Data Model
Introduction
Workload Discovery on AWS relies on AWS Config to discover the vast majority of its resources. We follow the model that Config provides and extend it to the resources that Perspective discovers through AWS SDK calls as well.
Applying The Config Model
Workload Discovery on AWS uses a graph database as its persistence layer, so the main entities we are concerned with are vertices and the edges that describe the relationships between individual vertices.
Vertices
Neptune allows us to label vertices. We use the ResourceType value returned by Config, which also matches the resource type used by CloudFormation, e.g., `AWS::EC2::Instance`. It thus makes sense to use the same CloudFormation naming scheme for Perspective's non-Config resources.
Edges
For many resource types, AWS Config also gives us information about the relationships between the resources it returns and annotates these with a relationship type, e.g., "is contained in" or "is associated with". We reuse these as edge labels between the vertices in the graph, following the convention of writing edge labels in upper case with underscores, e.g., `IS_CONTAINED_IN`. For non-Config resources, we follow the relationship types Config provides and map them where appropriate.
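The vertex and edge conventions above, worked through in Python as an added example (this is not code from the Workload Discovery project): one Config configuration item is turned into labelled vertices and edges and rendered as Gremlin steps. The field names `resourceType`, `resourceId`, `relationships` and `relationshipName` are those of the AWS Config configuration item; the sample ids are constructed.

```python
import re
from typing import Dict, List, Tuple

# Edge labels used in this page's relationship tables.
EDGE_LABELS = {"CONTAINS", "IS_CONTAINED_IN", "IS_ASSOCIATED_WITH", "IS_ATTACHED_TO"}


def to_edge_label(relationship_name: str) -> str:
    """Map a Config relationshipName such as 'Is contained in' to IS_CONTAINED_IN."""
    label = re.sub(r"[^A-Za-z0-9]+", "_", relationship_name.strip()).strip("_").upper()
    if label not in EDGE_LABELS:  # reject anything outside the documented edge vocabulary
        raise ValueError(f"unexpected relationship type: {relationship_name!r}")
    return label


def config_item_to_graph(item: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Turn one Config configuration item into vertices and directed edges.

    Vertex label = Config resourceType (the CloudFormation-style name);
    vertex id = Config resourceId; edge label = upper-cased relationshipName."""
    vertices = {item["resourceId"]: item["resourceType"]}  # dict de-duplicates vertex ids
    edges = []
    for rel in item.get("relationships", []):
        vertices.setdefault(rel["resourceId"], rel["resourceType"])
        edges.append({"from": item["resourceId"],
                      "label": to_edge_label(rel["relationshipName"]),
                      "to": rel["resourceId"]})
    return [{"id": vid, "label": lbl} for vid, lbl in vertices.items()], edges


def to_gremlin(vertices: List[Dict], edges: List[Dict]) -> List[str]:
    """Render the graph as Gremlin addV/addE traversals of the kind Neptune accepts."""
    steps = [f"g.addV('{v['label']}').property(id, '{v['id']}')" for v in vertices]
    steps += [f"g.V('{e['from']}').addE('{e['label']}').to(__.V('{e['to']}'))" for e in edges]
    return steps


# Constructed sample shaped like a Config configuration item (not real account data).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0example1234567890",
    "relationships": [
        {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0example", "relationshipName": "Is contained in"},
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example", "relationshipName": "Is contained in"},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example", "relationshipName": "Is associated with"},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example", "relationshipName": "Is attached to"},
        {"resourceType": "AWS::EC2::NetworkInterface", "resourceId": "eni-0example", "relationshipName": "Contains"},
    ],
}
```

Calling `to_gremlin(*config_item_to_graph(SAMPLE_ITEM))` yields six `addV` steps followed by five `addE` steps whose labels match the `AWS::EC2::Instance` rows in the Config table below.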
Relationship Types
AWS Config
| Resource Type | Relationship Type | Related Resource Type |
|---|---|---|
| AWS::ApiGateway::RestApi | CONTAINS | AWS::ApiGateway::Stage |
| AWS::ApiGateway::Stage | IS_CONTAINED_IN | AWS::ApiGateway::RestApi |
| | IS_ASSOCIATED_WITH | AWS::WAF::WebACL |
| AWS::ApiGatewayV2::Api | CONTAINS | AWS::ApiGateway::Stage |
| AWS::ApiGatewayV2::Stage | IS_CONTAINED_IN | AWS::ApiGatewayV2::Api |
| AWS::CloudFront::Distribution | IS_ASSOCIATED_WITH | AWS::WAF::WebACL |
| | IS_ASSOCIATED_WITH | AWS::ACM::Certificate |
| | IS_ASSOCIATED_WITH | AWS::S3::Bucket |
| | IS_ASSOCIATED_WITH | AWS::IAM::ServerCertificate |
| AWS::CloudFront::StreamingDistribution | IS_ASSOCIATED_WITH | AWS::WAF::WebACL |
| | IS_ASSOCIATED_WITH | AWS::ACM::Certificate |
| | IS_ASSOCIATED_WITH | AWS::S3::Bucket |
| | IS_ASSOCIATED_WITH | AWS::IAM::ServerCertificate |
| AWS::EC2::Volume | IS_ATTACHED_TO | AWS::EC2::Instance |
| AWS::EC2::Host | CONTAINS | AWS::EC2::Instance |
| AWS::EC2::EIP | IS_ATTACHED_TO | AWS::EC2::Instance |
| AWS::EC2::Instance | CONTAINS | AWS::EC2::NetworkInterface |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ATTACHED_TO | AWS::EC2::Volume |
| | IS_ATTACHED_TO | AWS::EC2::EIP |
| | IS_CONTAINED_IN | AWS::EC2::Host |
| | IS_CONTAINED_IN | AWS::EC2::RouteTable |
| | IS_CONTAINED_IN | AWS::EC2::Subnet |
| | IS_CONTAINED_IN | AWS::EC2::VPC |
| AWS::EC2::NetworkInterface | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ATTACHED_TO | AWS::EC2::EIP |
| | IS_ATTACHED_TO | AWS::EC2::Instance |
| | IS_CONTAINED_IN | AWS::EC2::Host |
| | IS_CONTAINED_IN | AWS::EC2::Subnet |
| | IS_CONTAINED_IN | AWS::EC2::VPC |
| AWS::EC2::SecurityGroup | IS_ASSOCIATED_WITH | AWS::EC2::Instance |
| | IS_ASSOCIATED_WITH | AWS::EC2::NetworkInterface |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::EC2::NatGateway | IS_CONTAINED_IN | AWS::EC2::Subnet |
| AWS::EC2::EgressOnlyInternetGateway | IS_CONTAINED_IN | AWS::EC2::VPC |
| AWS::EC2::VPCEndpoint | IS_CONTAINED_IN | AWS::EC2::VPC |
| | IS_CONTAINED_IN | AWS::EC2::Subnet |
| | IS_ATTACHED_TO | AWS::EC2::NetworkInterface |
| AWS::EC2::VPCEndpointService | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancingV2::LoadBalancer |
| AWS::EC2::VPCPeeringConnection | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::EC2::RegisteredHAInstance | IS_ASSOCIATED_WITH | AWS::EC2::Instance |
| AWS::Elasticsearch::Domain | IS_ASSOCIATED_WITH | AWS::KMS::Key |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::EC2::Subnet |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::Redshift::Cluster | IS_ASSOCIATED_WITH | AWS::Redshift::ClusterParameterGroup |
| | IS_ASSOCIATED_WITH | AWS::Redshift::ClusterSecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::Redshift::ClusterSubnetGroup |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::Redshift::ClusterSnapshot | IS_ASSOCIATED_WITH | AWS::Redshift::Cluster |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::Redshift::ClusterSubnetGroup | IS_ASSOCIATED_WITH | AWS::Redshift::Cluster |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::RDS::DBInstance | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::RDS::DBSecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::RDS::DBSubnetGroup |
| AWS::RDS::DBSecurityGroup | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::RDS::DBSnapshot | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::RDS::DBSubnetGroup | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::RDS::DBCluster | CONTAINS | AWS::RDS::DBInstance |
| | IS_ASSOCIATED_WITH | AWS::RDS::DBSubnetGroup |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| AWS::RDS::DBClusterSnapshot | IS_ASSOCIATED_WITH | AWS::RDS::DBCluster |
| | IS_ASSOCIATED_WITH | AWS::EC2::VPC |
| AWS::EC2::CustomerGateway | IS_ATTACHED_TO | AWS::EC2::VPNConnection |
| AWS::EC2::InternetGateway | IS_ATTACHED_TO | AWS::EC2::VPC |
| AWS::EC2::RouteTable | CONTAINS | AWS::EC2::Instance |
| | CONTAINS | AWS::EC2::NetworkInterface |
| | CONTAINS | AWS::EC2::Subnet |
| | CONTAINS | AWS::EC2::VPNGateway |
| AWS::EC2::Subnet | CONTAINS | AWS::EC2::Instance |
| | CONTAINS | AWS::EC2::NetworkInterface |
| | IS_ATTACHED_TO | AWS::EC2::NetworkAcl |
| | IS_CONTAINED_IN | AWS::EC2::RouteTable |
| | IS_CONTAINED_IN | AWS::EC2::VPC |
| AWS::EC2::VPC | CONTAINS | AWS::EC2::Instance |
| | CONTAINS | AWS::EC2::NetworkInterface |
| | CONTAINS | AWS::EC2::NetworkAcl |
| | CONTAINS | AWS::EC2::RouteTable |
| | CONTAINS | AWS::EC2::Subnet |
| AWS::EC2::VPNConnection | IS_ATTACHED_TO | AWS::EC2::CustomerGateway |
| | IS_ATTACHED_TO | AWS::EC2::VPNGateway |
| AWS::EC2::VPNGateway | IS_ATTACHED_TO | AWS::EC2::VPNConnection |
| | IS_ATTACHED_TO | AWS::EC2::VPC |
| | IS_CONTAINED_IN | AWS::EC2::RouteTable |
| AWS::AutoScaling::AutoScalingGroup | CONTAINS | AWS::EC2::Instance |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancing::LoadBalancer |
| | IS_ASSOCIATED_WITH | AWS::AutoScaling::LaunchConfiguration |
| | IS_ASSOCIATED_WITH | AWS::EC2::Subnet |
| AWS::AutoScaling::LaunchConfiguration | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| AWS::AutoScaling::ScalingPolicy | IS_ASSOCIATED_WITH | AWS::AutoScaling::AutoScalingGroup |
| | IS_ASSOCIATED_WITH | AWS::CloudWatch::Alarm |
| AWS::AutoScaling::ScheduledAction | IS_ASSOCIATED_WITH | AWS::AutoScaling::AutoScalingGroup |
| AWS::CloudFormation::Stack | CONTAINS | AWS::* |
| AWS::CodeBuild::Project | IS_ASSOCIATED_WITH | AWS::S3::Bucket |
| | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| AWS::CodePipeline::Pipeline | IS_ATTACHED_TO | AWS::S3::Bucket |
| | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| | IS_ASSOCIATED_WITH | AWS::CodeBuild::Project |
| | IS_ASSOCIATED_WITH | AWS::Lambda::Function |
| | IS_ASSOCIATED_WITH | AWS::CloudFormation::Stack |
| | IS_ASSOCIATED_WITH | AWS::ElasticBeanstalk::Application |
| AWS::Config::ResourceCompliance | IS_ASSOCIATED_WITH | AWS::* |
| AWS::ElasticBeanstalk::Application | CONTAINS | AWS::ElasticBeanstalk::ApplicationVersion |
| | CONTAINS | AWS::ElasticBeanstalk::Environment |
| | CONTAINS | AWS::IAM::Role |
| AWS::ElasticBeanstalk::ApplicationVersion | IS_CONTAINED_IN | AWS::ElasticBeanstalk::Application |
| | IS_ASSOCIATED_WITH | AWS::ElasticBeanstalk::Environment |
| | IS_ASSOCIATED_WITH | AWS::S3::Bucket |
| AWS::ElasticBeanstalk::Environment | IS_CONTAINED_IN | AWS::ElasticBeanstalk::Application |
| | IS_ASSOCIATED_WITH | AWS::ElasticBeanstalk::ApplicationVersion |
| | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| | CONTAINS | AWS::CloudFormation::Stack |
| AWS::IAM::User | IS_ATTACHED_TO | AWS::IAM::Group |
| AWS::IAM::Group | CONTAINS | AWS::IAM::User |
| AWS::IAM::User | IS_ATTACHED_TO | AWS::IAM::Group |
| | IS_ATTACHED_TO | AWS::IAM::User |
| | IS_ATTACHED_TO | AWS::IAM::Role |
| AWS::Lambda::Function | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_CONTAINED_IN | AWS::EC2::Subnet |
| AWS::NetworkFirewall::Firewall | IS_ATTACHED_TO | AWS::EC2::Subnet |
| | IS_ASSOCIATED_WITH | AWS::NetworkFirewall::FirewallPolicy |
| AWS::NetworkFirewall::FirewallPolicy | IS_ASSOCIATED_WITH | AWS::NetworkFirewall::RuleGroup |
| AWS::SecretsManager::Secret | IS_ASSOCIATED_WITH | AWS::KMS::Key |
| | IS_ASSOCIATED_WITH | AWS::Lambda::Function |
| AWS::ServiceCatalog::CloudFormationProduct | IS_ASSOCIATED_WITH | AWS::ServiceCatalog::CloudFormationProvisionedProduct |
| | IS_CONTAINED_IN | AWS::ServiceCatalog::Portfolio |
| AWS::ServiceCatalog::CloudFormationProvisionedProduct | IS_ASSOCIATED_WITH | AWS::ServiceCatalog::Portfolio |
| | IS_ASSOCIATED_WITH | AWS::ServiceCatalog::CloudFormationProduct |
| | IS_ASSOCIATED_WITH | AWS::CloudFormation::Stack |
| AWS::ServiceCatalog::Portfolio | CONTAINS | AWS::ServiceCatalog::CloudFormationProduct |
| AWS::Shield::Protection | IS_ASSOCIATED_WITH | AWS::CloudFront::Distribution |
| AWS::ShieldRegional::Protection | IS_ASSOCIATED_WITH | AWS::EC2::EIP |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancing::LoadBalancer |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancingV2::LoadBalancer |
| AWS::SSM::ManagedInstanceInventory | IS_ASSOCIATED_WITH | AWS::EC2::Instance |
| AWS::SSM::PatchCompliance | IS_ASSOCIATED_WITH | AWS::SSM::ManagedInstanceInventory |
| AWS::SSM::AssociationCompliance | IS_ASSOCIATED_WITH | AWS::SSM::ManagedInstanceInventory |
| AWS::SSM::FileData | IS_ASSOCIATED_WITH | AWS::SSM::ManagedInstanceInventory |
| AWS::WAF::WebACL | IS_ASSOCIATED_WITH | AWS::WAF::Rule |
| | IS_ASSOCIATED_WITH | AWS::WAFRegional::RateBasedRule |
| | IS_ASSOCIATED_WITH | AWS::WAF::RuleGroup |
| AWS::WAF::RuleGroup | IS_ASSOCIATED_WITH | AWS::WAF::Rule |
| AWS::WAFRegional::WebACL | IS_ASSOCIATED_WITH | AWS::WAFRegional::Rule |
| | IS_ASSOCIATED_WITH | AWS::WAFRegional::RateBasedRule |
| | IS_ASSOCIATED_WITH | AWS::WAFRegional::RuleGroup |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancingV2::LoadBalancer |
| AWS::WAFRegional::RuleGroup | IS_ASSOCIATED_WITH | AWS::WAFRegional::Rule |
| AWS::WAFv2::WebACL | IS_ASSOCIATED_WITH | AWS::WAFv2::RuleGroup |
| | IS_ASSOCIATED_WITH | AWS::WAFv2::IPSet |
| | IS_ASSOCIATED_WITH | AWS::WAFv2::ManagedRuleSet |
| | IS_ASSOCIATED_WITH | AWS::WAFv2::RegexPatternSet |
| | IS_ASSOCIATED_WITH | AWS::ApiGateway::Stage |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancingV2::LoadBalancer |
| AWS::WAFv2::RuleGroup | IS_ASSOCIATED_WITH | AWS::WAFv2::IPSet |
| | IS_ASSOCIATED_WITH | AWS::WAFv2::RegexPatternSet |
| AWS::WAFv2::ManagedRuleSet | IS_ASSOCIATED_WITH | AWS::WAFv2::RuleGroup |
| AWS::ElasticLoadBalancingV2::LoadBalancer | IS_CONTAINED_IN | AWS::EC2::VPC |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ATTACHED_TO | AWS::EC2::Subnet |
| AWS::ElasticLoadBalancing::LoadBalancer | IS_CONTAINED_IN | AWS::EC2::VPC |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ATTACHED_TO | AWS::EC2::Subnet |
AWS SDK
| Resource Type | Relationship Type | Related Resource Type |
|---|---|---|
| AWS::ApiGateway::RestApi | CONTAINS | AWS::ApiGateway::Resource |
| AWS::ApiGateway::Resource | IS_CONTAINED_IN | AWS::ApiGateway::RestApi |
| | CONTAINS | AWS::ApiGateway::Method |
| AWS::ApiGateway::Method | IS_CONTAINED_IN | AWS::ApiGateway::Resource |
| AWS::EC2::SpotFleet | CONTAINS | AWS::EC2::Spot |
| AWS::EC2::Spot | IS_CONTAINED_IN | AWS::EC2::SpotFleet |
| | IS_ASSOCIATED_WITH | AWS::EC2::Instance |
| AWS::ECS::Cluster | CONTAINS | AWS::ECS::Service |
| AWS::ECS::Service | IS_CONTAINED_IN | AWS::ECS::Cluster |
| | CONTAINS | AWS::ECS::Task |
| | IS_ASSOCIATED_WITH | AWS::ElasticLoadBalancingV2::LoadBalancer |
| | IS_ASSOCIATED_WITH | AWS::EC2::SecurityGroup |
| | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| AWS::ECS::Task | IS_CONTAINED_IN | AWS::ECS::Service |
| AWS::ECS::TaskDefinition | IS_ASSOCIATED_WITH | AWS::ECS::Task |
| AWS::IAM::AWSManagedPolicy | IS_ASSOCIATED_WITH | AWS::IAM::Role |
| | IS_ASSOCIATED_WITH | AWS::IAM::User |
| | IS_ASSOCIATED_WITH | AWS::IAM::Group |
| AWS::Lambda::EnvironmentVariable | IS_CONTAINED_IN | AWS::Lambda::Function |
| AWS::Lambda::Function | CONTAINS | AWS::Lambda::EnvironmentVariable |
| AWS::VPC::Endpoint | IS_ASSOCIATED_WITH | AWS::EC2::NetworkInterface |