@cloudgraph/cg-provider-aws
cloud-graph provider plugin for AWS used to fetch AWS cloud data.
Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the AWS SDK
💻 Full CloudGraph Documentation Including AWS Examples
Install the aws provider in CloudGraph:

```
cg init aws
```
Authenticate the CloudGraph AWS Provider in any of the following ways:

- `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`
- `credentials` under `~/.aws` (any profile, defaults to `default`)

CloudGraph needs read permissions in order to ingest your data. To keep things easy you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the AWS Docs for generating the correct Role (feel free to leave out AutoCloud specific configuration).
CloudGraph is able to scan multiple AWS accounts at once. This is done by setting up multiple profiles in your `~/.aws/credentials` file and then selecting all the profiles you want to crawl when running `cg init`. All resources will be tagged with an `accountId` so you can query resources specific to an account or query resources across accounts!
CloudGraph creates a configuration file at:

- `~/.config/cloudgraph/.cloud-graphrc.json`
- `%LOCALAPPDATA%\cloudgraph/.cloud-graphrc.json`

NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the `cg init` command.
CloudGraph will generate this configuration file when you run `cg init aws`. You may update it manually or by running `cg init aws` again.

```
"aws": {
  "profileApprovedList": [
    "default",
    "master",
    "sandbox"
  ], // Optional, defaults to the default profile
  "regions": "us-east-1,us-east-2,us-west-2",
  "resources": "alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,vpc,sqs,s3"
}
```
CloudGraph AWS Provider will ask you what regions you would like to crawl and will by default crawl for all supported resources in selected regions in the default account. You can update the `regions`, `resources`, or `profile` fields in the `cloud-graphrc.json` file to change this behavior. You can also select which `resources` to crawl in the `cg init aws` command by passing the `-r` flag: `cg init aws -r`
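A pre-flight check for the multi-account setup described above, as an added example (not CloudGraph's own code): it cross-checks `profileApprovedList` against the text of `~/.aws/credentials` and reports approved profiles with no keys in that file, approved profiles using static keys without a session token, and profiles on disk that will not be crawled. The function names `parseCredentials` and `auditAwsConfig` are hypothetical, and the sample config and credentials are constructed placeholder values.

```javascript
// Parse an AWS shared credentials file (INI) into { profile: { key: value } }.
function parseCredentials(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) { current = section[1].trim(); profiles[current] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) profiles[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Compare the profiles CloudGraph is configured to crawl with what is on disk.
function auditAwsConfig(awsConfig, credentialsText) {
  const profiles = parseCredentials(credentialsText);
  // The README says the list is optional and defaults to the default profile.
  const approved = awsConfig.profileApprovedList || ['default'];
  const findings = { missing: [], longLivedKeys: [], notCrawled: [] };
  for (const name of approved) {
    const p = profiles[name];
    if (!p || !p.aws_access_key_id) findings.missing.push(name); // no keys in this file
    else if (!p.aws_session_token) findings.longLivedKeys.push(name); // static keys
  }
  for (const name of Object.keys(profiles)) {
    if (!approved.includes(name)) findings.notCrawled.push(name);
  }
  return findings;
}

// Constructed sample inputs; key values are placeholders, not real credentials.
const sampleConfig = { profileApprovedList: ['default', 'master', 'sandbox'], regions: 'us-east-1' };
const sampleCredentials = `
[default]
aws_access_key_id = EXAMPLEKEYID1
aws_secret_access_key = examplesecret1
[sandbox]
aws_access_key_id = EXAMPLEKEYID2
aws_secret_access_key = examplesecret2
aws_session_token = exampletoken
[prod]
aws_access_key_id = EXAMPLEKEYID3
aws_secret_access_key = examplesecret3
`;
console.log(auditAwsConfig(sampleConfig, sampleCredentials));
```

A profile listed under `missing` may still be defined elsewhere (for example in `~/.aws/config`); the check only covers the credentials file the README refers to.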
Service | Relations |
---|---|
acm | |
alb | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl |
apiGatewayApiKey | |
apiGatewayDomainName | apiGatewayHttpApi, apiGatewayRestApi |
apiGatewayHttpApi | apiGatewayDomainName |
apiGatewayRestApi | apiGatewayDomainName, apiGatewayResource, apiGatewayStage, route53Record |
apiGatewayStage | apiGatewayRestApi, wafV2WebAcl |
apiGatewayResource | apiGatewayRestApi |
apiGatewayUsagePlan | |
apiGatewayVpcLink | |
appSync | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl |
asg | ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet |
athenaDataCatalog | |
clientVpnEndpoint | securityGroup |
cloud9 | |
cloudformationStack | cloudformationStack, iamRole, sns |
cloudformationStackSet | iamRole |
cloudfront | cloudwatch, elb, s3 |
cloudtrail | cloudwatch, cloudwatchLog, kms, s3, sns |
cloudwatch | cloudfront, cloudtrail, cloudwatchLog, sns |
cloudwatchLog | cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance |
codeCommitRepository | |
codebuild | iamRole, kms, vpc, securityGroup, subnet |
codePipeline | |
codePipelineWebhook | |
cognitoIdentityPool | iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain |
cognitoUserPool | appSync, elasticSearchDomain, lambda |
configurationDeliveryChannel | |
configurationRecorder | iamRole |
configurationRule | |
customerGateway | vpnConnection |
dynamodb | appSync, iamRole, kms |
docdbCluster | |
dmsReplicationInstance | securityGroup, subnet, vpc, kms |
ebs | asg, ec2, emrInstance, ebsSnapshot |
ebsSnapshot | ebs, kms |
ec2 | alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer |
ecr | |
ecsCluster | cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3 |
ecsContainer | ecsTask, ec2 |
ecsService | ecsCluster, ecsTaskDefinition, ecsTaskSet, elb, iamRole, securityGroup, subnet, vpc |
ecsTask | ecsContainer, ecsCluster, ecsTaskDefinition, iamRole |
ecsTaskDefinition | ecsService, ecsTask, ecsTaskSet, iamRole |
ecsTaskSet | ecsCluster, ecsService, ecsTaskDefinition |
efs | kms |
efsAccessPoint | |
efsMountTarget | networkInterface, subnet, vpc |
eip | ec2, networkInterface, vpc |
eksCluster | ec2, iamRole, kms, securityGroup, subnet, vpc |
elastiCacheCluster | securityGroup, subnet, vpc |
elastiCacheReplicationGroup | kms |
elasticBeanstalkApp | elasticBeanstalkEnv, iamRole |
elasticBeanstalkEnv | alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs |
elasticSearchDomain | cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc |
elb | cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc |
emrCluster | iamRole, kms, subnet |
emrInstance | ebs, ec2 |
emrStep | |
flowLog | vpc, iamRole, subnet, networkInterface |
glueCrawler | |
glueDatabase | |
glueJob | iamRole |
glueRegistry | |
glueTrigger | |
guardDutyDetector | iamRole |
iamAccessAnalyzer | |
iamInstanceProfile | ec2, iamRole |
iamPasswordPolicy | |
iamSamlProvider | cognitoIdentityPool |
iamOpenIdConnectProvider | cognitoIdentityPool |
iamServerCertificate | |
iamUser | iamGroup |
iamPolicy | iamRole, iamGroup |
iamRole | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, ecsTask, ecsTaskDefinition, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain |
iamGroup | iamUser, iamPolicy |
igw | vpc |
iot | |
kinesisFirehose | kinesisStream, s3, iamRole |
kinesisStream | kinesisFirehose |
kms | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3, ebsSnapshot |
lambda | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole |
managedAirflow | cloudwatchLog, iamRole, kms, securityGroups, subnet, s3 |
managedPrefixList | |
mskCluster | securityGroup, subnet |
nacl | vpc |
natGateway | networkInterface, subnet, vpc |
networkInterface | ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, vpcEndpoint, flowLog, securityGroup |
organization | |
rdsCluster | appSync, rdsClusterSnapshot, rdsDbInstance, route53HostedZone, securityGroup, subnet, iamRole, kms |
rdsClusterSnapshot | kms, rdsCluster, vpc |
rdsDbProxies | |
rdsEventSubscription | |
rdsGlobalCluster | |
rdsDbInstance | kms, iamRole, rdsCluster, securityGroup, vpc, subnet, cloudwatchLog |
redshiftCluster | kms, vpc |
route53Record | alb, apiGatewayRestApi, elb, route53HostedZone |
route53HostedZone | rdsCluster, route53Record, vpc |
routeTable | subnet, vpc, vpcEndpoint |
sageMakerExperiment | |
sageMakerNotebookInstance | iamRole, kms, networkInterface, subnet, securityGroup |
sageMakerProject | |
s3 | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, kms, lambda, managedAirflow, sns, sqs |
secretsManager | kms, lambda |
securityGroup | alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint, mskCluster |
securityHub | |
securityHubMember | |
securityHubStandardSubscription | |
ses | |
sesReceiptRuleSet | |
sesDomain | |
sesEmail | cognitoUserPool |
sns | kms, cloudtrail, cloudwatch, s3 |
sqs | elasticBeanstalkEnv, s3 |
subnet | alb, asg, codebuild, dmsReplicationInstance, ec2, ecsService, efsMountTarget, elastiCacheCluster, elasticSearchDomain, elb, lambda, managedAirflow, natGateway, networkInterface, rdsCluster, sageMakerNotebookInstance, routeTable, vpc, vpcEndpoint, eksCluster, emrCluster, flowLog, mskCluster |
systemsManagerInstance | ec2, iamRole |
systemsManagerDocument | |
systemsManagerParameter | |
transitGateway | transitGatewayAttachment, transitGatewayRouteTable, vpnConnection |
transitGatewayAttachment | transitGateway, transitGatewayRouteTable, vpc, vpnConnection |
transitGatewayRouteTable | transitGateway, transitGatewayAttachment |
vpc | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster, igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment, vpcEndpoint, vpcPeeringConnection |
vpcEndpoint | networkInterface, routeTable, securityGroup, subnet, vpc |
vpcPeeringConnection | vpc |
vpnConnection | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway |
vpnGateway | vpc, vpnConnection |
wafV2WebAcl | appSync, apiGatewayStage, alb |
FAQs
The npm package @cloudgraph/cg-provider-aws receives a total of 6 weekly downloads. As such, @cloudgraph/cg-provider-aws popularity was classified as not popular.
We found that @cloudgraph/cg-provider-aws demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.