AWS: Node & Edge Schema
The AWS connection collects IAM and cloud infrastructure data from individual AWS accounts and from entire AWS Organizations, transforming them into a graph structure of nodes and relationships for analysis.
Node Types
| Node Type | Description |
|---|---|
| AWSIAMUser | Represents an IAM user |
| AWSIAMRole | Represents an IAM role |
| AWSPolicy | IAM policy document attached to identities |
| AWSAccount | The root account entity |
| AWSGroup | Represents IAM groups |
| AWSService | Logical representation of AWS services (e.g., EC2, Lambda) |
| Resource | Abstract node for services or infrastructure |
AWS Organization
If you connected your entire AWS Organization, you will have some additional nodes:
| Node Type | Description |
|---|---|
| AWSOrganizationRoot | The top-level root node of the AWS Organization |
| AWSAccount | An individual AWS account (either management or member) |
Edge Relationships
These describe how entities relate or are allowed to interact.
| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| CAN_ASSUME | AWSIAMUser or AWSIAMRole | AWSIAMRole | Indicates ability to assume a role |
| CAN_BE_ASSUMED_BY | AWSIAMRole | AWSIAMUser or AWSIAMRole | Reverse of CAN_ASSUME |
| HAS_PERMISSION | AWSIAMUser, AWSIAMRole, or AWSGroup | AWSPolicy | Shows which identities have a policy |
| IS_MEMBER_OF | AWSIAMUser | AWSGroup | Indicates that a user belongs to a group |
| HAS_MEMBER | AWSGroup | AWSIAMUser | Inverse of IS_MEMBER_OF |
| CAN_ACCESS | AWSIAMUser or AWSIAMRole | Resource | Represents access allowed to a resource or service |
AWS Organization
| Edge Type | From Node | To Node | Description |
|---|---|---|---|
| IS_MEMBER_OF | AWSAccount | AWSOrganizationRoot | Indicates that an account belongs to the organization root |
| HAS_MEMBER | AWSOrganizationRoot | AWSAccount | Inverse of IS_MEMBER_OF |
| IS_MEMBER_OF | AWSAccount | AWSAccount (OU/parent) | An account is nested under another OU or account |
These relationships capture both flat membership under the root and nested relationships via parent/child links within the AWS Organization hierarchy.
Examples
Example graph relationships constructed by the AWS Account adapter:
(AWSIAMUser)-[:IS_MEMBER_OF]->(AWSGroup)
(AWSIAMUser)-[:HAS_PERMISSION]->(AWSPolicy)
(AWSIAMRole)-[:CAN_ASSUME]->(AWSIAMRole)
(AWSIAMRole)-[:CAN_ACCESS]->(Resource)
AWS Organization
(AWSAccount)-[:IS_MEMBER_OF]->(AWSOrganizationRoot)
(AWSOrganizationRoot)-[:HAS_MEMBER]->(AWSAccount)
(AWSAccount)-[:IS_MEMBER_OF]->(AWSAccount) // Nested under parent org/account
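The edge tables above double as a validation rule set and as the traversal rules for a reachability query. The following is an added example (not part of this documentation or the adapter's own code) that transcribes the node/edge schema into Python, checks a constructed graph against it, and walks IS_MEMBER_OF, CAN_ASSUME and CAN_ACCESS edges to answer the defender's question "which principals can ultimately reach this Resource?". All node identifiers, the sample graph and the helper names are constructed for illustration; the schema itself comes from the tables on this page.

```python
from collections import deque

# Allowed endpoint labels per edge type, transcribed from the schema tables on this page.
# Each entry is a list of (from_labels, to_labels) pairs.
EDGE_SCHEMA = {
    "CAN_ASSUME": [({"AWSIAMUser", "AWSIAMRole"}, {"AWSIAMRole"})],
    "CAN_BE_ASSUMED_BY": [({"AWSIAMRole"}, {"AWSIAMUser", "AWSIAMRole"})],
    "HAS_PERMISSION": [({"AWSIAMUser", "AWSIAMRole", "AWSGroup"}, {"AWSPolicy"})],
    "IS_MEMBER_OF": [({"AWSIAMUser"}, {"AWSGroup"}),
                     ({"AWSAccount"}, {"AWSOrganizationRoot", "AWSAccount"})],
    "HAS_MEMBER": [({"AWSGroup"}, {"AWSIAMUser"}),
                   ({"AWSOrganizationRoot"}, {"AWSAccount"})],
    "CAN_ACCESS": [({"AWSIAMUser", "AWSIAMRole"}, {"Resource"})],
}

# Edge types that extend what a principal can reach (membership, role assumption, access).
TRAVERSABLE = ("IS_MEMBER_OF", "CAN_ASSUME", "CAN_ACCESS")


def validate_edges(nodes, edges):
    """Return a list of problems for edges whose endpoints violate the schema tables."""
    problems = []
    for src, edge_type, dst in edges:
        if src not in nodes or dst not in nodes:
            problems.append(f"{src}-[:{edge_type}]->{dst}: unknown node")
            continue
        rules = EDGE_SCHEMA.get(edge_type)
        if rules is None:
            problems.append(f"{src}-[:{edge_type}]->{dst}: unknown edge type")
            continue
        if not any(nodes[src] in f and nodes[dst] in t for f, t in rules):
            problems.append(
                f"{src}-[:{edge_type}]->{dst}: {nodes[src]} -> {nodes[dst]} not allowed")
    return problems


def reachable_resources(nodes, edges, start):
    """Breadth-first search from a principal along TRAVERSABLE edges.

    Returns {resource_id: path}, where path is the list of (src, edge, dst) triples walked.
    """
    adjacency = {}
    for src, edge_type, dst in edges:
        if edge_type in TRAVERSABLE:
            adjacency.setdefault(src, []).append((edge_type, dst))
    found = {}
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for edge_type, nxt in adjacency.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [(node, edge_type, nxt)]
            if nodes[nxt] == "Resource":
                found[nxt] = new_path  # Resource nodes are terminal targets
            else:
                queue.append((nxt, new_path))
    return found


def principals_with_access(nodes, edges, resource):
    """Every AWSIAMUser or AWSIAMRole from which `resource` is reachable."""
    return sorted(
        p for p, label in nodes.items()
        if label in ("AWSIAMUser", "AWSIAMRole")
        and resource in reachable_resources(nodes, edges, p)
    )


# Constructed sample graph (hypothetical identifiers, not real account data).
SAMPLE_NODES = {
    "user:alice": "AWSIAMUser",
    "user:bob": "AWSIAMUser",
    "group:Developers": "AWSGroup",
    "policy:DevPolicy": "AWSPolicy",
    "role:DeployRole": "AWSIAMRole",
    "role:AdminRole": "AWSIAMRole",
    "s3:prod-bucket": "Resource",
    "s3:dev-bucket": "Resource",
}
SAMPLE_EDGES = [
    ("user:alice", "IS_MEMBER_OF", "group:Developers"),
    ("group:Developers", "HAS_PERMISSION", "policy:DevPolicy"),
    ("user:alice", "CAN_ASSUME", "role:DeployRole"),
    ("role:DeployRole", "CAN_BE_ASSUMED_BY", "user:alice"),
    ("role:DeployRole", "CAN_ASSUME", "role:AdminRole"),
    ("role:AdminRole", "CAN_ACCESS", "s3:prod-bucket"),
    ("user:bob", "CAN_ACCESS", "s3:dev-bucket"),
]

if __name__ == "__main__":
    print("schema problems:", validate_edges(SAMPLE_NODES, SAMPLE_EDGES))
    for res, path in reachable_resources(SAMPLE_NODES, SAMPLE_EDGES, "user:alice").items():
        print(res, "via", " -> ".join(f"[{e}] {d}" for _, e, d in path))
    print("can reach prod-bucket:",
          principals_with_access(SAMPLE_NODES, SAMPLE_EDGES, "s3:prod-bucket"))
```

In the sample graph alice reaches s3:prod-bucket only through a two-hop role chain (DeployRole, then AdminRole), which is exactly the kind of indirect path a per-policy review misses and a graph query surfaces; HAS_PERMISSION is deliberately left out of TRAVERSABLE because a policy node documents what an identity holds rather than a hop to another principal.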
Notes
- Policies may be shared across users, roles, and groups, and are modeled as separate nodes for visibility.
- Resource nodes generalize access targets such as S3 buckets, Lambda functions, or EC2 instances.