AWS

Overview

Visualize and analyze AWS resources, tracking usage across services like EC2, S3, Kinesis, RDS, IAM, MemoryDB, and Lake Formation. Gain actionable insights into resource utilization, governance, and security posture. Support compliance monitoring against security benchmarks, detect potential vulnerabilities, and monitor configuration changes. Enable real-time visualizations and generate alerts to enhance visibility, streamline operations, and strengthen the compliance and security of AWS environments.

Configurations

Configuration	Description
Blueprint Account Name	A human-readable name for your account that will be used to identify this account across the application.
IAM Role ARN	The ARN of the IAM role created by the CloudFormation template that Kscope will assume for resource crawling. Details in the Permissions section.
External ID	The external ID required to assume the IAM role. This is automatically generated by the CloudFormation template and stored in AWS Secrets Manager. Retrieve it from the Secrets Manager console using the secret name provided in the stack outputs. Details in the Permissions section.
Regions	List of regions to be crawled.
Data Crawl Frequency	The frequency at which Kscope will crawl the account for resources.
Resource Selection	Selectively include or exclude certain resources.
Crawl config id	Crawl configuration id for events for the crawled account
Source event bridge bus role arn	ARN of the EventBridge Bus role to be used to allow sending events from central region to the ingress sqs queue
Cost Explorer Lookback Days	Number of days of historical cost data to fetch from AWS Cost Explorer (default: 30, must be a positive integer). Applies to all cost queries including anomaly detection.

Permissions

The AWS blueprint requires the AWS Managed ReadOnlyAccess policy along with two additional custom policies for specific access requirements.

Overview

The AWS blueprint uses a CloudFormation template to provision the following resources:

1. Data Crawl Infrastructure (Central Region Only):

   • IAM role with the following policies:
     • ReadOnlyAccess managed policy for general AWS resource access
     • Custom SQS queue access policy for consuming CloudTrail events
     • Custom Bedrock access policy for AI/ML model information
   • Auto-generated External ID stored in AWS Secrets Manager
   • Cross-account assume role permissions with external ID for enhanced security

2. Remediation Infrastructure (Central Region Only):

   • IAM remediator role with CloudFormation change set creation permissions
   • Cross-account assume role permissions with the same external ID for enhanced security

3. Event Crawl Infrastructure:

   • Central Region:
     • SQS queue for centralized event collection
     • Custom EventBridge bus for aggregating events
     • EventBridge rule to process events and forward to SQS
   • All Regions:
     • Regional EventBridge rules to capture CloudTrail events
     • IAM roles for cross-region event forwarding

4. Optional CloudTrail Configuration (Central Region Only):

   • S3 bucket for CloudTrail logs
   • Multi-region CloudTrail capturing management and data events

IAM Role Permissions

The IAM role created by the CloudFormation template includes:

1. AWS Managed ReadOnlyAccess Policy

Provides read-only access to all AWS services and resources for comprehensive resource crawling.

2. Custom SQS Queue Access Policy

Grants permissions to:

• Receive CloudTrail events from the centralized SQS queue
• Delete processed messages to prevent re-processing
• Retrieve queue metadata and configuration

Required permissions: sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:GetQueueUrl

3. Custom Bedrock Access Policy

Grants permissions to:

• Discover and catalog custom AI/ML models deployed in Amazon Bedrock
• Retrieve metadata about imported models and their deployments
• Provide visibility into your organization's AI/ML infrastructure

Required permissions: bedrock:GetImportedModel, bedrock:ListImportedModels, bedrock:ListCustomModelDeployments, bedrock:GetCustomModelDeployment

4. Custom Cost Explorer Access Policy

Grants permissions to:

• Retrieve service-level, account-level, region-level, availability zone-level, and usage type-level cost breakdowns
• Retrieve reserved instance coverage and utilization data
• Retrieve savings plan coverage and utilization data
• Retrieve credits and refunds applied to the account
• Retrieve cost forecasts for future spend projection
• Detect cost anomalies using AWS native anomaly detection

Required permissions: ce:GetCostAndUsage, ce:GetReservationCoverage, ce:GetReservationUtilization, ce:GetSavingsPlansCoverage, ce:GetSavingsPlansUtilization, ce:GetCostForecast, ce:GetAnomalies

5. Custom AWS Backup Access Policy

Grants permissions to:

• Discover and catalog all resources protected by AWS Backup plans
• Provide visibility into which databases, storage volumes, and other resources have active backup coverage
• Enable backup-aware security insights (e.g., suppressing low-backup-retention alerts for resources with AWS Backup integration)

Required permissions: backup:ListProtectedResources

6. Custom MQ Access Policy

Grants permissions to:

• Discover and list AWS MQ message brokers
• Retrieve metadata about broker configurations, engine types, and network settings

Required permissions: mq:ListBrokers, mq:DescribeBroker

7. Custom MSK Access Policy

Grants permissions to:

• Discover and list Amazon Managed Streaming for Apache Kafka (MSK) clusters
• Provide visibility into Kafka cluster configurations and security group attachments

Required permissions: kafka:ListClusters

8. Custom Directory Service Access Policy

Grants permissions to:

• Discover and list AWS Directory Service directories (Simple AD, Microsoft AD, AD Connector)
• Provide visibility into directory configurations, VPC attachments, and security group memberships

Required permissions: ds:DescribeDirectories

9. Custom WorkSpaces Access Policy

Grants permissions to:

• Discover and list Amazon WorkSpaces directory configurations
• Provide visibility into WorkSpaces deployments and their associated security groups

Required permissions: workspaces:DescribeWorkspaceDirectories

[!NOTE] AWS Cost Explorer is a global service and is always queried against the us-east-1 endpoint regardless of the regions configured for resource crawling.

IAM Remediator Role Permissions

The remediator role is a separate IAM role created by the CloudFormation template specifically for automated remediation capabilities. It includes:

CloudFormation Change Set Policy

Grants permissions to:

• Create CloudFormation change sets for remediation of security and compliance issues
• Generate infrastructure-as-code artifacts that can be reviewed before deployment

Required permissions: cloudformation:CreateChangeSet

[!NOTE] The remediator role intentionally uses minimal permissions. It can only create change sets, not execute them. This ensures that all remediation actions require explicit approval through AWS native workflows before any infrastructure changes are applied.

Security Considerations

• Principle of Least Privilege: The custom policies grant only the minimum permissions required for specific functionality
• Resource-Specific Access: The SQS policy is scoped to the specific queue created by the template
• Cross-Account Security: External ID validation ensures only authorized Kscope accounts can assume the role
• Remediation Safety: The remediator role can only create change sets, requiring manual approval before any changes are applied

Multi-Region Architecture

The template implements a centralized event collection architecture:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   us-east-1     │    │   us-west-2     │    │   eu-west-1     │
│                 │    │                 │    │                 │
│ EventBridge     │    │ EventBridge     │    │ EventBridge     │
│ Regional Rule   │    │ Regional Rule   │    │ Regional Rule   │
│ + IAM Role      │    │ + IAM Role      │    │ + IAM Role      │
└─────────┬───────┘    └─────────┬───────┘    └─────────┬───────┘
          │                      │                      │
          │   CloudTrail Events  │                      │
          └──────────────────────┼──────────────────────┘
                                 │
                ┌────────────────▼──────────────────┐
                │        us-east-2 (Central)        │
                │                                   │
                │  ┌─────────────────────────────┐  │
                │  │    Central EventBridge      │  │
                │  │         Bus                 │  │
                │  │  ({ResourcePrefix}-central- │  │
                │  │       event-bus)            │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼───────────────┐  │
                │  │    Central EventBridge      │  │
                │  │         Rule                │  │
                │  │  ({ResourcePrefix}-central- │  │
                │  │       event-rule)           │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼───────────────┐  │
                │  │        SQS Queue            │  │
                │  │     (Event Collection)      │  │
                │  │  ({ResourcePrefix}-trail-   │  │ 
                │  │        queue)               │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼────────────────┐ │
                │  │  ┌─────────────────────────┐ │ │
                │  │  │      IAM Role           │ │ │
                │  │  │ ({ResourcePrefix}-      │ │ │
                │  │  │   crawl-role)           │ │ │
                │  │  │ ReadOnlyAccess Policy   │ │ │
                │  │  └─────────────────────────┘ │ │
                │  │  ┌─────────────────────────┐ │ │
                │  │  │   IAM Remediator Role   │ │ │
                │  │  │ ({ResourcePrefix}-      │ │ │
                │  │  │   remediator-role)      │ │ │
                │  │  │ CloudFormation Policy   │ │ │
                │  │  └─────────────────────────┘ │ │
                │  └──────────────────────────────┘ │
                │                                   │
                │  Optional (if CloudTrail          │
                │  creation enabled):               │
                │  ┌─────────────────────────────┐  │
                │  │    S3 Bucket + CloudTrail   │  │ 
                │  │  ({ResourcePrefix}-trail-   │  │
                │  │   bucket-{AccountId})       │  │
                │  └─────────────────────────────┘  │
                └───────────────────────────────────┘

Deployment Options

Before deploying the CloudFormation template, you will need to get the Trusted Account ID. Copy the AWS account ID from the Kscope blueprint configuration page. This is the account that will be authorized to assume the IAM role for resource crawling.

Option 1: Quick Deploy

Deploy this CloudFormation template in each AWS region where you want to capture events:

1. Deploy in Central Region First (us-east-2 by default):

   • Creates central resources: EventBridge bus, IAM role
   • Creates regional EventBridge rule for us-east-2

2. Deploy in Additional Regions:

   • Creates only regional EventBridge rules and IAM roles
   • Events are forwarded to the central EventBridge bus in us-east-2

[!NOTE] This CloudFormation template is intended for initial stack creation only. If you need to update the stack or modify its resources after deployment, you will need to update the stack manually through the AWS CloudFormation console or AWS CLI.

Option 2: Manual Deployment

1. Download the CloudFormation template aws.yml
2. Sign in to the AWS Management Console
3. Navigate to CloudFormation
4. Create a new stack and upload the template in every region
5. Enter the required parameters

Configuration Parameters

Parameter	Description	Default
ResourcePrefix	Prefix for all resource names (customizable for multiple deployments)	kscope
CentralRegion	The AWS region where central resources (SQS, EventBridge bus, IAM role) are created	us-east-2
CreateAccountLevelCloudTrail	Whether to create a new CloudTrail (only if no organization-level CloudTrail exists)	false
CrawlConfigId	Crawl configuration id created in the kscope platform
IngressQueueArn	Ingress queue arn from the kscope platform

Infrastructure Created

Central Region (us-east-2 by default)

• IAM crawl role with ReadOnlyAccess policy
• IAM remediator role with CloudFormation change set permissions
• Custom EventBridge bus for event aggregation
• EventBridge rule to process events from central bus and forward to SQS
• Regional EventBridge rule to capture local CloudTrail events
• IAM role for cross-region event forwarding
• Optional: S3 bucket and CloudTrail (if CreateAccountLevelCloudTrail = true)

All Other Regions

• Regional EventBridge rule to capture CloudTrail events
• IAM role for forwarding events to central region

Usage Scenarios

Scenario 1: Organization with Existing CloudTrail (Recommended)

Use default settings with CreateAccountLevelCloudTrail = false. The template will capture events from your existing organizational CloudTrail.

Scenario 2: Account Without Organizational CloudTrail

Set CreateAccountLevelCloudTrail = true to create a new multi-region CloudTrail that captures both management and data events.

Resource Naming

All resources use the configurable ResourcePrefix parameter for naming:

• IAM Crawl Role: {ResourcePrefix}-crawl-role
• IAM Remediator Role: {ResourcePrefix}-remediator-role
• External ID Secret: /{ResourcePrefix}/crawler/external-id
• EventBridge Bus: {ResourcePrefix}-central-event-bus
• EventBridge Rules: {ResourcePrefix}-central-event-rule, {ResourcePrefix}-regional-event-rule
• IAM Role (for the central Event Bridge Bus which push events to the Kscope queue): ${ResourcePrefix}-eventbridge-to-sqs-role

Outputs

After deployment, the stack provides the following outputs:

Central Region Only

• CrawlRoleArn: The ARN of the IAM crawl role to be assumed by the trusted account for resource discovery
• RemediatorRoleArn: The ARN of the IAM remediator role to be assumed by the trusted account for creating remediation artifacts
• ExternalIdSecretName: The name of the AWS Secrets Manager secret containing the auto-generated External ID
• SourceEventBridgeRoleArn: The ARN of the IAM role to be assumed by the central EventBridge bus to forward events to the regional EventBridge rules

Retrieving Configuration Values

To retrieve the External ID from AWS Secrets Manager:

1. Using AWS Console:

   • Navigate to AWS Secrets Manager in your central region
   • Find the secret with the name from ExternalIdSecretName output (e.g., /{ResourcePrefix}/crawler/external-id)
   • Click "Retrieve secret value" to view the External ID

2. Using AWS CLI:

   aws secretsmanager get-secret-value --secret-id "/{ResourcePrefix}/crawler/external-id" --query SecretString --output text

Updating the Stack

If you need to update the CloudFormation stack after the initial deployment (e.g., to update permissions, modify configurations, or deploy to additional regions), follow these steps:

[!NOTE] The Quick Deploy button is only for initial stack creation. For updates, you must manually update the stack through the AWS CloudFormation console.

1. Navigate to CloudFormation Console:

   • Sign in to the AWS Management Console
   • Go to the CloudFormation service in the appropriate region
   • Select the stack you want to update (e.g., aws-blueprint)

2. Initiate Stack Update:

   • Click Update button at the top
   • Select Replace current template
   • Choose Amazon S3 URL and enter: https://kaleidoscope-blueprint-configurator.s3.amazonaws.com/aws/aws-latest.yml
   • Click Next

3. Review Parameters:

   • Review and modify stack parameters if needed
   • Click Next

4. Configure Stack Options:

   • Review stack options (tags, permissions, etc.)
   • Click Next

5. Create Change Set:

   • Review the changes that will be made
   • Check the box to acknowledge that AWS CloudFormation might create IAM resources
   • Click Create change set
   • Wait for the change set to be created

6. Execute Change Set:

   • Review the change set details to ensure the changes are correct
   • Click Execute change set
   • Confirm the execution
   • Wait for the stack update to complete

7. Verify Update:

   • Check the stack status shows UPDATE_COMPLETE
   • Review the Events tab to ensure no errors occurred
   • Verify the Outputs tab for any updated values

[!ATTENTION] If you deployed the stack to multiple regions, repeat this process for each regional stack to ensure consistency across your multi-region deployment.

Automated Remediation

The AWS blueprint includes automated remediation capabilities that generate infrastructure-as-code artifacts to fix security and compliance issues discovered during resource crawling.

Overview

When Kscope identifies security or compliance issues, it can automatically generate remediation artifacts rather than directly modifying resources. This approach provides:

• Safe Remediation: Changes are proposed via CloudFormation change sets, requiring explicit approval before execution
• Audit Trail: All remediation actions are tracked through AWS native CloudFormation history
• Infrastructure-as-Code Best Practices: Fixes are applied through proper IaC workflows, maintaining consistency with existing deployment practices

How It Works

1. Issue Detection: Kscope crawlers identify security or compliance issues in your AWS environment
2. Change Set Generation: The remediator role creates a CloudFormation change set containing the proposed fix
3. Review & Approval: You review the change set in the AWS Console to understand the exact changes
4. Execution: After approval, execute the change set to apply the remediation

Remediator Role

The remediator role ({ResourcePrefix}-remediator-role) is specifically designed for remediation tasks:

• Minimal Permissions: Only has cloudformation:CreateChangeSet permission
• No Direct Changes: Cannot directly modify any AWS resources
• Same External ID: Uses the same External ID as the crawl role for consistent security

Required Permissions

Deployment Permissions

To deploy this template, you need permissions to create:

• IAM roles and policies
• AWS Secrets Manager secrets
• SQS queues and queue policies
• EventBridge custom event buses, rules, and policies
• S3 buckets (if creating CloudTrail)
• CloudTrail (if creating a new trail)

Best Practices

1. Deploy Central Region First: Always deploy in your chosen central region before deploying to other regions
2. Use Consistent ResourcePrefix: Use the same ResourcePrefix across all regional deployments
3. External ID Security: The External ID is automatically generated and securely stored in AWS Secrets Manager - do not share this value outside of the Kscope configuration process

SBOM Generation

The AWS blueprint includes SBOM (Software Bill of Materials) generation for container images stored in Amazon Elastic Container Registry (ECR). This provides comprehensive vulnerability scanning and dependency analysis for containerized applications.

For information about supported languages and package managers for SBOM generation, see: SBOM

Schema Model

Resources	Source Entity	Normalized Entity	Description
IAM Policy	aws.iam.Policy	Policy	An IAM policy defining permissions.
Inline IAM Policy	aws.iam.PolicyInline	Policy	An inline IAM policy directly attached to a resource.
IAM Policy Action	aws.iam.PolicyAction	Action	An action specified in an IAM policy.
IAM User	aws.iam.User	User	An IAM user in the AWS environment.
IAM Role	aws.iam.Role	Role	An IAM role used for delegating access.
IAM Service	iam	Service	IAM-related configurations and management.
IAM Policy Resource	aws.iam.PolicyResource	Resource	A resource associated with an IAM policy.
IAM Access Key	aws.iam.AccessKey	Key	An access key for an IAM user.
S3 Object	aws.s3.Object	File	An object stored in an S3 bucket.
S3 Bucket	aws.s3.Bucket	Storage	An S3 bucket for storing objects.
S3 Service	s3	Service	S3-related configurations and management.
ECS Service	ecs	Service	ECS-related configurations and management.
ECS Cluster	aws.ecs.Cluster	Cluster	A cluster for managing ECS tasks.
ECS Service Instance	aws.ecs.Service	Service	A service running in an ECS cluster.
ECS Task	aws.ecs.Task	Task	A task running in an ECS cluster.
ECS Container Instance	aws.ecs.ContainerInstance	Container	A container instance in an ECS cluster.
ECS Task Definition	aws.ecs.TaskDefinition	Definition	A task definition in ECS.
Kinesis Service	kinesis	Service	Kinesis-related configurations and management.
Kinesis Stream	aws.kinesis.Stream	Stream	A data stream in AWS Kinesis.
CloudWatch Dashboard	cloudwatch.Dashboard	Dashboard	A dashboard in AWS CloudWatch.
CloudWatch Metric Alarm	cloudwatch.MetricAlarm	Alarm	A metric alarm in AWS CloudWatch.
CloudWatch	cloudwatch	Service	AWS CloudWatch monitoring service.
CloudWatch Log Group	cloudwatchlogs.LogGroup	LogGroup	A log group in AWS CloudWatch Logs.
CloudWatch Logs	cloudwatchlogs	Service	AWS CloudWatch Logs service.
CloudWatch Log Stream	cloudwatchlogs.LogStream	LogStream	A log stream in AWS CloudWatch Logs.
Metrics Dimension	metrics.Dimension	Dimension	A dimension associated with metrics.
Metrics Metric	metrics.Metric	Metric	A metric in AWS services.
DynamoDB	dynamodb	Database	AWS DynamoDB database service.
DynamoDB Service	dynamodb.AwsDynamoDB	Database	AWS DynamoDB service configuration.
DynamoDB Table	dynamodb.Table	Table	A table in AWS DynamoDB.
DynamoDB Attribute	dynamodb.AttributeDefinition	Attribute	Attribute definition for a DynamoDB table.
Lambda	lambda	Service	AWS Lambda serverless compute service.
Lambda Service	aws.lambda.AwsLambda	Service	AWS Lambda service configuration.
Lambda Function	aws.lambda.Function	Function	A serverless function in AWS Lambda.
Lambda Alias	aws.lambda.Alias	Alias	An alias for an AWS Lambda function.
SNS	sns	Service	AWS Simple Notification Service (SNS).
Region	aws.ec2.Region	Region	A geographical area containing AWS resources.
Volume	aws.ec2.Volume	Volume	A block storage volume in AWS EC2.
Subnet	aws.ec2.Subnet	Subnet	A subnet within a VPC in AWS EC2.
Instance Type Info	aws.ec2.InstanceTypeInfo	InstanceType	Information about EC2 instance types.
EC2 Service	ec2	Service	AWS EC2 service for compute resources.
VPC	aws.ec2.Vpc	VPC	A virtual private cloud in AWS.
Instance	aws.ec2.Instance	Instance	An individual EC2 instance.
Reserved Instances	aws.ec2.ReservedInstances	ReservedInstance	Reserved EC2 instances for cost savings.
Security Group	aws.ec2.SecurityGroup	SecurityGroup	A security group associated with EC2 resources.
Availability Zone	aws.ec2.AvailabilityZone	Zone	An availability zone within a region.
Local Zone	aws.ec2.LocalZone	Zone	A local zone in AWS for EC2 resources.
Volume Attachment	aws.ec2.VolumeAttachment	VolumeAttachment	Attachment information for an EC2 volume.
VPC CIDR Block Association	aws.ec2.VpcCidrBlockAssociation	CIDRBlock	CIDR block associations with a VPC.
ECR Service	ecr	Service	AWS ECR service for container registries.
ECR Repository	ecr.Repository	Repository	A repository in AWS ECR.
ECR Image	ecr.Image	Image	A container image stored in AWS ECR.
ECR Image Scan Finding	ecr.ImageScanFinding	ScanFinding	Findings from security scans of ECR images.
AWS API Gateway	aws.apigateway.RestAPI	API	A REST API in AWS API Gateway.
HTTP API Gateway	aws.apigateway.HTTPAPI	HTTP API	HTTP API in AWS API Gateway.
API Gateway Integration	aws.apigateway.Integration	Integration	Integration settings for API Gateway.
API Gateway Stage	aws.apigateway.Stage	Stage	Deployment stage for API Gateway.
API Gateway Model	aws.apigateway.Model	Model	Model definition for API Gateway.
API Gateway Resource	aws.apigateway.Resource	Resource	API Gateway resource definition.
API Gateway Integration	aws.apigateway.Integration	Integration	API Gateway integration configuration.
API Gateway Method	aws.apigateway.Method	Method	HTTP method for API Gateway.
CloudWatch State Reason Data	cloudwatch.StateReasonData	StateReasonData	Represents state reason data in CloudWatch.
EC2 Disk Info	aws.ec2.DiskInfo	EC2DiskInfo	Information about EC2 instance disk.
EC2 Instance Storage Info	aws.ec2.InstanceStorageInfo	EC2InstanceStorage	Information about EC2 instance storage.
EC2 vCPU Info	aws.ec2.VCpuInfo	EC2vCPUInfo	Information about EC2 instance vCPUs.
ECS Port Mapping	aws.ecs.PortMapping	ECSPortMapping	Port mapping configuration for ECS containers.
ECS Container Definition	aws.ecs.ContainerDefinition	ECSContainerDefinition	ECS container configuration details.
IAM Group	aws.iam.Group	UserGroup	A group in AWS IAM.
IAM Resource	aws.iam.Resource	IAMResource	A resource managed by AWS IAM.
IAM Policy Document	aws.iam.PolicyDocument	IAMPolicyDocument	A document that defines IAM policy permissions.
IAM Policy Action Resource	aws.iam.PolicyActionResource	IAMPolicyActionResource	Defines actions in an IAM policy.
IAM Policy Statement	aws.iam.PolicyStatement	IAMPolicyStatement	A policy statement within an IAM policy.
Kinesis Shard	aws.kinesis.Shard	KinesisShard	A shard in AWS Kinesis stream.
SNS Topic	sns.Topic	SNSTopic	An SNS topic for message distribution.
SNS Subscription	sns.Subscription	SNSSubscription	A subscription to an SNS topic.
EC2 IAM Instance Profile	aws.ec2.IamInstanceProfile	EC2IamInstanceProfile	An IAM profile associated with an EC2 instance.
EC2 IAM Instance Profile Association	aws.ec2.IamInstanceProfileAssociation	EC2IamInstanceProfileAssociation	Association of an IAM instance profile with EC2.
IAM Instance Profile	aws.iam.InstanceProfile	IAMInstanceProfile	A profile for EC2 instances within IAM.
EC2 Instance Image	aws.ec2.InstanceImage	EC2InstanceImage	An image used to create EC2 instances.
AWS Cloud	AWS	AWSCloud	AWS cloud services and environment.
Cluster	cluster	Cluster	A computing cluster for resource management.
Entities	_Entities	Entity	General entities for data representation.
Common Tag	common.Tag	CommonTag	Tag used across multiple AWS resources.
Utility Property	util.Property	UtilityProperty	General utility properties.
Domain Schema	domainschema.Schema	DomainSchema	Schema for domain-related data structure.
Domain Element Type	domainschema.ElementType	DomainElementType	Element type within a domain schema.
Domain Element Property Type	domainschema.ElementPropertyType	DomainElementPropertyType	Property type within a domain schema.
ECS Container	aws.ecs.Container	ECSContainer	A container managed by ECS.
ECS Network Binding	aws.ecs.NetworkBinding	ECSNetworkBinding	Network binding for ECS containers.
IAM Policy Condition	aws.iam.PolicyCondition	IAMPolicyCondition	Condition applied in an IAM policy.
IAM Policy Principal	aws.iam.PolicyPrincipal	IAMPolicyPrincipal	Principal identifier for IAM policy.
S3 Encryption Info	aws.s3.EncryptionInfo	S3EncryptionInfo	Encryption settings for an S3 bucket.
RDS DB Cluster Member	aws.rds.DBClusterMember	DBClusterMember	A member of an AWS RDS DB cluster.
RDS DB Cluster	aws.rds.DBCluster	Cluster	AWS RDS database cluster.
RDS DB Cluster Endpoint	aws.rds.DBClusterEndpoint	DBClusterEndpoint	Endpoint for accessing an AWS RDS DB cluster.
RDS DB Parameter Group	aws.rds.DBParameterGroup	DBParameterGroup	AWS RDS DB parameter group.
RDS DB Instance	aws.rds.DBInstance	DBInstance	AWS RDS database instance.
RDS Availability Zone	aws.rds.AvailabilityZone	AvailabilityZone	AWS RDS availability zone.
RDS DB Subnet Group	aws.rds.DBSubnetGroup	DBSubnetGroup	AWS RDS DB subnet group.
RDS DB Parameter Group Status	aws.rds.DBParameterGroupStatus	DBParameterGroupStatus	AWS RDS DB parameter group status.
RDS DB Security Group	aws.rds.DBSecurityGroup	DBSecurityGroup	AWS RDS DB security group.
RDS Double Range	aws.rds.DoubleRange	DoubleRange	AWS RDS double range parameter.
RDS Event Categories Map	aws.rds.EventCategoriesMap	EventCategoriesMap	Mapping of event categories in AWS RDS.
RDS Endpoint	aws.rds.Endpoint	Endpoint	AWS RDS endpoint.
RDS Engine Defaults	aws.rds.EngineDefaults	EngineDefaults	Default settings for AWS RDS engine.
RDS Pending Modified Values	aws.rds.PendingModifiedValues	PendingModifiedValues	AWS RDS pending modifications.
RDS Range	aws.rds.Range	Range	AWS RDS range parameter.
RDS VPC Security Group Membership	aws.rds.VpcSecurityGroupMembership	VpcSecurityGroupMembership	AWS RDS VPC security group membership.
RDS Subnet	aws.rds.Subnet	Subnet	AWS RDS subnet.
RDS Valid DB Instance Modifications	aws.rds.ValidDBInstanceModificationsMessage	ValidDBInstanceModifications	Valid modifications for AWS RDS DB instances.
RDS Valid Storage Options	aws.rds.ValidStorageOptions	ValidStorageOptions	Valid storage options for AWS RDS.
RDS Parameter	aws.rds.Parameter	Parameter	Parameter for AWS RDS configuration.
RDS Option Group Membership	aws.rds.OptionGroupMembership	OptionGroupMembership	Membership in an AWS RDS option group.
RDS DB Snapshot	aws.rds.DBSnapshot	DBSnapshot	AWS RDS DB snapshot.
Redshift	aws.redshift.AwsRedshift	Cluster	AWS Redshift cluster.
Redshift Cluster Node	aws.redshift.ClusterNode	ClusterNode	Node in an AWS Redshift cluster.
Redshift Cluster	aws.redshift.Cluster	Cluster	AWS Redshift cluster.
Redshift Availability Zone	aws.redshift.AvailabilityZone	AvailabilityZone	Availability zone for AWS Redshift.
Redshift Cluster Parameter Group	aws.redshift.ClusterParameterGroup	ClusterParameterGroup	AWS Redshift cluster parameter group.
Redshift Cluster Parameter Group Status	aws.redshift.ClusterParameterGroupStatus	ClusterParameterGroupStatus	Status of AWS Redshift cluster parameter group.
Redshift Default Cluster Parameters	aws.redshift.DefaultClusterParameters	DefaultClusterParameters	Default parameters for AWS Redshift clusters.
Redshift Cluster Subnet Group	aws.redshift.ClusterSubnetGroup	ClusterSubnetGroup	AWS Redshift cluster subnet group.
Redshift Cluster Version	aws.redshift.ClusterVersion	ClusterVersion	AWS Redshift cluster version.
Redshift Endpoint	aws.redshift.Endpoint	Endpoint	AWS Redshift endpoint.
Redshift Reserved Node Offering	aws.redshift.ReservedNodeOffering	ReservedNodeOffering	Reserved node offering for AWS Redshift.
Redshift Subnet	aws.redshift.Subnet	Subnet	AWS Redshift subnet.
Redshift Recurring Charge	aws.redshift.RecurringCharge	RecurringCharge	Recurring charge for AWS Redshift.
Redshift Logging Status	aws.redshift.LoggingStatus	LoggingStatus	Logging status in AWS Redshift.
Redshift Parameter	aws.redshift.Parameter	Parameter	AWS Redshift configuration parameter.
Redshift Pending Modified Values	aws.redshift.PendingModifiedValues	PendingModifiedValues	Pending modified values in AWS Redshift.
Redshift VPC Security Group Membership	aws.redshift.VpcSecurityGroupMembership	VpcSecurityGroupMembership	Membership in AWS Redshift VPC security group.
EC2 VPC Peering Connection VPC Info	aws.ec2.VpcPeeringConnectionVpcInfo	VpcPeeringConnectionVpcInfo	VPC information for EC2 VPC peering connection.
EC2 VPC Peering Connection	aws.ec2.VpcPeeringConnection	VpcPeeringConnection	AWS EC2 VPC peering connection.
EC2 Route Table	aws.ec2.RouteTable	RouteTable	AWS EC2 route table.
EC2 Route Table Association	aws.ec2.RouteTableAssociation	RouteTableAssociation	Association of a route table in AWS EC2.
CloudFront Distribution	aws.cloudfront.Distribution	CloudFrontDistribution	A CloudFront distribution for delivering content.
CloudFront	cloudfront	CloudFront	A CloudFront service for content delivery.
AwsCloudfront	aws.cloudfront.AwsCloudfront	AwsCloudfront	AWS CloudFront service for managing distributions.
EC2 Network ACL	aws.ec2.NetworkACL	EC2NetworkACL	Network ACL for controlling traffic in AWS EC2.
EC2 Network ACL Entry	aws.ec2.NetworkACLEntry	EC2NetworkACLEntry	Entry in an EC2 Network ACL to define rules.
EC2 Network ACL Association	aws.ec2.NetworkACLAssociation	EC2NetworkACLAssociation	Association of an EC2 Network ACL to a subnet.
ELB Load Balancer	aws.elb.LoadBalancer	ELBLoadBalancer	A load balancer in AWS Elastic Load Balancing.
ELB Listener	aws.elb.Listener	ELBListener	A listener for an ELB to manage incoming traffic.
ELB	elb	ELB	AWS Elastic Load Balancer service.
Route53 Resource Record Set	aws.route53.ResourceRecordSet	Route53ResourceRecordSet	A set of resource records in AWS Route 53.
Route53 Resource Record	aws.route53.ResourceRecord	Route53ResourceRecord	A DNS resource record in AWS Route 53.
Route53 Alias Target	aws.route53.AliasTarget	Route53AliasTarget	A target for alias records in Route 53.
Route53	route53	Route53	AWS Route 53 for DNS management.
CloudTrail Trail	aws.cloudtrail.Trail	CloudTrailTrail	A CloudTrail trail to capture AWS account activity.
CloudTrail	aws.cloudtrail	CloudTrail	AWS CloudTrail service for monitoring API activity.
EC2 Address	aws.ec2.Address	EC2Address	A public IP address for an EC2 instance.
EC2 Key Pair Info	aws.ec2.KeyPairInfo	EC2KeyPairInfo	Information about an EC2 key pair for SSH access.
EC2 Snapshot	aws.ec2.Snapshot	EC2Snapshot	A snapshot of an EC2 instance's storage volume.
Lambda Layer	aws.lambda.Layer	LambdaLayer	A layer for AWS Lambda functions to share code.
Route53 Hosted Zone	aws.route53.HostedZone	Route53HostedZone	A hosted zone in AWS Route 53 for DNS records.
IAM MFA Device	aws.iam.MFADevice	IAMMFADevice	A multi-factor authentication device in IAM.
CloudFront Origin	aws.cloudfront.Origin	CloudFrontOrigin	Origin server for AWS CloudFront distributions.
IAM Password Policy	aws.iam.PasswordPolicy	Policy	Password policy settings for AWS IAM users.
Cognito Password Policy	cognitoidentityprovider.PasswordPolicy	Policy	A password policy for AWS Cognito identity pools.
Cognito User Pool Policy	cognitoidentityprovider.UserPoolPolicy	Policy	A policy for user pools in AWS Cognito.
Cognito User Pool	cognitoidentityprovider.UserPool	CognitoUserPool	A user pool in AWS Cognito for managing users.
Identity Pool	aws.cognitoidentity.IdentityPool	IdentityPool	An AWS Cognito identity pool for federated identities.
Cognito Provider	aws.cognitoidentity.Provider	CognitoProvider	An identity provider for AWS Cognito pools.
Cognito Identity	aws.cognitoidentity	CognitoIdentity	AWS Cognito identity service for user management.
Cognito User	cognitoidentityprovider.User	User	A user in AWS Cognito user pools.
Cognito Identity Provider	cognitoidentityprovider	CognitoIdentityProvider	An identity provider in AWS Cognito.
EC2 Nat Gateway	aws.ec2.NatGateway	EC2NatGateway	A NAT Gateway for AWS EC2 instances.
Route53 Domains	aws.route53domains.Domain	Route53Domains	A domain registered in AWS Route 53.
Route53Domains	route53domains	Route53Domains	AWS Route 53 domains service for domain management.
AwsRoute53Domains	aws.route53domains.AwsRoute53Domains	AwsRoute53Domains	AWS service for managing Route 53 domains.
Identity Store	identitystore	IdentityStore	An identity store service in AWS for user management.
Identity Store Entry	identitystore.IdentityStore	IdentityStoreEntry	A specific identity store entry in AWS.
Identity Store User	identitystore.User	User	A user within the identity store in AWS.
Identity Store Name	identitystore.Name	IdentityStoreName	A name entry within the AWS identity store.
Identity Store Group	identitystore.Group	IdentityStoreGroup	A user group within the AWS identity store.
Identity Store Group Membership	identitystore.GroupMembership	IdentityStoreGroupMembership	A membership within an identity store group.
Identity Store ExternalId	identitystore.ExternalId	IdentityStoreExternalId	An external ID for identity store integration.
EventBridge Event Bus	eventbridge.EventBus	EventBridgeEventBus	An event bus in AWS EventBridge for event routing.
EventBridge	eventbridge	EventBridge	AWS EventBridge service for event-driven applications.
EventBridge Rule	eventbridge.Rule	EventBridgeRule	A rule in AWS EventBridge for routing events.
EventBridge Target	eventbridge.Target	EventBridgeTarget	A target service for events in AWS EventBridge.
KMS	kms	KMS	AWS Key Management Service for managing encryption keys.
KMS Key Metadata	kms.KeyMetadata	KMSKeyMetadata	Metadata related to encryption keys in KMS.
SecretsManager Secret	secretsmanager.Secret	SecretsManagerSecret	A secret stored in AWS Secrets Manager.
SecretsManager	secretsmanager	SecretsManager	AWS Secrets Manager for managing sensitive data.
AwsSecrets	secretsmanager.AwsSecrets	AwsSecrets	AWS Secrets Manager service for secret management.
SES	aws.ses	SES	AWS Simple Email Service for email sending.
SES Identity	aws.ses.Identity	SESIdentity	An identity registered with AWS SES for email sending.
OpenSearch	aws.opensearch	OpenSearch	AWS OpenSearch service for search and analytics.
OpenSearch Domain	aws.opensearch.Domain	OpenSearchDomain	A domain within AWS OpenSearch for hosting indices.
MemoryDB	aws.memorydb	MemoryDB	AWS MemoryDB service for Redis-compatible in-memory databases.
MemoryDB Service	aws.memorydb.AwsMemoryDB	MemoryDB	AWS MemoryDB service configuration.
MemoryDB Cluster	aws.memorydb.Cluster	Cluster	An AWS MemoryDB cluster for Redis-compatible in-memory storage.
Lake Formation	aws.lakeformation	LakeFormation	AWS Lake Formation service for data lake governance.
Lake Formation Service	aws.lakeformation.AwsLakeFormation	LakeFormation	AWS Lake Formation service configuration.
Lake Formation Settings	aws.lakeformation.Settings	Settings	Data lake settings for AWS Lake Formation.
Lake Formation Resource	aws.lakeformation.Resource	Resource	A resource registered with AWS Lake Formation.
Finding	sca.secretscan.Finding	Vulnerability	secret detected by gitleak
CloudFormation Stack	aws.cloudformation.Stack	Stack	A CloudFormation stack.
CloudFormation Stack Resource	aws.cloudformation.StackResource	StackResource	A resource within a CloudFormation stack.
CloudFormation Stack Parameter	aws.cloudformation.StackParameter	StackParameter	A parameter defined in a CloudFormation stack.
CloudFormation Stack Output	aws.cloudformation.StackOutput	StackOutput	An output from a CloudFormation stack.

IaC Resource Relationships

The blueprint automatically correlates Infrastructure as Code (IaC) resources with the actual cloud resources they manage:

• iac.DeployedAs — Links IaC source code resources (CloudFormation templates, CDK constructs scanned from repositories) to their deployed CloudFormation stack resources, matching by logical resource name.
• iac.ManagesResource — Links CloudFormation stack resources to the actual AWS cloud resources they provision (S3 buckets, EC2 instances, Lambda functions, IAM roles, etc.), matching by PhysicalResourceID.

This creates a full traceability chain: IaC source code → CloudFormation stack resource → actual cloud resource.

Security Insights (CSPM)

Insight	Severity	Description
IAM Service Accounts With Admin Privileges	Critical	Detects IAM service accounts that have admin privileges, posing a security risk from overprivileged non-interactive accounts.
EC2 Instances Exposing Non-Public S3 Buckets To Public	Critical	Detects EC2 instances that expose non-public S3 buckets to the public, risking unauthorized data access.
IAM Users With Direct Admin Access	Critical	Detects IAM users with direct admin access, violating least privilege principles.
EC2 Instances That Can Expose S3 Buckets To Public	Critical	Detects EC2 instances capable of exposing S3 buckets to the public through misconfigured network paths.
Cognito User Pools Without MFA Enabled	Critical	Detects Cognito user pools without multi-factor authentication, allowing single-factor access to user identities.
Lambda Functions With Unauthenticated Public URL	Critical	Detects Lambda functions with publicly accessible URLs that require no authentication.
Redshift Clusters Are Publicly Accessible	Critical	Detects Redshift clusters exposed to the internet, risking unauthorized access to data warehouse contents.
RDS Database Instances Are Publicly Accessible	Critical	Detects RDS database instances that are publicly accessible from the internet.
OpenSearch Domains With Anonymous Authentication Enabled	Critical	Detects OpenSearch domains allowing anonymous authentication, exposing search indexes without credentials.
EBS Snapshots Publicly Shared	Critical	Detects EBS snapshots shared publicly, potentially exposing sensitive volume data.
Root Users With Active Access Keys	Critical	Detects AWS root accounts with active access keys, creating a high-risk credential exposure.
CloudTrail Trails Without KMS Encryption	High	Detects CloudTrail trails without KMS encryption, leaving audit logs unprotected at rest.
CloudTrail Trails Without Log File Validation	High	Detects CloudTrail trails without log file validation, preventing tamper detection of audit logs.
CloudTrail Trails Not Configured for Multi-Region	High	Detects CloudTrail trails not configured for multi-region logging, creating gaps in audit coverage.
CloudFront Distributions Without WAF Protection	High	Detects CloudFront distributions without WAF, leaving web applications unprotected from common attacks.
Neptune Clusters Without IAM Authentication	High	Detects Neptune clusters without IAM authentication enabled, relying solely on network-level controls.
Neptune Clusters Without Storage Encryption	High	Detects Neptune clusters without storage encryption, leaving graph data unprotected at rest.
ElastiCache Clusters Without Authentication	High	Detects ElastiCache clusters without AUTH token authentication, allowing unauthenticated access.
ElastiCache Clusters Without At-Rest Encryption	High	Detects ElastiCache clusters without at-rest encryption, leaving cached data unprotected on disk.
ElastiCache Clusters Without Transit Encryption	High	Detects ElastiCache clusters without in-transit encryption, exposing data during network transmission.
Redshift Clusters Without Encryption	High	Detects Redshift clusters without encryption enabled, leaving data warehouse contents unprotected.
DynamoDB Tables Without Point-in-Time Recovery	High	Detects DynamoDB tables without point-in-time recovery, limiting disaster recovery options.
AWS MemoryDB Clusters Without TLS Encryption	High	Detects MemoryDB clusters without TLS encryption, allowing unencrypted network traffic.
Load Balancers Allowing HTTP Traffic	High	Detects load balancers with HTTP listeners, allowing unencrypted traffic to backend services.
IAM Users Without MFA Enabled	High	Detects IAM users without multi-factor authentication, increasing the risk of unauthorized access.
IAM Users With Two Active Access Keys	High	Detects IAM users with two active access keys, increasing credential exposure risk.
IAM Access Keys Not Used In Last 30 Days	High	Detects unused IAM access keys that should be removed to reduce the attack surface.
IAM Users With Console Password But No MFA	High	Detects IAM users with console passwords but no MFA, leaving accounts vulnerable to credential theft.
Password Policies Not Following CIS Foundations Benchmark	High	Detects password policies not meeting CIS AWS Foundations Benchmark standards.
Unrotated IAM Access Keys	High	Detects IAM access keys that have not been rotated, increasing credential compromise risk.
EC2 Security Groups Allowing Public Access On Non-Standard Ports	High	Detects security groups allowing public access on non-standard ports (outside 22, 80, 443).
S3 Buckets Without Embedded Policy	High	Detects S3 buckets without an embedded bucket policy, limiting access control enforcement.
RDS Database Instances With Storage Encryption Disabled	High	Detects RDS instances with storage encryption disabled, leaving database data unprotected at rest.
RDS Database Instances Without SSL Configuration	High	Detects RDS instances without SSL configuration, allowing unencrypted database connections.
RDS Database Instances Without IAM Authentication	High	Detects RDS instances without IAM authentication, relying solely on database-level credentials.
Unencrypted RDS Database Instance Snapshots	High	Detects unencrypted RDS snapshots, exposing database backups to unauthorized access.
S3 Buckets Without Public Access Block	High	Detects S3 buckets without public access block configuration, risking unintended public exposure.
IAM Policies Allow Assume Role Permissions Across All Services	High	Detects IAM policies that allow assuming roles across all services, violating least privilege.
IAM Users Have Console Access Without MFA Enabled	High	Detects IAM users with console access but no MFA, leaving accounts vulnerable.
S3 Buckets That Have Encryption Disabled	High	Detects S3 buckets with encryption disabled, leaving stored data unprotected.
AWS Accounts Lack CloudWatch Alarms For IAM Policy Changes	High	Detects AWS accounts without CloudWatch alarms monitoring IAM policy changes.
Overly Permissive Lambda Layer Versions Have Been Identified	High	Detects Lambda layer versions with overly permissive IAM policies.
Root Users With MFA Disabled	High	Detects root users without MFA enabled, leaving the most privileged account unprotected.
Unused IAM Roles	High	Detects unused IAM roles that should be removed to reduce the potential for unintended access.
Secrets Manager Secrets Without Automatic Rotation	High	Detects Secrets Manager secrets without automatic rotation, increasing credential compromise risk.
Lambda Functions Running Deprecated Runtimes	High	Detects Lambda functions using deprecated runtimes that no longer receive security patches.
Kinesis Streams Without Encryption	High	Detects Kinesis data streams without encryption, leaving streaming data unprotected.
SageMaker Notebooks Without KMS Encryption	High	Detects SageMaker notebook instances without KMS encryption for data protection.
SageMaker Notebooks With Root Access Enabled	High	Detects SageMaker notebook instances with root access enabled, increasing the attack surface.
SageMaker Notebooks With Direct Internet Access	High	Detects SageMaker notebook instances with direct internet access, exposing them to external threats.
EBS Volumes Without Encryption	High	Detects EBS volumes without encryption, leaving block storage data unprotected at rest.
EBS Snapshots Without Encryption	High	Detects EBS snapshots without encryption, exposing volume backup data.
Lake Formation Settings Without Data Lake Administrators	High	Detects Lake Formation settings with no data lake administrators configured, leaving governance gaps.
Lake Formation Settings With Permissive Default Permissions	High	Detects Lake Formation settings with overly permissive defaults (IAMAllowedPrincipals), bypassing fine-grained access controls.
DocumentDB Clusters Without Storage Encryption	High	Detects DocumentDB clusters without storage encryption, leaving document data unprotected at rest.
Agents With Hardcoded Secrets	High	Detects AI agents containing hardcoded secrets in their code.
Agents with Sensitive Data Exposure	High	Detects AI agents with sensitive data exposure in their code or prompts.
KMS Customer Managed Keys Without Automatic Rotation	Medium	Detects KMS customer-managed keys without automatic rotation, increasing key compromise risk.
CloudTrail Trails Without CloudWatch Integration	Medium	Detects CloudTrail trails not integrated with CloudWatch, limiting real-time monitoring of API activity.
S3 Buckets Without Tags	Medium	Detects S3 buckets without tags, hindering resource organization and access control management.
IAM Users Without Groups	Medium	Detects IAM users not assigned to groups, complicating access control management.
Empty IAM Groups	Medium	Detects empty IAM groups that should be removed for a clean access structure.
IAM Users Inactive For 30 Days	Medium	Detects IAM users inactive for 30 days that may need to be reviewed or deactivated.
Empty S3 Buckets	Medium	Detects empty S3 buckets that should be reviewed for proper resource utilization.
IAM Users Not Logged In For 90 Days	Medium	Detects IAM users who have not logged in for 90 days, indicating potentially orphaned accounts.
VPCs Without Private Subnet	Medium	Detects VPCs without private subnets, limiting network segmentation options.
VPCs Without Public Subnet	Medium	Detects VPCs without public subnets, which may indicate incomplete network architecture.
Dangling EC2 Security Groups	Medium	Detects security groups not attached to any resources that should be removed.
VPCs Without Resources	Medium	Detects empty VPCs with no associated resources that should be cleaned up.
EC2 Security Groups Without Resources	Medium	Detects security groups without associated resources that add unnecessary complexity.
S3 Buckets With Versioning Disabled	Medium	Detects S3 buckets with versioning disabled, preventing recovery of overwritten or deleted objects.
IAM Managed Policies Violating Least Privilege Principle	Medium	Detects IAM managed policies that grant overly broad permissions, violating least privilege.
S3 Buckets Without Lifecycle Policy	Medium	Detects S3 buckets without lifecycle policies, leading to unbounded data growth and cost.
S3 Buckets Without Server Access Logging	Medium	Detects S3 buckets without server access logging, creating blind spots in data access monitoring.
RDS Instances With Low Backup Retention	Medium	Detects RDS instances with backup retention less than 7 days, limiting recovery options.
ElastiCache Clusters Without Automatic Backups	Medium	Detects ElastiCache clusters without automatic backups, risking data loss.
ElastiCache Replication Groups Without Multi-AZ Deployment	Medium	Detects ElastiCache replication groups without Multi-AZ, reducing high availability.
Neptune Clusters Without Multi-AZ Deployment	Medium	Detects Neptune clusters without Multi-AZ deployment, reducing availability during AZ failures.
Neptune Clusters Without Deletion Protection	Medium	Detects Neptune clusters without deletion protection, risking accidental data loss.
Neptune Clusters With Low Backup Retention	Medium	Detects Neptune clusters with backup retention less than 7 days.
AWS MemoryDB Clusters Without Customer-Managed Encryption	Medium	Detects MemoryDB clusters without customer-managed KMS encryption, limiting key management control.
AWS MemoryDB Clusters With Low Snapshot Retention	Medium	Detects MemoryDB clusters with low snapshot retention, limiting recovery windows.
Redshift Clusters Without Enhanced VPC Routing	Medium	Detects Redshift clusters without enhanced VPC routing, allowing data traffic to bypass VPC controls.
DynamoDB Tables Without Deletion Protection	Medium	Detects DynamoDB tables without deletion protection, risking accidental data loss.
SNS Topics Without KMS Encryption	Medium	Detects SNS topics without KMS encryption, leaving message data unprotected.
CloudWatch Log Groups Without Encryption	Medium	Detects CloudWatch log groups without encryption, leaving log data unprotected at rest.
CloudWatch Log Groups Without Retention Policy	Medium	Detects CloudWatch log groups without retention policies, causing unbounded log accumulation.
CloudFormation Stacks With Configuration Drift	Medium	Detects CloudFormation stacks with configuration drift, indicating out-of-band resource changes.
CloudFormation Stacks Without Termination Protection	Medium	Detects CloudFormation stacks without termination protection, risking accidental deletion.
Default VPCs In Use	Medium	Detects default VPCs in use, which have permissive default configurations.
RDS Database Instances Without Multi-AZ Deployment	Medium	Detects RDS instances without Multi-AZ deployment, reducing database availability.
RDS Database Instances Without Deletion Protection	Medium	Detects RDS instances without deletion protection, risking accidental data loss.
Load Balancers Without Access Logs	Medium	Detects load balancers without access logging, limiting traffic analysis capabilities.
Load Balancers Without Deletion Protection	Medium	Detects load balancers without deletion protection, risking accidental removal.
DocumentDB Clusters Without Multi-AZ Deployment	Medium	Detects DocumentDB clusters without Multi-AZ deployment, reducing high availability.
DocumentDB Clusters Without Deletion Protection	Medium	Detects DocumentDB clusters without deletion protection, risking accidental data loss.
AWS Glue Jobs Without Security Configuration	Medium	Detects Glue jobs without security configuration, leaving ETL data processing unencrypted.
Lambda Functions Not Connected to Asset Registry	Medium	Detects Lambda functions not connected to an application via source code repositories.
Batch Job Definitions Not Connected to Asset Registry	Medium	Detects Batch job definitions not connected to an application via source code repositories.
Bedrock Agent Runtimes Not Connected to Asset Registry	Medium	Detects Bedrock Agent Runtimes not connected to an application via source code repositories.
SageMaker Models Not Connected to Asset Registry	Medium	Detects SageMaker models not connected to an application via source code repositories.
AppRunner Services Not Connected to Asset Registry	Medium	Detects App Runner services not connected to an application via source code repositories.
CodeBuild Project Environments Not Connected to Asset Registry	Medium	Detects CodeBuild project environments not connected to an application via source code repositories.
Lightsail Container Services Not Connected to Asset Registry	Medium	Detects Lightsail container services not connected to an application via source code repositories.
EC2 Instances Not Connected to Asset Registry	Medium	Detects EC2 instances not connected to an application via source code repositories.
DynamoDB Tables Without Customer-Managed KMS Encryption	Low	Detects DynamoDB tables not encrypted with a customer-managed KMS key, limiting key management control.
DynamoDB Tables Without Time-to-Live	Low	Detects DynamoDB tables without TTL configured, causing stale data to accumulate indefinitely.
RDS Database Instances Without Enhanced Monitoring	Low	Detects RDS instances without enhanced monitoring, limiting OS-level performance visibility.
RDS Database Instances Without Performance Insights	Low	Detects RDS instances without Performance Insights, limiting database performance analysis.
Lambda Functions Without X-Ray Active Tracing	Low	Detects Lambda functions without X-Ray tracing, limiting distributed tracing capabilities.
KMS Keys Disabled or Pending Deletion	Low	Detects KMS keys that are disabled or pending deletion, which may disrupt dependent services.

Events

Event	Description
GenerateDataKey	Generates a unique data key for encryption and returns the encrypted and plaintext versions.
PutObject	Adds an object to an S3 bucket.
LookupEvents	Queries and retrieves CloudTrail events for auditing purposes.
GetCallerIdentity	Retrieves details about the IAM identity making the request.
Decrypt	Decrypts ciphertext using a specified KMS key.
AssumeRole	Switches to a role, providing temporary security credentials.
GetObject	Retrieves an object from an S3 bucket.
ListObjects	Lists the objects in an S3 bucket.
BatchGetImage	Retrieves metadata about container images in Amazon Elastic Container Registry (ECR).
Encrypt	Encrypts plaintext into ciphertext using a specified KMS key.
CreateGrant	Creates a grant for a KMS key to allow access to the key.
CreateLogGroup	Creates a new log group in CloudWatch Logs.
HeadBucket	Checks if an S3 bucket exists and if the user has permissions to access it.
CreateLogStream	Creates a new log stream within a log group in CloudWatch Logs.
DeleteEmailIdentity	Deletes an email identity used for sending emails in SES.
CompleteMultipartUpload	Finalizes a multipart upload to S3 by assembling previously uploaded parts.
CreateMultipartUpload	Initiates a multipart upload to S3 for large objects.
UploadPart	Uploads a single part of a multipart upload to S3.
CreateSecurityGroup	Creates a security group, a virtual firewall for controlling inbound and outbound traffic.
HeadObject	Retrieves metadata of an object in S3 without downloading the object itself.
PreflightRequest	Checks CORS permissions before making a cross-origin request.
GenerateDataKeyWithoutPlaintext	Generates an encrypted data key without providing the plaintext key to the caller.
FilterLogEvents	Searches log events using filters in CloudWatch Logs.
CreateComputeEnvironment	Creates a compute environment for AWS Batch.
CreateRepository	Creates a new repository in Amazon Elastic Container Registry (ECR).
ReadFromRepository	Reads content or metadata from a repository in ECR.
GetObjectTagging	Retrieves the tags assigned to an object in an S3 bucket.

FinOps (Cost Explorer)

The following 13 node types are collected from the AWS Cost Explorer API. All sub-API failures are non-fatal — a missing Reserved Instance or Savings Plan subscription will not abort the crawl. ExternalIDs for time-bucketed nodes include the time period to prevent graph collisions when the lookback window spans multiple months.

Resources	Source Entity	Normalized Entity	Description
Cost Explorer Service	aws.costexplorer.AwsCostExplorer	CostExplorer	Root node aggregating all AWS Cost Explorer data for an account.
Cost by Service	aws.costexplorer.ServiceCost	ServiceCost	Total net amortized cost grouped by AWS service (e.g., Amazon EC2, Amazon S3) for the lookback period.
Cost by Linked Account	aws.costexplorer.LinkedAccountCost	LinkedAccountCost	Total cost grouped by linked AWS account for the lookback period.
Cost by Region	aws.costexplorer.RegionCost	RegionCost	Total cost grouped by AWS region for the lookback period.
Cost by Availability Zone	aws.costexplorer.AZCost	AZCost	Total cost grouped by availability zone for the lookback period.
Cost by Usage Type	aws.costexplorer.UsageTypeCost	UsageTypeCost	Total cost grouped by usage type (e.g., BoxUsage, DataTransfer-Out-Bytes) for the lookback period.
RI Coverage	aws.costexplorer.ReservationCoverage	ReservationCoverage	Percentage of instance hours covered by reserved instances vs on-demand for the lookback period.
RI Utilization	aws.costexplorer.ReservationUtilization	ReservationUtilization	Utilization percentage, purchased hours, unused hours, and net RI savings for the lookback period.
Savings Plan Coverage	aws.costexplorer.SavingsPlanCoverage	SavingsPlanCoverage	Percentage of spend covered by savings plans vs on-demand for the lookback period.
Savings Plan Utilization	aws.costexplorer.SavingsPlanUtilization	SavingsPlanUtilization	Utilization percentage, used/unused commitment, and net savings from savings plans for the lookback period.
Credits and Refunds	aws.costexplorer.CreditAndRefund	CreditAndRefund	AWS credits and refunds applied to the account grouped by record type for the lookback period.
Cost Forecast	aws.costexplorer.CostForecast	CostForecast	Projected spend for the next 30 days based on historical usage patterns.
Cost Anomaly	aws.costexplorer.CostAnomaly	CostAnomaly	AWS-detected cost anomalies including impact, expected vs actual spend, and root cause for the lookback period.