cartography 0.102.0rc1__py3-none-any.whl → 0.103.0rc1__py3-none-any.whl

cartography/intel/aws/iam.py

@@ -24,8 +24,8 @@ stat_handler = get_stats_client(__name__)
 
 
 class PolicyType(enum.Enum):
-    managed = 'managed'
-    inline = 'inline'
+    managed = "managed"
+    inline = "inline"
 
 
 def get_policy_name_from_arn(arn: str) -> str:
@@ -34,49 +34,66 @@ def get_policy_name_from_arn(arn: str) -> str:
 
 @timeit
 def get_group_policies(boto3_session: boto3.session.Session, group_name: str) -> Dict:
-    client = boto3_session.client('iam')
-    paginator = client.get_paginator('list_group_policies')
+    client = boto3_session.client("iam")
+    paginator = client.get_paginator("list_group_policies")
     policy_names: List[Dict] = []
     for page in paginator.paginate(GroupName=group_name):
-        policy_names.extend(page['PolicyNames'])
-    return {'PolicyNames': policy_names}
+        policy_names.extend(page["PolicyNames"])
+    return {"PolicyNames": policy_names}
 
 
 @timeit
 def get_group_policy_info(
-        boto3_session: boto3.session.Session, group_name: str, policy_name: str,
+    boto3_session: boto3.session.Session,
+    group_name: str,
+    policy_name: str,
 ) -> Any:
-    client = boto3_session.client('iam')
+    client = boto3_session.client("iam")
     return client.get_group_policy(GroupName=group_name, PolicyName=policy_name)
 
 
 @timeit
-def get_group_membership_data(boto3_session: boto3.session.Session, group_name: str) -> Dict:
-    client = boto3_session.client('iam')
+def get_group_membership_data(
+    boto3_session: boto3.session.Session,
+    group_name: str,
+) -> Dict:
+    client = boto3_session.client("iam")
     try:
         memberships = client.get_group(GroupName=group_name)
         return memberships
     except client.exceptions.NoSuchEntityException:
         # Avoid crashing the sync
-        logger.warning("client.get_group(GroupName='%s') failed with NoSuchEntityException; skipping.", group_name)
+        logger.warning(
+            "client.get_group(GroupName='%s') failed with NoSuchEntityException; skipping.",
+            group_name,
+        )
         return {}
 
 
 @timeit
-def get_group_policy_data(boto3_session: boto3.session.Session, group_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_group_policy_data(
+    boto3_session: boto3.session.Session,
+    group_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for group in group_list:
         name = group["GroupName"]
         arn = group["Arn"]
         resource_group = resource_client.Group(name)
-        policies[arn] = policies[arn] = {p.name: p.policy_document["Statement"] for p in resource_group.policies.all()}
+        policies[arn] = policies[arn] = {
+            p.name: p.policy_document["Statement"]
+            for p in resource_group.policies.all()
+        }
     return policies
 
 
 @timeit
-def get_group_managed_policy_data(boto3_session: boto3.session.Session, group_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_group_managed_policy_data(
+    boto3_session: boto3.session.Session,
+    group_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for group in group_list:
         name = group["GroupName"]
@@ -90,15 +107,21 @@ def get_group_managed_policy_data(boto3_session: boto3.session.Session, group_li
 
 
 @timeit
-def get_user_policy_data(boto3_session: boto3.session.Session, user_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_user_policy_data(
+    boto3_session: boto3.session.Session,
+    user_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for user in user_list:
         name = user["UserName"]
         arn = user["Arn"]
         resource_user = resource_client.User(name)
         try:
-            policies[arn] = {p.name: p.policy_document["Statement"] for p in resource_user.policies.all()}
+            policies[arn] = {
+                p.name: p.policy_document["Statement"]
+                for p in resource_user.policies.all()
+            }
         except resource_client.meta.client.exceptions.NoSuchEntityException:
             logger.warning(
                 f"Could not get policies for user {name} due to NoSuchEntityException; skipping.",
@@ -107,8 +130,11 @@ def get_user_policy_data(boto3_session: boto3.session.Session, user_list: List[D
 
 
 @timeit
-def get_user_managed_policy_data(boto3_session: boto3.session.Session, user_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_user_managed_policy_data(
+    boto3_session: boto3.session.Session,
+    user_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for user in user_list:
         name = user["UserName"]
@@ -127,15 +153,21 @@ def get_user_managed_policy_data(boto3_session: boto3.session.Session, user_list
 
 
 @timeit
-def get_role_policy_data(boto3_session: boto3.session.Session, role_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_role_policy_data(
+    boto3_session: boto3.session.Session,
+    role_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for role in role_list:
         name = role["RoleName"]
         arn = role["Arn"]
         resource_role = resource_client.Role(name)
         try:
-            policies[arn] = {p.name: p.policy_document["Statement"] for p in resource_role.policies.all()}
+            policies[arn] = {
+                p.name: p.policy_document["Statement"]
+                for p in resource_role.policies.all()
+            }
         except resource_client.meta.client.exceptions.NoSuchEntityException:
             logger.warning(
                 f"Could not get policies for role {name} due to NoSuchEntityException; skipping.",
@@ -144,8 +176,11 @@ def get_role_policy_data(boto3_session: boto3.session.Session, role_list: List[D
 
 
 @timeit
-def get_role_managed_policy_data(boto3_session: boto3.session.Session, role_list: List[Dict]) -> Dict:
-    resource_client = boto3_session.resource('iam')
+def get_role_managed_policy_data(
+    boto3_session: boto3.session.Session,
+    role_list: List[Dict],
+) -> Dict:
+    resource_client = boto3_session.resource("iam")
     policies = {}
     for role in role_list:
         name = role["RoleName"]
@@ -165,8 +200,8 @@ def get_role_managed_policy_data(boto3_session: boto3.session.Session, role_list
 
 @timeit
 def get_role_tags(boto3_session: boto3.session.Session) -> List[Dict]:
-    role_list = get_role_list_data(boto3_session)['Roles']
-    resource_client = boto3_session.resource('iam')
+    role_list = get_role_list_data(boto3_session)["Roles"]
+    resource_client = boto3_session.resource("iam")
     role_tag_data: List[Dict] = []
     for role in role_list:
         name = role["RoleName"]
@@ -177,8 +212,8 @@ def get_role_tags(boto3_session: boto3.session.Session) -> List[Dict]:
             continue
 
         tag_data = {
-            'ResourceARN': role_arn,
-            'Tags': resource_role.tags,
+            "ResourceARN": role_arn,
+            "Tags": resource_role.tags,
         }
         role_tag_data.append(tag_data)
 
@@ -187,38 +222,41 @@ def get_role_tags(boto3_session: boto3.session.Session) -> List[Dict]:
 
 @timeit
 def get_user_list_data(boto3_session: boto3.session.Session) -> Dict:
-    client = boto3_session.client('iam')
+    client = boto3_session.client("iam")
 
-    paginator = client.get_paginator('list_users')
+    paginator = client.get_paginator("list_users")
     users: List[Dict] = []
     for page in paginator.paginate():
-        users.extend(page['Users'])
-    return {'Users': users}
+        users.extend(page["Users"])
+    return {"Users": users}
 
 
 @timeit
 def get_group_list_data(boto3_session: boto3.session.Session) -> Dict:
-    client = boto3_session.client('iam')
-    paginator = client.get_paginator('list_groups')
+    client = boto3_session.client("iam")
+    paginator = client.get_paginator("list_groups")
     groups: List[Dict] = []
     for page in paginator.paginate():
-        groups.extend(page['Groups'])
-    return {'Groups': groups}
+        groups.extend(page["Groups"])
+    return {"Groups": groups}
 
 
 @timeit
 def get_role_list_data(boto3_session: boto3.session.Session) -> Dict:
-    client = boto3_session.client('iam')
-    paginator = client.get_paginator('list_roles')
+    client = boto3_session.client("iam")
+    paginator = client.get_paginator("list_roles")
     roles: List[Dict] = []
     for page in paginator.paginate():
-        roles.extend(page['Roles'])
-    return {'Roles': roles}
+        roles.extend(page["Roles"])
+    return {"Roles": roles}
 
 
 @timeit
-def get_account_access_key_data(boto3_session: boto3.session.Session, username: str) -> Dict:
-    client = boto3_session.client('iam')
+def get_account_access_key_data(
+    boto3_session: boto3.session.Session,
+    username: str,
+) -> Dict:
+    client = boto3_session.client("iam")
     # NOTE we can get away without using a paginator here because users are limited to two access keys
     access_keys: Dict = {}
     try:
@@ -228,22 +266,25 @@ def get_account_access_key_data(boto3_session: boto3.session.Session, username:
             f"Could not get access key for user {username} due to NoSuchEntityException; skipping.",
         )
         return access_keys
-    for access_key in access_keys['AccessKeyMetadata']:
-        access_key_id = access_key['AccessKeyId']
+    for access_key in access_keys["AccessKeyMetadata"]:
+        access_key_id = access_key["AccessKeyId"]
         last_used_info = client.get_access_key_last_used(
             AccessKeyId=access_key_id,
-        )['AccessKeyLastUsed']
+        )["AccessKeyLastUsed"]
         # only LastUsedDate may be null
         # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam/client/get_access_key_last_used.html
-        access_key['LastUsedDate'] = last_used_info.get('LastUsedDate')
-        access_key['LastUsedService'] = last_used_info['ServiceName']
-        access_key['LastUsedRegion'] = last_used_info['Region']
+        access_key["LastUsedDate"] = last_used_info.get("LastUsedDate")
+        access_key["LastUsedService"] = last_used_info["ServiceName"]
+        access_key["LastUsedRegion"] = last_used_info["Region"]
     return access_keys
 
 
 @timeit
 def load_users(
-    neo4j_session: neo4j.Session, users: List[Dict], current_aws_account_id: str, aws_update_tag: int,
+    neo4j_session: neo4j.Session,
+    users: List[Dict],
+    current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> None:
     ingest_user = """
     MERGE (unode:AWSUser{arn: $ARN})
@@ -274,7 +315,10 @@ def load_users(
 
 @timeit
 def load_groups(
-    neo4j_session: neo4j.Session, groups: List[Dict], current_aws_account_id: str, aws_update_tag: int,
+    neo4j_session: neo4j.Session,
+    groups: List[Dict],
+    current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> None:
     ingest_group = """
     MERGE (gnode:AWSGroup{arn: $ARN})
@@ -317,7 +361,10 @@ def _parse_principal_entries(principal: Dict) -> List[Tuple[Any, Any]]:
 
 @timeit
 def load_roles(
-    neo4j_session: neo4j.Session, roles: List[Dict], current_aws_account_id: str, aws_update_tag: int,
+    neo4j_session: neo4j.Session,
+    roles: List[Dict],
+    current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> None:
     ingest_role = """
     MERGE (rnode:AWSPrincipal{arn: $Arn})
@@ -387,7 +434,7 @@ def load_roles(
                     ingest_policy_statement,
                     SpnArn=principal_value,
                     SpnType=principal_type,
-                    RoleArn=role['Arn'],
+                    RoleArn=role["Arn"],
                     aws_update_tag=aws_update_tag,
                 )
                 spn_arn = get_account_from_arn(principal_value)
@@ -401,7 +448,11 @@ def load_roles(
 
 
 @timeit
-def load_group_memberships(neo4j_session: neo4j.Session, group_memberships: Dict, aws_update_tag: int) -> None:
+def load_group_memberships(
+    neo4j_session: neo4j.Session,
+    group_memberships: Dict,
+    aws_update_tag: int,
+) -> None:
     ingest_membership = """
     MATCH (group:AWSGroup{arn: $GroupArn})
     WITH group
@@ -427,7 +478,10 @@ def load_group_memberships(neo4j_session: neo4j.Session, group_memberships: Dict
 
 
 @timeit
-def get_policies_for_principal(neo4j_session: neo4j.Session, principal_arn: str) -> Dict:
+def get_policies_for_principal(
+    neo4j_session: neo4j.Session,
+    principal_arn: str,
+) -> Dict:
     get_policy_query = """
     MATCH
     (principal:AWSPrincipal{arn:$Arn})-[:POLICY]->
@@ -447,12 +501,17 @@ def get_policies_for_principal(neo4j_session: neo4j.Session, principal_arn: str)
 
 @timeit
 def sync_assumerole_relationships(
-    neo4j_session: neo4j.Session, current_aws_account_id: str, aws_update_tag: int,
+    neo4j_session: neo4j.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
     common_job_parameters: Dict,
 ) -> None:
     # Must be called after load_role
     # Computes and syncs the STS_ASSUME_ROLE allow relationship
-    logger.info("Syncing assume role mappings for account '%s'.", current_aws_account_id)
+    logger.info(
+        "Syncing assume role mappings for account '%s'.",
+        current_aws_account_id,
+    )
     query_potential_matches = """
     MATCH (:AWSAccount{id:$AccountId})-[:RESOURCE]->(target:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(source:AWSPrincipal)
     WHERE NOT source.arn ENDS WITH 'root'
@@ -487,14 +546,18 @@ def sync_assumerole_relationships(
                 aws_update_tag=aws_update_tag,
             )
     run_cleanup_job(
-        'aws_import_roles_policy_cleanup.json',
+        "aws_import_roles_policy_cleanup.json",
         neo4j_session,
         common_job_parameters,
     )
 
 
 @timeit
-def load_user_access_keys(neo4j_session: neo4j.Session, user_access_keys: Dict, aws_update_tag: int) -> None:
+def load_user_access_keys(
+    neo4j_session: neo4j.Session,
+    user_access_keys: Dict,
+    aws_update_tag: int,
+) -> None:
     # TODO change the node label to reflect that this is a user access key, not an account access key
     ingest_account_key = """
     MATCH (user:AWSUser{arn: $UserARN})
@@ -514,16 +577,16 @@ def load_user_access_keys(neo4j_session: neo4j.Session, user_access_keys: Dict,
 
     for arn, access_keys in user_access_keys.items():
         for key in access_keys["AccessKeyMetadata"]:
-            if key.get('AccessKeyId'):
+            if key.get("AccessKeyId"):
                 neo4j_session.run(
                     ingest_account_key,
                     UserARN=arn,
-                    AccessKeyId=key['AccessKeyId'],
-                    CreateDate=str(key['CreateDate']),
-                    Status=key['Status'],
-                    LastUsedDate=key['LastUsedDate'],
-                    LastUsedService=key['LastUsedService'],
-                    LastUsedRegion=key['LastUsedRegion'],
+                    AccessKeyId=key["AccessKeyId"],
+                    CreateDate=str(key["CreateDate"]),
+                    Status=key["Status"],
+                    LastUsedDate=key["LastUsedDate"],
+                    LastUsedService=key["LastUsedService"],
+                    LastUsedRegion=key["LastUsedRegion"],
                     aws_update_tag=aws_update_tag,
                 )
 
@@ -561,14 +624,23 @@ def _transform_policy_statements(statements: Any, policy_id: str) -> List[Dict]:
 
 def transform_policy_data(policy_map: Dict, policy_type: str) -> None:
     for principal_arn, policy_statement_map in policy_map.items():
-        logger.debug(f"Transforming IAM {policy_type} policies for principal {principal_arn}")
+        logger.debug(
+            f"Transforming IAM {policy_type} policies for principal {principal_arn}",
+        )
         for policy_key, statements in policy_statement_map.items():
-            policy_id = transform_policy_id(
-                principal_arn,
-                policy_type,
-                policy_key,
-            ) if policy_type == PolicyType.inline.value else policy_key
-            policy_statement_map[policy_key] = _transform_policy_statements(statements, policy_id)
+            policy_id = (
+                transform_policy_id(
+                    principal_arn,
+                    policy_type,
+                    policy_key,
+                )
+                if policy_type == PolicyType.inline.value
+                else policy_key
+            )
+            policy_statement_map[policy_key] = _transform_policy_statements(
+                statements,
+                policy_id,
+            )
 
 
 def transform_policy_id(principal_arn: str, policy_type: str, name: str) -> str:
@@ -576,7 +648,11 @@ def transform_policy_id(principal_arn: str, policy_type: str, name: str) -> str:
 
 
 def _load_policy_tx(
-    tx: neo4j.Transaction, policy_id: str, policy_name: str, policy_type: str, principal_arn: str,
+    tx: neo4j.Transaction,
+    policy_id: str,
+    policy_name: str,
+    policy_type: str,
+    principal_arn: str,
     aws_update_tag: int,
 ) -> None:
     ingest_policy = """
@@ -603,15 +679,29 @@ def _load_policy_tx(
 
 @timeit
 def load_policy(
-    neo4j_session: neo4j.Session, policy_id: str, policy_name: str, policy_type: str, principal_arn: str,
+    neo4j_session: neo4j.Session,
+    policy_id: str,
+    policy_name: str,
+    policy_type: str,
+    principal_arn: str,
     aws_update_tag: int,
 ) -> None:
-    neo4j_session.write_transaction(_load_policy_tx, policy_id, policy_name, policy_type, principal_arn, aws_update_tag)
+    neo4j_session.write_transaction(
+        _load_policy_tx,
+        policy_id,
+        policy_name,
+        policy_type,
+        principal_arn,
+        aws_update_tag,
+    )
 
 
 @timeit
 def load_policy_statements(
-    neo4j_session: neo4j.Session, policy_id: str, policy_name: str, statements: Any,
+    neo4j_session: neo4j.Session,
+    policy_id: str,
+    policy_name: str,
+    statements: Any,
     aws_update_tag: int,
 ) -> None:
     ingest_policy_statement = """
@@ -643,143 +733,258 @@ def load_policy_statements(
 
 @timeit
 def load_policy_data(
-        neo4j_session: neo4j.Session,
-        principal_policy_map: Dict[str, Dict[str, Any]],
-        policy_type: str,
-        aws_update_tag: int,
+    neo4j_session: neo4j.Session,
+    principal_policy_map: Dict[str, Dict[str, Any]],
+    policy_type: str,
+    aws_update_tag: int,
 ) -> None:
     for principal_arn, policy_statement_map in principal_policy_map.items():
         logger.debug(f"Loading policies for principal {principal_arn}")
         for policy_key, statements in policy_statement_map.items():
-            policy_name = policy_key if policy_type == PolicyType.inline.value else get_policy_name_from_arn(policy_key)
-            policy_id = transform_policy_id(
-                principal_arn,
+            policy_name = (
+                policy_key
+                if policy_type == PolicyType.inline.value
+                else get_policy_name_from_arn(policy_key)
+            )
+            policy_id = (
+                transform_policy_id(
+                    principal_arn,
+                    policy_type,
+                    policy_key,
+                )
+                if policy_type == PolicyType.inline.value
+                else policy_key
+            )
+            load_policy(
+                neo4j_session,
+                policy_id,
+                policy_name,
                 policy_type,
-                policy_key,
-            ) if policy_type == PolicyType.inline.value else policy_key
-            load_policy(neo4j_session, policy_id, policy_name, policy_type, principal_arn, aws_update_tag)
-            load_policy_statements(neo4j_session, policy_id, policy_name, statements, aws_update_tag)
+                principal_arn,
+                aws_update_tag,
+            )
+            load_policy_statements(
+                neo4j_session,
+                policy_id,
+                policy_name,
+                statements,
+                aws_update_tag,
+            )
 
 
 @timeit
 def sync_users(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, current_aws_account_id: str,
-    aws_update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     logger.info("Syncing IAM users for account '%s'.", current_aws_account_id)
     data = get_user_list_data(boto3_session)
-    load_users(neo4j_session, data['Users'], current_aws_account_id, aws_update_tag)
+    load_users(neo4j_session, data["Users"], current_aws_account_id, aws_update_tag)
 
     sync_user_inline_policies(boto3_session, data, neo4j_session, aws_update_tag)
 
     sync_user_managed_policies(boto3_session, data, neo4j_session, aws_update_tag)
 
-    run_cleanup_job('aws_import_users_cleanup.json', neo4j_session, common_job_parameters)
+    run_cleanup_job(
+        "aws_import_users_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 @timeit
 def sync_user_managed_policies(
-    boto3_session: boto3.session.Session, data: Dict, neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
     aws_update_tag: int,
 ) -> None:
-    managed_policy_data = get_user_managed_policy_data(boto3_session, data['Users'])
+    managed_policy_data = get_user_managed_policy_data(boto3_session, data["Users"])
     transform_policy_data(managed_policy_data, PolicyType.managed.value)
-    load_policy_data(neo4j_session, managed_policy_data, PolicyType.managed.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        managed_policy_data,
+        PolicyType.managed.value,
+        aws_update_tag,
+    )
 
 
 @timeit
 def sync_user_inline_policies(
-    boto3_session: boto3.session.Session, data: Dict, neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
     aws_update_tag: int,
 ) -> None:
-    policy_data = get_user_policy_data(boto3_session, data['Users'])
+    policy_data = get_user_policy_data(boto3_session, data["Users"])
     transform_policy_data(policy_data, PolicyType.inline.value)
-    load_policy_data(neo4j_session, policy_data, PolicyType.inline.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        policy_data,
+        PolicyType.inline.value,
+        aws_update_tag,
+    )
 
 
 @timeit
 def sync_groups(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, current_aws_account_id: str,
-    aws_update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     logger.info("Syncing IAM groups for account '%s'.", current_aws_account_id)
     data = get_group_list_data(boto3_session)
-    load_groups(neo4j_session, data['Groups'], current_aws_account_id, aws_update_tag)
+    load_groups(neo4j_session, data["Groups"], current_aws_account_id, aws_update_tag)
 
     sync_groups_inline_policies(boto3_session, data, neo4j_session, aws_update_tag)
 
     sync_group_managed_policies(boto3_session, data, neo4j_session, aws_update_tag)
 
-    run_cleanup_job('aws_import_groups_cleanup.json', neo4j_session, common_job_parameters)
+    run_cleanup_job(
+        "aws_import_groups_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 def sync_group_managed_policies(
-    boto3_session: boto3.session.Session, data: Dict, neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
     aws_update_tag: int,
 ) -> None:
     managed_policy_data = get_group_managed_policy_data(boto3_session, data["Groups"])
     transform_policy_data(managed_policy_data, PolicyType.managed.value)
-    load_policy_data(neo4j_session, managed_policy_data, PolicyType.managed.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        managed_policy_data,
+        PolicyType.managed.value,
+        aws_update_tag,
+    )
 
 
 def sync_groups_inline_policies(
-    boto3_session: boto3.session.Session, data: Dict, neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
     aws_update_tag: int,
 ) -> None:
     policy_data = get_group_policy_data(boto3_session, data["Groups"])
     transform_policy_data(policy_data, PolicyType.inline.value)
-    load_policy_data(neo4j_session, policy_data, PolicyType.inline.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        policy_data,
+        PolicyType.inline.value,
+        aws_update_tag,
+    )
 
 
 @timeit
 def sync_roles(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, current_aws_account_id: str,
-    aws_update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     logger.info("Syncing IAM roles for account '%s'.", current_aws_account_id)
     data = get_role_list_data(boto3_session)
-    load_roles(neo4j_session, data['Roles'], current_aws_account_id, aws_update_tag)
+    load_roles(neo4j_session, data["Roles"], current_aws_account_id, aws_update_tag)
 
-    sync_role_inline_policies(current_aws_account_id, boto3_session, data, neo4j_session, aws_update_tag)
+    sync_role_inline_policies(
+        current_aws_account_id,
+        boto3_session,
+        data,
+        neo4j_session,
+        aws_update_tag,
+    )
 
-    sync_role_managed_policies(current_aws_account_id, boto3_session, data, neo4j_session, aws_update_tag)
+    sync_role_managed_policies(
+        current_aws_account_id,
+        boto3_session,
+        data,
+        neo4j_session,
+        aws_update_tag,
+    )
 
-    run_cleanup_job('aws_import_roles_cleanup.json', neo4j_session, common_job_parameters)
+    run_cleanup_job(
+        "aws_import_roles_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
 
 
 def sync_role_managed_policies(
-    current_aws_account_id: str, boto3_session: boto3.session.Session, data: Dict,
-    neo4j_session: neo4j.Session, aws_update_tag: int,
+    current_aws_account_id: str,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
+    aws_update_tag: int,
 ) -> None:
-    logger.info("Syncing IAM role managed policies for account '%s'.", current_aws_account_id)
+    logger.info(
+        "Syncing IAM role managed policies for account '%s'.",
+        current_aws_account_id,
+    )
     managed_policy_data = get_role_managed_policy_data(boto3_session, data["Roles"])
     transform_policy_data(managed_policy_data, PolicyType.managed.value)
-    load_policy_data(neo4j_session, managed_policy_data, PolicyType.managed.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        managed_policy_data,
+        PolicyType.managed.value,
+        aws_update_tag,
+    )
 
 
 def sync_role_inline_policies(
-    current_aws_account_id: str, boto3_session: boto3.session.Session, data: Dict,
-    neo4j_session: neo4j.Session, aws_update_tag: int,
+    current_aws_account_id: str,
+    boto3_session: boto3.session.Session,
+    data: Dict,
+    neo4j_session: neo4j.Session,
+    aws_update_tag: int,
 ) -> None:
-    logger.info("Syncing IAM role inline policies for account '%s'.", current_aws_account_id)
+    logger.info(
+        "Syncing IAM role inline policies for account '%s'.",
+        current_aws_account_id,
+    )
     inline_policy_data = get_role_policy_data(boto3_session, data["Roles"])
     transform_policy_data(inline_policy_data, PolicyType.inline.value)
-    load_policy_data(neo4j_session, inline_policy_data, PolicyType.inline.value, aws_update_tag)
+    load_policy_data(
+        neo4j_session,
+        inline_policy_data,
+        PolicyType.inline.value,
+        aws_update_tag,
+    )
 
 
 @timeit
 def sync_group_memberships(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session,
-    current_aws_account_id: str, aws_update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
-    logger.info("Syncing IAM group membership for account '%s'.", current_aws_account_id)
-    query = "MATCH (group:AWSGroup)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ACCOUNT_ID}) " \
-            "return group.name as name, group.arn as arn;"
+    logger.info(
+        "Syncing IAM group membership for account '%s'.",
+        current_aws_account_id,
+    )
+    query = (
+        "MATCH (group:AWSGroup)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ACCOUNT_ID}) "
+        "return group.name as name, group.arn as arn;"
+    )
     groups = neo4j_session.run(query, AWS_ACCOUNT_ID=current_aws_account_id)
-    groups_membership = {group["arn"]: get_group_membership_data(boto3_session, group["name"]) for group in groups}
+    groups_membership = {
+        group["arn"]: get_group_membership_data(boto3_session, group["name"])
+        for group in groups
+    }
     load_group_memberships(neo4j_session, groups_membership, aws_update_tag)
     run_cleanup_job(
-        'aws_import_groups_membership_cleanup.json',
+        "aws_import_groups_membership_cleanup.json",
         neo4j_session,
         common_job_parameters,
     )
@@ -787,19 +992,27 @@ def sync_group_memberships(
 
 @timeit
 def sync_user_access_keys(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session,
-    current_aws_account_id: str, aws_update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
-    logger.info("Syncing IAM user access keys for account '%s'.", current_aws_account_id)
-    query = "MATCH (user:AWSUser)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ACCOUNT_ID}) " \
-            "RETURN user.name as name, user.arn as arn"
+    logger.info(
+        "Syncing IAM user access keys for account '%s'.",
+        current_aws_account_id,
+    )
+    query = (
+        "MATCH (user:AWSUser)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ACCOUNT_ID}) "
+        "RETURN user.name as name, user.arn as arn"
+    )
     for user in neo4j_session.run(query, AWS_ACCOUNT_ID=current_aws_account_id):
         access_keys = get_account_access_key_data(boto3_session, user["name"])
         if access_keys:
             account_access_keys = {user["arn"]: access_keys}
             load_user_access_keys(neo4j_session, account_access_keys, aws_update_tag)
     run_cleanup_job(
-        'aws_import_account_access_key_cleanup.json',
+        "aws_import_account_access_key_cleanup.json",
         neo4j_session,
         common_job_parameters,
     )
@@ -807,24 +1020,67 @@ def sync_user_access_keys(
 
 @timeit
 def sync(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     logger.info("Syncing IAM for account '%s'.", current_aws_account_id)
     # This module only syncs IAM information that is in use.
     # As such only policies that are attached to a user, role or group are synced
-    sync_users(neo4j_session, boto3_session, current_aws_account_id, update_tag, common_job_parameters)
-    sync_groups(neo4j_session, boto3_session, current_aws_account_id, update_tag, common_job_parameters)
-    sync_roles(neo4j_session, boto3_session, current_aws_account_id, update_tag, common_job_parameters)
-    sync_group_memberships(neo4j_session, boto3_session, current_aws_account_id, update_tag, common_job_parameters)
-    sync_assumerole_relationships(neo4j_session, current_aws_account_id, update_tag, common_job_parameters)
-    sync_user_access_keys(neo4j_session, boto3_session, current_aws_account_id, update_tag, common_job_parameters)
-    run_cleanup_job('aws_import_principals_cleanup.json', neo4j_session, common_job_parameters)
+    sync_users(
+        neo4j_session,
+        boto3_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    sync_groups(
+        neo4j_session,
+        boto3_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    sync_roles(
+        neo4j_session,
+        boto3_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    sync_group_memberships(
+        neo4j_session,
+        boto3_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    sync_assumerole_relationships(
+        neo4j_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    sync_user_access_keys(
+        neo4j_session,
+        boto3_session,
+        current_aws_account_id,
+        update_tag,
+        common_job_parameters,
+    )
+    run_cleanup_job(
+        "aws_import_principals_cleanup.json",
+        neo4j_session,
+        common_job_parameters,
+    )
     merge_module_sync_metadata(
         neo4j_session,
-        group_type='AWSAccount',
+        group_type="AWSAccount",
         group_id=current_aws_account_id,
-        synced_type='AWSPrincipal',
+        synced_type="AWSPrincipal",
         update_tag=update_tag,
         stat_handler=stat_handler,
     )