cartography 0.103.0rc1__py3-none-any.whl → 0.104.0__py3-none-any.whl

cartography/intel/tailscale/users.py

@@ -0,0 +1,80 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+import requests
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.tailscale.user import TailscaleUserSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+# Connect and read timeouts of 60 seconds each; see https://requests.readthedocs.io/en/master/user/advanced/#timeouts
+_TIMEOUT = (60, 60)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    api_session: requests.Session,
+    common_job_parameters: Dict[str, Any],
+    org: str,
+) -> List[Dict]:
+    users = get(
+        api_session,
+        common_job_parameters["BASE_URL"],
+        org,
+    )
+    load_users(
+        neo4j_session,
+        users,
+        org,
+        common_job_parameters["UPDATE_TAG"],
+    )
+    cleanup(neo4j_session, common_job_parameters)
+    return users
+
+
+@timeit
+def get(
+    api_session: requests.Session,
+    base_url: str,
+    org: str,
+) -> List[Dict[str, Any]]:
+    results: List[Dict[str, Any]] = []
+    req = api_session.get(
+        f"{base_url}/tailnet/{org}/users",
+        timeout=_TIMEOUT,
+    )
+    req.raise_for_status()
+    results = req.json()["users"]
+    return results
+
+
+@timeit
+def load_users(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    org: str,
+    update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(data)} Tailscale Users to the graph")
+    load(
+        neo4j_session,
+        TailscaleUserSchema(),
+        data,
+        lastupdated=update_tag,
+        org=org,
+    )
+
+
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]
+) -> None:
+    GraphJob.from_node_schema(TailscaleUserSchema(), common_job_parameters).run(
+        neo4j_session
+    )

cartography/intel/tailscale/utils.py

@@ -0,0 +1,132 @@
+import json
+import re
+from typing import Any
+from typing import Dict
+from typing import List
+
+
+class ACLParser:
+    """ACLParser is a class that parses Tailscale ACLs to extract data.
+
+    It removes comments and trailing commas from the ACL string
+    and converts it to a JSON object. It then provides methods
+    to extract groups and tags from the ACL.
+    The ACL string is expected to be in a format similar to JSON,
+    but with some Tailscale-specific syntax. The parser handles
+    single-line comments (//) and multi-line comments (/* */)
+    and removes trailing commas from the JSON-like structure.
+    The parser also handles Tailscale-specific syntax for groups
+    and tags, which may include user and group identifiers.
+    The parser is initialized with a raw ACL string, which is
+    processed to remove comments and trailing commas.
+
+    Args:
+        raw_acl (str): The raw ACL string to be parsed.
+
+    Attributes:
+        data (dict): The parsed JSON object representing the ACL.
+    """
+
+    RE_SINGLE_LINE_COMMENT = re.compile(r'("(?:(?=(\\?))\2.)*?")|(?:\/{2,}.*)')
+    RE_MULTI_LINE_COMMENT = re.compile(
+        r'("(?:(?=(\\?))\2.)*?")|(?:\/\*(?:(?!\*\/).)+\*\/)', flags=re.M | re.DOTALL
+    )
+    RE_TRAILING_COMMA = re.compile(r",(?=\s*?[\}\]])")
+
+    def __init__(self, raw_acl: str) -> None:
+        # Tailscale ACL use comments and trailing commas
+        # that are not valid JSON
+        filtered_json_string = self.RE_SINGLE_LINE_COMMENT.sub(r"\1", raw_acl)
+        filtered_json_string = self.RE_MULTI_LINE_COMMENT.sub(
+            r"\1", filtered_json_string
+        )
+        filtered_json_string = self.RE_TRAILING_COMMA.sub("", filtered_json_string)
+        self.data = json.loads(filtered_json_string)
+
+    def get_groups(self) -> List[Dict[str, Any]]:
+        """
+        Get all groups from the ACL
+
+        :return: list of groups
+        """
+        result: List[Dict[str, Any]] = []
+        groups = self.data.get("groups", {})
+        for group_id, members in groups.items():
+            group_name = group_id.split(":")[-1]
+            users_members = []
+            sub_groups = []
+            domain_members = []
+            for member in members:
+                if member.startswith("group:") or member.startswith("autogroup:"):
+                    sub_groups.append(member)
+                elif member.startswith("user:*@"):
+                    domain_members.append(member[7:])
+                elif member.startswith("user:"):
+                    users_members.append(member[5:])
+                else:
+                    users_members.append(member)
+            result.append(
+                {
+                    "id": group_id,
+                    "name": group_name,
+                    "members": users_members,
+                    "sub_groups": sub_groups,
+                    "domain_members": domain_members,
+                }
+            )
+        return result
+
+    def get_tags(self) -> List[Dict[str, Any]]:
+        """
+        Get all tags from the ACL
+
+        :return: list of tags
+        """
+        result: List[Dict[str, Any]] = []
+        for tag, owners in self.data.get("tagOwners", {}).items():
+            tag_name = tag.split(":")[-1]
+            user_owners = []
+            group_owners = []
+            domain_owners = []
+            for owner in owners:
+                if owner.startswith("group:") or owner.startswith("autogroup:"):
+                    group_owners.append(owner)
+                elif owner.startswith("user:*@"):
+                    domain_owners.append(owner[7:])
+                elif owner.startswith("user:"):
+                    user_owners.append(owner[5:])
+                else:
+                    user_owners.append(owner)
+            result.append(
+                {
+                    "id": tag,
+                    "name": tag_name,
+                    "owners": user_owners,
+                    "group_owners": group_owners,
+                    "domain_owners": domain_owners,
+                }
+            )
+        return result
+
+
+def role_to_group(role: str) -> list[str]:
+    """Convert Tailscale role to group
+
+    This function is used to convert Tailscale role to autogroup
+    group. The autogroup is used to manage the access control
+    in Tailscale.
+
+    Args:
+        role (str): The role of the user in Tailscale. (eg: owner, admin, member, etc)
+
+    Returns:
+        list[str]: The list of autogroup that the user belongs to. (eg: autogroup:admin, autogroup:member, etc)
+    """
+    result: list[str] = []
+    result.append(f"autogroup:{role}")
+    if role == "owner":
+        result.append("autogroup:admin")
+        result.append("autogroup:member")
+    elif role in ("admin", "auditor", "billing-admin", "it-admin", "network-admin"):
+        result.append("autogroup:member")
+    return result

cartography/models/anthropic/apikey.py

@@ -0,0 +1,90 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AnthropicApiKeyNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    status: PropertyRef = PropertyRef("status")
+    created_at: PropertyRef = PropertyRef("created_at")
+    last_used_at: PropertyRef = PropertyRef("last_used_at")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AnthropicApiKeyToOrganizationRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicOrganization)-[:RESOURCE]->(:AnthropicApiKey)
+class AnthropicApiKeyToOrganizationRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicOrganization"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("ORG_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AnthropicApiKeyToOrganizationRelProperties = (
+        AnthropicApiKeyToOrganizationRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicApiKeyToUserRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicUser)-[:OWNS]->(:AnthropicApiKey)
+class AnthropicApiKeyToUserRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("created_by.id")},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "OWNS"
+    properties: AnthropicApiKeyToUserRelProperties = (
+        AnthropicApiKeyToUserRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicApiKeyToWorkspaceRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicWorkspace)-[:CONTAINS]->(:AnthropicApiKey)
+class AnthropicApiKeyToWorkspaceRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicWorkspace"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("workspace_id")},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "CONTAINS"
+    properties: AnthropicApiKeyToWorkspaceRelProperties = (
+        AnthropicApiKeyToWorkspaceRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicApiKeySchema(CartographyNodeSchema):
+    label: str = "AnthropicApiKey"
+    properties: AnthropicApiKeyNodeProperties = AnthropicApiKeyNodeProperties()
+    sub_resource_relationship: AnthropicApiKeyToOrganizationRel = (
+        AnthropicApiKeyToOrganizationRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [AnthropicApiKeyToUserRel(), AnthropicApiKeyToWorkspaceRel()],
+    )

cartography/models/anthropic/organization.py

@@ -0,0 +1,19 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+
+
+@dataclass(frozen=True)
+class AnthropicOrganizationNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AnthropicOrganizationSchema(CartographyNodeSchema):
+    label: str = "AnthropicOrganization"
+    properties: AnthropicOrganizationNodeProperties = (
+        AnthropicOrganizationNodeProperties()
+    )

cartography/models/anthropic/user.py

@@ -0,0 +1,48 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AnthropicUserNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    email: PropertyRef = PropertyRef("email", extra_index=True)
+    role: PropertyRef = PropertyRef("role")
+    added_at: PropertyRef = PropertyRef("added_at")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AnthropicUserToOrganizationRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicOrganization)-[:RESOURCE]->(:AnthropicUser)
+class AnthropicUserToOrganizationRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicOrganization"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("ORG_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AnthropicUserToOrganizationRelProperties = (
+        AnthropicUserToOrganizationRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicUserSchema(CartographyNodeSchema):
+    label: str = "AnthropicUser"
+    properties: AnthropicUserNodeProperties = AnthropicUserNodeProperties()
+    sub_resource_relationship: AnthropicUserToOrganizationRel = (
+        AnthropicUserToOrganizationRel()
+    )

cartography/models/anthropic/workspace.py

@@ -0,0 +1,90 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AnthropicWorkspaceNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    created_at: PropertyRef = PropertyRef("created_at")
+    archived_at: PropertyRef = PropertyRef("archived_at")
+    display_color: PropertyRef = PropertyRef("display_color")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AnthropicWorkspaceToOrganizationRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicOrganization)-[:RESOURCE]->(:AnthropicWorkspace)
+class AnthropicWorkspaceToOrganizationRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicOrganization"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("ORG_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AnthropicWorkspaceToOrganizationRelProperties = (
+        AnthropicWorkspaceToOrganizationRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicWorkspaceToUserRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicUser)-[:MEMBER_OF]->(:AnthropicWorkspace)
+class AnthropicWorkspaceToUserRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("users", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "MEMBER_OF"
+    properties: AnthropicWorkspaceToUserRelProperties = (
+        AnthropicWorkspaceToUserRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicWorkspaceToUserAdminRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:AnthropicUser)-[:ADMIN_OF]->(:AnthropicWorkspace)
+class AnthropicWorkspaceToUserAdminRel(CartographyRelSchema):
+    target_node_label: str = "AnthropicUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("admins", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "ADMIN_OF"
+    properties: AnthropicWorkspaceToUserAdminRelProperties = (
+        AnthropicWorkspaceToUserAdminRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AnthropicWorkspaceSchema(CartographyNodeSchema):
+    label: str = "AnthropicWorkspace"
+    properties: AnthropicWorkspaceNodeProperties = AnthropicWorkspaceNodeProperties()
+    sub_resource_relationship: AnthropicWorkspaceToOrganizationRel = (
+        AnthropicWorkspaceToOrganizationRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [AnthropicWorkspaceToUserRel(), AnthropicWorkspaceToUserAdminRel()],
+    )

cartography/models/aws/cloudtrail/trail.py

@@ -7,6 +7,7 @@ from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
 from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
 from cartography.models.core.relationships import TargetNodeMatcher
 
 
@@ -54,8 +55,31 @@ class CloudTrailToAWSAccountRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class CloudTrailTrailToS3BucketRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudTrailTrailToS3BucketRel(CartographyRelSchema):
+    target_node_label: str = "S3Bucket"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"name": PropertyRef("S3BucketName")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "LOGS_TO"
+    properties: CloudTrailTrailToS3BucketRelProperties = (
+        CloudTrailTrailToS3BucketRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class CloudTrailTrailSchema(CartographyNodeSchema):
     label: str = "CloudTrailTrail"
     properties: CloudTrailTrailNodeProperties = CloudTrailTrailNodeProperties()
     sub_resource_relationship: CloudTrailToAWSAccountRel = CloudTrailToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            CloudTrailTrailToS3BucketRel(),
+        ]
+    )

cartography/models/aws/cloudwatch/loggroup.py

@@ -0,0 +1,52 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class CloudWatchLogGroupNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("logGroupArn")
+    arn: PropertyRef = PropertyRef("logGroupArn", extra_index=True)
+    creation_time: PropertyRef = PropertyRef("creationTime")
+    data_protection_status: PropertyRef = PropertyRef("dataProtectionStatus")
+    inherited_properties: PropertyRef = PropertyRef("inheritedProperties")
+    kms_key_id: PropertyRef = PropertyRef("kmsKeyId")
+    log_group_arn: PropertyRef = PropertyRef("logGroupArn")
+    log_group_class: PropertyRef = PropertyRef("logGroupClass")
+    log_group_name: PropertyRef = PropertyRef("logGroupName")
+    metric_filter_count: PropertyRef = PropertyRef("metricFilterCount")
+    retention_in_days: PropertyRef = PropertyRef("retentionInDays")
+    stored_bytes: PropertyRef = PropertyRef("storedBytes")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchLogGroupToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudWatchToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: CloudWatchLogGroupToAwsAccountRelProperties = (
+        CloudWatchLogGroupToAwsAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class CloudWatchLogGroupSchema(CartographyNodeSchema):
+    label: str = "CloudWatchLogGroup"
+    properties: CloudWatchLogGroupNodeProperties = CloudWatchLogGroupNodeProperties()
+    sub_resource_relationship: CloudWatchToAWSAccountRel = CloudWatchToAWSAccountRel()

cartography/models/aws/secretsmanager/secret_version.py

@@ -0,0 +1,116 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionNodeProperties(CartographyNodeProperties):
+    """
+    Properties for AWS Secrets Manager Secret Version
+    """
+
+    # Align property names with the actual keys in the data
+    id: PropertyRef = PropertyRef("ARN")
+    arn: PropertyRef = PropertyRef("ARN", extra_index=True)
+    secret_id: PropertyRef = PropertyRef("SecretId")
+    version_id: PropertyRef = PropertyRef("VersionId")
+    version_stages: PropertyRef = PropertyRef("VersionStages")
+    created_date: PropertyRef = PropertyRef("CreatedDate")
+    region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    # Make KMS and tags properties without required=False parameter
+    kms_key_id: PropertyRef = PropertyRef("KmsKeyId")
+    tags: PropertyRef = PropertyRef("Tags")
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionRelProperties(CartographyRelProperties):
+    """
+    Properties for relationships between Secret Version and other nodes
+    """
+
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionToAWSAccountRel(CartographyRelSchema):
+    """
+    Relationship between Secret Version and AWS Account
+    """
+
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: SecretsManagerSecretVersionRelProperties = (
+        SecretsManagerSecretVersionRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionToSecretRel(CartographyRelSchema):
+    """
+    Relationship between Secret Version and its parent Secret
+    """
+
+    target_node_label: str = "SecretsManagerSecret"
+    # Use only one matcher for the id field
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("SecretId")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "VERSION_OF"
+    properties: SecretsManagerSecretVersionRelProperties = (
+        SecretsManagerSecretVersionRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionToKMSKeyRel(CartographyRelSchema):
+    """
+    Relationship between Secret Version and its KMS key
+    Only created when KmsKeyId is present
+    """
+
+    target_node_label: str = "AWSKMSKey"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("KmsKeyId")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ENCRYPTED_BY"
+    properties: SecretsManagerSecretVersionRelProperties = (
+        SecretsManagerSecretVersionRelProperties()
+    )
+    # Only create this relationship if KmsKeyId exists
+    conditional_match_property: str = "KmsKeyId"
+
+
+@dataclass(frozen=True)
+class SecretsManagerSecretVersionSchema(CartographyNodeSchema):
+    """
+    Schema for AWS Secrets Manager Secret Version
+    """
+
+    label: str = "SecretsManagerSecretVersion"
+    properties: SecretsManagerSecretVersionNodeProperties = (
+        SecretsManagerSecretVersionNodeProperties()
+    )
+    sub_resource_relationship: SecretsManagerSecretVersionToAWSAccountRel = (
+        SecretsManagerSecretVersionToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            SecretsManagerSecretVersionToSecretRel(),
+            SecretsManagerSecretVersionToKMSKeyRel(),
+        ],
+    )