Get query spec node destinations
GetAssessmentQuerySpecDestinationNodes returns the related destination nodes, including effective permissions, for a single entity in the results of a saved query.
Sample request:
The request must include the full query `spec` object and the `source_node_id` of the query result whose destination nodes should be returned. You can optionally provide a `snapshot_id` to query against historical data.
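# Sample request: list the S3 buckets on which one IAM user holds s3:PutBucketAcl.
# The base URL and API token are read from the environment ($BASE_URL, $VEZA_TOKEN),
# so the token is not written into the command itself.
# With -d alone curl labels the body application/x-www-form-urlencoded, so the JSON
# content type is declared explicitly.
curl -X 'POST' "$BASE_URL/api/v1/assessments/query_spec:destination_nodes?page_size=0&page_token=" \
-H "authorization: Bearer $VEZA_TOKEN" \
-H 'content-type: application/json' \
-d '{
"spec": {
"query_type": "SOURCE_TO_DESTINATION",
"include_nodes": true,
"source_node_types": {
"nodes": [
{
"node_type": "AwsIamUser"
}
]
},
"destination_node_types": {
"nodes": [
{
"node_type": "S3Bucket"
}
]
},
"no_relation": false,
"raw_permissions": {
"operator": "OR",
"values": [
"s3:PutBucketAcl"
]
}
},
"source_node_id": "arn:aws:iam::877042069677:user/j.smith",
"snapshot_id": "1690182000"
}'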
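Sample response. The single destination returned is a bucket named `aws-cloudtrail-logs-877042069677-a35f269d`; `raw_permissions` lists the individual S3 actions the user holds on it (including the `s3:PutBucketAcl` action the query filtered on), and `effective_permissions` lists the effective permission categories: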
{
"values": [
{
"id": "arn:aws:s3:::aws-cloudtrail-logs-877042069677-a35f269d",
"type": "S3Bucket",
"properties": {
"allows_acls": true,
"aws_account_id": "877042069677",
"block_public_access_enabled": true,
"block_public_acls": true,
"block_public_policy": true,
"created_at": "2022-02-07T20:33:19Z",
"datasource_id": "877042069677:s3",
"default_encryption_enabled": true,
"default_retention_mode": "DISABLED",
"hosts_website": false,
"ignore_public_acls": true,
"name": "aws-cloudtrail-logs-877042069677-a35f269d",
"object_lock_enabled": false,
"object_ownership_controls": "ObjectWriter",
"provider_id": "877042069677",
"region": "us-east-1",
"replication_rules_count": 0,
"request_payer": "BucketOwner",
"restrict_public_buckets": true,
"server_access_logs_enabled": false
},
"destination_node_count": 0,
"permissions": [
{
"id": "arn:aws:iam::877042069677:user/j.smith::eperm::877042069677/S3Bucket/9e5c59f46ddc58231c08bc23534d1a83c0bffe87",
"type": "AwsIamEffectivePermission",
"properties": {
"aws_account_id": "877042069677",
"datasource_id": "877042069677::eperm::877042069677:s3",
"name": "Create,Write,Delete,Read,Metadata,NonData",
"permissions": [
"s3:AbortMultipartUpload",
"s3:BypassGovernanceRetention",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutAccelerateConfiguration",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:ReplicateTags",
"s3:RestoreObject"
],
"provider_id": "877042069677"
},
"destination_node_count": 0,
"permissions": [],
"engagement_access_stats": null,
"access_stats": null,
"destination_node_ids": [],
"risk_level": "NONE",
"raw_permissions": [],
"effective_permissions": []
}
],
"engagement_access_stats": null,
"access_stats": null,
"destination_node_ids": [],
"risk_level": "NONE",
"raw_permissions": [
"s3:AbortMultipartUpload",
"s3:BypassGovernanceRetention",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging",
"s3:GetAccelerateConfiguration",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutAccelerateConfiguration",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:ReplicateTags",
"s3:RestoreObject"
],
"effective_permissions": [
"Create",
"Delete",
"Metadata",
"NonData",
"Read",
"Write"
]
}
],
"path_values": [],
"next_page_token": "",
"has_more": false
}
/api/v1/assessments/query_spec:destination_nodes
risk_score ASC/DESC are valid values
`page_size`: The maximum number of results to be returned. Fewer results may be returned even when more pages exist.
`page_token`: The token specifying the specific page of results to retrieve.
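# Generated reference request showing every field the endpoint accepts.
# The "text" and "[Circular Reference]" values appear to be generator placeholders
# (the sample request earlier on this page passes `nodes` as an array of objects),
# so replace them with real values before sending.
# The token goes in the Authorization header as a bearer token, matching the
# sample request earlier on this page; replace YOUR_API_KEY with the key.
# The URL needs the deployment's base URL in front of the path.
curl -L \
--request POST \
--url "$BASE_URL/api/v1/assessments/query_spec:destination_nodes" \
--header 'Authorization: Bearer YOUR_API_KEY' \
--header 'Content-Type: application/json' \
--data '{
"spec": {
"query_type": "SYSTEM_CREATED",
"source_node_types": {
"nodes": "[Circular Reference]",
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": "[Circular Reference]",
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": "[Circular Reference]",
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": "[Circular Reference]",
"nodes_operator": "AND"
},
"raw_permissions": {
"values": [
"text"
],
"operator": "AND"
},
"effective_permissions": {
"values": [
"METADATA_WRITE"
],
"operator": "AND"
},
"customized_variables": [
{
"key": "text",
"value": "text"
}
],
"no_relation": true,
"snapshot_id": "text",
"node_relationship_type": "EFFECTIVE_ACCESS",
"relates_to_exp": {
"specs": "[Circular Reference]",
"child_expressions": "[Circular Reference]",
"operator": "AND",
"not": true,
"and_op_type": "INFERRED"
},
"path_summary_node_types": {
"nodes": "[Circular Reference]",
"nodes_operator": "AND"
},
"all_entity_condition": {
"specs": [
{
"fn": "EQ",
"property": "text",
"value": null,
"not": true,
"value_property_name": "text",
"value_property_from_other_node": true
}
],
"child_expressions": "[Circular Reference]",
"operator": "AND",
"not": true
},
"path_summary_count_conditions": {
"conditions": [
{
"fn": "EQ",
"value": "text",
"value_as": "COUNT"
}
]
},
"result_value_type": "UNDEFINED",
"page_size": "text",
"page_token": "text"
},
"source_node_id": "text",
"snapshot_id": "text"
}'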
{
"values": [
{
"id": "text",
"type": "text",
"properties": {},
"destination_node_count": 1,
"permissions": "[Circular Reference]",
"engagement_access_stats": {
"engagement_score": 1,
"over_provisioned_score": 1,
"total_count": "text",
"accessed_count": "text"
},
"access_stats": {
"last_used": "2025-03-09T02:39:07.583Z",
"count": 1,
"concrete_permissions": [
"text"
],
"canonical_permissions": [
"text"
]
},
"destination_node_ids": [
"text"
],
"risk_level": "NONE",
"raw_permissions": [
"text"
],
"effective_permissions": [
"text"
],
"destination_node_percentage_of_total": 1
}
],
"path_values": [
{
"source": "[Circular Reference]",
"abstract_permissions": [
"text"
],
"concrete_permissions": [
"text"
],
"destination": "[Circular Reference]",
"path_summary_nodes": "[Circular Reference]",
"results_truncated": true
}
],
"next_page_token": "text",
"has_more": true
}
A successful response.