Supported entity types and more information about the Veza-AWS connector.
Veza integrates with AWS to parse service and resource metadata using native API calls. You can enable a read-only connection via an IAM user, an assumed IAM role, or using an Insight Point running on EC2.
Veza creates entities in the data catalog to represent discovered resources and identities, including tags and attributes applied within AWS. To gather granular metadata for database services such as RDS, Veza requires additional permissions to connect as a local user and execute queries when data APIs aren't available.
Veza analyzes cross-service connections between discovered entities, calculates effective permissions, and identifies authorization paths, including the cumulative effects of permission boundaries, service control policies, group memberships, and hierarchical policy statements. These relationships can be searched in the Authorization Graph, or audited using Workflows or the Query Builder.
To show external identities with access to AWS resources, Veza supports identity federation, displaying permissions for external users and groups from providers such as Okta, Azure AD, and custom identity providers.
Note that by default, all regions and services are extracted. Allow/deny lists can contain string lists (including wildcards) of resources names to ignore.
Supported entities:
Cognito Service
Cognito Identity Pool
Supported entities:
EC2 Service
EC2 VPC
EC2 Security Group
EC2 Instance
As of Veza
2021.2.1, EC2 discovery is supported for up to 1000 instances per AWS account.
Supported entities:
ECR Service
ECR Private Registry
ECR Private Repository
ECR Public Registry
ECR Public Repository
Supported entities:
EKS Service
EKS Cluster
Supported entities:
EMR Service
EMR Cluster
EMR Node
EMR Studio
EMR Notebook Execution
The EMR service to discover must use EC2 (EMR on EKS isn't yet supported). See EMR for more details.
Supported entities:
Redshift Cluster
Redshift Database
Redshift Schema
Redshift Effective Permission
Redshift Local User
Redshift Database Instance
Redshift Group
Redshift Table
Redshift Service
The default policy only includes API permissions to get authorization metadata for Redshift clusters. To connect to Redshift databases for full discovery, a local Redshift user with the
redshift:GetClusterCredentialsIAM privilege must be available.
Supported entities:
S3 Service
S3 Bucket
S3 Bucket Policies
S3 Bucket Policy Statement
As of release
2022.2.1, effective permissions to S3 now consider object-level permissions granted via IAM policy. Access Points are not yet supported. S3 bucket objects can have individual Access Control Lists. Since Veza doesn't parse individual bucket objects, object-level permissions may not be authoritative for buckets allowing ACLs.
Supported entities:
DynamoDB Service
DynamoDB Table
DynamoDB Secondary Index
DynamoDB Stream
See DynamoDB for more information.
Identity and Access Management
Supported entities:
AWS Accounts
IAM Groups
IAM Users
IAM Roles
IAM Policies
IAM Permissions
AWS IAM Policy entities have the attribute Permissions Boundary Usage Count, enabling queries on unused policies with no relationship to any principals.
Supported entities:
Identity Center Service
Identity Center User
Identity Center Group
Identity Center Permission Set
Identity Center is a service only available in the management account of an organization. To discover Identity Center entities, the region configured for the AWS account integration must match the region IAM Identity Center is enabled in. For example, if the IAM Identity Center is enabled in
us-east-1, the AWS Integration must have theus-east-1region defined. Otherwise, AWS IAM Identity Center will not appear as a Data Source.
Supported entities:
KMS Service
KMS Customer Managed Key (CMK)
KMS Policy
KMS Policy Statements
KMS Permissions
KMS Customer Managed Key Permissions
In order for a CMK to be discoverable, its Key Policy must have IAM permissions enabled, or grant the Veza AWS IAM principal directly.
Supported entities:
Lambda Service
Lambda Function
Supported entities:
AWS Organization Unit
AWS Organization Account
You can track org unit accounts not yet configured for discovery using the assessments
AWS Accounts that are part of an organization but not managed.
Supported entities:
RDS Service
RDS Instance
RDS Cluster
RDS Cluster Instance
RDS MySQL
Supported entities:
RDS MySQL Database
RDS MySQL Function
RDS MySQL Instance
RDS MySQL Local User
RDS MySQL Local User Instance
RDS MySQL Procedure
RDS MySQL Role
RDS MySQL Role Instance
RDS MySQL Service
RDS MySQL Table
RDS MySQL Trigger
RDS PostgreSQL
Supported entities:
PostgreSQL User
PostgreSQL Database
PostgreSQL Group
PostgreSQL Instance
PostgreSQL Schema
PostgreSQL Table
PostgreSQL Procedure
PostgreSQL Trigger
PostgreSQL Permissions
To get database-level metadata, users, and privileges, Veza will need to execute database queries as a local Postgres or MySQL user.
Supported entities:
Secrets Manager Service
Secrets Manager Secret
The Authorization Graph includes some additional support for searching AWS entities:
To see the native AWS permissions for an Effective Permission, select an ungrouped EP node and choose Explain Effective Permissions on the actions sidebar
To view an AWS IAM policy, select a Policy node and choose Show JSON Document from the actions sidebar
AWS IAM Role relationships may be nested (a role assignment can imply membership in another). When this is the case, an icon will indicate that the node has a hierarchical relationship. Choose Show Hierarchy to open a detailed view. Entities will have a hierarchical_level to enable search on nested nodes.
When multiple AWS accounts are connected, entities with the same name (such as built-in IAM roles) are numbered for differentiation. Toggle the AWS Account Label search option to add additional color-coding by account name.
You can highlight authorization paths available via role assumption using the Entities of Interest graph search option.
Following best practices for AWS client applications, Veza implements an exponential backoff mechanism for requests (see the AWS documentation on Error Retries and Exponential Backoff for more information). This should prevent hitting endpoint rate limits, and provide ample room for other services to consume the same APIs.
By default, exponential backoff is configured for up to 10 attempts, with a max wait of 300 seconds.
You can use the management API to configure AWS connectors programmatically.
For example:
curl -X POST '{baseurl}/api/v1/providers/aws
-d {
"values": [
{
"name": "AWS-Org",
"type": "AWS",
"data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
"status": "SUCCESS",
"account_id": "123456789010",
"credentials_type": "ASSUME_CUSTOMER_ROLE",
"access_key_id": null,
"assume_role_name": "veza-connector",
"assume_role_external_id": "0477997275",
"regions": [],
"db_user": "veza_db_user",
"services": [],
"redshift_database_allow_list": [],
"redshift_database_deny_list": [],
"rds_database_allow_list": [],
"rds_database_deny_list": [],
"s3_bucket_allow_list": [],
"s3_bucket_deny_list": []
}
]
}Note that by default, all regions and services are extracted. Allow/deny lists can contain string lists (including wildcards) of resources names to ignore.
Veza does not currently support all AWS policy conditions operators and keys.
The unsupported conditions include ones that are difficult to parse or meaningless in Veza's graph representation, such as DateGreaterThan:aws:CurrentTime. However, unsupported conditions CAN have a meaningful impact on the actual access granted to principals shown in Graph.
When Veza detects an unsupported condition, the boolean property Unsupported Condition is set to True for the corresponding Policy Statement and Permission nodes.
This property can be included in an Attribute Filter to display query results that are or are not impacted by unsupported conditions.