AWS
Overview
Visualize and analyze AWS resources, tracking usage across services like EC2, S3, Kinesis, RDS, and IAM. Gain actionable insights into resource utilization, governance, and security posture. Support compliance monitoring against security benchmarks, detect potential vulnerabilities, and monitor configuration changes. Enable real-time visualizations and generate alerts to enhance visibility, streamline operations, and strengthen the compliance and security of AWS environments.
Configurations
Blueprint Account Name
A human-readable name for your account that will be used to identify this account across the application.
Access Key
AWS IAM Access Key output by CloudFormation. Details in the Permissions section.
Secret Key
AWS IAM Secret Key output by CloudFormation. Details in the Permissions section.
Regions
List of regions to be crawled.
SQS URL
SQS URL output by CloudFormation. This SQS is fed by CloudTrail events from all regions via a centralized EventBridge architecture. Details in the Permissions section.
Data Crawl Frequency
The frequency at which Kaleidoscope will crawl the account for resources.
Event Crawl Frequency
The frequency at which Kaleidoscope will crawl the account for CloudTrail events.
Resource Selection
Selectively include or exclude certain resources.
Permissions
The AWS blueprint requires the AWS Managed ReadOnlyAccess policy.
Overview
The AWS blueprint uses a CloudFormation template to provision the following resources:
Data Crawl Infrastructure (Central Region Only):
IAM user with ReadOnlyAccess policy
Access keys stored securely in Secrets Manager
Event Crawl Infrastructure:
Central Region:
SQS queue for centralized event collection
Custom EventBridge bus for aggregating events
EventBridge rule to process events and forward to SQS
All Regions:
Regional EventBridge rules to capture CloudTrail events
IAM roles for cross-region event forwarding
Optional CloudTrail Configuration (Central Region Only):
S3 bucket for CloudTrail logs
Multi-region CloudTrail capturing management and data events
Multi-Region Architecture
The template implements a centralized event collection architecture:
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   us-east-1     │    │   us-west-2     │    │   eu-west-1     │
│                 │    │                 │    │                 │
│  EventBridge    │    │  EventBridge    │    │  EventBridge    │
│  Regional Rule  │    │  Regional Rule  │    │  Regional Rule  │
│  + IAM Role     │    │  + IAM Role     │    │  + IAM Role     │
└─────────┬───────┘    └─────────┬───────┘    └─────────┬───────┘
          │                      │                      │
          │   CloudTrail Events  │                      │
          └──────────────────────┼──────────────────────┘
                                 │
                ┌────────────────▼──────────────────┐
                │        us-east-2 (Central)        │
                │                                   │
                │  ┌─────────────────────────────┐  │
                │  │     Central EventBridge     │  │
                │  │             Bus             │  │
                │  │ ({ResourcePrefix}-central-  │  │
                │  │        event-bus)           │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼───────────────┐  │
                │  │     Central EventBridge     │  │
                │  │            Rule             │  │
                │  │ ({ResourcePrefix}-central-  │  │
                │  │        event-rule)          │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼───────────────┐  │
                │  │          SQS Queue          │  │
                │  │     (Event Collection)      │  │
                │  │  ({ResourcePrefix}-trail-   │  │
                │  │           queue)            │  │
                │  └─────────────┬───────────────┘  │
                │                │                  │
                │  ┌─────────────▼────────────────┐ │
                │  │       Secrets Manager        │ │
                │  │  - IAM Access Key            │ │
                │  │  - IAM Secret Key            │ │
                │  │                              │ │
                │  │ ┌─────────────────────────┐  │ │
                │  │ │        IAM User         │  │ │
                │  │ │   ({ResourcePrefix}-    │  │ │
                │  │ │      crawl-user)        │  │ │
                │  │ │  ReadOnlyAccess Policy  │  │ │
                │  │ └─────────────────────────┘  │ │
                │  └──────────────────────────────┘ │
                │                                   │
                │  Optional (if CloudTrail          │
                │  creation enabled):               │
                │  ┌─────────────────────────────┐  │
                │  │    S3 Bucket + CloudTrail   │  │
                │  │  ({ResourcePrefix}-trail-   │  │
                │  │     bucket-{AccountId})     │  │
                │  └─────────────────────────────┘  │
                └───────────────────────────────────┘
Deployment Options
Option 1: Quick Deploy
Deploy this CloudFormation template in each AWS region where you want to capture events:
Deploy in Central Region First (us-east-2 by default):
Creates central resources: SQS queue, EventBridge bus, IAM user, secrets
Creates regional EventBridge rule for us-east-2
Deploy in Additional Regions:
Creates only regional EventBridge rules and IAM roles
Events are forwarded to the central EventBridge bus in us-east-2
Option 2: Manual Deployment
Download the CloudFormation template aws.yml
Sign in to the AWS Management Console
Navigate to CloudFormation
Create a new stack and upload the template in every region
Enter the required parameters
Configuration Parameters
Parameter | Description | Default
ResourcePrefix | Prefix for all resource names (customizable for multiple deployments) | kscope
CentralRegion | The AWS region where central resources (SQS, EventBridge bus, secrets) are created | us-east-2
CreateAccountLevelCloudTrail | Whether to create a new CloudTrail (only if no organization-level CloudTrail exists) | false
Infrastructure Created
Central Region (us-east-2 by default)
IAM user with ReadOnlyAccess policy
IAM access keys stored in Secrets Manager
SQS queue for centralized event collection
Custom EventBridge bus for event aggregation
EventBridge rule to process events from central bus and forward to SQS
Regional EventBridge rule to capture local CloudTrail events
IAM role for cross-region event forwarding
Optional: S3 bucket and CloudTrail (if CreateAccountLevelCloudTrail = true)
All Other Regions
Regional EventBridge rule to capture CloudTrail events
IAM role for forwarding events to central region
Usage Scenarios
Scenario 1: Organization with Existing CloudTrail (Recommended)
Use the default settings with CreateAccountLevelCloudTrail = false. The template will capture events from your existing organizational CloudTrail.
Scenario 2: Account Without Organizational CloudTrail
Set CreateAccountLevelCloudTrail = true to create a new multi-region CloudTrail that captures both management and data events.
Resource Naming
All resources use the configurable ResourcePrefix parameter for naming:
IAM User: {ResourcePrefix}-crawl-user
SQS Queue: {ResourcePrefix}-trail-queue
EventBridge Bus: {ResourcePrefix}-central-event-bus
EventBridge Rules: {ResourcePrefix}-central-event-rule, {ResourcePrefix}-regional-event-rule
Secrets: /{ResourcePrefix}/crawler/access-key, /{ResourcePrefix}/crawler/secret-key
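The event-collection half of the architecture, written out as a CloudFormation template. This is an added illustration, not the project's aws.yml: the logical resource ids (CentralEventBus, TrailQueue, ForwardRole, RegionalRule, CentralRule), the bus policy and the exact policy statements are assumptions; the physical names, parameters and defaults follow the Configuration Parameters and Resource Naming sections. The same template is deployed in every region, and the IsCentralRegion condition is what limits the bus, queue and central rule to the central region.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ResourcePrefix:
    Type: String
    Default: kscope
  CentralRegion:
    Type: String
    Default: us-east-2
Conditions:
  # Same template everywhere; only the central region gets the bus, queue and central rule
  IsCentralRegion: !Equals [!Ref "AWS::Region", !Ref CentralRegion]
Resources:
  # ---- Central region only ----
  CentralEventBus:
    Type: AWS::Events::EventBus
    Condition: IsCentralRegion
    Properties:
      Name: !Sub "${ResourcePrefix}-central-event-bus"
  # Bus policy (assumed): only principals in this account may PutEvents onto the bus
  CentralEventBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Condition: IsCentralRegion
    Properties:
      EventBusName: !Ref CentralEventBus
      StatementId: !Sub "${ResourcePrefix}-same-account-put-events"
      Statement:
        Effect: Allow
        Principal:
          AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
        Action: events:PutEvents
        Resource: !GetAtt CentralEventBus.Arn
  TrailQueue:
    Type: AWS::SQS::Queue
    Condition: IsCentralRegion
    Properties:
      QueueName: !Sub "${ResourcePrefix}-trail-queue"
      SqsManagedSseEnabled: true
  # Queue policy: EventBridge may enqueue, but only on behalf of the central rule below
  TrailQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Condition: IsCentralRegion
    Properties:
      Queues: [!Ref TrailQueue]
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sqs:SendMessage
            Resource: !GetAtt TrailQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt CentralRule.Arn
  CentralRule:
    Type: AWS::Events::Rule
    Condition: IsCentralRegion
    Properties:
      Name: !Sub "${ResourcePrefix}-central-event-rule"
      EventBusName: !Ref CentralEventBus
      EventPattern:
        detail-type: ["AWS API Call via CloudTrail"]
      Targets:
        - Id: trail-queue
          Arn: !GetAtt TrailQueue.Arn
  # ---- Every region, the central one included ----
  # Role EventBridge assumes when forwarding; scoped to the single central bus ARN
  ForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: put-events-to-central-bus
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Sub "arn:aws:events:${CentralRegion}:${AWS::AccountId}:event-bus/${ResourcePrefix}-central-event-bus"
  # Matches CloudTrail-derived events on the region's default bus and forwards them
  RegionalRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub "${ResourcePrefix}-regional-event-rule"
      EventPattern:
        detail-type: ["AWS API Call via CloudTrail"]
      Targets:
        - Id: central-bus
          Arn: !Sub "arn:aws:events:${CentralRegion}:${AWS::AccountId}:event-bus/${ResourcePrefix}-central-event-bus"
          RoleArn: !GetAtt ForwardRole.Arn
Outputs:
  SQSURL:
    Condition: IsCentralRegion
    Value: !Ref TrailQueue   # Ref of an SQS queue resolves to its URL
```

Two details worth checking in any deployment of this shape: the queue policy's aws:SourceArn condition is what stops an arbitrary EventBridge rule in the account from writing into the queue, and the forwarding role's Resource is pinned to one bus ARN rather than events:* on *. Note also that EventBridge only emits "AWS API Call via CloudTrail" events in a region where a trail is actually logging, which is why the Usage Scenarios require either an organizational trail or CreateAccountLevelCloudTrail = true.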
Outputs
After deployment, the stack provides the following outputs:
Central Region Only
AccessKeySecretName: Secrets Manager secret name containing the access key
SecretKeySecretName: Secrets Manager secret name containing the secret key
SQSURL: The centralized SQS queue endpoint for consuming events
To retrieve the actual credentials, use the AWS CLI:
# Get the access key
aws secretsmanager get-secret-value --secret-id "/kscope/crawler/access-key" --query SecretString --output text
# Get the secret key (requires appropriate permissions)
aws secretsmanager get-secret-value --secret-id "/kscope/crawler/secret-key" --query SecretString --output text
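The data-crawl side (IAM user, access keys kept in Secrets Manager, the two secret-name outputs) together with the optional trail from Scenario 2, again as an added example and not the project's template. Logical ids (CrawlUser, CrawlAccessKey, AccessKeySecret, SecretKeySecret, TrailBucket, AccountTrail) and the trail's name are assumptions; the user name, secret names, bucket name, parameters and outputs follow the sections above. Parameters and Conditions are repeated so the fragment stands on its own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ResourcePrefix: { Type: String, Default: kscope }
  CentralRegion: { Type: String, Default: us-east-2 }
  CreateAccountLevelCloudTrail:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
Conditions:
  IsCentralRegion: !Equals [!Ref "AWS::Region", !Ref CentralRegion]
  # A trail is created only in the central region, and only when explicitly requested
  CreateTrail: !And
    - !Condition IsCentralRegion
    - !Equals [!Ref CreateAccountLevelCloudTrail, "true"]
Resources:
  CrawlUser:
    Type: AWS::IAM::User
    Condition: IsCentralRegion
    Properties:
      UserName: !Sub "${ResourcePrefix}-crawl-user"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess   # the managed policy the blueprint requires
  CrawlAccessKey:
    Type: AWS::IAM::AccessKey
    Condition: IsCentralRegion
    Properties:
      UserName: !Ref CrawlUser
  # The key material goes into Secrets Manager; only the secret names are exposed as outputs
  AccessKeySecret:
    Type: AWS::SecretsManager::Secret
    Condition: IsCentralRegion
    Properties:
      Name: !Sub "/${ResourcePrefix}/crawler/access-key"
      SecretString: !Ref CrawlAccessKey            # Ref of an AccessKey is the access key id
  SecretKeySecret:
    Type: AWS::SecretsManager::Secret
    Condition: IsCentralRegion
    Properties:
      Name: !Sub "/${ResourcePrefix}/crawler/secret-key"
      SecretString: !GetAtt CrawlAccessKey.SecretAccessKey
  TrailBucket:
    Type: AWS::S3::Bucket
    Condition: CreateTrail
    Properties:
      BucketName: !Sub "${ResourcePrefix}-trail-bucket-${AWS::AccountId}"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # CloudTrail needs GetBucketAcl on the bucket and PutObject under AWSLogs/<account>/
  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: CreateTrail
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          - Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub "${TrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
  AccountTrail:
    Type: AWS::CloudTrail::Trail
    Condition: CreateTrail
    DependsOn: TrailBucketPolicy              # the trail validates the bucket policy at creation
    Properties:
      TrailName: !Sub "${ResourcePrefix}-trail"   # assumed name; the page does not state one
      S3BucketName: !Ref TrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EventSelectors:                         # management events plus S3 object-level data events
        - ReadWriteType: All
          IncludeManagementEvents: true
          DataResources:
            - Type: AWS::S3::Object
              Values: ["arn:aws:s3:::"]
Outputs:
  AccessKeySecretName:
    Condition: IsCentralRegion
    Value: !Sub "/${ResourcePrefix}/crawler/access-key"
  SecretKeySecretName:
    Condition: IsCentralRegion
    Value: !Sub "/${ResourcePrefix}/crawler/secret-key"
```

The stack outputs deliberately carry the secret names and not the key values, so reading the credentials requires secretsmanager:GetSecretValue on those two secrets, as the CLI commands above show. The DataResources selector with the bare "arn:aws:s3:::" value logs object-level events for every bucket in the account; that is what "captures both management and data events" means in practice, and data events are billed separately from management events.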
Required Permissions
Deployment Permissions
To deploy this template, you need permissions to create:
IAM users, roles, and policies
SQS queues and queue policies
EventBridge custom event buses, rules, and policies
Secrets Manager secrets
S3 buckets (if creating CloudTrail)
CloudTrail (if creating a new trail)
Best Practices
Deploy Central Region First: Always deploy in your chosen central region before deploying to other regions
Use Consistent ResourcePrefix: Use the same ResourcePrefix across all regional deployments
Security: IAM access keys are automatically stored in Secrets Manager for secure
SBOM Generation
The AWS blueprint includes SBOM (Software Bill of Materials) generation for container images stored in Amazon Elastic Container Registry (ECR). This provides comprehensive vulnerability scanning and dependency analysis for containerized applications.
For information about supported languages and package managers for SBOM generation, see: SBOM
Schema Model
Name | Type | Label | Description
IAM Policy | aws.iam.Policy | Policy | An IAM policy defining permissions.
Inline IAM Policy | aws.iam.PolicyInline | Policy | An inline IAM policy directly attached to a resource.
IAM Policy Action | aws.iam.PolicyAction | Action | An action specified in an IAM policy.
IAM User | aws.iam.User | User | An IAM user in the AWS environment.
IAM Role | aws.iam.Role | Role | An IAM role used for delegating access.
IAM Service | iam | Service | IAM-related configurations and management.
IAM Policy Resource | aws.iam.PolicyResource | Resource | A resource associated with an IAM policy.
IAM Access Key | aws.iam.AccessKey | Key | An access key for an IAM user.
S3 Object | aws.s3.Object | File | An object stored in an S3 bucket.
S3 Bucket | aws.s3.Bucket | Storage | An S3 bucket for storing objects.
S3 Service | s3 | Service | S3-related configurations and management.
ECS Service | ecs | Service | ECS-related configurations and management.
ECS Cluster | aws.ecs.Cluster | Cluster | A cluster for managing ECS tasks.
ECS Service Instance | aws.ecs.Service | Service | A service running in an ECS cluster.
ECS Task | aws.ecs.Task | Task | A task running in an ECS cluster.
ECS Container Instance | aws.ecs.ContainerInstance | Container | A container instance in an ECS cluster.
ECS Task Definition | aws.ecs.TaskDefinition | Definition | A task definition in ECS.
Kinesis Service | kinesis | Service | Kinesis-related configurations and management.
Kinesis Stream | aws.kinesis.Stream | Stream | A data stream in AWS Kinesis.
CloudWatch Dashboard | cloudwatch.Dashboard | Dashboard | A dashboard in AWS CloudWatch.
CloudWatch Metric Alarm | cloudwatch.MetricAlarm | Alarm | A metric alarm in AWS CloudWatch.
CloudWatch | cloudwatch | Service | AWS CloudWatch monitoring service.
CloudWatch Log Group | cloudwatchlogs.LogGroup | LogGroup | A log group in AWS CloudWatch Logs.
CloudWatch Logs | cloudwatchlogs | Service | AWS CloudWatch Logs service.
CloudWatch Log Stream | cloudwatchlogs.LogStream | LogStream | A log stream in AWS CloudWatch Logs.
Metrics Dimension | metrics.Dimension | Dimension | A dimension associated with metrics.
Metrics Metric | metrics.Metric | Metric | A metric in AWS services.
DynamoDB | dynamodb | Database | AWS DynamoDB database service.
DynamoDB Service | dynamodb.AwsDynamoDB | Database | AWS DynamoDB service configuration.
DynamoDB Table | dynamodb.Table | Table | A table in AWS DynamoDB.
DynamoDB Attribute | dynamodb.AttributeDefinition | Attribute | Attribute definition for a DynamoDB table.
Lambda | lambda | Service | AWS Lambda serverless compute service.
Lambda Service | aws.lambda.AwsLambda | Service | AWS Lambda service configuration.
Lambda Function | aws.lambda.Function | Function | A serverless function in AWS Lambda.
Lambda Alias | aws.lambda.Alias | Alias | An alias for an AWS Lambda function.
SNS | sns | Service | AWS Simple Notification Service (SNS).
Region | aws.ec2.Region | Region | A geographical area containing AWS resources.
Volume | aws.ec2.Volume | Volume | A block storage volume in AWS EC2.
Subnet | aws.ec2.Subnet | Subnet | A subnet within a VPC in AWS EC2.
Instance Type Info | aws.ec2.InstanceTypeInfo | InstanceType | Information about EC2 instance types.
EC2 Service | ec2 | Service | AWS EC2 service for compute resources.
VPC | aws.ec2.Vpc | VPC | A virtual private cloud in AWS.
Instance | aws.ec2.Instance | Instance | An individual EC2 instance.
Reserved Instances | aws.ec2.ReservedInstances | ReservedInstance | Reserved EC2 instances for cost savings.
Security Group | aws.ec2.SecurityGroup | SecurityGroup | A security group associated with EC2 resources.
Availability Zone | aws.ec2.AvailabilityZone | Zone | An availability zone within a region.
Local Zone | aws.ec2.LocalZone | Zone | A local zone in AWS for EC2 resources.
Volume Attachment | aws.ec2.VolumeAttachment | VolumeAttachment | Attachment information for an EC2 volume.
VPC CIDR Block Association | aws.ec2.VpcCidrBlockAssociation | CIDRBlock | CIDR block associations with a VPC.
ECR Service | ecr | Service | AWS ECR service for container registries.
ECR Repository | ecr.Repository | Repository | A repository in AWS ECR.
ECR Image | ecr.Image | Image | A container image stored in AWS ECR.
ECR Image Scan Finding | ecr.ImageScanFinding | ScanFinding | Findings from security scans of ECR images.
AWS API Gateway | aws.apigateway.RestAPI | API | A REST API in AWS API Gateway.
HTTP API Gateway | aws.apigateway.HttpAPI | HTTP API | An HTTP API in AWS API Gateway.
API Gateway Integration | aws.apigateway.Integration | Integration | Integration settings for API Gateway.
API Gateway Stage | aws.apigateway.Stage | Stage | Deployment stage for API Gateway.
API Gateway Model | aws.apigateway.Model | Model | Model definition for API Gateway.
API Gateway Resource | aws.apigateway.Resource | Resource | API Gateway resource definition.
API Gateway Integration | aws.apigateway.Integration | Integration | API Gateway integration configuration.
API Gateway Method | aws.apigateway.Method | Method | HTTP method for API Gateway.
CloudWatch State Reason Data | cloudwatch.StateReasonData | StateReasonData | Represents state reason data in CloudWatch.
EC2 Disk Info | aws.ec2.DiskInfo | EC2DiskInfo | Information about an EC2 instance disk.
EC2 Instance Storage Info | aws.ec2.InstanceStorageInfo | EC2InstanceStorage | Information about EC2 instance storage.
EC2 vCPU Info | aws.ec2.VCpuInfo | EC2vCPUInfo | Information about EC2 instance vCPUs.
ECS Port Mapping | aws.ecs.PortMapping | ECSPortMapping | Port mapping configuration for ECS containers.
ECS Container Definition | aws.ecs.ContainerDefinition | ECSContainerDefinition | ECS container configuration details.
IAM Group | aws.iam.Group | UserGroup | A group in AWS IAM.
IAM Resource | aws.iam.Resource | IAMResource | A resource managed by AWS IAM.
IAM Policy Document | aws.iam.PolicyDocument | IAMPolicyDocument | A document that defines IAM policy permissions.
IAM Policy Action Resource | aws.iam.PolicyActionResource | IAMPolicyActionResource | Defines actions in an IAM policy.
IAM Policy Statement | aws.iam.PolicyStatement | IAMPolicyStatement | A policy statement within an IAM policy.
Kinesis Shard | aws.kinesis.Shard | KinesisShard | A shard in an AWS Kinesis stream.
SNS Topic | sns.Topic | SNSTopic | An SNS topic for message distribution.
SNS Subscription | sns.Subscription | SNSSubscription | A subscription to an SNS topic.
EC2 IAM Instance Profile | aws.ec2.IamInstanceProfile | EC2IamInstanceProfile | An IAM profile associated with an EC2 instance.
EC2 IAM Instance Profile Association | aws.ec2.IamInstanceProfileAssociation | EC2IamInstanceProfileAssociation | Association of an IAM instance profile with EC2.
IAM Instance Profile | aws.iam.InstanceProfile | IAMInstanceProfile | A profile for EC2 instances within IAM.
EC2 Instance Image | aws.ec2.InstanceImage | EC2InstanceImage | An image used to create EC2 instances.
AWS Cloud | AWS | AWSCloud | AWS cloud services and environment.
Cluster | cluster | Cluster | A computing cluster for resource management.
Entities | _Entities | Entity | General entities for data representation.
Common Tag | common.Tag | CommonTag | Tag used across multiple AWS resources.
Utility Property | util.Property | UtilityProperty | General utility properties.
Domain Schema | domainschema.Schema | DomainSchema | Schema for domain-related data structure.
Domain Element Type | domainschema.ElementType | DomainElementType | Element type within a domain schema.
Domain Element Property Type | domainschema.ElementPropertyType | DomainElementPropertyType | Property type within a domain schema.
ECS Container | aws.ecs.Container | ECSContainer | A container managed by ECS.
ECS Network Binding | aws.ecs.NetworkBinding | ECSNetworkBinding | Network binding for ECS containers.
IAM Policy Condition | aws.iam.PolicyCondition | IAMPolicyCondition | Condition applied in an IAM policy.
IAM Policy Principal | aws.iam.PolicyPrincipal | IAMPolicyPrincipal | Principal identifier for an IAM policy.
S3 Encryption Info | aws.s3.EncryptionInfo | S3EncryptionInfo | Encryption settings for an S3 bucket.
RDS DB Cluster Member | aws.rds.DBClusterMember | DBClusterMember | A member of an AWS RDS DB cluster.
RDS DB Cluster | aws.rds.DBCluster | Cluster | AWS RDS database cluster.
RDS DB Cluster Endpoint | aws.rds.DBClusterEndpoint | DBClusterEndpoint | Endpoint for accessing an AWS RDS DB cluster.
RDS DB Parameter Group | aws.rds.DBParameterGroup | DBParameterGroup | AWS RDS DB parameter group.
RDS DB Instance | aws.rds.DBInstance | DBInstance | AWS RDS database instance.
RDS Availability Zone | aws.rds.AvailabilityZone | AvailabilityZone | AWS RDS availability zone.
RDS DB Subnet Group | aws.rds.DBSubnetGroup | DBSubnetGroup | AWS RDS DB subnet group.
RDS DB Parameter Group Status | aws.rds.DBParameterGroupStatus | DBParameterGroupStatus | AWS RDS DB parameter group status.
RDS DB Security Group | aws.rds.DBSecurityGroup | DBSecurityGroup | AWS RDS DB security group.
RDS Double Range | aws.rds.DoubleRange | DoubleRange | AWS RDS double range parameter.
RDS Event Categories Map | aws.rds.EventCategoriesMap | EventCategoriesMap | Mapping of event categories in AWS RDS.
RDS Endpoint | aws.rds.Endpoint | Endpoint | AWS RDS endpoint.
RDS Engine Defaults | aws.rds.EngineDefaults | EngineDefaults | Default settings for an AWS RDS engine.
RDS Pending Modified Values | aws.rds.PendingModifiedValues | PendingModifiedValues | AWS RDS pending modifications.
RDS Range | aws.rds.Range | Range | AWS RDS range parameter.
RDS VPC Security Group Membership | aws.rds.VpcSecurityGroupMembership | VpcSecurityGroupMembership | AWS RDS VPC security group membership.
RDS Subnet | aws.rds.Subnet | Subnet | AWS RDS subnet.
RDS Valid DB Instance Modifications | aws.rds.ValidDBInstanceModificationsMessage | ValidDBInstanceModifications | Valid modifications for AWS RDS DB instances.
RDS Valid Storage Options | aws.rds.ValidStorageOptions | ValidStorageOptions | Valid storage options for AWS RDS.
RDS Parameter | aws.rds.Parameter | Parameter | Parameter for AWS RDS configuration.
RDS Option Group Membership | aws.rds.OptionGroupMembership | OptionGroupMembership | Membership in an AWS RDS option group.
RDS DB Snapshot | aws.rds.DBSnapshot | DBSnapshot | AWS RDS DB snapshot.
Redshift | aws.redshift.AwsRedshift | Cluster | AWS Redshift cluster.
Redshift Cluster Node | aws.redshift.ClusterNode | ClusterNode | Node in an AWS Redshift cluster.
Redshift Cluster | aws.redshift.Cluster | Cluster | AWS Redshift cluster.
Redshift Availability Zone | aws.redshift.AvailabilityZone | AvailabilityZone | Availability zone for AWS Redshift.
Redshift Cluster Parameter Group | aws.redshift.ClusterParameterGroup | ClusterParameterGroup | AWS Redshift cluster parameter group.
Redshift Cluster Parameter Group Status | aws.redshift.ClusterParameterGroupStatus | ClusterParameterGroupStatus | Status of an AWS Redshift cluster parameter group.
Redshift Default Cluster Parameters | aws.redshift.DefaultClusterParameters | DefaultClusterParameters | Default parameters for AWS Redshift clusters.
Redshift Cluster Subnet Group | aws.redshift.ClusterSubnetGroup | ClusterSubnetGroup | AWS Redshift cluster subnet group.
Redshift Cluster Version | aws.redshift.ClusterVersion | ClusterVersion | AWS Redshift cluster version.
Redshift Endpoint | aws.redshift.Endpoint | Endpoint | AWS Redshift endpoint.
Redshift Reserved Node Offering | aws.redshift.ReservedNodeOffering | ReservedNodeOffering | Reserved node offering for AWS Redshift.
Redshift Subnet | aws.redshift.Subnet | Subnet | AWS Redshift subnet.
Redshift Recurring Charge | aws.redshift.RecurringCharge | RecurringCharge | Recurring charge for AWS Redshift.
Redshift Logging Status | aws.redshift.LoggingStatus | LoggingStatus | Logging status in AWS Redshift.
Redshift Parameter | aws.redshift.Parameter | Parameter | AWS Redshift configuration parameter.
Redshift Pending Modified Values | aws.redshift.PendingModifiedValues | PendingModifiedValues | Pending modified values in AWS Redshift.
Redshift VPC Security Group Membership | aws.redshift.VpcSecurityGroupMembership | VpcSecurityGroupMembership | Membership in an AWS Redshift VPC security group.
EC2 VPC Peering Connection VPC Info | aws.ec2.VpcPeeringConnectionVpcInfo | VpcPeeringConnectionVpcInfo | VPC information for an EC2 VPC peering connection.
EC2 VPC Peering Connection | aws.ec2.VpcPeeringConnection | VpcPeeringConnection | AWS EC2 VPC peering connection.
EC2 Route Table | aws.ec2.RouteTable | RouteTable | AWS EC2 route table.
EC2 Route Table Association | aws.ec2.RouteTableAssociation | RouteTableAssociation | Association of a route table in AWS EC2.
CloudFront Distribution | aws.cloudfront.Distribution | CloudFrontDistribution | A CloudFront distribution for delivering content.
CloudFront | cloudfront | CloudFront | The CloudFront service for content delivery.
AwsCloudfront | aws.cloudfront.AwsCloudfront | AwsCloudfront | AWS CloudFront service for managing distributions.
EC2 Network ACL | aws.ec2.NetworkACL | EC2NetworkACL | Network ACL for controlling traffic in AWS EC2.
EC2 Network ACL Entry | aws.ec2.NetworkACLEntry | EC2NetworkACLEntry | Entry in an EC2 Network ACL that defines a rule.
EC2 Network ACL Association | aws.ec2.NetworkACLAssociation | EC2NetworkACLAssociation | Association of an EC2 Network ACL with a subnet.
ELB Load Balancer | aws.elb.LoadBalancer | ELBLoadBalancer | A load balancer in AWS Elastic Load Balancing.
ELB Listener | aws.elb.Listener | ELBListener | A listener on an ELB that accepts incoming traffic.
ELB | elb | ELB | AWS Elastic Load Balancing service.
Route53 Resource Record Set | aws.route53.ResourceRecordSet | Route53ResourceRecordSet | A set of resource records in AWS Route 53.
Route53 Resource Record | aws.route53.ResourceRecord | Route53ResourceRecord | A DNS resource record in AWS Route 53.
Route53 Alias Target | aws.route53.AliasTarget | Route53AliasTarget | A target for alias records in Route 53.
Route53 | route53 | Route53 | AWS Route 53 for DNS management.
CloudTrail Trail | aws.cloudtrail.Trail | CloudTrailTrail | A CloudTrail trail that captures AWS account activity.
CloudTrail | aws.cloudtrail | CloudTrail | AWS CloudTrail service for monitoring API activity.
EC2 Address | aws.ec2.Address | EC2Address | A public IP address for an EC2 instance.
EC2 Key Pair Info | aws.ec2.KeyPairInfo | EC2KeyPairInfo | Information about an EC2 key pair for SSH access.
EC2 Snapshot | aws.ec2.Snapshot | EC2Snapshot | A snapshot of an EC2 instance's storage volume.
Lambda Layer | aws.lambda.Layer | LambdaLayer | A layer for AWS Lambda functions to share code.
Route53 Hosted Zone | aws.route53.HostedZone | Route53HostedZone | A hosted zone in AWS Route 53 for DNS records.
IAM MFA Device | aws.iam.MFADevice | IAMMFADevice | A multi-factor authentication device in IAM.
CloudFront Origin | aws.cloudfront.Origin | CloudFrontOrigin | Origin server for AWS CloudFront distributions.
IAM Password Policy | aws.iam.PasswordPolicy | Policy | Password policy settings for AWS IAM users.
Cognito Password Policy | cognitoidentityprovider.PasswordPolicy | Policy | A password policy for AWS Cognito identity pools.
Cognito User Pool Policy | cognitoidentityprovider.UserPoolPolicy | Policy | A policy for user pools in AWS Cognito.
Cognito User Pool | cognitoidentityprovider.UserPool | CognitoUserPool | A user pool in AWS Cognito for managing users.
Identity Pool | aws.cognitoidentity.IdentityPool | IdentityPool | An AWS Cognito identity pool for federated identities.
Cognito Provider | aws.cognitoidentity.Provider | CognitoProvider | An identity provider for AWS Cognito pools.
Cognito Identity | aws.cognitoidentity | CognitoIdentity | AWS Cognito identity service for user management.
Cognito User | cognitoidentityprovider.User | User | A user in AWS Cognito user pools.
Cognito Identity Provider | cognitoidentityprovider | CognitoIdentityProvider | An identity provider in AWS Cognito.
EC2 Nat Gateway | aws.ec2.NatGateway | EC2NatGateway | A NAT Gateway for AWS EC2 instances.
Route53 Domains | aws.route53domains.Domain | Route53Domains | A domain registered in AWS Route 53.
Route53Domains | route53domains | Route53Domains | AWS Route 53 domains service for domain management.
AwsRoute53Domains | aws.route53domains.AwsRoute53Domains | AwsRoute53Domains | AWS service for managing Route 53 domains.
Identity Store | identitystore | IdentityStore | An identity store service in AWS for user management.
Identity Store Entry | identitystore.IdentityStore | IdentityStoreEntry | A specific identity store entry in AWS.
Identity Store User | identitystore.User | User | A user within the identity store in AWS.
Identity Store Name | identitystore.Name | IdentityStoreName | A name entry within the AWS identity store.
Identity Store Group | identitystore.Group | IdentityStoreGroup | A user group within the AWS identity store.
Identity Store Group Membership | identitystore.GroupMembership | IdentityStoreGroupMembership | A membership within an identity store group.
Identity Store ExternalId | identitystore.ExternalId | IdentityStoreExternalId | An external ID for identity store integration.
EventBridge Event Bus | eventbridge.EventBus | EventBridgeEventBus | An event bus in AWS EventBridge for event routing.
EventBridge | eventbridge | EventBridge | AWS EventBridge service for event-driven applications.
EventBridge Rule | eventbridge.Rule | EventBridgeRule | A rule in AWS EventBridge for routing events.
EventBridge Target | eventbridge.Target | EventBridgeTarget | A target service for events in AWS EventBridge.
KMS | kms | KMS | AWS Key Management Service for managing encryption keys.
KMS Key Metadata | kms.KeyMetadata | KMSKeyMetadata | Metadata related to encryption keys in KMS.
SecretsManager Secret | secretsmanager.Secret | SecretsManagerSecret | A secret stored in AWS Secrets Manager.
SecretsManager | secretsmanager | SecretsManager | AWS Secrets Manager for managing sensitive data.
AwsSecrets | secretsmanager.AwsSecrets | AwsSecrets | AWS Secrets Manager service for secret management.
SES | aws.ses | SES | AWS Simple Email Service for email sending.
SES Identity | aws.ses.Identity | SESIdentity | An identity registered with AWS SES for email sending.
OpenSearch | aws.opensearch | OpenSearch | AWS OpenSearch service for search and analytics.
OpenSearch Domain | aws.opensearch.Domain | OpenSearchDomain | A domain within AWS OpenSearch for hosting indices.
Finding | sca.secretscan.Finding | Vulnerability | A secret detected by Gitleaks.
Events
Event | Description
GenerateDataKey | Generates a unique data key for encryption and returns the encrypted and plaintext versions.
PutObject | Adds an object to an S3 bucket.
LookupEvents | Queries and retrieves CloudTrail events for auditing purposes.
GetCallerIdentity | Retrieves details about the IAM identity making the request.
Decrypt | Decrypts ciphertext using a specified KMS key.
AssumeRole | Switches to a role, providing temporary security credentials.
GetObject | Retrieves an object from an S3 bucket.
ListObjects | Lists the objects in an S3 bucket.
BatchGetImage | Retrieves metadata about container images in Amazon Elastic Container Registry (ECR).
Encrypt | Encrypts plaintext into ciphertext using a specified KMS key.
CreateGrant | Creates a grant for a KMS key to allow access to the key.
CreateLogGroup | Creates a new log group in CloudWatch Logs.
HeadBucket | Checks if an S3 bucket exists and if the user has permissions to access it.
CreateLogStream | Creates a new log stream within a log group in CloudWatch Logs.
DeleteEmailIdentity | Deletes an email identity used for sending emails in SES.
CompleteMultipartUpload | Finalizes a multipart upload to S3 by assembling previously uploaded parts.
CreateMultipartUpload | Initiates a multipart upload to S3 for large objects.
UploadPart | Uploads a single part of a multipart upload to S3.
CreateSecurityGroup | Creates a security group, a virtual firewall for controlling inbound and outbound traffic.
HeadObject | Retrieves metadata of an object in S3 without downloading the object itself.
PreflightRequest | Checks CORS permissions before making a cross-origin request.
GenerateDataKeyWithoutPlaintext | Generates an encrypted data key without providing the plaintext key to the caller.
FilterLogEvents | Searches log events using filters in CloudWatch Logs.
CreateComputeEnvironment | Creates a compute environment for AWS Batch.
CreateRepository | Creates a new repository in Amazon Elastic Container Registry (ECR).
ReadFromRepository | Reads content or metadata from a repository in ECR.
GetObjectTagging | Retrieves the tags assigned to an object in an S3 bucket.