AWS Schema¶

AWSAccount¶

Representation of an AWS Account.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
name	The name of the account
inscope	Indicates that the account is part of the sync scope (true or false).
foreign	Indicates if the account is not part of the sync scope (true or false). One such example is an account that is trusted as part of cross-account AWSRole trust not in scope for sync.
lastupdated	Timestamp of the last time the node was updated
id	The AWS Account ID number

Relationships¶

Many node types belong to an AWSAccount.

```
(AWSAccount)-[RESOURCE]->(AWSDNSZone,
                      AWSGroup,
                      AWSInspectorFinding,
                      AWSInspectorPackage,
                      AWSLambda,
                      AWSPrincipal,
                      AWSUser,
                      AWSVpc,
                      AutoScalingGroup,
                      DNSZone,
                      DynamoDBTable,
                      EBSSnapshot,
                      EBSVolume,
                      EC2Image,
                      EC2Instance,
                      EC2Reservation,
                      EC2ReservedInstance,
                      EC2SecurityGroup,
                      ElasticIPAddress,
                      ESDomain,
                      LaunchConfiguration,
                      LaunchTemplate,
                      LaunchTemplateVersion,
                      LoadBalancer,
                      RDSCluster,
                      RDSInstance,
                      RDSSnapshot,
                      SecretsManagerSecret,
                      SecurityHub,
                      SQSQueue
                      SSMInstanceInformation,
                      SSMInstancePatch)
```

An AWSPolicy node is defined for an AWSAccount.

```
(AWSAccount)-[RESOURCE]->(AWSPolicy)
```

AWSRole nodes are defined in AWSAccount nodes.

```
(AWSAccount)-[RESOURCE]->(AWSRole)
```

AWSCidrBlock¶

AWSIpv4CidrBlock¶

AWSIpv6CidrBlock¶

Representation of an AWS CidrBlock used in VPC configuration. The AWSCidrBlock defines the base label type for AWSIpv4CidrBlock and AWSIpv6CidrBlock

Field	Description
firstseen	Timestamp of when a sync job discovered this node
cidr_block	The CIDR block
block_state	The state of the block
association_id	the association id if the block is associated to a VPC
lastupdated	Timestamp of the last time the node was updated
id	Unique identifier defined with the VPC association and the cidr_block

Relationships¶

AWSVpc association

(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)

Peering connection where AWSCidrBlock is an accepter or requester cidr.

(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
(AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)

Example of high level view of peering (without security group permissions)

MATCH p=(:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(:AWSCidrBlock)<-[:RESOURCE|BLOCK_ASSOCIATION*..]-(:AWSAccount)
RETURN p

Exploring detailed inbound peering rules

MATCH (outbound_account:AWSAccount)-[:RESOURCE|BLOCK_ASSOCIATION*..]->(:AWSCidrBlock)<-[:ACCEPTER_CIDR]-(:AWSPeeringConnection)-[:REQUESTER_CIDR]->(inbound_block:AWSCidrBlock)<-[:BLOCK_ASSOCIATION]-(inbound_vpc:AWSVpc)<-[:RESOURCE]-(inbound_account:AWSAccount)
WITH inbound_vpc, inbound_block, outbound_account, inbound_account
MATCH (inbound_range:IpRange{id: inbound_block.cidr_block})-[:MEMBER_OF_IP_RULE]->(inbound_rule:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(inbound_group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(inbound_vpc)
RETURN outbound_account.name, inbound_account.name, inbound_range.range, inbound_rule.fromport, inbound_rule.toport, inbound_rule.protocol, inbound_group.name, inbound_vpc.id

AWSGroup¶

Representation of AWS IAM Groups.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the group (IAM identifier, see linked docs above for details)
groupid	Unique string identifying the group
name	The friendly name that identifies the group
createdate	ISO 8601 date-time string when the group was created
arn	The AWS-global identifier for this group

Relationships¶

Objects part of an AWSGroup may assume AWSRoles.

```
(AWSGroup)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

AWSUsers and AWSPrincipals can be members of AWSGroups.

```
(AWSUser, AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

AWSGroups belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSGroup)
```

AWSInspectorFinding¶

Representation of an AWS Inspector Finding

Relationships¶

AWSInspectorFinding may affect EC2 Instances

(AWSInspectorFinding)-[:AFFECTS]->(EC2Instance)

AWSInspectorFinding may affect ECR Repositories

(AWSInspectorFinding)-[:AFFECTS]->(ECRRepository)

AWSInspectorFinding may affect ECR Images

(AWSInspectorFinding)-[:AFFECTS]->(ECRImage)

AWSInspectorFindings belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSInspectorFinding)
```

AWSInspectorPackage¶

Representation of an AWS Inspector Finding Package

Relationships¶

AWSInspectorFindings have AWSInspectorPackages.

```
(AWSInspectorFindings)-[HAS]->(AWSInspectorPackages)
```

AWSInspectorPackages belong to AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(AWSInspectorPackages)
```

AWSLambda¶

Representation of an AWS Lambda Function.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function
name	The name of the lambda function
modifieddate	Timestamp of the last time the function was last updated
runtime	The runtime environment for the Lambda function
description	The description of the Lambda function
timeout	The amount of time in seconds that Lambda allows a function to run before stopping it
memory	The memory that’s allocated to the function
codesize	The size of the function’s deployment package, in bytes.
handler	The function that Lambda calls to begin executing your function.
version	The version of the Lambda function.
tracingconfigmode	The function’s AWS X-Ray tracing configuration mode.
revisionid	The latest updated revision of the function or alias.
state	The current state of the function.
statereason	The reason for the function’s current state.
statereasoncode	The reason code for the function’s current state.
lastupdatestatus	The status of the last update that was performed on the function.
lastupdatestatusreason	The reason for the last update that was performed on the function.
lastupdatestatusreasoncode	The reason code for the last update that was performed on the function.
packagetype	The type of deployment package.
signingprofileversionarn	The ARN of the signing profile version.
signingjobarn	The ARN of the signing job.
codesha256	The SHA256 hash of the function’s deployment package.
architectures	The instruction set architecture that the function supports. Architecture is a string array with one of the valid values.
masterarn	For Lambda@Edge functions, the ARN of the main function.
kmskeyarn	The KMS key that’s used to encrypt the function’s environment variables. This key is only returned if you’ve configured a customer managed key.

Relationships¶

AWSLambda function are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSLambda)
```
```
AWSLambda functions may act as AWSPrincipals via role assumption.
```
```
(AWSLambda)-[STS_ASSUME_ROLE_ALLOW]->(AWSPrincipal)
```
```

AWSLambda functions may also have aliases.

```
(AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
```

AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
```
```
(AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
```
```

AWSLambda functions has AWS Lambda Layers.

```
(AWSLambda)-[HAS]->(AWSLambdaLayer)
```

AWSLambda functions has AWS ECR Images.
```
```
(AWSLambda)-[HAS]->(ECRImage)
```
```

AWSLambdaFunctionAlias¶

Representation of an AWSLambdaFunctionAlias.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function alias
name	The name of the lambda function alias
functionversion	The function version that the alias invokes.
revisionid	A unique identifier that changes when you update the alias.
description	The description of the alias.

Relationships¶

AWSLambda functions may also have aliases.

```
(AWSLambda)-[KNOWN_AS]->(AWSLambdaFunctionAlias)
```

AWSLambdaEventSourceMapping¶

Representation of an AWSLambdaEventSourceMapping.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the event source mapping
batchsize	The maximum number of items to retrieve in a single batch.
startingposition	The position in a stream from which to start reading.
startingpositiontimestamp	The time from which to start reading.
parallelizationfactor	The number of batches to process from each shard concurrently.
maximumbatchingwindowinseconds	The maximum amount of time to gather records before invoking the function, in seconds.
eventsourcearn	The Amazon Resource Name (ARN) of the event source.
lastmodified	The date that the event source mapping was last updated, or its state changed.
state	The state of the event source mapping.
maximumrecordage	Discard records older than the specified age.
bisectbatchonfunctionerror	If the function returns an error, split the batch in two and retry.
maximumretryattempts	Discard records after the specified number of retries.
tumblingwindowinseconds	The duration in seconds of a processing window.
lastprocessingresult	The result of the last AWS Lambda invocation of your Lambda function.

Relationships¶

AWSLambda functions may have the resource AWSLambdaEventSourceMapping.
```
```
(AWSLambda)-[RESOURCE]->(AWSLambdaEventSourceMapping)
```
```

AWSLambdaLayer¶

Representation of an AWSLambdaLayer.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the lambda function layer
codesize	The size of the layer archive in bytes.
signingprofileversionarn	The Amazon Resource Name (ARN) for a signing profile version.
signingjobarn	The Amazon Resource Name (ARN) of a signing job.

Relationships¶

AWSLambda functions has AWS Lambda Layers.

```
(AWSLambda)-[HAS]->(AWSLambdaLayer)
```

AWSPolicy¶

Representation of an AWS Policy.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	The friendly name (not ARN) identifying the policy
createdate	ISO 8601 date-time when the policy was created
type	“inline” or “managed” - the type of policy it is
arn	The arn for this object
id	The unique identifer for a policy. If the policy is managed this will be the Arn. If the policy is inline this will calculated as AWSPrincipal/inline_policy/PolicyName

Relationships¶

AWSPrincipal contains AWSPolicy

```
(AWSPrincipal)-[POLICY]->(AWSPolicy)
```

AWSPolicy contains AWSPolicyStatement

```
(AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
```

AWSPolicyStatement¶

Representation of an AWS Policy Statement.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
resources	(array) The resources the statement is applied to. Can contain wildcards
actions	(array) The permissions allowed or denied by the statement. Can contain wildcards
notactions	(array) The permission explicitly not matched by the statement
effect	“Allow” or “Deny” - the effect of this statement
id	The unique identifier for a statement. If the statement has an Sid the id will be calculated as AWSPolicy.id/statements/Sid. If the statement has no Sid the id will be calculated as AWSPolicy.id/statements/index of statement in statement list

Relationships¶

AWSPolicy contains AWSPolicyStatement

```
(AWSPolicy)-[STATEMENTS]->(AWSPolicyStatement)
```

AWSPrincipal¶

Representation of an AWSPrincipal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the principal
name	The friendly name of the principal
createdate	ISO 8601 date-time when the principal was created
arn	AWS-unique identifier for this object
userid	The stable and unique string identifying the principal.
passwordlastused	Datetime when this principal’s password was last used

Relationships¶

AWS Principals can be members of AWS Groups.

```
(AWSPrincipal)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

This AccountAccessKey is used to authenticate to this AWSPrincipal.
```
```
(AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

AWS Roles can trust AWS Principals.

(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)

AWS Accounts contain AWS Principals.

```
(AWSAccount)-[RESOURCE]->(AWSPrincipal)
```

Redshift clusters may assume IAM roles. See this article.

(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)

AWSPrincipal::AWSUser¶

Representation of an AWSUser. An AWS User is a type of AWS Principal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
path	The path to the user
name	The friendly name of the user
createdate	ISO 8601 date-time when the user was created
arn	AWS-unique identifier for this object
userid	The stable and unique string identifying the user.
passwordlastused	Datetime when this user’s password was last used

Relationships¶

AWS Users can be members of AWS Groups.

```
(AWSUser)-[MEMBER_AWS_GROUP]->(AWSGroup)
```

AWS Users can assume AWS Roles.

```
(AWSUser)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

This AccountAccessKey is used to authenticate to this AWSUser
```
```
(AWSUser)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

AWS Accounts contain AWS Users.

```
(AWSAccount)-[RESOURCE]->(AWSUser)
```

AWSPrincipal::AWSRole¶

Representation of an AWS IAM Role. An AWS Role is a type of AWS Principal.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
roleid	The stable and unique string identifying the role.
name	The friendly name that identifies the role.
createdate	The date and time, in ISO 8601 date-time format, when the role was created.
arn	AWS-unique identifier for this object

Relationships¶

Some AWS Groups, Users, Principals, and EC2 Instances can assume AWS Roles.
```
(AWSGroup, AWSUser, EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

Some AWS Roles can assume other AWS Roles.

(AWSRole)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)

Some AWS Roles trust AWS Principals.

(AWSRole)-[TRUSTS_AWS_PRINCIPAL]->(AWSPrincipal)

AWS Roles are defined in AWS Accounts.
```
(AWSAccount)-[RESOURCE]->(AWSRole)
```

AWSTransitGateway¶

Representation of an AWS Transit Gateway.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
owner_id	The ID of the AWS account that owns the transit gateway
description	Transit Gateway description
state	Can be one of `pending \| available \| modifying \| deleting \| deleted`
tgw_id	Unique identifier of the Transit Gateway
id	Unique identifier of the Transit Gateway
arn	AWS-unique identifier for this object (same as `id`)

Relationships¶

Transit Gateways belong to one AWSAccount…

(AWSAccount)-[RESOURCE]->(AWSTransitGateway)

… and can be shared with other accounts

(AWSAccount)<-[SHARED_WITH]-(AWSTransitGateway)

AWSTag
```
(AWSTransitGateway)-[TAGGED]->(AWSTag)
```

AWSTransitGatewayAttachment¶

Representation of an AWS Transit Gateway Attachment.

Field	Description
firstseen	Timestamp of when a sync job discovered this node
lastupdated	Timestamp of the last time the node was updated
resource_type	Can be one of `vpc \| vpn \| direct-connect-gateway \| tgw-peering`
state	Can be one of `initiating \| pendingAcceptance \| rollingBack \| pending \| available \| modifying \| deleting \| deleted \| failed \| rejected \| rejecting \| failing`
id	Unique identifier of the Transit Gateway Attachment

Relationships¶

AWSAccount

(AWSAccount)-[RESOURCE]->(AWSTransitGatewayAttachment)

AWSVpc (for VPC attachments)

(AWSVpc)-[RESOURCE]->(AWSTransitGatewayAttachment {resource_type: 'vpc'})

AWSTransitGateway attachment

(AWSTransitGateway)<-[ATTACHED_TO]-(AWSTransitGatewayAttachment)

AWSTag

(AWSTransitGatewayAttachment)-[TAGGED]->(AWSTag)

AWSVpc¶

Representation of an AWS CidrBlock used in VPC configuration. More information on https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html

Field	Description
firstseen	Timestamp of when a sync job discovered this node
vpcid	The VPC unique identifier
primary_cidr_block	The primary IPv4 CIDR block for the VPC.
instance_tenancy	The allowed tenancy of instances launched into the VPC.
state	The current state of the VPC.
region	(optional) the region of this VPC. This field is only available on VPCs in your account. It is not available on VPCs that are external to your account and linked via a VPC peering relationship.
id	Unique identifier defined VPC node (vpcid)

Relationships¶

AWSAccount resource
```
(AWSAccount)-[RESOURCE]->(AWSVpc)
```

AWSVpc and AWSCidrBlock association

(AWSVpc)-[BLOCK_ASSOCIATION]->(AWSCidrBlock)

AWSVpc and EC2SecurityGroup membership association

(AWSVpc)<-[MEMBER_OF_EC2_SECURITY_GROUP]-(EC2SecurityGroup)

AWS VPCs can be tagged with AWSTags.
```
(AWSVpc)-[TAGGED]->(AWSTag)
```

Redshift clusters can be members of AWSVpcs.

(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)

Peering connection where AWSVpc is an accepter or requester vpc.

(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
(AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)

Tag::AWSTag ¶

Representation of an AWS Tag. AWS Tags can be applied to many objects.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	This tag’s unique identifier of the format `{TagKey}:{TagValue}`. We fabricated this ID.
key	One part of a key-value pair that makes up a tag.
value	One part of a key-value pair that makes up a tag.
region	The region where this tag was discovered.

Relationships¶

AWS VPCs, DB Subnet Groups, EC2 Instances, EC2 SecurityGroups, EC2 Subnets, EC2 Network Interfaces, RDS Instances, and S3 Buckets can be tagged with AWSTags.
```
(AWSVpc, DBSubnetGroup, EC2Instance, EC2SecurityGroup, EC2Subnet, NetworkInterface, RDSInstance, S3Bucket)-[TAGGED]->(AWSTag)
```

AccountAccessKey¶

Representation of an AWS Access Key.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
createdate	Date when access key was created
status	Active: valid for API calls. Inactive: not valid for API calls
lastuseddate	Date when the key was last used
lastusedservice	The service that was last used with the access key
lastusedregion	The region where the access key was last used
accesskeyid	The ID for this access key

Relationships¶

Account Access Keys may authenticate AWS Users and AWS Principal objects.
```
```
(AWSUser, AWSPrincipal)-[AWS_ACCESS_KEY]->(AccountAccessKey)
```
```

DBSubnetGroup¶

Representation of an RDS DB Subnet Group. For more information on how RDS instances interact with these, please see this article.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
id	The ARN of the DBSubnetGroup
name	The name of DBSubnetGroup
lastupdated	Timestamp of the last time the node was updated
description	Description of the DB Subnet Group
status	The status of the group
vpc_id	The ID of the VPC (Virtual Private Cloud) that this DB Subnet Group is associated with.
value	The IP address that the DNSRecord points to

Relationships¶

RDS Instances are part of DB Subnet Groups

(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)

DB Subnet Groups consist of EC2 Subnets

(DBSubnetGroup)-[:RESOURCE]->(EC2Subnet)

DB Subnet Groups can be tagged with AWSTags.

```
(DBSubnetGroup)-[TAGGED]->(AWSTag)
```

DNSRecord¶

Representation of a generic DNSRecord.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	The name of the DNSRecord
lastupdated	Timestamp of the last time the node was updated
id	The name of the DNSRecord concatenated with the record type
type	The record type of the DNS record
value	The IP address that the DNSRecord points to

Relationships¶

DNSRecords can point to IP addresses.

```
(DNSRecord)-[DNS_POINTS_TO]->(Ip)
```

DNSRecords/AWSDNSRecords can point to each other.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
```

DNSRecords can point to LoadBalancers.

```
(DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
```

DNSRecords can be members of DNSZones.

```
(DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
```

DNSRecord::AWSDNSRecord¶

Representation of an AWS DNS ResourceRecordSet.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	The name of the DNSRecord
lastupdated	Timestamp of the last time the node was updated
id	The zoneid for the record, the value of the record, and the type concatenated together
type	The record type of the DNS record
value	If it is an A, ALIAS, or CNAME record, this is the IP address that the DNSRecord points to. If it is an NS record, the `name` is used here.

Relationships¶

DNSRecords/AWSDNSRecords can point to each other.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(AWSDNSRecord, DNSRecord)
```

AWSDNSRecords can point to LoadBalancers.

```
(AWSDNSRecord)-[DNS_POINTS_TO]->(LoadBalancer, ESDomain)
```

AWSDNSRecords can be members of AWSDNSZones.

```
(AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
```

DNSZone¶

Representation of a generic DNS Zone.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	the name of the DNS zone
comment	Comments about the zone

Relationships¶

DNSRecords can be members of DNSZones.

```
(DNSRecord)-[MEMBER_OF_DNS_ZONE]->(DNSZone)
```

DNSZone::AWSDNSZone¶

Representation of an AWS DNS HostedZone.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
name	the name of the DNS zone
zoneid	The zoneid defined by Amazon Route53
lastupdated	Timestamp of the last time the node was updated
comment	Comments about the zone
privatezone	Whether or not this is a private DNS zone

Relationships¶

AWSDNSZones and DNSZones can be part of AWSAccounts.
```
```
(AWSAccount)-[RESOURCE]->(AWSDNSZone)
```
```

AWSDNSRecords can be members of AWSDNSZones.

```
(AWSDNSRecord)-[MEMBER_OF_DNS_ZONE]->(AWSDNSZone)
```

AWSDNSZone can have subzones hosted by another AWSDNSZone
```
```
(AWSDNSZone)<-[SUBZONE]-(AWSDNSZone)
```
```

DynamoDBTable¶

Representation of an AWS DynamoDBTable.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
name	The name of the table
id	The ARN of the table
region	The AWS region of the table
arn	The AWS-unique identifier

Relationships¶

DynamoDBTables belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(DynamoDBTable)
```

EC2Instance¶

Our representation of an AWS EC2 Instance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as `instanceid` below.
instanceid	The instance id provided by AWS. This is globally unique
publicdnsname	The public DNS name assigned to the instance
publicipaddress	The public IPv4 address assigned to the instance if applicable
privateipaddress	The private IPv4 address assigned to the instance
imageid	The ID of the Amazon Machine Image used to launch the instance
subnetid	The ID of the EC2Subnet associated with this instance
instancetype	The instance type. See API docs linked above for specifics.
iaminstanceprofile	The IAM instance profile associated with the instance, if applicable.
launchtime	The time the instance was launched
monitoringstate	Whether monitoring is enabled. Valid Values: disabled, disabling, enabled, pending.
state	The current state of the instance.
launchtimeunix	The time the instance was launched in unix time
region	The AWS region this Instance is running in
exposed_internet	The `exposed_internet` flag on an EC2 instance is set to `True` when (1) the instance is part of an EC2 security group or is connected to a network interface connected to an EC2 security group that allows connectivity from the 0.0.0.0/0 subnet or (2) the instance is connected to an Elastic Load Balancer that has its own `exposed_internet` flag set to `True`.
availabilityzone	The Availability Zone of the instance.
tenancy	The tenancy of the instance.
hostresourcegrouparn	The ARN of the host resource group in which to launch the instances.
platform	The value is `Windows` for Windows instances; otherwise blank.
architecture	The architecture of the image.
ebsoptimized	Indicates whether the instance is optimized for Amazon EBS I/O.
bootmode	The boot mode of the instance.
instancelifecycle	Indicates whether this is a Spot Instance or a Scheduled Instance.
hibernationoptions	Indicates whether the instance is enabled for hibernation.

Relationships¶

EC2 Instances can be part of subnets

```
(EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
```

EC2 Instances can have NetworkInterfaces connected to them

```
(EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
```

EC2 Instances may be members of EC2 Reservations

```
(EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
```

EC2 Instances can be part of EC2 Security Groups

```
(EC2Instance)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Load Balancers can expose (be connected to) EC2 Instances
```
```
(LoadBalancer)-[EXPOSE]->(EC2Instance)
```
```
Package and Dependency nodes can be deployed in EC2 Instances.
```
```
(Package, Dependency)-[DEPLOYED]->(EC2Instance)
```
```

AWS Accounts contain EC2 Instances.

```
(AWSAccount)-[RESOURCE]->(EC2Instance)
```

EC2 Instances can be tagged with AWSTags.

```
(EC2Instance)-[TAGGED]->(AWSTag)
```

AWS EBS Volumes are attached to an EC2 Instance

```
(EBSVolume)-[ATTACHED_TO]->(EC2Instance)
```

EC2 Instances can assume IAM Roles.

```
(EC2Instance)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
```

EC2Instances can have SSMInstanceInformation

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
```

EC2Instances can have SSMInstancePatches

```
(EC2Instance)-[HAS_PATCH]->(SSMInstancePatch)
```

EC2KeyPair¶

Representation of an AWS EC2 Key Pair

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
keyname	The name of the key pair
keyfingerprint	The fingerprint of the public key
region	The AWS region
arn	AWS-unique identifier for this object
id	same as `arn`
user_uploaded	`user_uploaded` is set to `True` if the the KeyPair was uploaded to AWS. Uploaded KeyPairs will have 128-bit MD5 hashed `keyfingerprint`, and KeyPairs from AWS will have 160-bit SHA-1 hashed `keyfingerprint`s.
duplicate_keyfingerprint	`duplicate_keyfingerprint` is set to `True` if the KeyPair has the same `keyfingerprint` as another KeyPair.

Relationships¶

EC2 key pairs are contained in AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EC2KeyPair)
```

EC2 key pairs can be used to log in to AWS EC2 isntances.
```
```
(EC2KeyPair)-[SSH_LOGIN_TO]->(EC2Instance)
```
```

EC2 key pairs have matching keyfingerprint.

```
(EC2KeyPair)-[MATCHING_FINGERPRINT]->(EC2KeyPair)
```

EC2PrivateIp¶

Representation of an AWS EC2 InstancePrivateIpAddress

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
network_interface_id	id of the network interface with which the IP is associated with
primary	Indicates whether this IPv4 address is the primary private IP address of the network interface.
private_ip_address	The private IPv4 address of the network interface.
public_ip	The public IP address or Elastic IP address bound to the network interface.
ip_owner_id	Id of the owner, e.g. `amazon-elb` for ELBs

Relationships¶

EC2PrivateIps are connected with NetworkInterfaces.

```
(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
```

EC2Reservation¶

Representation of an AWS EC2 Reservation.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
requesterid	The ID of the requester that launched the instances on your behalf
reservationid	The ID of the reservation.
region	The AWS region
ownerid	The ID of the AWS account that owns the reservation.

Relationships¶

EC2 reservations are contained in AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EC2Reservation)
```

EC2 Instances are members of EC2 reservations.

```
(EC2Instance)-[MEMBER_OF_EC2_RESERVATION]->(EC2Reservation)
```

EC2SecurityGroup¶

Representation of an AWS EC2 Security Group.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
groupid	The ID of the security group
name	The name of the security group
description	A description of the security group
id	Same as `groupid`
region	The AWS region this security group is installed in

Relationships¶

EC2 Instances, Network Interfaces, Load Balancers, Elastic Search Domains, IP Rules, IP Permission Inbound nodes, and RDS Instances can be members of EC2 Security Groups.

```
(EC2Instance,
 NetworkInterface,
 LoadBalancer,
 ESDomain,
 IpRule,
 IpPermissionInbound,
 RDSInstance,
 AWSVpc)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Load balancers can define inbound Source Security Groups.

```
(LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
```

AWS Accounts contain EC2 Security Groups.

```
(AWSAccount)-[RESOURCE]->(EC2SecurityGroup)
```

EC2 SecurityGroups can be tagged with AWSTags.

```
(EC2SecurityGroup)-[TAGGED]->(AWSTag)
```

Redshift clusters can be members of EC2 Security Groups.

(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

EC2Subnet¶

Representation of an AWS EC2 Subnet.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
subnetid	The ID of the subnet
id	same as subnetid
region	The AWS region the subnet is installed on
name	The IPv4 CIDR block assigned to the subnet
cidr_block	The IPv4 CIDR block assigned to the subnet
available_ip_address_count	The number of unused private IPv4 addresses in the subnet. The IPv4 addresses for any stopped instances are considered unavailable
default_for_az	Indicates whether this is the default subnet for the Availability Zone.
map_customer_owned_ip_on_launch	Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives a customer-owned IPv4 address
map_public_ip_on_launch	Indicates whether instances launched in this subnet receive a public IPv4 address
subnet_arn	The Amazon Resource Name (ARN) of the subnet
availability_zone	The Availability Zone of the subnet
availability_zone_id	The AZ ID of the subnet
state	The current state of the subnet.
assignipv6addressoncreation	Indicates whether a network interface created in this subnet (including a network interface created by RunInstances ) receives an IPv6 address.

Relationships¶

A Network Interface can be part of an EC2 Subnet.

```
(NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
```

An EC2 Instance can be part of an EC2 Subnet.

```
(EC2Instance)-[PART_OF_SUBNET]->(EC2Subnet)
```

A LoadBalancer can be part of an EC2 Subnet.

```
(LoadBalancer)-[SUBNET]->(EC2Subnet)

```

A LoadBalancer can be part of an EC2 Subnet.

```
(LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
```

A LoadBalancerV2 can be part of an EC2 Subnet.

```
(LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
```

DB Subnet Groups consist of EC2 Subnets

(DBSubnetGroup)-[RESOURCE]->(EC2Subnet)

EC2 Subnets can be tagged with AWSTags.
```
```
(EC2Subnet)-[TAGGED]->(AWSTag)
```
```

EC2 Subnets are member of a VPC.

```
(EC2Subnet)-[MEMBER_OF_AWS_VPC]->(AWSVpc)
```

EC2 Subnets belong to AWS Accounts

```
(AWSAccount)-[RESOURCE]->(EC2Subnet)
```

EC2PrivateIps are connected with NetworkInterfaces.

(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)

AWSInternetGateway¶

Representation of an AWS Interent Gateway.

Field	Description
id	Internet gateway ID
arn	Amazon Resource Name
region	The region of the gateway

Relationships¶

Internet Gateways are attached to a VPC.

```
(AWSInternetGateway)-[ATTACHED_TO]->(AWSVpc)
```

Internet Gateways belong to AWS Accounts

```
(AWSAccount)-[RESOURCE]->(AWSInternetGateway)
```

ECRRepository¶

Representation of an AWS Elastic Container Registry Repository.

Field	Description
id	Same as ARN
arn	The ARN of the repository
name	The name of the repository
region	The region of the repository
created_at	Date and time when the repository was created

Relationships¶

An ECRRepository contains ECRRepositoryImages:

(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)

ECRRepositoryImage¶

An ECR image may be referenced and tagged by more than one ECR Repository. To best represent this, we’ve created an ECRRepositoryImage node as a layer of indirection between the repo and the image.

More concretely explained, we run ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_, and then store the image tag on an ECRRepositoryImage node and the image digest hash on a separate ECRImage node.

This way, more than one ECRRepositoryImage can reference/be connected to the same ECRImage.

Field	Description
tag	The tag applied to the repository image, e.g. “latest”
uri	The URI where the repository image is stored
id	same as uri

Relationships¶

An ECRRepository contains ECRRepositoryImages:

(:ECRRepository)-[:REPO_IMAGE]->(:ECRRepositoryImage)

ECRRepositoryImages reference ECRImages

(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)

ECRImage¶

Representation of an ECR image identified by its digest (e.g. a SHA hash). Specifically, this is the “digest part” of ``ecr.list_images()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageIdentifier.html>`_. Also see ECRRepositoryImage.

Field	Description
digest	The hash of this ECR image
id	Same as digest

Relationships¶

ECRRepositoryImages reference ECRImages

(:ECRRepositoryImage)-[:IMAGE]->(:ECRImage)

Software packages are a part of ECR Images
```
(:Package)-[:DEPLOYED]->(:ECRImage)
```

Package¶

Representation of a software package, as found by an AWS ECR vulnerability scan.

Field	Description
id	Concatenation of `{version}\|{name}`
version	The version of the package, includes the Linux distro that it was built for
name	The name of the package

Relationships¶

Software packages are a part of ECR Images
```
(:Package)-[:DEPLOYED]->(:ECRImage)
```
AWS ECR scans yield ECRScanFindings that affect software packages
```
(:ECRScanFindings)-[:AFFECTS]->(:Package)
```

ECRScanFinding (:Risk:CVE)¶

Representation of a scan finding from AWS ECR. This is the result output of ``ecr.describe_image_scan_findings()` <https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html>`_.

Field	Description
name	The name of the ECR scan finding, e.g. a CVE name
id	Same as name
severity	The severity of the risk
uri	A URI link to a descriptive article on the risk

Relationships¶

AWS ECR scans yield ECRScanFindings that affect software packages
```
(:ECRScanFindings)-[:AFFECTS]->(:Package)
```

EKSCluster¶

Representation of an AWS EKS Cluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
created_at	The date and time the cluster was created
region	The AWS region
arn	AWS-unique identifier for this object
id	same as `arn`
name	Name of the EKS Cluster
endpoint	The endpoint for the Kubernetes API server.
endpoint_public_access	Indicates whether the Amazon EKS public API server endpoint is enabled
exposed_internet	Set to True if the EKS Cluster public API server endpoint is enabled
rolearn	The ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API
version	Kubernetes version running
platform_version	Version of EKS
status	Status of the cluster. Valid Values: creating, active, deleting, failed, updating
audit_logging	Whether audit logging is enabled

Relationships¶

EKS Clusters belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EKSCluster)
```

EMRCluster¶

Representation of an AWS EMR Cluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
region	The AWS region
arn	AWS-unique identifier for this object
id	The Id of the EMR Cluster.
instance_collection_type	The instance group configuration of the cluster. A value of INSTANCE_GROUP indicates a uniform instance group configuration. A value of INSTANCE_FLEET indicates an instance fleets configuration.
log_encryption_kms_key_id	The KMS key used for encrypting log files.
requested_ami_version	The AMI version requested for this cluster.
running_ami_version	The AMI version running on this cluster.
release_label	The Amazon EMR release label, which determines the version of open-source application packages installed on the cluster.
auto_terminate	Specifies whether the cluster should terminate after completing all steps.
termination_protected	Indicates whether Amazon EMR will lock the cluster to prevent the EC2 instances from being terminated by an API call or user intervention, or in the event of a cluster error.
visible_to_all_users	Indicates whether the cluster is visible to IAM principals in the Amazon Web Services account associated with the cluster.
master_public_dns_name	The DNS name of the master node. If the cluster is on a private subnet, this is the private DNS name. On a public subnet, this is the public DNS name.
security_configuration	The name of the security configuration applied to the cluster.
autoscaling_role	An IAM role for automatic scaling policies.
scale_down_behavior	The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized.
custom_ami_id	The ID of a custom Amazon EBS-backed Linux AMI if the cluster uses a custom AMI.
repo_upgrade_on_boot	Specifies the type of updates that are applied from the Amazon Linux AMI package repositories when an instance boots using the AMI.
outpost_arn	The Amazon Resource Name (ARN) of the Outpost where the cluster is launched.
log_uri	The path to the Amazon S3 location where logs for this cluster are stored.
servicerole	Service Role of the EMR Cluster

Relationships¶

EMR Clusters belong to AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(EMRCluster)
```

ESDomain¶

Representation of an AWS ElasticSearch Domain (see ElasticsearchDomainConfig).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
elasticsearch_cluster_config_instancetype	The instancetype
elasticsearch_version	The version of elasticsearch
elasticsearch_cluster_config_zoneawarenessenabled	Indicates whether multiple Availability Zones are enabled.
elasticsearch_cluster_config_dedicatedmasterenabled	Indicates whether dedicated master nodes are enabled for the cluster. True if the cluster will use a dedicated master node. False if the cluster will not.
elasticsearch_cluster_config_dedicatedmastercount	Number of dedicated master nodes in the cluster.
elasticsearch_cluster_config_dedicatedmastertype	Amazon ES instance type of the dedicated master nodes in the cluster.
domainid	Unique identifier for an Amazon ES domain.
encryption_at_rest_options_enabled	Specify true to enable encryption at rest.
deleted	Status of the deletion of an Amazon ES domain. True if deletion of the domain is complete. False if domain deletion is still in progress.
id	same as `domainid`
arn	Amazon Resource Name (ARN) of an Amazon ES domain.
exposed_internet	`exposed_internet` is set to `True` if the ElasticSearch domain has a policy applied to it that makes it internet-accessible. This policy determination is made by using the policyuniverse library. The code for this augmentation is implemented at `cartography.intel.aws.elasticsearch._process_access_policy()`.

Relationships¶

Elastic Search domains can be members of EC2 Security Groups.

```
(ESDomain)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

Elastic Search domains belong to AWS Accounts.
```
(AWSAccount)-[RESOURCE]->(ESDomain)
```

DNS Records can point to Elastic Search domains.

```
(DNSRecord)-[DNS_POINTS_TO]->(ESDomain)
```

Endpoint¶

Representation of a generic network endpoint.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint
port	The port of this endpoint

Relationships¶

Endpoints can be installed load balancers, though more specifically we would refer to these Endpoint nodes as ELBListeners.
```
```
(LoadBalancer)-[ELB_LISTENER]->(Endpoint)
```
```

Endpoint::ELBListener¶

Representation of an AWS Elastic Load Balancer Listener. Here, an ELBListener is a more specific type of Endpoint. Here’a good introduction.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint
port	The port of this endpoint
policy_names	A list of SSL policy names set on the listener.
id	The ELB ID. This is a concatenation of the DNS name, port, and protocol.
instance_port	The port open on the EC2 instance that this listener is connected to
instance_protocol	The protocol defined on the EC2 instance that this listener is connected to

Relationships¶

A ELBListener is installed on a load balancer.

```
(LoadBalancer)-[ELB_LISTENER]->(ELBListener)
```

Endpoint::ELBV2Listener¶

Representation of an AWS Elastic Load Balancer V2 Listener.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol of this endpoint - One of `'HTTP''HTTPS''TCP''TLS''UDP''TCP_UDP'`
port	The port of this endpoint
ssl_policy	Only set for HTTPS or TLS listener. The security policy that defines which protocols and ciphers are supported.
targetgrouparn	The ARN of the Target Group, if the Action type is `forward`.

Relationships¶

A ELBV2Listener is installed on a LoadBalancerV2.

```
(elbv2)-[r:ELBV2_LISTENER]->(ELBV2Listener)
```

Ip¶

Represents a generic IP address.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
ip	The IPv4 address
id	Same as `ip`

Relationships¶

DNSRecords can point to IP addresses.

```
(DNSRecord)-[DNS_POINTS_TO]->(Ip)
```

IpRule¶

Represents a generic IP rule. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field	Description
ruleid	`{group_id}/{rule_type}/{from_port}{to_port}{protocol}`
groupid	The groupid of the EC2 Security Group that this was derived from
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol this rule applies to
fromport	Lowest port in the range defined by this rule
toport	Highest port in the range defined by this rule

Relationships¶

IpRules are defined from EC2SecurityGroups.

```
(IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

IpRule::IpPermissionInbound¶

An IpPermissionInbound node is a specific type of IpRule. It represents a generic inbound IP-based rules. The creation of this node is currently derived from ingesting AWS EC2 Security Group rules.

Field	Description
ruleid	`{group_id}/{rule_type}/{from_port}{to_port}{protocol}`
groupid	The groupid of the EC2 Security Group that this was derived from
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
protocol	The protocol this rule applies to
fromport	Lowest port in the range defined by this rule
toport	Highest port in the range defined by this rule

Relationships¶

IpPermissionInbound rules are defined from EC2SecurityGroups.

```
(IpRule, IpPermissionInbound)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancer¶

Represents an AWS Elastic Load Balancer. See spec for details.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
scheme	The type of load balancer. Valid only for load balancers in a VPC. If scheme is `internet-facing`, the load balancer has a public DNS name that resolves to a public IP address. If scheme is `internal`, the load balancer has a public DNS name that resolves to a private IP address.
name	The name of the load balancer
dnsname	The DNS name of the load balancer.
canonicalhostedzonename	The DNS name of the load balancer
id	Currently set to the `dnsname` of the load balancer.
region	The region of the load balancer
createdtime	The date and time the load balancer was created.
canonicalhostedzonenameid	The ID of the Amazon Route 53 hosted zone for the load balancer.
exposed_internet	The `exposed_internet` flag is set to `True` when the load balancer’s `scheme` field is set to `internet-facing`. This indicates that the load balancer has a public DNS name that resolves to a public IP address.

Relationships¶

LoadBalancers can be connected to EC2Instances and therefore expose them.
```
```
(LoadBalancer)-[EXPOSE]->(EC2Instance)
```
```

LoadBalancers can have source security groups configured.

```
(LoadBalancer)-[SOURCE_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancers can be part of EC2SecurityGroups.

```
(LoadBalancer)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

LoadBalancers can be part of EC2 Subnets

```
(LoadBalancer)-[SUBNET]->(EC2Subnet)
```

LoadBalancers can be part of EC2 Subnets

```
(LoadBalancer)-[PART_OF_SUBNET]->(EC2Subnet)
```

LoadBalancers can have listeners configured to accept connections from clients (good introduction).
```
```
(LoadBalancer)-[ELB_LISTENER]->(Endpoint, ELBListener)
```
```

LoadBalancers are part of AWSAccounts.

```
(AWSAccount)-[RESOURCE]->(LoadBalancer)
```

AWSDNSRecords and DNSRecords point to LoadBalancers.

```
(AWSDNSRecord, DNSRecord)-[DNS_POINTS_TO]->(LoadBalancer)
```

LoadBalancerV2¶

Represents an Elastic Load Balancer V2 (Application Load Balancer or Network Load Balancer.) API reference here.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
scheme	The type of load balancer. If scheme is `internet-facing`, the load balancer has a public DNS name that resolves to a public IP address. If scheme is `internal`, the load balancer has a public DNS name that resolves to a private IP address.
name	The name of the load balancer
dnsname	The DNS name of the load balancer.
exposed_internet	The `exposed_internet` flag is set to `True` when the load balancer’s `scheme` field is set to `internet-facing`. This indicates that the load balancer has a public DNS name that resolves to a public IP address.
id	Currently set to the `dnsname` of the load balancer.
type	Can be `application` or `network`
region	The region of the load balancer
createdtime	The date and time the load balancer was created.
canonicalhostedzonenameid	The ID of the Amazon Route 53 hosted zone for the load balancer.

Relationships¶

LoadBalancerV2’s can be connected to EC2Instances and therefore expose them.
```
```
(LoadBalancerV2)-[EXPOSE]->(EC2Instance)
```
```
EXPOSE relationshiohip also holds the protocol, port and TargetGroupArn the load balancer points to.
LoadBalancerV2’s can be part of EC2SecurityGroups but only if their type = “application”. NLBs don’t have SGs.
```
```
(LoadBalancerV2)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```
```

LoadBalancerV2’s can be part of EC2 Subnets

```
(LoadBalancerV2)-[SUBNET]->(EC2Subnet)
```

LoadBalancerV2’s can be part of EC2 Subnets

```
(LoadBalancerV2)-[PART_OF_SUBNET]->(EC2Subnet)
```

LoadBalancerV2’s have listeners:

```
(LoadBalancerV2)-[ELBV2_LISTENER]->(ELBV2Listener)
```

Nameserver¶

Represents a DNS nameserver. | Field | Description | |-------|————-| | firstseen| Timestamp of when a sync job first discovered this node | | lastupdated | Timestamp of the last time the node was updated | | id | The address of the nameserver| | name | The name or address of the nameserver|

Relationships¶

Nameservers are nameservers for to DNSZone.

```
(Nameserver)-[NAMESERVER]->(DNSZone)
```

NetworkInterface¶

Representation of a generic Network Interface. Currently however, we only create NetworkInterface nodes from AWS EC2 Instances. The spec for an AWS EC2 network interface is here.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
mac_address	The MAC address of the network interface
description	Description of the network interface
private_ip_address	The primary IPv4 address of the network interface within the subnet
id	The ID of the network interface. (known as `networkInterfaceId` in EC2)
private_dns_name	The private DNS name
status	Status of the network interface. Valid Values: `available \| associated \| attaching \| in-use \| detaching`
subnetid	The ID of the subnet
interface_type	Describes the type of network interface. Valid values: `interface \| efa`
requester_id	Id of the requester, e.g. `amazon-elb` for ELBs
requester_managed	Indicates whether the interface is managed by the requester
source_dest_check	Indicates whether to validate network traffic to or from this network interface.
public_ip	Public IPv4 address attached to the interface

Relationships¶

EC2 Network Interfaces belong to AWS accounts.

(NetworkInterface)<-[:RESOURCE]->(:AWSAccount)

Network interfaces can be connected to EC2Subnets.

```
(NetworkInterface)-[PART_OF_SUBNET]->(EC2Subnet)
```

Network interfaces can be members of EC2SecurityGroups.

```
(NetworkInterface)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)
```

EC2Instances can have NetworkInterfaces connected to them.

```
(EC2Instance)-[NETWORK_INTERFACE]->(NetworkInterface)
```

LoadBalancers can have NetworkInterfaces connected to them.

```
(LoadBalancer)-[NETWORK_INTERFACE]->(NetworkInterface)
```

LoadBalancerV2s can have NetworkInterfaces connected to them.

```
(LoadBalancerV2)-[NETWORK_INTERFACE]->(NetworkInterface)
```

EC2PrivateIps are connected to a NetworkInterface.

```
(NetworkInterface)-[PRIVATE_IP_ADDRESS]->(EC2PrivateIp)
```

EC2 Network Interfaces can be tagged with AWSTags.
```
```
(NetworkInterface)-[TAGGED]->(AWSTag)
```
```

AWSPeeringConnection¶

Representation of an AWS PeeringConnection implementing an AWS VpcPeeringConnection object.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	vpcPeeringConnectionId, The ID of the VPC peering connection.
allow_dns_resolution_from_remote_vpc	Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
allow_egress_from_local_classic_link_to_remote_vpc	Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
allow_egress_from_local_vpc_to_remote_classic_link	Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
requester_region	Peering requester region
accepter_region	Peering accepter region
status_code	The status of the VPC peering connection.
status_message	A message that provides more information about the status, if applicable.

Relationships¶

AWSVpc is an accepter or requester vpc.

(AWSVpc)<-[REQUESTER_VPC]-(AWSPeeringConnection)
(AWSVpc)<-[ACCEPTER_VPC]-(AWSPeeringConnection)

AWSCidrBlock is an accepter or requester cidr.

(AWSCidrBlock)<-[REQUESTER_CIDR]-(AWSPeeringConnection)
(AWSCidrBlock)<-[ACCEPTER_CIDR]-(AWSPeeringConnection)

RedshiftCluster¶

Representation of an AWS RedshiftCluster.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
arn	The Amazon Resource Name (ARN) for the Redshift cluster
id	Same as arn
availability_zone	Specifies the name of the Availability Zone the cluster is located in
cluster_create_time	Provides the date and time the cluster was created
cluster_identifier	The unique identifier of the cluster.
cluster_revision_number	The specific revision number of the database in the cluster.
db_name	The name of the initial database that was created when the cluster was created. This same name is returned for the life of the cluster. If an initial database was not specified, a database named devdev was created by default.
encrypted	Specifies whether the cluster has encryption enabled
cluster_status	The current state of the cluster.
endpoint_address	DNS name of the Redshift cluster endpoint
endpoint_port	The port that the Redshift cluster’s endpoint is listening on
master_username	The master user name for the cluster. This name is used to connect to the database that is specified in the DBName parameter.
node_type	The node type for the nodes in the cluster.
number_of_nodes	The number of compute nodes in the cluster.
publicly_accessible	A boolean value that, if true, indicates that the cluster can be accessed from a public network.
vpc_id	The identifier of the VPC the cluster is in, if the cluster is in a VPC.

Relationships¶

Redshift clusters are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RedshiftCluster)
```

Redshift clusters can be members of EC2 Security Groups.

(RedshiftCluster)-[MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

Redshift clusters may assume IAM roles. See this article.

(RedshiftCluster)-[STS_ASSUMEROLE_ALLOW]->(AWSPrincipal)

Redshift clusters can be members of AWSVpcs.

(RedshiftCluster)-[MEMBER_OF_AWS_VPC]->(AWSVpc)

RDSCluster¶

Representation of an AWS Relational Database Service DBCluster

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB cluster.
allocated_storage	For all database engines except Amazon Aurora, AllocatedStorage specifies the allocated storage size in gibibytes (GiB). For Aurora, AllocatedStorage always returns 1, because Aurora DB cluster storage size isn’t fixed, but instead automatically adjusts as needed.
availability_zones	Provides the list of Availability Zones (AZs) where instances in the DB cluster can be created.
backup_retention_period	Specifies the number of days for which automatic DB snapshots are retained.
character_set_name	If present, specifies the name of the character set that this cluster is associated with.
database_name	Contains the name of the initial database of this DB cluster that was provided at create time, if one was specified when the DB cluster was created. This same name is returned for the life of the DB cluster.
db_cluster_identifier	Contains a user-supplied DB cluster identifier. This identifier is the unique key that identifies a DB cluster.
db_parameter_group	Specifies the name of the DB cluster parameter group for the DB cluster.
status	Specifies the current state of this DB cluster.
earliest_restorable_time	The earliest time to which a database can be restored with point-in-time restore.
endpoint	Specifies the connection endpoint for the primary instance of the DB cluster.
reader_endpoint	The reader endpoint for the DB cluster. The reader endpoint for a DB cluster load-balances connections across the Aurora Replicas that are available in a DB cluster. As clients request new connections to the reader endpoint, Aurora distributes the connection requests among the Aurora Replicas in the DB cluster. This functionality can help balance your read workload across multiple Aurora Replicas in your DB cluster. If a failover occurs, and the Aurora Replica that you are connected to is promoted to be the primary instance, your connection is dropped. To continue sending your read workload to other Aurora Replicas in the cluster, you can then reconnect to the reader endpoint.
multi_az	Specifies whether the DB cluster has instances in multiple Availability Zones.
engine	The name of the database engine to be used for this DB cluster.
engine_version	Indicates the database engine version.
latest_restorable_time	Specifies the latest time to which a database can be restored with point-in-time restore.
port	Specifies the port that the database engine is listening on.
master_username	Contains the master username for the DB cluster.
preferred_backup_window	Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.
preferred_maintenance_window	Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
hosted_zone_id	Specifies the ID that Amazon Route 53 assigns when you create a hosted zone.
storage_encrypted	Specifies whether the DB cluster is encrypted.
kms_key_id	If StorageEncrypted is enabled, the AWS KMS key identifier for the encrypted DB cluster. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK).
db_cluster_resource_id	The AWS Region-unique, immutable identifier for the DB cluster. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS CMK for the DB cluster is accessed.
clone_group_id	Identifies the clone group to which the DB cluster is associated.
cluster_create_time	Specifies the time when the DB cluster was created, in Universal Coordinated Time (UTC).
earliest_backtrack_time	The earliest time to which a DB cluster can be backtracked.
backtrack_window	The target backtrack window, in seconds. If this value is set to 0, backtracking is disabled for the DB cluster. Otherwise, backtracking is enabled.
backtrack_consumed_change_records	The number of change records stored for Backtrack.
capacity	The current capacity of an Aurora Serverless DB cluster. The capacity is 0 (zero) when the cluster is paused.
engine_mode	The DB engine mode of the DB cluster, either provisioned, serverless, parallelquery, global, or multimaster.
scaling_configuration_info_min_capacity	The minimum capacity for the Aurora DB cluster in serverless DB engine mode.
scaling_configuration_info_max_capacity	The maximum capacity for an Aurora DB cluster in serverless DB engine mode.
scaling_configuration_info_auto_pause	A value that indicates whether automatic pause is allowed for the Aurora DB cluster in serverless DB engine mode.
deletion_protection	Indicates if the DB cluster has deletion protection enabled. The database can’t be deleted when deletion protection is enabled.

Relationships¶

RDS Clusters are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSCluster)
```

Some RDS instances are cluster members.

(replica:RDSInstance)-[IS_CLUSTER_MEMBER_OF]->(source:RDSCluster)

RDSInstance¶

Representation of an AWS Relational Database Service DBInstance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB instance.
db_instance_identifier	Contains a user-supplied database identifier. This identifier is the unique key that identifies a DB instance.
availability_zone	Specifies the name of the Availability Zone the DB instance is located in.
backup_retention_period	Specifies the number of days for which automatic DB snapshots are retained.
preferred_backup_window	Specifies the daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod.
ca_certificate_identifier	The identifier of the CA certificate for this DB instance.
db_cluster_identifier	If the DB instance is a member of a DB cluster, contains the name of the DB cluster that the DB instance is a member of.
db_instance_class	Contains the name of the compute and memory capacity class of the DB instance.
db_instance_port	Specifies the port that the DB instance listens on.
dbi_resource_id	The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed.
db_name	The meaning of this parameter differs according to the database engine you use. For example, this value returns MySQL, MariaDB, or PostgreSQL information when returning values from CreateDBInstanceReadReplica since Read Replicas are only supported for these engines. MySQL, MariaDB, SQL Server, PostgreSQL: Contains the name of the initial database of this instance that was provided at create time, if one was specified when the DB instance was created. This same name is returned for the life of the DB instance. Oracle: Contains the Oracle System ID (SID) of the created DB instance. Not shown when the returned parameters do not apply to an Oracle DB instance.
engine	Provides the name of the database engine to be used for this DB instance.
engine_version	Indicates the database engine version.
enhanced_monitoring_resource_arn	The Amazon Resource Name (ARN) of the Amazon CloudWatch Logs log stream that receives the Enhanced Monitoring metrics data for the DB instance.
instance_create_time	Provides the date and time the DB instance was created.
kms_key_id	If StorageEncrypted is true, the AWS KMS key identifier for the encrypted DB instance.
master_username	Contains the master username for the DB instance.
monitoring_role_arn	The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs.
multi_az	Specifies if the DB instance is a Multi-AZ deployment.
performance_insights_enabled	True if Performance Insights is enabled for the DB instance, and otherwise false.
preferred_maintenance_window	Specifies the weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
publicly_accessible	Specifies the accessibility options for the DB instance. A value of true specifies an Internet-facing instance with a publicly resolvable DNS name, which resolves to a public IP address. A value of false specifies an internal instance with a DNS name that resolves to a private IP address.
storage_encrypted	Specifies whether the DB instance is encrypted.
endpoint_address	DNS name of the RDS instance
endpoint_port	The port that the RDS instance is listening on
endpoint_hostedzoneid	The AWS DNS Zone ID that is associated with the RDS instance’s DNS entry
auto_minor_version_upgrade	Specifies whether minor version upgrades are applied automatically to the DB instance during the maintenance window
iam_database_authentication_enabled	Specifies if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled

Relationships¶

RDS Instances are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSInstance)
```

Some RDS instances are Read Replicas.

(replica:RDSInstance)-[IS_READ_REPLICA_OF]->(source:RDSInstance)

RDS Instances can be members of EC2 Security Groups.

(RDSInstance)-[m:MEMBER_OF_EC2_SECURITY_GROUP]->(EC2SecurityGroup)

RDS Instances are connected to DB Subnet Groups.

(RDSInstance)-[:MEMBER_OF_DB_SUBNET_GROUP]->(DBSubnetGroup)

RDS Instances can be tagged with AWSTags.

```
(RDSInstance)-[TAGGED]->(AWSTag)
```

RDSSnapshot¶

Representation of an AWS Relational Database Service DBSnapshot.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	Same as ARN
arn	The Amazon Resource Name (ARN) for the DB snapshot.
db_snapshot_identifier	Specifies the identifier for the DB snapshot.
db_instance_identifier	Specifies the DB instance identifier of the DB instance this DB snapshot was created from.
snapshot_create_time	Specifies when the snapshot was taken in Coordinated Universal Time (UTC). Changes for the copy when the snapshot is copied.
engine	Specifies the name of the database engine.
allocated_storage	Specifies the allocated storage size in gibibytes (GiB).
status	Specifies the status of this DB snapshot.
port	Specifies the port that the database engine was listening on at the time of the snapshot.
availability_zone	Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot.
vpc_id	Provides the VPC ID associated with the DB snapshot.
instance_create_time	Specifies the time in Coordinated Universal Time (UTC) when the DB instance, from which the snapshot was taken, was created.
master_username	Provides the master username for the DB snapshot.
engine_version	Specifies the version of the database engine.
license_model	License model information for the restored DB instance.
snapshot_type	Provides the type of the DB snapshot.
iops	Specifies the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the snapshot.
option_group_name	Provides the option group name for the DB snapshot.
percent_progress	The percentage of the estimated data that has been transferred.
source_region	The AWS Region that the DB snapshot was created in or copied from.
source_db_snapshot_identifier	The DB snapshot Amazon Resource Name (ARN) that the DB snapshot was copied from. It only has a value in the case of a cross-account or cross-Region copy.
storage_type	Specifies the storage type associated with DB snapshot.
tde_credential_arn	The ARN from the key store with which to associate the instance for TDE encryption.
encrypted	Specifies whether the DB snapshot is encrypted.
kms_key_id	If Encrypted is true, the AWS KMS key identifier for the encrypted DB snapshot. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
timezone	The time zone of the DB snapshot. In most cases, the Timezone element is empty. Timezone content appears only for snapshots taken from Microsoft SQL Server DB instances that were created with a time zone specified.
iam_database_authentication_enabled	True if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.
processor_features	The number of CPU cores and the number of threads per core for the DB instance class of the DB instance when the DB snapshot was created.
dbi_resource_id	The identifier for the source DB instance, which can’t be changed and which is unique to an AWS Region.
original_snapshot_create_time	Specifies the time of the CreateDBSnapshot operation in Coordinated Universal Time (UTC). Doesn’t change when the snapshot is copied.
snapshot_database_time	The timestamp of the most recent transaction applied to the database that you’re backing up. Thus, if you restore a snapshot, SnapshotDatabaseTime is the most recent transaction in the restored DB instance. In contrast, originalSnapshotCreateTime specifies the system time that the snapshot completed. If you back up a read replica, you can determine the replica lag by comparing SnapshotDatabaseTime with originalSnapshotCreateTime. For example, if originalSnapshotCreateTime is two hours later than SnapshotDatabaseTime, then the replica lag is two hours.
snapshot_target	Specifies where manual snapshots are stored: AWS Outposts or the AWS Region.
storage_throughput
region	The AWS region of the snapshot

Relationships¶

RDS Snapshots are part of AWS Accounts.

```
(AWSAccount)-[RESOURCE]->(RDSSnapshot)
```

RDS Snapshots are connected to DB Instances.

(RDSSnapshot)-[:IS_SNAPSHOT_SOURCE]->(RDSInstance)

RDS Snapshots can be tagged with AWSTags.

```
(RDSSnapshot)-[TAGGED]->(AWSTag)
```

S3Acl¶

Representation of an AWS S3 Access Control List.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
granteeid	The ID of the grantee as defined here
displayname	Optional display name for the ACL
permission	Valid values: `FULL_CONTROL \| READ \| WRITE \| READ_ACP \| WRITE_ACP` (ACP = Access Control Policy)
id	The ID of this ACL
type	The type of the grantee. Either `CanonicalUser \| AmazonCustomerByEmail \| Group`.
ownerid	The ACL’s owner ID as defined here

Relationships¶

S3 Access Control Lists apply to S3 buckets.
```
```
(S3Acl)-[APPLIES_TO]->(S3Bucket)
```
```

S3Bucket¶

Representation of an AWS S3 Bucket.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
creationdate	Date-time when the bucket was created
id	Same as `name`, as seen below
name	The name of the bucket. This is guaranteed to be globally unique
anonymous_actions	List of anonymous internet accessible actions that may be run on the bucket. This list is taken by running policyuniverse on the policy that applies to the bucket.
anonymous_access	True if this bucket has a policy applied to it that allows anonymous access or if it is open to the internet. These policy determinations are made by using the policyuniverse library.
region	The region that the bucket is in. Only defined if the S3 bucket has a location constraint
default_encryption	True if this bucket has default encryption enabled.
encryption_algorithm	The encryption algorithm used for default encryption. Only defined if the S3 bucket has default encryption enabled.
encryption_key_id	The KMS key ID used for default encryption. Only defined if the S3 bucket has SSE-KMS enabled as the default encryption method.
bucket_key_enabled	True if a bucket key is enabled, when using SSE-KMS as the default encryption method.
versioning_status	The versioning state of the bucket.
mfa_delete	Specifies whether MFA delete is enabled in the bucket versioning configuration.
block_public_acls	Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.
ignore_public_acls	Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket.
block_public_acls	Specifies whether Amazon S3 should block public bucket policies for this bucket.
restrict_public_buckets	Specifies whether Amazon S3 should restrict public bucket policies for this bucket.

Relationships¶

S3Buckets are resources in an AWS Account.

```
(AWSAccount)-[RESOURCE]->(S3Bucket)
```

S3 Access Control Lists apply to S3 buckets.
```
```
(S3Acl)-[APPLIES_TO]->(S3Bucket)
```
```
S3 Buckets can be tagged with AWSTags.
```
```
(S3Bucket)-[TAGGED]->(AWSTag)
```
```

S3PolicyStatement¶

Representation of an AWS S3 Bucket Policy Statements for controlling ownership of objects and ACLs of the bucket.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
policy_id	Optional string “Id” for the bucket’s policy
policy_version	Version of the bucket’s policy
id	The unique identifier for a bucket policy statement. If the statement has an Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/Sid. If the statement has no Sid the id will be calculated as S3Bucket.id/policy_statement/index of statement in statement/
effect	Specifies “Deny” or “Allow” for the policy statement
action	Specifies permissions that policy statement applies to, as defined here
resource	Specifies the resource the bucket policy statement is based on
condition	Specifies conditions where permissions are granted: examples
sid	Optional string to label the specific bucket policy statement

Relationships¶

S3PolicyStatements define the policy for S3 Buckets.

```
(:S3Bucket)-[:POLICY_STATEMENT]->(:S3PolicyStatement)
```

KMSKey¶

Representation of an AWS KMS Key.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the key
name	The name of the key
description	The description of the key
enabled	Whether the key is enabled
region	The region where key is created
anonymous_actions	List of anonymous internet accessible actions that may be run on the key.
anonymous_access	True if this key has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships¶

AWS KMS Keys are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(KMSKey)
```
```
AWS KMS Key may also be refered as KMSAlias via aliases.
```
```
(KMSKey)-[KNOWN_AS]->(KMSAlias)
```
```
AWS KMS Key may also have KMSGrant based on grants.
```
```
(KMSGrant)-[APPLIED_ON]->(KMSKey)
```
```

KMSAlias¶

Representation of an AWS KMS Key Alias.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the alias
aliasname	The name of the alias
targetkeyid	The kms key id associated via this alias

Relationships¶

AWS KMS Key may also be refered as KMSAlias via aliases.
```
```
(KMSKey)-[KNOWN_AS]->(KMSAlias)
```
```

KMSGrant¶

Representation of an AWS KMS Key Grant.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the key grant
name	The name of the key grant
granteeprincipal	The principal associated with the key grant
creationdate	ISO 8601 date-time string when the grant was created

Relationships¶

AWS KMS Key may also have KMSGrant based on grants.
```
```
(KMSGrant)-[APPLIED_ON]->(KMSKey)
```
```

APIGatewayRestAPI¶

Representation of an AWS API Gateway REST API.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the REST API
createddate	The timestamp when the REST API was created
version	The version identifier for the API
minimumcompressionsize	A nullable integer that is used to enable or disable the compression of the REST API
disableexecuteapiendpoint	Specifies whether clients can invoke your API by using the default `execute-api` endpoint
region	The region where the REST API is created
anonymous_actions	List of anonymous internet accessible actions that may be run on the API.
anonymous_access	True if this API has a policy applied to it that allows anonymous access or if it is open to the internet.

Relationships¶

AWS API Gateway REST APIs are resources in an AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(APIGatewayRestAPI)
```
```
AWS API Gateway REST APIs may be associated with an API Gateway Stage.
```
```
(APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
```
```
AWS API Gateway REST APIs may also have API Gateway Resource resources.
```
```
(APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
```
```

APIGatewayStage¶

Representation of an AWS API Gateway Stage.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The name of the API Gateway Stage
createddate	The timestamp when the stage was created
deploymentid	The identifier of the Deployment that the stage points to.
clientcertificateid	The identifier of a client certificate for an API stage.
cacheclusterenabled	Specifies whether a cache cluster is enabled for the stage.
cacheclusterstatus	The status of the cache cluster for the stage, if enabled.
tracingenabled	Specifies whether active tracing with X-ray is enabled for the Stage
webaclarn	The ARN of the WebAcl associated with the Stage

Relationships¶

AWS API Gateway REST APIs may be associated with an API Gateway Stage.
```
```
(APIGatewayRestAPI)-[ASSOCIATED_WITH]->(APIGatewayStage)
```
```

AWS API Gateway Stage may also contain a Client Certificate.

```
(APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
```

APIGatewayClientCertificate¶

Representation of an AWS API Gateway Client Certificate.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The identifier of the client certificate
createddate	The timestamp when the client certificate was created
expirationdate	The timestamp when the client certificate will expire

Relationships¶

AWS API Gateway Stage may also contain a Client Certificate.

```
(APIGatewayStage)-[HAS_CERTIFICATE]->(APIGatewayClientCertificate)
```

APIGatewayResource¶

Representation of an AWS API Gateway Resource.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The id of the REST API
path	The timestamp when the REST API was created
pathpart	The version identifier for the API
parentid	A nullable integer that is used to enable or disable the compression of the REST API

Relationships¶

AWS API Gateway REST APIs may also have API Gateway Resource resources.
```
```
(APIGatewayRestAPI)-[RESOURCE]->(APIGatewayResource)
```
```

AutoScalingGroup¶

Representation of an AWS Auto Scaling Group Resource.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
arn	The ARN of the Auto Scaling Group
name	The name of the Auto Scaling group.
createdtime	The date and time the group was created.
launchconfigurationname	The name of the associated launch configuration.
launchtemplatename	The name of the launch template.
launchtemplateid	The ID of the launch template.
launchtemplateversion	The version number of the launch template.
maxsize	The maximum size of the group.
minsize	The minimum size of the group.
defaultcooldown	The duration of the default cooldown period, in seconds.
desiredcapacity	The desired size of the group.
healthchecktype	The service to use for the health checks.
healthcheckgraceperiod	The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service.
status	The current state of the group when the DeleteAutoScalingGroup operation is in progress.
newinstancesprotectedfromscalein	Indicates whether newly launched instances are protected from termination by Amazon EC2 Auto Scaling when scaling in.
maxinstancelifetime	The maximum amount of time, in seconds, that an instance can be in service.
capacityrebalance	Indicates whether Capacity Rebalancing is enabled.
region	The region of the auto scaling group.

Link to API Documentation of AWS Auto Scaling Groups

Relationships¶

AWS Auto Scaling Groups are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AutoScalingGroup)
```
```
AWS Auto Scaling Groups has one or more subnets/vpc identifiers.
```
```
(AutoScalingGroup)-[VPC_IDENTIFIER]->(EC2Subnet)
```
```

AWS EC2 Instances are members of one or more AWS Auto Scaling Groups.

```
(EC2Instance)-[MEMBER_AUTO_SCALE_GROUP]->(AutoScalingGroup)
```

AWS Auto Scaling Groups have Launch Configurations

```
(AutoScalingGroup)-[HAS_LAUNCH_CONFIG]->(LaunchConfiguration)
```

AWS Auto Scaling Groups have Launch Templates

```
(AutoScalingGroup)-[HAS_LAUNCH_TEMPLATE]->(LaunchTemplate)
```

EC2Image¶

Representation of an AWS EC2 Images (AMIs).

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the AMI.
name	The name of the AMI that was provided during image creation.
creationdate	The date and time the image was created.
architecture	The architecture of the image.
location	The location of the AMI.
type	The type of image.
ispublic	Indicates whether the image has public launch permissions.
platform	This value is set to `windows` for Windows AMIs; otherwise, it is blank.
usageoperation	The operation of the Amazon EC2 instance and the billing code that is associated with the AMI.
state	The current state of the AMI.
description	The description of the AMI that was provided during image creation.
enasupport	Specifies whether enhanced networking with ENA is enabled.
hypervisor	The hypervisor type of the image.
rootdevicename	The device name of the root device volume (for example, `/dev/sda1` ).
rootdevicetype	The type of root device used by the AMI.
virtualizationtype	The type of virtualization of the AMI.
bootmode	The boot mode of the image.
region	The region of the image.

Link to API Documentation of EC2 Images

Relationships¶

AWS EC2 Images (AMIs) are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EC2Image)
```
```

EC2ReservedInstance¶

Representation of an AWS EC2 Reserved Instance.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the Reserved Instance.
availabilityzone	The Availability Zone in which the Reserved Instance can be used.
duration	The duration of the Reserved Instance, in seconds.
end	The time when the Reserved Instance expires.
start	The date and time the Reserved Instance started.
count	The number of reservations purchased.
type	The instance type on which the Reserved Instance can be used.
productdescription	The Reserved Instance product platform description.
state	The state of the Reserved Instance purchase.
currencycode	The currency of the Reserved Instance. It’s specified using ISO 4217 standard currency codes.
instancetenancy	The tenancy of the instance.
offeringclass	The offering class of the Reserved Instance.
offeringtype	The Reserved Instance offering type.
scope	The scope of the Reserved Instance.
fixedprice	The purchase price of the Reserved Instance.
region	The region of the reserved instance.

Relationships¶

AWS EC2 Reserved Instances are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EC2ReservedInstance)
```
```

SecretsManagerSecret¶

Representation of an AWS Secrets Manager Secret

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the secret.
created_date	The date and time when a secret was created.
deleted_date	The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.
description	The user-provided description of the secret.
kms_key_id	The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. If you don’t provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK, the key named awssecretsmanager, for this account.
last_accessed_date	The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
last_changed_date	The last date and time that this secret was modified in any way.
last_rotated_date	The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn’t ever rotated.
name	The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.
owning_service	Returns the name of the service that created the secret.
primary_region	The Region where Secrets Manager originated the secret.
rotation_enabled	Indicates whether automatic, scheduled rotation is enabled for this secret.
rotation_lambda_arn	The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret.
rotation_rules_automatically_after_days	Specifies the number of days between automatic scheduled rotations of the secret.

Relationships¶

AWS Secrets Manager Secrets are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SecretsManagerSecret)
```
```

EBSVolume¶

Representation of an AWS EBS Volume.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the EBS Volume.
availabilityzone	The Availability Zone for the volume.
createtime	The time stamp when volume creation was initiated.
encrypted	Indicates whether the volume is encrypted.
size	The size of the volume, in GiBs.
state	The volume state.
outpostarn	The Amazon Resource Name (ARN) of the Outpost.
snapshotid	The snapshot ID.
iops	The number of I/O operations per second (IOPS).
type	The volume type.
fastrestored	Indicates whether the volume was created using fast snapshot restore.
multiattachenabled	Indicates whether Amazon EBS Multi-Attach is enabled.
throughput	The throughput that the volume supports, in MiB/s.
kmskeyid	The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.
deleteontermination	Indicates whether the volume is deleted on instance termination.
region	The region of the volume.

Relationships¶

AWS EBS Volumes are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EBSVolume)
```
```

AWS EBS Snapshots are created using EBS Volumes

```
(EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
```

AWS EBS Volumes are attached to an EC2 Instance

```
(EBSVolume)-[ATTACHED_TO_EC2_INSTANCE]->(EC2Instance)
```

AWSTag
```
```
(EBSVolume)-[TAGGED]->(AWSTag)
```
```

EBSSnapshot¶

Representation of an AWS EBS Snapshot.

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the EBS Snapshot.
description	The description of the snapshot.
progress	The progress of the snapshot, as a percentage.
encrypted	Indicates whether the snapshot is encrypted.
starttime	The time stamp when the snapshot was initiated.
state	The snapshot state.
statemessage	Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy operation fails (for example, if the proper AWS Key Management Service (AWS KMS) permissions are not obtained) this field displays error state details to help you diagnose why the error occurred. This parameter is only returned by DescribeSnapshots .
volumeid	The volume ID.
volumesize	The size of the volume, in GiB.
outpostarn	The ARN of the AWS Outpost on which the snapshot is stored.
dataencryptionkeyid	The data encryption key identifier for the snapshot.
kmskeyid	The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the parent volume.
region	The region of the snapshot.

Relationships¶

AWS EBS Snapshots are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(EBSSnapshot)
```
```

AWS EBS Snapshots are created using EBS Volumes

```
(EBSSnapshot)-[CREATED_FROM]->(EBSVolume)
```

SQSQueue¶

Representation of an AWS SQS Queue

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the sqs queue.
created_timestamp	The time when the queue was created in seconds
delay_seconds	The default delay on the queue in seconds.
last_modified_timestamp	The time when the queue was last changed in seconds.
maximum_message_size	The limit of how many bytes a message can contain before Amazon SQS rejects it.
message_retention_period	he length of time, in seconds, for which Amazon SQS retains a message.
policy	The IAM policy of the queue.
arn	The arn of the sqs queue.
receive_message_wait_time_seconds	The length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.
redrive_policy_dead_letter_target_arn	The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
redrive_policy_max_receive_count	The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
visibility_timeout	The visibility timeout for the queue.
kms_master_key_id	The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK.
kms_data_key_reuse_period_seconds	The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again.
fifo_queue	Whether or not the queue is FIFO.
content_based_deduplication	Whether or not content-based deduplication is enabled for the queue.
deduplication_scope	Specifies whether message deduplication occurs at the message group or queue level.
fifo_throughput_limit	Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group.

Relationships¶

AWS SQS Queues are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SQSQueue)
```
```
AWS SQS Queues can have other SQS Queues configured as dead letter queues
```
```
(SQSQueue)-[HAS_DEADLETTER_QUEUE]->(SQSQueue)
```
```

SecurityHub¶

Representation of the configuration of AWS Security Hub

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The arn of the hub resource.
subscribed_at	The date and time when Security Hub was enabled in the account.
auto_enable_controls	Whether to automatically enable new controls when they are added to standards that are enabled.

Relationships¶

AWS Security Hub nodes are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(SecurityHub)
```
```

AWSConfigurationRecorder¶

Representation of an AWS Config Configuration Recorder

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A combination of name:account_id:region
name	The name of the recorder.
role_arn	Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.
recording_group_all_supported	Specifies whether AWS Config records configuration changes for every supported type of regional resource.
recording_group_include_global_resource_types	Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.
recording_group_resource_types	A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
region	The region of the configuration recorder.

Relationships¶

AWS Configuration Recorders are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigurationRecorder)
```
```

AWSConfigDeliveryChannel¶

Representation of an AWS Config Delivery Channel

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	A combination of name:account_id:region
name	The name of the delivery channel.
s3_bucket_name	The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.
s3_key_prefix	The prefix for the specified Amazon S3 bucket.
s3_kms_key_arn	The Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) customer managed key (CMK) used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
sns_topic_arn	The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.
config_snapshot_delivery_properties_delivery_frequency	The frequency with which AWS Config delivers configuration snapshots.
region	The region of the delivery channel.

Relationships¶

AWS Config Delivery Channels are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigDeliveryChannel)
```
```

AWSConfigRule¶

Representation of an AWS Config Rule

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the config rule.
name	The name of the delivery channel.
description	The description that you provide for the AWS Config rule.
arn	The ARN of the config rule.
rule_id	The ID of the AWS Config rule.
scope_compliance_resource_types	The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
scope_tag_key	The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
scope_tag_value	The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
scope_tag_compliance_resource_id	The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
source_owner	Indicates whether AWS or the customer owns and manages the AWS Config rule.
source_identifier	For AWS Config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule.
source_details	Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
input_parameters	A string, in JSON format, that is passed to the AWS Config rule Lambda function.
maximum_execution_frequency	The maximum frequency with which AWS Config runs evaluations for a rule.
created_by	Service principal name of the service that created the rule.
region	The region of the delivery channel.

Relationships¶

AWS Config Rules are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(AWSConfigRule)
```
```

LaunchConfiguration¶

Representation of an AWS Launch Configuration

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the launch configuration.
name	The name of the launch configuration.
arn	The ARN of the launch configuration.
created_time	The creation date and time for the launch configuration.
image_id	The ID of the Amazon Machine Image (AMI) to use to launch your EC2 instances.
key_name	The name of the key pair.
security_groups	A list that contains the security groups to assign to the instances in the Auto Scaling group.
instance_type	The instance type for the instances.
kernel_id	The ID of the kernel associated with the AMI.
ramdisk_id	The ID of the RAM disk associated with the AMI.
instance_monitoring_enabled	If true, detailed monitoring is enabled. Otherwise, basic monitoring is enabled.
spot_price	The maximum hourly price to be paid for any Spot Instance launched to fulfill the request.
iam_instance_profile	The name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance.
ebs_optimized	Specifies whether the launch configuration is optimized for EBS I/O (true) or not (false).
associate_public_ip_address	For Auto Scaling groups that are running in a VPC, specifies whether to assign a public IP address to the group’s instances.
placement_tenancy	The tenancy of the instance, either default or dedicated. An instance with dedicated tenancy runs on isolated, single-tenant hardware and can only be launched into a VPC.
region	The region of the launch configuration.

Relationships¶

Launch Configurations are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchConfiguration)
```
```

LaunchTemplate¶

Representation of an AWS Launch Template

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the launch template.
name	The name of the launch template.
create_time	The time launch template was created.
created_by	The principal that created the launch template.
default_version_number	The version number of the default version of the launch template.
latest_version_number	The version number of the latest version of the launch template.
region	The region of the launch template.

Relationships¶

Launch Templates are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchTemplate)
```
```

Launch templates have Launch Template Versions

```
(LaunchTemplate)-[VERSION]->(LaunchTemplateVersion)
```

LaunchTemplateVersion¶

Representation of an AWS Launch Template Version

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ID of the launch template version (ID-version).
name	The name of the launch template.
create_time	The time the version was created.
created_by	The principal that created the version.
default_version	Indicates whether the version is the default version.
version_number	The version number.
version_description	The description of the version.
kernel_id	The ID of the kernel, if applicable.
ebs_optimized	Indicates whether the instance is optimized for Amazon EBS I/O.
iam_instance_profile_arn	The Amazon Resource Name (ARN) of the instance profile.
iam_instance_profile_name	The name of the instance profile.
image_id	The ID of the AMI that was used to launch the instance.
instance_type	The instance type.
key_name	The name of the key pair.
monitoring_enabled	Indicates whether detailed monitoring is enabled. Otherwise, basic monitoring is enabled.
ramdisk_id	The ID of the RAM disk, if applicable.
disable_api_termination	If set to true, indicates that the instance cannot be terminated using the Amazon EC2 console, command line tool, or API.
instance_initiated_shutdown_behavior	Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown).
security_group_ids	The security group IDs.
security_groups	The security group names.
region	The region of the launch template.

Relationships¶

Launch Template Versions are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(LaunchTemplateVersion)
```
```

ElasticIPAddress¶

Representation of an AWS EC2 Elastic IP address

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The Elastic IP address
instance_id	The ID of the instance that the address is associated with (if any).
public_ip	The Elastic IP address.
allocation_id	The ID representing the allocation of the address for use with EC2-VPC.
association_id	The ID representing the association of the address with an instance in a VPC.
domain	Indicates whether this Elastic IP address is for use with instances in EC2-Classic (standard) or instances in a VPC (vpc).
network_interface_id	The ID of the network interface.
private_ip_address	The private IP address associated with the Elastic IP address.
public_ipv4_pool	The ID of an address pool.
network_border_group	The name of the unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses.
customer_owned_ip	The customer-owned IP address.
customer_owned_ipv4_pool	The ID of the customer-owned address pool.
carrier_ip	The carrier IP address associated. This option is only available for network interfaces which reside in a subnet in a Wavelength Zone (for example an EC2 instance).
region	The region of the IP.

Relationships¶

Elastic IPs are a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(ElasticIPAddress)
```

Elastic IPs can be attached to EC2 instances

```
(EC2Instance)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
```

Elastic IPs can be attached to NetworkInterfaces

```
(NetworkInterface)-[ELASTIC_IP_ADDRESS]->(ElasticIPAddress)
```

ECSCluster¶

Representation of an AWS ECS Cluster

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the cluster
region	The region of the cluster.
name	A user-generated string that you use to identify your cluster.
arn	The ARN of the cluster
ecc_kms_key_id	An AWS Key Management Service key ID to encrypt the data between the local client and the container.
ecc_logging	The log setting to use for redirecting logs for your execute command results.
ecc_log_configuration_cloud_watch_log_group_name	The name of the CloudWatch log group to send logs to.
ecc_log_configuration_cloud_watch_encryption_enabled	Determines whether to enable encryption on the CloudWatch logs.
ecc_log_configuration_s3_bucket_name	The name of the S3 bucket to send logs to.
ecc_log_configuration_s3_encryption_enabled	Determines whether to use encryption on the S3 logs.
ecc_log_configuration_s3_key_prefix	An optional folder in the S3 bucket to place logs in.
status	The status of the cluster
settings_container_insights	If enabled is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be disabled unless the containerInsights account setting is enabled.
capacity_providers	The capacity providers associated with the cluster.
attachments_status	The status of the capacity providers associated with the cluster.

Relationships¶

ECSClusters are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(ECSCluster)
```
```

ECSContainerInstance¶

Representation of an AWS ECS Container Instance

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the container instance
region	The region of the container instance.
ec2_instance_id	The ID of the container instance. For Amazon EC2 instances, this value is the Amazon EC2 instance ID. For external instances, this value is the AWS Systems Manager managed instance ID.
arn	The ARN of the container instance
capacity_provider_name	The capacity provider that’s associated with the container instance.
version	The version counter for the container instance.
version_info_agent_version	The version number of the Amazon ECS container agent.
version_info_agent_hash	The Git commit hash for the Amazon ECS container agent build on the amazon-ecs-agent GitHub repository.
version_info_agent_docker_version	The Docker version that’s running on the container instance.
status	The status of the container instance.
status_reason	The reason that the container instance reached its current status.
agent_connected	This parameter returns true if the agent is connected to Amazon ECS. Registered instances with an agent that may be unhealthy or stopped return false.
agent_update_status	The status of the most recent agent update. If an update wasn’t ever requested, this value is NULL.
registered_at	The Unix timestamp for the time when the container instance was registered.

Relationships¶

An ECSCluster has ECSContainerInstances

```
(ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
```

ECSContainerInstances have ECSTasks

```
(ECSContainerInstance)-[HAS_TASK]->(ECSTask)
```

ECSService¶

Representation of an AWS ECS Service

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the service
region	The region of the service.
name	The name of your service.
arn	The ARN of the service
cluster_arn	The Amazon Resource Name (ARN) of the cluster that hosts the service.
status	The status of the service.
desired_count	The desired number of instantiations of the task definition to keep running on the service.
running_count	The number of tasks in the cluster that are in the RUNNING state.
pending_count	The number of tasks in the cluster that are in the PENDING state.
launch_type	The launch type the service is using.
platform_version	The platform version to run your service on. A platform version is only specified for tasks that are hosted on AWS Fargate.
platform_family	The operating system that your tasks in the service run on. A platform family is specified only for tasks using the Fargate launch type.
task_definition	The task definition to use for tasks in the service.
deployment_config_circuit_breaker_enable	Determines whether to enable the deployment circuit breaker logic for the service.
deployment_config_circuit_breaker_rollback	Determines whether to enable Amazon ECS to roll back the service if a service deployment fails.
deployment_config_maximum_percent	If a service is using the rolling update (ECS) deployment type, the maximum percent parameter represents an upper limit on the number of tasks in a service that are allowed in the RUNNING or PENDING state during a deployment, as a percentage of the desired number of tasks (rounded down to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.
deployment_config_minimum_healthy_percent	If a service is using the rolling update (ECS) deployment type, the minimum healthy percent represents a lower limit on the number of tasks in a service that must remain in the RUNNING state during a deployment, as a percentage of the desired number of tasks (rounded up to the nearest integer), and while any container instances are in the DRAINING state if the service contains tasks using the EC2 launch type.
role_arn	The ARN of the IAM role that’s associated with the service.
created_at	The Unix timestamp for the time when the service was created.
health_check_grace_period_seconds	The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started.
created_by	The principal that created the service.
enable_ecs_managed_tags	Determines whether to enable Amazon ECS managed tags for the tasks in the service.
propagate_tags	Determines whether to propagate the tags from the task definition or the service to the task.
enable_execute_command	Determines whether the execute command functionality is enabled for the service.

Relationships¶

An ECSCluster has ECSService

```
(ECSCluster)-[HAS_SERVICE]->(ECSService)
```

An ECSCluster has ECSContainerInstances

```
(ECSCluster)-[HAS_CONTAINER_INSTANCE]->(ECSContainerInstance)
```

ECSTaskDefinition¶

Representation of an AWS ECS Task Definition

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task definition
region	The region of the task definition.
family	The name of a family that this task definition is registered to.
task_role_arn	The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management role that grants containers in the task permission to call AWS APIs on your behalf.
execution_role_arn	The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf.
network_mode	The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If no network mode is specified, the default is bridge.
revision	The revision of the task in a particular family.
status	The status of the task definition.
compatibilities	The task launch types the task definition validated against during task definition registration.
runtime_platform_cpu_architecture	The CPU architecture.
runtime_platform_operating_system_family	The operating system.
requires_compatibilities	The task launch types the task definition was validated against.
cpu	The number of cpu units used by the task.
memory	The amount (in MiB) of memory used by the task.
pid_mode	The process namespace to use for the containers in the task.
ipc_mode	The IPC resource namespace to use for the containers in the task.
proxy_configuration_type	The proxy type.
proxy_configuration_container_name	The name of the container that will serve as the App Mesh proxy.
registered_at	The Unix timestamp for the time when the task definition was registered.
deregistered_at	The Unix timestamp for the time when the task definition was deregistered.
registered_by	The principal that registered the task definition.
ephemeral_storage_size_in_gib	The total amount, in GiB, of ephemeral storage to set for the task.

Relationships¶

ECSTaskDefinition are a resource under the AWS Account.
```
```
(AWSAccount)-[RESOURCE]->(ECSTaskDefinition)
```
```

An ECSTask has an ECSTaskDefinition.

```
(ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
```

ECSContainerDefinition¶

Representation of an AWS ECS Container Definition

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task definition, plus the container definition name
region	The region of the container definition.
name	The name of a container.
image	The image used to start a container. This string is passed directly to the Docker daemon.
cpu	The number of cpu units reserved for the container.
memory	The amount (in MiB) of memory to present to the container.
memory_reservation	The soft limit (in MiB) of memory to reserve for the container.
links	The links parameter allows containers to communicate with each other without the need for port mappings.
essential	If the essential parameter of a container is marked as true, and that container fails or stops for any reason, all other containers that are part of the task are stopped.
entry_point	The entry point that’s passed to the container.
command	The command that’s passed to the container.
start_timeout	Time duration (in seconds) to wait before giving up on resolving dependencies for a container.
stop_timeout	Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own.
hostname	The hostname to use for your container.
user	The user to use inside the container.
working_directory	The working directory to run commands inside the container in.
disable_networking	When this parameter is true, networking is disabled within the container.
privileged	When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).
readonly_root_filesystem	When this parameter is true, the container is given read-only access to its root file system.
dns_servers	A list of DNS servers that are presented to the container.
dns_search_domains	A list of DNS search domains that are presented to the container.
docker_security_options	A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field isn’t valid for containers in tasks using the Fargate launch type.
interactive	When this parameter is true, you can deploy containerized applications that require stdin or a tty to be allocated.
pseudo_terminal	When this parameter is true, a TTY is allocated.

Relationships¶

ECSTaskDefinitions have ECSContainerDefinitions

```
(ECSTaskDefinition)-[HAS_CONTAINER_DEFINITION]->(ECSContainerDefinition)
```

ECSTask¶

Representation of an AWS ECS Task

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the task
region	The region of the task.
arn	The arn of the task.
availability_zone	The Availability Zone for the task.
capacity_provider_name	The capacity provider that’s associated with the task.
cluster_arn	The ARN of the cluster that hosts the task.
connectivity	The connectivity status of a task.
connectivity_at	The Unix timestamp for the time when the task last went into CONNECTED status.
container_instance_arn	The ARN of the container instances that host the task.
cpu	The number of CPU units used by the task as expressed in a task definition.
created_at	The Unix timestamp for the time when the task was created. More specifically, it’s for the time when the task entered the PENDING state.
desired_status	The desired status of the task.
enable_execute_command	Determines whether execute command functionality is enabled for this task.
execution_stopped_at	The Unix timestamp for the time when the task execution stopped.
group	The name of the task group that’s associated with the task.
health_status	The health status for the task.
last_status	The last known status for the task.
launch_type	The infrastructure where your task runs on.
memory	The amount of memory (in MiB) that the task uses as expressed in a task definition.
platform_version	The platform version where your task runs on.
platform_family	The operating system that your tasks are running on.
pull_started_at	The Unix timestamp for the time when the container image pull began.
pull_stopped_at	The Unix timestamp for the time when the container image pull completed.
started_at	The Unix timestamp for the time when the task started. More specifically, it’s for the time when the task transitioned from the PENDING state to the RUNNING state.
started_by	The tag specified when a task is started. If an Amazon ECS service started the task, the startedBy parameter contains the deployment ID of that service.
stop_code	The stop code indicating why a task was stopped.
stopped_at	The Unix timestamp for the time when the task was stopped. More specifically, it’s for the time when the task transitioned from the RUNNING state to the STOPPED state.
stopped_reason	The reason that the task was stopped.
stopping_at	The Unix timestamp for the time when the task stops. More specifically, it’s for the time when the task transitions from the RUNNING state to STOPPED.
task_definition_arn	The ARN of the task definition that creates the task.
version	The version counter for the task.
ephemeral_storage_size_in_gib	The total amount, in GiB, of ephemeral storage to set for the task.

Relationships¶

ECSClusters have ECSTasks

```
(ECSCluster)-[HAS_TASK]->(ECSTask)
```

ECSContainerInstances have ECSTasks

```
(ECSContainerInstance)-[HAS_TASK]->(ECSTask)
```

ECSTasks have ECSTaskDefinitions

```
(ECSTask)-[HAS_TASK_DEFINITION]->(ECSTaskDefinition)
```

ECSContainer¶

Representation of an AWS ECS Container

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the container
region	The region of the container.
arn	The arn of the container.
task_arn	The ARN of the task.
name	The name of the container.
image	The image used for the container.
image_digest	The container image manifest digest.
runtime_id	The ID of the Docker container.
last_status	The last known status of the container.
exit_code	The exit code returned from the container.
reason	A short (255 max characters) human-readable string to provide additional details about a running or stopped container.
health_status	The health status of the container.
cpu	The number of CPU units set for the container.
memory	The hard limit (in MiB) of memory set for the container.
memory_reservation	The soft limit (in MiB) of memory set for the container.
gpu_ids	The IDs of each GPU assigned to the container.

Relationships¶

ECSTasks have ECSContainers

```
(ECSTask)-[HAS_CONTAINER]->(ECSContainer)
```

SSMInstanceInformation¶

Representation of an AWS SSM InstanceInformation

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the instance information
region	The region of the instance information.
instance_id	The managed node ID.
ping_status	Connection status of SSM Agent.
last_ping_date_time	The date and time when the agent last pinged the Systems Manager service.
agent_version	The version of SSM Agent running on your Linux managed node.
is_latest_version	Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn’t indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.
platform_type	The operating system platform type.
platform_name	The name of the operating system platform running on your managed node.
platform_version	The version of the OS platform running on your managed node.
activation_id	The activation ID created by AWS Systems Manager when the server or virtual machine (VM) was registered.
iam_role	The AWS Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn’t return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances.
registration_date	The date the server or VM was registered with AWS as a managed node.
resource_type	The type of instance. Instances are either EC2 instances or managed instances.
name	The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName property using the CreateActivation command.
ip_address	The IP address of the managed node.
computer_name	The fully qualified host name of the managed node.
association_status	The status of the association.
last_association_execution_date	The date the association was last run.
last_successful_association_execution_date	The last date the association was successfully run.
source_id	The ID of the source resource. For AWS IoT Greengrass devices, SourceId is the Thing name.
source_type	The type of the source resource. For AWS IoT Greengrass devices, SourceType is AWS::IoT::Thing.

Relationships¶

SSMInstanceInformation is a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(SSMInstanceInformation)
```

SSMInstanceInformation is a resource of an EC2Instance

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstanceInformation)
```

SSMInstancePatch¶

Representation of an AWS SSM PatchComplianceData

Field	Description
firstseen	Timestamp of when a sync job first discovered this node
lastupdated	Timestamp of the last time the node was updated
id	The ARN of the instance patch
region	The region of the instance patch.
instance_id	The managed node ID.
title	The title of the patch.
kb_id	The operating system-specific ID of the patch.
classification	The classification of the patch, such as SecurityUpdates, Updates, and CriticalUpdates.
severity	The severity of the patch such as Critical, Important, and Moderate.
state	The state of the patch on the managed node, such as INSTALLED or FAILED.
installed_time	The date/time the patch was installed on the managed node. Not all operating systems provide this level of information.
cve_ids	The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch.

Relationships¶

SSMInstancePatch is a resource under the AWS Account.

```
(AWSAccount)-[RESOURCE]->(SSMInstancePatch)
```

EC2Instances have SSMInstancePatches

```
(EC2Instance)-[HAS_INFORMATION]->(SSMInstancePatch)
```

AWS Schema¶

AWSAccount¶

Relationships¶

AWSCidrBlock¶

AWSIpv4CidrBlock¶

AWSIpv6CidrBlock¶

Relationships¶

AWSGroup¶

Relationships¶

AWSInspectorFinding¶

Relationships¶

AWSInspectorPackage¶

Relationships¶

AWSLambda¶

Relationships¶

AWSLambdaFunctionAlias¶

Relationships¶

AWSLambdaEventSourceMapping¶

Relationships¶

AWSLambdaLayer¶

Relationships¶

AWSPolicy¶

Relationships¶

AWSPolicyStatement¶

Relationships¶

AWSPrincipal¶

Relationships¶

AWSPrincipal::AWSUser¶

Relationships¶

AWSPrincipal::AWSRole¶

Relationships¶

AWSTransitGateway¶

Relationships¶

AWSTransitGatewayAttachment¶

Relationships¶

AWSVpc¶

Relationships¶

Tag::AWSTag¶

Relationships¶

AccountAccessKey¶

Relationships¶

DBSubnetGroup¶

Relationships¶

DNSRecord¶

Relationships¶

DNSRecord::AWSDNSRecord¶

Relationships¶

DNSZone¶

Relationships¶

DNSZone::AWSDNSZone¶

Relationships¶

DynamoDBTable¶

Relationships¶

EC2Instance¶

Relationships¶

EC2KeyPair¶

Relationships¶

EC2PrivateIp¶

Relationships¶

EC2Reservation¶

Relationships¶

EC2SecurityGroup¶

Relationships¶

EC2Subnet¶

Relationships¶

AWSInternetGateway¶

Relationships¶

ECRRepository¶

Relationships¶

ECRRepositoryImage¶

Relationships¶

ECRImage¶

Relationships¶

Package¶

Relationships¶

ECRScanFinding (:Risk:CVE)¶

Relationships¶

EKSCluster¶

Relationships¶

EMRCluster¶

Tag::AWSTag ¶