AWS data mapping

The AWS Connected Assets and Risk connector incrementally synchronizes the contents of the AWS asset databases with the data that is managed by the Connected Assets and Risk service.

Elastic Beanstalk

The following table shows the Connected Assets and Risk connector to Elastic Beanstalk data mapping.

Table 1. Elastic Beanstalk data mapping

| CAR vertex/edge | CAR field | Elastic Beanstalk field |
|---|---|---|
| Application | _key | App Resource -> ApplicationName |
| | Name | App Resource -> ApplicationName |
| | external ID | App Resource -> ApplicationArn |
| Asset | Name | EC2 response -> Tags -> EnvironmentId -> value |
| | environment_ID | EC2 response -> Tags -> EnvironmentId -> value |
| | external ID | EC2 response -> ResourceId |
| Asset_Application | from_external_id | EC2 response -> ResourceId |
| | to_external_id | App Resource -> ApplicationArn |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Asset_hostname | from_external_id | EC2 Resource -> ResourceId |
| | _to | Environment Resource -> CNAME |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |

Elastic Compute Cloud (EC2)

The following table shows the Connected Assets and Risk connector to EC2 data mapping.

Table 2. EC2 data mapping

| CAR vertex/edge | CAR field | EC2 field |
|---|---|---|
| Asset | Name | EC2 resource -> Tags -> Name -> Value |
| | external ID | arn:aws:ec2: + EC2 resource -> AvailabilityZone + account_id + InstanceId |
| Hostname | _key(PrivateDns) | EC2 resource -> NetworkInterfaces -> PrivateDnsName |
| | _key(PublicDns) | EC2 resource -> NetworkInterfaces -> PublicDnsName |
| Asset_Hostname | from_external_id | arn:aws:ec2: + EC2 resource -> AvailabilityZone + account_id + InstanceId |
| | _to | EC2 resource -> NetworkInterfaces -> PrivateDnsName |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Geolocation | external ID | EC2 resource -> AvailabilityZone |
| | region | EC2 resource -> AvailabilityZone |
| Asset_Geolocation | from_external_id | arn:aws:ec2: + EC2 resource -> AvailabilityZone + account_id + InstanceId |
| | _to | EC2 resource -> AvailabilityZone |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |

The following table shows the Connected Assets and Risk connector to EC2 Network Profile data mapping.

Table 3. EC2 Network Profile data mapping

| CAR vertex/edge | CAR field | EC2 Network Profile field |
|---|---|---|
| IPAddress(Private) | _key | EC2 Resource -> NetworkInterfaces -> privateIPAddress |
| IPAddress(Public) | _key | EC2 Resource -> NetworkInterfaces -> PublicIpAddress |
| MacAddress | _key | EC2 Resource -> NetworkInterfaces -> MacAddress |
| IPAddress_MacAddress | _from | ipaddress/_key (ipaddress node) |
| | _to | macaddress/_key (macaddress node) |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Asset_IPAddress | from_external_id | external_id of the asset (based on resource type) |
| | _to | ipaddress/_key (ipaddress node) |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Asset_MacAddress | _from_external_id | external_id of the asset |
| | _to | macaddress/_key (macaddress node) |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
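The two EC2 tables describe a transformation of one EC2 instance record into several CAR vertices and edges. The following Python is an added worked example, not the connector's own code, that applies Tables 2 and 3 to a boto3-style describe_instances response. It fills in details the tables leave open, and these are assumptions: AvailabilityZone is read from Placement.AvailabilityZone and the public DNS name and IP from NetworkInterfaces[].Association, which is where the EC2 API carries them; the external ID parts are joined with ':'; an instance without a Name tag falls back to its InstanceId as name. The sample instance, account ID, report and source are constructed for the example. One point worth knowing when reconciling with other AWS data: the instance ARN AWS itself uses has the form arn:aws:ec2:region:account-id:instance/instance-id, so the AvailabilityZone-based external ID of Table 2 is a CAR-specific identifier, not the AWS ARN.

```python
"""Added example (not the connector's code): apply the EC2 mappings of
Tables 2 and 3 to a describe_instances-style response.

Assumptions (the tables give field paths, not formats):
  * AvailabilityZone comes from Placement.AvailabilityZone; public DNS/IP
    come from NetworkInterfaces[].Association, as in the EC2 API.
  * External ID parts are joined with ':'.
  * A missing Name tag falls back to the InstanceId.
"""
from typing import Any, Dict, List, Optional

# Constructed sample input: one instance, two network interfaces, the first
# with a public association. All values are invented for this example.
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_REPORT = {"_key": "report-0001", "timestamp": 1700000000000}
SAMPLE_SOURCE = {"_key": "aws-car-source"}
SAMPLE_INSTANCES: List[Dict[str, Any]] = [{
    "InstanceId": "i-0abc123def456",
    "Placement": {"AvailabilityZone": "us-east-1a"},
    "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "env", "Value": "prod"}],
    "NetworkInterfaces": [
        {"PrivateDnsName": "ip-10-0-0-5.ec2.internal", "PrivateIpAddress": "10.0.0.5",
         "MacAddress": "02:aa:bb:cc:dd:01",
         "Association": {"PublicDnsName": "ec2-3-4-5-6.compute-1.amazonaws.com",
                         "PublicIp": "3.4.5.6"}},
        {"PrivateDnsName": "ip-10-0-0-6.ec2.internal", "PrivateIpAddress": "10.0.0.6",
         "MacAddress": "02:aa:bb:cc:dd:02"},
    ],
}]

VERTEX_AND_EDGE_TYPES = ("asset", "hostname", "geolocation", "ipaddress", "macaddress",
                         "asset_hostname", "asset_geolocation", "ipaddress_macaddress",
                         "asset_ipaddress", "asset_macaddress")


def tag_value(tags: Optional[List[Dict[str, str]]], key: str) -> Optional[str]:
    """Return the Value of the tag named `key`, or None when it is absent."""
    for tag in tags or []:
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def asset_external_id(instance: Dict[str, Any], account_id: str) -> str:
    """Table 2: 'arn:aws:ec2:' + AvailabilityZone + account_id + InstanceId (':' joins assumed)."""
    az = instance["Placement"]["AvailabilityZone"]
    return f"arn:aws:ec2:{az}:{account_id}:{instance['InstanceId']}"


def edge_common(report: Dict[str, Any], source: Dict[str, Any]) -> Dict[str, Any]:
    """The active/timestamp/source/report fields that every edge carries."""
    return {"active": True, "timestamp": report["timestamp"],
            "source": source["_key"], "report": report["_key"]}


def map_instance(instance, account_id, report, source) -> Dict[str, List[Dict[str, Any]]]:
    """Produce the CAR vertices and edges of Tables 2 and 3 for one instance."""
    out: Dict[str, List[Dict[str, Any]]] = {t: [] for t in VERTEX_AND_EDGE_TYPES}
    ext_id = asset_external_id(instance, account_id)
    az = instance["Placement"]["AvailabilityZone"]
    common = edge_common(report, source)

    name = tag_value(instance.get("Tags"), "Name") or instance["InstanceId"]  # fallback assumed
    out["asset"].append({"name": name, "external_id": ext_id})
    out["geolocation"].append({"external_id": az, "region": az})
    out["asset_geolocation"].append({"from_external_id": ext_id, "_to": az, **common})

    for nic in instance.get("NetworkInterfaces", []):
        assoc = nic.get("Association", {})
        private_dns = nic.get("PrivateDnsName")
        if private_dns:
            out["hostname"].append({"_key": private_dns})
            out["asset_hostname"].append({"from_external_id": ext_id, "_to": private_dns, **common})
        if assoc.get("PublicDnsName"):
            # Table 2 keys a Hostname vertex on the public name but links only the private one.
            out["hostname"].append({"_key": assoc["PublicDnsName"]})
        mac = nic.get("MacAddress")
        if mac:
            out["macaddress"].append({"_key": mac})
            out["asset_macaddress"].append({"_from_external_id": ext_id, "_to": f"macaddress/{mac}", **common})
        for ip in (nic.get("PrivateIpAddress"), assoc.get("PublicIp")):
            if not ip:
                continue
            out["ipaddress"].append({"_key": ip})
            out["asset_ipaddress"].append({"from_external_id": ext_id, "_to": f"ipaddress/{ip}", **common})
            if mac:
                out["ipaddress_macaddress"].append({"_from": f"ipaddress/{ip}", "_to": f"macaddress/{mac}", **common})
    return out


def map_instances(instances, account_id, report, source) -> Dict[str, List[Dict[str, Any]]]:
    """Merge per-instance results into one batch keyed by vertex/edge type."""
    merged: Dict[str, List[Dict[str, Any]]] = {t: [] for t in VERTEX_AND_EDGE_TYPES}
    for inst in instances:
        for t, items in map_instance(inst, account_id, report, source).items():
            merged[t].extend(items)
    return merged


if __name__ == "__main__":
    batch = map_instances(SAMPLE_INSTANCES, SAMPLE_ACCOUNT_ID, SAMPLE_REPORT, SAMPLE_SOURCE)
    for kind, items in batch.items():
        print(kind, len(items))
```

Each network interface yields its own Hostname, IPAddress and MacAddress vertices, so an instance with two interfaces produces two IPAddress_MacAddress pairs plus a third for the public IP, which is linked to the MAC of the interface it is associated with.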

Elastic Container Service (ECS)

The following table shows the Connected Assets and Risk connector to ECS data mapping.

Table 4. ECS data mapping

| CAR vertex/edge | CAR field | ECS field |
|---|---|---|
| Container | external_ID | container response -> task -> containers -> containerArn |
| | name | container response -> task -> containers -> name |
| | image | container response -> task -> containers -> image |
| | task_id | container response -> task -> containers -> taskArn |
| | cluster_id | container response -> task -> containers -> clusterArn |
| Asset | Name | EC2 response -> tags -> name |
| | external ID | EC2 response -> resourceId |
| Asset_Container | from_external_id | EC2 response -> resourceId |
| | to_external_id | container response -> task -> containers -> containerArn |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Ipaddress_Container | from | container response -> task -> containers -> networkInterface -> privateIpv4Address |
| | _to_external_id | container response -> task -> containers -> containerArn |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |

Relational Database Service (RDS)

The following table shows the Connected Assets and Risk connector to RDS data mapping.

Table 5. RDS data mapping

| CAR vertex/edge | CAR field | RDS field |
|---|---|---|
| Asset | Name | Database Instance -> DBInstanceIdentifier |
| | external ID | Database Instance -> DBInstanceArn |
| | engine | Database Instance -> Engine |
| | db_resource_id | Database Instance -> DbiResourceId |
| Hostname | _key(Address) | Database Instance -> Endpoint -> Address |
| Asset_Hostname | from_external_id | Database Instance -> DBInstanceArn |
| | _to_external_id | Database Instance -> Endpoint -> Address |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| GeoLocation | external ID | Database Instance -> AvailabilityZone |
| | region | Database Instance -> AvailabilityZone |
| Asset_GeoLocation | from_external_id | Database Instance -> DBInstanceArn |
| | _to_external_id | Database Instance -> AvailabilityZone |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| User | _key | Database Instance -> MasterUsername |
| | username | Database Instance -> MasterUsername |
| | role | TECHNICAL OWNER |
| Asset_user | _from_external_id | Database Instance -> DBInstanceArn |
| | _to | Database Instance -> MasterUsername |
| | report | report -> _key |
| | source | source -> _key |
| | active | TRUE |
| | timestamp | report -> timestamp |
| Report_User | _from | report -> timestamp |
| | _to | Database Instance -> MasterUsername |
| | report | report -> _key |
| | source | source -> _key |
| | active | TRUE |
| | timestamp | report -> timestamp |
| User_Database | _from | Database Instance -> MasterUsername |
| | _to_external_id | Database Instance -> DbiResourceId |
| | report | report -> _key |
| | source | source -> _key |
| | active | TRUE |
| | timestamp | report -> timestamp |
| Database | Name | Database Instance -> DBInstanceIdentifier |
| | _key | Database Instance -> DBInstanceIdentifier |
| | db_instance_id | Database Instance -> DBInstanceArn |
| | scheduled_maintenance | Database Instance -> applyImmediately |
| | external ID | Database Instance -> DBIResourceId |
| Asset_Database | from_external_id | Database Instance -> DBInstanceArn |
| | _to_external_id | Database Instance -> DBIResourceId |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |

Security Hub

The following table shows the Connected Assets and Risk connector to EC2/Security Hub data mapping.

Table 6. EC2/Security Hub data mapping

| CAR vertex/edge | CAR field | EC2 / Security Hub Network Profile field |
|---|---|---|
| Asset | Name | EC2 resource -> Tags -> Name -> Value |
| | external ID | arn:aws:ec2: + EC2 resource -> AvailabilityZone + account_id + InstanceId |
| Vulnerability | external_id | Securityhub log -> Id |
| | name | Securityhub log -> Title |
| | Description | Securityhub log -> Description |
| | disclosed_on | Securityhub log -> FirstObservedAt |
| | published_on | Securityhub log -> CreatedAt |
| | base_score | Securityhub log -> Severity -> Normalized |
| Asset_Vulnerability | from_external_id | external_id of the asset (based on resource type) |
| | to_external_id | Securityhub log -> Id |
| | active | TRUE |
| | timestamp | Securityhub log -> CreatedAt |
| | source | source -> _key |
| | report | report -> _key |
| | last_modified | Securityhub log -> UpdatedAt |
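Table 6 is the one mapping whose edge timestamp comes from the finding itself rather than from the report, and whose from_external_id depends on the resource type of the finding. The following Python is an added worked example, not the connector's own code, that maps Security Hub findings in the AWS Security Finding Format (ASFF) to the Vulnerability vertex and Asset_Vulnerability edge. Its assumptions: ISO 8601 timestamps are converted to epoch milliseconds (the page does not fix a timestamp format); for AwsEc2Instance resources the asset external ID is resolved through a lookup of assets already imported by the EC2 mapping, because the AvailabilityZone-based ID of Table 2 differs from the instance ARN that ASFF carries in Resources[].Id; for AwsRdsDbInstance resources the resource ARN is used directly, since Table 5 uses DBInstanceArn as the asset external ID. A finding whose resource has no rule still produces its Vulnerability vertex, only the edge is skipped. The findings, assets, report and source are constructed for the example.

```python
"""Added example (not the connector's code): map ASFF findings from Security
Hub to the CAR Vulnerability vertex and Asset_Vulnerability edge of Table 6.

Assumptions: timestamps become epoch ms; AwsEc2Instance resources resolve to
an asset external ID via a lookup built by the EC2 mapping; AwsRdsDbInstance
resources use their ARN directly (Table 5 external ID = DBInstanceArn).
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_SOURCE = {"_key": "aws-car-source"}
SAMPLE_REPORT = {"_key": "report-0002", "timestamp": 1700000000000}
# Constructed lookup: InstanceId -> asset external_id as produced by the EC2 mapping.
SAMPLE_ASSETS = {"i-0abc123def456": "arn:aws:ec2:us-east-1a:123456789012:i-0abc123def456"}
# Constructed findings. The second lacks FirstObservedAt and names a resource
# type for which this example has no asset rule.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/0001",
     "Title": "EC2 instances should not have a public IPv4 address",
     "Description": "Constructed description for the example.",
     "FirstObservedAt": "2023-11-14T22:13:20.000Z",
     "CreatedAt": "2023-11-14T22:13:20.000Z",
     "UpdatedAt": "2023-11-15T01:00:00.000Z",
     "Severity": {"Normalized": 40, "Label": "MEDIUM"},
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456"}]},
    {"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/example/finding/0002",
     "Title": "S3 buckets should block public access",
     "Description": "Constructed description for the example.",
     "CreatedAt": "2023-11-15T00:00:00.000Z",
     "UpdatedAt": "2023-11-15T00:00:00.000Z",
     "Severity": {"Normalized": 70, "Label": "HIGH"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
]


def iso_to_epoch_ms(value: Optional[str]) -> Optional[int]:
    """Convert an ASFF ISO 8601 timestamp ('...Z') to epoch milliseconds; None stays None."""
    if not value:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def asset_external_id_for_resource(resource: Dict[str, Any], assets: Dict[str, str]) -> Optional[str]:
    """Table 6: 'external_id of the asset (based on resource type)'."""
    rtype, rid = resource.get("Type"), resource.get("Id", "")
    if rtype == "AwsEc2Instance":
        # ASFF carries the instance ARN; take the InstanceId after 'instance/' and
        # look up the external ID the EC2 mapping assigned to that asset.
        return assets.get(rid.rsplit("instance/", 1)[-1])
    if rtype == "AwsRdsDbInstance":
        return rid  # Table 5 keys RDS assets by DBInstanceArn, which ASFF reports as Id
    return None  # no rule for this resource type


def map_finding(finding, assets, report, source) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Build the Vulnerability vertex and zero or more Asset_Vulnerability edges."""
    vertex = {
        "external_id": finding["Id"],
        "name": finding.get("Title"),
        "description": finding.get("Description"),
        "disclosed_on": iso_to_epoch_ms(finding.get("FirstObservedAt")),
        "published_on": iso_to_epoch_ms(finding.get("CreatedAt")),
        "base_score": finding.get("Severity", {}).get("Normalized"),
    }
    edges: List[Dict[str, Any]] = []
    for resource in finding.get("Resources", []):
        asset_id = asset_external_id_for_resource(resource, assets)
        if asset_id is None:
            continue  # keep the vertex, skip the edge: nothing to attach it to
        edges.append({
            "from_external_id": asset_id,
            "to_external_id": finding["Id"],
            "active": True,
            "timestamp": iso_to_epoch_ms(finding.get("CreatedAt")),  # from the finding, per Table 6
            "source": source["_key"],
            "report": report["_key"],
            "last_modified": iso_to_epoch_ms(finding.get("UpdatedAt")),
        })
    return vertex, edges


def map_findings(findings, assets, report, source):
    """Map a batch of findings; returns (vertices, edges)."""
    vertices, edges = [], []
    for finding in findings:
        vertex, finding_edges = map_finding(finding, assets, report, source)
        vertices.append(vertex)
        edges.extend(finding_edges)
    return vertices, edges


if __name__ == "__main__":
    vs, es = map_findings(SAMPLE_FINDINGS, SAMPLE_ASSETS, SAMPLE_REPORT, SAMPLE_SOURCE)
    print(len(vs), "vulnerability vertices,", len(es), "asset_vulnerability edges")
```

Resolving the asset through a lookup rather than rebuilding the ID from the finding keeps the edge consistent with whatever the EC2 import actually stored; a finding for an instance that was never imported yields a vertex with no edge, which is the signal to check that the EC2 and Security Hub imports cover the same accounts and regions.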