Edge Types
When two cloud resources are connected with each other, CodeShield's cloud model computes an edge between the two resources. There are different types of edges, because a connection may stem from different sources: some edges stem from the definitions of networks or file systems, while others are generated from the attachment of policies to roles, or to users that belong to groups.
In the table below, all edge types are listed.
Edge Types
Edge Type | Source Type | Target Type | Semantics |
---|---|---|---|
APIReference | AWS::ApiGateway::RestApi or AWS::ApiGateway::Resource or AWS::ApiGatewayV2::Api | AWS::Resource | Models the connection between an API route and the resource that will handle the request, depending on the HTTP method used in the request. |
AccessRef | AWS::Resource | AWS::Resource | Models that the source Resource has IAM permissions to access the target Resource. These permissions are extracted by collecting all related policies and evaluating them against each other, i.e., the effectiveActions of this edge are the IAM actions that the source is actually allowed to conduct on the target after all policies have been evaluated. This also models whether a principal can assume a Role, namely when the effective actions contain sts:AssumeRole. |
AlarmEvent | AWS::CloudWatch::Alarm | AWS::Resource | Models that the source alarm triggers the target resource with an alarm event. |
AttachedKey | AWS::Resource | AWS::KMS::Key | Models an AWS::KMS::Key attachment to another resource. |
AttachedNodeGroup | AWS::EKS::Cluster | AWS::EKS::NodeGroup | Models an AWS::EKS::NodeGroup attachment to an EKS cluster. |
AttachedPolicy | AWS::Resource | AWS::IAM::Policy | Models that the source resource has the target policy attached. |
AttachedRole | AWS::Resource | AWS::IAM::Role | Models that the source resource has the target role attached. |
AttachedSecret | AWS::Resource | AWS::SecretsManager::Secret | Models an AWS::SecretsManager::Secret attachment to another resource. |
AuthorizerRef | AWS::ApiGateway::Resource | AWS::Lambda::Function or AWS::Cognito::UserPool | Models that the source API Gateway resource uses the target Lambda function or UserPool as the authorizer for HTTP requests. |
DocDBReference | AWS::DocDB::DBCluster | AWS::DocDB::DBInstance | Models that the source DBCluster contains the target DBInstance. |
FSMountReference | AWS::Resource | AWS::EFS::FileSystem | Models that the source Resource has the target EFS filesystem mounted. |
GroupMembership | AWS::IAM::User | AWS::IAM::Group | Models that the source User is a member of the target Group. |
NetworkReference | AWS::Resource | AWS::Resource | Models that the source Resource can communicate over a VPC network to the target Resource. Contains information about the defining network configuration (security group, port, etc.). |
ParentOf | AWS::Organizations::OrganizationalUnit | AWS::Organizations::OrganizationalUnit or AWS::Organizations::Account | Models that the source OrganizationalUnit is the parent of the target OrganizationalUnit or Account. |
PolicyRef | AWS::Policy | AWS::Resource | Models that a policy references a resource. This edge is not yet policy-evaluated, as no resource-based policies, permission boundaries, or SCPs are taken into account. AccessRef edges model the actual access that is possible between two resources after all corresponding policies have been evaluated. |
PubliclyReachable | Attacker | AWS::Resource | Models the entry points to a cloud environment, i.e., publicly reachable resources by an outsider. |
QueryEvent | AWS::AppSync::DataSource | AWS::DynamoDB::Table | Models that the source DataSource is backed by the target table. |
S3NotificationEvent | AWS::S3::Bucket | AWS::SNS::Topic or AWS::SQS::Queue or AWS::Lambda::Function | Models that the source bucket triggers the target Resource on change. |
SessionRef | AWS::IAM::Role | AWS::IAM::AssumedRole | Models that a role has a role session which is referenced as principal in a trust policy. |
SnsConsumeEvent | AWS::SNS::Topic | AWS::Resource | Models that the source Topic triggers the target resource when a message is published to the source topic. |
SnsPublishEvent | AWS::Lambda::Function | AWS::SNS::Topic | Models that the source function publishes a message to the target SNS topic. |
TaskReference | AWS::ECS::TaskSet or AWS::ECS::Service | AWS::ECS::TaskDefinition | Models that the source TaskSet or Service references the target TaskDefinition. |
TriggerEvent | AWS::Resource | AWS::Resource | Models that the source Resource triggers the target Resource execution. E.g., an AWS::AppSync::DataSource or DynamoDB table triggers a Lambda on change. |
TrustRelationship | AWS::Resource | AWS::Resource | Models that the source has a trust relation to the target. E.g., a Role names the source resource as principal in its trust policy, so that the source is trusted to assume the target role. Or, a resource-based policy allows the source resource in its principal section, so that the source is trusted to access the target DynamoDB table. Note that the allowed actions of a TrustRelationship are not yet policy-evaluated, i.e., even though a target Role might trust the source resource to assume it, another policy might DENY the source from assuming the target role. To definitively check whether the trusted access is granted, there needs to be a policy reference (PolicyRef) between source and target that allows the action (e.g. sts:AssumeRole). |
UserPoolReference | AWS::Cognito::UserPoolClient | AWS::Cognito::UserPool | Models that the source UserPoolClient operates on the target UserPool. |
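The AccessRef, PolicyRef and TrustRelationship rows above describe how un-evaluated edges relate to the policy-evaluated view. The following is an added example, not CodeShield's own code: it assumes a simplified evaluation rule (trust plus an Allow identity policy, minus any explicit Deny) and a constructed sample graph, and derives AccessRef edges with their effectiveActions from TrustRelationship, AttachedPolicy and PolicyRef edges.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    kind: str                          # edge type name from the table above
    source: str
    target: str
    actions: frozenset = frozenset()   # IAM actions named by the underlying statement
    effect: str = "Allow"              # "Allow" or "Deny"; only used on PolicyRef edges

def derive_access_refs(edges):
    # Assumed simplified rule (not CodeShield's exact algorithm): an action is effective from
    # principal P to resource R only if a TrustRelationship P->R names it, a policy attached to P
    # has an Allow PolicyRef policy->R naming it, and no attached policy has a Deny PolicyRef for it.
    trusted, attached, refs = defaultdict(frozenset), defaultdict(set), defaultdict(list)
    for e in edges:
        if e.kind == "TrustRelationship":
            trusted[(e.source, e.target)] |= e.actions
        elif e.kind == "AttachedPolicy":
            attached[e.source].add(e.target)
        elif e.kind == "PolicyRef":
            refs[e.source].append(e)
    derived = []
    for (principal, resource), trust_actions in trusted.items():
        allowed, denied = frozenset(), frozenset()
        for ref in (r for p in attached[principal] for r in refs[p] if r.target == resource):
            if ref.effect == "Deny":
                denied |= ref.actions
            else:
                allowed |= ref.actions
        effective = (trust_actions & allowed) - denied   # Deny wins; trust alone is not enough
        if effective:
            derived.append(Edge("AccessRef", principal, resource, effective))
    return derived

ASSUME = frozenset({"sts:AssumeRole"})
# Constructed sample: role:deploy trusts three users; only alice ends up with effective access.
SAMPLE = [
    Edge("TrustRelationship", "user:alice", "role:deploy", ASSUME),
    Edge("TrustRelationship", "user:bob", "role:deploy", ASSUME),
    Edge("TrustRelationship", "user:carol", "role:deploy", ASSUME),  # trusted, no policy grants it
    Edge("AttachedPolicy", "user:alice", "policy:allow-assume"),
    Edge("AttachedPolicy", "user:bob", "policy:allow-assume"),
    Edge("AttachedPolicy", "user:bob", "policy:deny-assume"),
    Edge("PolicyRef", "policy:allow-assume", "role:deploy", ASSUME),
    Edge("PolicyRef", "policy:deny-assume", "role:deploy", ASSUME, "Deny"),
]
```

Running `derive_access_refs(SAMPLE)` yields a single AccessRef from user:alice to role:deploy; bob is blocked by the explicit Deny and carol only has a TrustRelationship, so neither gets an AccessRef.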