@aiwilliams
Last active December 24, 2020 02:51
JupiterOne AWS 2020
diff --git a/docs/docs-jupiterone-io/index.md b/docs/docs-jupiterone-io/index.md
index 3193b9c9..67b68829 100644
--- a/docs/docs-jupiterone-io/index.md
+++ b/docs/docs-jupiterone-io/index.md
@@ -46,7 +46,7 @@ The following entity resources and their meta data (not actual contents) are
ingested when the integration runs:
| AWS Service | AWS Entity Resource | \_type : \_class of the Entity |
-| -------------- | ------------------------- | ------------------------------------------------------------ |
+| --------------- | ------------------------- | ------------------------------------------------------------------------ |
| Account | n/a | `aws_account` : `Account` |
| ACM | ACM Certificate | `aws_acm_certificate` : `Certificate` |
| API Gateway | REST API | `aws_api_gateway_rest_api` : `Gateway` |
@@ -54,9 +54,11 @@ ingested when the integration runs:
| | Batch Job | `aws_batch_job` : `Process`, `Task` |
| | Batch Job Definition | `aws_batch_job_definition` : `Configuration`, `Function` |
| | Batch Job Queue | `aws_batch_job_queue` : `Queue` |
-| CloudFormation | Stack | `aws_cloudfront_stack`: `Configuration` |
+| CloudFormation | Stack | `aws_cloudformation_stack`: `Configuration` |
| CloudFront | Distribution | `aws_cloudfront_distribution`: `Gateway` |
| CloudWatch | Event Rule | `aws_cloudwatch_event_rule` : `Task` |
+| | Metric Alarm | `aws_cloudwatch_metric_alarm` : `Monitor` |
+| | Log Group | `aws_cloudwatch_log_group` : `Logs` |
| Config | Config Rule | `aws_config_rule` : `ControlPolicy` |
| DynamoDB | DynamoDB Table | `aws_dynamodb_table` : `DataStore`, `Database` |
| EC2 | AMI Image | `aws_ami` : `Image` |
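Review bot: the `-`/`+` pair on the CloudFormation row changes the documented `_type` from `aws_cloudfront_stack` to `aws_cloudformation_stack`. If the integration has always emitted `aws_cloudformation_stack`, this is a plain doc typo fix; if the emitted `_type` actually changed, call it out in the changelog, because saved queries and alert rules keyed on the old `_type` would silently return nothing. The two new CloudWatch rows close a real gap: `aws_cloudwatch_log_group` was already referenced by the existing `aws_vpc` **LOGS** `aws_cloudwatch_log_group` relationship without appearing in the entity table.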
@@ -66,11 +68,14 @@ ingested when the integration runs:
| | EBS Volume Snapshot | `aws_ebs_snapshot` : `DataStore`, `Disk`, `Image` |
| | Elastic IP | `aws_eip` : `IpAddress` |
| | Internet Gateway | `aws_internet_gateway` : `Gateway` |
+| | NAT Gateway | `aws_nat_gateway` : `Gateway` |
| | Network ACL | `aws_network_acl` : `Firewall` |
| | Network Interface | `aws_eni` : `NetworkInterface` |
+| | Route Table | `aws_route_table` : `Configuration` |
| | Security Group | `aws_security_group` : `Firewall` |
-| | VPC | `aws_vpc` : `Network` |
| | Subnet | `aws_subnet` : `Network` |
+| | VPC | `aws_vpc` : `Network` |
+| | VPN Gateway | `aws_vpn_gateway` : `Gateway` |
| AutoScaling | Auto Scaling Group | `aws_autoscaling_group` : `Deployment`, `Group` |
| ECR | ECR Container Repository | `aws_ecr_repository` : `Repository` |
| | ECR Container Image | `aws_ecr_image` : `Image` |
@@ -80,11 +85,17 @@ ingested when the integration runs:
| | ECS Service | `aws_ecs_service` : `Service` |
| | ECS Task Definition | `aws_ecs_task_definition` : `Function`, `Configuration` |
| | ECS Task | `aws_ecs_task` : `Task`, `Process` |
+| EFS | EFS File System | `aws_efs_file_system` : `DataStore` |
+| | EFS Mount Target | `aws_efs_mount_target` : `NetworkEndpoint` |
| EKS | EKS Cluster | `aws_eks_cluster` : `Cluster` |
| ELB | Application Load Balancer | `aws_alb` : `Gateway` |
| | Network Load Balancer | `aws_nlb` : `Gateway` |
| | Classic Load Balancer | `aws_elb` : `Gateway` |
| | Target Group | `aws_lb_target_group` : `Group` |
+| ElastiCache | Cache Cluster (Memcached) | `aws_elasticache_memcached_cluster` : `Database`, `DataStore`, `Cluster` |
+| | Replication Group (Redis) | `aws_elasticache_redis_cluster` : `Database`, `DataStore`, `Cluster` |
+| | Node Group Member | `aws_elasticache_cluster_node` : `Database`, `DataStore`, `Host` |
+| Elasticsearch | Elasticsearch Domain | `aws_elasticsearch_domain` : `Database`, `DataStore`, `Cluster` |
| GuardDuty | GuardDuty Detector | `aws_guardduty_detector` : `Assessment`, `Scanner` |
| | GuardDuty Finding | `aws_guardduty_finding` : `Finding` |
| IAM | Account Password Policy | `aws_iam_account_password_policy` : `PasswordPolicy` |
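Review bot: the ElastiCache block documents node-level entities (`Node Group Member`, `aws_elasticache_cluster_node`) only under the Redis replication group row; Memcached cache clusters also consist of nodes. State whether Memcached nodes are ingested as `aws_elasticache_cluster_node` as well or not at all, otherwise readers will expect node entities (and the security-group edge on them) that never appear for Memcached.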
@@ -98,6 +109,8 @@ ingested when the integration runs:
| | IAM Role Policy | `aws_iam_role_policy` : `AccessPolicy` |
| | IAM Managed Policy | `aws_iam_policy` : `AccessPolicy` |
| | IAM SAML Provider | `aws_iam_saml_provider` : `Service` |
+| Access Analyzer | Access Analyzer | `aws_accessanalyzer_analyzer` : `Accessment`, `Scanner` |
+| | Access Analyzer Finding | `aws_accessanalyzer_finding` : `Finding` |
| Inspector | Inspector Assessment Run | `aws_inspector_assessment` : `Assessment` |
| | Inspector Finding | `aws_inspector_finding` : `Finding` |
| KMS | KMS Key | `aws_kms_key` : `CryptoKey` |
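Review bot: `Accessment` in the Access Analyzer row is a typo for the `Assessment` class that the Inspector and GuardDuty rows use; as written it documents a class that does not exist, and a reader would not expect `Find Assessment` to return analyzers. Suggested: | Access Analyzer | Access Analyzer | `aws_accessanalyzer_analyzer` : `Assessment`, `Scanner` |.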
@@ -108,13 +121,18 @@ ingested when the integration runs:
| | RDS DB Instance Snapshot | `aws_db_snapshot` : `DataStore`, `Database`, `Image` |
| | RDS DB Cluster Snapshot | `aws_db_cluster_snapshot` : `DataStore`, `Database`, `Image` |
| Route53 | Route53 Domain | `aws_route53_domain` : `Domain` |
-| | Route53 Hosted Zone | `aws_route53_zone` : `Domain`, `Zone` |
-| | Route53 RecordSet | `aws_route53_record` : `DomainRecord`, `Record` |
+| | Route53 Hosted Zone | `aws_route53_zone` : `DomainZone` |
+| | Route53 RecordSet | `aws_route53_record` : `DomainRecord`, |
| S3 | S3 Bucket | `aws_s3_bucket` : `DataStore` |
| | S3 Bucket Policy | `aws_s3_bucket_policy` : `AccessPolicy` |
+| SNS | SNS Subscription | `aws_sns_subscription` : `Subscription` |
+| | SNS Topic | `aws_sns_topic` : `Channel` |
+| SQS | SQS Queue | `aws_sqs_queue` : `Queue` |
| Transfer | Transfer Server (SFTP) | `aws_transfer_server` : `Host`, `Gateway` |
| | Transfer User (SFTP) | `aws_transfer_user` : `User` |
| WAF | Web ACL | `aws_waf_web_acl` : `Firewall` |
+| WorkSpaces | Workspace | `aws_workspace` : `Host` |
+| | Bundle | `aws_workspaces_bundle` : `Configuration` |
## Relationships
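Review bot: the Route53 RecordSet row now ends in a dangling comma (`aws_route53_record` : `DomainRecord`,); either drop the comma or restore the second class that the removed line carried (`Record`). The hosted zone row also changes class from `Domain`, `Zone` to the single `DomainZone`; if intentional, flag it as a breaking change for queries that matched hosted zones by `Domain` or `Zone`, and re-read the unchanged mapped relationship `Domain` **HAS** `aws_route53_zone` to confirm it still describes the model. Minor: the two WorkSpaces rows use different prefixes, `aws_workspace` and `aws_workspaces_bundle`; pick one unless the code already emits both.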
@@ -123,14 +141,9 @@ The following relationships are created/mapped:
### Basic relationships within the integration instance account/resources
| Relationships |
-| ---------------------------------------------------------------------- |
+| ------------------------------------------------------------------------- |
| `aws_account` (master) **HAS** `aws_account` (sub-account) |
-| `aws_account` **HAS** `aws_apigateway` |
-| `aws_account` **HAS** `aws` |
-| `aws_account` **HAS** `aws_iam` |
-| `aws_account` **HAS** `aws_lambda` |
-| `aws_account` **HAS** `aws_s3` |
-| `aws_account` **HAS** `aws_config` |
+| `aws_account` **HAS** `Service` (e.g. `aws_ec2`, `aws_iam`, ...) |
| `aws_acm` **HAS** `aws_acm_certificate` |
| `aws_batch` **HAS** `aws_batch_compute_environment` |
| `aws_batch` **HAS** `aws_batch_job_definition` |
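Review bot: the replacement row `aws_account` **HAS** `Service` is the only place in this document that refers to service entities by class instead of `_type`, and the entity table above has no row for them, so a reader cannot tell what `_type`/`_class` `aws_ec2`, `aws_iam` and the rest carry. Either add a row to the entity table, for example | (each service) | n/a | `aws_<service>` : `Service` |, or spell out in this row that every ingested service produces an `aws_<service>` : `Service` entity that the `aws_acm`, `aws_batch`, ... rows below hang off.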
@@ -168,9 +181,17 @@ The following relationships are created/mapped:
| `aws_ebs_volume` **USES** `aws_kms_key` |
| `aws_security_group` **PROTECTS** `aws_instance` |
| `aws_instance` **HAS** `aws_security_group` |
+| `aws_nat_gateway` **USES** `aws_eni` or `aws_eip` |
+| `aws_eni` **USES** `aws_eip` |
| `aws_vpc` **CONTAINS** `aws_subnet` |
+| `aws_vpc` **HAS** `aws_nat_gateway` |
+| `aws_vpc` **HAS** `aws_internet_gateway` |
+| `aws_vpc` **HAS** `aws_vpn_gateway` |
+| `aws_vpc` **HAS** `aws_route_table` |
| `aws_vpc` **LOGS** `aws_cloudwatch_log_group` |
| `aws_vpc` **LOGS** `aws_s3_bucket` |
+| `aws_subnet` **HAS** `aws_instance` |
+| `aws_subnet` **USES** `aws_route_table` |
| `aws_network_acl` **PROTECTS** `aws_subnet` |
| `aws_ecr` **HAS** `aws_ecr_repository` |
| `aws_ecr_repository` **HAS** `aws_ecr_image` |
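Review bot: `aws_nat_gateway` **USES** `aws_eni` or `aws_eip` reads as either/or, but elsewhere in this table `or` lists alternative target types (`aws_alb` or `aws_nlb` or `aws_elb`), and a public NAT gateway has both an ENI and an EIP; two rows (`aws_nat_gateway` **USES** `aws_eni` and `aws_nat_gateway` **USES** `aws_eip`) would make clear that both edges are created. For `aws_subnet` **USES** `aws_route_table`, say whether a subnet with no explicit association is linked to the VPC's main route table, which is how AWS actually routes it; if only explicit associations are followed, such subnets show no route table in the graph, which misleads anyone querying for subnets with a route to an internet gateway.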
@@ -186,8 +207,16 @@ The following relationships are created/mapped:
| `aws_ecs_task_definition` **DEFINES** `aws_ecs_task` |
| `aws_ecs_service` **TRIGGERS** `aws_ecs_task` |
| `aws_instance` **RUNS** `aws_ecs_container_instance` |
+| `aws_efs` **HAS** `aws_efs_file_system` |
+| `aws_efs_file_system` **HAS** `aws_efs_mount_point` |
+| `aws_efs_mount_point` **USES** `aws_eni` |
+| `aws_subnet` **HAS** `aws_efs_mount_point` |
+| `aws_security_group` **PROTECTS** `aws_efs_mount_point` |
| `aws_eks` **HAS** `aws_eks_cluster` |
| `aws_elasticloadbalancing` **HAS** `aws_alb` or `aws_nlb` or `aws_elb` |
+| `aws_elasticache_redis_cluster` **HAS** `aws_elasticache_cluster_node` |
+| `aws_security_group` **PROTECTS** `aws_elasticache_cluster_node` |
+| `aws_security_group` **PROTECTS** `aws_elasticsearch_domain` |
| `aws_alb` **USES** `aws_acm_certificate` |
| `aws_alb` or `aws_nlb` or `aws_elb` **CONNECTS** `aws_lb_target_group` |
| `aws_lb_target_group` **HAS** `aws_instance` or `aws_lambda_function` |
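Review bot: the five EFS rows use `aws_efs_mount_point`, but the entity table in this same patch defines the entity as `aws_efs_mount_target` (AWS's own term is also "mount target"); one of the two is wrong, and as documented none of these relationships can be found by a reader searching on the entity's `_type`. Suggested: | `aws_efs_file_system` **HAS** `aws_efs_mount_target` | and the same substitution in the `aws_eni`, `aws_subnet` and `aws_security_group` rows. Also, `aws_elasticache_redis_cluster` **HAS** `aws_elasticache_cluster_node` has no `aws_elasticache_memcached_cluster` counterpart; add it if Memcached nodes are ingested, otherwise say they are not.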
@@ -208,6 +237,7 @@ The following relationships are created/mapped:
| `aws_iam_role` **HAS** `aws_iam_managed_policy` |
| `aws_iam_user` **HAS** `aws_iam_managed_policy` |
| `aws_iam_user` **HAS** `aws_iam_user_policy` |
+| `aws_accessanalyzer_analyzer` **IDENTIFIED** `aws_accessanalyzer_finding` |
| `aws_inspector_assessment` **IDENTIFIED** `aws_inspector_finding` |
| `aws_instance` **HAS** `aws_inspector_finding` |
| `aws_lambda` **HAS** `aws_lambda_function` |
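Review bot: `aws_accessanalyzer_analyzer` **IDENTIFIED** `aws_accessanalyzer_finding` mirrors the Inspector row, but Inspector also documents `aws_instance` **HAS** `aws_inspector_finding`, which ties each finding to the affected resource. Access Analyzer findings are each about one specific resource (a bucket, role, KMS key, queue, ...), and that resource is what someone triaging external access pivots on; document whether a `<Resource>` **HAS** `aws_accessanalyzer_finding` edge is created and, if not, note it as a gap.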
@@ -228,20 +258,24 @@ The following relationships are created/mapped:
| `aws_s3` **HAS** `aws_s3_bucket` |
| `aws_s3_bucket` **USES** `aws_kms_key` |
| `aws_s3_bucket` **HAS** `aws_s3_bucket_policy` |
+| `aws_sns_topic` **HAS** `aws_sns_subscription` |
| `aws_transfer_server` **HAS** `aws_transfer_user` |
| `aws_s3_bucket` **ALLOWS** `aws_transfer_user` |
| `aws_iam_role` **ASSIGNED** `aws_transfer_server` |
| `aws_iam_role` **ASSIGNED** `aws_transfer_user` |
| `aws_waf` **HAS** `aws_waf_web_acl` |
| `aws_waf_web_acl` **PROTECTS** `aws_cloudfront_distribution` |
+| `aws_workspace` **USES** `aws_workspaces_bundle` |
+| `aws_subnet` **HAS** `aws_workspace` |
### Mapped Relationships - connections to broader entity resources
| Relationships |
-| ----------------------------------------------------- |
+| ---------------------------------------------------------- |
| `aws_iam_user` **IS** `Person` _See Note 1_ |
| `aws_route53_record` **CONNECTS** `Host` or `Gateway` |
| `Domain` **HAS** `aws_route53_zone` _See Note 2_ |
+| `aws_vpc` **CONNECTS** `aws_vpc` (VPC Peering Connections) |
\*\*Note 1: This is mapped automatically only when the IAM user has an `Email`
tag, or the `username` of the IAM User is an email that matches that of a Person
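Review bot: `aws_sqs_queue` was added to the entity table but gets no relationship here, and `aws_sns_subscription` is linked only to its topic; a subscription's endpoint is commonly an `aws_sqs_queue` or `aws_lambda_function`, and a queue's resource policy is what makes it a cross-account exposure. Either add rows for those edges (for example `aws_sns_subscription` **CONNECTS** `aws_sqs_queue` or `aws_lambda_function`) or state that they are not mapped. For `aws_vpc` **CONNECTS** `aws_vpc` (VPC Peering Connections) in the mapped table, say whether a cross-account peer VPC that this instance does not ingest is created as a mapped placeholder entity, since that is the reason for listing it here rather than in the basic table.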
@@ -257,9 +291,9 @@ The AWS integration performs analysis of security group rules, IAM policies, and
assume role trust policies to determine the following mapping:
| Relationships |
-| --------------------------------------------------------------------------------- |
-| `aws_iam_role` **TRUSTS** `aws_iam_user|aws_<service>` (within the same account) |
-| `aws_iam_role` **TRUSTS** `aws_iam_role|aws_iam_user|aws_account` (cross-account) |
+| ------------------------------------------------------------------------------------------- |
+| `aws_iam_role` **TRUSTS** `aws_iam_user` or `aws_<service>` (within the same account) |
+| `aws_iam_role` **TRUSTS** `aws_iam_role` or `aws_iam_user` or `aws_account` (cross-account) |
| `aws_iam_policy` **ALLOWS** `<Resource>` _See Note 3_ |
\*\*Note 3: This creates permission relationships from an IAM policy (including
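Review bot: the same-account TRUSTS row lists only `aws_iam_user` and `aws_<service>`, yet a trust policy can name a role in the same account (role chaining), and the entity table includes `aws_iam_saml_provider`, which is the federated principal in SAML trust policies. Document whether `aws_iam_role` **TRUSTS** `aws_iam_role` (same account) and `aws_iam_role` **TRUSTS** `aws_iam_saml_provider` are produced; role chaining and federation are the first edges to follow when tracing a privilege-escalation path, so a reader needs to know if their absence in the graph means "not trusted" or "not modelled".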