A lot of work has been done to enable CloudTrail Event ingestion through EventBridge. See the JupiterOne AWS Cloudformation for EventBridge to learn more about which events are supported. More to come in 2021!
Last active
December 24, 2020 02:51
Gist: aiwilliams/0e31baf36192eebaccdd1ff603a954de
JupiterOne AWS 2020
diff --git a/docs/docs-jupiterone-io/index.md b/docs/docs-jupiterone-io/index.md | |
index 3193b9c9..67b68829 100644 | |
--- a/docs/docs-jupiterone-io/index.md | |
+++ b/docs/docs-jupiterone-io/index.md | |
@@ -46,7 +46,7 @@ The following entity resources and their meta data (not actual contents) are | |
ingested when the integration runs: | |
| AWS Service | AWS Entity Resource | \_type : \_class of the Entity | | |
-| -------------- | ------------------------- | ------------------------------------------------------------ | | |
+| --------------- | ------------------------- | ------------------------------------------------------------------------ | | |
| Account | n/a | `aws_account` : `Account` | | |
| ACM | ACM Certificate | `aws_acm_certificate` : `Certificate` | | |
| API Gateway | REST API | `aws_api_gateway_rest_api` : `Gateway` | | |
@@ -54,9 +54,11 @@ ingested when the integration runs: | |
| | Batch Job | `aws_batch_job` : `Process`, `Task` | | |
| | Batch Job Definition | `aws_batch_job_definition` : `Configuration`, `Function` | | |
| | Batch Job Queue | `aws_batch_job_queue` : `Queue` | | |
-| CloudFormation | Stack | `aws_cloudfront_stack`: `Configuration` | | |
+| CloudFormation | Stack | `aws_cloudformation_stack`: `Configuration` | | |
| CloudFront | Distribution | `aws_cloudfront_distribution`: `Gateway` | | |
| CloudWatch | Event Rule | `aws_cloudwatch_event_rule` : `Task` | | |
+| | Metric Alarm | `aws_cloudwatch_metric_alarm` : `Monitor` | | |
+| | Log Group | `aws_cloudwatch_log_group` : `Logs` | | |
| Config | Config Rule | `aws_config_rule` : `ControlPolicy` | | |
| DynamoDB | DynamoDB Table | `aws_dynamodb_table` : `DataStore`, `Database` | | |
| EC2 | AMI Image | `aws_ami` : `Image` | | |
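Review bot: The `aws_cloudfront_stack` to `aws_cloudformation_stack` correction in the CloudFormation row is right, but if the integration ever emitted the old `_type`, any saved J1QL queries or alert rules keyed on `aws_cloudfront_stack` will silently return nothing; worth calling out as a rename rather than a pure doc typo. The two new CloudWatch rows are consistent with the relationships section, which already referenced `aws_cloudwatch_log_group` without a matching entity entry.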
@@ -66,11 +68,14 @@ ingested when the integration runs: | |
| | EBS Volume Snapshot | `aws_ebs_snapshot` : `DataStore`, `Disk`, `Image` | | |
| | Elastic IP | `aws_eip` : `IpAddress` | | |
| | Internet Gateway | `aws_internet_gateway` : `Gateway` | | |
+| | NAT Gateway | `aws_nat_gateway` : `Gateway` | | |
| | Network ACL | `aws_network_acl` : `Firewall` | | |
| | Network Interface | `aws_eni` : `NetworkInterface` | | |
+| | Route Table | `aws_route_table` : `Configuration` | | |
| | Security Group | `aws_security_group` : `Firewall` | | |
-| | VPC | `aws_vpc` : `Network` | | |
| | Subnet | `aws_subnet` : `Network` | | |
+| | VPC | `aws_vpc` : `Network` | | |
+| | VPN Gateway | `aws_vpn_gateway` : `Gateway` | | |
| AutoScaling | Auto Scaling Group | `aws_autoscaling_group` : `Deployment`, `Group` | | |
| ECR | ECR Container Repository | `aws_ecr_repository` : `Repository` | | |
| | ECR Container Image | `aws_ecr_image` : `Image` | | |
@@ -80,11 +85,17 @@ ingested when the integration runs: | |
| | ECS Service | `aws_ecs_service` : `Service` | | |
| | ECS Task Definition | `aws_ecs_task_definition` : `Function`, `Configuration` | | |
| | ECS Task | `aws_ecs_task` : `Task`, `Process` | | |
+| EFS | EFS File System | `aws_efs_file_system` : `DataStore` | | |
+| | EFS Mount Target | `aws_efs_mount_target` : `NetworkEndpoint` | | |
| EKS | EKS Cluster | `aws_eks_cluster` : `Cluster` | | |
| ELB | Application Load Balancer | `aws_alb` : `Gateway` | | |
| | Network Load Balancer | `aws_nlb` : `Gateway` | | |
| | Classic Load Balancer | `aws_elb` : `Gateway` | | |
| | Target Group | `aws_lb_target_group` : `Group` | | |
+| ElastiCache | Cache Cluster (Memcached) | `aws_elasticache_memcached_cluster` : `Database`, `DataStore`, `Cluster` | | |
+| | Replication Group (Redis) | `aws_elasticache_redis_cluster` : `Database`, `DataStore`, `Cluster` | | |
+| | Node Group Member | `aws_elasticache_cluster_node` : `Database`, `DataStore`, `Host` | | |
+| Elasticsearch | Elasticsearch Domain | `aws_elasticsearch_domain` : `Database`, `DataStore`, `Cluster` | | |
| GuardDuty | GuardDuty Detector | `aws_guardduty_detector` : `Assessment`, `Scanner` | | |
| | GuardDuty Finding | `aws_guardduty_finding` : `Finding` | | |
| IAM | Account Password Policy | `aws_iam_account_password_policy` : `PasswordPolicy` | | |
@@ -98,6 +109,8 @@ ingested when the integration runs: | |
| | IAM Role Policy | `aws_iam_role_policy` : `AccessPolicy` | | |
| | IAM Managed Policy | `aws_iam_policy` : `AccessPolicy` | | |
| | IAM SAML Provider | `aws_iam_saml_provider` : `Service` | | |
+| Access Analyzer | Access Analyzer | `aws_accessanalyzer_analyzer` : `Accessment`, `Scanner` | | |
+| | Access Analyzer Finding | `aws_accessanalyzer_finding` : `Finding` | | |
| Inspector | Inspector Assessment Run | `aws_inspector_assessment` : `Assessment` | | |
| | Inspector Finding | `aws_inspector_finding` : `Finding` | | |
| KMS | KMS Key | `aws_kms_key` : `CryptoKey` | | |
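Review bot: Typo in the new Access Analyzer row: the `_class` reads `Accessment`, but the class used elsewhere in this table (Inspector Assessment Run, GuardDuty Detector) is `Assessment`. Since this column documents the actual `_class` values, please confirm which string the code emits and use `Assessment` here if the code is correct.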
@@ -108,13 +121,18 @@ ingested when the integration runs: | |
| | RDS DB Instance Snapshot | `aws_db_snapshot` : `DataStore`, `Database`, `Image` | | |
| | RDS DB Cluster Snapshot | `aws_db_cluster_snapshot` : `DataStore`, `Database`, `Image` | | |
| Route53 | Route53 Domain | `aws_route53_domain` : `Domain` | | |
-| | Route53 Hosted Zone | `aws_route53_zone` : `Domain`, `Zone` | | |
-| | Route53 RecordSet | `aws_route53_record` : `DomainRecord`, `Record` | | |
+| | Route53 Hosted Zone | `aws_route53_zone` : `DomainZone` | | |
+| | Route53 RecordSet | `aws_route53_record` : `DomainRecord`, | | |
| S3 | S3 Bucket | `aws_s3_bucket` : `DataStore` | | |
| | S3 Bucket Policy | `aws_s3_bucket_policy` : `AccessPolicy` | | |
+| SNS | SNS Subscription | `aws_sns_subscription` : `Subscription` | | |
+| | SNS Topic | `aws_sns_topic` : `Channel` | | |
+| SQS | SQS Queue | `aws_sqs_queue` : `Queue` | | |
| Transfer | Transfer Server (SFTP) | `aws_transfer_server` : `Host`, `Gateway` | | |
| | Transfer User (SFTP) | `aws_transfer_user` : `User` | | |
| WAF | Web ACL | `aws_waf_web_acl` : `Firewall` | | |
+| WorkSpaces | Workspace | `aws_workspace` : `Host` | | |
+| | Bundle | `aws_workspaces_bundle` : `Configuration` | | |
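Review bot: The Route53 RecordSet row now ends with a dangling comma (`aws_route53_record` : `DomainRecord`,); either `Record` was dropped by accident or the trailing comma should go. Please also confirm the Hosted Zone change from `Domain`, `Zone` to the single class `DomainZone` is intentional, since the mapped relationships table still pairs `Domain` **HAS** `aws_route53_zone`. Minor: the new WorkSpaces rows use both `aws_workspace` and `aws_workspaces_bundle` (singular vs plural prefix).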
## Relationships | |
@@ -123,14 +141,9 @@ The following relationships are created/mapped: | |
### Basic relationships within the integration instance account/resources | |
| Relationships | | |
-| ---------------------------------------------------------------------- | | |
+| ------------------------------------------------------------------------- | | |
| `aws_account` (master) **HAS** `aws_account` (sub-account) | | |
-| `aws_account` **HAS** `aws_apigateway` | | |
-| `aws_account` **HAS** `aws` | | |
-| `aws_account` **HAS** `aws_iam` | | |
-| `aws_account` **HAS** `aws_lambda` | | |
-| `aws_account` **HAS** `aws_s3` | | |
-| `aws_account` **HAS** `aws_config` | | |
+| `aws_account` **HAS** `Service` (e.g. `aws_ec2`, `aws_iam`, ...) | | |
| `aws_acm` **HAS** `aws_acm_certificate` | | |
| `aws_batch` **HAS** `aws_batch_compute_environment` | | |
| `aws_batch` **HAS** `aws_batch_job_definition` | | |
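Review bot: Collapsing the six `aws_account` **HAS** rows into one is a readability win, but the replacement row uses a `_class` (`Service`) where every other row in this table uses `_type`s; a short inline note like the existing _See Note 1_ style would make that distinction explicit for readers writing queries. The deleted `aws_account` **HAS** `aws` row looked like a stray entry anyway, so no loss there.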
@@ -168,9 +181,17 @@ The following relationships are created/mapped: | |
| `aws_ebs_volume` **USES** `aws_kms_key` | | |
| `aws_security_group` **PROTECTS** `aws_instance` | | |
| `aws_instance` **HAS** `aws_security_group` | | |
+| `aws_nat_gateway` **USES** `aws_eni` or `aws_eip` | | |
+| `aws_eni` **USES** `aws_eip` | | |
| `aws_vpc` **CONTAINS** `aws_subnet` | | |
+| `aws_vpc` **HAS** `aws_nat_gateway` | | |
+| `aws_vpc` **HAS** `aws_internet_gateway` | | |
+| `aws_vpc` **HAS** `aws_vpn_gateway` | | |
+| `aws_vpc` **HAS** `aws_route_table` | | |
| `aws_vpc` **LOGS** `aws_cloudwatch_log_group` | | |
| `aws_vpc` **LOGS** `aws_s3_bucket` | | |
+| `aws_subnet` **HAS** `aws_instance` | | |
+| `aws_subnet` **USES** `aws_route_table` | | |
| `aws_network_acl` **PROTECTS** `aws_subnet` | | |
| `aws_ecr` **HAS** `aws_ecr_repository` | | |
| `aws_ecr_repository` **HAS** `aws_ecr_image` | | |
@@ -186,8 +207,16 @@ The following relationships are created/mapped: | |
| `aws_ecs_task_definition` **DEFINES** `aws_ecs_task` | | |
| `aws_ecs_service` **TRIGGERS** `aws_ecs_task` | | |
| `aws_instance` **RUNS** `aws_ecs_container_instance` | | |
+| `aws_efs` **HAS** `aws_efs_file_system` | | |
+| `aws_efs_file_system` **HAS** `aws_efs_mount_point` | | |
+| `aws_efs_mount_point` **USES** `aws_eni` | | |
+| `aws_subnet` **HAS** `aws_efs_mount_point` | | |
+| `aws_security_group` **PROTECTS** `aws_efs_mount_point` | | |
| `aws_eks` **HAS** `aws_eks_cluster` | | |
| `aws_elasticloadbalancing` **HAS** `aws_alb` or `aws_nlb` or `aws_elb` | | |
+| `aws_elasticache_redis_cluster` **HAS** `aws_elasticache_cluster_node` | | |
+| `aws_security_group` **PROTECTS** `aws_elasticache_cluster_node` | | |
+| `aws_security_group` **PROTECTS** `aws_elasticsearch_domain` | | |
| `aws_alb` **USES** `aws_acm_certificate` | | |
| `aws_alb` or `aws_nlb` or `aws_elb` **CONNECTS** `aws_lb_target_group` | | |
| `aws_lb_target_group` **HAS** `aws_instance` or `aws_lambda_function` | | |
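Review bot: Naming mismatch between this hunk and the entity table: the four new EFS relationship rows use `aws_efs_mount_point`, while the entity table added earlier in this same change documents the mount target as `aws_efs_mount_target` (class `NetworkEndpoint`). One of them is wrong; please align on whichever `_type` the code emits, otherwise readers will write queries against a type that does not exist.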
@@ -208,6 +237,7 @@ The following relationships are created/mapped: | |
| `aws_iam_role` **HAS** `aws_iam_managed_policy` | | |
| `aws_iam_user` **HAS** `aws_iam_managed_policy` | | |
| `aws_iam_user` **HAS** `aws_iam_user_policy` | | |
+| `aws_accessanalyzer_analyzer` **IDENTIFIED** `aws_accessanalyzer_finding` | | |
| `aws_inspector_assessment` **IDENTIFIED** `aws_inspector_finding` | | |
| `aws_instance` **HAS** `aws_inspector_finding` | | |
| `aws_lambda` **HAS** `aws_lambda_function` | | |
@@ -228,20 +258,24 @@ The following relationships are created/mapped: | |
| `aws_s3` **HAS** `aws_s3_bucket` | | |
| `aws_s3_bucket` **USES** `aws_kms_key` | | |
| `aws_s3_bucket` **HAS** `aws_s3_bucket_policy` | | |
+| `aws_sns_topic` **HAS** `aws_sns_subscription` | | |
| `aws_transfer_server` **HAS** `aws_transfer_user` | | |
| `aws_s3_bucket` **ALLOWS** `aws_transfer_user` | | |
| `aws_iam_role` **ASSIGNED** `aws_transfer_server` | | |
| `aws_iam_role` **ASSIGNED** `aws_transfer_user` | | |
| `aws_waf` **HAS** `aws_waf_web_acl` | | |
| `aws_waf_web_acl` **PROTECTS** `aws_cloudfront_distribution` | | |
+| `aws_workspace` **USES** `aws_workspaces_bundle` | | |
+| `aws_subnet` **HAS** `aws_workspace` | | |
### Mapped Relationships - connections to broader entity resources | |
| Relationships | | |
-| ----------------------------------------------------- | | |
+| ---------------------------------------------------------- | | |
| `aws_iam_user` **IS** `Person` _See Note 1_ | | |
| `aws_route53_record` **CONNECTS** `Host` or `Gateway` | | |
| `Domain` **HAS** `aws_route53_zone` _See Note 2_ | | |
+| `aws_vpc` **CONNECTS** `aws_vpc` (VPC Peering Connections) | | |
\*\*Note 1: This is mapped automatically only when the IAM user has an `Email` | |
tag, or the `username` of the IAM User is an email that matches that of a Person | |
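Review bot: The new `aws_vpc` **CONNECTS** `aws_vpc` (VPC Peering Connections) row lands in the "Mapped Relationships" table, but both ends are entities the integration ingests itself, so it reads as a basic in-account relationship unless the intent is to cover peering to a VPC in an account the integration does not ingest; a parenthetical saying which case applies would help. The `aws_workspace` **USES** `aws_workspaces_bundle` row inherits the singular/plural prefix mismatch from the entity table.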
@@ -257,9 +291,9 @@ The AWS integration performs analysis of security group rules, IAM policies, and | |
assume role trust policies to determine the following mapping: | |
| Relationships | | |
-| --------------------------------------------------------------------------------- | | |
-| `aws_iam_role` **TRUSTS** `aws_iam_user|aws_<service>` (within the same account) | | |
-| `aws_iam_role` **TRUSTS** `aws_iam_role|aws_iam_user|aws_account` (cross-account) | | |
+| ------------------------------------------------------------------------------------------- | | |
+| `aws_iam_role` **TRUSTS** `aws_iam_user` or `aws_<service>` (within the same account) | | |
+| `aws_iam_role` **TRUSTS** `aws_iam_role` or `aws_iam_user` or `aws_account` (cross-account) | | |
| `aws_iam_policy` **ALLOWS** `<Resource>` _See Note 3_ | | |
\*\*Note 3: This creates permission relationships from an IAM policy (including |
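Review bot: Good fix. The old rows put a literal `|` inside a code span (`aws_iam_user|aws_<service>`), which most Markdown table renderers treat as a cell separator even inside backticks, so the TRUSTS rows were rendering as broken, extra-column rows; spelling out "or" avoids the problem and matches the style already used by the `aws_alb` or `aws_nlb` or `aws_elb` rows above.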