AWS
Visualize AWS cloud resources, map AWS users to employees, and monitor visibility, governance, and compliance against the AWS CIS Framework and security benchmarks. Additionally, monitor AWS vulnerabilities and findings and changes in AWS cloud resources through queries and alerts.
- Installation guide
- AWS data model
Installation
To install this integration, you will need to configure settings both within AWS and on JupiterOne. The integration instance configuration requires the customer's roleArn to assume in order to read infrastructure information through AWS APIs. The role is
configured to require an externalId; this also must be maintained in the instance configuration.
Information is ingested from all AWS regions that do not require additional contractual arrangements with AWS. Please submit a JupiterOne support request if you need to monitor additional regions.
info
This integration enables the creation of automated workflows within JupiterOne alerts using SNS and SQS to remediate configuration gaps in AWS.
Configuration on AWS
Detailed setup instructions and a pre-built CloudFormation Stack are provided in the application and maintained in the public JupiterOne AWS CloudFormation project on Github. Follow the steps under In JupiterOne to capture the auto-generated External ID specific to the integration instance.
Once the steps provided on the GitHub are completed, you can continue to finalizing the the integration instance on JupiterOne.
Configuration in JupiterOne
To install the AWS integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select AWS. Click New Instance to begin configuring the integration.
Creating an integration instance requires the following:
The Account Name used to identify the AWS account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration.Enter the Role ARN of the IAM role to assume in order to authenticate with AWS.
Click Create once all values are provided to finalize the integration.
Set Permissions
The AWS integration requires security auditor permissions into the target AWS
account, as defined by a combination of the SecurityAudit IAM policy
managed by AWS, and a few additional List*, Get*, and Describe*
permissions missing from the AWS managed policy. The exact policy and permission
statements can be found in the public [JupiterOne AWS CloudFormation][1] project
on Github.
info
See the AWS data model map for more information about the IAM access and trusts.
Manage Sub-Accounts
After you have configured your AWS Organization master account in JupiterOne, and have attached specific policies and are using a specific external trust ID. When adding or configuring sub-accounts, remember to note the IAM role name, policies, and external trust ID that you have used for the master account.
Use your preferred infrastructure-as-code method to systematically generate an identical J1 IAM role in each of your sub-accounts. Ensure you name the IAM Role identically, attach the same policies, and use the same external trust ID as you used with the master account configuration.
In the JupiterOne Integrations UI, select a polling interval and the Auto-configure additional integrations... option in your master account configuration.
note
JupiterOne automatically ingests all sub-accounts from the Organization the next time it polls your environment.
To omit specific sub-accounts when auto-configuring J1 AWS integrations from an
Organizations master account, add the optional j1-integration: SKIP tag to the
sub-account in your infrastructure-as-code or from the AWS Organizations web
console.
Service Control Provider Issues
Errors may occur after configuring one or many AWS integrations if there is a Service Control Policy (SCP) blocking specified services or regions. Any AWS Services that JupiterOne cannot ingest are listed in logs of the Integration Jobs found in Integrations > Configurations > Settings > Jobs.
For each SCP that is blocking JupiterOne ingestion, add the following condition element to your SCP JSON:
"Condition": {
"ArnNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/JupiterOne*"
]
}
}
Ensure this ARN matches the IAM Role ARN you used to configure your JupiterOne AWS integration.
info
See the AWS Service control policies documentation for the latest information.
S3 Bucket public Property
The aws_s3_bucket.public property is calculated based on the Access field shown in the AWS S3 console. Each different Access value corresponds to setting the aws_s3_bucket.public property to either true, false, or undefined as described in the table below:
| Access | aws_s3_bucket.public |
|---|---|
| Public | true |
| Objects can be public | undefined |
| Bucket and objects not public | false |
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Data Model
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| ACM Certificate | aws_acm_certificate | Certificate |
| AWS ACM Service | aws_acm | Service |
| AWS AccessAnalyzer Service | aws_accessanalyzer | Service |
| AWS Account | aws_account | Account |
| AWS ApiGateway Service | aws_apigateway | Service |
| AWS Athena Service | aws_athena | Service |
| AWS Auto Scaling Plans Service | aws_autoscalingplans | Service |
| AWS Autoscaling Service | aws_autoscaling | Service |
| AWS Backup Copy Job | aws_backup_copy_job | Task |
| AWS Backup Job | aws_backup_job | Backup |
| AWS Backup Plan | aws_backup_plan | Backup |
| AWS Backup Recovery Point | aws_backup_recovery_point | Backup |
| AWS Backup Restore Job | aws_backup_restore_job | Task |
| AWS Backup Service | aws_backup | Service |
| AWS Backup Vault | aws_backup_vault | Backup |
| AWS Batch Compute Environment | aws_batch_compute_environment | Configuration |
| AWS Batch Job Definition | aws_batch_job_definition | Configuration, Function |
| AWS Batch Job Queue | aws_batch_job_queue | Queue |
| AWS Batch Service | aws_batch | Service |
| AWS Cloudformation Service | aws_cloudformation | Service |
| AWS Cloudformation Stacks | aws_cloudformation_stack | Configuration |
| AWS Cloudfront Distribution | aws_cloudfront_distribution | Gateway |
| AWS Cloudfront Distribution Origin | aws_cloudfront_distribution_origin | Configuration |
| AWS Cloudfront Key Group | aws_cloudfront_key_group | Group |
| AWS Cloudfront Public Key | aws_cloudfront_public_key | AccessKey, Key |
| AWS Cloudfront Service | aws_cloudfront | Service |
| AWS Cloudhsm Service | aws_cloudhsm | Service |
| AWS Cloudtrail Service | aws_cloudtrail | Service |
| AWS Cloudwatch Alarms | aws_cloudwatch_metric_alarm | Monitor |
| AWS Cloudwatch Event | aws_cloudwatch_events | Service |
| AWS Cloudwatch Logs Service | aws_cloudwatch_logs | Service |
| AWS Cloudwatch Service | aws_cloudwatch | Service |
| AWS CodeBuild Service | aws_codebuild | Service |
| AWS CodeCommit Service | aws_codecommit | Service |
| AWS CodePipeline Service | aws_codepipeline | Service |
| AWS Customer Gateway | aws_customer_gateway | Gateway |
| AWS Database Migration Service | aws_dms | Service |
| AWS Database Migration Service Endpoint | aws_dms_endpoint | ApplicationEndpoint |
| AWS Database Migration Service Instance | aws_dms_instance | Host |
| AWS Direct Connect BGP Peer | aws_directconnect_bgp_peer | Network |
| AWS Direct Connect Connection | aws_directconnect_connection | Network |
| AWS Direct Connect Gateway | aws_directconnect_gateway | Gateway |
| AWS Direct Connect LAG | aws_directconnect_lag | Network |
| AWS Direct Connect Service | aws_directconnect | Service |
| AWS Direct Connect Virtual Interface | aws_directconnect_virtual_interface | Network |
| AWS Directory Service | aws_ds | Service |
| AWS Directory Service Directory | aws_ds_directory | Directory |
| AWS DynamoDB Service | aws_dynamodb | Service |
| AWS EC2 Service | aws_ec2 | Service |
| AWS EC2 Settings | aws_ec2_settings | Configuration |
| AWS EC2 Transit Gateway | aws_ec2_transit_gateway | Gateway |
| AWS EC2 Transit Gateway VPC Attachment | aws_ec2_transit_gateway_vpc_attachment | Resource |
| AWS ECR Service | aws_ecr | Service |
| AWS ECS Service | aws_ecs | Service |
| AWS EFS Service | aws_efs | Service |
| AWS EIP Address | aws_eip | IpAddress |
| AWS EKS Service | aws_eks | Service |
| AWS ELB Service | aws_elasticloadbalancing | Service |
| AWS EMR Cluster | aws_elasticmapreduce_cluster | Cluster |
| AWS EMR Service | aws_elasticmapreduce | Service |
| AWS ElastiCache Service | aws_elasticache | Service |
| AWS Elasticsearch Service | aws_es | Service |
| AWS Firehose Delivery Stream | aws_firehose_delivery_stream | DataCollection, Queue |
| AWS Firehose Service | aws_firehose | Service |
| AWS Firewall Manager | aws_fms | Service |
| AWS Glacier Service | aws_glacier | Service |
| AWS Global Accelerator Accelerator | aws_global_accelerator_accelerator | Firewall |
| AWS Global Accelerator Service | aws_global_accelerator | Service |
| AWS Glue Catalog Database | aws_glue_catalog_database | Database |
| AWS Glue Connection | aws_glue_connection | DataStore |
| AWS Glue Data Catalog Encryption Settings | aws_glue_data_catalog_encryption_settings | Policy |
| AWS Glue Dev Endpoint | aws_glue_dev_endpoint | NetworkEndpoint |
| AWS Glue Job | aws_glue_job | Workflow |
| AWS Glue Security Configurations | aws_glue_security_configuration | Policy |
| AWS Glue Service | aws_glue | Service |
| AWS Glue Session | aws_glue_session | Task |
| AWS Guardduty Service | aws_guardduty | Service |
| AWS IAM Identity Center | aws_sso | Service |
| AWS IAM Identity Center Application | aws_sso_application | Application |
| AWS IAM Identity Center Group | aws_sso_group | UserGroup |
| AWS IAM Identity Center Instance | aws_sso_instance | Resource |
| AWS IAM Identity Center Permission Set | aws_sso_permission_set | AccessPolicy |
| AWS IAM Identity Center User | aws_sso_user | User |
| AWS IAM Service | aws_iam | Service |
| AWS Image | aws_ami | Resource, Image |
| AWS Inspector Assessment | aws_inspector_assessment | Assessment |
| AWS Inspector Service | aws_inspector | Service |
| AWS Inspector v2 Service | aws_inspectorv2 | Service |
| AWS Instance | aws_instance | Host |
| AWS Instance Application | aws_instance_application | Application |
| AWS Internet Gateway | aws_internet_gateway | Gateway |
| AWS KMS Key | aws_kms_key | CryptoKey, Key |
| AWS KMS Service | aws_kms | Service |
| AWS Key Pair | aws_key_pair | AccessKey, Key |
| AWS Kinesis Service | aws_kinesis | Service |
| AWS Kinesis Stream | aws_kinesis_stream | DataCollection, Queue |
| AWS Lambda Service | aws_lambda | Service |
| AWS Launch Template | aws_launch_template | Configuration |
| AWS Launch Template Version | aws_launch_template_version | Image |
| AWS Lex V2 Bot | aws_lexv2_bot | Model |
| AWS Lex V2 Bot Alias | aws_lexv2_bot_alias | Model |
| AWS Lex V2 Service | aws_lexv2 | Service |
| AWS MQ | aws_mq | Service |
| AWS MQ Broker | aws_mq_broker | Configuration |
| AWS MSK | aws_msk | Service |
| AWS MSK Cluster | aws_msk_cluster | Cluster |
| AWS MWAA Environment | aws_mwaa_environment | Configuration |
| AWS Macie Finding | aws_macie_finding | Finding |
| AWS Macie Service | aws_macie | Service |
| AWS NAT Gateway | aws_nat_gateway | Gateway |
| AWS Network ACL | aws_network_acl | Firewall |
| AWS Network Firewall Service | aws_networkfirewall | Service |
| AWS Network Interface | aws_eni | NetworkInterface |
| AWS Organization | aws_organization | Organization |
| AWS Organization Root | aws_organization_root | Organization, Group |
| AWS Organizational Unit | aws_organizational_unit | Organization, Group |
| AWS Prefix List | aws_prefix_list | Network |
| AWS Private Certificate Authority Service | aws_acm_pca | Service |
| AWS RDS Service | aws_rds | Service |
| AWS Redshift Serverless Service | aws_redshift_serverless | Service |
| AWS Redshift Service | aws_redshift | Service |
| AWS Restore Testing Plan | aws_backup_restore_testing_plan | Backup |
| AWS Route Table | aws_route_table | Configuration |
| AWS Route53 Domain | aws_route53_domain | Domain |
| AWS Route53 Hosted Zone | aws_route53_zone | DomainZone |
| AWS Route53 Resolver Rule | aws_route53_resolver_rule | Rule |
| AWS Route53 Service | aws_route53 | Service |
| AWS Route53 record | aws_route53_record | DomainRecord |
| AWS S3 Access Point | aws_s3_access_point | NetworkEndpoint |
| AWS S3 Bucket | aws_s3_bucket | DataStore |
| AWS S3 Bucket Policy | aws_s3_bucket_policy | AccessPolicy |
| AWS S3 Service | aws_s3 | Service |
| AWS S3 Website Configuration | aws_s3_website_config | Configuration |
| AWS SES Configuration Set | aws_ses_configuration_set | Configuration |
| AWS SES Identity | aws_ses_identity | Subscription |
| AWS SES Receipt Filter | aws_ses_receipt_filter | AccessPolicy |
| AWS SES Service | aws_ses | Service |
| AWS SNS Service | aws_sns | Service |
| AWS SNS Subscription | aws_sns_subscription | Subscription |
| AWS SNS Topic | aws_sns_topic | Channel |
| AWS SQS Service | aws_sqs | Service |
| AWS SSM Associations | aws_ssm_associations | Document |
| AWS SSM Compliance Summary | aws_ssm_compliance_summary | Finding |
| AWS SSM Instance Inventory | aws_instance_inventory | Configuration |
| AWS SSM Instance Patch State | aws_instance_patch_state | Logs |
| AWS SSM Patch Baseline | aws_patch_baseline | Configuration |
| AWS SSM Patch Group | aws_patch_group | Group |
| AWS SSM Secure String Parameter Metadata | aws_secure_string_parameter | Secret |
| AWS SSM Service | aws_ssm | Service |
| AWS SSM Session Document | aws_session_document | Document |
| AWS SageMaker | aws_sagemaker | Service |
| AWS SageMaker Notebook Instance | aws_sagemaker_notebook_instance | Host |
| AWS Secrets Manager Service | aws_secretsmanager | Service |
| AWS Security Group | aws_security_group | Firewall |
| AWS Security Hub | aws_securityhub | Service |
| AWS Security Hub Control | aws_securityhub_control | Control |
| AWS Security Hub Finding | aws_securityhub_finding | Finding |
| AWS Security Hub Standard | aws_securityhub_standard | Standard |
| AWS Shield Protection | aws_shield_protection | Firewall |
| AWS Shield Protection Group | aws_shield_protection_group | ResourceGroup |
| AWS Shield Service | aws_shield | Service |
| AWS Shield Subscription | aws_shield_subscription | Subscription |
| AWS Signer Service | aws_signer | Service |
| AWS Signer Signing Profile | aws_signer_signing_profile | Resource |
| AWS Snapshot | aws_ebs_snapshot | DataStore, Disk, Image, Backup |
| AWS States Service | aws_states | Service |
| AWS Subnet | aws_subnet | Network |
| AWS Transfer Server | aws_transfer_server | Host, Gateway |
| AWS Transfer Service | aws_transfer | Service |
| AWS Transfer User | aws_transfer_user | User |
| AWS VPC | aws_vpc | Network |
| AWS VPC Endpoint | aws_vpc_endpoint | NetworkEndpoint |
| AWS VPC Endpoint Service | aws_vpc_endpoint_service | Service |
| AWS VPC Service | aws_ec2_vpc | Service |
| AWS VPN Gateway | aws_vpn_gateway | Gateway |
| AWS Volume | aws_ebs_volume | DataStore, Disk |
| AWS WAF Classic Service | aws_waf | Service |
| AWS WAF Web ACL | aws_waf_web_acl | Firewall |
| AWS WAF v2 Service | aws_wafv2 | Service |
| AWS WAF v2 Web ACL | aws_waf_v2_web_acl | Firewall |
| AWS WAF v2 Web ACL Rule | aws_waf_v2_web_acl_rule | Rule |
| AWS WorkSpaces Bundle | aws_workspaces_bundle | Configuration |
| AWS WorkSpaces Service | aws_workspaces | Service |
| AWS WorkSpaces Workspace | aws_workspace | Host |
| AccessAnalyzer Analyzer | aws_accessanalyzer_analyzer | Assessment, Scanner |
| AccessAnalyzer Finding | aws_accessanalyzer_finding | Finding |
| ApiGateway Domain Name | aws_api_gateway_domain_name | Domain |
| ApiGateway Resource | aws_api_gateway_resource | Resource |
| ApiGateway Resource Method | aws_api_gateway_method | Resource |
| ApiGateway Rest Api | aws_api_gateway_rest_api | Gateway |
| ApiGateway Stage | aws_api_gateway_stage | Resource |
| ApiGatewayV2 Api | aws_api_gateway_v2_api | Gateway |
| ApiGatewayV2 Authorizer | aws_api_gateway_v2_authorizer | Configuration |
| ApiGatewayV2 Integration | aws_api_gateway_v2_integration | Configuration |
| ApiGatewayV2 Route | aws_api_gateway_v2_route | ApplicationEndpoint |
| Autoscaling Group | aws_autoscaling_group | Deployment, Group |
| Autoscaling Launch Configuration | aws_autoscaling_launch_configuration | Configuration |
| Autoscaling Policy | aws_autoscaling_policy | Configuration |
| Batch Job | aws_batch_job | Process, Task |
| Cloudhsm Backup | aws_cloudhsm_backup | Backup, Vault |
| Cloudhsm Cluster | aws_cloudhsm_cluster | Cluster, Vault |
| Cloudhsm Instance | aws_cloudhsm_instance | Host, Vault |
| Cloudwatch Events Rule | aws_cloudwatch_event_rule | Task |
| Cloudwatch Logs Destination | aws_cloudwatch_log_destination | Logs |
| Cloudwatch Logs Log Group | aws_cloudwatch_log_group | Logs |
| Cloudwatch Logs Subscription Filter | aws_cloudwatch_log_subscription_filter | Subscription |
| CodeBuild Project | aws_codebuild_project | Configuration |
| CodeBuild Report Group | aws_codebuild_report_group | Resource |
| CodeCommit Repository | aws_codecommit_repository | CodeRepo |
| CodePipeline Pipeline | aws_codepipeline_pipeline | Workflow |
| Configservice Rule | aws_config_rule | ControlPolicy |
| Configservice Service | aws_config | Service |
| DynamoDB Accelerator (DAX) Cluster | aws_dax_cluster | Cluster |
| DynamoDB Accelerator (DAX) Service | aws_dax | Service |
| DynamoDB Global Table | aws_dynamodb_global_table | DataStore, Database |
| DynamoDB Table | aws_dynamodb_table | DataStore, Database |
| ECR Image | aws_ecr_image | Image |
| ECR Image Finding | aws_ecr_image_scan_finding | Finding |
| ECR Repository | aws_ecr_repository | Repository |
| ECS Cluster | aws_ecs_cluster | Cluster |
| ECS Cluster Service | aws_ecs_service | Service |
| ECS Container Instance | aws_ecs_container_instance | Host, Container |
| ECS Task | aws_ecs_task | Task, Process |
| ECS Task Container Definition | aws_ecs_task_container_definition | Configuration |
| ECS Task Definition | aws_ecs_task_definition | Configuration, Function |
| EFS File System | aws_efs_file_system | DataStore |
| EFS Mount Target | aws_efs_mount_target | NetworkEndpoint |
| EKS Clusters | aws_eks_cluster | Cluster |
| EKS Node Group | aws_eks_node_group | Deployment, Group |
| ELB Application Load Balancer | aws_alb | Gateway |
| ELB Gateway Load Balancer | aws_elb | Gateway |
| ELB Listener | aws_lb_listener | ApplicationEndpoint |
| ELB Listener Rule | aws_lb_listener_rule | Rule |
| ELB Network Load Balancer | aws_nlb | Gateway |
| ELB Target Group | aws_lb_target_group | Group |
| Elasticache Cluster | aws_elasticache_memcached_cluster | Database, DataStore, Cluster |
| Elasticache Node | aws_elasticache_cluster_node | Database, DataStore, Host |
| Elasticache Redis Cluster | aws_elasticache_redis_cluster | Database, DataStore, Cluster |
| Elasticache Snapshot | aws_elasticache_snapshot | Database, DataStore, Image, Backup |
| Elasticsearch Domain | aws_elasticsearch_domain | Database, DataStore, Cluster |
| FMS Application List | aws_fms_application_list | Group |
| FMS Policy | aws_fms_policy | Policy |
| FMS Protocols List | aws_fms_protocols_list | Policy |
| FMS Resource Set | aws_fms_resource_set | Group |
| Firewall | aws_firewall | Firewall |
| Firewall Policy | aws_firewall_policy | Policy |
| Firewall Rule Group | aws_firewall_rule_group | Ruleset |
| Glacier Vault | aws_glacier_vault | DataStore |
| Guardduty Detector | aws_guardduty_detector | Assessment, Scanner |
| Guardduty Finding | aws_guardduty_finding | Finding |
| IAM Access Key | aws_iam_access_key | Key, AccessKey |
| IAM Account Password Policy | aws_iam_account_password_policy | PasswordPolicy |
| IAM Group | aws_iam_group | UserGroup |
| IAM Group Policy | aws_iam_group_policy | AccessPolicy |
| IAM Instance Profile | aws_iam_instance_profile | Policy |
| IAM MFA Device | mfa_device | Key, AccessKey |
| IAM OIDC Provider | aws_iam_oidc_provider | Service |
| IAM Policy | aws_iam_policy | AccessPolicy |
| IAM Role | aws_iam_role | AccessRole |
| IAM Role Policy | aws_iam_role_policy | AccessPolicy |
| IAM SAML Provider | aws_iam_saml_provider | Service |
| IAM Server Certificate | aws_iam_server_certificate | Certificate |
| IAM User | aws_iam_user | User |
| IAM User Policy | aws_iam_user_policy | AccessPolicy |
| Inspector Finding | aws_inspector_finding | Finding |
| Inspector v2 Finding | aws_inspectorv2_finding | Finding |
| Lambda Functions | aws_lambda_function | Function |
| Managed Workflows for Apache Airflow | aws_mwaa | Service |
| Organization Policy | aws_organization_policy | AccessPolicy |
| Private Certificate Authority | aws_acm_pca_certificate_authority | Certificate |
| RDS Cluster | aws_rds_cluster | Database, DataStore, Cluster |
| RDS DB Cluster Parameter Group | aws_rds_cluster_parameter_group | Configuration |
| RDS DB Cluster Snapshots | aws_db_cluster_snapshot | Database, DataStore, Image, Backup |
| RDS DB Instance | aws_db_instance | Database, DataStore, Host |
| RDS DB Option Group | aws_db_option_group | Configuration |
| RDS DB Parameter Group | aws_db_parameter_group | Configuration |
| RDS DB Proxy | aws_db_proxy | Network |
| RDS DB Proxy Target | aws_db_proxy_target | Configuration |
| RDS DB Proxy Target Group | aws_db_proxy_target_group | Configuration |
| RDS DB Snapshots | aws_db_snapshot | Database, DataStore, Image, Backup |
| RDS DB Subnet Group | aws_db_subnet_group | Configuration |
| Redshift Cluster | aws_redshift_cluster | Database, DataStore, Cluster |
| Redshift Cluster Parameter Group | aws_redshift_cluster_parameter_group | Configuration |
| Redshift Serverless Endpoint Access | aws_redshift_serverless_endpoint_access | NetworkEndpoint |
| Redshift Serverless Namespace | aws_redshift_serverless_namespace | Group |
| Redshift Serverless Recovery Point | aws_redshift_serverless_recovery_point | Backup |
| Redshift Serverless Snapshot | aws_redshift_serverless_snapshot | Backup |
| Redshift Serverless Usage Limit | aws_redshift_serverless_usage_limit | Configuration |
| Redshift Serverless Workgroup | aws_redshift_serverless_workgroup | Group |
| SQS Queue | aws_sqs_queue | Queue |
| Secret | aws_secret | Secret |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
aws_accessanalyzer | HAS | aws_accessanalyzer_analyzer |
aws_accessanalyzer_analyzer | IDENTIFIED | aws_accessanalyzer_finding |
aws_accessanalyzer_finding | IDENTIFIED | aws_resource |
aws_account | HAS | aws_accessanalyzer |
aws_account | HAS | aws_acm |
aws_account | HAS | aws_acm_pca |
aws_account | HAS | aws_apigateway |
aws_account | HAS | aws_athena |
aws_account | HAS | aws_autoscaling |
aws_account | HAS | aws_autoscalingplans |
aws_account | HAS | aws_backup |
aws_account | HAS | aws_batch |
aws_account | HAS | aws_cloudformation |
aws_account | HAS | aws_cloudfront |
aws_account | HAS | aws_cloudhsm |
aws_account | HAS | aws_cloudtrail |
aws_account | HAS | aws_cloudwatch |
aws_account | HAS | aws_cloudwatch_events |
aws_account | HAS | aws_cloudwatch_logs |
aws_account | HAS | aws_codebuild |
aws_account | HAS | aws_codecommit |
aws_account | HAS | aws_codepipeline |
aws_account | HAS | aws_config |
aws_account | HAS | aws_dax |
aws_account | HAS | aws_db_instance |
aws_account | HAS | aws_directconnect |
aws_account | HAS | aws_dms |
aws_account | HAS | aws_ds |
aws_account | HAS | aws_dynamodb |
aws_account | HAS | aws_ec2 |
aws_account | HAS | aws_ec2_vpc |
aws_account | HAS | aws_ecr |
aws_account | HAS | aws_ecs |
aws_account | HAS | aws_efs |
aws_account | HAS | aws_eks |
aws_account | HAS | aws_elasticache |
aws_account | HAS | aws_elasticloadbalancing |
aws_account | HAS | aws_elasticmapreduce |
aws_account | HAS | aws_es |
aws_account | HAS | aws_firehose |
aws_account | HAS | aws_fms |
aws_account | HAS | aws_glacier |
aws_account | HAS | aws_global_accelerator |
aws_account | HAS | aws_glue |
aws_account | HAS | aws_guardduty |
aws_account | HAS | aws_iam |
aws_account | HAS | aws_inspector |
aws_account | HAS | aws_inspectorv2 |
aws_account | HAS | aws_kinesis |
aws_account | HAS | aws_kms |
aws_account | HAS | aws_lambda |
aws_account | HAS | aws_lexv2 |
aws_account | HAS | aws_macie |
aws_account | HAS | aws_mq |
aws_account | HAS | aws_msk |
aws_account | HAS | aws_mwaa |
aws_account | HAS | aws_networkfirewall |
aws_account | HAS | aws_rds |
aws_account | HAS | aws_redshift |
aws_account | HAS | aws_redshift_serverless |
aws_account | HAS | aws_route53 |
aws_account | HAS | aws_s3 |
aws_account | HAS | aws_sagemaker |
aws_account | HAS | aws_secretsmanager |
aws_account | HAS | aws_securityhub |
aws_account | HAS | aws_ses |
aws_account | HAS | aws_shield |
aws_account | HAS | aws_signer |
aws_account | HAS | aws_sns |
aws_account | HAS | aws_sqs |
aws_account | HAS | aws_ssm |
aws_account | HAS | aws_sso |
aws_account | OWNS | aws_sso_instance |
aws_account | HAS | aws_states |
aws_account | HAS | aws_transfer |
aws_account | HAS | aws_waf |
aws_account | HAS | aws_wafv2 |
aws_account | HAS | aws_workspaces |
aws_acm | HAS | aws_acm_certificate |
aws_acm_pca | HAS | aws_acm_pca_certificate_authority |
aws_alb | USES | aws_eni |
aws_alb | HAS | aws_lb_listener |
aws_alb | CONNECTS | aws_lb_target_group |
aws_alb | HAS | aws_security_group |
aws_ami | CONTAINS | aws_ebs_snapshot |
aws_api_gateway_domain_name | HAS | aws_acm_certificate |
aws_api_gateway_resource | HAS | aws_api_gateway_method |
aws_api_gateway_rest_api | USES | aws_api_gateway_domain_name |
aws_api_gateway_rest_api | HAS | aws_api_gateway_resource |
aws_api_gateway_rest_api | HAS | aws_api_gateway_stage |
aws_api_gateway_rest_api | TRIGGERS | aws_lambda_function |
aws_api_gateway_v2_api | USES | aws_api_gateway_domain_name |
aws_api_gateway_v2_api | HAS | aws_api_gateway_v2_route |
aws_api_gateway_v2_authorizer | CONNECTS | aws_lambda_function |
aws_api_gateway_v2_integration | CONNECTS | aws_lambda_function |
aws_api_gateway_v2_route | HAS | aws_api_gateway_v2_authorizer |
aws_api_gateway_v2_route | HAS | aws_api_gateway_v2_integration |
aws_apigateway | HAS | aws_api_gateway_domain_name |
aws_apigateway | HAS | aws_api_gateway_rest_api |
aws_apigateway | HAS | aws_api_gateway_v2_api |
aws_autoscaling | HAS | aws_autoscaling_group |
aws_autoscaling | HAS | aws_autoscaling_launch_configuration |
aws_autoscaling_group | USES | aws_autoscaling_launch_configuration |
aws_autoscaling_group | USES | aws_autoscaling_policy |
aws_autoscaling_group | HAS | aws_instance |
aws_autoscaling_group | USES | aws_launch_template |
aws_autoscaling_launch_configuration | USES | aws_ami |
aws_backup | HAS | aws_backup_plan |
aws_backup | HAS | aws_backup_restore_testing_plan |
aws_backup | HAS | aws_backup_vault |
aws_backup_plan | HAS | aws_backup_copy_job |
aws_backup_plan | HAS | aws_backup_job |
aws_backup_recovery_point | PROTECTS | aws_resource |
aws_backup_restore_job | HAS | aws_db_instance |
aws_backup_restore_job | HAS | aws_instance |
aws_backup_restore_testing_plan | HAS | aws_backup_restore_job |
aws_backup_vault | HAS | aws_backup_recovery_point |
aws_batch | HAS | aws_batch_job_definition |
aws_batch | HAS | aws_batch_job_queue |
aws_batch_compute_environment | USES | aws_ecs_cluster |
aws_batch_compute_environment | USES | aws_iam_role |
aws_batch_compute_environment | HAS | aws_security_group |
aws_batch_job_queue | HAS | aws_batch_job |
aws_cloudformation | HAS | aws_cloudformation_stack |
aws_cloudfront | HAS | aws_cloudfront_distribution |
aws_cloudfront | HAS | aws_cloudfront_key_group |
aws_cloudfront | HAS | aws_cloudfront_public_key |
aws_cloudfront_distribution | CONNECTS | aws_api_gateway_rest_api |
aws_cloudfront_distribution | HAS | aws_cloudfront_distribution_origin |
aws_cloudfront_distribution | CONNECTS | aws_elb |
aws_cloudfront_distribution | TRIGGERS | aws_lambda_function |
aws_cloudfront_key_group | HAS | aws_cloudfront_public_key |
aws_cloudhsm | HAS | aws_cloudhsm_cluster |
aws_cloudhsm_cluster | HAS | aws_cloudhsm_backup |
aws_cloudhsm_cluster | HAS | aws_cloudhsm_instance |
aws_cloudhsm_cluster | HAS | aws_security_group |
aws_cloudhsm_instance | HAS | aws_security_group |
aws_cloudwatch | HAS | aws_cloudwatch_metric_alarm |
aws_cloudwatch_event_rule | TRIGGERS | aws_resource |
aws_cloudwatch_events | HAS | aws_cloudwatch_event_rule |
aws_cloudwatch_log_group | USES | aws_kms_key |
aws_cloudwatch_logs | HAS | aws_cloudwatch_log_destination |
aws_cloudwatch_logs | HAS | aws_cloudwatch_log_group |
aws_cloudwatch_logs | HAS | aws_cloudwatch_log_subscription_filter |
aws_codebuild | HAS | aws_codebuild_project |
aws_codebuild | HAS | aws_codebuild_report_group |
aws_codecommit | HAS | aws_codecommit_repository |
aws_codepipeline | HAS | aws_codepipeline_pipeline |
aws_config | HAS | aws_config_rule |
aws_config_rule | EVALUATES | aws_resource |
aws_dax | HAS | aws_dax_cluster |
aws_db_cluster_snapshot | USES | aws_kms_key |
aws_db_instance | LOGS | aws_cloudwatch_log_group |
aws_db_instance | USES | aws_db_option_group |
aws_db_instance | USES | aws_db_parameter_group |
aws_db_instance | HAS | aws_db_snapshot |
aws_db_instance | USES | aws_db_subnet_group |
aws_db_instance | USES | aws_kms_key |
aws_db_instance | USES | aws_secret |
aws_db_instance | HAS | aws_security_group |
aws_db_proxy | HAS | aws_db_proxy_target_group |
aws_db_proxy | USES | aws_iam_role |
aws_db_proxy | USES | aws_secret |
aws_db_proxy | USES | aws_security_group |
aws_db_proxy | USES | aws_subnet |
aws_db_proxy_target | CONNECTS | aws_db_instance |
aws_db_proxy_target | CONNECTS | aws_rds_cluster |
aws_db_proxy_target_group | HAS | aws_db_proxy_target |
aws_db_snapshot | USES | aws_kms_key |
aws_db_subnet_group | USES | aws_subnet |
aws_directconnect | HAS | aws_directconnect_connection |
aws_directconnect | HAS | aws_directconnect_gateway |
aws_directconnect | HAS | aws_directconnect_lag |
aws_directconnect | HAS | aws_directconnect_virtual_interface |
aws_directconnect_lag | USES | aws_direct_connect_connection |
aws_directconnect_lag | HAS | aws_direct_connect_virtual_interface |
aws_directconnect_virtual_interface | USES | aws_direct_connect_gateway |
aws_directconnect_virtual_interface | HAS | aws_directconnect_bgp_peer |
aws_directconnect_virtual_interface | USES | aws_directconnect_lag |
aws_dms | HAS | aws_dms_endpoint |
aws_dms | HAS | aws_dms_instance |
aws_ds | HAS | aws_ds_directory |
aws_dynamodb | HAS | aws_dynamodb_global_table |
aws_dynamodb | HAS | aws_dynamodb_table |
aws_dynamodb_global_table | IS | aws_dynamodb_table |
aws_dynamodb_table | USES | aws_kms_key |
aws_ebs_snapshot | USES | aws_kms_key |
aws_ebs_volume | HAS | aws_ebs_snapshot |
aws_ebs_volume | USES | aws_ebs_snapshot |
aws_ebs_volume | USES | aws_kms_key |
aws_ec2 | HAS | aws_ebs_volume |
aws_ec2 | HAS | aws_ec2_settings |
aws_ec2 | HAS | aws_ec2_transit_gateway |
aws_ec2 | HAS | aws_instance |
aws_ec2 | HAS | aws_internet_gateway |
aws_ec2 | HAS | aws_key_pair |
aws_ec2 | USES | aws_kms_key |
aws_ec2 | HAS | aws_launch_template |
aws_ec2 | HAS | aws_network_acl |
aws_ec2 | HAS | aws_prefix_list |
aws_ec2 | HAS | aws_security_group |
aws_ec2 | HAS | aws_subnet |
aws_ec2 | HAS | aws_vpc |
aws_ec2 | HAS | aws_vpc_endpoint_service |
aws_ec2_transit_gateway | HAS | aws_ec2_transit_gateway_vpc_attachment |
aws_ec2_transit_gateway_vpc_attachment | USES | aws_vpc |
aws_ecr | HAS | aws_ecr_repository |
aws_ecr_image | HAS | aws_ecr_image_scan_finding |
aws_ecr_repository | HAS | aws_ecr_image |
aws_ecs | HAS | aws_ecs_cluster |
aws_ecs | HAS | aws_ecs_task_definition |
aws_ecs_cluster | HAS | aws_ecs_container_instance |
aws_ecs_cluster | HAS | aws_ecs_service |
aws_ecs_cluster | RUNS | aws_ecs_task |
aws_ecs_container_instance | RUNS | aws_ecs_task |
aws_ecs_service | HAS | aws_security_group |
aws_ecs_service | USES | aws_subnet |
aws_ecs_task_definition | DEFINES | aws_ecs_service |
aws_ecs_task_definition | DEFINES | aws_ecs_task |
aws_ecs_task_definition | HAS | aws_ecs_task_container_definition |
aws_ecs_task_definition | USES | aws_iam_role |
aws_efs | HAS | aws_efs_file_system |
aws_efs_file_system | HAS | aws_efs_mount_target |
aws_efs_file_system | USES | aws_kms_key |
aws_efs_mount_target | USES | aws_eni |
aws_efs_mount_target | HAS | aws_security_group |
aws_eks | HAS | aws_eks_cluster |
aws_eks_cluster | HAS | aws_eks_node_group |
aws_eks_cluster | HAS | aws_security_group |
aws_eks_node_group | USES | aws_iam_role |
aws_eks_node_group | HAS | aws_instance |
aws_elasticache | HAS | aws_elasticache_memcached_cluster |
aws_elasticache | HAS | aws_elasticache_redis_cluster |
aws_elasticache_cluster_node | USES | aws_eni |
aws_elasticache_cluster_node | HAS | aws_security_group |
aws_elasticache_memcached_cluster | HAS | aws_elasticache_snapshot |
aws_elasticache_memcached_cluster | USES | aws_eni |
aws_elasticache_memcached_cluster | HAS | aws_security_group |
aws_elasticache_redis_cluster | HAS | aws_elasticache_cluster_node |
aws_elasticache_redis_cluster | USES | aws_kms_key |
aws_elasticache_snapshot | USES | aws_kms_key |
aws_elasticloadbalancing | HAS | aws_alb |
aws_elasticloadbalancing | HAS | aws_elb |
aws_elasticloadbalancing | HAS | aws_nlb |
aws_elasticmapreduce | HAS | aws_elasticmapreduce_cluster |
aws_elasticmapreduce_cluster | HAS | aws_instance |
aws_elasticmapreduce_cluster | USES | aws_kms_key |
aws_elasticsearch_domain | USES | aws_eni |
aws_elasticsearch_domain | HAS | aws_security_group |
aws_elb | USES | aws_eni |
aws_elb | CONNECTS | aws_instance |
aws_elb | HAS | aws_lb_listener |
aws_elb | CONNECTS | aws_lb_target_group |
aws_elb | HAS | aws_security_group |
aws_eni | USES | aws_eip |
aws_eni | HAS | aws_security_group |
aws_es | HAS | aws_elasticsearch_domain |
aws_firehose | HAS | aws_firehose_delivery_stream |
aws_firehose_delivery_stream | USES | aws_kinesis_stream |
aws_firehose_delivery_stream | USES | aws_kms_key |
aws_firewall | HAS | aws_firewall_policy |
aws_firewall | PROTECTS | aws_vpc |
aws_firewall_policy | HAS | aws_firewall_rule_group |
aws_firewall_rule_group | USES | aws_prefix_list |
aws_fms | HAS | aws_fms_application_list |
aws_fms | HAS | aws_fms_policy |
aws_fms | HAS | aws_fms_protocols_list |
aws_fms | HAS | aws_fms_resource_set |
aws_fms_resource_set | HAS | aws_resource |
aws_glacier | HAS | aws_glacier_vault |
aws_global_accelerator | HAS | aws_global_accelerator_accelerator |
aws_glue | HAS | aws_glue_catalog_database |
aws_glue | HAS | aws_glue_connection |
aws_glue | HAS | aws_glue_data_catalog_encryption_settings |
aws_glue | HAS | aws_glue_job |
aws_glue | HAS | aws_glue_security_configuration |
aws_glue | HAS | aws_glue_session |
aws_glue_connection | USES | aws_subnet |
aws_glue_data_catalog_encryption_settings | USES | aws_kms_key |
aws_glue_job | USES | aws_glue_connection |
aws_glue_security_configuration | USES | aws_kms_key |
aws_guardduty | HAS | aws_guardduty_detector |
aws_guardduty_detector | IDENTIFIED | aws_guardduty_finding |
aws_iam | HAS | aws_iam_access_key |
aws_iam | HAS | aws_iam_account_password_policy |
aws_iam | HAS | aws_iam_group |
aws_iam | HAS | aws_iam_group_policy |
aws_iam | HAS | aws_iam_instance_profile |
aws_iam | HAS | aws_iam_oidc_provider |
aws_iam | HAS | aws_iam_policy |
aws_iam | HAS | aws_iam_role |
aws_iam | HAS | aws_iam_role_policy |
aws_iam | HAS | aws_iam_saml_provider |
aws_iam | HAS | aws_iam_server_certificate |
aws_iam | HAS | aws_iam_user |
aws_iam | HAS | aws_iam_user_policy |
aws_iam | HAS | aws_organization_policy |
aws_iam_group | ASSIGNED | aws_iam_group_policy |
aws_iam_group | ASSIGNED | aws_iam_policy |
aws_iam_group | HAS | aws_iam_user |
aws_iam_group_policy | ALLOWS | aws_resource |
aws_iam_group_policy | DENIES | aws_resource |
aws_iam_instance_profile | USES | aws_role |
aws_iam_policy | RESTRICTS | aws_iam_role |
aws_iam_policy | RESTRICTS | aws_iam_user |
aws_iam_policy | ALLOWS | aws_resource |
aws_iam_policy | DENIES | aws_resource |
aws_iam_role | ASSIGNED | aws_batch_compute_environment |
aws_iam_role | ASSIGNED | aws_ecs_task_definition |
aws_iam_role | ASSIGNED | aws_iam_policy |
aws_iam_role | ASSIGNED | aws_iam_role_policy |
aws_iam_role | ASSIGNED | aws_transfer_server |
aws_iam_role | ASSIGNED | aws_transfer_user |
aws_iam_role_policy | ALLOWS | aws_resource |
aws_iam_role_policy | DENIES | aws_resource |
aws_iam_user | HAS | aws_iam_access_key |
aws_iam_user | ASSIGNED | aws_iam_policy |
aws_iam_user | ASSIGNED | aws_iam_user_policy |
aws_iam_user | ASSIGNED | mfa_device |
aws_iam_user_policy | ALLOWS | aws_resource |
aws_iam_user_policy | DENIES | aws_resource |
aws_inspector | HAS | aws_inspector_assessment |
aws_inspector_assessment | IDENTIFIED | aws_inspector_finding |
aws_inspectorv2 | SCANS | aws_ecr_image |
aws_inspectorv2 | SCANS | aws_ecr_repository |
aws_inspectorv2 | IDENTIFIED | aws_inspectorv2_finding |
aws_inspectorv2 | SCANS | aws_instance |
aws_instance | USES | aws_ami |
aws_instance | USES | aws_ebs_volume |
aws_instance | USES | aws_eip |
aws_instance | USES | aws_eni |
aws_instance | USES | aws_iam_instance_profile |
aws_instance | INSTALLED | aws_instance_application |
aws_instance | HAS | aws_instance_inventory |
aws_instance | LOGS | aws_instance_patch_state |
aws_instance | USES | aws_key_pair |
aws_instance | HAS | aws_security_group |
aws_instance | HAS | aws_ssm_associations |
aws_instance | HAS | aws_ssm_compliance_summary |
aws_kinesis | HAS | aws_kinesis_stream |
aws_kinesis_stream | USES | aws_kms_key |
aws_kms | HAS | aws_kms_key |
aws_lambda | HAS | aws_lambda_function |
aws_lambda_function | LOGS | aws_cloudwatch_log_group |
aws_lambda_function | ASSIGNED | aws_iam_role |
aws_lambda_function | HAS | aws_security_group |
aws_lambda_function | USES | aws_signer_signing_profile |
aws_launch_template | HAS | aws_launch_template_version |
aws_launch_template_version | USES | aws_ami |
aws_lb_listener | USES | aws_acm_certificate |
aws_lb_listener | USES | aws_iam_server_certificate |
aws_lb_listener | HAS | aws_lb_listener_rule |
aws_lb_target_group | HAS | aws_instance |
aws_lb_target_group | HAS | aws_lambda_function |
aws_lexv2 | HAS | aws_lexv2_bot |
aws_lexv2_bot | HAS | aws_lexv2_bot_alias |
aws_mq | HAS | aws_mq_broker |
aws_mq_broker | USES | aws_kms_key |
aws_mq_broker | USES | aws_security_group |
aws_mq_broker | USES | aws_subnet |
aws_msk | HAS | aws_msk_cluster |
aws_mwaa | HAS | aws_mwaa_environment |
aws_nat_gateway | USES | aws_eni |
aws_network_acl | ALLOWS | aws_resource |
aws_network_acl | DENIES | aws_resource |
aws_network_acl | PROTECTS | aws_subnet |
aws_networkfirewall | HAS | aws_firewall |
aws_networkfirewall | HAS | aws_firewall_policy |
aws_networkfirewall | HAS | aws_firewall_rule_group |
aws_nlb | USES | aws_eni |
aws_nlb | HAS | aws_lb_listener |
aws_nlb | CONNECTS | aws_lb_target_group |
aws_nlb | HAS | aws_security_group |
aws_organization | HAS | aws_organization_root |
aws_organization_root | HAS | aws_organizational_unit |
aws_organizational_unit | HAS | aws_organizational_unit |
aws_patch_baseline | GENERATED | aws_instance_patch_state |
aws_patch_group | HAS | aws_instance |
aws_patch_group | USES | aws_patch_baseline |
aws_rds | HAS | aws_db_instance |
aws_rds | HAS | aws_db_proxy |
aws_rds | HAS | aws_db_subnet_group |
aws_rds | HAS | aws_rds_cluster |
aws_rds_cluster | HAS | aws_db_cluster_snapshot |
aws_rds_cluster | CONTAINS | aws_db_instance |
aws_rds_cluster | USES | aws_kms_key |
aws_rds_cluster | USES | aws_rds_cluster_parameter_group |
aws_rds_cluster | USES | aws_secret |
aws_rds_cluster | HAS | aws_security_group |
aws_redshift | HAS | aws_redshift_cluster |
aws_redshift_cluster | USES | aws_kms_key |
aws_redshift_cluster | USES | aws_redshift_cluster_parameter_group |
aws_redshift_cluster | HAS | aws_security_group |
aws_redshift_serverless | HAS | aws_redshift_serverless_namespace |
aws_redshift_serverless | HAS | aws_redshift_serverless_usage_limit |
aws_redshift_workgroup | HAS | aws_redshift_serverless_workgroup |
aws_resource | USES | aws_acm_certificate |
aws_resource | HAS | aws_inspectorv2_finding |
aws_resource | ALLOWS | aws_security_group |
aws_resource | HAS | aws_securityhub_finding |
aws_route53 | HAS | aws_route53_domain |
aws_route53 | HAS | aws_route53_resolver_rule |
aws_route53 | HAS | aws_route53_zone |
aws_route53_resolver_rule | USES | aws_vpc |
aws_route53_zone | HAS | aws_route53_record |
aws_route53_zone | USES | aws_vpc |
aws_route_table | USES | aws_prefix_list |
aws_s3 | HAS | aws_s3_bucket |
aws_s3_bucket | ALLOWS | aws_account |
aws_s3_bucket | USES | aws_kms_key |
aws_s3_bucket | NOTIFIES | aws_lambda_function |
aws_s3_bucket | HAS | aws_macie_finding |
aws_s3_bucket | ALLOWS | aws_s3 |
aws_s3_bucket | HAS | aws_s3_access_point |
aws_s3_bucket | HAS | aws_s3_bucket_policy |
aws_s3_bucket | HAS | aws_s3_website_config |
aws_s3_bucket | NOTIFIES | aws_sns_topic |
aws_s3_bucket | NOTIFIES | aws_sqs_queue |
aws_sagemaker | HAS | aws_sagemaker_notebook_instance |
aws_secret | USES | aws_kms_key |
aws_secretsmanager | HAS | aws_secret |
aws_security_group | PROTECTS | aws_alb |
aws_security_group | PROTECTS | aws_batch_compute_environment |
aws_security_group | PROTECTS | aws_cloudhsm_cluster |
aws_security_group | PROTECTS | aws_cloudhsm_instance |
aws_security_group | PROTECTS | aws_db_instance |
aws_security_group | PROTECTS | aws_ecs_service |
aws_security_group | PROTECTS | aws_efs_mount_target |
aws_security_group | PROTECTS | aws_eks_cluster |
aws_security_group | PROTECTS | aws_elasticache_cluster_node |
aws_security_group | PROTECTS | aws_elasticache_memcached_cluster |
aws_security_group | PROTECTS | aws_elasticsearch_domain |
aws_security_group | PROTECTS | aws_elb |
aws_security_group | PROTECTS | aws_eni |
aws_security_group | PROTECTS | aws_instance |
aws_security_group | PROTECTS | aws_lambda_function |
aws_security_group | PROTECTS | aws_nlb |
aws_security_group | ALLOWS | aws_prefix_list |
aws_security_group | USES | aws_prefix_list |
aws_security_group | PROTECTS | aws_rds_cluster |
aws_security_group | PROTECTS | aws_redshift_cluster |
aws_security_group | ALLOWS | aws_resource |
aws_security_group | PROTECTS | aws_vpc_endpoint |
aws_securityhub | HAS | aws_securityhub_standard |
aws_securityhub_control | IDENTIFIED | aws_securityhub_finding |
aws_securityhub_finding | CONNECTS | aws_securityhub_finding |
aws_securityhub_standard | HAS | aws_securityhub_control |
aws_securityhub_standard | IDENTIFIED | aws_securityhub_finding |
aws_ses | HAS | aws_ses_configuration_set |
aws_ses | HAS | aws_ses_identity |
aws_ses | HAS | aws_ses_receipt_filter |
aws_ses_identity | USES | aws_ses_configuration_set |
aws_session_document | USES | aws_cloudwatch_log_group |
aws_session_document | USES | aws_kms_key |
aws_session_document | USES | aws_s3_bucket |
aws_shield | HAS | aws_shield_protection |
aws_shield | HAS | aws_shield_protection_group |
aws_shield | HAS | aws_shield_subscription |
aws_shield_protection | PROTECTS | aws_resource |
aws_shield_protection_group | PROTECTS | aws_resource |
aws_signer | HAS | aws_signer_signing_profile |
aws_sns | HAS | aws_sns_topic |
aws_sns_topic | USES | aws_kms_key |
aws_sns_topic | HAS | aws_sns_subscription |
aws_sqs | HAS | aws_sqs_queue |
aws_sqs_queue | USES | aws_kms_key |
aws_sqs_queue | SENDS | aws_sqs_queue |
aws_ssm | MANAGES | aws_instance |
aws_ssm | HAS | aws_patch_baseline |
aws_ssm | HAS | aws_patch_group |
aws_ssm | MANAGES | aws_secure_string_parameter |
aws_ssm | HAS | aws_session_document |
aws_ssm | HAS | aws_ssm_associations |
aws_ssm | HAS | aws_ssm_compliance_summary |
aws_sso | HAS | aws_sso_instance |
aws_sso_group | HAS | aws_sso_user |
aws_sso_instance | HAS | aws_sso_application |
aws_sso_instance | HAS | aws_sso_group |
aws_sso_instance | HAS | aws_sso_permission_set |
aws_sso_instance | HAS | aws_sso_user |
aws_sso_permission_set | USES | aws_iam_policy |
aws_subnet | HAS | aws_cloudhsm_instance |
aws_subnet | HAS | aws_efs_mount_target |
aws_subnet | HAS | aws_elasticsearch_domain |
aws_subnet | CONNECTS | aws_eni |
aws_subnet | HAS | aws_instance |
aws_subnet | HAS | aws_lambda_function |
aws_subnet | USES | aws_msk_cluster |
aws_subnet | HAS | aws_nat_gateway |
aws_subnet | USES | aws_route_table |
aws_subnet | HAS | aws_workspace |
aws_transfer | HAS | aws_transfer_server |
aws_transfer_server | USES | aws_eip |
aws_transfer_server | HAS | aws_transfer_user |
aws_transfer_user | ALLOWS | aws_s3_bucket |
aws_vpc | HAS | aws_alb |
aws_vpc | HAS | aws_cloudhsm_cluster |
aws_vpc | HAS | aws_codebuild_project |
aws_vpc | HAS | aws_db_instance |
aws_vpc | HAS | aws_db_subnet_group |
aws_vpc | HAS | aws_eks_cluster |
aws_vpc | HAS | aws_elasticache_cluster_node |
aws_vpc | HAS | aws_elasticache_memcached_cluster |
aws_vpc | HAS | aws_elb |
aws_vpc | HAS | aws_glue_dev_endpoint |
aws_vpc | HAS | aws_internet_gateway |
aws_vpc | HAS | aws_nat_gateway |
aws_vpc | HAS | aws_network_acl |
aws_vpc | HAS | aws_nlb |
aws_vpc | HAS | aws_redshift_cluster |
aws_vpc | HAS | aws_redshift_serverless_workgroup |
aws_vpc | HAS | aws_route_table |
aws_vpc | HAS | aws_s3_access_point |
aws_vpc | HAS | aws_security_group |
aws_vpc | CONTAINS | aws_subnet |
aws_vpc | HAS | aws_transfer_server |
aws_vpc | HAS | aws_vpc_endpoint |
aws_vpc | HAS | aws_vpn_gateway |
aws_vpc_endpoint | USES | aws_eni |
aws_vpc_endpoint | USES | aws_eni |
aws_vpc_endpoint | HAS | aws_security_group |
aws_vpc_endpoint | USES | aws_subnet |
aws_vpc_endpoint_service | CONNECTS | aws_elb |
aws_vpc_endpoint_service | CONNECTS | aws_nlb |
aws_vpc_endpoint_service | ALLOWS | aws_resource |
aws_vpc_endpoint_service | CONNECTS | aws_vpc_endpoint |
aws_vpn_gateway | CONNECTS | aws_customer_gateway |
aws_waf | HAS | aws_waf_web_acl |
aws_waf_v2_web_acl | PROTECTS | aws_alb |
aws_waf_v2_web_acl | PROTECTS | aws_api_gateway_stage |
aws_waf_v2_web_acl | PROTECTS | aws_cloudfront_distribution |
aws_waf_v2_web_acl | LOGS | aws_cloudwatch_log_group |
aws_waf_v2_web_acl | LOGS | aws_firehose_delivery_stream |
aws_waf_v2_web_acl | LOGS | aws_s3_bucket |
aws_waf_v2_web_acl | HAS | aws_waf_v2_web_acl_rule |
aws_waf_web_acl | PROTECTS | aws_api_gateway_stage |
aws_waf_web_acl | PROTECTS | aws_cloudfront_distribution |
aws_wafv2 | HAS | aws_waf_v2_web_acl |
aws_workspace | USES | aws_workspaces_bundle |
aws_workspaces | HAS | aws_workspace |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
aws_accessanalyzer_finding | IDENTIFIED | *aws_resource* | FORWARD |
aws_account | HAS | *aws_account* | FORWARD |
aws_account | OWNS | *aws_sso_instance* | REVERSE |
aws_api_gateway_domain_name | HAS | *aws_acm_certificate* | FORWARD |
aws_api_gateway_rest_api | ALLOWS | *aws_resource* | FORWARD |
aws_api_gateway_rest_api | DENIES | *aws_resource* | FORWARD |
aws_autoscaling_launch_configuration | USES | *aws_ami* | FORWARD |
aws_backup_vault | ALLOWS | *aws_resource* | FORWARD |
aws_backup_vault | DENIES | *aws_resource* | FORWARD |
aws_batch_compute_environment | USES | *aws_ami* | FORWARD |
aws_cloudfront_distribution | CONNECTS | *aws_api_gateway_domain_name* | FORWARD |
aws_cloudfront_distribution | CONNECTS | *aws_api_gateway_rest_api* | FORWARD |
aws_cloudfront_distribution | CONNECTS | *aws_resource* | FORWARD |
aws_cloudfront_distribution | CONNECTS | *aws_s3_bucket* | FORWARD |
aws_cloudtrail | LOGS | *aws_cloudwatch_log_group* | FORWARD |
aws_cloudtrail | SENDS | *aws_dynamodb* | REVERSE |
aws_cloudtrail | SENDS | *aws_dynamodb_table* | REVERSE |
aws_cloudtrail | SENDS | *aws_lambda* | REVERSE |
aws_cloudtrail | SENDS | *aws_lambda_function* | REVERSE |
aws_cloudtrail | SENDS | *aws_s3* | REVERSE |
aws_cloudtrail | LOGS | *aws_s3_bucket* | FORWARD |
aws_cloudtrail | SENDS | *aws_s3_bucket* | REVERSE |
aws_ec2 | HAS | *aws_ec2_transit_gateway* | FORWARD |
aws_ec2_transit_gateway_vpc_attachment | USES | *aws_vpc* | FORWARD |
aws_ecr_repository | ALLOWS | *aws_resource* | REVERSE |
aws_ecr_repository | DENIES | *aws_resource* | REVERSE |
aws_ecs_task | USES | *aws_eni* | FORWARD |
aws_efs_file_system | ALLOWS | *aws_resource* | FORWARD |
aws_efs_file_system | DENIES | *aws_resource* | FORWARD |
aws_firewall_rule_group | USES | *aws_prefix_list* | FORWARD |
aws_fms_resource_set | HAS | *aws_resource* | FORWARD |
aws_glacier_vault | ALLOWS | *aws_resource* | FORWARD |
aws_glacier_vault | DENIES | *aws_resource* | FORWARD |
aws_glue_catalog_database | ALLOWS | *aws_resource* | FORWARD |
aws_glue_catalog_database | DENIES | *aws_resource* | FORWARD |
aws_iam_group_policy | ALLOWS | *aws_resource* | FORWARD |
aws_iam_group_policy | DENIES | *aws_resource* | FORWARD |
aws_iam_policy | ALLOWS | *aws_resource* | FORWARD |
aws_iam_policy | DENIES | *aws_resource* | FORWARD |
aws_iam_role | TRUSTS | *aws_resource* | FORWARD |
aws_iam_role | TRUSTS | *external_resource* | FORWARD |
aws_iam_role_policy | ALLOWS | *aws_resource* | FORWARD |
aws_iam_role_policy | DENIES | *aws_resource* | FORWARD |
aws_iam_saml_provider | IS | *external_resource* | FORWARD |
aws_iam_user_policy | ALLOWS | *aws_resource* | FORWARD |
aws_iam_user_policy | DENIES | *aws_resource* | FORWARD |
aws_inspectorv2_finding | IS | *cve* | FORWARD |
aws_instance | USES | *aws_ami* | FORWARD |
aws_instance_patch_state | GENERATED | *aws_patch_baseline* | REVERSE |
aws_internet_gateway | CONNECTS | *internet* | FORWARD |
aws_kinesis_stream | USES | *aws_kinesis_consumer* | REVERSE |
aws_kms_key | USES | *aws_cloudwatch_log_group* | REVERSE |
aws_kms_key | USES | *aws_db_cluster_snapshot* | REVERSE |
aws_kms_key | USES | *aws_db_instance* | REVERSE |
aws_kms_key | USES | *aws_db_snapshot* | REVERSE |
aws_kms_key | USES | *aws_dynamodb_table* | REVERSE |
aws_kms_key | USES | *aws_ebs_snapshot* | REVERSE |
aws_kms_key | USES | *aws_ebs_volume* | REVERSE |
aws_kms_key | USES | *aws_efs_file_system* | REVERSE |
aws_kms_key | USES | *aws_elasticache_redis_cluster* | REVERSE |
aws_kms_key | USES | *aws_elasticache_snapshot* | REVERSE |
aws_kms_key | USES | *aws_glue_security_configuration* | REVERSE |
aws_kms_key | USES | *aws_rds_cluster* | REVERSE |
aws_kms_key | USES | *aws_redshift_cluster* | REVERSE |
aws_kms_key | ALLOWS | *aws_resource* | FORWARD |
aws_kms_key | DENIES | *aws_resource* | FORWARD |
aws_kms_key | USES | *aws_s3_bucket* | REVERSE |
aws_kms_key | USES | *aws_sns_topic* | REVERSE |
aws_lambda_function | USES | *aws_lambda_layer* | FORWARD |
aws_lambda_function | ALLOWS | *aws_resource* | FORWARD |
aws_lambda_function | DENIES | *aws_resource* | FORWARD |
aws_lambda_function | USES | *aws_signer_signing_profile* | FORWARD |
aws_launch_template_version | USES | *aws_ami* | FORWARD |
aws_lb_target_group | HAS | *aws_eip* | FORWARD |
aws_lb_target_group | HAS | *aws_eni* | FORWARD |
aws_lexv2_bot | ALLOWS | *aws_resource* | FORWARD |
aws_lexv2_bot | DENIES | *aws_resource* | FORWARD |
aws_lexv2_bot_alias | ALLOWS | *aws_resource* | FORWARD |
aws_lexv2_bot_alias | DENIES | *aws_resource* | FORWARD |
aws_nat_gateway | USES | *aws_eip* | FORWARD |
aws_network_acl | ALLOWS | *aws_resource* | FORWARD |
aws_network_acl | ALLOWS | *aws_resource* | REVERSE |
aws_network_acl | DENIES | *aws_resource* | FORWARD |
aws_network_acl | DENIES | *aws_resource* | REVERSE |
aws_organization_root | HAS | *aws_account* | FORWARD |
aws_organizational_unit | HAS | *aws_account* | FORWARD |
aws_patch_group | USES | *aws_patch_baseline* | FORWARD |
aws_route53_record | CONNECTS | *aws_acm* | FORWARD |
aws_route53_record | CONNECTS | *aws_resource* | FORWARD |
aws_route53_record | CONNECTS | *aws_ses* | FORWARD |
aws_route53_zone | USES | *aws_vpc* | FORWARD |
aws_route_table | USES | *aws_prefix_list* | FORWARD |
aws_s3_bucket | ALLOWS | *aws_account* | FORWARD |
aws_s3_bucket | ALLOWS | *aws_account* | REVERSE |
aws_s3_bucket | ALLOWS | *aws_authenticated_users* | FORWARD |
aws_s3_bucket | ALLOWS | *aws_authenticated_users* | REVERSE |
aws_s3_bucket | ALLOWS | *aws_resource* | FORWARD |
aws_s3_bucket | DENIES | *aws_resource* | REVERSE |
aws_s3_bucket | ALLOWS | *aws_s3* | FORWARD |
aws_s3_bucket | ALLOWS | *aws_s3* | REVERSE |
aws_s3_bucket | HAS | *aws_s3_access_point* | REVERSE |
aws_s3_bucket | PUBLISHES | *aws_s3_bucket* | FORWARD |
aws_s3_bucket | ALLOWS | *everyone* | FORWARD |
aws_s3_bucket | ALLOWS | *everyone* | REVERSE |
aws_secret | ALLOWS | *aws_resource* | FORWARD |
aws_secret | DENIES | *aws_resource* | FORWARD |
aws_security_group | ALLOWS | *aws_prefix_list* | FORWARD |
aws_security_group | USES | *aws_prefix_list* | FORWARD |
aws_security_group | ALLOWS | *aws_resource* | FORWARD |
aws_security_group | ALLOWS | *aws_resource* | REVERSE |
aws_ses_identity | ALLOWS | *aws_resource* | FORWARD |
aws_ses_identity | DENIES | *aws_resource* | FORWARD |
aws_sns_subscription | HAS | *aws_resource* | FORWARD |
aws_sns_topic | ALLOWS | *aws_resource* | REVERSE |
aws_sns_topic | DENIES | *aws_resource* | REVERSE |
aws_sns_topic | NOTIFIES | *aws_resource* | FORWARD |
aws_sqs_queue | ALLOWS | *aws_resource* | REVERSE |
aws_sqs_queue | DENIES | *aws_resource* | REVERSE |
aws_vpc | LOGS | *aws_cloudwatch_log_group* | FORWARD |
aws_vpc | LOGS | *aws_s3_bucket* | FORWARD |
aws_vpc | CONNECTS | *aws_vpc* | FORWARD |
aws_vpc | CONNECTS | *aws_vpc* | REVERSE |
aws_vpc_endpoint | ALLOWS | *aws_resource* | FORWARD |
aws_vpc_endpoint | ALLOWS | *aws_resource* | REVERSE |
aws_vpc_endpoint | DENIES | *aws_resource* | FORWARD |
aws_vpc_endpoint | DENIES | *aws_resource* | REVERSE |