Awesome
CloudGraph AWS Provider
Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the AWS SDK
<!-- toc --> <!-- tocstop -->Docs
💻 Full CloudGraph Documentation Including AWS Examples
Install
Install the aws provider in CloudGraph
cg init aws
Authentication
Authenticate the CloudGraph AWS Provider any of the following ways:
- Credentials from env variables:
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,AWS_SESSION_TOKEN
- Credentials found in the
credentials
under~/.aws
(any profile, defaults todefault
)
CloudGraph needs read permissions in order to ingest your data. To keep things easy you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the AWS Docs for generating the correct Role (feel free to leave out AutoCloud specific configuration).
Multi Account
CloudGraph is able to scan multiple AWS accounts at once. This is done by setting up multiple profiles in your ~/.aws/credentials
file and then selecting all the profiles you want to crawl when running cg init
. All resources will be tagged with an accountId
so you can query resources specific to an account or query resources across accounts!
Configuration
CloudGraph creates a configuration file at:
- UNIX:
~/.config/cloudgraph/.cloud-graphrc.json
- Windows:
%LOCALAPPDATA%\cloudgraph/.cloud-graphrc.json
NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the cg init
command
CloudGraph will generate this configuration file when you run cg init aws
. You may update it manually or by running cg init aws
again.
"aws": {
"profileApprovedList": [
"default",
"master",
"sandbox"
], // Optional, defaults to the default profile
"regions": "us-east-1,us-east-2,us-west-2",
"resources": "alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,vpc,sqs,s3"
}
CloudGraph AWS Provider will ask you what regions you would like to crawl and will by default crawl for all supported resources in selected regions in the default account. You can update the regions
, resources
, or profile
fields in the cloud-graphrc.json
file to change this behavior. You can also select which resources
to crawl in the cg init aws
command by passing the the -r
flag: cg init aws -r
Supported Services
Service | Relations |
---|---|
acm | |
alb | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl |
apiGatewayApiKey | |
apiGatewayDomainName | apiGatewayHttpApi, apiGatewayRestApi |
apiGatewayHttpApi | apiGatewayDomainName |
apiGatewayRestApi | apiGatewayDomainName, apiGatewayResource, apiGatewayStage, route53Record |
apiGatewayStage | apiGatewayRestApi, wafV2WebAcl |
apiGatewayResource | apiGatewayRestApi |
apiGatewayUsagePlan | |
apiGatewayVpcLink | |
appSync | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl |
asg | ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet |
athenaDataCatalog | |
clientVpnEndpoint | securityGroup |
cloud9 | |
cloudformationStack | cloudformationStack, iamRole, sns |
cloudformationStackSet | iamRole |
cloudfront | cloudwatch, elb, s3 |
cloudtrail | cloudwatch, cloudwatchLog, kms, s3, sns |
cloudwatch | cloudfront, cloudtrail, cloudwatchLog, sns |
cloudwatchLog | cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance |
codeCommitRepository | |
codebuild | iamRole, kms, vpc, securityGroup, subnet |
codePipeline | |
codePipelineWebhook | |
cognitoIdentityPool | iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain |
cognitoUserPool | appSync, elasticSearchDomain, lambda |
configurationDeliveryChannel | |
configurationRecorder | iamRole |
configurationRule | |
customerGateway | vpnConnection |
dynamodb | appSync, iamRole, kms |
docdbCluster | |
dmsReplicationInstance | securityGroup, subnet, vpc, kms |
ebs | asg, ec2, emrInstance, ebsSnapshot |
ebsSnapshot | ebs, kms |
ec2 | alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer |
ecr | |
ecsCluster | cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3 |
ecsContainer | ecsTask, ec2 |
ecsService | ecsCluster, ecsTaskDefinition, ecsTaskSet, elb, iamRole, securityGroup, subnet, vpc |
ecsTask | ecsContainer, ecsCluster, ecsTaskDefinition, iamRole |
ecsTaskDefinition | ecsService, ecsTask, ecsTaskSet, iamRole |
ecsTaskSet | ecsCluster, ecsService, ecsTaskDefinition |
efs | kms |
efsAccessPoint | |
efsMountTarget | networkInterface, subnet, vpc |
eip | ec2, networkInterface, vpc |
eksCluster | ec2, iamRole, kms, securityGroup, subnet, vpc |
elastiCacheCluster | securityGroup, subnet, vpc |
elastiCacheReplicationGroup | kms |
elasticBeanstalkApp | elasticBeanstalkEnv, iamRole |
elasticBeanstalkEnv | alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs |
elasticSearchDomain | cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc |
elb | cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc |
emrCluster | iamRole, kms, subnet |
emrInstance | ebs, ec2 |
emrStep | |
flowLog | vpc, iamRole, subnet, networkInterface |
glueCrawler | |
glueDatabase | |
glueJob | iamRole |
glueRegistry | |
glueTrigger | |
guardDutyDetector | iamRole |
iamAccessAnalyzer | |
iamInstanceProfile | ec2, iamRole |
iamPasswordPolicy | |
iamSamlProvider | cognitoIdentityPool |
iamOpenIdConnectProvider | cognitoIdentityPool |
iamServerCertificate | |
iamUser | iamGroup |
iamPolicy | iamRole, iamGroup |
iamRole | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, ecsTask, ecsTaskDefinition,iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain |
iamGroup | iamUser, iamPolicy |
igw | vpc |
iot | |
kinesisFirehose | kinesisStream, s3, iamRole |
kinesisStream | kinesisFirehose |
kms | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3, ebsSnapshot |
lambda | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole |
managedAirflow | cloudwatchLog, iamRole, kms, securityGroups, subnet, s3 |
managedPrefixList | |
mskCluster | securityGroup, subnet |
nacl | vpc |
natGateway | networkInterface, subnet, vpc |
networkInterface | ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, vpcEndpoint, flowLog, securityGroup |
organization | |
rdsCluster | appSync, rdsClusterSnapshot, rdsDbInstance, route53HostedZone, securityGroup, subnet, iamRole, kms |
rdsClusterSnapshot | kms, rdsCluster, vpc |
rdsDbProxies | |
rdsEventSubscription | |
rdsGlobalCluster | |
rdsDbInstance | kms, iamRole, rdsCluster, securityGroup, vpc, subnet, cloudwatchLog |
redshiftCluster | kms, vpc |
route53Record | alb, apiGatewayRestApi, elb, route53HostedZone |
route53HostedZone | rdsCluster, route53Record, vpc |
routeTable | subnet, vpc, vpcEndpoint |
sageMakerExperiment | |
sageMakerNotebookInstance | iamRole, kms, networkInterface, subnet, securityGroup |
sageMakerProject | |
s3 | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, kms, lambda, managedAirflow, sns, sqs |
secretsManager | kms, lambda |
securityGroup | alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint, mskCluster |
securityHub | |
securityHubMember | |
securityHubStandardSubscription | |
ses | |
sesReceiptRuleSet | |
sesDomain | |
sesEmail | cognitoUserPool |
sns | kms, cloudtrail, cloudwatch, s3 |
sqs | elasticBeanstalkEnv, s3 |
subnet | alb, asg, codebuild, dmsReplicationInstance, ec2, ecsService, efsMountTarget, elastiCacheCluster, elasticSearchDomain, elb, lambda, managedAirflow, natGateway, networkInterface, rdsCluster, sageMakerNotebookInstance, routeTable, vpc, vpcEndpoint, eksCluster, emrCluster, flowLog, mskCluster |
systemsManagerInstance | ec2, iamRole |
systemsManagerDocument | |
systemsManagerParameter | |
transitGateway | transitGatewayAttachment, transitGatewayRouteTable, vpnConnection |
transitGatewayAttachment | transitGateway, transitGatewayRouteTable, vpc, vpnConnection |
transitGatewayRouteTable | transitGateway, transitGatewayAttachment |
vpc | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment, vpcEndpoint, vpcPeeringConnection |
vpcEndpoint | networkInterface, routeTable, securityGroup, subnet, vpc |
vpcPeeringConnection | vpc |
vpnConnection | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway |
vpnGateway | vpc, vpnConnection |
wafV2WebAcl | appSync, apiGatewayStage, alb |