Sections in this category

2021.73 Release

  • Updated


New Features and Improvements

  • Performance improvement: Mapped relationship operations are processed separately from other operations

  • AWS Resource Policy Net Permissions Analysis: this determines the effectiveness of your resource policy permissions in AWS by analyzing if the permissions are negated by deny statements and if the deny statements contain any exceptions (e.g. NotResource, StringNotEquals) throughout the configuration. Since AWS access policies can be long and complex, automating this saves time for the user and ensures there isn’t manual error in understanding if their controls are effective or have been overridden.

    See more details below in the Integrations > AWS section.

    Example query:

  /* identify allow statements that have been negated by a deny */
  find aws_vpc_endpoint
  that allows *
  where allows.effective = false
  return TREE
  • A lot more additional Azure and GCP support added. See below.



  • Fix mapped relationship for aws_route53_record CONNECTS aws_elb|aws_nlb|aws_alb that had a record dns name prepended with dualstack

  • Fix relationship from ACL to Cloudfront Distributions and Load Balancers.

  • Fix relationship from Cloudfront Distribution to Load Balancers

  • Added support for ingesting the following new resources:

    Service Resource / Entity
    ELB Listener aws_lb_listener
    ELB Listener Rule aws_lb_listener_rule

  • Added support for ingesting the following new relationships:

    Source _class Target
    aws_ecr_repository ALLOWS principal
    aws_ecr_repository DENIES principal
    aws_elb CONNECTS aws_lb_listener
    aws_lb CONNECTS aws_lb_listener
    aws_nlb CONNECTS aws_lb_listener
    aws_alb CONNECTS aws_lb_listener
    aws_lb_listener HAS aws_lb_listener_rule
    aws_shield_protection_group PROTECTS resource
    aws_shield_protection PROTECTS resource

  • (BETA) Analyze Allow and Deny statements on resource policy permissions to derive the net effectiveness on the Allow permissions. This results in the following flags to be set on the permission relationships:

    • effective: true if the permission is fully or partially effective (that is, not fully negated by a Deny statement)

    • partial: true if the permission is partially negated by a Deny statement (this is undefined when the permission is fully effective)

    • negatedActions: if partial is true, this property contains a stringified array of actions that are negated by Deny statements

  • (BETA) Parse NotResource property and StringNotEquals [aws:ResourceAccount or aws:SourceAccount] values from Deny statements, and create Allow permission relationships if covered by an Allow statement.

  • Update ARN regular expressions to include aws-cn and aws-us-gov partitions


  • Added support for ingesting the following new resources:

    Service Resource / Entity
    Gallery Image Version azure_shared_image_version

  • Added support for ingesting the following new relationships:

    Source _class Target
    azure_shared_image HAS azure_shared_image_version
    azure_vm USES azure_shared_image_version
    azure_vm GENERATED azure_shared_image_version
    azure_keyvault_service ALLOWS ANY_PRINCIPAL

  • New properties added to resources:

    Entity Properties
    azure_policy_definition Automatically convert metadata to J1 tags
    azure_policy_definition accountEnabled
    azure_role_assignment actions, dataActions, notActions, notDataActions
    azure_shared_image_version publishedDate, createdOn

  • Fixed a bug where the compute galleries execution handler was not invoked, and instead the VM images execution handler was invoked twice. This caused DuplicateKeyErrors in either the compute galleries step or the VM images step.

  • Changed the type azure_shared_image to azure_shared_image_definition, because shared images have both a definition, representing top-level metadata, and a number of versions, representing discrete images.

  • Changed the _class of azure_gallery from DataStore to Repository.

Google Cloud

  • Added support for ingesting the following new resources:

    Service Resource / Entity
    IAM Binding google_iam_binding
    Google Cloud google_cloud_organization
    BigQuery google_bigquery_model
    Cloud Resource Manager google_cloud_folder
    Access Context Manager google_access_context_manager_access_policy
    Access Context Manager google_access_context_manager_access_level
    Access Context Manager google_access_context_manager_service_perimeter
    Access Context Manager google_access_context_manager_service_perimeter_egress_policy
    Access Context Manager google_access_context_manager_service_perimeter_ingress_policy
    Access Context Manager google_access_context_manager_service_perimeter_api_operation
    Access Context Manager google_access_context_manager_service_perimeter_method_selector

  • Added support for ingesting the following new relationships:

    Source _class Target
    google_bigquery_dataset HAS google_bigquery_model
    google_cloud_organization HAS google_cloud_folder
    google_cloud_folder HAS google_cloud_folder
    google_cloud_organization HAS google_cloud_project
    google_cloud_folder HAS google_cloud_project
    google_access_context_manager_access_policy HAS google_access_context_manager_access_level
    google_access_context_manager_access_policy HAS google_access_context_manager_service_perimeter
    google_access_context_manager_service_perimeter HAS google_access_context_manager_service_perimeter_egress_policy
    google_access_context_manager_service_perimeter HAS google_access_context_manager_service_perimeter_ingress_policy
    google_access_context_manager_service_perimeter_egress_policy HAS google_access_context_manager_service_perimeter_api_operation
    google_access_context_manager_service_perimeter_ingress_policy HAS google_access_context_manager_service_perimeter_api_operation
    google_access_context_manager_service_perimeter_api_operation HAS google_access_context_manager_service_perimeter_method_selector
    google_access_context_manager_service_perimeter PROTECTS google_cloud_project
    google_access_context_manager_service_perimeter PROTECTS google_cloud_api_service

  • New properties added to resources:

    Entity Properties
    google_cloud_project id, projectId, webLink
    google_api_gateway_api function
    google_app_engine_version function
    google_cloud_run_service function
    google_compute_health_check function
    google_compute_backend_service function
    google_privateca_certificate_authority function
    google_pubsub_subscription function
    google_cloud_api_service function

  • #208 - Fixed incorrect projectId property being applied to entities when projectId is supplied in integration config

  • #239 - google_iam_role should assign the actual target project projectId instead of the org project

  • #237 - Prevent duplicate google_iam_binding _key values

Bug Fixes

  • Fixed bug in mapper that caused some network security group rules in Azure to not be ingested

Was this article helpful?

0 out of 0 found this helpful