Skip to main content

Edge Types

When two cloud resources are with each other, CodeShield's cloud model will compute an edge connecting the two resources in the cloud model. There are different types of edges as the connection may stem from different sources. For example, some edges stem from definitions of networks or file systems, and some edges are generated based on attachments of policies to roles or users that belong to groups.

In the table below, all edge types are listed.

Edge Types

Edge TypeSource TypeTarget TypeSemantics
APIReferenceAWS::ApiGateway::RestApi or AWS::ApiGateway::Resource or AWS::ApiGatewayV2::ApiAWS::ResourceModels the connection between an api route and the resource which will handle the request depending on the HTTP method used in the request.
AccessRefAWS::ResourceAWS::ResourceModels that the source Resource has IAM permissions to access the target Resource. These permissions are extracted by collecting and evaluating all related Policies against each other. I.e., the effectiveActions of this edge define the actually allowed IAM actions that source can conduct on target after all policies have been evaluated against each other. Thereby, also models if a principal can assume a Role, if the relevant actions contain the sts:AssumeRole action.
AlarmEventAWS::CloudWatch::AlarmAWS::ResourceModels that the source alarm triggers the target resource with an alarm event.
AttachedKeyAWS::ResourceAWS::KMS::KeyModels a AWS::KMS::Key attachment to another resource.
AttachedPolicyAWS::ResourceAWS::IAM::PolicyModels that the source resource has the target policy attached.
AttachedRoleAWS::ResourceAWS::IAM::RoleModels that the source resource has the target role attached
AttachedSecretAWS::ResourceAWS::SecretsManager::SecretModels a AWS::SecretsManager::Secret attachment to another resource.
AuthorizerRefAWS::ApiGateway::ResourceAWS::Lambda::Function or AWS::Cognito::UserPoolModels that the source function uses the target UserPool as authorizer for HTTP request.
ContainerReferenceAWS::ECS::ServiceAWS::ECS::TaskDefinitionModels that the source Service uses the target TaskDefinition for spawning ECS instances.
DocDBReferenceAWS::DocDB::DBClusterAWS::DocDB::DBInstanceModels that the source DBCluster contains the target DBInstance
FSMountReferenceAWS::ResourceAWS::EFS::FileSystemModels that the source Resource has the target EFS filesystem mounted.
GroupMembershipAWS::IAM::UserAWS::IAM::GroupModels that the source User is a member of the target Group.
NetworkReferenceAWS::ResourceAWS::ResourceModels that the source Resource can communicate over a VPC network to the target Resource. Contains information about the defining network configuration (security group, port, etc.).
PolicyRefAWS::PolicyAWS::ResourceModels the reference of a resource by a policy. This is not policy evaluated yet as no resource-based policies, permissions-boundaries, or SCPs are involved. AccessReferences model the actual access that is possible between two resources after all corresponding policies were evaluated.
PubliclyReachableAttackerAWS::ResourceModels the entry points to a cloud environment, i.e., publicly reachable resources by an outsider.
QueryEventAWS::AppSync::DataSourceAWS::DynamoDB::TableModels that the source DataSource is backed by the target table.
S3NotificationEventAWS::S3::BucketAWS::SNS::Topic or AWS::SQS::Queue or AWS::Lambda::FunctionModels that the source bucket triggers the target Resource on change.
SessionRefAWS::IAM::RoleAWS::IAM::AssumedRoleModels that a role has a role session which is referenced as principal in a trust policy
SnsConsumeEventAWS::SNS::TopicAWS::ResourceModels that the source Topic triggers the target resource when a message is published to the source topic.
SnsPublishEventAWS::Lambda::FunctionAWS::SNS::TopicModels that the source function publishes a message to the target SNS topic.
TaskReferenceAWS::ECS::TaskSetAWS::ECS::TaskDefinitionModels that the source TaskSet contains the target TaskDefinition.
TriggerEventAWS::ResourceAWS::ResourceModels that the source Resource triggers the target Resource execution. E.g., an AWS::AppSync::DataSource or DynamoDB table triggers a Lambda on change.
TrustRelationshipAWS::ResourceAWS::ResourceModels that the source has a trust relation to the target. E.g., a Role defines the source resource as principal of its trust policy, so that the source is trusted to assume the target role. Or, a resource-based policy allows the source resource in its principal section, so that the source is trusted to access the target DynamoDB table. Note that the allowed actions of a TrustRelationship are not yet policy evaluated, i.e., even-though a target Role might trust the source resource to assume it, another policy might DENY the source to assume the target role. To definitely check if the trusted access is granted, there needs to be a PolicyReference between source and target that allows the action (e.g. sts:AssumeRole).
UserPoolReferenceAWS::Cognito::UserPoolClientAWS::Cognito::UserPoolModels that the source UserPoolClient operates on the target UserPool.