Connector Spec - AWS Discovery (v0)

Summary

Initial AWS discovery connector that enumerates IAM users and roles, plus managed and inline policies. Emits canonical entities/relationships with provenance and supports streaming batch output.

Auth

  • Access key credentials
      • access_key_id
      • secret_access_key
      • optional session_token
  • region (default us-east-1)

Scope Inputs

  • aws_accounts (array of account ids)

Tenancy & Isolation Requirements

  • Connector execution runs in the scope of a single tenant_id + workspace_id.
  • Credentials and scope inputs are resolved from the owning Connection in that scope.
  • Output records must preserve tenant/workspace context through normalization and storage.
  • A connector run must never read or write data for another tenant/workspace.

Required Permissions

  • sts:GetCallerIdentity
  • iam:ListAccountAliases
  • iam:ListUsers
  • iam:ListRoles
  • iam:ListAttachedUserPolicies
  • iam:ListAttachedRolePolicies
  • iam:ListUserPolicies
  • iam:GetUserPolicy
  • iam:ListRolePolicies
  • iam:GetRolePolicy

Entities Emitted

  • CloudAccountBoundary (AWS account)
  • Account (IAM users and IAM roles)
  • Principal (human for users, nonhuman for roles)
  • Entitlement
      • managed IAM policies
      • inline IAM policies (synthetic entitlements keyed by principal ARN + policy name)

Relationships Emitted

  • principal_represents_account (principal -> account)
  • account_assigned_entitlement (account -> entitlement)

Notes / Blind Spots

  • Resources and entitlement-to-resource relationships are not emitted yet.
  • Group-based policies (IAM groups) are not emitted yet.
  • Inline policy documents are decoded but not stored as evidence.
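The following is an added illustration of the normalization step this spec describes (tenancy context, the entity and relationship types listed above, the synthetic key for inline policies, and streaming batch output). It is not the connector's own code. The IAM snapshot is constructed inline in the shape of the API responses the connector reads; the connector name "aws_discovery", the record layout, the `aws-account:` / `principal:` id prefixes and the `#inline/` key format are assumptions chosen for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterator, List
from urllib.parse import quote, unquote

CONNECTOR = "aws_discovery"  # assumed connector name recorded in provenance

# Constructed sample mirroring the shape of the IAM API responses the connector reads
# (ListUsers, ListRoles, ListAttached*Policies, List*Policies + Get*Policy).
_INLINE_DOC = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
SAMPLE_SNAPSHOT = {
    "account_id": "123456789012",
    "users": [{"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"}],
    "roles": [{"RoleName": "ci-deploy", "Arn": "arn:aws:iam::123456789012:role/ci-deploy"}],
    "attached_policies": {"arn:aws:iam::123456789012:user/alice": [
        {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    # GetUserPolicy / GetRolePolicy return PolicyDocument URL-encoded; encoded the same way here
    "inline_policies": {"arn:aws:iam::123456789012:role/ci-deploy": {
        "deploy-s3": quote(json.dumps(_INLINE_DOC))}},
}

@dataclass(frozen=True)
class RunContext:
    """Scope of one run: a single tenant/workspace and the one AWS account being discovered."""
    tenant_id: str
    workspace_id: str
    account_id: str
    observed_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def _record(ctx: RunContext, kind: str, rtype: str, rid: str, **attrs) -> dict:
    # Every emitted record carries tenant/workspace context plus provenance
    return {"kind": kind, "type": rtype, "id": rid,
            "tenant_id": ctx.tenant_id, "workspace_id": ctx.workspace_id,
            "provenance": {"connector": CONNECTOR, "aws_account": ctx.account_id,
                           "observed_at": ctx.observed_at}, **attrs}

def inline_entitlement_id(principal_arn: str, policy_name: str) -> str:
    # Inline policies have no ARN: synthesise a stable key from principal ARN + policy name
    return f"{principal_arn}#inline/{policy_name}"

def decode_policy_document(encoded: str) -> dict:
    # Inline policy documents arrive URL-encoded; decoding validates the JSON
    return json.loads(unquote(encoded))

def normalize(snapshot: dict, ctx: RunContext) -> Iterator[dict]:
    """Yield canonical entities/relationships for the IAM snapshot of one account."""
    if snapshot["account_id"] != ctx.account_id:
        raise ValueError("snapshot belongs to an account outside this run's scope")
    boundary = f"aws-account:{ctx.account_id}"
    yield _record(ctx, "entity", "CloudAccountBoundary", boundary, account_id=ctx.account_id)
    principals = [(u["Arn"], u["UserName"], "human") for u in snapshot["users"]]
    principals += [(r["Arn"], r["RoleName"], "nonhuman") for r in snapshot["roles"]]
    seen_managed = set()
    for arn, name, ptype in principals:
        pid = f"principal:{arn}"
        yield _record(ctx, "entity", "Account", arn, name=name, boundary=boundary)
        yield _record(ctx, "entity", "Principal", pid, principal_type=ptype)
        yield _record(ctx, "relationship", "principal_represents_account",
                      f"{pid}->{arn}", source=pid, target=arn)
        # Managed policies: one Entitlement per policy ARN, shared by every principal attached to it
        for pol in snapshot["attached_policies"].get(arn, []):
            if pol["PolicyArn"] not in seen_managed:
                seen_managed.add(pol["PolicyArn"])
                yield _record(ctx, "entity", "Entitlement", pol["PolicyArn"],
                              entitlement_kind="managed_policy", name=pol["PolicyName"])
            yield _record(ctx, "relationship", "account_assigned_entitlement",
                          f"{arn}->{pol['PolicyArn']}", source=arn, target=pol["PolicyArn"])
        # Inline policies: synthetic Entitlement; the document is decoded to validate it
        # but, as the spec notes, not stored as evidence
        for pname, doc in snapshot["inline_policies"].get(arn, {}).items():
            decode_policy_document(doc)
            eid = inline_entitlement_id(arn, pname)
            yield _record(ctx, "entity", "Entitlement", eid, entitlement_kind="inline_policy", name=pname)
            yield _record(ctx, "relationship", "account_assigned_entitlement",
                          f"{arn}->{eid}", source=arn, target=eid)

def run(snapshot: dict, ctx: RunContext, batch_size: int = 4) -> Iterator[List[dict]]:
    """Stream output in fixed-size batches, refusing any record outside the run's scope."""
    batch: List[dict] = []
    for rec in normalize(snapshot, ctx):
        if (rec["tenant_id"], rec["workspace_id"]) != (ctx.tenant_id, ctx.workspace_id):
            raise PermissionError("record crosses tenant/workspace boundary")
        batch.append(rec)
        if len(batch) == batch_size:
            yield batch
            batch = []
    if batch:
        yield batch

if __name__ == "__main__":
    for i, b in enumerate(run(SAMPLE_SNAPSHOT, RunContext("tenant-a", "ws-1", "123456789012"))):
        print(f"batch {i}: {[r['type'] for r in b]}")
```

The account check in `normalize` and the tenant/workspace check in `run` are the two places where the isolation requirement is enforced on output: a snapshot for an account outside the run's scope is rejected before anything is emitted, and a record that somehow lost its tenant context is never handed to a batch. Managed policies are deduplicated by ARN so that two principals attached to the same policy share one Entitlement, while each inline policy gets its own synthetic Entitlement because its key includes the principal ARN.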