Identity & Management Resources

Summaries and Attributes of InsightCloudSec Identity & Management Resources

Identity and Management resources are available in InsightCloudSec as the fifth section (tab) under the Resource landing page. These resources are related to identity and management functionality and include resources like cloud alarms, cloud roles, and cloud users.

Identity and Management resources are displayed alphabetically using the InsightCloudSec normalized terminology. Hovering over an individual resource provides the CSP-specific term with the associated logo to help users confirm the displayed information. For example, a Cloud Policy refers to Amazon's "IAM Policy", Google's "Role Permission Set", and Azure's "Role Definition".

For a detailed reference of this normalized terminology check out our section on Resource Terminology.

[Image: Identity and Management Resources]


A Note About Resource Attributes

A large number of Resource Attributes are offered for the resources outlined here. Because we are continuously expanding our supported resources, the attributes and details included here cannot be guaranteed to include every resource or every attribute.

If you need information about the attributes of a particular resource we are happy to help get those details for you - reach out to us through the Customer Support Portal with any questions!

Access Analyzer

Resources like the AWS IAM Access Analyzer can help identify resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that may be shared with an external source. This can help identify risks associated with unintended access to your resources and data.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which this analyzer resides |
| analyzer_id | The provider ID of the analyzer |
| create_time | The time when this analyzer was created |
| last_scan_time | The time when the analyzer last ran a scan |
| active_finding_count | The list of active findings by the analyzer |
| public_finding_count | The list of public findings by the analyzer |
| cross_account_count | The list of cross account findings by the analyzer |
| unknown_account_count | The list of unknown account findings |
| arn | The ARN associated with the access analyzer |
| account_mapping | The accounts connected to the access analyzer |

Activity Log Alerts

An activity log alert monitors a resource by checking its logs for a new event that matches defined conditions.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| activity_log_alert_id | The provider ID for the alert |
| name | The name of the activity log alert |
| region_name | The region in which the alert resides |
| enabled | Denotes whether the alert is enabled or not |
| description | A description of the alert |
| category | The category for the alert |
| azure_resource_type | The resource type the alert is applied to |
| operation_name | The name of the operation the alert is listening for |
| levels | The levels of severity set for the alert |
| statuses | The statuses set for the alert |
| namespace_id | The unique composite ID of the provider ID for the resource |

API Access Key

API Access Keys are used within organization services. They are used to provide programmatic access to the cloud environment. They can be associated with a user that can be an individual, e.g., Jane Doe, or an application, e.g., InsightCloudSec. This class inherits from Resource and has direct access to the resource’s database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| access_key_id | The provider ID for the API access key |
| organization_service_id | The ID of the parent organization service (cloud) |
| status | Whether the key is active or inactive |
| user_resource_id | The ID of the user associated with the key |
| user_name | The username of the user associated with the API Access Key |
| role_resource_id | The provider identifier of the role |
| role_name | The short name of the role |
| app_resource_id | The resource ID of the application associated with the access key |
| app_name | The application associated with the access key |
| create_date | The date the API access key was created |
| last_used_date | The date the API access key was last used, or None |
| expiration_date | The date the API access key expires |
| user_managed | Denotes if the key is managed by a user |
| namespace_id | The unique composite ID of the provider ID for the resource |
| key_usage_obtained | Indicates if key usage data is available |

class DivvyResource.Resources.serviceaccesskey.ServiceAccessKey(resource_id)
Bases: DivvyResource.Resources.resource.Resource

API Access Key Operations

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

get_date_created()
Retrieve the time from the provider that this resource was created (if available).

static get_db_class()

get_db_pk()

static get_provider_id_field()

get_resource_name()
Returns the ID of the access key as there is no name

static get_resource_name_field()
Overrides parent function and returns the description field of this resource. This is required because not all resource types have a field explicitly called name.

static get_resource_type()

get_supported_actions()
Retrieve all the actions which are supported by this resource.

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

update_status(status, user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

API Accounting Config

API Accounting Configs represent cloud API audit trail configurations. An example of such a service would be AWS CloudTrail. This class inherits from TopLevelResource and has direct access to the resource’s database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| accounting_config_id | The provider ID of the accounting configuration |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region where the API configuration resides |
| name | The name of the config |
| parent_resource_id | The resource ID of the parent that this trail is associated with |
| multi_region | Denotes whether or not the configuration spans all regions |
| is_logging | Whether the API Accounting Config is currently logging API calls |
| is_organization_trail | Denotes if a trail is logging events in that organization |
| key_resource_id | The provider ID of the key used for the API Accounting Config |
| config | JSON output of configurations (if logging is enabled, if log file validation is enabled, S3 bucket name) |
| logged_resources | The destination of the logs |
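The attributes above are what a reviewer needs to judge whether an account's API audit trail actually covers it. The Python below is an added example (not InsightCloudSec code or API) that evaluates constructed API Accounting Config records, keyed by the attribute names in this table, for the usual gaps: no recording trail, no multi-region trail, an unencrypted trail, and log file validation switched off. The key names inside the `config` JSON and the finding codes are assumptions.

```python
"""Audit-trail coverage findings over InsightCloudSec-style API Accounting Config records.

Added example, not InsightCloudSec's own code. The records are constructed; their keys
mirror the attribute names documented on this page. The key names inside the `config`
JSON (log_file_validation_enabled, s3_bucket_name) are assumed, as are the finding codes.
"""
import json


def _config_json(record):
    """The `config` attribute is documented as JSON output; accept a string or a decoded dict."""
    raw = record.get("config")
    if raw is None:
        return {}
    return raw if isinstance(raw, dict) else json.loads(raw)


def evaluate_trails(account_ids, configs):
    """Return {organization_service_id: [finding, ...]} for every account in account_ids.

    Account-level findings say whether the account has any trail that is actually
    recording, and whether at least one recording trail spans all regions (otherwise
    API activity in an unmonitored region leaves no record). Trail-level findings
    cover encryption of the trail (key_resource_id) and log file validation.
    """
    by_account = {aid: [] for aid in account_ids}
    for cfg in configs:
        by_account.setdefault(cfg["organization_service_id"], []).append(cfg)

    report = {}
    for account_id, trails in by_account.items():
        findings = []
        if not trails:
            findings.append("NO_TRAIL")
        else:
            logging = [t for t in trails if t["is_logging"]]
            if not logging:
                findings.append("NO_LOGGING_TRAIL")
            elif not any(t["multi_region"] for t in logging):
                findings.append("NO_MULTI_REGION_TRAIL")
            for t in trails:
                if t["key_resource_id"] is None:
                    findings.append(f"{t['resource_id']}: UNENCRYPTED")
                if not _config_json(t).get("log_file_validation_enabled", False):
                    findings.append(f"{t['resource_id']}: LOG_FILE_VALIDATION_DISABLED")
        report[account_id] = findings
    return report


# Constructed sample records (not real data); only the attributes the checks read are included.
CONFIGS = [
    {"resource_id": "trail-1", "organization_service_id": 1, "region_name": "us-east-1", "name": "org-trail",
     "multi_region": True, "is_logging": True, "is_organization_trail": True, "key_resource_id": "key-9",
     "config": json.dumps({"log_file_validation_enabled": True, "s3_bucket_name": "example-audit-logs"})},
    {"resource_id": "trail-2", "organization_service_id": 2, "region_name": "us-west-2", "name": "regional-only",
     "multi_region": False, "is_logging": True, "is_organization_trail": False, "key_resource_id": None,
     "config": json.dumps({"log_file_validation_enabled": False, "s3_bucket_name": "example-logs-west"})},
    {"resource_id": "trail-3", "organization_service_id": 3, "region_name": "eu-west-1", "name": "stopped",
     "multi_region": True, "is_logging": False, "is_organization_trail": False, "key_resource_id": None,
     "config": json.dumps({"log_file_validation_enabled": True, "s3_bucket_name": "example-logs-eu"})},
]
ACCOUNT_IDS = [1, 2, 3, 4]  # account 4 has no trail at all

if __name__ == "__main__":
    for account_id, findings in evaluate_trails(ACCOUNT_IDS, CONFIGS).items():
        print(account_id, findings or ["OK"])
```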

class DivvyResource.Resources.apiaccountingconfig.ApiAccountingConfig(resource_id)
Bases: DivvyResource.Resources.resource.Resource

ApiAccountingConfig Operations

accounting_config_id

api_accounting_config

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

get_arn()

static get_db_class()

static get_provider_id_field()

static get_resource_type()

get_supported_actions()
Retrieve all the actions which are supported by this resource.

handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None, project_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

Azure Policy

Azure Policy helps businesses enforce and assess standards and compliance at scale.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| policy_id | The provider ID for the Azure policy |
| namespace_id | The provider ID for the Azure policy, including name and version |
| type | The type of resource used by the policy |
| description | A description of the policy |
| display_name | The display name of the policy definition |

Business Intelligence Subscription

Business Intelligence Subscriptions connect and combine cloud data sources into a single data dashboard for easier user management (for example, AWS QuickSight).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the subscription resides |
| name | The account name of the subscription |
| edition | The edition of the subscription |
| authentication_type | The authentication type of the subscription |
| public_sharing | Denotes whether public sharing is enabled on the subscription |
| default_namespace | The default namespace of the subscription |
| notification_email | The email address used for the subscription's notification emails |
| status | Denotes the status of the subscription |
| ip_restrictions | Denotes the IP restrictions enabled for the subscription |
| user_count | The count of users configured within the subscription |
| users | Users associated with the subscription (JSON) |

Cloud Access Point

Cloud Access Point is a feature to simplify managing data access at scale for applications using shared data sets (AWS S3 Access Point).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the Cloud Access Point resides |
| name | The name of the Cloud Access Point |
| origin | The origin of the Cloud Access Point (internet, private) |
| policy | The policy associated with the Cloud Access Point |
| parent_resource | The name of the parent resource of the Cloud Access Point |
| parent_resource_id | The ID of the parent resource of the Cloud Access Point |
| network_resource | The name of the network resource associated with the Cloud Access Point |
| network_resource_id | The network resource ID associated with the Cloud Access Point |
| public | The status of the Cloud Access Point (e.g. public or private) |

Cloud Account

Secure, world-wide storage and retrieval of any amount of data at any time.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| account_id | The provider account identifier associated with the account |
| name | The name of the cloud account |
| joined_timestamp | The time the account was added to InsightCloudSec |
| status | Denotes the status of the account |
| cloud_type_id | The primary cloud provider |

Cloud Advisor Check

A recommendation guide that analyzes your configuration and usage (for example: AWS Trusted Advisor).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| check_id | The provider ID of the cloud advisor check |
| name | The provider name for the check |
| category | The category of the cloud advisor check |
| status | Denotes the status of the cloud advisor check |
| description | The description of the cloud advisor check |
| estimated_monthly_savings | The estimated monthly savings associated with the check |
| resource_count | The count of resources associated with the check |

Cloud Alarm

A cloud provider alarm within an organization service. An example of this would be AWS CloudWatch alarms. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the cloud alarm resides |
| alarm_id | The provider ID for the cloud alarm |
| name | The name of the cloud alarm |
| description | The description of the cloud alarm |
| namespace | The namespace of the cloud alarm |
| metric_name | The name of the metric alarm |
| threshold | The value of the metric relative to a threshold over a number of time periods |
| evaluation_periods | The evaluation period of the event |
| updated_timestamp | The time the alarm was last updated |
| state_value | Denotes the state of the cloud alarm |
| state_reason | Denotes the state status |
| state_reason_data | The reason for the state of the cloud alarm |
| state_updated_timestamp | The time the alarm state was updated |
| period | The length of the time to evaluate the metric or expression |
| statistic | The statistic for the metric associated with the alarm, other than percentile |
| comparison_operator | The comparison to the threshold |
| actions_enabled | Denotes the actions enabled state |

Cloud App

A Cloud App manages application objects (the definition of the application) so that services understand how to issue tokens to the application based on its settings (e.g., Azure App Registration).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| app_id | The ID of the application |
| name | The display name for the app |
| allow_guests | Denotes if guests are allowed |
| allow_passthrough | Denotes if passthrough is allowed |
| homepage | URL of the cloud app homepage, if applicable |
| publisher_domain | Identifies the publisher domain |
| sign_in_audience | Specifies what accounts are supported for the current application |
| device_only_auth | Specifies whether the app can support device_only_auth |
| oauth2_allow_implicit_flow | Specifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is false |
| public_client | Specifies the fallback application type (Azure AD infers the application type from the replyUrlsWithType by default) |
| cert_credentials | Holds references to app-assigned cert credentials, including key_id, end_date, and start_date |
| password_credentials | Holds references to app-assigned password credentials, including key_id, end_date, and start_date |

Cloud Credentials

A set of credentials (or API key) used to access applications or services within your environment.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| credential_id | The ID for the credential |
| name | The name of the key |
| create_time | The time the key was created |
| update_time | The time the key was last updated |
| restrictions | The number of service restrictions for the key |

Cloud Domain Group

A cloud domain group within an organization service. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| group_id | The provider identifier of the group |
| name | The name of the cloud domain group |
| email | The email associated with the domain group |
| create_date | The date the domain group was created |

Cloud Domain User

A cloud provider user that spans an entire domain. Examples of this would be Google Cloud Platform users. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| user_id | The provider ID for the user account |
| user_name | The provider user name for the user account |
| create_date | The time this user was created |
| password_last_used | The last time the user logged in |
| two_factor_enabled | Denotes if two-factor is enabled |
| email | An optional email associated with the account |
| description | An optional description of the account |
| admin | Denotes if this is an admin account |
| disabled | Denotes if this account is in a disabled state |

Cloud Event Bus

This is a serverless event bus that facilitates connecting applications together using data from your own (SaaS or other) applications or services (AWS EventBridge).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the Cloud Event Bus resides |
| event_bus_id | The ID associated with the Cloud Event Bus |
| arn | The ARN associated with the Cloud Event Bus |
| policy | The policy associated with the Cloud Event Bus |
| trusted_accounts | The identifier of the trusted accounts associated with the Cloud Event Bus |
| publicly_accessible | The status of the public accessibility for the Cloud Event Bus |

Cloud Event Rule

A Cloud Event Rule matches incoming Cloud Alarms ("events") and routes them to targets for processing (AWS CloudWatch Rule).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the event rule resides |
| rule_id | The ID for the rule |
| description | A description for the rule |
| arn | The ARN associated with the rule |
| role_arn | The ARN for the role associated with the rule |
| event_pattern | Pattern used to match events that will trigger the rule |
| target_arns | The ARNs associated with the targets for the rule |
| schedule_expression | Expression indicating the schedule at which the rule is evaluated |
| disabled | Indicates whether the rule is disabled |
| invalid_json | Indicates whether the event pattern is invalid JSON |

Cloud Group

A cloud provider group within an organization service. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| group_id | The provider ID for the group |
| name | The name of the group |
| create_date | The day the group was created |
| inline_policies | The number of inline policies |
| arn | The ARN associated with the group |
| path | The path of the resource (optional) |
| policy_count | The number of policies |
| managed_policy_count | The number of managed policies |

Cloud Limit

Describes a cloud provider limit within an organization service.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| limit_id | The provider ID for the limit |
| region_name | The region that the service resides in |
| name | The provider name for the limit |
| limit | The limit value |
| usage | The current usage value |
| status | The status of the limit |

Cloud Log Destination

A physical resource that enables you to subscribe to a stream of log events. An example of a Cloud Log Destination is an AWS CloudWatch Logs Destination.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the resource resides in |
| destination_name | The destination name associated with the cloud log destination |
| target_arn | The target ARN associated with the cloud log destination |
| role_arn | The ARN associated with the role |
| access_policy | The access policy associated with the cloud log destination |
| trusted_accounts | The list of trusted accounts (optional) |
| arn | The ARN associated with the resource |
| creation_time | The time the cloud log destination was created |

Cloud Outpost

Delivers fully managed services on premise for hybrid clouds.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the service resides in |
| outpost_id | The ID associated with the outpost |
| site_id | The site ID associated with the outpost |
| name | The name of the outpost |
| description | The description of the outpost |
| status | The status of the outpost |
| availability_zone | The availability zone associated with the outpost |
| availability_zone_id | The availability zone ID associated with the outpost |
| arn | The ARN associated with the outpost |

Cloud Policy

A policy that will give specific permissions to Cloud Users, Groups, or Roles (AWS IAM).

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| policy_id | The ID of the service policy |
| policy_name | The name of the service policy |
| attachment_count | The number of resources this policy is attached to |
| create_date | The date the policy was created |
| update_date | The date the policy was last updated |
| description | The description of the policy |
| disabled | Denotes if you've disabled the policy |
| arn | The ARN associated with the policy |
| attachable | Denotes whether the policy can be attached to a resource |

Cloud Region

Service Regions consist of low-latency linked Availability Zones, which consist of multiple, linked data centers. For example, AWS's us-east-1 Service Region consists of (at the moment) Availability Zones us-east-1a through us-east-1e, and each Availability Zone consists of 1 to 6 data centers, each of which typically houses several thousand servers. This class inherits from Resource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the region |
| region_state | The state of the region ('ACTIVE', 'DISABLED', 'DELETED') |
| harvest_rate_multiplier | The rate at which the harvest rate multiplies |

Cloud Resource Group

Used for related resources (e.g., Azure Resource Group).

| Attribute | Description |
| --- | --- |
| resource_group_id | The ID of the resource group |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_id | The organization ID associated with the resource group |
| owner_id | The owner ID associated with the resource group |
| name | The name of the resource group |
| description | The description of the resource group |
| date_created | The date the resource group was created |
| category | The category of the resource group |
| resource_counts | Resource counts associated with the resource group (e.g. total, by_type, by_region, etc.) |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the service resides in |

Cloud Role

A cloud provider role within an organization service. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| role_id | The provider ID for the role |
| name | The provider name of the role |
| description | An optional description for the role |
| role_type | The type of the role |
| max_duration | The max session duration for the role |
| create_date | The date the role was created |
| assume_role_policy | Denotes the status of the assume role policy |
| trusted_accounts | The list of trusted accounts (optional) |
| inline_policies | Number of inline policies |
| boundary_namespace_id | The provider identifier of the permission boundary |
| role_arn | The ARN associated with the role |
| path | The path of the resource (optional) |
| policy_count | The number of policies attached to the role |
| managed_policy_count | The number of managed policies |
| last_used_date | The date the role was last used |
| instance_profile_ids | The provider identifier of the instance profile |

Cloud Service Cost

Describes monthly service costs within an organization service.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| cost_id | Provider ID of the service cost |
| account_id | The primary account identifier |
| line_item | The name of the charge |
| current_month_spend | The current spend for this month |
| projected_month_spend | The projected spend for this month |
| previous_month_spend | The total spend for the previous month |
| total_spend | The total amount spent |
| months_tracked | The number of months the resource was tracked |

Cloud User

A cloud provider user within an organization service. Examples of this would be administrators and basic users. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| user_id | The ID of the user's account |
| user_name | The name of the user's account |
| create_date | The date the user account was created |
| password_last_used | The last time the user logged in |
| two_factor_enabled | Checks if multi-factor authentication (MFA) is enabled |
| login_profile | Denotes whether or not the account has a login profile |
| email | The root account user's email |
| description | An optional description of the account |
| admin | Checks to see if the account has admin capability |
| disabled | Denotes if you've disabled the user |
| inline_policies | The list of policies that are attached to an IAM identity |
| boundary_namespace_id | The provider identifier of the permission boundary |
| active_api_keys | The number of active API credentials for this user |
| inactive_api_keys | The number of inactive API credentials for this user |
| guest | The guest status of the account |
| arn | The ARN associated with this user |
| path | The path of the resource (optional) |
| policy_count | The number of policies |
| managed_policy_count | The number of provider managed policies |
| last_activity | Date and time of the user's last activity |
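The API Access Key and Cloud User attributes documented above are enough to drive the identity hygiene checks most teams run first: active keys past their rotation window or never used, keys with no expiration, console users and admins without MFA, admins holding live API keys, and dormant console users. The Python below is an added example (not InsightCloudSec code or API) over constructed records that use those attribute names; the thresholds, the fixed clock and the finding codes are assumptions.

```python
"""Identity hygiene findings over InsightCloudSec-style resource records.

Added example, not InsightCloudSec's own code or API. The records below are
constructed; their keys mirror the API Access Key and Cloud User attribute
names documented on this page. Thresholds and finding codes are assumptions.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation window for active API access keys
MAX_IDLE_DAYS = 45      # assumed idle window for key use and console logins
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def _ts(value):
    """ISO-8601 string -> aware UTC datetime; None (e.g. a never-used key) stays None."""
    return None if value is None else datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def check_access_key(key, now=NOW):
    """Finding codes for one API Access Key record.

    Inactive keys are skipped: they cannot be used, so the exposure is in the active ones.
    """
    findings = []
    if key["status"] != "active":
        return findings
    if now - _ts(key["create_date"]) > timedelta(days=MAX_KEY_AGE_DAYS):
        findings.append("KEY_OLDER_THAN_ROTATION_WINDOW")
    last_used = _ts(key["last_used_date"])
    if last_used is None:
        # A missing last_used_date only means "never used" when the provider reported usage data.
        if key["key_usage_obtained"]:
            findings.append("KEY_NEVER_USED")
    elif now - last_used > timedelta(days=MAX_IDLE_DAYS):
        findings.append("KEY_IDLE")
    expires = _ts(key["expiration_date"])
    if expires is None:
        findings.append("KEY_NO_EXPIRATION")
    elif expires < now:
        findings.append("KEY_EXPIRED_BUT_ACTIVE")
    return findings


def check_user(user, now=NOW):
    """Finding codes for one Cloud User record. Disabled users are skipped."""
    findings = []
    if user["disabled"]:
        return findings
    if user["login_profile"] and not user["two_factor_enabled"]:
        findings.append("CONSOLE_USER_WITHOUT_MFA")
    if user["admin"] and not user["two_factor_enabled"]:
        findings.append("ADMIN_WITHOUT_MFA")
    if user["admin"] and user["active_api_keys"] > 0:
        findings.append("ADMIN_WITH_ACTIVE_API_KEYS")
    last_login = _ts(user["password_last_used"])
    if user["login_profile"] and (last_login is None or now - last_login > timedelta(days=MAX_IDLE_DAYS)):
        findings.append("DORMANT_CONSOLE_USER")
    return findings


def audit(users, keys, now=NOW):
    """Map resource_id -> findings for every user and key that has at least one finding."""
    report = {}
    for user in users:
        found = check_user(user, now)
        if found:
            report[user["resource_id"]] = found
    for key in keys:
        found = check_access_key(key, now)
        if found:
            report[key["resource_id"]] = found
    return report


# Constructed sample records (not real data); only the attributes the checks read are included.
USERS = [
    {"resource_id": "user-1", "user_name": "ops-admin", "admin": True, "two_factor_enabled": False,
     "login_profile": True, "password_last_used": "2024-05-31T09:00:00", "active_api_keys": 1, "disabled": False},
    {"resource_id": "user-2", "user_name": "ci-deployer", "admin": False, "two_factor_enabled": True,
     "login_profile": False, "password_last_used": None, "active_api_keys": 2, "disabled": False},
    {"resource_id": "user-3", "user_name": "former-contractor", "admin": False, "two_factor_enabled": True,
     "login_profile": True, "password_last_used": "2023-11-01T08:00:00", "active_api_keys": 0, "disabled": False},
    {"resource_id": "user-4", "user_name": "offboarded", "admin": True, "two_factor_enabled": False,
     "login_profile": True, "password_last_used": None, "active_api_keys": 0, "disabled": True},
]
KEYS = [
    {"resource_id": "key-1", "user_resource_id": "user-1", "status": "active", "create_date": "2024-01-10T00:00:00",
     "last_used_date": "2024-05-30T00:00:00", "expiration_date": None, "key_usage_obtained": True},
    {"resource_id": "key-2", "user_resource_id": "user-2", "status": "active", "create_date": "2024-05-01T00:00:00",
     "last_used_date": None, "expiration_date": "2024-08-01T00:00:00", "key_usage_obtained": True},
    {"resource_id": "key-3", "user_resource_id": "user-2", "status": "inactive", "create_date": "2023-01-01T00:00:00",
     "last_used_date": None, "expiration_date": None, "key_usage_obtained": True},
]

if __name__ == "__main__":
    for resource_id, found in sorted(audit(USERS, KEYS).items()):
        print(resource_id, ", ".join(found))
```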

Code Repository

A secure, managed source code service that hosts private Git repositories.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the code repository resides |
| arn | The ARN associated with the code repository |
| name | The name of the code repository |
| repo_id | The unique ID for the code repository |
| repo_description | A description for the code repository |
| creation_date | The date the code repository was created |
| modified_date | The date the code repository was last modified |
| clone_url_http | The repository clone URL via HTTP |
| clone_url_ssh | The repository clone URL via SSH |
| branch_count | The number of branches in the repository |

Configs

Config provides details about the resources in your account, including information on configuration, relationships between resources, and how both configuration and relationships change over time.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region where the resource resides |
| region_resource_id | The resource identifier associated with the region |
| delivery_channel_created | Denotes if a delivery channel has been created for the Config |
| configuration_recorder_created | Denotes if a configuration recorder has been created for the Config |
| auditing_has_begun | Denotes if auditing has begun for the Config |
| auditing_is_enabled | Denotes if auditing is enabled for the Config |
| policy | The policy associated with the Config |
| channels | A list of delivery channels for the Config |
| cross_account | Denotes if the Config is cross account |
| unknown_account | Denotes if the Config is an unknown account |
| all_resources | Denotes if the Config is tracking all resources (regionally) |
| global_resource_types | Denotes if the Config is tracking global resource types |

Diagnostic Settings

Configuration profile that enables sending platform metrics and logs to various destinations. An example of this type of resource is Azure Diagnostic Settings.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| setting_id | The ID for the diagnostic settings instance |
| name | The name for the diagnostic settings instance |
| target_resource_id | The resource ID for the target of the diagnostic settings |
| target_resource_name | The name for the target of the diagnostic settings |
| storage_account_resource_id | The resource ID for the storage account to which logs will be sent |
| storage_account_name | The name for the storage account to which logs will be sent |
| workspace_resource_id | The resource ID of the Log Analytics workspace to which logs will be sent |
| workspace_name | The name of the Log Analytics workspace to which logs will be sent |
| logs | Object containing various log settings |
| enabled_log_types | Number of log types enabled |
| disabled_log_types | Number of log types disabled |
| metrics | Object containing various metric settings |
| enabled_metrics | Number of metrics enabled |
| disabled_metrics | Number of metrics disabled |

Directory Service

Managed domain services (for example: AWS A) that allow you to manage Users, Computers, and Groups.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the instance resides |
| namespace_id | The service namespace |
| name | The name of the directory service |
| short_name | The short name of the service |
| access_url | The URL to access the service |
| description | The description of the service |
| create_time | The time the service was created |
| sso_enabled | Denotes if you've enabled SSO |
| share_method | The method used when sharing a directory |

DNS Domain

A service such as AWS Route 53 or GCP Cloud Domain that routes end users to Internet applications by translating names such as website URLs into numeric IP addresses.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region in which the instance resides |
| name | The name of the domain |
| admin_contact_email | The contact email of the administrator |
| abuse_contact_email | The contact email for abuse reports |
| auto_renew | The auto renew status of the service |
| transfer_lock | The lock/unlock status of the transfer lock |
| creation_timestamp | The time the service was created |
| expiration_date | The date the service expires |
| last_changed_date | The last updated date of the domain as found in the response to a WHOIS query. The date and time are in Coordinated Universal Time (UTC) |
| extra_parameters | The additional parameters for that specific domain (JSON) |
| dnssec_enabled | Indicates whether a domain has DNSSEC enabled |
| registrant_privacy_protection | Indicates whether the registrant information available for querying in the WHOIS database is restricted |

Encryption Key

Service Encryption Keys are used within organization services. They encrypt data stored within file systems (e.g., Volumes and Shared File Systems), object-level storage (e.g., Storage Containers), backups (e.g., Snapshots), and other services (e.g., API Accounting Config). This class inherits from Resource and has direct access to the resource's database object.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
region_name	The region in which the instance resides
key_id	The provider identifier of the encryption key
name	The name of the encryption key
arn	The ARN associated with the encryption key
description	The description of the encryption key
organization_service_id	The ID of the parent organization service (cloud)
state	The enabled/disabled state of the encryption key
create_date	The date the encryption key was created
scheduled_deletion_date	The date the key is scheduled to be deleted
key_rotation	The status of the key rotation
enabled	Denotes if you've enabled the encryption key
resource_count	The list of resources using the encryption key
policy	The policies in use by the encryption key
trusted_accounts	The list of trusted accounts using the encryption key
customer_managed	Denotes if the key is managed by the customer
parent_resource_id	The parent resource identifier that takes the form of a prefix followed by numbers and letters
rotation_period	The rotation period of the key, in days
activation_date	The date the encryption key was activated
modified_date	The date the encryption key was modified
origin	The origin of the key (customer managed vs. provider managed)
alias_arns	List of alias ARNs associated with the encryption key
key_spec	The specification for the encryption key, e.g., asymmetric or symmetric
multi_region	Denotes if the encryption key is multi-region
multi_region_key_type	The type of multi-region encryption key
public	Denotes if the encryption key is public

Encryption Key Vault

A tool for securely storing and accessing secrets such as API keys, passwords, or certificates. For example, Azure Key Vault.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the encryption key vault resides
create_time	The time the encryption key vault was created
name	The name of the encryption key vault
vault_type	The type of the encryption key vault
key_count	The number of encryption keys in the vault used to encrypt your data
key_harvest_impaired	Denotes if the key harvester is in an impaired state
secret_count	The number of secrets within the encryption key vault
certificate_count	The number of certificates within the encryption key vault
certificate_harvest_impaired	Denotes if the certificate harvester is in an impaired state
secret_harvest_impaired	Denotes if the secret harvester is in an impaired state
modified_time	The time the encryption key vault was last modified
access_policy	The access policy associated with the encryption key vault
purge_protection_enabled	Denotes if you've enabled purge protection
soft_delete_enabled	Denotes if you've enabled soft delete

Federated Group

Azure Groups that have federated access to AWS SSO via Azure AD. See Resources for details.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
group_id	The provider ID for the group
organization_service_id	The ID of the parent organization service (cloud)
common_name	The common name for the group
account_name	The display name for the group
distinguished_name	The distinguished name for the group
managed_by	The manager of the group
manual_retrieval	Indicates if manual retrieval is enabled
service	The federated service destination of the group

Federated User

Azure Users that have federated access to AWS SSO via Azure AD. See Resources for details.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
user_id	The provider ID for the user
organization_service_id	The ID of the parent organization service (cloud)
common_name	The common name for the user
display_name	The display name for the user
distinguished_name	The distinguished name for the user
mail	The email address for the user account
employee_type	The employee type for the user
managed_by	The manager of the user
lower_display_name	The display name for the user in lowercase letters
manual_retrieval	Indicates if manual retrieval is enabled
service	The federated service destination for the user

Identity Provider

Creates, maintains, and manages identity information, providing authentication (SAML, AD).

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
provider_id	The provider-given ID of the identity provider
arn	The ARN of the identity provider
create_date	The time the identity provider was created
expiration_date	The time the identity provider expires
configuration	The configuration of the identity provider

Log Analytics Workspace

A container used for storing and analyzing log data and configuration (Azure Log Analytics Workspace).

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
workspace_id	The ID of the workspace
name	The name of the workspace
region_name	The name of the region in which the workspace is located
state	The current provisioning state of the workspace
sku	The pricing SKU for the workspace
namespace_id	The namespace ID for the workspace

Log Group

Log groups define groups of log streams that share the same retention, monitoring, and access control settings.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the log group resides
group_id	The provider identifier of the log group
name	The name of the log group
namespace_id	The log group namespace
creation_time	The time this log group was created
retention_policy	The retention policy in days for the logs
stored_bytes	The size in GB of the logs
key_resource_id	The resource ID of the key that encrypts the logs
parent_resource_id	The resource ID of the parent that created the log group
properties	The properties associated with the log group
data_protection_status	The current data protection status for the log group

Lookout Project

Lookout Projects comprise three facets: Metrics, Equipment, and Vision. Lookout Metrics finds root causes for anomalies in data. Lookout Equipment monitors physical equipment for abnormal behavior and potential failures. Lookout Vision finds visual defects in industrial products, like missing components, physical damage, irregularities, and defects (e.g., Amazon Lookout).

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the lookout project resides
name	The name of the lookout project
project_type	The type of the lookout project
status	The status of the lookout project
created	The timestamp for when the lookout project was created
key_resource_id	The resource ID of the key that encrypts the project
arn	The ARN associated with the lookout project

Recommendation

Recommendations are machine-generated product and resource usage optimizations. Examples include GCP Project Recommendations.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
recommendation_id	The provider ID for the recommendation
description	A description of the recommendation
subtype	The recommender subtype for the recommendation
category	The category for the recommendation
state	The state of the recommendation
priority	The priority of the recommendation
last_refresh_time	The last refresh time for the recommendation

Recommendation Finding

Findings are important patterns and details about your resource usage. Examples include GCP Project Insights.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
recommendation_finding_id	The provider ID for the finding
description	A description of the finding
subtype	The recommender subtype of the recommendation finding
category	The category for the finding
state	The state of the finding
severity	The severity of the finding
last_refresh_time	The last refresh time for the finding

Secret

Secrets are strings of cryptographically strong random numbers and letters suitable for managing data such as passwords, account authentication, security tokens, and related secrets.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the secret resides
name	The name of the secret
description	The description of the secret
key_resource_id	The provider identifier of the key that encrypts the secret
arn	The ARN associated with the secret
rotation_days	The rotation interval for the secret, in days
rotation_enabled	Denotes the enabled status of secret rotation
rotation_lambda_arn	The Lambda ARN used for secret rotation
last_accessed_date	The date the secret was last accessed
last_changed_date	The last date and time the secret was modified in any way
deleted_date	Present if the secret is scheduled for deletion
policy	The policy associated with the secret
public	Denotes if the secret is exposed to the public
trusted_accounts	The trusted accounts that can access the secret
parent_resource_id	The resource identifier of the parent service encryption key vault
create_date	The date the secret was created
expiration_date	The date the secret is scheduled to expire
activation_date	The date the secret is scheduled for activation
content_type	The content type of the secret
enabled	Denotes whether or not the secret is enabled
customer_managed	Denotes whether or not the secret is managed by the customer
namespace	The unique composite ID of the provider ID for the secret
annotations	Additional information or tags for the secret

Security Posture

Security Posture assists in assessing and strengthening your security across multi-cloud and hybrid environments.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
posture_id	The unique ID for the policy
name	The provider name for the check
namespace_id	The unique composite ID of the provider ID for the resource
category	The check category
severity	The check severity
description	A description of the check
resource_count	The count of resources associated with the check

Service Control Policy

Control policies that ensure accounts stay within your organization's access control guidelines.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
name	The name of the resource
policy_id	The provider ID for the policy
arn	The ARN associated with the service control policy
description	The description of the service control policy
service_managed	Denotes whether or not the policy is service managed
content	The policy content
targets	The targets to which the service control policy is attached

Service Detector

A detector is a property of a threat detection service. For example, a detector is required for Amazon GuardDuty to become operational.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which this resource resides
detector_id	The ID of the service detector
role_resource_id	The resource ID of the role associated with the detector
status	The status of the detector
create_date	The date the detector was created
master_account_id	The ID of the master account associated with the detector
members	The members of the service detector

SSH Key Pair

SSH key pairs are the public and private keys associated with a cloud provider within an organization service. This class inherits from TopLevelResource and has direct access to the resource’s database object.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which this SSH key pair resides
keypair_id	The ID of the key pair
fingerprint	The fingerprint of this key pair
name	The name of this SSH key pair

class DivvyResource.Resources.sshkeypair.SshKeyPair(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource

SSH Key Pair Operations

delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.

static get_db_class()

get_fingerprint()
Retrieve the fingerprint of the SSH Keypair.

static get_provider_id_field()

static get_resource_type()

get_supported_actions()

handle_resource_created(user_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).

handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).

handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.

key_name

key_pair

top_level_resource = True

SSL Certificate

A certificate bound to a load balancer to facilitate secure client/server communication.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the certificate resides
certificate_id	The provider ID for the certificate
name	The name of the certificate
domain_name	The domain that the certificate is associated with
path	The path of the SSL certificate
arn	The ARN associated with the certificate
upload_date	The time this certificate was uploaded
expiration_date	The time this certificate expires
cert_type	The type of certificate
parent_resource_id	The resource ID of the parent service encryption key vault
thumbprint	The thumbprint of the certificate
activation_date	The date of the scheduled activation of the certificate
modified_date	The last modified date of the certificate
enabled	Denotes whether or not the certificate is enabled
issuer	The issuer of the certificate
key_algorithm	The key algorithm of the certificate
signature_algorithm	The signature algorithm of the certificate
type	The type of certificate
used_by	The resources the certificate is used by
issued_at	The time the certificate was issued
key_usages	The key usages of the certificate
renewal_status	The renewal status of the certificate
renewal_status_reason	The reason for the renewal status of the certificate
validation_emails	The email addresses used to validate the certificate
validation_method	The validation method of the certificate
validation_status	The validation status of the certificate
validation_record	The validation DNS record of the certificate
validation_record_type	The validation record type
status	The status of the certificate
serial	The serial number of the certificate
renewal_eligibility	Denotes whether the certificate is eligible for renewal

SSL Certificate Authority

SSL Certificate Authorities issue digital certificates to help identify websites, people, and devices.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The name of the region in which the certificate authority resides
authority_id	The provider ID for the certificate authority
name	The common name set on the certificate authority
arn	The ARN associated with the certificate authority
type	The type of certificate authority
serial	The serial number of the certificate authority
state	The status of the certificate authority
certificate_authority_configuration	The configuration of the certificate authority
revocation_configuration	The revocation configuration of the certificate authority
trusted_accounts	The list of trusted accounts in the resource policy attached to the certificate authority
policy	The policy associated with the certificate authority
usage_mode	The usage mode for the certificate authority
key_storage_security_standard	The security standard of the key associated with the certificate authority
created_at	The time the certificate authority was created
last_state_change_at	The time of the last state change on the certificate authority
not_before	The time the certificate authority is valid from
not_after	The time the certificate authority is not valid after

Sink

A sink controls how logs are routed throughout your environment.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The name of the region in which the sink resides
name	The name of the sink
destination	The sink's destination
policy	The policy associated with the sink
trusted_accounts	The list of accounts that can interact with the sink
filter_config	The filter configuration for the sink (if any)
writer_identity	The identity under which exported log entries are written to the sink's destination
create_time	The timestamp for when the sink was created
update_time	The timestamp for when the sink was last updated

Threat Findings

A threat detection service that constantly monitors the activity in your cloud network for anomalous behavior that could indicate cyber attacks or other unauthorized use. Examples of this service include AWS GuardDuty and Microsoft Defender for Cloud.

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the threat is occurring
threat_finding_id	The ID of the threat finding
name	The name of the threat finding
count	The number of impacted resources
severity	The severity level of the finding
last_seen	The time the threat was last seen
description	A description of the threat finding
direct_link	A link to more information about the threat finding
finding_source	The source of the threat finding

User Pool

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).

Attribute	Description
resource_id	The primary resource identifier that takes the form of a prefix followed by numbers and letters
organization_service_id	The ID of the parent organization service (cloud)
region_name	The region in which the user pool resides
pool_id	The provider ID for the user pool
name	The name given to the user pool
status	Denotes whether the user pool is enabled or disabled
auto_verify_attributes	The auto-verification attributes for this pool. Can be set to email, phone number, either, or both
username_attributes	Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up
alias_attributes	Specifies the attributes that are aliased in a user pool
password_policy	JSON describing the password policy of the user pool
create_date	The creation date of the user pool
mfa_configuration	Denotes whether multifactor authentication is on, off, or optional
estimated_number_of_users	The estimated number of users in the user pool
domain	Holds the domain prefix if the user pool has a domain associated with it
custom_domain	A custom domain name that you provide to Amazon Cognito. This parameter applies only if you use a custom domain to host the sign-up and sign-in pages for your application
advanced_security	Denotes whether advanced security settings are enforced, off, or in audit mode
arn	The ARN associated with the user pool
identity_providers	JSON describing the identity provider attributes