
CloudGraph AWS Provider

Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the AWS SDK


Docs

CloudGraph Readme

💻 Full CloudGraph Documentation Including AWS Examples

Install

Install the AWS provider in CloudGraph:

cg init aws

Authentication

Authenticate the CloudGraph AWS Provider in any of the following ways:

CloudGraph needs read permissions in order to ingest your data. To keep things easy, you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the AWS Docs for generating the correct Role (feel free to leave out the AutoCloud-specific configuration).

Multi Account

CloudGraph is able to scan multiple AWS accounts at once. This is done by setting up multiple profiles in your ~/.aws/credentials file and then selecting all the profiles you want to crawl when running cg init. All resources will be tagged with an accountId so you can query resources specific to an account or query resources across accounts!

Configuration

CloudGraph creates a configuration file at:

NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the cg init command

CloudGraph will generate this configuration file when you run cg init aws. You may update it manually or by running cg init aws again.

"aws": {
  "profileApprovedList": [
    "default",
    "master",
    "sandbox"
  ], // Optional, defaults to the default profile
  "regions": "us-east-1,us-east-2,us-west-2",
  "resources": "alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,vpc,sqs,s3"
}

The CloudGraph AWS Provider will ask you which regions you would like to crawl and will, by default, crawl all supported resources in the selected regions of the default account. You can update the regions, resources, or profile fields in the cloud-graphrc.json file to change this behavior. You can also select which resources to crawl in the cg init aws command by passing the -r flag: cg init aws -r

Supported Services

Service | Relations
acm |
alb | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl
apiGatewayApiKey |
apiGatewayDomainName | apiGatewayHttpApi, apiGatewayRestApi
apiGatewayHttpApi | apiGatewayDomainName
apiGatewayRestApi | apiGatewayDomainName, apiGatewayResource, apiGatewayStage, route53Record
apiGatewayStage | apiGatewayRestApi, wafV2WebAcl
apiGatewayResource | apiGatewayRestApi
apiGatewayUsagePlan |
apiGatewayVpcLink |
appSync | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl
asg | ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet
athenaDataCatalog |
clientVpnEndpoint | securityGroup
cloud9 |
cloudformationStack | cloudformationStack, iamRole, sns
cloudformationStackSet | iamRole
cloudfront | cloudwatch, elb, s3
cloudtrail | cloudwatch, cloudwatchLog, kms, s3, sns
cloudwatch | cloudfront, cloudtrail, cloudwatchLog, sns
cloudwatchLog | cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance
codeCommitRepository |
codebuild | iamRole, kms, vpc, securityGroup, subnet
codePipeline |
codePipelineWebhook |
cognitoIdentityPool | iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain
cognitoUserPool | appSync, elasticSearchDomain, lambda
configurationDeliveryChannel |
configurationRecorder | iamRole
configurationRule |
customerGateway | vpnConnection
dynamodb | appSync, iamRole, kms
docdbCluster |
dmsReplicationInstance | securityGroup, subnet, vpc, kms
ebs | asg, ec2, emrInstance, ebsSnapshot
ebsSnapshot | ebs, kms
ec2 | alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer
ecr |
ecsCluster | cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3
ecsContainer | ecsTask, ec2
ecsService | ecsCluster, ecsTaskDefinition, ecsTaskSet, elb, iamRole, securityGroup, subnet, vpc
ecsTask | ecsContainer, ecsCluster, ecsTaskDefinition, iamRole
ecsTaskDefinition | ecsService, ecsTask, ecsTaskSet, iamRole
ecsTaskSet | ecsCluster, ecsService, ecsTaskDefinition
efs | kms
efsAccessPoint |
efsMountTarget | networkInterface, subnet, vpc
eip | ec2, networkInterface, vpc
eksCluster | ec2, iamRole, kms, securityGroup, subnet, vpc
elastiCacheCluster | securityGroup, subnet, vpc
elastiCacheReplicationGroup | kms
elasticBeanstalkApp | elasticBeanstalkEnv, iamRole
elasticBeanstalkEnv | alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs
elasticSearchDomain | cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc
elb | cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc
emrCluster | iamRole, kms, subnet
emrInstance | ebs, ec2
emrStep |
flowLog | vpc, iamRole, subnet, networkInterface
glueCrawler |
glueDatabase |
glueJob | iamRole
glueRegistry |
glueTrigger |
guardDutyDetector | iamRole
iamAccessAnalyzer |
iamInstanceProfile | ec2, iamRole
iamPasswordPolicy |
iamSamlProvider | cognitoIdentityPool
iamOpenIdConnectProvider | cognitoIdentityPool
iamServerCertificate |
iamUser | iamGroup
iamPolicy | iamRole, iamGroup
iamRole | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, ecsTask, ecsTaskDefinition, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain
iamGroup | iamUser, iamPolicy
igw | vpc
iot |
kinesisFirehose | kinesisStream, s3, iamRole
kinesisStream | kinesisFirehose
kms | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3, ebsSnapshot
lambda | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole
managedAirflow | cloudwatchLog, iamRole, kms, securityGroup, subnet, s3
managedPrefixList |
mskCluster | securityGroup, subnet
nacl | vpc
natGateway | networkInterface, subnet, vpc
networkInterface | ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, vpcEndpoint, flowLog, securityGroup
organization |
rdsCluster | appSync, rdsClusterSnapshot, rdsDbInstance, route53HostedZone, securityGroup, subnet, iamRole, kms
rdsClusterSnapshot | kms, rdsCluster, vpc
rdsDbProxies |
rdsEventSubscription |
rdsGlobalCluster |
rdsDbInstance | kms, iamRole, rdsCluster, securityGroup, vpc, subnet, cloudwatchLog
redshiftCluster | kms, vpc
route53Record | alb, apiGatewayRestApi, elb, route53HostedZone
route53HostedZone | rdsCluster, route53Record, vpc
routeTable | subnet, vpc, vpcEndpoint
sageMakerExperiment |
sageMakerNotebookInstance | iamRole, kms, networkInterface, subnet, securityGroup
sageMakerProject |
s3 | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, kms, lambda, managedAirflow, sns, sqs
secretsManager | kms, lambda
securityGroup | alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint, mskCluster
securityHub |
securityHubMember |
securityHubStandardSubscription |
ses |
sesReceiptRuleSet |
sesDomain |
sesEmail | cognitoUserPool
sns | kms, cloudtrail, cloudwatch, s3
sqs | elasticBeanstalkEnv, s3
subnet | alb, asg, codebuild, dmsReplicationInstance, ec2, ecsService, efsMountTarget, elastiCacheCluster, elasticSearchDomain, elb, lambda, managedAirflow, natGateway, networkInterface, rdsCluster, sageMakerNotebookInstance, routeTable, vpc, vpcEndpoint, eksCluster, emrCluster, flowLog, mskCluster
systemsManagerInstance | ec2, iamRole
systemsManagerDocument |
systemsManagerParameter |
transitGateway | transitGatewayAttachment, transitGatewayRouteTable, vpnConnection
transitGatewayAttachment | transitGateway, transitGatewayRouteTable, vpc, vpnConnection
transitGatewayRouteTable | transitGateway, transitGatewayAttachment
vpc | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster, igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment, vpcEndpoint, vpcPeeringConnection
vpcEndpoint | networkInterface, routeTable, securityGroup, subnet, vpc
vpcPeeringConnection | vpc
vpnConnection | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway
vpnGateway | vpc, vpnConnection
wafV2WebAcl | appSync, apiGatewayStage, alb