound_rule.fromport, inbound_rule.toport, inbound_rule.protocol, inbound_group.name, inbound_vpc.id
    

AWSGroup

Representation of AWS IAM Groups.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

path

The path to the group (IAM identifier, see linked docs above for details)

groupid

Unique string identifying the group

name

The friendly name that identifies the group

createdate

ISO 8601 date-time string when the group was created

arn

The AWS-global identifier for this group

Relationships

  • Objects part of an AWSGroup may assume AWSRoles.

    ```
    (AWSGroup)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
    ```
    
  • AWSUsers and AWSPrincipals can be members of AWSGroups.

    ```
    (AWSUser, AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
    ```
    
  • AWSGroups belong to AWSAccounts.

    ```
    (AWSAccount)-[RESOURCE]->(AWSGroup)
    ```
    

AWSInspectorFinding

Representation of an AWS Inspector Finding

Relationships

  • AWSInspectorFinding may affect EC2 Instances

    (AWSInspectorFinding)-[:AFFECTS]->(EC2Instance)
    
  • AWSInspectorFinding may affect ECR Repositories

    (AWSInspectorFinding)-[:AFFECTS]->(ECRRepository)
    
  • AWSInspectorFinding may affect ECR Images

    (AWSInspectorFinding)-[:AFFECTS]->(ECRImage)
    
  • AWSInspectorFindings belong to AWSAccounts.

    ```
    (AWSAccount)-[RESOURCE]->(AWSInspectorFinding)
    ```
    

AWSInspectorPackage

Representation of an AWS Inspector Finding Package

Relationships

  • AWSInspectorFindings have AWSInspectorPackages.

    ```
    (AWSInspectorFindings)-[HAS]->(AWSInspectorPackages)
    ```
    
  • AWSInspectorPackages belong to AWSAccounts.

    ```
    (AWSAccount)-[RESOURCE]->(AWSInspectorPackages)
    ```
    

AWSLambda

Representation of an AWS Lambda Function.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the lambda function

name

The name of the lambda function

modifieddate

Timestamp of the last time the function was last updated

runtime

The runtime environment for the Lambda function

description

The description of the Lambda function

timeout

The amount of time in seconds that Lambda allows a function to run before stopping it

memory

The memory that’s allocated to the function

codesize

The size of the function’s deployment package, in bytes.

handler

The function that Lambda calls to begin executing your function.

version

The version of the Lambda function.

tracingconfigmode

The function’s AWS X-Ray tracing configuration mode.

revisionid

The latest updated revision of the function or alias.

state

The current state of the function.

statereason

The reason for the function’s current state.

statereasoncode

The reason code for the function’s current state.

lastupdatestatus

The status of the last update that was performed on the function.

lastupdatestatusreason

The reason for the last update that was performed on the function.

lastupdatestatusreasoncode

The reason code for the last update that was performed on the function.

packagetype

The type of deployment package.

signingprofileversionarn

The ARN of the signing profile version.

signingjobarn

The ARN of the signing job.

codesha256

The SHA256 hash of the function’s deployment package.

architectures

The instruction set architecture that the function supports. Architecture is a string array with one of the valid values.

masterarn

For Lambda@Edge functions, the ARN of the main function.

kmskeyarn

The KMS key that’s used to encrypt the function’s environment variables. This key is only returned if you’ve configured a customer managed key.

Relationships

  • AWSLambda function are resources in an AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(AWSLambda)
    ```
    
  • AWSLambda functions may act as AWSPrincipals via role assumption.

    ```
    (AWSLambda)-[STS_ASSUME_ROLE_ALLOW]->(AWSPrincipal)
    ```
    
  • AWSLambda functions may also have aliases.

    ```
    (AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
    ```
    
  • AWSLambda functions may have the resource AWSLambdaEventSourceMapping.

    ```
    (AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
    ```
    
  • AWSLambda functions has AWS Lambda Layers.

    ```
    (AWSLambda)-[HAS]->(AWSLambdaLayer)
    ```
    
  • AWSLambda functions has AWS ECR Images.

    ```
    (AWSLambda)-[HAS]->(ECRImage)
    ```
    

AWSLambdaFunctionAlias

Representation of an AWSLambdaFunctionAlias.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the lambda function alias

name

The name of the lambda function alias

functionversion

The function version that the alias invokes.

revisionid

A unique identifier that changes when you update the alias.

description

The description of the alias.

Relationships

  • AWSLambda functions may also have aliases.

    ```
    (AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
    ```
    

AWSLambdaEventSourceMapping

Representation of an AWSLambdaEventSourceMapping.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The id of the event source mapping

batchsize

The maximum number of items to retrieve in a single batch.

startingposition

The position in a stream from which to start reading.

startingpositiontimestamp

The time from which to start reading.

parallelizationfactor

The number of batches to process from each shard concurrently.

maximumbatchingwindowinseconds

The maximum amount of time to gather records before invoking the function, in seconds.

eventsourcearn

The Amazon Resource Name (ARN) of the event source.

lastmodified

The date that the event source mapping was last updated, or its state changed.

state

The state of the event source mapping.

maximumrecordage

Discard records older than the specified age.

bisectbatchonfunctionerror

If the function returns an error, split the batch in two and retry.

maximumretryattempts

Discard records after the specified number of retries.

tumblingwindowinseconds

The duration in seconds of a processing window.

lastprocessingresult

The result of the last AWS Lambda invocation of your Lambda function.

Relationships

  • AWSLambda functions may have the resource AWSLambdaEventSourceMapping.

    ```
    (AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
    ```
    

AWSLambdaLayer

Representation of an AWSLambdaLayer.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the lambda function layer

codesize

The size of the layer archive in bytes.

signingprofileversionarn

The Amazon Resource Name (ARN) for a signing profile version.

signingjobarn

The Amazon Resource Name (ARN) of a signing job.

Relationships

  • AWSLambda functions has AWS Lambda Layers.

    ```
    (AWSLambda)-[HAS]->(AWSLambdaLayer)
    ```
    

AWSPolicy

Representation of an AWS Policy.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

name

The friendly name (not ARN) identifying the policy

createdate

ISO 8601 date-time when the policy was created

type

“inline” or “managed” - the type of policy it is

arn

The arn for this object

id

The unique identifer for a policy. If the policy is managed this will be the Arn. If the policy is inline this will calculated as AWSPrincipal/inline_policy/PolicyName

Relationships

  • AWSPrincipal contains AWSPolicy

    ```
    (AWSPrincipal)-[POLICY]->(AWSPolicy)
    ```
    
  • AWSPolicy contains AWSPolicyStatement

    ```
    (AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
    ```
    

AWSPolicyStatement

Representation of an AWS Policy Statement.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

resources

(array) The resources the statement is applied to. Can contain wildcards

actions

(array) The permissions allowed or denied by the statement. Can contain wildcards

notactions

(array) The permission explicitly not matched by the statement

effect

“Allow” or “Deny” - the effect of this statement

id

The unique identifier for a statement.
If the statement has an Sid the id will be calculated as AWSPolicy.id/statements/Sid.
If the statement has no Sid the id will be calculated as AWSPolicy.id/statements/index of statement in statement list

Relationships

  • AWSPolicy contains AWSPolicyStatement

    ```
    (AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
    ```
    

AWSPrincipal

Representation of an AWSPrincipal.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

path

The path to the principal

name

The friendly name of the principal

createdate

ISO 8601 date-time when the principal was created

arn

AWS-unique identifier for this object

userid

The stable and unique string identifying the principal.

passwordlastused

Datetime when this principal’s password was last used

Relationships

  • AWS Principals can be members of AWS Groups.

    ```
    (AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
    ```
    
  • This AccountAccessKey is used to authenticate to this AWSPrincipal.

    ```
    (AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
    ```
    
  • AWS Roles can trust AWS Principals.

    (AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)
    
  • AWS Accounts contain AWS Principals.

    ```
    (AWSAccount)-[RESOURCE]->(AWSPrincipal)
    ```
    
  • Redshift clusters may assume IAM roles. See this article.

    (RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)
    

AWSPrincipal::AWSUser

Representation of an AWSUser. An AWS User is a type of AWS Principal.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

path

The path to the user

name

The friendly name of the user

createdate

ISO 8601 date-time when the user was created

arn

AWS-unique identifier for this object

userid

The stable and unique string identifying the user.

passwordlastused

Datetime when this user’s password was last used

Relationships

  • AWS Users can be members of AWS Groups.

    ```
    (AWSUser)-[MEMBER_AWS_GROUP]->(AWSGroup)
    ```
    
  • AWS Users can assume AWS Roles.

    ```
    (AWSUser)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
    ```
    
  • This AccountAccessKey is used to authenticate to this AWSUser

    ```
    (AWSUser)-[AWS_ACCESS_KEY]->(AccountAccessKey)
    ```
    
  • AWS Accounts contain AWS Users.

    ```
    (AWSAccount)-[RESOURCE]->(AWSUser)
    ```
    

AWSPrincipal::AWSRole

Representation of an AWS IAM Role. An AWS Role is a type of AWS Principal.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

roleid

The stable and unique string identifying the role.

name

The friendly name that identifies the role.

createdate

The date and time, in ISO 8601 date-time format, when the role was created.

arn

AWS-unique identifier for this object

Relationships

  • Some AWS Groups, Users, Principals, and EC2 Instances can assume AWS Roles.

    (AWSGroup, AWSUser, EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
    
  • Some AWS Roles can assume other AWS Roles.

    (AWSRole)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
    
  • Some AWS Roles trust AWS Principals.

    (AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)
    
  • Members of an Okta group can assume associated AWS roles if Okta SAML is configured with AWS.

    (AWSRole)-[ALLOWED_BY]->(OktaGroup)
    
  • AWS Roles are defined in AWS Accounts.

    (AWSAccount)-[RESOURCE]->(AWSRole)
    

AWSTransitGateway

Representation of an AWS Transit Gateway.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

owner_id

The ID of the AWS account that owns the transit gateway

description

Transit Gateway description

state

Can be one of pending | available | modifying | deleting | deleted

tgw_id

Unique identifier of the Transit Gateway

id

Unique identifier of the Transit Gateway

arn

AWS-unique identifier for this object (same as id)

Relationships

  • Transit Gateways belong to one AWSAccount

    (AWSAccount)-[RESOURCE]->(AWSTransitGateway)
    
  • … and can be shared with other accounts

    (AWSAccount)<-[SHARED_WITH]-(AWSTransitGateway)
    
  • AWSTag

    (AWSTransitGateway)-[TAGGED]->(AWSTag)
    

AWSTransitGatewayAttachment

Representation of an AWS Transit Gateway Attachment.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

resource_type

Can be one of vpc | vpn | direct-connect-gateway | tgw-peering

state

Can be one of initiating | pendingAcceptance | rollingBack | pending | available | modifying | deleting | deleted | failed | rejected | rejecting | failing

id

Unique identifier of the Transit Gateway Attachment

Relationships

  • AWSAccount

    (AWSAccount)-[RESOURCE]->(AWSTransitGatewayAttachment)
    
  • AWSVpc (for VPC attachments)

    (AWSVpc)-[RESOURCE]->(AWSTransitGatewayAttachment {resource_type: 'vpc'})
    
  • AWSTransitGateway attachment

    (AWSTransitGateway)<-[ATTACHED_TO]-(AWSTransitGatewayAttachment)
    
  • AWSTag

    (AWSTransitGatewayAttachment)-[TAGGED]->(AWSTag)
    

AWSVpc

Representation of an AWS CidrBlock used in VPC configuration. More information on https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html

Field

Description

firstseen

Timestamp of when a sync job discovered this node

vpcid

The VPC unique identifier

primary_cidr_block

The primary IPv4 CIDR block for the VPC.

instance_tenancy

The allowed tenancy of instances launched into the VPC.

state

The current state of the VPC.

region

(optional) the region of this VPC. This field is only available on VPCs in your account. It is not available on VPCs that are external to your account and linked via a VPC peering relationship.

id

Unique identifier defined VPC node (vpcid)

Relationships

  • AWSAccount resource

    (AWSAccount)-[RESOURCE]->(AWSVpc)
    
  • AWSVpc and AWSCidrBlock association

    (AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)
    
  • AWSVpc and EC2SecurityGroup membership association

    (AWSVpc)<-[MEMBER_OF_EC2_SECURITY_GROUP]-(EC2SecurityGroup)
    
  • AWS VPCs can be tagged with AWSTags.

    (AWSVpc)-[TAGGED]->(AWSTag)
    
  • Redshift clusters can be members of AWSVpcs.

    (RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
    
  • Peering connection where AWSVpc is an accepter or requester vpc.

    (AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
    (AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)
    

Tag::AWSTag

Representation of an AWS Tag. AWS Tags can be applied to many objects.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

This tag’s unique identifier of the format {TagKey}:{TagValue}. We fabricated this ID.

key

One part of a key-value pair that makes up a tag.

value

One part of a key-value pair that makes up a tag.

region

The region where this tag was discovered.

Relationships

  • AWS VPCs, DB Subnet Groups, EC2 Instances, EC2 SecurityGroups, EC2 Subnets, EC2 Network Interfaces, RDS Instances, and S3 Buckets can be tagged with AWSTags.

    (AWSVpc, DBSubnetGroup, EC2Instance, EC2SecurityGroup, EC2Subnet, NetworkInterface, RDSInstance, S3Bucket)-[TAGGED]->(AWSTag)
    

AccountAccessKey

Representation of an AWS Access Key.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

createdate

Date when access key was created

status

Active: valid for API calls. Inactive: not valid for API calls

lastuseddate

Date when the key was last used

lastusedservice

The service that was last used with the access key

lastusedregion

The region where the access key was last used

accesskeyid

The ID for this access key

Relationships

  • Account Access Keys may authenticate AWS Users and AWS Principal objects.

    ```
    (AWSUser, AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
    ```
    

DBSubnetGroup

Representation of an RDS DB Subnet Group. For more information on how RDS instances interact with these, please see this article.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

id

The ARN of the DBSubnetGroup

name

The name of DBSubnetGroup

lastupdated

Timestamp of the last time the node was updated

description

Description of the DB Subnet Group

status

The status of the group

vpc_id

The ID of the VPC (Virtual Private Cloud) that this DB Subnet Group is associated with.

value

The IP address that the DNSRecord points to

Relationships

  • RDS Instances are part of DB Subnet Groups

    (RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)
    
  • DB Subnet Groups consist of EC2 Subnets

    (DBSubnetGroup)-[:RESOURCE]->(EC2Subnet)
    
  • DB Subnet Groups can be tagged with AWSTags.

    ```
    (DBSubnetGroup)-[TAGGED]->(AWSTag)
    ```
    

DNSRecord

Representation of a generic DNSRecord.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

name

The name of the DNSRecord

lastupdated

Timestamp of the last time the node was updated

id

The name of the DNSRecord concatenated with the record type

type

The record type of the DNS record

value

The IP address that the DNSRecord points to

Relationships

  • DNSRecords can point to IP addresses.

    ```
    (DNSRecord)-[DNS_POINTS_TO]->(Ip)
    ```
    
  • DNSRecords/AWSDNSRecords can point to each other.

    ```
    (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
    ```
    
  • DNSRecords can point to LoadBalancers.

    ```
    (DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
    ```
    
  • DNSRecords can be members of DNSZones.

    ```
    (DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
    ```
    

DNSRecord::AWSDNSRecord

Representation of an AWS DNS ResourceRecordSet.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

name

The name of the DNSRecord

lastupdated

Timestamp of the last time the node was updated

id

The zoneid for the record, the value of the record, and the type concatenated together

type

The record type of the DNS record

value

If it is an A, ALIAS, or CNAME record, this is the IP address that the DNSRecord points to. If it is an NS record, the name is used here.

Relationships

  • DNSRecords/AWSDNSRecords can point to each other.

    ```
    (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
    ```
    
  • AWSDNSRecords can point to LoadBalancers.

    ```
    (AWSDNSRecord)-[DNS_POINTS_TO]->(LoadBalancer, ESDomain)
    ```
    
  • AWSDNSRecords can be members of AWSDNSZones.

    ```
    (AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
    ```
    

DNSZone

Representation of a generic DNS Zone.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

name

the name of the DNS zone

comment

Comments about the zone

Relationships

  • DNSRecords can be members of DNSZones.

    ```
    (DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
    ```
    

DNSZone::AWSDNSZone

Representation of an AWS DNS HostedZone.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

name

the name of the DNS zone

zoneid

The zoneid defined by Amazon Route53

lastupdated

Timestamp of the last time the node was updated

comment

Comments about the zone

privatezone

Whether or not this is a private DNS zone

Relationships

  • AWSDNSZones and DNSZones can be part of AWSAccounts.

    ```
    (AWSAccount)-[RESOURCE]->(AWSDNSZone)
    ```
    
  • AWSDNSRecords can be members of AWSDNSZones.

    ```
    (AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
    ```
    
  • AWSDNSZone can have subzones hosted by another AWSDNSZone

    ```
    (AWSDNSZone)<-[SUBZONE]-(AWSDNSZone)
    ```
    

DynamoDBTable

Representation of an AWS DynamoDBTable.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

name

The name of the table

id

The ARN of the table

region

The AWS region of the table

arn

The AWS-unique identifier

Relationships

  • DynamoDBTables belong to AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(DynamoDBTable)
    ```
    

EC2Instance

Our representation of an AWS EC2 Instance.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Same as instanceid below.

instanceid

The instance id provided by AWS. This is globally unique

publicdnsname

The public DNS name assigned to the instance

publicipaddress

The public IPv4 address assigned to the instance if applicable

privateipaddress

The private IPv4 address assigned to the instance

imageid

The ID of the Amazon Machine Image used to launch the instance

subnetid

The ID of the EC2Subnet associated with this instance

instancetype

The instance type. See API docs linked above for specifics.

iaminstanceprofile

The IAM instance profile associated with the instance, if applicable.

launchtime

The time the instance was launched

monitoringstate

Whether monitoring is enabled. Valid Values: disabled, disabling, enabled, pending.

state

The current state of the instance.

launchtimeunix

The time the instance was launched in unix time

region

The AWS region this Instance is running in

exposed_internet

The exposed_internet flag on an EC2 instance is set to True when (1) the instance is part of an EC2 security group or is connected to a network interface connected to an EC2 security group that allows connectivity from the 0.0.0.0/0 subnet or (2) the instance is connected to an Elastic Load Balancer that has its own exposed_internet flag set to True.

availabilityzone

The Availability Zone of the instance.

tenancy

The tenancy of the instance.

hostresourcegrouparn

The ARN of the host resource group in which to launch the instances.

platform

The value is Windows for Windows instances; otherwise blank.

architecture

The architecture of the image.

ebsoptimized

Indicates whether the instance is optimized for Amazon EBS I/O.

bootmode

The boot mode of the instance.

instancelifecycle

Indicates whether this is a Spot Instance or a Scheduled Instance.

hibernationoptions

Indicates whether the instance is enabled for hibernation.

Relationships

  • EC2 Instances can be part of subnets

    ```
    (EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • EC2 Instances can have NetworkInterfaces connected to them

    ```
    (EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
    ```
    
  • EC2 Instances may be members of EC2 Reservations

    ```
    (EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
    ```
    
  • EC2 Instances can be part of EC2 Security Groups

    ```
    (EC2Instance)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • Load Balancers can expose (be connected to) EC2 Instances

    ```
    (LoadBalancer)-[EXPOSE]->(EC2Instance)
    ```
    
  • Package and Dependency nodes can be deployed in EC2 Instances.

    ```
    (Package, Dependency)-[DEPLOYED]->(EC2Instance)
    ```
    
  • AWS Accounts contain EC2 Instances.

    ```
    (AWSAccount)-[RESOURCE]->(EC2Instance)
    ```
    
  • EC2 Instances can be tagged with AWSTags.

    ```
    (EC2Instance)-[TAGGED]->(AWSTag)
    ```
    
  • AWS EBS Volumes are attached to an EC2 Instance

    ```
    (EBSVolume)-[ATTACHED_TO]->(EC2Instance)
    ```
    
  • EC2 Instances can assume IAM Roles.

    ```
    (EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
    ```
    
  • EC2Instances can have SSMInstanceInformation

    ```
    (EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
    ```
    
  • EC2Instances can have SSMInstancePatches

    ```
    (EC2Instance)-[HAS_PATCH]->(SSMInstancePatch)
    ```
    

EC2KeyPair

Representation of an AWS EC2 Key Pair

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

keyname

The name of the key pair

keyfingerprint

The fingerprint of the public key

region

The AWS region

arn

AWS-unique identifier for this object

id

same as arn

user_uploaded

user_uploaded is set to True if the the KeyPair was uploaded to AWS. Uploaded KeyPairs will have 128-bit MD5 hashed keyfingerprint, and KeyPairs from AWS will have 160-bit SHA-1 hashed keyfingerprints.

duplicate_keyfingerprint

duplicate_keyfingerprint is set to True if the KeyPair has the same keyfingerprint as another KeyPair.

Relationships

  • EC2 key pairs are contained in AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(EC2KeyPair)
    ```
    
  • EC2 key pairs can be used to log in to AWS EC2 isntances.

    ```
    (EC2KeyPair)-[SSH_LOGIN_TO]->(EC2Instance)
    ```
    
  • EC2 key pairs have matching keyfingerprint.

    ```
    (EC2KeyPair)-[MATCHING_FINGERPRINT]->(EC2KeyPair)
    ```
    

EC2PrivateIp

Representation of an AWS EC2 InstancePrivateIpAddress

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

network_interface_id

id of the network interface with which the IP is associated with

primary

Indicates whether this IPv4 address is the primary private IP address of the network interface.

private_ip_address

The private IPv4 address of the network interface.

public_ip

The public IP address or Elastic IP address bound to the network interface.

ip_owner_id

Id of the owner, e.g. amazon-elb for ELBs

Relationships

  • EC2PrivateIps are connected with NetworkInterfaces.

    ```
    (NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
    ```
    

EC2Reservation

Representation of an AWS EC2 Reservation.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

requesterid

The ID of the requester that launched the instances on your behalf

reservationid

The ID of the reservation.

region

The AWS region

ownerid

The ID of the AWS account that owns the reservation.

Relationships

  • EC2 reservations are contained in AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(EC2Reservation)
    ```
    
  • EC2 Instances are members of EC2 reservations.

    ```
    (EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
    ```
    

EC2SecurityGroup

Representation of an AWS EC2 Security Group.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

groupid

The ID of the security group

name

The name of the security group

description

A description of the security group

id

Same as groupid

region

The AWS region this security group is installed in

Relationships

  • EC2 Instances, Network Interfaces, Load Balancers, Elastic Search Domains, IP Rules, IP Permission Inbound nodes, and RDS Instances can be members of EC2 Security Groups.

    ```
    (EC2Instance,
     NetworkInterface,
     LoadBalancer,
     ESDomain,
     IpRule,
     IpPermissionInbound,
     RDSInstance,
     AWSVpc)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • Load balancers can define inbound Source Security Groups.

    ```
    (LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • AWS Accounts contain EC2 Security Groups.

    ```
    (AWSAccount)-[RESOURCE]->(EC2SecurityGroup)
    ```
    
  • EC2 SecurityGroups can be tagged with AWSTags.

    ```
    (EC2SecurityGroup)-[TAGGED]->(AWSTag)
    ```
    
  • Redshift clusters can be members of EC2 Security Groups.

    (RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    

EC2Subnet

Representation of an AWS EC2 Subnet.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

subnetid

The ID of the subnet

id

same as subnetid

region

The AWS region the subnet is installed on

name

The IPv4 CIDR block assigned to the subnet

cidr_block

The IPv4 CIDR block assigned to the subnet

available_ip_address_count

The number of unused private IPv4 addresses in the subnet. The IPv4 addresses for any stopped instances are considered unavailable

default_for_az

Indicates whether this is the default subnet for the Availability Zone.

map_customer_owned_ip_on_launch

Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives a customer-owned IPv4 address

map_public_ip_on_launch

Indicates whether instances launched in this subnet receive a public IPv4 address

subnet_arn

The Amazon Resource Name (ARN) of the subnet

availability_zone

The Availability Zone of the subnet

availability_zone_id

The AZ ID of the subnet

state

The current state of the subnet.

assignipv6addressoncreation

Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address.

Relationships

  • A Network Interface can be part of an EC2 Subnet.

    ```
    (NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • An EC2 Instance can be part of an EC2 Subnet.

    ```
    (EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • A LoadBalancer can be part of an EC2 Subnet.

    ```
    (LoadBalancer)-[SUBNET]->(EC2Subnet)
    
    ```
    
  • A LoadBalancer can be part of an EC2 Subnet.

    ```
    (LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • A LoadBalancerV2 can be part of an EC2 Subnet.

    ```
    (LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • DB Subnet Groups consist of EC2 Subnets

    (DBSubnetGroup)-[RESOURCE]->(EC2Subnet)
    
  • EC2 Subnets can be tagged with AWSTags.

    ```
    (EC2Subnet)-[TAGGED]->(AWSTag)
    ```
    
  • EC2 Subnets are member of a VPC.

    ```
    (EC2Subnet)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
    ```
    
  • EC2 Subnets belong to AWS Accounts

    ```
    (AWSAccount)-[RESOURCE]->(EC2Subnet)
    ```
    
  • EC2PrivateIps are connected with NetworkInterfaces.

    (NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
    

AWSInternetGateway

Representation of an AWS Interent Gateway.

Field

Description

id

Internet gateway ID

arn

Amazon Resource Name

region

The region of the gateway

Relationships

  • Internet Gateways are attached to a VPC.

    ```
    (AWSInternetGateway)-[ATTACHED_TO]->(AWSVpc)
    ```
    
  • Internet Gateways belong to AWS Accounts

    ```
    (AWSAccount)-[RESOURCE]->(AWSInternetGateway)
    ```
    

ECRRepository

Representation of an AWS Elastic Container Registry Repository.

Field

Description

id

Same as ARN

arn

The ARN of the repository

name

The name of the repository

region

The region of the repository

created_at

Date and time when the repository was created

Relationships

  • An ECRRepository contains ECRRepositoryImages:

    (:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)
    

ECRRepositoryImage

An ECR image may be referenced and tagged by more than one ECR Repository. To best represent this, we’ve created an ECRRepositoryImage node as a layer of indirection between the repo and the image.

More concretely explained, we run ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_, and then store the image tag on an ECRRepositoryImage node and the image digest hash on a separate ECRImage node.

This way, more than one ECRRepositoryImage can reference/be connected to the same ECRImage.

Field

Description

tag

The tag applied to the repository image, e.g. “latest”

uri

The URI where the repository image is stored

id

same as uri

Relationships

  • An ECRRepository contains ECRRepositoryImages:

    (:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)
    
  • ECRRepositoryImages reference ECRImages

    (:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)
    

ECRImage

Representation of an ECR image identified by its digest (e.g. a SHA hash). Specifically, this is the “digest part” of ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_. Also see ECRRepositoryImage.

Field

Description

digest

The hash of this ECR image

id

Same as digest

Relationships

  • ECRRepositoryImages reference ECRImages

    (:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)
    
  • Software packages are a part of ECR Images

    (:Package)-[:DEPLOYED]->(:ECRImage)
    

Package

Representation of a software package, as found by an AWS ECR vulnerability scan.

Field

Description

id

Concatenation of {version}|{name}

version

The version of the package, includes the Linux distro that it was built for

name

The name of the package

Relationships

  • Software packages are a part of ECR Images

    (:Package)-[:DEPLOYED]->(:ECRImage)
    
  • AWS ECR scans yield ECRScanFindings that affect software packages

    (:ECRScanFindings)-[:AFFECTS]->(:Package)
    

ECRScanFinding (:Risk:CVE)

Representation of a scan finding from AWS ECR. This is the result output of ``ecr.describe_image_scan_findings()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html>`_.

Field

Description

name

The name of the ECR scan finding, e.g. a CVE name

id

Same as name

severity

The severity of the risk

uri

A URI link to a descriptive article on the risk

Relationships

  • AWS ECR scans yield ECRScanFindings that affect software packages

    (:ECRScanFindings)-[:AFFECTS]->(:Package)
    

EKSCluster

Representation of an AWS EKS Cluster.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

created_at

The date and time the cluster was created

region

The AWS region

arn

AWS-unique identifier for this object

id

same as arn

name

Name of the EKS Cluster

endpoint

The endpoint for the Kubernetes API server.

endpoint_public_access

Indicates whether the Amazon EKS public API server endpoint is enabled

exposed_internet

Set to True if the EKS Cluster public API server endpoint is enabled

rolearn

The ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API

version

Kubernetes version running

platform_version

Version of EKS

status

Status of the cluster. Valid Values: creating, active, deleting, failed, updating

audit_logging

Whether audit logging is enabled

Relationships

  • EKS Clusters belong to AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(EKSCluster)
    ```
    

EMRCluster

Representation of an AWS EMR Cluster.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

region

The AWS region

arn

AWS-unique identifier for this object

id

The Id of the EMR Cluster.

instance_collection_type

The instance group configuration of the cluster. A value of INSTANCE_GROUP indicates a uniform instance group configuration. A value of INSTANCE_FLEET indicates an instance fleets configuration.

log_encryption_kms_key_id

The KMS key used for encrypting log files.

requested_ami_version

The AMI version requested for this cluster.

running_ami_version

The AMI version running on this cluster.

release_label

The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster.

auto_terminate

Specifies whether the cluster should terminate after completing all steps.

termination_protected

Indicates whether Amazon EMR will lock the cluster to prevent the EC2 instances from being terminated by an API call or user intervention, or in the event of a cluster error.

visible_to_all_users

Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster.

master_public_dns_name

The DNS name of the master node. If the cluster is on a private subnet, this is the private DNS name. On a public subnet, this is the public DNS name.

security_configuration

The name of the security configuration applied to the cluster.

autoscaling_role

An IAM role for automatic scaling policies.

scale_down_behavior

The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized.

custom_ami_id

The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.

repo_upgrade_on_boot

Specifies the type of updates that are applied from the Amazon Linux AMI package repositories when an instance boots using the AMI.

outpost_arn

The Amazon Resource Name (ARN) of the Outpost where the cluster is launched.

log_uri

The path to the Amazon S3 location where logs for this cluster are stored.

servicerole

Service Role of the EMR Cluster

Relationships

  • EMR Clusters belong to AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(EMRCluster)
    ```
    

ESDomain

Representation of an AWS ElasticSearch Domain (see ElasticsearchDomainConfig).

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

elasticsearch_cluster_config_instancetype

The instancetype

elasticsearch_version

The version of elasticsearch

elasticsearch_cluster_config_zoneawarenessenabled

Indicates whether multiple Availability Zones are enabled.

elasticsearch_cluster_config_dedicatedmasterenabled

Indicates whether dedicated master nodes are enabled for the cluster. True if the cluster will use a dedicated master node. False if the cluster will not.

elasticsearch_cluster_config_dedicatedmastercount

Number of dedicated master nodes in the cluster.

elasticsearch_cluster_config_dedicatedmastertype

Amazon ES instance type of the dedicated master nodes in the cluster.

domainid

Unique identifier for an Amazon ES domain.

encryption_at_rest_options_enabled

Specify true to enable encryption at rest.

deleted

Status of the deletion of an Amazon ES domain. True if deletion of the domain is complete. False if domain deletion is still in progress.

id

same as domainid

arn

Amazon Resource Name (ARN) of an Amazon ES domain.

exposed_internet

exposed_internet is set to True if the ElasticSearch domain has a policy applied to it that makes it internet-accessible. This policy determination is made by using the policyuniverse library. The code for this augmentation is implemented at cartography.intel.aws.elasticsearch._process_access_policy().

Relationships

  • Elastic Search domains can be members of EC2 Security Groups.

    ```
    (ESDomain)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • Elastic Search domains belong to AWS Accounts.

    (AWSAccount)-[RESOURCE]->(ESDomain)
    
  • DNS Records can point to Elastic Search domains.

    ```
    (DNSRecord)-[DNS_POINTS_TO]->(ESDomain)
    ```
    

Endpoint

Representation of a generic network endpoint.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol of this endpoint

port

The port of this endpoint

Relationships

  • Endpoints can be installed load balancers, though more specifically we would refer to these Endpoint nodes as ELBListeners.

    ```
    (LoadBalancer)-[ELB_LISTENER]->(Endpoint)
    ```
    

Endpoint::ELBListener

Representation of an AWS Elastic Load Balancer Listener. Here, an ELBListener is a more specific type of Endpoint. Here’a good introduction.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol of this endpoint

port

The port of this endpoint

policy_names

A list of SSL policy names set on the listener.

id

The ELB ID. This is a concatenation of the DNS name, port, and protocol.

instance_port

The port open on the EC2 instance that this listener is connected to

instance_protocol

The protocol defined on the EC2 instance that this listener is connected to

Relationships

  • A ELBListener is installed on a load balancer.

    ```
    (LoadBalancer)-[ELB_LISTENER]->(ELBListener)
    ```
    

Endpoint::ELBV2Listener

Representation of an AWS Elastic Load Balancer V2 Listener.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol of this endpoint - One of 'HTTP''HTTPS''TCP''TLS''UDP''TCP_UDP'

port

The port of this endpoint

ssl_policy

Only set for HTTPS or TLS listener. The security policy that defines which protocols and ciphers are supported.

targetgrouparn

The ARN of the Target Group, if the Action type is forward.

Relationships

  • A ELBV2Listener is installed on a LoadBalancerV2.

    ```
    (elbv2)-[r:ELBV2_LISTENER]->(ELBV2Listener)
    ```
    

Ip

Represents a generic IP address.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

ip

The IPv4 address

id

Same as ip

Relationships

  • DNSRecords can point to IP addresses.

    ```
    (DNSRecord)-[DNS_POINTS_TO]->(Ip)
    ```
    

IpRule

Represents a generic IP rule. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field

Description

ruleid

{group_id}/{rule_type}/{from_port}{to_port}{protocol}

groupid

The groupid of the EC2 Security Group that this was derived from

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol this rule applies to

fromport

Lowest port in the range defined by this rule

toport

Highest port in the range defined by this rule

Relationships

  • IpRules are defined from EC2SecurityGroups.

    ```
    (IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    

IpRule::IpPermissionInbound

An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field

Description

ruleid

{group_id}/{rule_type}/{from_port}{to_port}{protocol}

groupid

The groupid of the EC2 Security Group that this was derived from

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol this rule applies to

fromport

Lowest port in the range defined by this rule

toport

Highest port in the range defined by this rule

Relationships

  • IpPermissionInbound rules are defined from EC2SecurityGroups.

    ```
    (IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    

LoadBalancer

Represents an AWS Elastic Load Balancer. See spec for details.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

scheme

The type of load balancer. Valid only for load balancers in a VPC. If scheme is internet-facing, the load balancer has a public DNS name that resolves to a public IP address. If scheme is internal, the load balancer has a public DNS name that resolves to a private IP address.

name

The name of the load balancer

dnsname

The DNS name of the load balancer.

canonicalhostedzonename

The DNS name of the load balancer

id

Currently set to the dnsname of the load balancer.

region

The region of the load balancer

createdtime

The date and time the load balancer was created.

canonicalhostedzonenameid

The ID of the Amazon Route 53 hosted zone for the load balancer.

exposed_internet

The exposed_internet flag is set to True when the load balancer’s scheme field is set to internet-facing. This indicates that the load balancer has a public DNS name that resolves to a public IP address.

Relationships

  • LoadBalancers can be connected to EC2Instances and therefore expose them.

    ```
    (LoadBalancer)-[EXPOSE]->(EC2Instance)
    ```
    
  • LoadBalancers can have source security groups configured.

    ```
    (LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • LoadBalancers can be part of EC2SecurityGroups.

    ```
    (LoadBalancer)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • LoadBalancers can be part of EC2 Subnets

    ```
    (LoadBalancer)-[SUBNET]->(EC2Subnet)
    ```
    
  • LoadBalancers can be part of EC2 Subnets

    ```
    (LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • LoadBalancers can have listeners configured to accept connections from clients (good introduction).

    ```
    (LoadBalancer)-[ELB_LISTENER]->(Endpoint, ELBListener)
    ```
    
  • LoadBalancers are part of AWSAccounts.

    ```
    (AWSAccount)-[RESOURCE]->(LoadBalancer)
    ```
    
  • AWSDNSRecords and DNSRecords point to LoadBalancers.

    ```
    (AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
    ```
    

LoadBalancerV2

Represents an Elastic Load Balancer V2 (Application Load Balancer or Network Load Balancer.) API reference here.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

scheme

The type of load balancer. If scheme is internet-facing, the load balancer has a public DNS name that resolves to a public IP address. If scheme is internal, the load balancer has a public DNS name that resolves to a private IP address.

name

The name of the load balancer

dnsname

The DNS name of the load balancer.

exposed_internet

The exposed_internet flag is set to True when the load balancer’s scheme field is set to internet-facing. This indicates that the load balancer has a public DNS name that resolves to a public IP address.

id

Currently set to the dnsname of the load balancer.

type

Can be application or network

region

The region of the load balancer

createdtime

The date and time the load balancer was created.

canonicalhostedzonenameid

The ID of the Amazon Route 53 hosted zone for the load balancer.

Relationships

  • LoadBalancerV2’s can be connected to EC2Instances and therefore expose them.

    ```
    (LoadBalancerV2)-[EXPOSE]->(EC2Instance)
    ```
    

    EXPOSE relationshiohip also holds the protocol, port and TargetGroupArn the load balancer points to.

  • LoadBalancerV2’s can be part of EC2SecurityGroups but only if their type = “application”. NLBs don’t have SGs.

    ```
    (LoadBalancerV2)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • LoadBalancerV2’s can be part of EC2 Subnets

    ```
    (LoadBalancerV2)-[SUBNET]->(EC2Subnet)
    ```
    
  • LoadBalancerV2’s can be part of EC2 Subnets

    ```
    (LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • LoadBalancerV2’s have listeners:

    ```
    (LoadBalancerV2)-[ELBV2_LISTENER]->(ELBV2Listener)
    ```
    

Nameserver

Represents a DNS nameserver. | Field | Description | |-------|————-| | firstseen| Timestamp of when a sync job first discovered this node | | lastupdated | Timestamp of the last time the node was updated | | id | The address of the nameserver| | name | The name or address of the nameserver|

Relationships

  • Nameservers are nameservers for to DNSZone.

    ```
    (Nameserver)-[NAMESERVER]->(DNSZone)
    ```
    

NetworkInterface

Representation of a generic Network Interface. Currently however, we only create NetworkInterface nodes from AWS EC2 Instances. The spec for an AWS EC2 network interface is here.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

mac_address

The MAC address of the network interface

description

Description of the network interface

private_ip_address

The primary IPv4 address of the network interface within the subnet

id

The ID of the network interface. (known as networkInterfaceId in EC2)

private_dns_name

The private DNS name

status

Status of the network interface. Valid Values: available | associated | attaching | in-use | detaching

subnetid

The ID of the subnet

interface_type

Describes the type of network interface. Valid values: interface | efa

requester_id

Id of the requester, e.g. amazon-elb for ELBs

requester_managed

Indicates whether the interface is managed by the requester

source_dest_check

Indicates whether to validate network traffic to or from this network interface.

public_ip

Public IPv4 address attached to the interface

Relationships

  • EC2 Network Interfaces belong to AWS accounts.

    (NetworkInterface)<-[:RESOURCE]->(:AWSAccount)
    
  • Network interfaces can be connected to EC2Subnets.

    ```
    (NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
    ```
    
  • Network interfaces can be members of EC2SecurityGroups.

    ```
    (NetworkInterface)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    ```
    
  • EC2Instances can have NetworkInterfaces connected to them.

    ```
    (EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
    ```
    
  • LoadBalancers can have NetworkInterfaces connected to them.

    ```
    (LoadBalancer)-[NETWORK_INTERFACE]->(NetworkInterface)
    ```
    
  • LoadBalancerV2s can have NetworkInterfaces connected to them.

    ```
    (LoadBalancerV2)-[NETWORK_INTERFACE]->(NetworkInterface)
    ```
    
  • EC2PrivateIps are connected to a NetworkInterface.

    ```
    (NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
    ```
    
  • EC2 Network Interfaces can be tagged with AWSTags.

    ```
    (NetworkInterface)-[TAGGED]->(AWSTag)
    ```
    

AWSPeeringConnection

Representation of an AWS PeeringConnection implementing an AWS VpcPeeringConnection object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

vpcPeeringConnectionId, The ID of the VPC peering connection.

allow_dns_resolution_from_remote_vpc

Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.

allow_egress_from_local_classic_link_to_remote_vpc

Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.

allow_egress_from_local_vpc_to_remote_classic_link

Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.

requester_region

Peering requester region

accepter_region

Peering accepter region

status_code

The status of the VPC peering connection.

status_message

A message that provides more information about the status, if applicable.

Relationships

  • AWSVpc is an accepter or requester vpc.

    (AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
    (AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)
    
  • AWSCidrBlock is an accepter or requester cidr.

    (AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
    (AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)
    

RedshiftCluster

Representation of an AWS RedshiftCluster.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

arn

The Amazon Resource Name (ARN) for the Redshift cluster

id

Same as arn

availability_zone

Specifies the name of the Availability Zone the cluster is located in

cluster_create_time

Provides the date and time the cluster was created

cluster_identifier

The unique identifier of the cluster.

cluster_revision_number

The specific revision number of the database in the cluster.

db_name

The name of the initial database that was created when the cluster was created. This same name is returned for the life of the cluster. If an initial database was not specified, a database named devdev was created by default.

encrypted

Specifies whether the cluster has encryption enabled

cluster_status

The current state of the cluster.

endpoint_address

DNS name of the Redshift cluster endpoint

endpoint_port

The port that the Redshift cluster’s endpoint is listening on

master_username

The master user name for the cluster. This name is used to connect to the database that is specified in the DBName parameter.

node_type

The node type for the nodes in the cluster.

number_of_nodes

The number of compute nodes in the cluster.

publicly_accessible

A boolean value that, if true, indicates that the cluster can be accessed from a public network.

vpc_id

The identifier of the VPC the cluster is in, if the cluster is in a VPC.

Relationships

  • Redshift clusters are part of AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(RedshiftCluster)
    ```
    
  • Redshift clusters can be members of EC2 Security Groups.

    (RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    
  • Redshift clusters may assume IAM roles. See this article.

    (RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)
    
  • Redshift clusters can be members of AWSVpcs.

    (RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
    

RDSCluster

Representation of an AWS Relational Database Service DBCluster

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Same as ARN

arn

The Amazon Resource Name (ARN) for the DB cluster.

allocated_storage

For all database engines except Amazon Aurora, AllocatedStorage specifies the allocated storage size in gibibytes (GiB). For Aurora, AllocatedStorage always returns 1, because Aurora DB cluster storage size isn’t fixed, but instead automatically adjusts as needed.

availability_zones

Provides the list of Availability Zones (AZs) where instances in the DB cluster can be created.

backup_retention_period

Specifies the number of days for which automatic DB snapshots are retained.

character_set_name

If present, specifies the name of the character set that this cluster is associated with.

database_name

Contains the name of the initial database of this DB cluster that was provided at create time, if one was specified when the DB cluster was created. This same name is returned for the life of the DB cluster.

db_cluster_identifier

Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster.

db_parameter_group

Specifies the name of the DB cluster parameter group for the DB cluster.

status

Specifies the current state of this DB cluster.

earliest_restorable_time

The earliest time to which a database can be restored with point-in-time restore.

endpoint

Specifies the connection endpoint for the primary instance of the DB cluster.

reader_endpoint

The reader endpoint for the DB cluster. The reader endpoint for a DB cluster load-balances connections across the Aurora Replicas that are available in a DB cluster. As clients request new connections to the reader endpoint, Aurora distributes the connection requests among the Aurora Replicas in the DB cluster. This functionality can help balance your read workload across multiple Aurora Replicas in your DB cluster. If a failover occurs, and the Aurora Replica that you are connected to is promoted to be the primary instance, your connection is dropped. To continue sending your read workload to other Aurora Replicas in the cluster, you can then reconnect to the reader endpoint.

multi_az

Specifies whether the DB cluster has instances in multiple Availability Zones.

engine

The name of the database engine to be used for this DB cluster.

engine_version

Indicates the database engine version.

latest_restorable_time

Specifies the latest time to which a database can be restored with point-in-time restore.

port

Specifies the port that the database engine is listening on.

master_username

Contains the master username for the DB cluster.

preferred_backup_window

Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.

preferred_maintenance_window

Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).

hosted_zone_id

Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.

storage_encrypted

Specifies whether the DB cluster is encrypted.

kms_key_id

If StorageEncrypted is enabled, the AWS KMS key identifier for the encrypted DB cluster. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK).

db_cluster_resource_id

The AWS Region-unique, immutable identifier for the DB cluster. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS CMK for the DB cluster is accessed.

clone_group_id

Identifies the clone group to which the DB cluster is associated.

cluster_create_time

Specifies the time when the DB cluster was created, in Universal Coordinated Time (UTC).

earliest_backtrack_time

The earliest time to which a DB cluster can be backtracked.

backtrack_window

The target backtrack window, in seconds. If this value is set to 0, backtracking is disabled for the DB cluster. Otherwise, backtracking is enabled.

backtrack_consumed_change_records

The number of change records stored for Backtrack.

capacity

The current capacity of an Aurora Serverless DB cluster. The capacity is 0 (zero) when the cluster is paused.

engine_mode

The DB engine mode of the DB cluster, either provisioned, serverless, parallelquery, global, or multimaster.

scaling_configuration_info_min_capacity

The minimum capacity for the Aurora DB cluster in serverless DB engine mode.

scaling_configuration_info_max_capacity

The maximum capacity for an Aurora DB cluster in serverless DB engine mode.

scaling_configuration_info_auto_pause

A value that indicates whether automatic pause is allowed for the Aurora DB cluster in serverless DB engine mode.

deletion_protection

Indicates if the DB cluster has deletion protection enabled. The database can’t be deleted when deletion protection is enabled.

Relationships

  • RDS Clusters are part of AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(RDSCluster)
    ```
    
  • Some RDS instances are cluster members.

    (replica:RDSInstance)-[IS_CLUSTER_MEMBER_OF]->(source:RDSCluster)
    

RDSInstance

Representation of an AWS Relational Database Service DBInstance.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Same as ARN

arn

The Amazon Resource Name (ARN) for the DB instance.

db_instance_identifier

Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.

availability_zone

Specifies the name of the Availability Zone the DB instance is located in.

backup_retention_period

Specifies the number of days for which automatic DB snapshots are retained.

preferred_backup_window

Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.

ca_certificate_identifier

The identifier of the CA certificate for this DB instance.

db_cluster_identifier

If the DB instance is a member of a DB cluster, contains the name of the DB cluster that the DB instance is a member of.

db_instance_class

Contains the name of the compute and memory capacity class of the DB instance.

db_instance_port

Specifies the port that the DB instance listens on.

dbi_resource_id

The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed.

db_name

The meaning of this parameter differs according to the database engine you use. For example, this value returns MySQL, MariaDB, or PostgreSQL information when returning values from CreateDBInstanceReadReplica since Read Replicas are only supported for these engines.

MySQL, MariaDB, SQL Server, PostgreSQL: Contains the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created. This same name is returned for the life of the DB instance.

Oracle: Contains the Oracle System ID (SID) of the created DB instance. Not shown when the returned parameters do not apply to an Oracle DB instance.

engine

Provides the name of the database engine to be used for this DB instance.

engine_version

Indicates the database engine version.

enhanced_monitoring_resource_arn

The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance.

instance_create_time

Provides the date and time the DB instance was created.

kms_key_id

If StorageEncrypted is true, the AWS KMS key identifier for the encrypted DB instance.

master_username

Contains the master username for the DB instance.

monitoring_role_arn

The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs.

multi_az

Specifies if the DB instance is a Multi-AZ deployment.

performance_insights_enabled

True if Performance Insights is enabled for the DB instance, and otherwise false.

preferred_maintenance_window

Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).

publicly_accessible

Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address.

storage_encrypted

Specifies whether the DB instance is encrypted.

endpoint_address

DNS name of the RDS instance

endpoint_port

The port that the RDS instance is listening on

endpoint_hostedzoneid

The AWS DNS Zone ID that is associated with the RDS instance’s DNS entry

auto_minor_version_upgrade

Specifies whether minor version upgrades are applied automatically to the DB instance during the maintenance window

iam_database_authentication_enabled

Specifies if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled

Relationships

  • RDS Instances are part of AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(RDSInstance)
    ```
    
  • Some RDS instances are Read Replicas.

    (replica:RDSInstance)-[IS_READ_REPLICA_OF]->(source:RDSInstance)
    
  • RDS Instances can be members of EC2 Security Groups.

    (RDSInstance)-[m:MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
    
  • RDS Instances are connected to DB Subnet Groups.

    (RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)
    
  • RDS Instances can be tagged with AWSTags.

    ```
    (RDSInstance)-[TAGGED]->(AWSTag)
    ```
    

RDSSnapshot

Representation of an AWS Relational Database Service DBSnapshot.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Same as ARN

arn

The Amazon Resource Name (ARN) for the DB snapshot.

db_snapshot_identifier

Specifies the identifier for the DB snapshot.

db_instance_identifier

Specifies the DB instance identifier of the DB instance this DB snapshot was created from.

snapshot_create_time

Specifies when the snapshot was taken in Coordinated Universal Time (UTC). Changes for the copy when the snapshot is copied.

engine

Specifies the name of the database engine.

allocated_storage

Specifies the allocated storage size in gibibytes (GiB).

status

Specifies the status of this DB snapshot.

port

Specifies the port that the database engine was listening on at the time of the snapshot.

availability_zone

Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot.

vpc_id

Provides the VPC ID associated with the DB snapshot.

instance_create_time

Specifies the time in Coordinated Universal Time (UTC) when the DB instance, from which the snapshot was taken, was created.

master_username

Provides the master username for the DB snapshot.

engine_version

Specifies the version of the database engine.

license_model

License model information for the restored DB instance.

snapshot_type

Provides the type of the DB snapshot.

iops

Specifies the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the snapshot.

option_group_name

Provides the option group name for the DB snapshot.

percent_progress

The percentage of the estimated data that has been transferred.

source_region

The AWS Region that the DB snapshot was created in or copied from.

source_db_snapshot_identifier

The DB snapshot Amazon Resource Name (ARN) that the DB snapshot was copied from. It only has a value in the case of a cross-account or cross-Region copy.

storage_type

Specifies the storage type associated with DB snapshot.

tde_credential_arn

The ARN from the key store with which to associate the instance for TDE encryption.

encrypted

Specifies whether the DB snapshot is encrypted.

kms_key_id

If Encrypted is true, the AWS KMS key identifier for the encrypted DB snapshot. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.

timezone

The time zone of the DB snapshot. In most cases, the Timezone element is empty. Timezone content appears only for snapshots taken from Microsoft SQL Server DB instances that were created with a time zone specified.

iam_database_authentication_enabled

True if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.

processor_features

The number of CPU cores and the number of threads per core for the DB instance class of the DB instance when the DB snapshot was created.

dbi_resource_id

The identifier for the source DB instance, which can’t be changed and which is unique to an AWS Region.

original_snapshot_create_time

Specifies the time of the CreateDBSnapshot operation in Coordinated Universal Time (UTC). Doesn’t change when the snapshot is copied.

snapshot_database_time

The timestamp of the most recent transaction applied to the database that you’re backing up. Thus, if you restore a snapshot, SnapshotDatabaseTime is the most recent transaction in the restored DB instance. In contrast, originalSnapshotCreateTime specifies the system time that the snapshot completed. If you back up a read replica, you can determine the replica lag by comparing SnapshotDatabaseTime with originalSnapshotCreateTime. For example, if originalSnapshotCreateTime is two hours later than SnapshotDatabaseTime, then the replica lag is two hours.

snapshot_target

Specifies where manual snapshots are stored: AWS Outposts or the AWS Region.

storage_throughput

region

The AWS region of the snapshot

Relationships

  • RDS Snapshots are part of AWS Accounts.

    ```
    (AWSAccount)-[RESOURCE]->(RDSSnapshot)
    ```
    
  • RDS Snapshots are connected to DB Instances.

    (RDSSnapshot)-[:IS_SNAPSHOT_SOURCE]->(RDSInstance)
    
  • RDS Snapshots can be tagged with AWSTags.

    ```
    (RDSSnapshot)-[TAGGED]->(AWSTag)
    ```
    

S3Acl

Representation of an AWS S3 Access Control List.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

granteeid

The ID of the grantee as defined here

displayname

Optional display name for the ACL

permission

Valid values: FULL_CONTROL | READ | WRITE | READ_ACP | WRITE_ACP (ACP = Access Control Policy)

id

The ID of this ACL

type

The type of the grantee. Either CanonicalUser | AmazonCustomerByEmail | Group.

ownerid

The ACL’s owner ID as defined here

Relationships

  • S3 Access Control Lists apply to S3 buckets.

    ```
    (S3Acl)-[APPLIES_TO]->(S3Bucket)
    ```
    

S3Bucket

Representation of an AWS S3 Bucket.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

creationdate

Date-time when the bucket was created

id

Same as name, as seen below

name

The name of the bucket. This is guaranteed to be globally unique

anonymous_actions

List of anonymous internet accessible actions that may be run on the bucket. This list is taken by running policyuniverse on the policy that applies to the bucket.

anonymous_access

True if this bucket has a policy applied to it that allows anonymous access or if it is open to the internet. These policy determinations are made by using the policyuniverse library.

region

The region that the bucket is in. Only defined if the S3 bucket has a location constraint

default_encryption

True if this bucket has default encryption enabled.

encryption_algorithm

The encryption algorithm used for default encryption. Only defined if the S3 bucket has default encryption enabled.

encryption_key_id

The KMS key ID used for default encryption. Only defined if the S3 bucket has SSE-KMS enabled as the default encryption method.

bucket_key_enabled

True if a bucket key is enabled, when using SSE-KMS as the default encryption method.

versioning_status

The versioning state of the bucket.

mfa_delete

Specifies whether MFA delete is enabled in the bucket versioning configuration.

block_public_acls

Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.

ignore_public_acls

Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket.

block_public_acls

Specifies whether Amazon S3 should block public bucket policies for this bucket.

restrict_public_buckets

Specifies whether Amazon S3 should restrict public bucket policies for this bucket.

Relationships

  • S3Buckets are resources in an AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(S3Bucket)
    ```
    
  • S3 Access Control Lists apply to S3 buckets.

    ```
    (S3Acl)-[APPLIES_TO]->(S3Bucket)
    ```
    
  • S3 Buckets can be tagged with AWSTags.

    ```
    (S3Bucket)-[TAGGED]->(AWSTag)
    ```
    

S3PolicyStatement

Representation of an AWS S3 Bucket Policy Statements for controlling ownership of objects and ACLs of the bucket.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

policy_id

Optional string “Id” for the bucket’s policy

policy_version

Version of the bucket’s policy

id

The unique identifier for a bucket policy statement.
If the statement has an Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/Sid.
If the statement has no Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/

effect

Specifies “Deny” or “Allow” for the policy statement

action

Specifies permissions that policy statement applies to, as defined here

resource

Specifies the resource the bucket policy statement is based on

condition

Specifies conditions where permissions are granted: examples

sid

Optional string to label the specific bucket policy statement

Relationships

  • S3PolicyStatements define the policy for S3 Buckets.

    ```
    (:S3Bucket)-[:POLICY_STATEMENT]->(:S3PolicyStatement)
    ```
    

KMSKey

Representation of an AWS KMS Key.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The id of the key

name

The name of the key

description

The description of the key

enabled

Whether the key is enabled

region

The region where key is created

anonymous_actions

List of anonymous internet accessible actions that may be run on the key.

anonymous_access

True if this key has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships

  • AWS KMS Keys are resources in an AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(KMSKey)
    ```
    
  • AWS KMS Key may also be refered as KMSAlias via aliases.

    ```
    (KMSKey)-[KNOWN_AS]->(KMSAlias)
    ```
    
  • AWS KMS Key may also have KMSGrant based on grants.

    ```
    (KMSGrant)-[APPLIED_ON]->(KMSKey)
    ```
    

KMSAlias

Representation of an AWS KMS Key Alias.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the alias

aliasname

The name of the alias

targetkeyid

The kms key id associated via this alias

Relationships

  • AWS KMS Key may also be refered as KMSAlias via aliases.

    ```
    (KMSKey)-[KNOWN_AS]->(KMSAlias)
    ```
    

KMSGrant

Representation of an AWS KMS Key Grant.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The id of the key grant

name

The name of the key grant

granteeprincipal

The principal associated with the key grant

creationdate

ISO 8601 date-time string when the grant was created

Relationships

  • AWS KMS Key may also have KMSGrant based on grants.

    ```
    (KMSGrant)-[APPLIED_ON]->(KMSKey)
    ```
    

APIGatewayRestAPI

Representation of an AWS API Gateway REST API.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The id of the REST API

createddate

The timestamp when the REST API was created

version

The version identifier for the API

minimumcompressionsize

A nullable integer that is used to enable or disable the compression of the REST API

disableexecuteapiendpoint

Specifies whether clients can invoke your API by using the default execute-api endpoint

region

The region where the REST API is created

anonymous_actions

List of anonymous internet accessible actions that may be run on the API.

anonymous_access

True if this API has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships

  • AWS API Gateway REST APIs are resources in an AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(APIGatewayRestAPI)
    ```
    
  • AWS API Gateway REST APIs may be associated with an API Gateway Stage.

    ```
    (APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
    ```
    
  • AWS API Gateway REST APIs may also have API Gateway Resource resources.

    ```
    (APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
    ```
    

APIGatewayStage

Representation of an AWS API Gateway Stage.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The name of the API Gateway Stage

createddate

The timestamp when the stage was created

deploymentid

The identifier of the Deployment that the stage points to.

clientcertificateid

The identifier of a client certificate for an API stage.

cacheclusterenabled

Specifies whether a cache cluster is enabled for the stage.

cacheclusterstatus

The status of the cache cluster for the stage, if enabled.

tracingenabled

Specifies whether active tracing with X-ray is enabled for the Stage

webaclarn

The ARN of the WebAcl associated with the Stage

Relationships

  • AWS API Gateway REST APIs may be associated with an API Gateway Stage.

    ```
    (APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
    ```
    
  • AWS API Gateway Stage may also contain a Client Certificate.

    ```
    (APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
    ```
    

APIGatewayClientCertificate

Representation of an AWS API Gateway Client Certificate.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The identifier of the client certificate

createddate

The timestamp when the client certificate was created

expirationdate

The timestamp when the client certificate will expire

Relationships

  • AWS API Gateway Stage may also contain a Client Certificate.

    ```
    (APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
    ```
    

APIGatewayResource

Representation of an AWS API Gateway Resource.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The id of the REST API

path

The timestamp when the REST API was created

pathpart

The version identifier for the API

parentid

A nullable integer that is used to enable or disable the compression of the REST API

Relationships

  • AWS API Gateway REST APIs may also have API Gateway Resource resources.

    ```
    (APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
    ```
    

AutoScalingGroup

Representation of an AWS Auto Scaling Group Resource.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

arn

The ARN of the Auto Scaling Group

name

The name of the Auto Scaling group.

createdtime

The date and time the group was created.

launchconfigurationname

The name of the associated launch configuration.

launchtemplatename

The name of the launch template.

launchtemplateid

The ID of the launch template.

launchtemplateversion

The version number of the launch template.

maxsize

The maximum size of the group.

minsize

The minimum size of the group.

defaultcooldown

The duration of the default cooldown period, in seconds.

desiredcapacity

The desired size of the group.

healthchecktype

The service to use for the health checks.

healthcheckgraceperiod

The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service.

status

The current state of the group when the DeleteAutoScalingGroup operation is in progress.

newinstancesprotectedfromscalein

Indicates whether newly launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in.

maxinstancelifetime

The maximum amount of time, in seconds, that an instance can be in service.

capacityrebalance

Indicates whether Capacity Rebalancing is enabled.

region

The region of the auto scaling group.

Link to API Documentation of AWS Auto Scaling Groups

Relationships

  • AWS Auto Scaling Groups are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(AutoScalingGroup)
    ```
    
  • AWS Auto Scaling Groups has one or more subnets/vpc identifiers.

    ```
    (AutoScalingGroup)-[VPC_IDENTIFIER]->(EC2Subnet)
    ```
    
  • AWS EC2 Instances are members of one or more AWS Auto Scaling Groups.

    ```
    (EC2Instance)-[MEMBER_AUTO_SCALE_GROUP]->(AutoScalingGroup)
    ```
    
  • AWS Auto Scaling Groups have Launch Configurations

    ```
    (AutoScalingGroup)-[HAS_LAUNCH_CONFIG]->(LaunchConfiguration)
    ```
    
  • AWS Auto Scaling Groups have Launch Templates

    ```
    (AutoScalingGroup)-[HAS_LAUNCH_TEMPLATE]->(LaunchTemplate)
    ```
    

EC2Image

Representation of an AWS EC2 Images (AMIs).

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the AMI.

name

The name of the AMI that was provided during image creation.

creationdate

The date and time the image was created.

architecture

The architecture of the image.

location

The location of the AMI.

type

The type of image.

ispublic

Indicates whether the image has public launch permissions.

platform

This value is set to windows for Windows AMIs; otherwise, it is blank.

usageoperation

The operation of the Amazon EC2 instance and the billing code that is associated with the AMI.

state

The current state of the AMI.

description

The description of the AMI that was provided during image creation.

enasupport

Specifies whether enhanced networking with ENA is enabled.

hypervisor

The hypervisor type of the image.

rootdevicename

The device name of the root device volume (for example, /dev/sda1 ).

rootdevicetype

The type of root device used by the AMI.

virtualizationtype

The type of virtualization of the AMI.

bootmode

The boot mode of the image.

region

The region of the image.

Link to API Documentation of EC2 Images

Relationships

  • AWS EC2 Images (AMIs) are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(EC2Image)
    ```
    

EC2ReservedInstance

Representation of an AWS EC2 Reserved Instance.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the Reserved Instance.

availabilityzone

The Availability Zone in which the Reserved Instance can be used.

duration

The duration of the Reserved Instance, in seconds.

end

The time when the Reserved Instance expires.

start

The date and time the Reserved Instance started.

count

The number of reservations purchased.

type

The instance type on which the Reserved Instance can be used.

productdescription

The Reserved Instance product platform description.

state

The state of the Reserved Instance purchase.

currencycode

The currency of the Reserved Instance. It’s specified using ISO 4217 standard currency codes.

instancetenancy

The tenancy of the instance.

offeringclass

The offering class of the Reserved Instance.

offeringtype

The Reserved Instance offering type.

scope

The scope of the Reserved Instance.

fixedprice

The purchase price of the Reserved Instance.

region

The region of the reserved instance.

Relationships

  • AWS EC2 Reserved Instances are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(EC2ReservedInstance)
    ```
    

SecretsManagerSecret

Representation of an AWS Secrets Manager Secret

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the secret.

created_date

The date and time when a secret was created.

deleted_date

The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.

description

The user-provided description of the secret.

kms_key_id

The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. If you don’t provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK, the key named awssecretsmanager, for this account.

last_accessed_date

The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.

last_changed_date

The last date and time that this secret was modified in any way.

last_rotated_date

The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn’t ever rotated.

name

The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.

owning_service

Returns the name of the service that created the secret.

primary_region

The Region where Secrets Manager originated the secret.

rotation_enabled

Indicates whether automatic, scheduled rotation is enabled for this secret.

rotation_lambda_arn

The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret.

rotation_rules_automatically_after_days

Specifies the number of days between automatic scheduled rotations of the secret.

Relationships

  • AWS Secrets Manager Secrets are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(SecretsManagerSecret)
    ```
    

EBSVolume

Representation of an AWS EBS Volume.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the EBS Volume.

availabilityzone

The Availability Zone for the volume.

createtime

The time stamp when volume creation was initiated.

encrypted

Indicates whether the volume is encrypted.

size

The size of the volume, in GiBs.

state

The volume state.

outpostarn

The Amazon Resource Name (ARN) of the Outpost.

snapshotid

The snapshot ID.

iops

The number of I/O operations per second (IOPS).

type

The volume type.

fastrestored

Indicates whether the volume was created using fast snapshot restore.

multiattachenabled

Indicates whether Amazon EBS Multi-Attach is enabled.

throughput

The throughput that the volume supports, in MiB/s.

kmskeyid

The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.

deleteontermination

Indicates whether the volume is deleted on instance termination.

region

The region of the volume.

Relationships

  • AWS EBS Volumes are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(EBSVolume)
    ```
    
  • AWS EBS Snapshots are created using EBS Volumes

    ```
    (EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
    ```
    
  • AWS EBS Volumes are attached to an EC2 Instance

    ```
    (EBSVolume)-[ATTACHED_TO_EC2_INSTANCE]->(EC2Instance)
    ```
    
  • AWSTag

    ```
    (EBSVolume)-[TAGGED]->(AWSTag)
    ```
    

EBSSnapshot

Representation of an AWS EBS Snapshot.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the EBS Snapshot.

description

The description of the snapshot.

progress

The progress of the snapshot, as a percentage.

encrypted

Indicates whether the snapshot is encrypted.

starttime

The time stamp when the snapshot was initiated.

state

The snapshot state.

statemessage

Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy operation fails (for example, if the proper AWS Key Management Service (AWS KMS) permissions are not obtained) this field displays error state details to help you diagnose why the error occurred. This parameter is only returned by DescribeSnapshots .

volumeid

The volume ID.

volumesize

The size of the volume, in GiB.

outpostarn

The ARN of the AWS Outpost on which the snapshot is stored.

dataencryptionkeyid

The data encryption key identifier for the snapshot.

kmskeyid

The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the parent volume.

region

The region of the snapshot.

Relationships

  • AWS EBS Snapshots are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(EBSSnapshot)
    ```
    
  • AWS EBS Snapshots are created using EBS Volumes

    ```
    (EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
    ```
    

SQSQueue

Representation of an AWS SQS Queue

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the sqs queue.

created_timestamp

The time when the queue was created in seconds

delay_seconds

The default delay on the queue in seconds.

last_modified_timestamp

The time when the queue was last changed in seconds.

maximum_message_size

The limit of how many bytes a message can contain before Amazon SQS rejects it.

message_retention_period

he length of time, in seconds, for which Amazon SQS retains a message.

policy

The IAM policy of the queue.

arn

The arn of the sqs queue.

receive_message_wait_time_seconds

The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.

redrive_policy_dead_letter_target_arn

The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.

redrive_policy_max_receive_count

The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.

visibility_timeout

The visibility timeout for the queue.

kms_master_key_id

The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK.

kms_data_key_reuse_period_seconds

The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again.

fifo_queue

Whether or not the queue is FIFO.

content_based_deduplication

Whether or not content-based deduplication is enabled for the queue.

deduplication_scope

Specifies whether message deduplication occurs at the message group or queue level.

fifo_throughput_limit

Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group.

Relationships

  • AWS SQS Queues are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(SQSQueue)
    ```
    
  • AWS SQS Queues can have other SQS Queues configured as dead letter queues

    ```
    (SQSQueue)-[HAS_DEADLETTER_QUEUE]->(SQSQueue)
    ```
    

SecurityHub

Representation of the configuration of AWS Security Hub

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The arn of the hub resource.

subscribed_at

The date and time when Security Hub was enabled in the account.

auto_enable_controls

Whether to automatically enable new controls when they are added to standards that are enabled.

Relationships

  • AWS Security Hub nodes are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(SecurityHub)
    ```
    

AWSConfigurationRecorder

Representation of an AWS Config Configuration Recorder

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A combination of name:account_id:region

name

The name of the recorder.

role_arn

Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.

recording_group_all_supported

Specifies whether AWS Config records configuration changes for every supported type of regional resource.

recording_group_include_global_resource_types

Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.

recording_group_resource_types

A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).

region

The region of the configuration recorder.

Relationships

  • AWS Configuration Recorders are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(AWSConfigurationRecorder)
    ```
    

AWSConfigDeliveryChannel

Representation of an AWS Config Delivery Channel

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A combination of name:account_id:region

name

The name of the delivery channel.

s3_bucket_name

The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.

s3_key_prefix

The prefix for the specified Amazon S3 bucket.

s3_kms_key_arn

The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) customer managed key (CMK) used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.

sns_topic_arn

The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.

config_snapshot_delivery_properties_delivery_frequency

The frequency with which AWS Config delivers configuration snapshots.

region

The region of the delivery channel.

Relationships

  • AWS Config Delivery Channels are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(AWSConfigDeliveryChannel)
    ```
    

AWSConfigRule

Representation of an AWS Config Rule

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the config rule.

name

The name of the delivery channel.

description

The description that you provide for the AWS Config rule.

arn

The ARN of the config rule.

rule_id

The ID of the AWS Config rule.

scope_compliance_resource_types

The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.

scope_tag_key

The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.

scope_tag_value

The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.

scope_tag_compliance_resource_id

The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.

source_owner

Indicates whether AWS or the customer owns and manages the AWS Config rule.

source_identifier

For AWS Config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule.

source_details

Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.

input_parameters

A string, in JSON format, that is passed to the AWS Config rule Lambda function.

maximum_execution_frequency

The maximum frequency with which AWS Config runs evaluations for a rule.

created_by

Service principal name of the service that created the rule.

region

The region of the delivery channel.

Relationships

  • AWS Config Rules are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(AWSConfigRule)
    ```
    

LaunchConfiguration

Representation of an AWS Launch Configuration

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the launch configuration.

name

The name of the launch configuration.

arn

The ARN of the launch configuration.

created_time

The creation date and time for the launch configuration.

image_id

The ID of the Amazon Machine Image (AMI) to use to launch your EC2 instances.

key_name

The name of the key pair.

security_groups

A list that contains the security groups to assign to the instances in the Auto Scaling group.

instance_type

The instance type for the instances.

kernel_id

The ID of the kernel associated with the AMI.

ramdisk_id

The ID of the RAM disk associated with the AMI.

instance_monitoring_enabled

If true, detailed monitoring is enabled. Otherwise, basic monitoring is enabled.

spot_price

The maximum hourly price to be paid for any Spot Instance launched to fulfill the request.

iam_instance_profile

The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance.

ebs_optimized

Specifies whether the launch configuration is optimized for EBS I/O (true) or not (false).

associate_public_ip_address

For Auto Scaling groups that are running in a VPC, specifies whether to assign a public IP address to the group’s instances.

placement_tenancy

The tenancy of the instance, either default or dedicated. An instance with dedicated tenancy runs on isolated, single-tenant hardware and can only be launched into a VPC.

region

The region of the launch configuration.

Relationships

  • Launch Configurations are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(LaunchConfiguration)
    ```
    

LaunchTemplate

Representation of an AWS Launch Template

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the launch template.

name

The name of the launch template.

create_time

The time launch template was created.

created_by

The principal that created the launch template.

default_version_number

The version number of the default version of the launch template.

latest_version_number

The version number of the latest version of the launch template.

region

The region of the launch template.

Relationships

  • Launch Templates are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(LaunchTemplate)
    ```
    
  • Launch templates have Launch Template Versions

    ```
    (LaunchTemplate)-[VERSION]->(LaunchTemplateVersion)
    ```
    

LaunchTemplateVersion

Representation of an AWS Launch Template Version

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the launch template version (ID-version).

name

The name of the launch template.

create_time

The time the version was created.

created_by

The principal that created the version.

default_version

Indicates whether the version is the default version.

version_number

The version number.

version_description

The description of the version.

kernel_id

The ID of the kernel, if applicable.

ebs_optimized

Indicates whether the instance is optimized for Amazon EBS I/O.

iam_instance_profile_arn

The Amazon Resource Name (ARN) of the instance profile.

iam_instance_profile_name

The name of the instance profile.

image_id

The ID of the AMI that was used to launch the instance.

instance_type

The instance type.

key_name

The name of the key pair.

monitoring_enabled

Indicates whether detailed monitoring is enabled. Otherwise, basic monitoring is enabled.

ramdisk_id

The ID of the RAM disk, if applicable.

disable_api_termination

If set to true, indicates that the instance cannot be terminated using the Amazon EC2 console, command line tool, or API.

instance_initiated_shutdown_behavior

Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown).

security_group_ids

The security group IDs.

security_groups

The security group names.

region

The region of the launch template.

Relationships

  • Launch Template Versions are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(LaunchTemplateVersion)
    ```
    
  • Launch templates have Launch Template Versions

    ```
    (LaunchTemplate)-[VERSION]->(LaunchTemplateVersion)
    ```
    

ElasticIPAddress

Representation of an AWS EC2 Elastic IP address

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Elastic IP address

instance_id

The ID of the instance that the address is associated with (if any).

public_ip

The Elastic IP address.

allocation_id

The ID representing the allocation of the address for use with EC2-VPC.

association_id

The ID representing the association of the address with an instance in a VPC.

domain

Indicates whether this Elastic IP address is for use with instances in EC2-Classic (standard) or instances in a VPC (vpc).

network_interface_id

The ID of the network interface.

private_ip_address

The private IP address associated with the Elastic IP address.

public_ipv4_pool

The ID of an address pool.

network_border_group

The name of the unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses.

customer_owned_ip

The customer-owned IP address.

customer_owned_ipv4_pool

The ID of the customer-owned address pool.

carrier_ip

The carrier IP address associated. This option is only available for network interfaces which reside in a subnet in a Wavelength Zone (for example an EC2 instance).

region

The region of the IP.

Relationships

  • Elastic IPs are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(ElasticIPAddress)
    ```
    
  • Elastic IPs can be attached to EC2 instances

    ```
    (EC2Instance)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
    ```
    
  • Elastic IPs can be attached to NetworkInterfaces

    ```
    (NetworkInterface)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
    ```
    

ECSCluster

Representation of an AWS ECS Cluster

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the cluster

region

The region of the cluster.

name

A user-generated string that you use to identify your cluster.

arn

The ARN of the cluster

ecc_kms_key_id

An AWS Key Management Service key ID to encrypt the data between the local client and the container.

ecc_logging

The log setting to use for redirecting logs for your execute command results.

ecc_log_configuration_cloud_watch_log_group_name

The name of the CloudWatch log group to send logs to.

ecc_log_configuration_cloud_watch_encryption_enabled

Determines whether to enable encryption on the CloudWatch logs.

ecc_log_configuration_s3_bucket_name

The name of the S3 bucket to send logs to.

ecc_log_configuration_s3_encryption_enabled

Determines whether to use encryption on the S3 logs.

ecc_log_configuration_s3_key_prefix

An optional folder in the S3 bucket to place logs in.

status

The status of the cluster

settings_container_insights

If enabled is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be disabled unless the containerInsights account setting is enabled.

capacity_providers

The capacity providers associated with the cluster.

attachments_status

The status of the capacity providers associated with the cluster.

Relationships

  • ECSClusters are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(ECSCluster)
    ```
    

ECSContainerInstance

Representation of an AWS ECS Container Instance

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the container instance

region

The region of the container instance.

ec2_instance_id

The ID of the container instance. For Amazon EC2 instances, this value is the Amazon EC2 instance ID. For external instances, this value is the AWS Systems Manager managed instance ID.

arn

The ARN of the container instance

capacity_provider_name

The capacity provider that’s associated with the container instance.

version

The version counter for the container instance.

version_info_agent_version

The version number of the Amazon ECS container agent.

version_info_agent_hash

The Git commit hash for the Amazon ECS container agent build on the amazon-ecs-agent GitHub repository.

version_info_agent_docker_version

The Docker version that’s running on the container instance.

status

The status of the container instance.

status_reason

The reason that the container instance reached its current status.

agent_connected

This parameter returns true if the agent is connected to Amazon ECS. Registered instances with an agent that may be unhealthy or stopped return false.

agent_update_status

The status of the most recent agent update. If an update wasn’t ever requested, this value is NULL.

registered_at

The Unix timestamp for the time when the container instance was registered.

Relationships

  • An ECSCluster has ECSContainerInstances

    ```
    (ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
    ```
    
  • ECSContainerInstances have ECSTasks

    ```
    (ECSContainerInstance)-[HAS_TASK]->(ECSTask)
    ```
    

ECSService

Representation of an AWS ECS Service

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the service

region

The region of the service.

name

The name of your service.

arn

The ARN of the service

cluster_arn

The Amazon Resource Name (ARN) of the cluster that hosts the service.

status

The status of the service.

desired_count

The desired number of instantiations of the task definition to keep running on the service.

running_count

The number of tasks in the cluster that are in the RUNNING state.

pending_count

The number of tasks in the cluster that are in the PENDING state.

launch_type

The launch type the service is using.

platform_version

The platform version to run your service on. A platform version is only specified for tasks that are hosted on AWS Fargate.

platform_family

The operating system that your tasks in the service run on. A platform family is specified only for tasks using the Fargate launch type.

task_definition

The task definition to use for tasks in the service.

deployment_config_circuit_breaker_enable

Determines whether to enable the deployment circuit breaker logic for the service.

deployment_config_circuit_breaker_rollback

Determines whether to enable Amazon ECS to roll back the service if a service deployment fails.

deployment_config_maximum_percent

If a service is using the rolling update (ECS) deployment type, the maximum percent parameter represents an upper limit on the number of tasks in a service that are allowed in the RUNNING or PENDING state during a deployment, as a percentage of the desired number of tasks (rounded down to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.

deployment_config_minimum_healthy_percent

If a service is using the rolling update (ECS) deployment type, the minimum healthy percent represents a lower limit on the number of tasks in a service that must remain in the RUNNING state during a deployment, as a percentage of the desired number of tasks (rounded up to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.

role_arn

The ARN of the IAM role that’s associated with the service.

created_at

The Unix timestamp for the time when the service was created.

health_check_grace_period_seconds

The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started.

created_by

The principal that created the service.

enable_ecs_managed_tags

Determines whether to enable Amazon ECS managed tags for the tasks in the service.

propagate_tags

Determines whether to propagate the tags from the task definition or the service to the task.

enable_execute_command

Determines whether the execute command functionality is enabled for the service.

Relationships

  • An ECSCluster has ECSService

    ```
    (ECSCluster)-[HAS_SERVICE]->(ECSService)
    ```
    
  • An ECSCluster has ECSContainerInstances

    ```
    (ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
    ```
    

ECSTaskDefinition

Representation of an AWS ECS Task Definition

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the task definition

region

The region of the task definition.

family

The name of a family that this task definition is registered to.

task_role_arn

The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management role that grants containers in the task permission to call AWS APIs on your behalf.

execution_role_arn

The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf.

network_mode

The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If no network mode is specified, the default is bridge.

revision

The revision of the task in a particular family.

status

The status of the task definition.

compatibilities

The task launch types the task definition validated against during task definition registration.

runtime_platform_cpu_architecture

The CPU architecture.

runtime_platform_operating_system_family

The operating system.

requires_compatibilities

The task launch types the task definition was validated against.

cpu

The number of cpu units used by the task.

memory

The amount (in MiB) of memory used by the task.

pid_mode

The process namespace to use for the containers in the task.

ipc_mode

The IPC resource namespace to use for the containers in the task.

proxy_configuration_type

The proxy type.

proxy_configuration_container_name

The name of the container that will serve as the App Mesh proxy.

registered_at

The Unix timestamp for the time when the task definition was registered.

deregistered_at

The Unix timestamp for the time when the task definition was deregistered.

registered_by

The principal that registered the task definition.

ephemeral_storage_size_in_gib

The total amount, in GiB, of ephemeral storage to set for the task.

Relationships

  • ECSTaskDefinition are a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(ECSTaskDefinition)
    ```
    
  • An ECSTask has an ECSTaskDefinition.

    ```
    (ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
    ```
    

ECSContainerDefinition

Representation of an AWS ECS Container Definition

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the task definition, plus the container definition name

region

The region of the container definition.

name

The name of a container.

image

The image used to start a container. This string is passed directly to the Docker daemon.

cpu

The number of cpu units reserved for the container.

memory

The amount (in MiB) of memory to present to the container.

memory_reservation

The soft limit (in MiB) of memory to reserve for the container.

links

The links parameter allows containers to communicate with each other without the need for port mappings.

essential

If the essential parameter of a container is marked as true, and that container fails or stops for any reason, all other containers that are part of the task are stopped.

entry_point

The entry point that’s passed to the container.

command

The command that’s passed to the container.

start_timeout

Time duration (in seconds) to wait before giving up on resolving dependencies for a container.

stop_timeout

Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own.

hostname

The hostname to use for your container.

user

The user to use inside the container.

working_directory

The working directory to run commands inside the container in.

disable_networking

When this parameter is true, networking is disabled within the container.

privileged

When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).

readonly_root_filesystem

When this parameter is true, the container is given read-only access to its root file system.

dns_servers

A list of DNS servers that are presented to the container.

dns_search_domains

A list of DNS search domains that are presented to the container.

docker_security_options

A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field isn’t valid for containers in tasks using the Fargate launch type.

interactive

When this parameter is true, you can deploy containerized applications that require stdin or a tty to be allocated.

pseudo_terminal

When this parameter is true, a TTY is allocated.

Relationships

  • ECSTaskDefinitions have ECSContainerDefinitions

    ```
    (ECSTaskDefinition)-[HAS_CONTAINER_DEFINITION]->(ECSContainerDefinition)
    ```
    

ECSTask

Representation of an AWS ECS Task

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the task

region

The region of the task.

arn

The arn of the task.

availability_zone

The Availability Zone for the task.

capacity_provider_name

The capacity provider that’s associated with the task.

cluster_arn

The ARN of the cluster that hosts the task.

connectivity

The connectivity status of a task.

connectivity_at

The Unix timestamp for the time when the task last went into CONNECTED status.

container_instance_arn

The ARN of the container instances that host the task.

cpu

The number of CPU units used by the task as expressed in a task definition.

created_at

The Unix timestamp for the time when the task was created. More specifically, it’s for the time when the task entered the PENDING state.

desired_status

The desired status of the task.

enable_execute_command

Determines whether execute command functionality is enabled for this task.

execution_stopped_at

The Unix timestamp for the time when the task execution stopped.

group

The name of the task group that’s associated with the task.

health_status

The health status for the task.

last_status

The last known status for the task.

launch_type

The infrastructure where your task runs on.

memory

The amount of memory (in MiB) that the task uses as expressed in a task definition.

platform_version

The platform version where your task runs on.

platform_family

The operating system that your tasks are running on.

pull_started_at

The Unix timestamp for the time when the container image pull began.

pull_stopped_at

The Unix timestamp for the time when the container image pull completed.

started_at

The Unix timestamp for the time when the task started. More specifically, it’s for the time when the task transitioned from the PENDING state to the RUNNING state.

started_by

The tag specified when a task is started. If an Amazon ECS service started the task, the startedBy parameter contains the deployment ID of that service.

stop_code

The stop code indicating why a task was stopped.

stopped_at

The Unix timestamp for the time when the task was stopped. More specifically, it’s for the time when the task transitioned from the RUNNING state to the STOPPED state.

stopped_reason

The reason that the task was stopped.

stopping_at

The Unix timestamp for the time when the task stops. More specifically, it’s for the time when the task transitions from the RUNNING state to STOPPED.

task_definition_arn

The ARN of the task definition that creates the task.

version

The version counter for the task.

ephemeral_storage_size_in_gib

The total amount, in GiB, of ephemeral storage to set for the task.

Relationships

  • ECSClusters have ECSTasks

    ```
    (ECSCluster)-[HAS_TASK]->(ECSTask)
    ```
    
  • ECSContainerInstances have ECSTasks

    ```
    (ECSContainerInstance)-[HAS_TASK]->(ECSTask)
    ```
    
  • ECSTasks have ECSTaskDefinitions

    ```
    (ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
    ```
    

ECSContainer

Representation of an AWS ECS Container

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the container

region

The region of the container.

arn

The arn of the container.

task_arn

The ARN of the task.

name

The name of the container.

image

The image used for the container.

image_digest

The container image manifest digest.

runtime_id

The ID of the Docker container.

last_status

The last known status of the container.

exit_code

The exit code returned from the container.

reason

A short (255 max characters) human-readable string to provide additional details about a running or stopped container.

health_status

The health status of the container.

cpu

The number of CPU units set for the container.

memory

The hard limit (in MiB) of memory set for the container.

memory_reservation

The soft limit (in MiB) of memory set for the container.

gpu_ids

The IDs of each GPU assigned to the container.

Relationships

  • ECSTasks have ECSContainers

    ```
    (ECSTask)-[HAS_CONTAINER]->(ECSContainer)
    ```
    

SSMInstanceInformation

Representation of an AWS SSM InstanceInformation

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the instance information

region

The region of the instance information.

instance_id

The managed node ID.

ping_status

Connection status of SSM Agent.

last_ping_date_time

The date and time when the agent last pinged the Systems Manager service.

agent_version

The version of SSM Agent running on your Linux managed node.

is_latest_version

Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn’t indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.

platform_type

The operating system platform type.

platform_name

The name of the operating system platform running on your managed node.

platform_version

The version of the OS platform running on your managed node.

activation_id

The activation ID created by AWS Systems Manager when the server or virtual machine (VM) was registered.

iam_role

The AWS Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn’t return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances.

registration_date

The date the server or VM was registered with AWS as a managed node.

resource_type

The type of instance. Instances are either EC2 instances or managed instances.

name

The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName property using the CreateActivation command.

ip_address

The IP address of the managed node.

computer_name

The fully qualified host name of the managed node.

association_status

The status of the association.

last_association_execution_date

The date the association was last run.

last_successful_association_execution_date

The last date the association was successfully run.

source_id

The ID of the source resource. For AWS IoT Greengrass devices, SourceId is the Thing name.

source_type

The type of the source resource. For AWS IoT Greengrass devices, SourceType is AWS::IoT::Thing.

Relationships

  • SSMInstanceInformation is a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(SSMInstanceInformation)
    ```
    
  • SSMInstanceInformation is a resource of an EC2Instance

    ```
    (EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
    ```
    

SSMInstancePatch

Representation of an AWS SSM PatchComplianceData

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ARN of the instance patch

region

The region of the instance patch.

instance_id

The managed node ID.

title

The title of the patch.

kb_id

The operating system-specific ID of the patch.

classification

The classification of the patch, such as SecurityUpdates, Updates, and CriticalUpdates.

severity

The severity of the patch such as Critical, Important, and Moderate.

state

The state of the patch on the managed node, such as INSTALLED or FAILED.

installed_time

The date/time the patch was installed on the managed node. Not all operating systems provide this level of information.

cve_ids

The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch.

Relationships

  • SSMInstancePatch is a resource under the AWS Account.

    ```
    (AWSAccount)-[RESOURCE]->(SSMInstancePatch)
    ```
    
  • EC2Instances have SSMInstancePatches

    ```
    (EC2Instance)-[HAS_INFORMATION]->(SSMInstancePatch)
    ```
    

Azure Schema

AzureTenant

Representation of an Azure Tenant.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Tenant ID number

Relationships

  • Azure Principal is part of the Azure Account.

    ```
    (AzureTenant)-[RESOURCE]->(AzurePrincipal)
    ```
    

AzurePrincipal

Representation of an Azure Principal..

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

email

Email of the Azure Principal

Relationships

  • Azure Principal is part of the Azure Account.

    ```
    (AzurePrincipal)-[RESOURCE]->(AzureTenant)
    ```
    

AzureSubscription

Representation of an Azure Subscription..

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Subscription ID number

name

The friendly name that identifies the subscription

path

The full ID for the Subscription

state

Can be one of Enabled | Disabled | Deleted | PastDue | Warned

Relationships

  • Azure Tenant contains one or more Subscriptions.

    ```
    (AzureTenant)-[RESOURCE]->(AzureSubscription)
    ```
    

VirtualMachine

Representation of an Azure Virtual Machine.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Virtual Machine ID number

type

The type of the resource

location

The location where Virtual Machine is created

resourcegroup

The Resource Group where Virtual Machine is created

name

The friendly name that identifies the Virtual Machine

plan

The plan associated with the Virtual Machine

size

The size of the Virtual Machine

license_type

The type of license

computer_name

The computer name

identity_type

The type of identity used for the virtual machine

zones

The Virtual Machine zones

ultra_ssd_enabled

Enables or disables a capability on the virtual machine or virtual machine scale set.

priority

Specifies the priority for the virtual machine

eviction_policy

Specifies the eviction policy for the Virtual Machine

Relationships

  • Azure Subscription contains one or more Virtual Machines.

    ```
    (AzureSubscription)-[RESOURCE]->(VirtualMachine)
    ```
    

AzureDataDisk

Representation of an Azure Data Disk.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Data Disk ID number

lun

Specifies the logical unit number of the data disk

name

The data disk name

vhd

The virtual hard disk associated with data disk

image

The source user image virtual hard disk

size

The size of the disk in GB

caching

Specifies the caching requirement

createoption

Specifies how the disk should be created

write_accelerator_enabled

Specifies whether writeAccelerator should be enabled or disabled on the data disk

managed_disk_storage_type

The data disk storage type

Relationships

  • Azure Virtual Machines are attached to Data Disks.

    ```
    (VirtualMachine)-[ATTACHED_TO]->(AzureDataDisk)
    ```
    

AzureDisk

Representation of an Azure Disk.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Disk ID number

type

The type of the resource

location

The location where Disk is created

resourcegroup

The Resource Group where Disk is created

name

The friendly name that identifies the Disk

createoption

Specifies how the disk should be created

disksizegb

The size of the disk in GB

encryption

Specifies whether the disk has encryption enabled

maxshares

Specifies how many machines can share the disk

ostype

The operating system type of the disk

tier

Performance Tier associated with the disk

sku

The disk sku name

zones

The logical zone list for disk

Relationships

  • Azure Subscription contains one or more Disks.

    ```
    (AzureSubscription)-[RESOURCE]->(AzureDisk)
    ```
    

AzureSnapshot

Representation of an Azure Snapshot.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The Azure Snapshot ID number

type

The type of the resource

location

The location where snapshot is created

resourcegroup

The Resource Group where snapshot is created

name

The friendly name that identifies the snapshot

createoption

Specifies how the disk should be created

disksizegb

The size of the snapshot in GB

encryption

Specifies whether the snapshot has encryption enabled

incremental

Indicates whether a snapshot is incremental or not

network_access_policy

Policy for accessing the snapshot via network

ostype

The operating system type of the snapshot

tier

Performance Tier associated with the snapshot

sku

The snapshot sku name

zones

The logical zone list for snapshot

Relationships

  • Azure Subscription contains one or more Snapshots.

    ```
    (AzureSubscription)-[RESOURCE]->(AzureSnapshot)
    ```
    

AzureSQLServer

Representation of an AzureSQLServer.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

location

The location where the resource is created

resourcegroup

The Resource Group where SQL Server is created

name

The friendly name that identifies the SQL server

kind

Specifies the kind of SQL server

state

The state of the server

version

The version of the server

Relationships

  • Azure Subscription contains one or more SQL Servers.

    ```
    (AzureSubscription)-[RESOURCE]->(AzureSQLServer)
    ```
    
  • Azure SQL Server can be used by one or more Azure Server DNS Aliases.

    ```
    (AzureSQLServer)-[USED_BY]->(AzureServerDNSAlias)
    ```
    
  • Azure SQL Server can be administered by one or more Azure Server AD Administrators.

    ```
    (AzureSQLServer)-[ADMINISTERED_BY]->(AzureServerADAdministrator)
    ```
    
  • Azure SQL Server has one or more Azure Recoverable Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureRecoverableDatabase)
    ```
    
  • Azure SQL Server has one or more Azure Restorable Dropped Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureRestorableDroppedDatabase)
    ```
    
  • Azure SQL Server has one or more Azure Failover Group.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureFailoverGroup)
    ```
    
  • Azure SQL Server has one or more Azure Elastic Pool.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureElasticPool)
    ```
    
  • Azure SQL Server has one or more Azure SQL Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureSQLDatabase)
    ```
    

AzureServerDNSAlias

Representation of an AzureServerDNSAlias.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the server DNS alias

dnsrecord

The fully qualified DNS record for alias.

Relationships

  • Azure SQL Server can be used by one or more Azure Server DNS Aliases.

    ```
    (AzureSQLServer)-[USED_BY]->(AzureServerDNSAlias)
    ```
    

AzureServerADAdministrator

Representation of an AzureServerADAdministrator.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

administratortype

The type of the server administrator.

login

The login name of the server administrator.

Relationships

  • Azure SQL Server can be administered by one or more Azure Server AD Administrators.

    ```
    (AzureSQLServer)-[ADMINISTERED_BY]->(AzureServerADAdministrator)
    ```
    

AzureRecoverableDatabase

Representation of an AzureRecoverableDatabase.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

edition

The edition of the database.

servicelevelobjective

The service level objective name of the database.

lastbackupdate

The last available backup date of the database (ISO8601 format).

Relationships

  • Azure SQL Server has one or more Azure Recoverable Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureRecoverableDatabase)
    ```
    

AzureRestorableDroppedDatabase

Representation of an AzureRestorableDroppedDatabase.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The geo-location where the resource lives.

databasename

The name of the database.

creationdate

The creation date of the database (ISO8601 format).

deletiondate

The deletion date of the database (ISO8601 format).

restoredate

The earliest restore date of the database (ISO8601 format).

edition

The edition of the database.

servicelevelobjective

The service level objective name of the database.

maxsizebytes

The max size in bytes of the database.

Relationships

  • Azure SQL Server has one or more Azure Restorable Dropped Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureRestorableDroppedDatabase)
    ```
    

AzureFailoverGroup

Representation of an AzureFailoverGroup.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The geo-location where the resource lives.

replicationrole

Local replication role of the failover group instance.

replicationstate

Replication state of the failover group instance.

Relationships

  • Azure SQL Server has one or more Azure Failover Group.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureFailoverGroup)
    ```
    

AzureElasticPool

Representation of an AzureElasticPool.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The location of the resource.

kind

The kind of elastic pool.

creationdate

The creation date of the elastic pool (ISO8601 format).

state

The state of the elastic pool.

maxsizebytes

The storage limit for the database elastic pool in bytes.

licensetype

The license type to apply for this elastic pool.

zoneredundant

Specifies whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.

Relationships

  • Azure SQL Server has one or more Azure Elastic Pool.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureElasticPool)
    ```
    

AzureSQLDatabase

Representation of an AzureSQLDatabase.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The location of the resource.

kind

The kind of database.

creationdate

The creation date of the database (ISO8601 format).

databaseid

The ID of the database.

maxsizebytes

The max size of the database expressed in bytes.

licensetype

The license type to apply for this database.

secondarylocation

The default secondary region for this database.

elasticpoolid

The resource identifier of the elastic pool containing this database.

collation

The collation of the database.

failovergroupid

Failover Group resource identifier that this database belongs to.

zoneredundant

Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones.

restorabledroppeddbid

The resource identifier of the restorable dropped database associated with create operation of this database.

recoverabledbid

The resource identifier of the recoverable database associated with create operation of this database.

Relationships

  • Azure SQL Server has one or more Azure SQL Database.

    ```
    (AzureSQLServer)-[RESOURCE]->(AzureSQLDatabase)
    ```
    
  • Azure SQL Database contains one or more Azure Replication Links.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureReplicationLink)
    ```
    
  • Azure SQL Database contains a Database Threat Detection Policy.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureDatabaseThreatDetectionPolicy)
    ```
    
  • Azure SQL Database contains one or more Restore Points.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureRestorePoint)
    ```
    
  • Azure SQL Database contains Transparent Data Encryption.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureTransparentDataEncryption)
    ```
    

AzureDatabaseThreatDetectionPolicy

Representation of an AzureDatabaseThreatDetectionPolicy.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The geo-location where the resource lives.

kind

The kind of the resource.

emailadmins

Specifies that the alert is sent to the account administrators.

emailaddresses

Specifies the semicolon-separated list of e-mail addresses to which the alert is sent.

retentiondays

Specifies the number of days to keep in the Threat Detection audit logs.

state

Specifies the state of the policy.

storageendpoint

Specifies the blob storage endpoint.

useserverdefault

Specifies whether to use the default server policy.

disabledalerts

Specifies the semicolon-separated list of alerts that are disabled, or empty string to disable no alerts.

Relationships

  • Azure SQL Database contains a Database Threat Detection Policy.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureDatabaseThreatDetectionPolicy)
    ```
    

AzureRestorePoint

Representation of an AzureRestorePoint.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The geo-location where the resource lives.

restoredate

The earliest time to which this database can be restored.

restorepointtype

The type of restore point.

creationdate

The time the backup was taken.

Relationships

  • Azure SQL Database contains one or more Restore Points.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureRestorePoint)
    ```
    

AzureTransparentDataEncryption

Representation of an AzureTransparentDataEncryption.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The resource ID

name

The name of the resource.

location

The resource location.

status

The status of the database transparent data encryption.

Relationships

  • Azure SQL Database contains Transparent Data Encryption.

    ```
    (AzureSQLDatabase)-[CONTAINS]->(AzureTransparentDataEncryption)
    ```
    

AzureStorageAccount

Representation of an AzureStorageAccount.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

location

The geo-location where the resource lives.

resourcegroup

The Resource Group where the storage account is created

name

The name of the resource.

kind

Gets the Kind of the resource.

creationtime

Gets the creation date and time of the storage account in UTC.

hnsenabled

Specifies if the Account HierarchicalNamespace is enabled.

primarylocation

Gets the location of the primary data center for the storage account.

secondarylocation

Gets the location of the geo-replicated secondary for the storage account.

provisioningstate

Gets the status of the storage account at the time the operation was called.

statusofprimary

Gets the status availability status of the primary location of the storage account.

statusofsecondary

Gets the status availability status of the secondary location of the storage account.

supportshttpstrafficonly

Allows https traffic only to storage service if sets to true.

Relationships

  • Azure Subscription contains one or more Storage Accounts.

    ```
    (AzureSubscription)-[RESOURCE]->(AzureStorageAccount)
    ```
    
  • Azure Storage Accounts uses one or more Queue Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageQueueService)
    ```
    
  • Azure Storage Accounts uses one or more Table Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageTableService)
    ```
    
  • Azure Storage Accounts uses one or more File Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageFileService)
    ```
    
  • Azure Storage Accounts uses one or more Blob Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageBlobService)
    ```
    

AzureStorageQueueService

Representation of an AzureStorageQueueService.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the queue service.

Relationships

  • Azure Storage Accounts uses one or more Queue Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageQueueService)
    ```
    
  • Queue Service contains one or more queues.

    ```
    (AzureStorageQueueService)-[CONTAINS]->(AzureStorageQueue)
    ```
    

AzureStorageTableService

Representation of an AzureStorageTableService.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the table service.

Relationships

  • Azure Storage Accounts uses one or more Table Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageTableService)
    ```
    
  • Table Service contains one or more tables.

    ```
    (AzureStorageTableService)-[CONTAINS]->(AzureStorageTable)
    ```
    

AzureStorageFileService

Representation of an AzureStorageFileService.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the file service.

Relationships

  • Azure Storage Accounts uses one or more File Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageFileService)
    ```
    
  • Table Service contains one or more file shares.

    ```
    (AzureStorageFileService)-[CONTAINS]->(AzureStorageFileShare)
    ```
    

AzureStorageBlobService

Representation of an AzureStorageBlobService.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the blob service.

Relationships

  • Azure Storage Accounts uses one or more Blob Services.

    ```
    (AzureStorageAccount)-[USES]->(AzureStorageBlobService)
    ```
    
  • Blob Service contains one or more blob containers.

    ```
    (AzureStorageBlobService)-[CONTAINS]->(AzureStorageBlobContainer)
    ```
    

AzureStorageQueue

Representation of an AzureStorageQueue.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the queue.

Relationships

  • Queue Service contains one or more queues.

    ```
    (AzureStorageQueueService)-[CONTAINS]->(AzureStorageQueue)
    ```
    

AzureStorageTable

Representation of an AzureStorageTable.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the table resource.

tablename

Table name under the specified account.

Relationships

  • Table Service contains one or more tables.

    ```
    (AzureStorageTableService)-[CONTAINS]->(AzureStorageTable)
    ```
    

AzureStorageFileShare

Representation of an AzureStorageFileShare.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the resource.

lastmodifiedtime

Specifies the date and time the share was last modified.

sharequota

The maximum size of the share, in gigabytes.

accesstier

Specifies the access tier for the share.

deleted

Indicates whether the share was deleted.

accesstierchangetime

Indicates the last modification time for share access tier.

accesstierstatus

Indicates if there is a pending transition for access tier.

deletedtime

The deleted time if the share was deleted.

enabledprotocols

The authentication protocol that is used for the file share.

remainingretentiondays

Remaining retention days for share that was soft deleted.

shareusagebytes

The approximate size of the data stored on the share.

version

The version of the share.

Relationships

  • File Service contains one or more file shares.

    ```
    (AzureStorageTableService)-[CONTAINS]->(AzureStorageFileShare)
    ```
    

AzureStorageBlobContainer

Representation of an AzureStorageBlobContainer.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource ID for the resource.

type

The type of the resource.

name

The name of the resource.

deleted

Indicates whether the blob container was deleted.

deletedtime

Blob container deletion time.

defaultencryptionscope

Default the container to use specified encryption scope for all writes.

publicaccess

Specifies whether data in the container may be accessed publicly and the level of access.

leasestatus

The lease status of the container.

leasestate

Lease state of the container.

lastmodifiedtime

Specifies the date and time the container was last modified.

remainingretentiondays

Specifies the remaining retention days for soft deleted blob container.

version

The version of the deleted blob container.

hasimmutabilitypolicy

Specifies the if the container has an ImmutabilityPolicy or not.

haslegalhold

Specifies if the container has any legal hold tags.

leaseduration

Specifies whether the lease on a container is of infinite or fixed duration, only when the container is leased.

Relationships

  • Blob Service contains one or more blob containers.

    ```
    (AzureStorageBlobService)-[CONTAINS]->(AzureStorageBlobContainer)
    ```
    

AzureCosmosDBAccount

Representation of an AzureCosmosDBAccount.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

location

The location of the resource group to which the resource belongs.

resourcegroup

The Resource Group where the database account is created.

name

The name of the ARM resource.

kind

Indicates the type of database account.

type

The type of Azure resource.

ipranges

List of IpRules.

capabilities

List of Cosmos DB capabilities for the account.

documentendpoint

The connection endpoint for the Cosmos DB database account.

virtualnetworkfilterenabled

Flag to indicate whether to enable/disable Virtual Network ACL rules.

enableautomaticfailover

Enables automatic failover of the write region in the rare event that the region is unavailable due to an outage.

provisioningstate

The status of the Cosmos DB account at the time the operation was called.

multiplewritelocations

Enables the account to write in multiple locations.

accountoffertype

The offer type for the Cosmos DB database account.

publicnetworkaccess

Whether requests from Public Network are allowed.

enablecassandraconnector

Enables the cassandra connector on the Cosmos DB C* account.

connectoroffer

The cassandra connector offer type for the Cosmos DB database C* account.

disablekeybasedmetadatawriteaccess

Disable write operations on metadata resources (databases, containers, throughput) via account keys.

keyvaulturi

The URI of the key vault.

enablefreetier

Flag to indicate whether Free Tier is enabled.

enableanalyticalstorage

Flag to indicate whether to enable storage analytics.

defaultconsistencylevel

The default consistency level and configuration settings of the Cosmos DB account.

maxstalenessprefix

When used with the Bounded Staleness consistency level, this value represents the number of stale requests tolerated.

maxintervalinseconds

When used with the Bounded Staleness consistency level, this value represents the time amount of staleness (in seconds) tolerated.

Relationships

  • Azure Subscription contains one or more database accounts.

    ```
    (AzureSubscription)-[RESOURCE]->(AzureCosmosDBAccount)
    ```
    
  • Azure Database Account can be read from, written from and is associated with Azure CosmosDB Locations.

    ```
    (AzureCosmosDBAccount)-[CAN_WRITE_FROM]->(AzureCosmosDBLocation)
    ```
    (AzureCosmosDBAccount)-[CAN_READ_FROM]->(AzureCosmosDBLocation)
    ```
    (AzureCosmosDBAccount)-[ASSOCIATED_WITH]->(AzureCosmosDBLocation)
    ```
    
  • Azure Database Account contains one or more Cors Policy.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCorsPolicy)
    ```
    
  • Azure Database Account contains one or more failover policies.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBAccountFailoverPolicy)
    ```
    
  • Azure Database Account is configured with one or more private endpoint connections.

    ```
    (AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCDBPrivateEndpointConnection)
    ```
    
  • Azure Database Account is configured with one or more virtual network rules.

    ```
    (AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCosmosDBVirtualNetworkRule)
    ```
    
  • Azure Database Account contains one or more SQL databases.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBSqlDatabase)
    ```
    
  • Azure Database Account contains one or more Cassandra keyspace.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCassandraKeyspace)
    ```
    
  • Azure Database Account contains one or more MongoDB Database.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBMongoDBDatabase)
    ```
    
  • Azure Database Account contains one or more table resource.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBTableResource)
    ```
    

AzureCosmosDBLocation

Representation of an Azure CosmosDB Location.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier of the region within the database account.

locationname

The name of the region.

documentendpoint

The connection endpoint for the specific region.

provisioningstate

The status of the Cosmos DB account at the time the operation was called.

failoverpriority

The failover priority of the region.

iszoneredundant

Flag to indicate whether or not this region is an AvailabilityZone region.

Relationships

  • Azure Database Account has write permissions from, read permissions from and is associated with Azure CosmosDB Locations.

    ```
    (AzureCosmosDBAccount)-[CAN_WRITE_FROM]->(AzureCosmosDBLocation)
    ```
    (AzureCosmosDBAccount)-[CAN_READ_FROM]->(AzureCosmosDBLocation)
    ```
    (AzureCosmosDBAccount)-[ASSOCIATED_WITH]->(AzureCosmosDBLocation)
    ```
    

AzureCosmosDBCorsPolicy

Representation of an Azure Cosmos DB Cors Policy.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier for Cors Policy.

allowedorigins

The origin domains that are permitted to make a request against the service via CORS.

allowedmethods

The methods (HTTP request verbs) that the origin domain may use for a CORS request.

allowedheaders

The request headers that the origin domain may specify on the CORS request.

exposedheaders

The response headers that may be sent in the response to the CORS request and exposed by the browser to the request issuer.

maxageinseconds

The maximum amount time that a browser should cache the preflight OPTIONS request.

Relationships

  • Azure Database Account contains one or more Cors Policy.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCorsPolicy)
    ```
    

AzureCosmosDBAccountFailoverPolicy

Representation of an Azure Database Account Failover Policy.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique identifier of the region in which the database account replicates to.

locationname

The name of the region in which the database account exists.

failoverpriority

The failover priority of the region. A failover priority of 0 indicates a write region.

Relationships

  • Azure Database Account contains one or more failover policies.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBAccountFailoverPolicy)
    ```
    

AzureCDBPrivateEndpointConnection

Representation of an Azure Cosmos DB Private Endpoint Connection.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Fully qualified resource Id for the resource.

name

The name of the resource.

privateendpointid

Resource id of the private endpoint.

status

The private link service connection status.

actionrequired

Any action that is required beyond basic workflow (approve/ reject/ disconnect).

Relationships

  • Azure Database Account is configured with one or more private endpoint connections.

    ```
    (AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCDBPrivateEndpointConnection)
    ```
    

AzureCosmosDBVirtualNetworkRule

Representation of an Azure Cosmos DB Virtual Network Rule.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Resource ID of a subnet.

ignoremissingvnetserviceendpoint

Create firewall rule before the virtual network has vnet service endpoint enabled.

Relationships

  • Azure Database Account is configured with one or more virtual network rules.

    ```
    (AzureCosmosDBAccount)-[CONFIGURED_WITH]->(AzureCosmosDBVirtualNetworkRule)
    ```
    

AzureCosmosDBSqlDatabase

Representation of an AzureCosmosDBSqlDatabase.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

Relationships

  • Azure Database Account contains one or more SQL databases.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBSqlDatabase)
    ```
    
  • SQL Databases contain one or more SQL containers.

    ```
    (AzureCosmosDBSqlDatabase)-[CONTAINS]->(AzureCosmosDBSqlContainer)
    ```
    

AzureCosmosDBCassandraKeyspace

Representation of an AzureCosmosDBCassandraKeyspace.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

Relationships

  • Azure Database Account contains one or more Cassandra keyspace.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBCassandraKeyspace)
    ```
    
  • Cassandra Keyspace contains one or more Cassandra tables.

    ```
    (AzureCosmosDBCassandraKeyspace)-[CONTAINS]->(AzureCosmosDBCassandraTable)
    ```
    

AzureCosmosDBMongoDBDatabase

Representation of an AzureCosmosDBMongoDBDatabase.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

Relationships

  • Azure Database Account contains one or more MongoDB Database.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBMongoDBDatabase)
    ```
    
  • MongoDB database contains one or more MongoDB collections.

    ```
    (AzureCosmosDBMongoDBDatabase)-[CONTAINS]->(AzureCosmosDBMongoDBCollection)
    ```
    

AzureCosmosDBTableResource

Representation of an AzureCosmosDBTableResource.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

Relationships

  • Azure Database Account contains one or more table resource.

    ```
    (AzureCosmosDBAccount)-[CONTAINS]->(AzureCosmosDBTableResource)
    ```
    

AzureCosmosDBSqlContainer

Representation of an AzureCosmosDBSqlContainer.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

container

Name of the Cosmos DB SQL container.

defaultttl

Default time to live.

analyticalttl

Specifies the Analytical TTL.

isautomaticindexingpolicy

Indicates if the indexing policy is automatic.

indexingmode

Indicates the indexing mode.

conflictresolutionpolicymode

Indicates the conflict resolution mode.

Relationships

  • SQL Databases contain one or more SQL containers.

    ```
    (AzureCosmosDBSqlDatabase)-[CONTAINS]->(AzureCosmosDBSqlContainer)
    ```
    

AzureCosmosDBCassandraTable

Representation of an AzureCosmosDBCassandraTable.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

container

Name of the Cosmos DB Cassandra table.

defaultttl

Time to live of the Cosmos DB Cassandra table.

analyticalttl

Specifies the Analytical TTL.

Relationships

  • Cassandra Keyspace contains one or more Cassandra tables.

    ```
    (AzureCosmosDBCassandraKeyspace)-[CONTAINS]->(AzureCosmosDBCassandraTable)
    ```
    

AzureCosmosDBMongoDBCollection

Representation of an AzureCosmosDBMongoDBCollection.

Field

Description

firstseen

Timestamp of when a sync job discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique resource identifier of the ARM resource.

name

The name of the ARM resource.

type

The type of Azure resource.

location

The location of the resource group to which the resource belongs.

throughput

Value of the Cosmos DB resource throughput or autoscaleSettings.

maxthroughput

Represents maximum throughput, the resource can scale up to.

collectionname

Name of the Cosmos DB MongoDB collection.

analyticalttl

Specifies the Analytical TTL.

Relationships

  • MongoDB database contains one or more MongoDB collections.

    ```
    (AzureCosmosDBMongoDBDatabase)-[CONTAINS]->(AzureCosmosDBMongoDBCollection)
    ```
    

DigitalOcean Schema

DOAccount

Representation of a DigitalOcean Account object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The UUID of the account

uuid

The UUID of the account (same value as id)

droplet_limit

Total number of droplets that the account can have at one time

floating_ip_limit

Total number of floating IPs the account may have

status

Status of the account

Relationships

  • DOAccount contains DOProjects.

    (DOAccount)-[RESOURCE]->(DOProjects)
    

DOProject

Representation of a DigitalOcean Project object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The unique universal identifier of the project

account_id

Id of the DOAccount where this project belongs to

description

The description of the project

environment

The environment of the project’s resources

is_default

If true, all resources will be added to this project if no project is specified

name

The human-readable name for the project

owner_uuid

The unique universal identifier of the project’s owner

created_at

A time value given in ISO8601 combined date and time format that represents when the project was created

updated_at

A time value given in ISO8601 combined date and time format that represents when the project was updated

Relationships

  • DOProject has DODroplets as resource.

    (DOProject)-[RESOURCE]->(DODroplet)
    

DODroplet

Representation of a DigitalOcean Droplet object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A unique identifier for each Droplet instance

account_id

Id of the DOAccount where this Droplet belongs to

features

An array of features enabled on this Droplet

locked

A boolean value indicating whether the Droplet has been locked, preventing actions by users

image

The slug of the base image used to create the Droplet instance

ip_address

The v4 external ip address of this Droplet

ip_v6_address

The v6 external ip address of this Droplet

kernel

The current kernel image id

name

The human-readable name set for the Droplet instance

private_ip_address

The v4 internal ip address of this Droplet

project_id

Id of the DOProject where this Droplet belongs to

region

The region that the Droplet instance is deployed in

size

The current size object describing the Droplet

status

A status string indicating the state of the Droplet instance.This may be “new”, “active”, “off”, or “archive”

tags

An array of Tags the Droplet has been tagged with

volumes

A flat array including the unique identifier for each Block Storage volume attached to the Droplet

created_at

A time value given in ISO8601 combined date and time format that represents when the Droplet was created

Relationships

  • DODroplet is a resource of a DOProject.

    (DODroplet)<-[RESOURCE]-(DOProject)
    

GCP Schema

GCPOrganization

Representation of a GCP Organization object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The name of the GCP Organization, e.g. “organizations/1234”

displayname

The “friendly name”, e.g. “My Company”

lifecyclestate

The organization’s current lifecycle state. Assigned by the server. See the official docs.

Relationships

  • GCPOrganizations contain GCPFolders.

    (GCPOrganization)-[RESOURCE]->(GCPFolder)
    
  • GCPOrganizations can contain GCPProjects.

    (GCPOrganization)-[RESOURCE]->(GCPProjects)
    

GCPFolder

Representation of a GCP Folder. An additional helpful reference is the Google Compute Platform resource hierarchy.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The name of the folder, e.g. “folders/1234”

displayname

A friendly name of the folder, e.g. “My Folder”.

lifecyclestate

The folder’s current lifecycle state. Assigned by the server. See the official docs.

Relationships

  • GCPOrganizations are parents of GCPFolders.

    (GCPOrganization)<-[PARENT]-(GCPFolder)
    
  • GCPFolders can contain GCPProjects

    (GCPFolder)-[RESOURCE]->(GCPProject)
    
  • GCPFolders can contain other GCPFolders.

    (GCPFolder)-[RESOURCE]->(GCPFolder)
    

GCPProject

Representation of a GCP Project. An additional helpful reference is the Google Compute Platform resource hierarchy.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the project, e.g. “sys-12345”

projectnumber

The number uniquely identifying the project, e.g. ‘987654’

displayname

A friendly name of the project, e.g. “MyProject”.

lifecyclestate

The project’s current lifecycle state. Assigned by the server. See the official docs.

Relationships

  • GCPOrganizations contain GCPProjects.

    (GCPOrganization)-[RESOURCE]->(GCPProjects)
    
    • GCPFolders can contain GCPProjects

      (GCPFolder)-[RESOURCE]->(GCPProject)
      
  • GCPVpcs are part of GCPProjects

    (GCPProject)-[RESOURCE]->(GCPVpc)
    

GCPBucket

Representation of a GCP Storage Bucket.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the storage bucket, e.g. “bucket-12345”

projectnumber

The number uniquely identifying the project associated with the storage bucket, e.g. ‘987654’

self_link

The URI of the storage bucket

kind

The kind of item this is. For storage buckets, this is always storage#bucket

location

The location of the bucket. Object data for objects in the bucket resides in physical storage within this region. Defaults to US. See Cloud Storage bucket locations for the authoritative list.

location_type

The type of location that the bucket resides in, as determined by the location property

meta_generation

The metadata generation of this bucket

storage_class

The bucket’s default storage class, used whenever no storageClass is specified for a newly-created object. For more information, see storage classes

time_created

The creation time of the bucket in RFC 3339 format

retention_period

The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived

iam_config_bucket_policy_only

The bucket’s Bucket Policy Only configuration

owner_entity

The entity, in the form project-owner-projectId

owner_entity_id

The ID for the entity

versioning_enabled

The bucket’s versioning configuration (if set to True, versioning is fully enabled for this bucket)

log_bucket

The destination bucket where the current bucket’s logs should be placed

requester_pays

The bucket’s billing configuration (if set to true, Requester Pays is enabled for this bucket)

default_kms_key_name

A Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified

Relationships

  • GCPBuckets are part of GCPProjects.

    (GCPProject)-[RESOURCE]->(GCPBucket)
    
  • GCPBuckets can be labelled with GCPBucketLabels.

    (GCPBucket)<-[LABELLED]-(GCPBucketLabels)
    

GCPDNSZone

Representation of a GCP DNS Zone.

Field

Description

created_at

The date and time the zone was created

description

An optional description of the zone

dns_name

The DNS name of this managed zone, for instance “example.com.”.

firstseen

Timestamp of when a sync job first discovered this node

id

Unique identifier

name

The name of the zone

nameservers

Virtual name servers the zone is delegated to

visibility

The zone’s visibility: public zones are exposed to the Internet, while private zones are visible only to Virtual Private Cloud resources.

Relationships

  • GKEClusters are resources of GCPProjects.

    (GCPProject)-[RESOURCE]->(GCPDNSZone)
    

Label: GCPBucketLabel

Representation of a GCP Storage Bucket Label. This node contains a key-value pair.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the bucket label. Takes the form “GCPBucketLabel_{key}.”

key

The key of the bucket label.

value

The value of the bucket label.

  • GCPBuckets can be labeled with GCPBucketLabels.

    (GCPBucket)<-[LABELED]-(GCPBucketLabels)
    

GCPInstance

Representation of a GCP Instance. Additional references can be found in the official documentation.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The partial resource URI representing this instance. Has the form projects/{project_name}/zones/{zone_name}/instances/{instance_name}.

partial_uri

Same as id above.

self_link

The full resource URI representing this instance. Has the form https://www.googleapis.com/compute/v1/{partial_uri}

instancename

The name of the instance, e.g. “my-instance”

zone_name

The zone that the instance is installed on

hostname

If present, the hostname of the instance

exposed_internet

Set to True with exposed_internet_type = 'direct' if there is an ‘allow’ IPRule attached to one of the instance’s ingress firewalls with the following conditions: The ‘allow’ IpRule allows traffic from one or more TCP ports, and the ‘allow’ IpRule is not superceded by a ‘deny’ IPRule (in GCP, a firewall rule of priority 1 gets applied ahead of a firewall rule of priority 100, and ‘deny’ rules of the same priority are applied ahead of ‘allow’ rules)

status

The GCP Instance Lifecycle state of the instance

Relationships

  • GCPInstances are resources of GCPProjects.

    (GCPProject)-[RESOURCE]->(GCPInstance)
    
  • GCPNetworkInterfaces are attached to GCPInstances

    (GCPInstance)-[NETWORK_INTERFACE]->(GCPNetworkInterface)
    
  • GCP Instances may be members of one or more GCP VPCs.

       (GCPInstance)-[:MEMBER_OF_GCP_VPC]->(GCPVpc)
    
    Also note that this relationship is a shortcut for:
    
    (GCPInstance)-[:NETWORK_INTERFACE]->(:GCPNetworkInterface)-[:PART_OF_SUBNET]->(GCPSubnet)<-[:RESOURCE]-(GCPVpc)
    
  • GCP Instances may have GCP Tags defined on them for use in network firewall routing.

    (GCPInstance)-[:TAGGED]->(GCPNetworkTag)
    
  • GCP Firewalls allow ingress to GCP instances.

       (GCPFirewall)-[:FIREWALL_INGRESS]->(GCPInstance)
    
    Note that this relationship is a shortcut for:
    
       (vpc:GCPVpc)<-[MEMBER_OF_GCP_VPC]-(GCPInstance)-[TAGGED]->(GCPNetworkTag)-[TARGET_TAG]-(GCPFirewall{direction: 'INGRESS'})<-[RESOURCE]-(vpc)
    
    as well as
    
    MATCH (fw:GCPFirewall{direction: 'INGRESS', has_target_service_accounts: False}})
    WHERE NOT (fw)-[TARGET_TAG]->(GCPNetworkTag)
    MATCH (GCPInstance)-[MEMBER_OF_GCP_VPC]->(GCPVpc)-[RESOURCE]->(fw)
    

GCPNetworkTag

Representation of a Tag defined on a GCP Instance or GCP Firewall. Tags are defined on GCP instances for use in network firewall routing.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

GCP doesn’t define a resource URI for Tags so we define this as {instance resource URI}/tags/{tag value}

tag_id

same as id

value

The actual value of the tag

Relationships

  • GCP Instances can be labeled with tags.

    (GCPInstance)-[:TAGGED]->(GCPNetworkTag)
    
  • GCP Firewalls can be labeled with tags to direct traffic to or deny traffic to labeled GCPInstances

    (GCPFirewall)-[:TARGET_TAG]->(GCPNetworkTag)
    
  • GCPNetworkTags are defined on a VPC and only have effect on assets in that VPC

    (GCPVpc)-[DEFINED_IN]->(GCPNetworkTag)
    

GCPVpc

Representation of a GCP VPC. In GCP documentation this is also known simply as a “Network” object.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The partial resource URI representing this VPC. Has the form projects/{project_name}/global/networks/{vpc name}.

partial_uri

Same as id

self_link

The full resource URI representing this VPC. Has the form https://www.googleapis.com/compute/v1/{partial_uri}

name

The name of the VPC

project_id

The project ID that this VPC belongs to

auto_create_subnetworks

When set to true, the VPC network is created in “auto” mode. When set to false, the VPC network is created in “custom” mode. An auto mode VPC network starts with one subnet per region. Each subnet has a predetermined range as described in Auto mode VPC network IP ranges.

routing_confg_routing_mode

The network-wide routing mode to use. If set to REGIONAL, this network’s Cloud Routers will only advertise routes with subnets of this network in the same region as the router. If set to GLOBAL, this network’s Cloud Routers will advertise routes with all subnets of this network, across regions.

description

A description for the VPC

Relationships

  • GCPVpcs are part of projects

    (GCPProject)-[RESOURCE]->(GCPVpc)
    
  • GCPVpcs contain GCPSubnets

    (GCPVpc)-[RESOURCE]->(GCPSubnet)
    
  • GCPSubnets are part of GCP VPCs

    (GCPVpc)-[RESOURCE]->(GCPSubnet)
    
  • GCPNetworkTags are defined on a VPC and only have effect on assets in that VPC

    (GCPVpc)-[DEFINED_IN]->(GCPNetworkTag)
    
  • GCP Instances may be members of one or more GCP VPCs.

       (GCPInstance)-[:MEMBER_OF_GCP_VPC]->(GCPVpc)
    
    Also note that this relationship is a shortcut for:
    
    (GCPInstance)-[:NETWORK_INTERFACE]->(:GCPNetworkInterface)-[:PART_OF_SUBNET]->(GCPSubnet)<-[:RESOURCE]-(GCPVpc)
    

GCPNetworkInterface

Representation of a GCP Instance’s network interface (scroll down to the fields on “networkInterface”).

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A partial resource URI representing this network interface. Note: GCP does not define a partial resource URI for network interfaces, so we create one so we can uniquely identify GCP network interfaces. Has the form projects/{project_name}/zones/{zone_name}/instances/{instance_name}/networkinterfaces/{network interface name}.

nic_id

Same as id

name

The name of the network interface

private_ip

The private IP address of this network interface. This IP is valid on the network interface’s VPC.

Relationships

  • GCPNetworkInterfaces are attached to GCPInstances

    (GCPInstance)-[NETWORK_INTERFACE]->(GCPNetworkInterface)
    
  • GCPNetworkInterfaces are connected to GCPSubnets

    (GCPNetworkInterface)-[PART_OF_SUBNET]->(GCPSubnet)
    
  • GCPNetworkInterfaces have GCPNicAccessConfig objects defined on them

    (GCPNetworkInterface)-[RESOURCE]->(GCPNicAccessConfig)
    

GCPNicAccessConfig

Representation of the AccessConfig object on a GCP Instance’s network interface (scroll down to the fields on “networkInterface”).

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A partial resource URI representing this AccessConfig. Note: GCP does not define a partial resource URI for AccessConfigs, so we create one so we can uniquely identify GCP network interface access configs. Has the form projects/{project_name}/zones/{zone_name}/instances/{instance_name}/networkinterfaces/{network interface name}/accessconfigs/{access config type}.

partial_uri

Same as id

type

The type of configuration. GCP docs say: “The default and only option is ONE_TO_ONE_NAT.”

name

The name of this access configuration. The default and recommended name is External NAT, but you can use any arbitrary string, such as My external IP or Network Access.

public_ip

The external IP associated with this instance

set_public_ptr

Specifies whether a public DNS ‘PTR’ record should be created to map the external IP address of the instance to a DNS domain name.

public_ptr_domain_name

The DNS domain name for the public PTR record. You can set this field only if the setPublicPtr field is enabled.

network_tier

This signifies the networking tier used for configuring this access configuration and can only take the following values: PREMIUM, STANDARD.

Relationships

  • GCPNetworkInterfaces have GCPNicAccessConfig objects defined on them

    (GCPNetworkInterface)-[RESOURCE]->(GCPNicAccessConfig)
    

GCPRecordSet

Representation of a GCP Resource Record Set.

Field

Description

data

Data contained in the record

firstseen

Timestamp of when a sync job first discovered this node

id

Same as name

name

The name of the Resource Record Set

type

The identifier of a supported record type. See the list of Supported DNS record types.

ttl

Number of seconds that this ResourceRecordSet can be cached by resolvers.

Relationships

  • GCPRecordSets are records of GCPDNSZones.

    (GCPDNSZone)-[HAS_RECORD]->(GCPRecordSet)
    

GCPSubnet

Representation of a GCP Subnetwork.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A partial resource URI representing this Subnet. Has the form projects/{project}/regions/{region}/subnetworks/{subnet name}.

partial_uri

Same as id

self_link

The full resource URI representing this subnet. Has the form https://www.googleapis.com/compute/v1/{partial_uri}

project_id

The project ID that this Subnet belongs to

name

The name of this Subnet

region

The region of this Subnet

gateway_address

Gateway IP address of this Subnet

ip_cidr_range

The CIDR range covered by this Subnet

vpc_partial_uri

The partial URI of the VPC that this Subnet is a part of

private_ip_google_access

Whether the VMs in this subnet can access Google services without assigned external IP addresses. This field can be both set at resource creation time and updated using setPrivateIpGoogleAccess.

Relationships

  • GCPSubnets are part of GCP VPCs

    (GCPVpc)-[RESOURCE]->(GCPSubnet)
    
  • GCPNetworkInterfaces are connected to GCPSubnets

    (GCPNetworkInterface)-[PART_OF_SUBNET]->(GCPSubnet)
    

GCPFirewall

Representation of a GCP Firewall.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A partial resource URI representing this Firewall.

partial_uri

Same as id

direction

Either ‘INGRESS’ for inbound or ‘EGRESS’ for outbound

disabled

Whether this firewall object is disabled

priority

The priority of this firewall rule from 1 (apply this first)-65535 (apply this last)

self_link

The full resource URI to this firewall

has_target_service_accounts

Set to True if this Firewall has target service accounts defined. This field is currently a placeholder for future functionality to add GCP IAM objects to Cartography. If True, this firewall rule will only apply to GCP instances that use the specified target service account.

Relationships

  • Firewalls belong to VPCs

    (GCPVpc)-[RESOURCE]->(GCPFirewall)
    
  • Firewalls define rules that allow traffic

    (GcpIpRule)-[ALLOWED_BY]->(GCPFirewall)
    
  • Firewalls define rules that deny traffic

    (GcpIpRule)-[DENIED_BY]->(GCPFirewall)
    
  • GCP Firewalls can be labeled with tags to direct traffic to or deny traffic to labeled GCPInstances

    (GCPFirewall)-[:TARGET_TAG]->(GCPNetworkTag)
    
  • GCP Firewalls allow ingress to GCP instances.

       (GCPFirewall)-[:FIREWALL_INGRESS]->(GCPInstance)
    
    Note that this relationship is a shortcut for:
    
       (vpc:GCPVpc)<-[MEMBER_OF_GCP_VPC]-(GCPInstance)-[TAGGED]->(GCPNetworkTag)-[TARGET_TAG]-(GCPFirewall{direction: 'INGRESS'})<-[RESOURCE]-(vpc)
    
    as well as
    
    MATCH (fw:GCPFirewall{direction: 'INGRESS', has_target_service_accounts: False}})
    WHERE NOT (fw)-[TARGET_TAG]->(GCPNetworkTag)
    MATCH (GCPInstance)-[MEMBER_OF_GCP_VPC]->(GCPVpc)-[RESOURCE]->(fw)
    

GCPForwardingRule

Representation of GCP Forwarding Rules and Global Forwarding Rules.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

A partial resource URI representing this Forwarding Rule

partial_uri

Same as id

ip_address

IP address that this Forwarding Rule serves

ip_protocol

IP protocol to which this rule applies

load_balancing_scheme

Specifies the Forwarding Rule type

name

Name of the Forwarding Rule

network

A partial resource URI of the network this Forwarding Rule belongs to

port_range

Port range used in conjunction with a target resource. Only packets addressed to ports in the specified range will be forwarded to target configured

ports

Ports to forward to a backend service. Only packets addressed to these ports are forwarded to the backend services configured

project_id

The project ID that this Forwarding Rule belongs to

region

The region of this Forwarding Rule

self_link

Server-defined URL for the resource

subnetwork

A partial resource URI of the subnetwork this Forwarding Rule belongs to

target

A partial resource URI of the target resource to receive the traffic

Relationships

  • GCPForwardingRules can be a resource of a GCPVpc.

    (GCPVpc)-[RESOURCE]->(GCPForwardingRule)
    
  • GCPForwardingRules can be a resource of a GCPSubnet.

    (GCPSubnet)-[RESOURCE]->(GCPForwardingRule)
    

GKECluster

Representation of a GCP GKE Cluster.

Field

Description

basic_auth

Set to True if both masterauth_username and masterauth_password are set

created_at

The date and time the cluster was created

cluster_ipv4cidr

The IP address range of the container pods in the cluster

current_master_version

The current software version of the master endpoint

database_encryption

Configuration of etcd encryption

description

An optional description of the cluster

endpoint

The IP address of the cluster’s master endpoint. The endpoint can be accessed from the internet at https://username:password@endpoint/

exposed_internet

Set to True if at least among private_nodes, private_endpoint_enabled, or master_authorized_networks are disabled

firstseen

Timestamp of when a sync job first discovered this node

id

Same as self_link

initial_version

The initial Kubernetes version for the cluster

location

The name of the Google Compute Engine zone or region in which the cluster resides

logging_service

The logging service used to write logs. Available options: logging.googleapis.com/kubernetes, logging.googleapis.com, none

master_authorized_networks

If enabled, it disallows all external traffic to access Kubernetes master through HTTPS except traffic from the given CIDR blocks, Google Compute Engine Public IPs and Google Prod IPs

masterauth_username

The username to use for HTTP basic authentication to the master endpoint. For clusters v1.6.0 and later, basic authentication can be disabled by leaving username unspecified (or setting it to the empty string)

masterauth_password

The password to use for HTTP basic authentication to the master endpoint. If a password is provided for cluster creation, username must be non-empty

monitoring_service

The monitoring service used to write metrics. Available options: monitoring.googleapis.com/kubernetes, monitoring.googleapis.com, none

name

The name of the cluster

network

The name of the Google Compute Engine network to which the cluster is connected

network_policy

Set to True if a network policy provider has been enabled

private_endpoint_enabled

Whether the master’s internal IP address is used as the cluster endpoint

private_endpoint

The internal IP address of the cluster’s master endpoint

private_nodes

If enabled, all nodes are given only private addresses and communicate with the master via private networking

public_endpoint

The external IP address of the cluster’s master endpoint

self_link

Server-defined URL for the resource

services_ipv4cidr

The IP address range of the Kubernetes services in the cluster

shielded_nodes

Whether Shielded Nodes are enabled

status

The current status of the cluster

subnetwork

The name of the Google Compute Engine subnetwork to which the cluster is connected

zone

The name of the Google Compute Engine zone in which the cluster resides

Relationships

  • GKEClusters are resources of GCPProjects.

    (GCPProject)-[RESOURCE]->(GKECluster)
    

IpRule::IpPermissionInbound::GCPIpRule

An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field

Description

ruleid

{firewall_partial_uri}/{rule_type}/{port_range}{protocol}

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

protocol

The protocol this rule applies to

fromport

Lowest port in the range defined by this rule

toport

Highest port in the range defined by this rule

Relationships

  • GCP Firewall rules are defined on IpRange objects.

    (GCPIpRule, IpRule, IpPermissionInbound)<-[MEMBER_OF_IP_RULE)-(:IpRange)
    
  • Firewalls define rules that allow traffic

    (GcpIpRule)-[ALLOWED_BY]->(GCPFirewall)
    
  • Firewalls define rules that deny traffic

    (GcpIpRule)-[DENIED_BY]->(GCPFirewall)
    

IpRange

Representation of an IP range or subnet.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

CIDR notation for the IP range. E.g. “0.0.0.0/0” for the whole internet.

Relationships

  • GCP Firewall rules are defined on IpRange objects.

    (GCPIpRule, IpRule, IpPermissionInbound)<-[MEMBER_OF_IP_RULE)-(:IpRange)
    

Github Schema

GitHubRepository

Representation of a single GitHubRepository (repo) repository object. This node contains all data unique to the repo.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The GitHub repo id. These are not unique across GitHub instances, so are prepended with the API URL the id applies to

createdat

GitHub timestamp from when the repo was created

name

Name of the repo

fullname

Name of the organization and repo together

description

Text describing the repo

primarylanguage

The primary language used in the repo

homepage

The website used as a homepage for project information

defaultbranch

The default branch used by the repo, typically master

defaultbranchid

The unique identifier of the default branch

private

True if repo is private

disabled

True if repo is disabled

archived

True if repo is archived

locked

True if repo is locked

giturl

URL used to access the repo from git commandline

url

Web URL for viewing the repo

sshurl

URL for access the repo via SSH

updatedat

GitHub timestamp for last time repo was modified

Relationships

  • GitHubUsers or GitHubOrganizations own GitHubRepositories.

    (GitHubUser)-[OWNER]->(GitHubRepository)
    (GitHubOrganization)-[OWNER]->(GitHubRepository)
    
  • GitHubRepositories in an organization can have outside collaborators with different permissions, including ADMIN, WRITE, MAINTAIN, TRIAGE, and READ (Reference).

    (GitHubUser)-[:OUTSIDE_COLLAB_{ACTION}]->(GitHubRepository)
    
  • GitHubRepositories use ProgrammingLanguages

    (GitHubRepository)-[:LANGUAGE]->(ProgrammingLanguage)
    
  • GitHubRepositories have GitHubBranches

    (GitHubRepository)-[:BRANCH]->(GitHubBranch)
    
  • GitHubTeams can have various levels of access to GitHubRepositories.

    (GitHubTeam)-[ADMIN|READ|WRITE|TRIAGE|MAINTAIN]->(GitHubRepository)
    

GitHubOrganization

Representation of a single GitHubOrganization organization object. This node contains minimal data for the GitHub Organization.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The URL of the GitHub organization

username

Name of the organization

Relationships

  • GitHubOrganizations own GitHubRepositories.

    (GitHubOrganization)-[OWNER]->(GitHubRepository)
    
  • GitHubTeams are resources under GitHubOrganizations

    (GitHubOrganization)-[RESOURCE]->(GitHubTeam)
    

GitHubTeam

A GitHubTeam organization object.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The URL of the GitHub Team

name

The name (a.k.a URL slug) of the GitHub Team

description

Description of the GitHub team

Relationships

  • GitHubTeams can have various levels of access to GitHubRepositories.

    (GitHubTeam)-[ADMIN|READ|WRITE|TRIAGE|MAINTAIN]->(GitHubRepository)
    
  • GitHubTeams are resources under GitHubOrganizations

    (GitHubOrganization)-[RESOURCE]->(GitHubTeam)
    

GitHubUser

Representation of a single GitHubUser user object. This node contains minimal data for the GitHub User.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The URL of the GitHub user

username

Name of the user

fullname

The full name

has_2fa_enabled

Whether the user has 2-factor authentication enabled

role

Either ‘ADMIN’ (denoting that the user is an owner of a Github organization) or ‘MEMBER’

is_site_admin

Whether the user is a site admin

permission

Only present if the user is an outside collaborator of this repo.

permission is either ADMIN, MAINTAIN, READ, TRIAGE, or WRITE (ref). | email | The user’s publicly visible profile email. | company | The user’s public profile company.

Relationships

  • GitHubUsers own GitHubRepositories.

    (GitHubUser)-[OWNER]->(GitHubRepository)
    
  • GitHubRepositories in an organization can have outside collaborators with different permissions, including ADMIN, WRITE, MAINTAIN, TRIAGE, and READ (Reference).

    (GitHubUser)-[:OUTSIDE_COLLAB_{ACTION}]->(GitHubRepository)
    

GitHubBranch

Representation of a single GitHubBranch ref object. This node contains minimal data for a repository branch.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The GitHub branch id. These are not unique across GitHub instances, so are prepended with the API URL the id applies to

name

Name of the branch

Relationships

  • GitHubRepositories have GitHubBranches.

    (GitHubBranch)<-[BRANCH]-(GitHubRepository)
    

ProgrammingLanguage

Representation of a single Programming Language language object. This node contains programming language information.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

Language ids need not be tracked across instances, so defaults to the name

name

Name of the language

Relationships

  • GitHubRepositories use ProgrammingLanguages.

    (ProgrammingLanguage)<-[LANGUAGE]-(GitHubRepository)
    

Dependency::PythonLibrary

Representation of a Python library as listed in a requirements.txt or setup.cfg file. Within a setup.cfg file, cartography will load everything from install_requires, setup_requires, and extras_require.

Field

Description

id

The canonicalized name of the library. If the library was pinned in a requirements file using the == operator, then id has the form {canonical name}|{pinned_version}.

name

The canonicalized name of the library.

version

The exact version of the library. This field is only present if the library was pinned in a requirements file using the == operator.

Relationships

  • Software on Github repos can import Python libraries by optionally specifying a version number.

    (GitHubRepository)-[:REQUIRES{specifier}]->(PythonLibrary)
    
    • specifier: A string describing this library’s version e.g. “<4.0,>=3.0” or “==1.0.2”. This field is only present on the :REQUIRES edge if the repo’s requirements file provided a version pin.

  • A Python Dependency is affected by a SemgrepSCAFinding (optional)

    (:SemgrepSCAFinding)-[:AFFECTS]->(:PythonLibrary)
    

GSuite Schema

GSuiteUser

Reference: https://developers.google.com/admin-sdk/directory/v1/reference/users#resource

Field

Description

id

The unique ID for the user as a string. A user id can be used as a user request URI’s userKey

user_id

duplicate of id.

agreed_to_terms

This property is true if the user has completed an initial login and accepted the Terms of Service agreement.

change_password_at_next_login

Indicates if the user is forced to change their password at next login. This setting doesn’t apply when the user signs in via a third-party identity provider.

creation_time

The time the user’s account was created. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example, 2010-04-05T17:30:04+01:00.

customer_id

The customer ID to retrieve all account users. You can use the alias my_customer to represent your account’s customerId. As a reseller administrator, you can use the resold customer account’s customerId. To get a customerId, use the account’s primary domain in the domain parameter of a users.list request.

etag

ETag of the resource

include_in_global_address_list

Indicates if the user’s profile is visible in the G Suite global address list when the contact sharing feature is enabled for the domain. For more information about excluding user profiles, see the administration help center.

ip_whitelisted

If true, the user’s IP address is white listed.

is_admin

Indicates a user with super admininistrator privileges. The isAdmin property can only be edited in the Make a user an administrator operation (makeAdmin method). If edited in the user insert or update methods, the edit is ignored by the API service.

is_delegated_admin

Indicates if the user is a delegated administrator. Delegated administrators are supported by the API but cannot create or undelete users, or make users administrators. These requests are ignored by the API service. Roles and privileges for administrators are assigned using the Admin console.

is_enforced_in_2_sv

Is 2-step verification enforced (Read-only)

is_enrolled_in_2_sv

Is enrolled in 2-step verification (Read-only)

is_mailbox_setup

Indicates if the user’s Google mailbox is created. This property is only applicable if the user has been assigned a Gmail license.

kind

The type of the API resource. For Users resources, the value is admin#directory#user.

last_login_time

The last time the user logged into the user’s account. The value is in ISO 8601 date and time format. The time is the complete date plus hours, minutes, and seconds in the form YYYY-MM-DDThh:mm:ssTZD. For example, 2010-04-05T17:30:04+01:00.

name

First name + Last name

family_name

The user’s last name. Required when creating a user account.

given_name

The user’s first name. Required when creating a user account.

org_unit_path

The full path of the parent organization associated with the user. If the parent organization is the top-level, it is represented as a forward slash (/).

primary_email

The user’s primary email address. This property is required in a request to create a user account. The primaryEmail must be unique and cannot be an alias of another user.

suspended

Indicates if user is suspended

thumbnail_photo_etag

ETag of the user’s photo

thumbnail_photo_url

Photo Url of the user

lastupdated

Timestamp of when a sync job last updated this node

firstseen

Timestamp of when a sync job first discovered this node

Relationships

  • GSuiteUser is an identity for a Human

    (Human)-[IDENTITY_GSUITE]->(GSuiteUser)
    

GSuiteGroup

Reference: https://developers.google.com/admin-sdk/directory/v1/reference/groups

Field

Description

id

The unique ID of a group. A group id can be used as a group request URI’s groupKey.

admin_created

Value is true if this group was created by an administrator rather than a user.

description

An extended description to help users determine the purpose of a group. For example, you can include information about who should join the group, the types of messages to send to the group, links to FAQs about the group, or related groups. Maximum length is 4,096 characters.

direct_members_count

The number of users that are direct members of the group. If a group is a member (child) of this group (the parent), members of the child group are not counted in the directMembersCount property of the parent group

email

The group’s email address. If your account has multiple domains, select the appropriate domain for the email address. The email must be unique. This property is required when creating a group. Group email addresses are subject to the same character usage rules as usernames, see the administration help center for the details.

etag

ETag of the resource

kind

The type of the API resource. For Groups resources, the value is admin#directory#group.

name

The group’s display name.

lastupdated

Timestamp of when a sync job last updated this node

firstseen

Timestamp of when a sync job first discovered this node

Jamf Schema

JamfComputerGroup

Representation of a Jamf computer group.

Field

Description

id

The group id

name

The friendly name of the group

is_smart

Whether the group is smart

Relationships

  • Coming soon!

Kubernetes Schema

KubernetesCluster

Representation of a Kubernetes Cluster.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Identifier for the cluster i.e. UID of kube-system namespace

name

Name assigned to the cluster which is derived from kubeconfig context

Relationships

  • KubernetesCluster has KubernetesNamespaces.

    (KubernetesCluster)-[HAS_NAMESPACE]->(KubernetesNamespace)
    
  • KubernetesCluster can have KubernetesPods.

    (KubernetesCluster)-[HAS_POD]->(KubernetesPod)
    

KubernetesNamespace

Representation of a Kubernetes Namespace.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

UID of the kubernetes namespace

name

Name of the kubernetes namespace

created_at

Timestamp of the creation time of the kubernetes namespace

deleted_at

Timestamp of the deletion time of the kubernetes namespace

Relationships

  • KubernetesNamespace can have KubernetesPods.

    (KubernetesNamespace)-[HAS_POD]->(KubernetesPod)
    
  • KubernetesNamespace can have KubernetesServices.

    (KubernetesNamespace)-[HAS_SERVICE]->(KubernetesService)
    
  • KubernetesNamespace can have KubernetesSecrets.

    (KubernetesNamespace)-[HAS_SECRET]->(KubernetesSecret)
    

KubernetesPod

Representation of a Kubernetes Pod.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

UID of the kubernetes pod

name

Name of the kubernetes pod

status_phase

The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle.

created_at

Timestamp of the creation time of the kubernetes pod

deleted_at

Timestamp of the deletion time of the kubernetes pod

Relationships

  • KubernetesPod has KubernetesContainers.

    (KubernetesPod)-[HAS_CONTAINER]->(KubernetesContainer)
    

KubernetesContainer

Representation of a Kubernetes Container.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Identifier for the container which is derived from the UID of pod and the name of container

name

Name of the container in kubernetes pod

image

Docker image used in the container

status_image_id

ImageID of the container’s image.

status_image_sha

The SHA portion of the status_image_id

status_ready

Specifies whether the container has passed its readiness probe.

status_started

Specifies whether the container has passed its startup probe.

statys_state

State of the container (running, terminated, waiting)

Relationships

  • KubernetesPod has KubernetesContainers.

    (KubernetesPod)-[HAS_CONTAINER]->(KubernetesContainer)
    

KubernetesService

Representation of a Kubernetes Service.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

UID of the kubernetes service

name

Name of the kubernetes service

created_at

Timestamp of the creation time of the kubernetes service

deleted_at

Timestamp of the deletion time of the kubernetes service

type

Type of kubernetes service e.g. ClusterIP

load_balancer_ip

IP of the load balancer when service type is LoadBalancer

ingress_host

Hostname of the ingress endpoint, if any

ingress_ip

IP of the ingress endpoint, if any

Relationships

  • KubernetesService can serve KubernetesPods.

    (KubernetesService)-[SERVES_POD]->(KubernetesPod)
    

KubernetesSecret

Representation of a Kubernetes Secret.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

UID of the kubernetes secret

name

Name of the kubernetes secret

created_at

Timestamp of the creation time of the kubernetes secret

deleted_at

Timestamp of the deletion time of the kubernetes secret

type

Type of kubernetes secret e.g. Opaque

Relationships

  • KubernetesNamespace can have KubernetesSecrets.

    (KubernetesNamespace)-[HAS_SECRET]->(KubernetesSecret)
    

Okta Schema

OktaOrganization

Representation of an Okta Organization.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The name of the Okta Organization, e.g. “lyft”

name

The name of the Okta Organization, e.g. “lyft”

Relationships

  • An OktaOrganization contains OktaUsers

    (OktaOrganization)-[RESOURCE]->(OktaUser)
    
  • An OktaOrganization contains OktaGroups.

    (OktaOrganization)-[RESOURCE]->(OktaGroup)
    
  • An OktaOrganization contains OktaApplications

    (OktaOrganization)-[RESOURCE]->(OktaApplication)
    
  • An OktaOrganization has OktaTrustedOrigins

    (OktaOrganization)-[RESOURCE]->(OktaTrustedOrigin)
    
  • An OktaOrganization has OktaAdministrationRoles

    (OktaOrganization)-[RESOURCE]->(OktaAdministrationRole)
    

OktaUser

Representation of an Okta User.

Field

Description

id

user id

first_name

user first name

last_name

user last name

login

user usernmae used to login (usually email)

email

user email

second_email

user secondary email

mobile_phone

user mobile phone

created

date and time of creation

activated

date and time of activation

status_changed

date and time of the last state change

last_login

date and time of last login

okta_last_updated

date and time of last user property changes

password_changed

date and time of last password change

transition_to_status

date and time of last state transition change

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • An OktaOrganization contains OktaUsers

    (OktaUser)<-[RESOURCE]->(OktaOrganization)
    
  • OktaUsers are assigned OktaApplication

    (OktaUser)-[APPLICATION]->(OktaApplication)
    
  • OktaUser is an identity for a Human

    (OktaUser)<-[IDENTITY_OKTA]-(Human)
    
  • An OktaUser can be a member of an OktaGroup

    (OktaUser)-[MEMBER_OF_OKTA_GROUP]->(OktaGroup)
    
  • An OktaUser can be a member of an OktaAdministrationRole

    (OktaUser)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)
    
  • OktaUsers can have authentication factors

    (OktaUser)-[FACTOR]->(OktaUserFactor)
    

OktaGroup

Representation of an Okta Group.

Field

Description

id

application id

name

group name

description

group description

sam_account_name

windows SAM account name mapped

dn

group dn

windows_domain_qualified_name

windows domain name

external_id

group foreign id

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • OktaOrganizations contain OktaGroups

    (OktaGroup)<-[RESOURCE]->(OktaOrganizations)
    
  • OktaApplications can be assigned to OktaGroups

    (OktaGroup)-[APPLICATION]->(OktaApplication)
    
  • An OktaUser can be a member of an OktaGroup

    (OktaUser)-[MEMBER_OF_OKTA_GROUP]->(OktaGroup)
    
  • An OktaGroup can be a member of an OktaAdministrationRole

    (OktaGroup)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)
    
    • Members of an Okta group can assume associated AWS roles if Okta SAML is configured with AWS.

      (AWSRole)-[ALLOWED_BY]->(OktaGroup)
      

OktaApplication

Representation of an Okta Application.

Field

Description

id

application id

name

application name

label

application label

created

application creation date

okta_last_updated

date and time of last application property changes

status

application status

activated

application activation state

features

application features

sign_on_mode

application signon mode

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • OktaApplication is a resource of an OktaOrganization

    (OktaApplication)<-[RESOURCE]->(OktaOrganization)
    
    • OktaGroups can be assigned OktaApplications

    (OktaGroup)-[APPLICATION]->(OktaApplication)
    
    • OktaUsers are assigned OktaApplications

    (OktaUser)-[APPLICATION]->(OktaApplication)
    
    • OktaApplications have ReplyUris

    (ReplyUri)-[REPLYURI]->(OktaApplication)
    

OktaUserFactor

Representation of Okta User authentication Factors.

Field

Description

id

factor id

factor_type

factor type

provider

factor provider

status

factor status

created

factor creation date and time

okta_last_updated

date and time of last property changes

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • OktaUsers can have authentication Factors

    (OktaUser)-[FACTOR]->(OktaUserFactor)
    

OktaTrustedOrigin

Representation of an Okta Trusted Origin for login/logout or recovery operations.

Field

Description

id

trusted origin id

name

name

scopes

array of scope

status

status

created

date & time of creation in okta

create_by

id of user who created the trusted origin

okta_last_updated

date and time of last property changes

okta_last_updated_by

id of user who last updated the trusted origin

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • An OktaOrganization has OktaTrustedOrigins.

    (OktaOrganization)-[RESOURCE]->(OktaTrustedOrigin)
    

OktaAdministrationRole

Representation of an Okta Administration Role.

Field

Description

id

role id mapped to the type

type

role type

label

role label

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • OktaUsers can be members of OktaAdministrationRoles

    (OktaUser)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)
    
  • An OktaGroup can be a member of an OktaAdministrationRolee

    (OktaGroup)-[MEMBER_OF_OKTA_ROLE]->(OktaAdministrationRole)
    
    • An OktaOrganization contains OktaAdministrationRoles

      (OktaOrganization)-[RESOURCE]->(OktaAdministrationRole)
      

Reply Uri

Representation of Okta Application ReplyUri.

Field

Description

id

uri the app can send the reply to

uri

uri the app can send the reply to

valid

is the DNS of the reply uri valid. Invalid replyuris can lead to oath phishing

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

Relationships

  • OktaApplications have ReplyUris

    (ReplyUri)-[REPLYURI]->(OktaApplication)
    

Pagerduty Schema

PagerDutyEscalationPolicy

Representation of a PagerDuty Escalation Policy

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the escalation policy

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (escalation_policy)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

on_call_handoff_notifications

Determines how on call handoff notifications will be sent for users on the escalation policy. Defaults to “if_has_services”.

name

The name of the escalation policy.

num_loops

The number of times the escalation policy will repeat after reaching the end of its escalation.

Relationships

  • A PagerDutyEscalationPolicy has PagerDutyEscalationPolicyRules

    (PagerDutyEscalationPolicy)-[HAS\_RULE]->(PagerDutyEscalationPolicyRule)
    
  • A PagerDutyEscalationPolicy is associated with PagerDutyUsers

    (PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyUser)
    
  • A PagerDutyEscalationPolicy is associated with PagerDutySchedules

    (PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutySchedule)
    
  • A PagerDutyEscalationPolicy is associated with PagerDutyServices

    (PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyService)
    
  • A PagerDutyEscalationPolicy is associated with PagerDutyTeams

    (PagerDutyEscalationPolicy)-[ASSOCIATED\_WITH]->(PagerDutyTeam)
    

PagerDutySchedule

Representation of a PagerDuty Schedule

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the schedule

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (schedule)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

name

The name of the schedule.

time_zone

The time zone of the schedule

description

The description of the schedule

Relationships

  • A PagerDutySchedule has PagerDutyScheduleLayers

    (PagerDutySchedule)-[HAS\_LAYER]->(PagerDutyScheduleLayer)
    

PagerDutyScheduleLayer

Representation of a layer in a PagerDuty Schedule

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the schedule layer

schedule_id

The ID of the schedule this layer is attached to.

start

The start time of this layer

end

The end time of this layer. If null, the layer does not end.

rotation_virtual_start

The effective start time of the layer. This can be before the start time of the schedule.

rotation_turn_length_seconds

The duration of each on-call shift in seconds.

Relationships

No relationships originating from PagerDutyScheduleLayer

PagerDutyService

Representation of a PagerDuty Service

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the service

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (service)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

name

The name of this service

description

The user-provided description of the service.

auto_resolve_timeout

Time in seconds that an incident is automatically resolved if left open for that long. Value is null if the feature is disabled. Value must not be negative. Setting this field to 0, null (or unset in POST request) will disable the feature.

acknowledgement_timeout

Time in seconds that an incident changes to the Triggered State after being Acknowledged. Value is null if the feature is disabled. Value must not be negative. Setting this field to 0, null (or unset in POST request) will disable the feature.

created_at

The date/time when this service was created

status

The current state of the Service.

alert_creation

Whether a service creates only incidents, or both alerts and incidents. A service must create alerts in order to enable incident merging.

alert_grouping_parameters_type

The type of Alert Grouping.

incident_urgency_rule_type

The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.

incident_urgency_rule_during_support_hours_type

The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.

incident_urgency_rule_during_support_hours_urgency

The incidents’ urgency, if type is constant.

incident_urgency_rule_outside_support_hours_type

The type of incident urgency: whether it’s constant, or it’s dependent on the support hours.

incident_urgency_rule_outside_support_hours_urgency

The incidents’ urgency, if type is constant.

support_hours_type

The type of support hours

support_hours_time_zone

The time zone for the support hours

support_hours_start_time

The support hours’ starting time of day (date portion is ignored)

support_hours_end_time

support_hours_end_time

support_hours_days_of_week

(no description)

Relationships

  • A PagerDutyService has PagerDutyIntegrations

    (PagerDutyService)-[HAS\_INTEGRATION]->(PagerDutyIntegration)
    

PagerDutyIntegration

Representation of a PagerDuty Integration

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the integration

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (integration)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

name

The name of this integration

created_at

The date/time when this integration was created.

Relationships

  • A PagerDutyIntegration has PagerDutyVendors

    (PagerDutyIntegration)-[HAS\_VENDOR]->(PagerDutyVendor)
    

PagerDutyTeam

Representation of a PagerDuty Team

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the team

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (team)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

name

The name of the team

description

The description of the team

default_role

(no description, but returned by API)

Relationships

  • A PagerDutyTeam is associated with PagerDutyServices

    (PagerDutyTeam)-[ASSOCIATED\_WITH]->(PagerDutyServices)
    

PagerDutyUser

Representation of a PagerDuty User

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The ID of the user

html_url

the API show URL at which the object is accessible

type

The type of this pagerduty object (user)

summary

A short-form, server-generated string that provides succinct, important information about an object suitable for primary labeling of an entity in a client. In many cases, this will be identical to name, though it is not intended to be an identifier.

name

The name of the user

email

The user’s email address

time_zone

The preferred time zone name. If null, the account’s time zone will be used.

color

The schedule color

role

The user role. Account must have the read_only_users ability to set a user as a read_only_user or a read_only_limited_user, and must have advanced permissions abilities to set a user as observer or restricted_access.

avatar_url

The URL of the user’s avatar.

description

The user’s bio.

invitation_sent

If true, the user has an outstanding invitation.

job_title

The user’s title

Relationships

  • A PagerDutyUser is a member of PagerDutySchedules

    (PagerDutyUser)-[MEMBER\_OF]->(PagerDutySchedule)
    
  • A PagerDutyUser is a member of PagerDutyScheduleLayers

    (PagerDutyUser)-[MEMBER\_OF]->(PagerDutyScheduleLayer)
    
  • A PagerDutyUser is a member of PagerDutyTeams

    (PagerDutyUser)-[MEMBER\_OF]->(PagerDutyTeam)