Edge Types

Overview of all edge types that are generated.

When two cloud resources are related to each other, CodeShield's cloud model computes an edge connecting the two resources in the model. There are different types of edges because a connection may stem from different sources. For example, some edges stem from definitions of networks or file systems, while others are generated from policies attached to roles, or to users that belong to groups.

In the table below, all edge types are listed.

Edge Types

| Edge Type | Source Type | Target Type | Semantics |
|---|---|---|---|
| APIReference | AWS::ApiGateway::RestApi, AWS::ApiGateway::Resource or AWS::ApiGatewayV2::Api | AWS::Resource | Models the connection between an API route and the resource that handles the request, depending on the HTTP method used in the request. |
| AttachedPolicyReference | AWS::Resource | AWS::IAM::Policy | Models that the source resource has the target policy attached. |
| AttachedRoleReference | AWS::Resource | AWS::IAM::Role | Models that the source resource has the target role attached. |
| AuthorizerRef | AWS::ApiGateway::Resource | AWS::Lambda::Function or AWS::Cognito::UserPool | Models that the source API Gateway resource uses the target (a Lambda function or a UserPool) as authorizer for HTTP requests. |
| CloudWatchAlarmEvent | AWS::CloudWatch::Alarm | AWS::Resource | Models that the source alarm triggers the target resource with an alarm event. |
| ContainerReference | AWS::ECS::Service | AWS::ECS::TaskDefinition | Models that the source Service uses the target TaskDefinition for spawning ECS instances. |
| DocDBReference | AWS::DocDB::DBCluster | AWS::DocDB::DBInstance | Models that the source DBCluster contains the target DBInstance. |
| FSMountReference | AWS::Resource | AWS::EFS::FileSystem | Models that the source Resource has the target EFS file system mounted. |
| GroupMembership | AWS::IAM::User | AWS::IAM::Group | Models that the source User is a member of the target Group. |
| NetworkReference | AWS::Resource | AWS::Resource | Models that the source Resource can communicate over a VPC network with the target Resource. Contains information about the defining network configuration (security group, port, etc.). |
| PolicyReference | AWS::Resource | AWS::Resource | Models that the source Resource has IAM permissions to access the target Resource. These permissions are extracted by collecting all related Policies and evaluating them against each other, i.e., the relevantActions of this edge are the IAM actions that the source is actually allowed to perform on the target after all policies have been evaluated against each other. This edge therefore also models whether a principal can assume a Role: that is the case if the relevant actions contain the sts:AssumeRole action. |
| QueryEvent | AWS::AppSync::DataSource | AWS::DynamoDB::Table | Models that the source DataSource is backed by the target table. |
| S3NotificationEvent | AWS::S3::Bucket | AWS::SNS::Topic, AWS::SQS::Queue or AWS::Lambda::Function | Models that the source bucket triggers the target Resource on change. |
| SnsConsumeEvent | AWS::SNS::Topic | AWS::Resource | Models that the source Topic triggers the target resource when a message is published to the source topic. |
| SnsPublishEvent | AWS::Lambda::Function | AWS::SNS::Topic | Models that the source function publishes messages to the target SNS topic. |
| TaskReference | AWS::ECS::TaskSet | AWS::ECS::TaskDefinition | Models that the source TaskSet contains the target TaskDefinition. |
| TriggerEvent | AWS::Resource | AWS::Resource | Models that the source Resource triggers execution of the target Resource. E.g., an AWS::AppSync::DataSource or a DynamoDB table triggers a Lambda function on change. |
| TrustRelationship | AWS::Resource | AWS::Resource | Models that the source has a trust relation to the target. E.g., a Role names the source resource as principal in its trust policy, so that the source is trusted to assume the target role. Or a resource-based policy lists the source resource in its principal section, so that the source is trusted to access the target DynamoDB table. Note that the allowed actions of a TrustRelationship are not yet policy-evaluated, i.e., even though a target Role might trust the source resource to assume it, another policy might DENY the source from assuming the target role. To definitely check whether the trusted access is granted, there needs to be a PolicyReference between source and target that allows the action (e.g. sts:AssumeRole). |
| UserPoolReference | AWS::Cognito::UserPoolClient | AWS::Cognito::UserPool | Models that the source UserPoolClient operates on the target UserPool. |
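The distinction between TrustRelationship and PolicyReference above is easy to get wrong: a trust policy alone says nothing about whether an assume-role call actually succeeds. The following Python snippet is an added example (not CodeShield's code; resource names, policy statements and the simplified IAM evaluation are constructed assumptions) that builds a toy edge set from a role's trust policy and a few identity-based statements, derives PolicyReference edges by letting an explicit Deny override any Allow, and then answers "can source assume target?" exactly as the table describes: only when a TrustRelationship edge exists *and* a PolicyReference edge whose relevantActions contain sts:AssumeRole.

```python
"""Toy cloud-model graph: TrustRelationship vs. PolicyReference edges.

Constructed example illustrating the edge semantics on the page; it is not
CodeShield's implementation. All resource names and policies are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Edge:
    kind: str                                   # "TrustRelationship" or "PolicyReference"
    source: str                                 # id of the source resource (principal)
    target: str                                 # id of the target resource (here: a role)
    relevant_actions: FrozenSet[str] = frozenset()  # only meaningful for PolicyReference


# Constructed sample model: one role whose trust policy names two principals.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "AdminRole": {"trusted_principals": ["LambdaFunction", "CIUser"]},
}

# Constructed identity-based statements attached to the principals.
# CIUser is trusted by the role but explicitly denied sts:AssumeRole elsewhere;
# Auditor is allowed sts:AssumeRole by its own policy but is not trusted by the role.
IDENTITY_STATEMENTS: List[Dict[str, str]] = [
    {"Principal": "LambdaFunction", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "AdminRole"},
    {"Principal": "CIUser", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "AdminRole"},
    {"Principal": "CIUser", "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "AdminRole"},
    {"Principal": "Auditor", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "AdminRole"},
]


def trust_edges(roles: Dict[str, Dict[str, List[str]]]) -> Set[Edge]:
    """One TrustRelationship edge per principal listed in a role's trust policy.
    These edges are *not* policy-evaluated: they only record declared trust."""
    return {
        Edge("TrustRelationship", principal, role)
        for role, cfg in roles.items()
        for principal in cfg["trusted_principals"]
    }


def policy_reference_edges(roles: Dict[str, Dict[str, List[str]]],
                           identity_statements: Iterable[Dict[str, str]]) -> Set[Edge]:
    """Collect every statement relating a principal to a target (the role's
    trust policy counts as a resource-based Allow for sts:AssumeRole, plus the
    identity-based statements) and evaluate them against each other:
    an explicit Deny removes the action from the Allow set.
    Simplifying assumption of this toy model: an identity Allow alone is enough
    to produce a PolicyReference edge; trust is checked separately in can_assume."""
    statements = list(identity_statements)
    for role, cfg in roles.items():
        for principal in cfg["trusted_principals"]:
            statements.append({"Principal": principal, "Effect": "Allow",
                               "Action": "sts:AssumeRole", "Resource": role})

    allowed: Dict[Tuple[str, str], Set[str]] = {}
    denied: Dict[Tuple[str, str], Set[str]] = {}
    for st in statements:
        key = (st["Principal"], st["Resource"])
        bucket = allowed if st["Effect"] == "Allow" else denied
        bucket.setdefault(key, set()).add(st["Action"])

    edges: Set[Edge] = set()
    for (source, target), actions in allowed.items():
        relevant = actions - denied.get((source, target), set())
        if relevant:  # no edge at all when every allowed action is denied
            edges.add(Edge("PolicyReference", source, target, frozenset(relevant)))
    return edges


def can_assume(edges: Iterable[Edge], source: str, target: str) -> bool:
    """Trusted access is granted only if the role trusts the source AND the
    evaluated permissions still contain sts:AssumeRole."""
    edges = list(edges)
    trusted = any(e.kind == "TrustRelationship" and e.source == source and e.target == target
                  for e in edges)
    permitted = any(e.kind == "PolicyReference" and e.source == source and e.target == target
                    and "sts:AssumeRole" in e.relevant_actions for e in edges)
    return trusted and permitted


def build_model() -> Set[Edge]:
    return trust_edges(ROLES) | policy_reference_edges(ROLES, IDENTITY_STATEMENTS)


if __name__ == "__main__":
    model = build_model()
    for principal in ("LambdaFunction", "CIUser", "Auditor"):
        print(f"{principal} -> AdminRole: can assume = {can_assume(model, principal, 'AdminRole')}")
```

In the sample model, LambdaFunction ends up with both edges and can assume the role; CIUser keeps its TrustRelationship edge (the role does trust it) but gets no PolicyReference edge because the Deny cancels the Allow, so the check fails; Auditor has permissions but no trust, so it fails as well. Reading only the TrustRelationship edges would have flagged CIUser as a possible assume-role path, which is exactly the false positive the table warns about.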
Last modified September 23, 2022