Network Resources
Network resources are available in InsightCloudSec as the fourth section (tab) under the Resource landing page. These resources are related to network functionality and include resources like load balancers, route tables, and internet gateways.
Network resources are displayed alphabetically using the InsightCloudSec normalized terminology. Hovering over an individual resource provides the CSP-specific terminology with the associated logo to help users confirm the displayed information. For example, in InsightCloudSec a Network refers to an Amazon "VPC", an Azure "Virtual Network", a Google "VPC", etc.
For a detailed reference of this normalized terminology check out our Resource Terminology.
Some attributes may not be included in these lists
A large number of Resource Attributes are offered for the resources outlined here. Because we are continuously expanding our supported resources, the attributes and details included here cannot be guaranteed to include every resource or every attribute.
If you need information about the attributes of a particular resource we are happy to help get those details for you - reach out to us through the Customer Support Portal with any questions!
Access Lists
Access List
Access Lists are used to protect any ingress/egress traffic to cloud resources (e.g. Security Groups/NACLs).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
access_list_id | The provider ID for the access list |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region in which the access list resides |
access_list_type | The type of the access list |
name | The name of the access list |
parent_resource_id | The resource ID of the parent network |
creation_date | The date the access list was created |
description | The description of the Access List |
default_acl | Boolean value denoting if the access list is provider default |
association_count | The number of resources the resource access list is associated with |
flow_logs_enabled | Denotes if the access list has flow logs enabled (Azure only) |
namespace_id | The provider-specific namespace ID |
relationships | The list of resources associated with the access list |
network_tags | A list of network tags that this firewall is associated with (GCP only) |
Access List Flow Logs
Access List Flow Logs (Azure NSG Flow Logs) allow users to log information about IP traffic flowing through a Network Security Group (e.g. Azure NSG). Data that is logged is stored and can be exported.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region in which the access list resides |
name | The name of the Access List Flow Log |
namespace_id | The fully qualified ID of the resource, including the resource name and resource type |
provisioning_state | The provisioning state (e.g., succeeded) of the Access List Flow Log |
target_resource_id | The Access List Flow Log target resource identifier |
storage_id | The Access List Flow Log storage identifier |
retention_enabled | Boolean value denoting if retention is enabled |
retention_time | The Access List Flow Log retention time (in days) |
traffic_analytics_enabled | Boolean value denoting if traffic analytics is enabled |
traffic_analytics_interval | The interval in minutes that specifies how frequently the Traffic Analytics (TA) service performs flow analytics |
Access List Rule
Access List Rules are Ingress/Egress traffic rules for Security Groups/NACLs. They contain basic information about a single rule entry in an access list resource.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
rule_id | The provider ID of the access list rule |
organization_service_id | The ID of the parent organization service (cloud) |
parent_resource_id | The resource ID of the parent service access list rule |
access_list_name | The name of the parent access list |
region_name | The region the rule resides in |
name | The name of the Rule |
rule_action | Denotes if traffic is allowed or denied |
direction | The direction of traffic (ingress or egress) |
priority | The rule priority (applies to network ACLs only) |
ip_protocol | The protocol to which this rule applies (TCP, UDP, ICMP) |
source_from_port | Source port range: the start of the Traffic Mirror port range. This applies to the TCP and UDP protocols. |
source_to_port | Source port range: the end of the Traffic Mirror port range. This applies to the TCP and UDP protocols. |
destination_from_port | Destination port range: the start of the Traffic Mirror port range. This applies to the TCP and UDP protocols. |
destination_to_port | Destination port range: the end of the Traffic Mirror port range. This applies to the TCP and UDP protocols. |
icmp_code | The number denoting ICMP code |
icmp_type | The number denoting ICMP type |
source_network | The source network ID |
source_network_from_ip | The start of IP range associated with source network. |
source_network_to_ip | The end of IP range associated with source network |
destination_network | Denotes the type of network |
destination_network_from_ip | The start of the IP range associated with destination network |
destination_network_to_ip | The end of the IP range associated with destination network. |
is_temporary | Boolean value denoting whether the rule is temporary |
schedule_data_create_rule | Denotes the association of a create rule |
schedule_data_delete_rule | Denotes the association of a delete rule |
scheduled_event_id_create_rule | The event id of a create rule execution |
scheduled_event_id_delete_rule | The event id of a delete rule execution |
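As an added example (not InsightCloudSec's own code), the following Python audit walks Access List Rule records keyed by the attribute names in the table above and flags allow/ingress rules that open sensitive ports to any source address. The rule dict layout, the port list and the sample records are assumptions constructed for illustration.

```python
"""Audit normalized Access List Rules for ports open to the whole internet.

Added example; this is not InsightCloudSec code. It assumes each rule is a
plain dict keyed by the attribute names in the Access List Rule table
(rule_action, direction, ip_protocol, destination_from_port,
destination_to_port, source_network_from_ip, source_network_to_ip, ...).
The sample rules at the bottom are constructed for illustration.
"""
import ipaddress

# Ports a reviewer does not want reachable from any source address (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Start/end addresses that mean "any source" for each IP version.
ANY_RANGE = {
    4: (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")),
    6: (ipaddress.ip_address("::"),
        ipaddress.ip_address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")),
}


def source_is_any(rule):
    """True when source_network_from_ip..source_network_to_ip spans all addresses."""
    start, end = rule.get("source_network_from_ip"), rule.get("source_network_to_ip")
    if not start or not end:
        return False  # no source range recorded; cannot claim it is world-open
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if start.version != end.version:
        return False
    lo, hi = ANY_RANGE[start.version]
    return start == lo and end == hi


def exposed_ports(rule):
    """Return {port: service} for sensitive ports this rule opens to any source.

    Only 'allow' rules in the 'ingress' direction can expose a port. A rule whose
    ip_protocol is "all"/"-1" (or whose port range is missing) is treated as
    covering every sensitive port; ICMP and other port-less protocols are skipped.
    """
    if str(rule.get("rule_action", "")).lower() != "allow":
        return {}
    if str(rule.get("direction", "")).lower() != "ingress":
        return {}
    if not source_is_any(rule):
        return {}
    proto = str(rule.get("ip_protocol", "")).lower()
    if proto in ("-1", "all", "*", ""):
        return dict(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return {}
    lo, hi = rule.get("destination_from_port"), rule.get("destination_to_port")
    if lo is None or hi is None:
        return dict(SENSITIVE_PORTS)  # unbounded range on an allow rule
    lo, hi = int(lo), int(hi)
    return {p: s for p, s in SENSITIVE_PORTS.items() if lo <= p <= hi}


def audit(rules):
    """Return (resource_id, access_list_name, port, service) for every exposure."""
    findings = []
    for rule in rules:
        for port, service in sorted(exposed_ports(rule).items()):
            findings.append((rule["resource_id"], rule["access_list_name"], port, service))
    return findings


def _rule(resource_id, acl, action, direction, proto, lo, hi, src_from, src_to):
    """Build a constructed rule record using the page's attribute names."""
    return {
        "resource_id": resource_id, "access_list_name": acl,
        "rule_action": action, "direction": direction, "ip_protocol": proto,
        "destination_from_port": lo, "destination_to_port": hi,
        "source_network_from_ip": src_from, "source_network_to_ip": src_to,
    }


# Constructed sample records (not real inventory data).
SAMPLE_RULES = [
    _rule("aclrule-0001", "web-sg", "allow", "ingress", "tcp", 22, 22,
          "0.0.0.0", "255.255.255.255"),          # SSH from anywhere: finding
    _rule("aclrule-0002", "web-sg", "allow", "ingress", "tcp", 443, 443,
          "0.0.0.0", "255.255.255.255"),          # HTTPS from anywhere: not sensitive
    _rule("aclrule-0003", "db-sg", "allow", "ingress", "-1", None, None,
          "10.0.0.0", "10.255.255.255"),          # everything, but only from 10/8
    _rule("aclrule-0004", "nacl-1", "deny", "ingress", "tcp", 3389, 3389,
          "0.0.0.0", "255.255.255.255"),          # explicit deny: never a finding
    _rule("aclrule-0005", "jump-sg", "allow", "egress", "tcp", 3389, 3389,
          "0.0.0.0", "255.255.255.255"),          # egress direction: ignored
    _rule("aclrule-0006", "wide-open-sg", "allow", "ingress", "-1", None, None,
          "0.0.0.0", "255.255.255.255"),          # all protocols from anywhere
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("%s (%s): port %d (%s) open to any source" % finding)
```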
Applications
Application Gateway
An Application Gateway is an application program that runs on a firewall system between two networks, for example an AWS API Gateway or Azure API Management Service.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
api_id | The API identifier |
name | The name of the API |
description | The description of the resource |
version | The version of the application gateway |
creation_date | The date the API was created |
api_key_source | The API key source |
endpoint_configuration | The endpoint configuration of the API |
policy | The policy associated with the application gateway |
trusted_accounts | The list of trusted accounts |
minimum_compression_size | Minimum compression size (in bytes) for the application gateway |
protocol | The protocol to be used with the application gateway |
relationships | List of resources associated with the application gateway |
custom_domains | Custom domains configured for the application gateway |
public_ip_addresses | A list of public IP addresses associated with the application gateway |
full_tls_10 | Indicates if TLS 1.0 is enabled for an API resource |
full_tls_11 | Indicates if TLS 1.1 is enabled for an API resource |
full_tls_12 | Indicates if TLS 1.2 is enabled for an API resource |
full_ssl_30 | Indicates if SSL 3.0 is enabled for an API resource |
Application Gateway Domain
An application gateway domain is a domain name typically designated and configured for use with an API Gateway. An example of this type of resource is AWS API Gateway Domain.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region in which the application gateway domain resides |
domain_name | The domain name of the application gateway domain |
certificate_arn | The certificate arn for the application gateway domain |
endpoint_type | The endpoint type (e.g., 'edge', 'regional') for the application gateway domain |
security_policy | The security policy for the application gateway domain (e.g., 'TLS_1_0', 'TLS_1_2') |
version | The version of the application gateway domain (e.g., 'v2') |
Application Key
Application Keys or AWS API Gateway keys are alphanumeric string values that you distribute to application developer customers to grant access to your API.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
key_id | The provider id for the encryption key |
name | The name of the REST API Key |
customer_id | The customer id of the API key |
description | The description of the resource |
enabled | Denotes whether or not the secret is enabled |
creation_date | The time the REST API Key was created |
last_updated | The time the REST API Key was last updated |
Application Stage
The Application Stage is a resource (often used in CloudFormation templates) to create a stage for a deployment.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
stage_id | The ID of the application stage |
parent_resource_id | The ID of the parent resource |
name | The name of the application stage |
gateway_name | The name of the associated gateway |
description | The description of the resource |
certificate_id | The certificate value |
cache_cluster_size | The size of the cache data, if caching is enabled |
cache_data_encrypted | Denotes whether or not cache data is encrypted |
access_logging | Denotes whether the stage logs access requests |
tracing_enabled | Boolean value to denote if tracing is turned on or off |
web_acl_id | The value for the web access control list |
creation_date | The date when resource was created |
last_updated | The date when resource was last updated |
arn | The ARN being used with the corresponding resource |
throttling_burst_limit | The throttling burst limit of the stage |
throttling_rate_limit | The throttling rate limit of the stage |
Backend Services
Backend Services
In GCP, a backend service contains the configuration values for Google Cloud Platform load balancing services.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of the Backend Service |
kind | The kind of backend service |
storage_container_resource_id | The resource ID of the associated storage container |
protocol | The protocol of the backend service |
port_name | The name of the port being used |
port | The port number being used |
description | The description of the resource |
created_time | The time resource was created |
scheme | The backend service scheme |
security_policy | The security policy in use |
backends | The backends of the Backend Service, as JSON |
Bastion Host
Bastion Host
Bastion Hosts are part of a service that allows seamless and secure connection to your virtual machines.
Attribute | Description |
---|---|
resource_id | Primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The identifier of the parent organization service (cloud) |
name | The name of the host |
state | The state of the host |
namespace_id | The provider-specific namespace ID for the host |
enable_ip_connect | Denotes whether IP-based connection is enabled |
enable_shareable_link | Denotes whether shareable link is enabled |
private_ip_allocation_method | The private IP allocation method |
tier | The tier of the host |
Content Delivery Network
Content Delivery Network
A Content Delivery Network is a system of servers that delivers content to users based on geographic location. This class inherits from TopLevelResource and has direct access to the resource's database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The identifier of the parent organization service (cloud) |
distribution_id | The provider-given ID of the CDN |
domain_name | The name of the domain used by the resource |
alternate_domain_names | The alternate domain names that can be used with the resource |
delivery_method | The delivery method of the CDN (web, RTMP, etc.) |
root_object | The object you want the CDN to request from your origin |
status | The status of the CDN (inprogress, deployed, etc.) |
state | The state of the CDN (enabled, disabled, etc.) |
http_versions | The supported versions of HTTP |
https_required | Boolean value on if HTTPS is required |
ipv6_enabled | Boolean value on if IPv6 is enabled in the CDN |
last_modified | The date of last resource modification |
log_bucket | The bucket to store logs in |
origins | The location from which you want the CDN to get objects. RTMP only has one origin |
origin_access_identities | Used to configure origins so that viewers can only access objects through the CDN |
origin_info_list | JSON list of information about the origin |
security_policy | The security policy being used |
certificate | The SSL certificate of the CDN |
certificate_resource_id | The value for the SSL certificate of the CDN |
web_acl_id | The web access control list ID of the CDN |
price_class | The price class. Costs vary based on performance |
comment | A user-supplied comment or description for the CDN |
arn | The ARN being used with the corresponding resource |
logging | Boolean value to denote if logging is enabled or disabled |
cookie_logging | Denotes whether cookie logging is enabled or disabled |
geo_whitelist | The list of whitelisted countries to the CDN |
geo_blacklist | The list of blacklisted countries to the CDN |
viewer_protocol_policy | The protocol that viewers can use to access the files in the origin |
trusted_signers | The list of accounts of active key pairs that can be used to verify signatures of signed URLs and cookies |
trusted_key_groups | The list of key groups that can be used to verify the signatures of signed URLs and cookies |
relationships | List of resources associated with the CDN |
cloud_functions | Cloud function(s) associated with the CDN |
function_body_access | Denotes if a cloud function has request body access |
origin_type | Denotes the type of origin attached to the CDN |
cdn_policy | The policy associated with the CDN |
storage_container_resource_id | The ID for the storage container resource associated with the CDN |
backend_service_resource_id | The ID for the backend service resource associated with the CDN |
waf_resource_id | The ID for the WAF resource associated with the CDN |
default_cache_policy_id | The ID for the default cache policy associated with the CDN |
Database Migration Endpoint
Database Migration Endpoint
A Database Migration Endpoint is used to connect to a data store and migrate data from a source endpoint to a target endpoint.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region in which the endpoint resides |
endpoint_id | The ID for the endpoint |
endpoint_type | The type for the endpoint |
state | The state of the endpoint |
server_name | The name of the database instance |
engine_name | The provider-specific name of the database instance engine |
engine_display_name | The display name of the database instance engine |
key_resource_id | The resource ID for the encryption key associated with the endpoint |
certificate_resource_id | The resource ID for the certificate associated with the endpoint |
role_resource_id | The resource ID for the role associated with the endpoint |
ssl_mode | The mode, if any, of SSL used by the endpoint |
namespace_id | The provider-specific namespace ID for the endpoint |
DDOS Protection
DDoS Protection
DDoS Protection is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on your CSP.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
protection_id | The value for identifying which unique protection is being used |
ref_resource_type | The resource type identifier |
ref_resource_id | The value for the category of protection that is being used |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
arn | The ARN associated with this resource |
ref_resource_arn | Provider-specific namespace ID of the protected resource |
name | The name of the DDoS Protection resource |
enabled | Boolean value denoting if resource is enabled or disabled |
last_attack_start_time | The start time of the most recent DDoS attack |
last_attack_end_time | The end time of the most recent DDoS attack |
last_attack_types | The type(s) of DDoS attack used |
namespace_id | The provider-specific namespace ID for the DDoS Protection instance |
Direct Connect
Direct Connect
Direct Connect is a private connection between environments to reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. (See AWS Direct Connect, Azure Express Route Circuit)
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
connection_id | The unique identifier of the connection |
name | The name of the direct connect resource |
state | Denotes if the resource is active or inactive |
location | The location of the direct connection |
direct_connect_type | The type of direct connection being used |
creation_timestamp | The time the direct connection was created |
bandwidth | The range of frequencies for the Direct Connect |
DNS Zone
DNS Zone
DNS Zones are responsible for housing all zone and record information associated with a particular zone. This resource inherits from Resource and has direct access to the resource's database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
id | The provider ID of the zone |
domain | The domain that the zone controls |
comment | The descriptive comment about the zone |
private_zone | Denotes whether or not this is a private zone |
records | The listing of DNS records associated with this zone |
networks | The listing of private networks that are associated with this zone |
dns_security | The JSON of the DNS Security policy |
class DivvyResource.Resources.dnszone.DnsZone(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource
delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.
dns_zone
static get_db_class()
get_domain()
Retrieve the domain of the DNS zone.
get_networks()
Retrieve the networks associated with a private zone.
get_private_zone()
Retrieve the value of the private zone boolean.
static get_provider_id_field()
get_resource_name()
static get_resource_name_field()
static get_resource_type()
get_supported_actions()
handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).
handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from groups, alerts, etc).
handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
top_level_resource = True
zone_id
Forwarding Rules
Forwarding Rules
Forwarding rules (or, in the case of Azure, Load Balancer rules) are used to define how traffic is distributed to the VMs. (See also GCP's Load Balancer Forwarding Rules.)
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of the Forwarding Rule |
load_balancer_resource_id | The load balancer resource identifier |
target_proxy_resource_id | The target proxy resource identifier |
ip_address | The unique internet protocol address of the machine |
ip_protocol | The IP protocol used |
ip_version | The IP version used |
network_tier | The network tier |
description | The description of the resource |
created_time | The time the forwarding rule was created |
scheme | The forwarding rule scheme |
Global Load Balancer
Global Load Balancer
A global, scalable entry-point that uses a global edge network to create fast, secure, and widely scalable web applications.
Attribute | Description |
---|---|
name | The name of the global load balancer |
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
global_load_balancer_id | The provider ID of the global load balancer |
region_name | The region that the instance resides in |
state | The state of the global load balancer (e.g., Enabled ) |
all_session_affinity_enabled | An indicator of the enabled status of "all session affinity" of the global load balancer ('0' or '1') |
all_health_probes_enabled | An indicator of the enabled status of "all health probes" of the global load balancer ('0' or '1') |
only_https_accepted_protocol | An indicator of the enabled status of "only https accepted protocol" of the global load balancer ('0' or '1') |
only_https_forwarding_protocol | An indicator of the enabled status of "only https forwarding protocol" of the global load balancer ('0' or '1') |
waf_enabled | An indicator of the enabled status of "WAF" of the global load balancer ('0' or '1') |
all_load_balancers_enabled | An indicator of the enabled status of "all load balancers" associated with the global load balancer ('0' or '1') |
domain_names | The domain names of the associated frontend endpoints for a global load balancer |
ip_address_type | The IP address type (v4, v6) of the global load balancer |
arn | The ARN associated with the global load balancer |
enabled | Denotes whether the global load balancer is enabled |
ip_sets | The IP sets associated to the global load balancer |
listeners | The listeners configured for the global load balancer |
dns_name | The DNS name for the global load balancer |
creation_time | The timestamp for when the global load balancer was created |
last_updated_time | The timestamp for when the global load balancer was last updated |
flowlogs_enabled | Denotes whether flow logs are enabled for the global load balancer |
flowlogs_s3_bucket | The S3 bucket where flow logs are stored |
flowlogs_s3_prefix | The prefix within the S3 bucket where flow logs are stored |
rules_engines | The names of both rules engine configurations and their individual rules |
Internet Gateway
Internet Gateway
Internet Gateway resources allow communication between instances in your network and the internet. This resource inherits from Resource and has direct access to the resource's database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
gateway_id | The unique identifier of the internet gateway |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of the internet gateway |
network_resource_id | The resource ID of the network associated with the internet gateway |
state | The state of the internet gateway |
Load Balancer
Load Balancer
Load balancers are used in multi-tier apps to distribute load across a variety of compute instances. This class inherits from TopLevelResource and has direct access to the resource’s database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
load_balancer_id | The provider ID of the load balancer |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region that the instance resides in |
name | The name of the load balancer |
created_time | The time the resource was created |
fqdn | The fully qualified domain name of the load balancer |
scheme | The load balancing scheme |
arn | The ARN associated with this load balancer |
lb_type | The type of load balancer |
attributes | The load balancer attributes |
target_count | The number of targets for the load balancer |
ssl_policies | The SSL policies associated with the load balancer |
security_group_ids | List of IDs for security groups associated with the load balancer |
multi_az | Denotes whether the load balancer is configured in multiple availability zones |
supports_redirects | Denotes whether the load balancer supports redirects |
tier | The load balancer tier |
waf_enabled | Denotes whether WAF is enabled for the load balancer |
listener_config | Configuration for the listener associated with the load balancer |
ip_address_type | The type of IP address associated with the load balancer |
relationships | List of resources associated with the load balancer |
ssl_protocols | The SSL protocols associated with the load balancer |
waf_mode | The current mode of the Web Application Firewall attached to the Load Balancer |
class DivvyResource.Resources.loadbalancer.LoadBalancer(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource
LoadBalancer Operations
delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.
classmethod filter_query_for_global_search(query, search_string)
Apply the query filters that will restrict a provided query to the provided global search string and return the modified query.
Parameters:
query (sqlalchemy.orm.query) – Original query that includes this resource type
search_string (basestring) – Single string to search for across all important text fields for this resource
Returns: Modified query including filters that match search string
Return type: sqlalchemy.orm.query
get_date_created()
Retrieve the time from the provider that this resource was created (if available).
static get_db_class()
static get_provider_id_field()
static get_resource_type()
get_supported_actions()
Retrieve all the actions which are supported by this resource.
NAT Gateway
NAT Gateway
Enables instances in a private network to forward traffic to the Internet (e.g. AWS Nat Gateway VPC, GCP Cloud NAT, Azure NAT Gateway).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
gateway_id | The service-provided ID for this NAT gateway |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of the NAT gateway |
network_resource_id | The resource ID of the network to which this NAT gateway belongs. Not used for some cloud providers |
subnet_resource_id | The resource ID of the subnet to which this NAT gateway belongs. Not used for some cloud providers |
network_interface_resource_id | The resource ID of the network interface to which this NAT gateway belongs. Not used for some cloud providers |
public_ip | The public-facing internet address for this NAT gateway |
private_ip | The internal address for this NAT gateway |
state | The state of this NAT gateway |
create_time | The creation time for this NAT gateway |
Network
Network
Logically isolated virtual environment within a Cloud Provider (AWS VPC, Azure Virtual Network, Google VPC, etc.)
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
network_id | The provider id of the network |
region_name | The name of the region |
name | The name of network |
state | The state of the network |
cidr | The limiting IP address range for the network. Applies to AWS (optional) |
prefix | The optional sub-directory to begin with |
user_defined | The indicator of whether this network is user defined or default |
type | The network type |
shared | Denotes whether or not this is a shared network |
default_network | The specified default network |
dhcp_options_id | The DhcpOptions ID, if applicable (AWS Only) |
associations | The list of the resource IDs that are associated |
Network Address Group
A Network Address Group provides visibility into defined network address prefixes (AWS Managed Prefix List, Azure IP Group).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of the Network Address Group |
group_id | The primary group identifier that takes the form of a prefix followed by numbers and letters |
state | The state of the Network Address Group |
addresses | The list of addresses associated with the Network Address Group |
customer_managed | Denotes whether the Network Address Group is managed by the customer |
namespace_id | The ARN associated with the Network Address Group |
associations | Lists the number of resources associated with the Network Address Group |
Network Endpoint
A Network Endpoint enables you to privately connect your VPC to supported services. In AWS, VPC endpoint services are powered by AWS PrivateLink and do not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. In Azure, Service endpoints provide the ability to secure Azure service resources to your virtual network by extending VNet identity to the service.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
endpoint_id | The provider ID of the network endpoint |
name | The name of the Network Endpoint |
endpoint_type | The endpoint type of the resource |
state | The state of the network endpoint |
service_name | The service name that the endpoint connects to |
network_id | The ID of the network to which the endpoint belongs |
policy | The IAM access policy of the resource |
trusted_accounts | The trusted accounts that can interact with the endpoint |
public_access | Denotes whether the network endpoint is exposed to the public |
owner_id | The ID of the network endpoint owner |
creation_date | The time when network endpoint was created |
private_dns_enabled | Denotes whether private DNS is supported |
Network Endpoint Service
Network Endpoint Services enable you to privately connect your VPC to supported provider services (AWS VPC Endpoint Services, Azure Private Link Service).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
service_id | The ID for the network endpoint service |
name | The local name of the network endpoint service |
service_type | The type of the network endpoint service, e.g., 'interface' |
state | The state of the network endpoint service, e.g., 'available' |
service_name | The full name of the network endpoint service |
trusted_accounts | The trusted accounts associated with the network endpoint service |
publicly_accessible | An indicator of the public accessibility of the network endpoint service ('0' or '1') |
acceptance_required | An indicator of whether or not VPC endpoint connection requests to the service must be accepted by the service owner ('0' or '1') |
manages_vpc_endpoints | An indicator of whether the network endpoint service manages VPC endpoints ('0' or '1') |
load_balancer_count | The number of load balancers associated with the network endpoint service |
availability_zones | A list of availability zones for the network endpoint service, e.g., "us-east-1a" |
connections | A list of key:value pairs identifying the connections for the network endpoint service, e.g., "endpoint_id:<_endpoint ID_>", "connection_state:available" |
connections_count | The number of connections associated with the network endpoint service |
relationships | A list of relationships between the Network Endpoint Service and other services |
Network Firewall
A managed, cloud-based network-security service that protects network resources. Examples of this resource are AWS Network Firewall and Azure Firewall.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region where the network firewall resides |
name | The name of the network firewall resource |
firewall_id | The ID of the network firewall resource |
state | The state of the network firewall resource |
firewall_type | The type of the network firewall resource |
zones | The zones associated with the network firewall |
threat_intel_mode | The threat intel mode for the network firewall resource |
dns_proxy_enabled | An indicator showing whether the DNS proxy is enabled |
dns_servers | The DNS servers associated with the network firewall resource |
network_resource_id | The ID for the network resource associated with the network firewall resource |
subnet_resource_id | The ID for the subnet resource associated with the network firewall resource |
management_subnet_resource_id | The ID for the management subnet resource |
management_ip_resource_id | The ID for the management IP resource associated with the network firewall resource |
namespace_id | The ID of the namespace associated with the network firewall resource |
relationships | The list of resources associated with the network firewall |
policy_arn | The ARN for the policy associated with the network firewall |
delete_protection | Denotes if the network firewall has delete protection enabled |
subnet_change_protection | Denotes if the network firewall has subnet change protection enabled |
encryption_configuration | The configuration for the encryption on the network firewall |
Network Firewall Rule
A network firewall rule is a firewall rule that can include NAT rules, network rules, and application rules. An example of this type of resource is an Azure Firewall Rule.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region where the network firewall rule resides |
rule_list_resource_id | The ID of the rule list resource |
rule_list_type | The rule type of the network firewall rule |
name | The name of the network firewall rule |
description | A description of the network firewall rule. |
protocols | An array of application rule protocols for the network firewall rule |
source_address_groups | An array of source address groups associated with the network firewall rule |
service_tags | A list of service tags associated with the network firewall rule |
destination_address_groups | A list of destination address groups associated with the network firewall rule |
destination_fqdns | A list of destination FQDNs associated with the network firewall rule |
translated_address | The translated address for the network firewall rule |
translated_port | The translated port for the network firewall rule |
priority | The priority of the rule |
direction | The direction of the rule |
action | The actions of the rule |
custom_actions | The configured custom actions of the rule |
Network Firewall Rule List
Firewall rule collections processed according to the rule type in priority order. An example of this type of resource is Azure Firewall Rule Collection.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region where the network firewall rule list resides |
name | The name of the network firewall rule list |
firewall_resource_id | The ID of the firewall resource |
list_type | The type of the network firewall rule list |
priority | The priority of the network firewall rule list |
action | The action type of the network firewall rule list |
namespace_id | The ID of the namespace associated with the network firewall rule list |
capacity | The capacity of the rule list |
status | The status of the rule list |
stateless_full_packet_actions | The stateless full-packet actions of the rule list |
stateless_fragmented_packet_actions | The stateless fragmented-packet actions of the rule list |
stateful_evaluation_order | The stateful rule evaluation order of the rule list |
stateful_default_actions | The stateful default actions of the rule list |
stateful_rule_variables | The list of rule variables of the rule list |
stateful_ip_references | The list of IP references of the rule list |
Network Flow Log
Network flow log resources store configuration and delivery information regarding traffic flows between networking components in a cloud network. This resource inherits from Resource and has direct access to the resource's database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region where the flow log resides |
flow_log_id | The provider ID of the flow log |
name | The name of the flow log |
log_group_name | The name of the logging group |
bucket_name | The name of the bucket where logs are delivered |
traffic_type | The type of traffic being logged |
provider_id | The provider ID of the flow log's parent |
parent_resource_id | The provider resource ID of the flow log's parent |
status | The status of log delivery (active, inactive) |
delivery_status | The logging status of the flow log (success, failed) |
delivery_error | The delivery error description |
creation_time | The time the flow log was created |
log_format | The log format of the flow log data published to a storage container |
max_aggregation_interval | The maximum aggregation interval of the flow log |
file_format | The file format of the flow log data published to a storage container |
hive_compatible_partitions | The number of hive-compatible partitions for the flow log |
per_hour_partition | The number of per-hour partitions for the flow log |
namespace_id | The provider-specific namespace ID |
retention_days | The number of days logs are retained |
class DivvyResource.Resources.networkflowlog.NetworkFlowLog(resource_id)
Bases: DivvyResource.Resources.resource.Resource
Network Flow Log Operations
flow_log
flow_log_id
static get_db_class()
get_parent_resource_id()
static get_provider_id_field()
get_resource_name()
static get_resource_name_field()
Network flow logs don’t have a name so we will use the log_group_name as the name.
static get_resource_type()
handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).
handle_resource_destroyed(user_resource_id=None, project_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).
handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
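A flow log that exists but is inactive, failing delivery, or capturing only ACCEPT traffic gives no useful visibility, so a coverage check has to look at status, delivery_status and traffic_type together rather than at mere presence. The following is an added example, not InsightCloudSec code: it evaluates constructed dicts keyed by the Network Flow Log attribute names above (plus a resource_id and name for each network) and reports networks without full coverage. The traffic_type values ALL/ACCEPT/REJECT follow AWS conventions and are assumed here; how the records are obtained (API export, bot, script) is out of scope.

```python
"""Flow-log coverage check over normalized Network Flow Log records.

Added example (not InsightCloudSec code). Records are constructed dicts
keyed by the documented attribute names; IDs are placeholders.
"""
from collections import defaultdict

# Constructed sample data. status/delivery_status use the documented values
# (active/inactive, success/failed); traffic_type uses the AWS values (assumed).
NETWORKS = [
    {"resource_id": "network-1", "name": "prod-vpc"},
    {"resource_id": "network-2", "name": "dev-vpc"},
    {"resource_id": "network-3", "name": "eu-vpc"},
    {"resource_id": "network-4", "name": "audit-vpc"},
]

FLOW_LOGS = [
    # Healthy: active, delivering, capturing all traffic.
    {"flow_log_id": "fl-0001", "parent_resource_id": "network-1",
     "status": "active", "delivery_status": "success", "traffic_type": "ALL"},
    # Configured but delivery is broken (e.g. missing permission on the log group).
    {"flow_log_id": "fl-0002", "parent_resource_id": "network-2",
     "status": "active", "delivery_status": "failed", "delivery_error": "Access error"},
    # Only ACCEPT traffic: rejected connections (scans, blocked lateral
    # movement) would never be logged.
    {"flow_log_id": "fl-0003", "parent_resource_id": "network-2",
     "status": "active", "delivery_status": "success", "traffic_type": "ACCEPT"},
    # Every log for this network is failing.
    {"flow_log_id": "fl-0004", "parent_resource_id": "network-4",
     "status": "active", "delivery_status": "failed", "delivery_error": "Access error"},
]


def is_effective(log):
    """A flow log only provides visibility if it is active AND delivering."""
    return log.get("status") == "active" and log.get("delivery_status") == "success"


def coverage_report(networks, flow_logs):
    """Return {network resource_id: finding} for networks lacking full coverage.

    Full coverage means at least one effective flow log with traffic_type ALL,
    or both an ACCEPT and a REJECT log. Networks whose logs exist but do not
    deliver are reported separately from networks with no logs at all,
    because the remediation differs.
    """
    by_network = defaultdict(list)
    for log in flow_logs:
        by_network[log["parent_resource_id"]].append(log)

    findings = {}
    for net in networks:
        logs = by_network.get(net["resource_id"], [])
        if not logs:
            findings[net["resource_id"]] = "no flow log configured"
            continue
        effective = [l for l in logs if is_effective(l)]
        if not effective:
            errors = sorted({l["delivery_error"] for l in logs if l.get("delivery_error")})
            detail = f" ({', '.join(errors)})" if errors else ""
            findings[net["resource_id"]] = "flow logs configured but none delivering" + detail
            continue
        types = {str(l.get("traffic_type", "")).upper() for l in effective}
        if "ALL" in types or {"ACCEPT", "REJECT"} <= types:
            continue
        findings[net["resource_id"]] = (
            f"partial capture: only {', '.join(sorted(types))} traffic logged")
    return findings


if __name__ == "__main__":
    for resource_id, finding in coverage_report(NETWORKS, FLOW_LOGS).items():
        print(f"{resource_id}: {finding}")
```

The join is on parent_resource_id, so a network with several flow logs (one per destination, or one per traffic type) is evaluated as a set; a single healthy ALL log or an ACCEPT/REJECT pair clears it.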
Network Interface
Network Interface resources represent the virtual network interfaces (e.g., AWS Elastic Network Interfaces) that attach compute instances and other resources to a subnet, including their private and public addressing. This resource inherits from Resource Class and has direct access to the resource's database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
network_interface_id | The cloud id for the network interface |
name | The name of the network interface |
description | The optional description of the network interface |
subnet_resource_id | The resource id for the subnet that the interface is attached |
network_resource_id | The resource id for the network this interface is attached to |
region_name | The name of the region |
zone | The availability zone where the interface is deployed |
instance_resource_id | The instance identifier that the interface belongs to |
device_index | The device index of the interface |
mac_address | The MAC/hardware address of the interface |
private_ip_address | The Private IP address associated with this network interface |
private_dns_name | The private DNS name of the interface |
public_ip_address | The Public IP address associated with this network interface |
public_dns_name | The public DNS name of the interface |
attachment_id | The ID of the attached resource, if known |
owner_id | The ID of the account that owns the network interface |
interface_type | The type of the interface (e.g., an NSX edge interface type) |
ipv6_address | The IPv6 Address associated with this interface |
source_dest_check | Denotes if source/destination checking is enabled for this device |
Network Peer
Network peer resources interconnect two private networks. This resource inherits from Resource Class and has direct access to the resource’s database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The region that the network resides in |
peer_id | The provider ID of the network peering connection |
name | The name of the network peer |
status | The status of the network peering connection |
requester_vpc_owner | The owner of the network requesting peering access |
requester_vpc_id | The ID of the network requesting peering access |
requester_vpc_cidr | The CIDR block of the network requesting peering access |
accepter_vpc_owner | The owner of the network accepting the peer request |
accepter_vpc_id | The ID of the network accepting the peer request |
accepter_vpc_cidr | The CIDR block of the network accepting the peer request |
allow_egress_classic | Denotes if you’ve enabled any EC2-Classic instances to communicate with instances in the peered network |
allow_egress_vpc | Denotes if your network is a source or destination for ingress or egress rules in your resource access lists |
allow_dns_resolution | Denotes if your network peer connection has enabled DNS hostname resolution |
class DivvyResource.Resources.networkpeer.NetworkPeer(resource_id)
Bases: DivvyResource.Resources.resource.Resource
Network Peer Operations
static get_db_class()
get_parent_resource_id()
static get_provider_id_field()
static get_resource_type()
handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).
handle_resource_destroyed(user_resource_id=None, project_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).
handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
network_peer
peer_id
Private Subnet
Private Subnet
Private logical subdivision of a network.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
subnet_id | The provider ID of the subnet |
network_resource_id | The resource ID of the parent network |
name | The name of the private subnet |
cidr | The classless inter-domain routing of the network |
prefix | The address prefix of the subnet |
available_ips | The number of available IPs in the subnet |
availability_zone | The availability zone in which the subnet is located |
region_name | The name of the region |
gateway_address | The route configuration gateway address |
public_ip_on_launch | Denotes whether instances launched in this subnet are assigned a public IP address by default |
Public IP
Public IP
Public IP addresses are used to communicate over the Internet. Examples of these include AWS Elastic IPs. This class inherits from TopLevelResource and has direct access to the resource’s database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
public_ip | The publicly accessible IP address |
private_ip | The private IP that this public IP will pass through to |
domain | The domain associated with this public IP |
network_interface_resource_id | The resource ID of the network interface the IP is associated to |
allocation_id | The provider allocation ID of the public IP |
region_name | The region that the public IP resides in |
association_id | The provider association ID |
allocation_type | Denotes an ephemeral vs persistent IP address |
name | The name associated with the Public IP |
provider_id | The provider-specific ID associated with the Public IP |
fqdn | The fully-qualified domain name associated with the Public IP |
namespace_id | The provider's namespace ID for the public IP |
class DivvyResource.Resources.publicip.PublicIp(resource_id)
Bases: DivvyResource.Resources.toplevelresource.TopLevelResource
IP Address Operations (Elastic/Floating/Public IPs)
allocation_id
delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.
get_attached_instance()
Retrieve the attached instance (Resource object).
get_attached_network_interface()
Retrieve the network interface (Resource object) this IP is attached to, or None if not attached.
static get_db_class()
get_domain()
Retrieve the domain of the resource (e.g., vpc)
static get_provider_id_field()
get_resource_name()
Public IPs are not named by the user. We return the ip address itself.
static get_resource_name_field()
static get_resource_type()
get_supported_actions()
handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to projects/groups, alerts, etc).
handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from projects/groups, alerts, etc).
handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
ip_address
is_ephemeral
public_ip
top_level_resource = True
Query Log
Query Log Config
A Query Log Config stores the configuration for logging the DNS queries that originate from resources in a network (e.g., an AWS Route 53 Resolver query logging configuration).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the organization service (cloud) this resource belongs to |
region_name | The region where this resource resides |
config_id | The ID for the query logging configuration |
name | The name of the query logging configuration resource |
arn | The ARN for the query logging configuration |
association_count | The number of VPCs associated with the query logging configuration |
owner_id | The account ID for the account that created the query logging configuration |
destination_arn | The ARN of the resource where you want to send query logs |
destination_type | The type of resource where query logs will be received (e.g., S3, CloudWatch Logs) |
create_time | The time the query logging configuration was created |
status | The status of the query logging configuration (e.g., 'Created', 'Creating', 'Deleted', and 'Failed') |
Route
Route
The Route resource is used to determine where network traffic from your subnet or gateway is directed (e.g., AWS Route, Azure Route).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the organization service (cloud) this resource belongs to |
region_name | The region where this resource resides |
route_table_resource_id | The ID for the route table resource |
cidr | The Classless Inter-domain Routing (CIDR) address of the Route resource |
target_id | The ID of the target, e.g., 'Internet' |
target_type | The target type, e.g., 'gateway' |
state | The state of the route resource, e.g., 'active' |
Route Table
Network route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. This class inherits from Resource and has direct access to the resource’s database object.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the organization service (cloud) this resource belongs to |
region_name | The region where this resource resides |
name | The name of this route table |
network_resource_id | The resource ID of the parent (network) |
vpc_association_id | The virtual private cloud that this route table is associated with |
routes | The routes that belong to this table |
class DivvyResource.Resources.routetable.RouteTable(resource_id)
Bases: DivvyResource.Resources.resource.Resource
Route Table Operations
delete(user_resource_id=None)
Delete this resource. If wrapped in a with JobQueue() block, this will queue the deletion job to the wrapped queue, otherwise it calls immediately.
static get_db_class()
get_network_id()
Retrieve the network ID that the route table belongs to.
static get_provider_id_field()
static get_resource_type()
get_supported_actions()
get_vpc_association_id()
Retrieve the VPC association ID of the route.
handle_resource_created(user_resource_id=None, project_resource_id=None)
This should be called when a resource is created/discovered after the basic data is added to the database. This gives an opportunity for post-addition hooks (assignment to groups, alerts, etc).
handle_resource_destroyed(user_resource_id=None)
This should be called when a resource is destroyed before the basic data is removed from the database. This gives an opportunity for pre-destruction hooks (removal from groups, alerts, etc).
handle_resource_modified(resource, *args, **kwargs)
This should be called when a resource is modified after the new data has been updated in the DB session. This gives an opportunity for post-modification hooks.
route_table
route_table_id
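Whether a subnet is internet-facing is not a single attribute: it follows from the routes in its route table (a usable route to an internet gateway) combined with the subnet's public_ip_on_launch setting, and a route whose state is not active (AWS marks a route to a detached gateway as blackhole) does not forward traffic at all. The following is an added example, not InsightCloudSec code: it classifies constructed subnet records using the Route (cidr, target_id, target_type, state), Route Table and Private Subnet attributes documented above. The route_table_resource_id field on each subnet, the 'igw-'/'nat-' ID prefixes and the target_type values are AWS conventions assumed for the example.

```python
"""Classify subnets as internet-facing from normalized Route / Private Subnet
records. Added example (not InsightCloudSec code); data is constructed and
IDs are placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data keyed by the attribute names in the Route table above.
ROUTES = [
    {"route_table_resource_id": "rtb-public", "cidr": "10.0.0.0/16",
     "target_id": "local", "target_type": "local", "state": "active"},
    {"route_table_resource_id": "rtb-public", "cidr": "0.0.0.0/0",
     "target_id": "igw-0a1", "target_type": "gateway", "state": "active"},
    {"route_table_resource_id": "rtb-private", "cidr": "10.0.0.0/16",
     "target_id": "local", "target_type": "local", "state": "active"},
    {"route_table_resource_id": "rtb-private", "cidr": "0.0.0.0/0",
     "target_id": "nat-0b2", "target_type": "nat", "state": "active"},
    # Default route whose internet gateway was detached: AWS reports blackhole.
    {"route_table_resource_id": "rtb-stale", "cidr": "10.0.0.0/16",
     "target_id": "local", "target_type": "local", "state": "active"},
    {"route_table_resource_id": "rtb-stale", "cidr": "0.0.0.0/0",
     "target_id": "igw-0a1", "target_type": "gateway", "state": "blackhole"},
]

# Constructed subnets; route_table_resource_id is an assumed association field.
SUBNETS = [
    {"subnet_id": "subnet-a", "cidr": "10.0.1.0/24", "route_table_resource_id": "rtb-public", "public_ip_on_launch": True},
    {"subnet_id": "subnet-b", "cidr": "10.0.2.0/24", "route_table_resource_id": "rtb-public", "public_ip_on_launch": False},
    {"subnet_id": "subnet-c", "cidr": "10.0.3.0/24", "route_table_resource_id": "rtb-private", "public_ip_on_launch": False},
    {"subnet_id": "subnet-d", "cidr": "10.0.4.0/24", "route_table_resource_id": "rtb-stale", "public_ip_on_launch": True},
]

PROBE = "198.51.100.1"  # any public address (TEST-NET-2) outside the VPC CIDR


def routes_by_table(routes):
    tables = defaultdict(list)
    for r in routes:
        tables[r["route_table_resource_id"]].append(r)
    return tables


def lookup(routes, address):
    """Longest-prefix match, as the VPC router does. Non-active routes never forward."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for r in routes:
        if r.get("state") != "active":
            continue
        net = ipaddress.ip_network(r["cidr"], strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def is_internet_gateway(route):
    # Assumed AWS convention: internet gateways have target_type 'gateway' and an 'igw-' ID.
    return (route is not None and route.get("target_type") == "gateway"
            and str(route.get("target_id", "")).startswith("igw-"))


def classify_subnets(subnets, routes):
    """Return {subnet_id: {internet_route, auto_public_ip, exposure}}."""
    tables = routes_by_table(routes)
    result = {}
    for s in subnets:
        egress = lookup(tables.get(s["route_table_resource_id"], []), PROBE)
        public_route = is_internet_gateway(egress)
        auto_ip = bool(s.get("public_ip_on_launch"))
        if public_route and auto_ip:
            exposure = "public: instances get a public IP and a direct internet route"
        elif public_route:
            exposure = "public route only: reachable once a public or Elastic IP is attached"
        elif auto_ip:
            exposure = "private: no usable internet route, but public IPs are still assigned on launch"
        else:
            exposure = "private"
        result[s["subnet_id"]] = {"internet_route": public_route,
                                  "auto_public_ip": auto_ip, "exposure": exposure}
    return result


if __name__ == "__main__":
    for subnet_id, info in classify_subnets(SUBNETS, ROUTES).items():
        print(subnet_id, info["exposure"])
```

Probing with an address outside the VPC CIDR rather than looking only for a literal 0.0.0.0/0 entry means a more specific route (for example a /24 to a NAT gateway) is honoured the way the router honours it, and subnet-d shows why route state matters: its default route points at an internet gateway but is blackholed, so it is not public.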
Site-to-Site VPN
Site-to-Site VPN
A Site-to-Site VPN connection offers two VPN tunnels between a virtual private gateway or a transit gateway on the cloud provider side and a customer gateway on the remote (on-premises) side.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
vpn_id | The ID of the VPN |
name | The name of Site To Site VPN |
state | The state of the VPN connection |
category | The category of the VPN connection |
static_route_count | The number of static routes configured on the VPN connection |
bgp_route_count | The Border Gateway Protocol (BGP) route count, if applicable |
static_routes | The list of static routes configured on the VPN connection |
options | The list of specific user-defined options |
customer_gateway_id | The ID of the associated Customer Gateway |
virtual_gateway_id | The ID of the associated Virtual Private Gateway |
transit_gateway_id | The ID of the associated Transit Gateway |
last_updated | The time resource was updated last |
Target Proxies
Target Proxies
In GCP target proxies are referenced by one or more forwarding rules. In the case of HTTP(S) load balancing, proxies route incoming requests to a URL map.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
name | The name of target proxy |
kind | The kind of target proxy |
load_balancer_resource_id | The load balancer resource identifier |
service_resource_id | The backend service resource identifier |
description | The target proxy description |
created_time | The time target proxy was created |
Traffic
Traffic Manager
A Traffic Manager is a DNS-based network traffic load balancer that distributes traffic across the endpoints in your environment according to its configured routing method.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
traffic_manager_id | The ID for the traffic manager |
region_name | The name of the region the traffic manager is deployed in |
status | The status of the traffic manager profile |
fqdn | The fully-qualified domain name for the traffic manager |
routing_method | The routing method for the traffic manager |
profile_monitor_status | The profile monitor status for the traffic manager |
protocol | The protocol of monitor configuration in the traffic manager |
port | The port of monitor configuration in the traffic manager |
interval_in_seconds | Interval (in seconds) for the monitor configuration in the traffic manager |
tolerated_number_of_failures | Tolerated number of failures for the monitor configuration in the traffic manager |
timeout_in_seconds | Timeout in seconds for the monitor configuration in the traffic manager |
endpoints | The list of endpoints for the traffic manager |
traffic_view_enrollment_status | The traffic view enrollment status for the traffic manager |
Traffic Mirror Target
Traffic Mirroring is an Amazon VPC feature that copies network traffic from the elastic network interface of an Amazon EC2 instance and sends it to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting. The Traffic Mirror Target is the destination for that copied traffic (e.g., AWS VPC Traffic Mirror Target).
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
target_id | The identifier of the target |
name | The name of the target |
type | The type of target |
source | The provider id of the source |
source_resource_id | The source resource identifier |
source_name | The name of the source |
description | The description of the mirror target |
owner_id | The owner account identifier of the target |
cross_account | Denotes whether or not the target spans accounts |
Transit Gateway
Transit Gateway
A Transit Gateway enables customers to connect private clouds (e.g., Amazon Virtual Private Clouds (VPCs)) and their on-premises networks to a single gateway.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
transit_gateway_id | The service provided ID for this transit gateway |
name | The name of the Transit Gateway |
owner_account_id | The ID of the account that owns the Transit Gateway |
create_time | The time the Transit Gateway was created |
state | The state of this Transit Gateway |
dns_support | Denotes if the Transit Gateway has DNS support |
associated_route_table_id | The ID of the associated route table, if applicable |
auto_accept_shared_attachments | Denotes whether attachment requests from shared (cross-account) resources are accepted automatically, without review by the gateway owner |
attachment_count | The number of attachments to the Transit Gateway |
provider_asn | The provider ASN associated with the Transit Gateway |
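Two of the settings above decide whether another account can attach to your network without anyone approving it: a Network Endpoint Service with acceptance_required set to '0' (or publicly_accessible set to '1'), and a Transit Gateway with auto_accept_shared_attachments enabled. Note that the indicators in these tables are the strings '0' and '1', so a plain truthiness test would treat '0' as enabled. The following is an added example, not InsightCloudSec code: it normalizes the indicators and flags the records that accept connections automatically. The records are constructed dicts keyed by the documented attribute names; the severity labels and the account IDs are assumptions for the example.

```python
"""Flag trust-boundary settings that let other accounts connect without review.
Added example (not InsightCloudSec code); data is constructed and IDs are
placeholders.
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def as_bool(value):
    """Normalize the documented '0'/'1' strings (and bools/None) to a bool.

    bool('0') is True, so the string indicators must be compared by value.
    """
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    return str(value).strip().lower() in TRUE_VALUES


# Constructed sample data keyed by the Network Endpoint Service attributes.
ENDPOINT_SERVICES = [
    {"service_id": "vpce-svc-1", "name": "internal-api", "publicly_accessible": "0",
     "acceptance_required": "1", "trusted_accounts": ["111111111111"]},
    {"service_id": "vpce-svc-2", "name": "partner-feed", "publicly_accessible": "0",
     "acceptance_required": "0", "trusted_accounts": ["222222222222"]},
    {"service_id": "vpce-svc-3", "name": "legacy", "publicly_accessible": "1",
     "acceptance_required": "1", "trusted_accounts": []},
]

# Constructed sample data keyed by the Transit Gateway attributes.
TRANSIT_GATEWAYS = [
    {"transit_gateway_id": "tgw-1", "name": "hub",
     "auto_accept_shared_attachments": "0", "attachment_count": 4},
    {"transit_gateway_id": "tgw-2", "name": "sandbox-hub",
     "auto_accept_shared_attachments": "1", "attachment_count": 1},
]


def endpoint_service_findings(services):
    """Return (resource, severity, message) tuples for services that accept
    connections without an owner decision."""
    findings = []
    for svc in services:
        label = f"{svc['service_id']} ({svc['name']})"
        if as_bool(svc.get("publicly_accessible")):
            findings.append((label, "HIGH", "endpoint service is publicly accessible"))
        if not as_bool(svc.get("acceptance_required")):
            trusted = ", ".join(svc.get("trusted_accounts") or []) or "no trusted accounts listed"
            findings.append((label, "MEDIUM",
                             f"connection requests are auto-accepted; trusted: {trusted}"))
    return findings


def transit_gateway_findings(gateways):
    """Return findings for gateways that auto-accept shared attachments."""
    return [(f"{gw['transit_gateway_id']} ({gw['name']})", "MEDIUM",
             "shared attachments are auto-accepted; cross-account networks can join without review")
            for gw in gateways if as_bool(gw.get("auto_accept_shared_attachments"))]


if __name__ == "__main__":
    for finding in endpoint_service_findings(ENDPOINT_SERVICES) + transit_gateway_findings(TRANSIT_GATEWAYS):
        print("%-28s %-7s %s" % finding)
```

An auto-accepted connection is only as safe as the trusted-account list beside it, so the endpoint-service finding carries trusted_accounts along for the reviewer rather than deciding on its own that a particular account is acceptable.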
URL Maps
URL Maps
A URL Map is a set of rules for routing incoming HTTP(S) requests to specific services.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
urlmap_id | The ID for the URL Map |
name | Name of the URL Map |
description | Description of the URL Map |
creation_timestamp | The timestamp for when the URL Map was created |
host_rules | A set of hosts to match requests against |
region | The region in which the URL Map is located |
Virtual Private Gateway
Virtual Private Gateway
A virtual private gateway is a logical, fully redundant distributed edge routing function at the edge of a virtual network, for example an AWS VPC, and is the cloud-side endpoint for Site-to-Site VPN connections.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
availability_zone | The availability zone for the virtual private gateway |
gateway_id | The ID for the virtual private gateway |
gateway_type | The type of virtual private gateway, e.g., 'ipsec.1' |
name | The name of the virtual private gateway |
state | The state of the virtual private gateway, e.g., 'available' |
asn | The autonomous system number (ASN) for the virtual private gateway |
attachment_count | The number of networks attached to the virtual private gateway |
Web Application Firewall
Web Application Firewall
A Web Application Firewall is a resource that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources, for example the AWS WAF or Google Cloud Armor.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region |
firewall_id | The provider ID of the web application firewall |
name | The name of the web application firewall |
metric_name | The user defined metrics put in place on the WAF |
default_action | The default action to take |
arn | The amazon resource name for the WAF |
resource_count | The number of resources protected by (associated with) the WAF |
rule_count | The number of rules in the WAF |
rules | A list of rules associated with the WAF |
sql_injection_rule_count | The number of rules with SQL injection match conditions |
geo_match_rule_count | The number of rules with geographic (GeoIP) match conditions |
xss_match_rule_count | The number of rules with cross-site scripting (XSS) match conditions |
ip_match_count | The number of rules that filter traffic by IP address |
version | The installed version of the web application firewall |
preprocess_rule_groups | The pre-process groups associated with the WAF |
preprocess_rule_names | The pre-process rule names associated with the WAF |
postprocess_rule_groups | The post-process groups associated with the WAF |
postprocess_rule_names | The post-process rule names associated with the WAF |
rule_names | The names of the WAF rules |
managed_rule_names | The managed rule names associated with the ACL |
logging | Indicates if the WAF is logging |
centrally_managed | Indicates if the WAF is centrally-managed |
relationships | The list of resources associated with the WAF |
namespace_id | The provider-specific unique namespace value |
waf_type | The type of WAF |
provisioning_state | The provisioning state of the WAF |
associations | The list of associations for the WAF |
managed_rules | The managed rules associated with the WAF |
managed_rule_count | The count of managed rules associated with the WAF |
policy_tier | The pricing policy tier of the WAF |
cloudwatch_metrics_enabled | Denotes if the WAF rules/rule groups have CloudWatch metrics enabled |
Web Application Firewall Rule
A Web Application Firewall Rule governs how incoming HTTP(S) requests are inspected and handled.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region where the rule is located |
rule_id | A unique ID for the rule |
firewall_resource_id | The resource ID for the firewall the rule is associated with |
action | The action for the rule |
type | The type of rule |
rule_group_resource_id | The resource ID for the web application firewall rule group the rule is associated with |
rule_name | The name of the rule |
conditions | The conditions for the rule to activate |
priority | The priority of the rule |
Web Application Firewall Rule Group
A Web Application Firewall Rule Group is a set of rules that can be added to an access control list.
Attribute | Description |
---|---|
resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
organization_service_id | The ID of the parent organization service (cloud) |
region_name | The name of the region where the rule group is located |
rule_group_id | A unique ID for the rule group |
rule_group_name | The name of the rule group |
firewall_resource_id | The resource ID for the firewall the rule group is associated with |
priority | The priority of the rule group |