cartography 0.104.0rc3__py3-none-any.whl → 0.105.0__py3-none-any.whl

cartography/intel/entra/ou.py

@@ -22,12 +22,28 @@ async def get_entra_ous(client: GraphServiceClient) -> list[AdministrativeUnit]:
     Get all OUs from Microsoft Graph API with pagination support
     """
     all_units: list[AdministrativeUnit] = []
-    request = client.directory.administrative_units.request()
 
-    while request:
-        response = await request.get()
-        all_units.extend(response.value)
-        request = response.odata_next_link if response.odata_next_link else None
+    # Initialize first page request
+    current_request = client.directory.administrative_units
+
+    while current_request:
+        try:
+            response = await current_request.get()
+            if response and response.value:
+                all_units.extend(response.value)
+
+                # Handle next page using OData link
+                if response.odata_next_link:
+                    current_request = client.directory.administrative_units.with_url(
+                        response.odata_next_link
+                    )
+                else:
+                    current_request = None
+            else:
+                current_request = None
+        except Exception as e:
+            logger.error(f"Failed to retrieve administrative units: {str(e)}")
+            current_request = None
 
     return all_units
 

cartography/intel/trivy/__init__.py

@@ -0,0 +1,161 @@
+import logging
+from typing import Any
+
+import boto3
+from neo4j import Session
+
+from cartography.client.aws import list_accounts
+from cartography.client.aws.ecr import get_ecr_images
+from cartography.config import Config
+from cartography.intel.trivy.scanner import cleanup
+from cartography.intel.trivy.scanner import get_json_files_in_s3
+from cartography.intel.trivy.scanner import sync_single_image_from_s3
+from cartography.stats import get_stats_client
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client("trivy.scanner")
+
+
+@timeit
+def get_scan_targets(
+    neo4j_session: Session,
+    account_ids: list[str] | None = None,
+) -> set[str]:
+    """
+    Return list of ECR images from all accounts in the graph.
+    """
+    if not account_ids:
+        aws_accounts = list_accounts(neo4j_session)
+    else:
+        aws_accounts = account_ids
+
+    ecr_images: set[str] = set()
+    for account_id in aws_accounts:
+        for _, _, image_uri, _, _ in get_ecr_images(neo4j_session, account_id):
+            ecr_images.add(image_uri)
+
+    return ecr_images
+
+
+def _get_intersection(
+    images_in_graph: set[str], json_files: set[str], trivy_s3_prefix: str
+) -> list[tuple[str, str]]:
+    """
+    Get the intersection of ECR images in the graph and S3 scan results.
+
+    Args:
+        images_in_graph: Set of ECR images in the graph
+        json_files: Set of S3 object keys for JSON files
+        trivy_s3_prefix: S3 prefix path containing scan results
+
+    Returns:
+        List of tuples (image_uri, s3_object_key)
+    """
+    intersection = []
+    prefix_len = len(trivy_s3_prefix)
+    for s3_object_key in json_files:
+        # Sample key "123456789012.dkr.ecr.us-west-2.amazonaws.com/other-repo:v1.0.json"
+        # Sample key "folder/derp/123456789012.dkr.ecr.us-west-2.amazonaws.com/other-repo:v1.0.json"
+        # Remove the prefix and the .json suffix
+        image_uri = s3_object_key[prefix_len:-5]
+
+        if image_uri in images_in_graph:
+            intersection.append((image_uri, s3_object_key))
+
+    return intersection
+
+
+@timeit
+def sync_trivy_aws_ecr_from_s3(
+    neo4j_session: Session,
+    trivy_s3_bucket: str,
+    trivy_s3_prefix: str,
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
+    boto3_session: boto3.Session,
+) -> None:
+    """
+    Sync Trivy scan results from S3 for AWS ECR images.
+
+    Args:
+        neo4j_session: Neo4j session for database operations
+        trivy_s3_bucket: S3 bucket containing scan results
+        trivy_s3_prefix: S3 prefix path containing scan results
+        update_tag: Update tag for tracking
+        common_job_parameters: Common job parameters for cleanup
+        boto3_session: boto3 session for S3 operations
+    """
+    logger.info(
+        f"Using Trivy scan results from s3://{trivy_s3_bucket}/{trivy_s3_prefix}"
+    )
+
+    images_in_graph: set[str] = get_scan_targets(neo4j_session)
+    json_files: set[str] = get_json_files_in_s3(
+        trivy_s3_bucket, trivy_s3_prefix, boto3_session
+    )
+    intersection: list[tuple[str, str]] = _get_intersection(
+        images_in_graph, json_files, trivy_s3_prefix
+    )
+
+    if len(intersection) == 0:
+        logger.error(
+            f"Trivy sync was configured, but there are no ECR images with S3 json scan results in bucket "
+            f"'{trivy_s3_bucket}' with prefix '{trivy_s3_prefix}'. "
+            "Skipping Trivy sync to avoid potential data loss. "
+            "Please check the S3 bucket and prefix configuration. We expect the json files in s3 to be named "
+            f"`<image_uri>.json` and to be in the same bucket and prefix as the scan results. If the prefix is "
+            "a folder, it MUST end with a trailing slash '/'. "
+        )
+        logger.error(f"JSON files in S3: {json_files}")
+        raise ValueError("No ECR images with S3 json scan results found.")
+
+    logger.info(f"Processing {len(intersection)} ECR images with S3 scan results")
+    for image_uri, s3_object_key in intersection:
+        sync_single_image_from_s3(
+            neo4j_session,
+            image_uri,
+            update_tag,
+            trivy_s3_bucket,
+            s3_object_key,
+            boto3_session,
+        )
+
+    cleanup(neo4j_session, common_job_parameters)
+
+
+@timeit
+def start_trivy_ingestion(neo4j_session: Session, config: Config) -> None:
+    """
+    Start Trivy scan ingestion from S3.
+
+    Args:
+        neo4j_session: Neo4j session for database operations
+        config: Configuration object containing S3 settings
+    """
+    # Check if S3 configuration is provided
+    if not config.trivy_s3_bucket:
+        logger.info("Trivy S3 configuration not provided. Skipping Trivy ingestion.")
+        return
+
+    # Default to empty string if s3 prefix is not provided
+    if config.trivy_s3_prefix is None:
+        config.trivy_s3_prefix = ""
+
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+    }
+
+    # Get ECR images to scan
+    boto3_session = boto3.Session()
+
+    sync_trivy_aws_ecr_from_s3(
+        neo4j_session,
+        config.trivy_s3_bucket,
+        config.trivy_s3_prefix,
+        config.update_tag,
+        common_job_parameters,
+        boto3_session,
+    )
+
+    # Support other Trivy resource types here e.g. if Google Cloud has images.

cartography/intel/trivy/scanner.py

@@ -0,0 +1,363 @@
+import json
+import logging
+from typing import Any
+
+import boto3
+from neo4j import Session
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.trivy.findings import TrivyImageFindingSchema
+from cartography.models.trivy.fix import TrivyFixSchema
+from cartography.models.trivy.package import TrivyPackageSchema
+from cartography.stats import get_stats_client
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+
+
+def _validate_packages(package_list: list[dict]) -> list[dict]:
+    """
+    Validates that each package has the required fields.
+    Returns only packages that have both InstalledVersion and PkgName.
+    """
+    validated_packages: list[dict] = []
+    for pkg in package_list:
+        if (
+            "InstalledVersion" in pkg
+            and pkg["InstalledVersion"]
+            and "PkgName" in pkg
+            and pkg["PkgName"]
+        ):
+            validated_packages.append(pkg)
+        else:
+            logger.warning(
+                "Package object does not have required fields `InstalledVersion` or `PkgName` - skipping."
+            )
+    return validated_packages
+
+
+def transform_scan_results(
+    results: list[dict], image_digest: str
+) -> tuple[list[dict], list[dict], list[dict]]:
+    """
+    Transform raw Trivy scan results into a format suitable for loading into Neo4j.
+    Returns a tuple of (findings_list, packages_list, fixes_list).
+    """
+    findings_list = []
+    packages_list = []
+    fixes_list = []
+
+    for scan_class in results:
+        # Sometimes a scan class will have no vulns and Trivy will leave the key undefined instead of showing [].
+        if "Vulnerabilities" in scan_class and scan_class["Vulnerabilities"]:
+            for result in scan_class["Vulnerabilities"]:
+                # Transform finding data
+                finding = {
+                    "id": f'TIF|{result["VulnerabilityID"]}',
+                    "VulnerabilityID": result["VulnerabilityID"],
+                    "cve_id": result["VulnerabilityID"],
+                    "Description": result.get("Description"),
+                    "LastModifiedDate": result.get("LastModifiedDate"),
+                    "PrimaryURL": result.get("PrimaryURL"),
+                    "PublishedDate": result.get("PublishedDate"),
+                    "Severity": result["Severity"],
+                    "SeveritySource": result.get("SeveritySource"),
+                    "Title": result.get("Title"),
+                    "nvd_v2_score": None,
+                    "nvd_v2_vector": None,
+                    "nvd_v3_score": None,
+                    "nvd_v3_vector": None,
+                    "redhat_v3_score": None,
+                    "redhat_v3_vector": None,
+                    "ubuntu_v3_score": None,
+                    "ubuntu_v3_vector": None,
+                    "Class": scan_class["Class"],
+                    "Type": scan_class["Type"],
+                    "ImageDigest": image_digest,  # For AFFECTS relationship
+                }
+
+                # Add CVSS scores if available
+                if "CVSS" in result:
+                    if "nvd" in result["CVSS"]:
+                        nvd = result["CVSS"]["nvd"]
+                        finding["nvd_v2_score"] = nvd.get("V2Score")
+                        finding["nvd_v2_vector"] = nvd.get("V2Vector")
+                        finding["nvd_v3_score"] = nvd.get("V3Score")
+                        finding["nvd_v3_vector"] = nvd.get("V3Vector")
+                    if "redhat" in result["CVSS"]:
+                        redhat = result["CVSS"]["redhat"]
+                        finding["redhat_v3_score"] = redhat.get("V3Score")
+                        finding["redhat_v3_vector"] = redhat.get("V3Vector")
+                    if "ubuntu" in result["CVSS"]:
+                        ubuntu = result["CVSS"]["ubuntu"]
+                        finding["ubuntu_v3_score"] = ubuntu.get("V3Score")
+                        finding["ubuntu_v3_vector"] = ubuntu.get("V3Vector")
+
+                findings_list.append(finding)
+
+                # Transform package data
+                package_id = f"{result['InstalledVersion']}|{result['PkgName']}"
+                packages_list.append(
+                    {
+                        "id": package_id,
+                        "InstalledVersion": result["InstalledVersion"],
+                        "PkgName": result["PkgName"],
+                        "Class": scan_class["Class"],
+                        "Type": scan_class["Type"],
+                        "ImageDigest": image_digest,  # For DEPLOYED relationship
+                        "FindingId": finding["id"],  # For AFFECTS relationship
+                    }
+                )
+
+                # Transform fix data if available
+                if result.get("FixedVersion") is not None:
+                    fixes_list.append(
+                        {
+                            "id": f"{result['FixedVersion']}|{result['PkgName']}",
+                            "FixedVersion": result["FixedVersion"],
+                            "PackageId": package_id,
+                            "FindingId": finding["id"],
+                        }
+                    )
+
+    # Validate packages before returning
+    packages_list = _validate_packages(packages_list)
+    return findings_list, packages_list, fixes_list
+
+
+@timeit
+def get_json_files_in_s3(
+    s3_bucket: str, s3_prefix: str, boto3_session: boto3.Session
+) -> set[str]:
+    """
+    List S3 objects in the S3 prefix.
+
+    Args:
+        s3_bucket: S3 bucket name containing scan results
+        s3_prefix: S3 prefix path containing scan results
+        boto3_session: boto3 session for dependency injection
+
+    Returns:
+        Set of S3 object keys for JSON files in the S3 prefix
+    """
+    s3_client = boto3_session.client("s3")
+
+    try:
+        # List objects in the S3 prefix
+        paginator = s3_client.get_paginator("list_objects_v2")
+        page_iterator = paginator.paginate(Bucket=s3_bucket, Prefix=s3_prefix)
+        results = set()
+
+        for page in page_iterator:
+            if "Contents" not in page:
+                continue
+
+            for obj in page["Contents"]:
+                object_key = obj["Key"]
+
+                # Skip non-JSON files
+                if not object_key.endswith(".json"):
+                    continue
+
+                # Skip files that don't start with our prefix
+                if not object_key.startswith(s3_prefix):
+                    continue
+
+                results.add(object_key)
+
+    except Exception as e:
+        logger.error(
+            f"Error listing S3 objects in bucket {s3_bucket} with prefix {s3_prefix}: {e}"
+        )
+        raise
+
+    logger.info(f"Found {len(results)} json files in s3://{s3_bucket}/{s3_prefix}")
+    return results
+
+
+@timeit
+def cleanup(neo4j_session: Session, common_job_parameters: dict[str, Any]) -> None:
+    """
+    Run cleanup jobs for Trivy nodes.
+    """
+    logger.info("Running Trivy cleanup")
+    GraphJob.from_node_schema(TrivyImageFindingSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(TrivyPackageSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(TrivyFixSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def load_scan_vulns(
+    neo4j_session: Session,
+    findings_list: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    """
+    Load TrivyImageFinding nodes into Neo4j.
+    """
+    load(
+        neo4j_session,
+        TrivyImageFindingSchema(),
+        findings_list,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def load_scan_packages(
+    neo4j_session: Session,
+    packages_list: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    """
+    Load TrivyPackage nodes into Neo4j.
+    """
+    load(
+        neo4j_session,
+        TrivyPackageSchema(),
+        packages_list,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def load_scan_fixes(
+    neo4j_session: Session,
+    fixes_list: list[dict[str, Any]],
+    update_tag: int,
+) -> None:
+    """
+    Load TrivyFix nodes into Neo4j.
+    """
+    load(
+        neo4j_session,
+        TrivyFixSchema(),
+        fixes_list,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def read_scan_results_from_s3(
+    boto3_session: boto3.Session,
+    s3_bucket: str,
+    s3_object_key: str,
+    image_uri: str,
+) -> tuple[list[dict], str | None]:
+    """
+    Read and parse Trivy scan results from S3.
+
+    Args:
+        boto3_session: boto3 session for S3 operations
+        s3_bucket: S3 bucket containing scan results
+        s3_object_key: S3 object key for the scan results
+        image_uri: ECR image URI (for logging purposes)
+
+    Returns:
+        Tuple of (list of scan result dictionaries from the "Results" key, image digest)
+    """
+    s3_client = boto3_session.client("s3")
+
+    # Read JSON scan results from S3
+    logger.debug(f"Reading scan results from S3: s3://{s3_bucket}/{s3_object_key}")
+    response = s3_client.get_object(Bucket=s3_bucket, Key=s3_object_key)
+    scan_data_json = response["Body"].read().decode("utf-8")
+
+    # Parse JSON data
+    trivy_data = json.loads(scan_data_json)
+
+    # Extract results using the same logic as binary scanning
+    if "Results" in trivy_data and trivy_data["Results"]:
+        results = trivy_data["Results"]
+    else:
+        stat_handler.incr("image_scan_no_results_count")
+        logger.warning(
+            f"S3 scan data did not contain a `Results` key for URI = {image_uri}; continuing."
+        )
+        results = []
+
+    image_digest = None
+    if "Metadata" in trivy_data and trivy_data["Metadata"]:
+        repo_digests = trivy_data["Metadata"].get("RepoDigests", [])
+        if repo_digests:
+            # Sample input: 000000000000.dkr.ecr.us-east-1.amazonaws.com/test-repository@sha256:88016
+            # Sample output: sha256:88016
+            repo_digest = repo_digests[0]
+            if "@" in repo_digest:
+                image_digest = repo_digest.split("@")[1]
+
+    return results, image_digest
+
+
+@timeit
+def sync_single_image_from_s3(
+    neo4j_session: Session,
+    image_uri: str,
+    update_tag: int,
+    s3_bucket: str,
+    s3_object_key: str,
+    boto3_session: boto3.Session,
+) -> None:
+    """
+    Read Trivy scan results from S3 and sync to Neo4j.
+
+    Args:
+        neo4j_session: Neo4j session for database operations
+        image_uri: ECR image URI
+        update_tag: Update tag for tracking
+        s3_bucket: S3 bucket containing scan results
+        s3_object_key: S3 object key for this image's scan results
+        boto3_session: boto3 session for S3 operations
+    """
+    try:
+        # Read and parse scan results from S3
+        results, image_digest = read_scan_results_from_s3(
+            boto3_session,
+            s3_bucket,
+            s3_object_key,
+            image_uri,
+        )
+        if not image_digest:
+            logger.warning(f"No image digest found for {image_uri}; skipping over.")
+            return
+
+        # Transform all data in one pass using existing function
+        findings_list, packages_list, fixes_list = transform_scan_results(
+            results,
+            image_digest,
+        )
+
+        num_findings = len(findings_list)
+        stat_handler.incr("image_scan_cve_count", num_findings)
+
+        # Load the transformed data using existing functions
+        load_scan_vulns(
+            neo4j_session,
+            findings_list,
+            update_tag=update_tag,
+        )
+        load_scan_packages(
+            neo4j_session,
+            packages_list,
+            update_tag=update_tag,
+        )
+        load_scan_fixes(
+            neo4j_session,
+            fixes_list,
+            update_tag=update_tag,
+        )
+        stat_handler.incr("images_processed_count")
+
+    except Exception as e:
+        logger.error(
+            f"Failed to process S3 scan results for {image_uri} from {s3_object_key}: {e}"
+        )
+        raise

cartography/models/aws/acm/certificate.py

@@ -0,0 +1,75 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class ACMCertificateNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("Arn")
+    arn: PropertyRef = PropertyRef("Arn", extra_index=True)
+    domainname: PropertyRef = PropertyRef("DomainName")
+    type: PropertyRef = PropertyRef("Type")
+    status: PropertyRef = PropertyRef("Status")
+    key_algorithm: PropertyRef = PropertyRef("KeyAlgorithm")
+    signature_algorithm: PropertyRef = PropertyRef("SignatureAlgorithm")
+    not_before: PropertyRef = PropertyRef("NotBefore")
+    not_after: PropertyRef = PropertyRef("NotAfter")
+    in_use_by: PropertyRef = PropertyRef("InUseBy")
+    region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ACMCertificateToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ACMCertificateToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)}
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: ACMCertificateToAWSAccountRelProperties = (
+        ACMCertificateToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ACMCertificateToELBV2ListenerRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ACMCertificateToELBV2ListenerRel(CartographyRelSchema):
+    target_node_label: str = "ELBV2Listener"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("ELBV2ListenerArns", one_to_many=True)}
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "USED_BY"
+    properties: ACMCertificateToELBV2ListenerRelProperties = (
+        ACMCertificateToELBV2ListenerRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ACMCertificateSchema(CartographyNodeSchema):
+    label: str = "ACMCertificate"
+    properties: ACMCertificateNodeProperties = ACMCertificateNodeProperties()
+    sub_resource_relationship: ACMCertificateToAWSAccountRel = (
+        ACMCertificateToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [ACMCertificateToELBV2ListenerRel()]
+    )

cartography/models/aws/cloudtrail/trail.py

@@ -7,6 +7,7 @@ from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
 from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
 from cartography.models.core.relationships import TargetNodeMatcher
 
 
@@ -54,8 +55,31 @@ class CloudTrailToAWSAccountRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class CloudTrailTrailToS3BucketRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudTrailTrailToS3BucketRel(CartographyRelSchema):
+    target_node_label: str = "S3Bucket"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"name": PropertyRef("S3BucketName")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "LOGS_TO"
+    properties: CloudTrailTrailToS3BucketRelProperties = (
+        CloudTrailTrailToS3BucketRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class CloudTrailTrailSchema(CartographyNodeSchema):
     label: str = "CloudTrailTrail"
     properties: CloudTrailTrailNodeProperties = CloudTrailTrailNodeProperties()
     sub_resource_relationship: CloudTrailToAWSAccountRel = CloudTrailToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            CloudTrailTrailToS3BucketRel(),
+        ]
+    )

cartography/models/aws/s3/notification.py

@@ -0,0 +1,24 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class S3BucketToSNSTopicRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class S3BucketToSNSTopicRel(CartographyRelSchema):
+    target_node_label: str = "SNSTopic"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("TopicArn")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "NOTIFIES"
+    properties: S3BucketToSNSTopicRelProperties = S3BucketToSNSTopicRelProperties()