    @cloudgraph/cg-provider-aws

    0.82.0 • Public • Published

    CloudGraph AWS Provider

    Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the AWS SDK

    Docs

    CloudGraph Readme

    💻 Full CloudGraph Documentation Including AWS Examples

    Install

    Install the AWS provider in CloudGraph

    cg init aws
    

    Authentication

    Authenticate the CloudGraph AWS Provider in any of the following ways:

    • Credentials from env variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
    • Credentials found in the credentials file under ~/.aws (any profile; defaults to the default profile)

    CloudGraph needs read permissions in order to ingest your data. To keep things easy, you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the AWS Docs for generating the correct Role (feel free to leave out AutoCloud-specific configuration).

    Multi Account

    CloudGraph is able to scan multiple AWS accounts at once. This is done by setting up multiple profiles in your ~/.aws/credentials file and then selecting all the profiles you want to crawl when running cg init. All resources will be tagged with an accountId so you can query resources specific to an account or query resources across accounts!

    Configuration

    CloudGraph creates a configuration file at:

    • UNIX: ~/.config/cloudgraph/.cloud-graphrc.json
    • Windows: %LOCALAPPDATA%\cloudgraph/.cloud-graphrc.json

    NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the cg init command

    CloudGraph will generate this configuration file when you run cg init aws. You may update it manually or by running cg init aws again.

    {
      "aws": {
        "profileApprovedList": [
          "default",
          "master",
          "sandbox"
        ], // Optional, defaults to the default profile
        "regions": "us-east-1,us-east-2,us-west-2",
        "resources": "alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,vpc,sqs,s3"
      }
    }
    

    The CloudGraph AWS Provider will ask which regions you would like to crawl and will, by default, crawl all supported resources in the selected regions in the default account. You can update the regions, resources, or profile fields in the cloud-graphrc.json file to change this behavior. You can also select which resources to crawl in the cg init aws command by passing the -r flag: cg init aws -r
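
A pre-flight check for the profiles a scan will use, as an added example (not CloudGraph's own code): it compares profileApprovedList with the profiles in an AWS credentials file and flags missing profiles and long-term access keys. The function names, the status labels and the sample inputs are assumptions made for this illustration; the inputs are file contents passed as strings, with the "aws" block at the top level of the config as shown above.

```javascript
// Added example: which AWS profiles will a CloudGraph scan use, and with what kind of key?
// Inputs are file contents as strings (in real use, read them with fs.readFileSync).

// Parse the INI-style ~/.aws/credentials format into { profile: { key: value } }.
function parseCredentials(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = profiles[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Classify every approved profile as 'missing', 'long-lived-key' or 'ok' (labels are hypothetical).
function preflight(configJson, credentialsText) {
  const aws = JSON.parse(configJson).aws || {};
  const approved = aws.profileApprovedList || ['default']; // README: defaults to the default profile
  const profiles = parseCredentials(credentialsText);
  return approved.map((name) => {
    const p = profiles[name];
    if (!p) return { profile: name, status: 'missing' };
    const keyId = p.aws_access_key_id || '';
    // AKIA prefix = long-term IAM user key; ASIA prefix = temporary STS credentials.
    const longLived = keyId.startsWith('AKIA') && !p.aws_session_token;
    return { profile: name, status: longLived ? 'long-lived-key' : 'ok' };
  });
}

// Constructed sample inputs (placeholder values, not real keys).
const SAMPLE_CONFIG = JSON.stringify({
  aws: { profileApprovedList: ['default', 'master', 'sandbox'], regions: 'us-east-1,us-east-2' },
});
const SAMPLE_CREDENTIALS = [
  '[default]',
  'aws_access_key_id = AKIAEXAMPLEEXAMPLE00',
  'aws_secret_access_key = constructed-secret',
  '[sandbox]',
  'aws_access_key_id = ASIAEXAMPLEEXAMPLE00',
  'aws_secret_access_key = constructed-secret',
  'aws_session_token = constructed-token',
].join('\n');

console.log(preflight(SAMPLE_CONFIG, SAMPLE_CREDENTIALS));
```

Since CloudGraph only needs read permissions, a profile reported as long-lived-key is a candidate for replacement with temporary credentials scoped to a read-only role.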

    Supported Services

    Service Relations
    alb ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl
    apiGatewayDomainName apiGatewayHttpApi, apiGatewayRestApi
    apiGatewayHttpApi apiGatewayDomainName
    apiGatewayRestApi apiGatewayDomainName, apiGatewayResource, apiGatewayStage, route53Record
    apiGatewayStage apiGatewayRestApi, wafV2WebAcl
    apiGatewayResource apiGatewayRestApi
    appSync cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl
    asg ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet
    athenaDataCatalog
    clientVpnEndpoint securityGroup
    cloud9
    cloudformationStack cloudformationStack, iamRole, sns
    cloudformationStackSet iamRole
    cloudfront cloudwatch, elb, s3
    cloudtrail cloudwatch, cloudwatchLog, kms, s3, sns
    cloudwatch cloudfront, cloudtrail, cloudwatchLog, sns
    cloudwatchLog cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance
    codebuild iamRole, kms, vpc, securityGroup, subnet
    cognitoIdentityPool iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain
    cognitoUserPool appSync, elasticSearchDomain, lambda
    configurationRecorder iamRole
    customerGateway vpnConnection
    dynamodb appSync, iamRole, kms
    dmsReplicationInstance securityGroup, subnet, vpc, kms
    ebs asg, ec2, emrInstance
    ec2 alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer
    ecr
    ecsCluster cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3
    ecsContainer ecsTask, ec2
    ecsService ecsCluster, ecsTaskDefinition, ecsTaskSet, elb, iamRole, securityGroup, subnet, vpc
    ecsTask ecsContainer, ecsCluster, ecsTaskDefinition, iamRole
    ecsTaskDefinition ecsService, ecsTask, ecsTaskSet, iamRole
    ecsTaskSet ecsCluster, ecsService, ecsTaskDefinition
    efs kms
    efsMountTarget networkInterface, subnet, vpc
    eip ec2, networkInterface, vpc
    eksCluster ec2, iamRole, kms, securityGroup, subnet, vpc
    elastiCacheCluster securityGroup, subnet, vpc
    elastiCacheReplicationGroup kms
    elasticBeanstalkApp elasticBeanstalkEnv, iamRole
    elasticBeanstalkEnv alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs
    elasticSearchDomain cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc
    elb cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc
    emrCluster iamRole, kms, subnet
    emrInstance ebs, ec2
    emrStep
    flowLog vpc, iamRole, subnet, networkInterface
    glueJob iamRole
    glueRegistry
    guardDutyDetector iamRole
    iamAccessAnalyzer
    iamInstanceProfile ec2, iamRole
    iamPasswordPolicy
    iamSamlProvider cognitoIdentityPool
    iamOpenIdConnectProvider cognitoIdentityPool
    iamServerCertificate
    iamUser iamGroup
    iamPolicy iamRole, iamGroup
    iamRole appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, ecsTask, ecsTaskDefinition, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain
    iamGroup iamUser, iamPolicy
    igw vpc
    iot
    kinesisFirehose kinesisStream, s3, iamRole
    kinesisStream kinesisFirehose
    kms cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster
    lambda appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole
    managedAirflow cloudwatchLog, iamRole, kms, securityGroups, subnet, s3
    managedPrefixList
    nacl vpc
    natGateway networkInterface, subnet, vpc
    networkInterface ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, vpcEndpoint, flowLog, securityGroup
    organization
    rdsCluster appSync, rdsClusterSnapshot, rdsDbInstance, route53HostedZone, securityGroup, subnet, iamRole, kms
    rdsClusterSnapshot kms, rdsCluster, vpc
    rdsDbInstance kms, iamRole, rdsCluster, securityGroup, vpc, subnet, cloudwatchLog
    redshiftCluster kms, vpc
    route53Record alb, apiGatewayRestApi, elb, route53HostedZone
    route53HostedZone rdsCluster, route53Record, vpc
    routeTable subnet, vpc, vpcEndpoint
    sageMakerExperiment
    sageMakerNotebookInstance iamRole, kms, networkInterface, subnet, securityGroup
    sageMakerProject
    s3 cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, lambda, managedAirflow, sns, sqs
    secretsManager kms, lambda
    securityGroup alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint
    ses
    sns kms, cloudtrail, cloudwatch, s3
    sqs elasticBeanstalkEnv, s3
    subnet alb, asg, codebuild, dmsReplicationInstance, ec2, ecsService, efsMountTarget, elastiCacheCluster, elasticSearchDomain, elb, lambda, managedAirflow, natGateway, networkInterface, rdsCluster, sageMakerNotebookInstance, routeTable, vpc, vpcEndpoint, eksCluster, emrCluster, flowLog
    systemsManagerInstance ec2, iamRole
    systemsManagerDocument
    transitGateway transitGatewayAttachment, transitGatewayRouteTable, vpnConnection
    transitGatewayAttachment transitGateway, transitGatewayRouteTable, vpc, vpnConnection
    transitGatewayRouteTable transitGateway, transitGatewayAttachment
    vpc alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster, igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment, vpcEndpoint, vpcPeeringConnection
    vpcEndpoint networkInterface, routeTable, securityGroup, subnet, vpc
    vpcPeeringConnection vpc
    vpnConnection customerGateway, transitGateway, transitGatewayAttachment, vpnGateway
    vpnGateway vpc, vpnConnection
    wafV2WebAcl appSync, apiGatewayStage, alb

    Install

    npm i @cloudgraph/cg-provider-aws

    License

    MPL-2.0

    Collaborators

    • ckoning