cartography 0.108.0rc1__py3-none-any.whl → 0.108.0rc2__py3-none-any.whl

cartography/intel/aws/cloudwatch.py

@@ -13,6 +13,7 @@ from cartography.models.aws.cloudwatch.log_metric_filter import (
     CloudWatchLogMetricFilterSchema,
 )
 from cartography.models.aws.cloudwatch.loggroup import CloudWatchLogGroupSchema
+from cartography.models.aws.cloudwatch.metric_alarm import CloudWatchMetricAlarmSchema
 from cartography.util import aws_handle_regions
 from cartography.util import timeit
 
@@ -75,6 +76,43 @@ def transform_metric_filters(
     return transformed_filters
 
 
+@timeit
+@aws_handle_regions
+def get_cloudwatch_metric_alarms(
+    boto3_session: boto3.Session, region: str
+) -> List[Dict[str, Any]]:
+    client = boto3_session.client(
+        "cloudwatch", region_name=region, config=get_botocore_config()
+    )
+    paginator = client.get_paginator("describe_alarms")
+    alarms = []
+    for page in paginator.paginate():
+        alarms.extend(page["MetricAlarms"])
+    return alarms
+
+
+def transform_metric_alarms(
+    metric_alarms: List[Dict[str, Any]], region: str
+) -> List[Dict[str, Any]]:
+    """
+    Transform CloudWatch metric alarm data for ingestion into Neo4j.
+    """
+    transformed_alarms = []
+    for alarm in metric_alarms:
+        transformed_alarm = {
+            "AlarmArn": alarm["AlarmArn"],
+            "AlarmName": alarm.get("AlarmName"),
+            "AlarmDescription": alarm.get("AlarmDescription"),
+            "StateValue": alarm.get("StateValue"),
+            "StateReason": alarm.get("StateReason"),
+            "ActionsEnabled": alarm.get("ActionsEnabled"),
+            "ComparisonOperator": alarm.get("ComparisonOperator"),
+            "Region": region,
+        }
+        transformed_alarms.append(transformed_alarm)
+    return transformed_alarms
+
+
 @timeit
 def load_cloudwatch_log_groups(
     neo4j_session: neo4j.Session,
@@ -117,6 +155,27 @@ def load_cloudwatch_log_metric_filters(
     )
 
 
+@timeit
+def load_cloudwatch_metric_alarms(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    logger.info(
+        f"Loading CloudWatch {len(data)} metric alarms for region '{region}' into graph.",
+    )
+    load(
+        neo4j_session,
+        CloudWatchMetricAlarmSchema(),
+        data,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+
+
 @timeit
 def cleanup(
     neo4j_session: neo4j.Session,
@@ -130,6 +189,9 @@ def cleanup(
     GraphJob.from_node_schema(
         CloudWatchLogMetricFilterSchema(), common_job_parameters
     ).run(neo4j_session)
+    GraphJob.from_node_schema(CloudWatchMetricAlarmSchema(), common_job_parameters).run(
+        neo4j_session
+    )
 
 
 @timeit
@@ -146,13 +208,10 @@ def sync(
             f"Syncing CloudWatch for region '{region}' in account '{current_aws_account_id}'.",
         )
         logGroups = get_cloudwatch_log_groups(boto3_session, region)
-        group_data: List[Dict[str, Any]] = []
-        for logGroup in logGroups:
-            group_data.append(logGroup)
 
         load_cloudwatch_log_groups(
             neo4j_session,
-            group_data,
+            logGroups,
             region,
             current_aws_account_id,
             update_tag,
@@ -167,4 +226,14 @@ def sync(
             current_aws_account_id,
             update_tag,
         )
+
+        metric_alarms = get_cloudwatch_metric_alarms(boto3_session, region)
+        transformed_alarms = transform_metric_alarms(metric_alarms, region)
+        load_cloudwatch_metric_alarms(
+            neo4j_session,
+            transformed_alarms,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/ec2/subnets.py

@@ -1,17 +1,17 @@
 import logging
-from typing import Dict
-from typing import List
+from typing import Any
 
 import boto3
 import neo4j
 
+from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
 from cartography.models.aws.ec2.auto_scaling_groups import (
     EC2SubnetAutoScalingGroupSchema,
 )
 from cartography.models.aws.ec2.subnet_instance import EC2SubnetInstanceSchema
+from cartography.models.aws.ec2.subnets import EC2SubnetSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 from .util import get_botocore_config
@@ -21,86 +21,53 @@ logger = logging.getLogger(__name__)
 
 @timeit
 @aws_handle_regions
-def get_subnet_data(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_subnet_data(
+    boto3_session: boto3.session.Session, region: str
+) -> list[dict[str, Any]]:
     client = boto3_session.client(
         "ec2",
         region_name=region,
         config=get_botocore_config(),
     )
     paginator = client.get_paginator("describe_subnets")
-    subnets: List[Dict] = []
+    subnets: list[dict[str, Any]] = []
     for page in paginator.paginate():
         subnets.extend(page["Subnets"])
     return subnets
 
 
+def transform_subnet_data(subnets: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """Transform subnet data into a loadable format."""
+    transformed: list[dict[str, Any]] = []
+    for subnet in subnets:
+        transformed.append(subnet.copy())
+    return transformed
+
+
 @timeit
 def load_subnets(
     neo4j_session: neo4j.Session,
-    data: List[Dict],
+    data: list[dict[str, Any]],
     region: str,
     aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
-
-    ingest_subnets = """
-    UNWIND $subnets as subnet
-    MERGE (snet:EC2Subnet{subnetid: subnet.SubnetId})
-    ON CREATE SET snet.firstseen = timestamp()
-    SET snet.lastupdated = $aws_update_tag, snet.name = subnet.CidrBlock, snet.cidr_block = subnet.CidrBlock,
-    snet.available_ip_address_count = subnet.AvailableIpAddressCount, snet.default_for_az = subnet.DefaultForAz,
-    snet.map_customer_owned_ip_on_launch = subnet.MapCustomerOwnedIpOnLaunch,
-    snet.state = subnet.State, snet.assignipv6addressoncreation = subnet.AssignIpv6AddressOnCreation,
-    snet.map_public_ip_on_launch = subnet.MapPublicIpOnLaunch, snet.subnet_arn = subnet.SubnetArn,
-    snet.availability_zone = subnet.AvailabilityZone, snet.availability_zone_id = subnet.AvailabilityZoneId,
-    snet.subnet_id = subnet.SubnetId
-    """
-
-    ingest_subnet_vpc_relations = """
-    UNWIND $subnets as subnet
-    MATCH (snet:EC2Subnet{subnetid: subnet.SubnetId}), (vpc:AWSVpc{id: subnet.VpcId})
-    MERGE (snet)-[r:MEMBER_OF_AWS_VPC]->(vpc)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
-    """
-
-    ingest_subnet_aws_account_relations = """
-    UNWIND $subnets as subnet
-    MATCH (snet:EC2Subnet{subnetid: subnet.SubnetId}), (aws:AWSAccount{id: $aws_account_id})
-    MERGE (aws)-[r:RESOURCE]->(snet)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
-    """
-
-    neo4j_session.run(
-        ingest_subnets,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
-    )
-    neo4j_session.run(
-        ingest_subnet_vpc_relations,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
-    )
-    neo4j_session.run(
-        ingest_subnet_aws_account_relations,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
+    load(
+        neo4j_session,
+        EC2SubnetSchema(),
+        data,
+        Region=region,
+        AWS_ID=aws_account_id,
+        lastupdated=aws_update_tag,
     )
 
 
 @timeit
-def cleanup_subnets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job(
-        "aws_ingest_subnets_cleanup.json",
+def cleanup_subnets(
+    neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]
+) -> None:
+    GraphJob.from_node_schema(EC2SubnetSchema(), common_job_parameters).run(
         neo4j_session,
-        common_job_parameters,
     )
     GraphJob.from_node_schema(EC2SubnetInstanceSchema(), common_job_parameters).run(
         neo4j_session,
@@ -115,10 +82,10 @@ def cleanup_subnets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -
 def sync_subnets(
     neo4j_session: neo4j.Session,
     boto3_session: boto3.session.Session,
-    regions: List[str],
+    regions: list[str],
     current_aws_account_id: str,
     update_tag: int,
-    common_job_parameters: Dict,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     for region in regions:
         logger.info(
@@ -127,5 +94,12 @@ def sync_subnets(
             current_aws_account_id,
         )
         data = get_subnet_data(boto3_session, region)
-        load_subnets(neo4j_session, data, region, current_aws_account_id, update_tag)
+        transformed = transform_subnet_data(data)
+        load_subnets(
+            neo4j_session,
+            transformed,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup_subnets(neo4j_session, common_job_parameters)

cartography/intel/aws/elasticache.py

@@ -1,118 +1,132 @@
 import logging
-from typing import Dict
-from typing import List
-from typing import Set
+from typing import Any
 
 import boto3
 import neo4j
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.elasticache.cluster import ElasticacheClusterSchema
+from cartography.models.aws.elasticache.topic import ElasticacheTopicSchema
 from cartography.stats import get_stats_client
 from cartography.util import aws_handle_regions
 from cartography.util import merge_module_sync_metadata
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 stat_handler = get_stats_client(__name__)
 
 
-def _get_topic(cluster: Dict) -> Dict:
-    return cluster["NotificationConfiguration"]
-
-
-def transform_elasticache_topics(cluster_data: List[Dict]) -> List[Dict]:
-    """
-    Collect unique TopicArns from the cluster data
-    """
-    seen: Set[str] = set()
-    topics: List[Dict] = []
-    for cluster in cluster_data:
-        topic = _get_topic(cluster)
-        topic_arn = topic["TopicArn"]
-        if topic_arn not in seen:
-            seen.add(topic_arn)
-            topics.append(topic)
-    return topics
-
-
 @timeit
 @aws_handle_regions
 def get_elasticache_clusters(
     boto3_session: boto3.session.Session,
     region: str,
-) -> List[Dict]:
-    logger.debug(f"Getting ElastiCache Clusters in region '{region}'.")
+) -> list[dict[str, Any]]:
     client = boto3_session.client("elasticache", region_name=region)
     paginator = client.get_paginator("describe_cache_clusters")
-    clusters: List[Dict] = []
+    clusters: list[dict[str, Any]] = []
     for page in paginator.paginate():
-        clusters.extend(page["CacheClusters"])
+        clusters.extend(page.get("CacheClusters", []))
     return clusters
 
 
+def transform_elasticache_clusters(
+    clusters: list[dict[str, Any]], region: str
+) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
+    cluster_data: list[dict[str, Any]] = []
+    topics: dict[str, dict[str, Any]] = {}
+
+    for cluster in clusters:
+        notification = cluster.get("NotificationConfiguration", {})
+        topic_arn = notification.get("TopicArn")
+        cluster_record = {
+            "ARN": cluster["ARN"],
+            "CacheClusterId": cluster["CacheClusterId"],
+            "CacheNodeType": cluster.get("CacheNodeType"),
+            "Engine": cluster.get("Engine"),
+            "EngineVersion": cluster.get("EngineVersion"),
+            "CacheClusterStatus": cluster.get("CacheClusterStatus"),
+            "NumCacheNodes": cluster.get("NumCacheNodes"),
+            "PreferredAvailabilityZone": cluster.get("PreferredAvailabilityZone"),
+            "PreferredMaintenanceWindow": cluster.get("PreferredMaintenanceWindow"),
+            "CacheClusterCreateTime": cluster.get("CacheClusterCreateTime"),
+            "CacheSubnetGroupName": cluster.get("CacheSubnetGroupName"),
+            "AutoMinorVersionUpgrade": cluster.get("AutoMinorVersionUpgrade"),
+            "ReplicationGroupId": cluster.get("ReplicationGroupId"),
+            "SnapshotRetentionLimit": cluster.get("SnapshotRetentionLimit"),
+            "SnapshotWindow": cluster.get("SnapshotWindow"),
+            "AuthTokenEnabled": cluster.get("AuthTokenEnabled"),
+            "TransitEncryptionEnabled": cluster.get("TransitEncryptionEnabled"),
+            "AtRestEncryptionEnabled": cluster.get("AtRestEncryptionEnabled"),
+            "TopicArn": topic_arn,
+            "Region": region,
+        }
+        cluster_data.append(cluster_record)
+
+        if topic_arn:
+            topics.setdefault(
+                topic_arn,
+                {
+                    "TopicArn": topic_arn,
+                    "TopicStatus": notification.get("TopicStatus"),
+                    "cluster_arns": [],
+                },
+            )["cluster_arns"].append(cluster["ARN"])
+
+    return cluster_data, list(topics.values())
+
+
 @timeit
 def load_elasticache_clusters(
     neo4j_session: neo4j.Session,
-    clusters: List[Dict],
+    clusters: list[dict[str, Any]],
     region: str,
     aws_account_id: str,
     update_tag: int,
 ) -> None:
-    query = """
-    UNWIND $clusters as elasticache_cluster
-        MERGE (cluster:ElasticacheCluster{id:elasticache_cluster.ARN})
-        ON CREATE SET cluster.firstseen = timestamp(),
-            cluster.arn = elasticache_cluster.ARN,
-            cluster.topic_arn = elasticache_cluster.NotificationConfiguration.TopicArn,
-            cluster.id = elasticache_cluster.CacheClusterId,
-            cluster.region = $region
-        SET cluster.lastupdated = $aws_update_tag
-
-        WITH cluster, elasticache_cluster
-        MATCH (owner:AWSAccount{id: $aws_account_id})
-        MERGE (owner)-[r3:RESOURCE]->(cluster)
-        ON CREATE SET r3.firstseen = timestamp()
-        SET r3.lastupdated = $aws_update_tag
-
-        WITH elasticache_cluster, owner
-        WHERE NOT elasticache_cluster.NotificationConfiguration IS NULL
-        MERGE (topic:ElasticacheTopic{id: elasticache_cluster.NotificationConfiguration.TopicArn})
-        ON CREATE SET topic.firstseen = timestamp(),
-            topic.arn = elasticache_cluster.NotificationConfiguration.TopicArn
-        SET topic.lastupdated = $aws_update_tag,
-            topic.status = elasticache_cluster.NotificationConfiguration.Status
-
-        MERGE (topic)-[r:CACHE_CLUSTER]->(cluster)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $aws_update_tag
-        WITH cluster, topic
-
-        MERGE (owner)-[r2:RESOURCE]->(topic)
-        ON CREATE SET r2.firstseen = timestamp()
-        SET r2.lastupdated = $aws_update_tag
-    """
     logger.info(
-        f"Loading f{len(clusters)} ElastiCache clusters for region '{region}' into graph.",
+        f"Loading {len(clusters)} ElastiCache clusters for region '{region}' into graph."
     )
-    neo4j_session.run(
-        query,
-        clusters=clusters,
-        region=region,
-        aws_update_tag=update_tag,
-        aws_account_id=aws_account_id,
+    load(
+        neo4j_session,
+        ElasticacheClusterSchema(),
+        clusters,
+        lastupdated=update_tag,
+        Region=region,
+        AWS_ID=aws_account_id,
     )
 
 
 @timeit
-def cleanup(
+def load_elasticache_topics(
     neo4j_session: neo4j.Session,
-    current_aws_account_id: str,
+    topics: list[dict[str, Any]],
+    aws_account_id: str,
     update_tag: int,
 ) -> None:
-    run_cleanup_job(
-        "aws_import_elasticache_cleanup.json",
+    if not topics:
+        return
+    logger.info(f"Loading {len(topics)} ElastiCache topics into graph.")
+    load(
         neo4j_session,
-        {"UPDATE_TAG": update_tag, "AWS_ID": current_aws_account_id},
+        ElasticacheTopicSchema(),
+        topics,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
+    )
+
+
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    GraphJob.from_node_schema(ElasticacheClusterSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(ElasticacheTopicSchema(), common_job_parameters).run(
+        neo4j_session
     )
 
 
@@ -120,24 +134,33 @@ def cleanup(
 def sync(
     neo4j_session: neo4j.Session,
     boto3_session: boto3.session.Session,
-    regions: List[str],
+    regions: list[str],
     current_aws_account_id: str,
     update_tag: int,
-    common_job_parameters: Dict,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     for region in regions:
         logger.info(
-            f"Syncing ElastiCache clusters for region '{region}' in account {current_aws_account_id}",
+            "Syncing ElastiCache clusters for region '%s' in account '%s'.",
+            region,
+            current_aws_account_id,
         )
-        clusters = get_elasticache_clusters(boto3_session, region)
+        raw_clusters = get_elasticache_clusters(boto3_session, region)
+        cluster_data, topic_data = transform_elasticache_clusters(raw_clusters, region)
         load_elasticache_clusters(
             neo4j_session,
-            clusters,
+            cluster_data,
             region,
             current_aws_account_id,
             update_tag,
         )
-    cleanup(neo4j_session, current_aws_account_id, update_tag)
+        load_elasticache_topics(
+            neo4j_session,
+            topic_data,
+            current_aws_account_id,
+            update_tag,
+        )
+    cleanup(neo4j_session, common_job_parameters)
     merge_module_sync_metadata(
         neo4j_session,
         group_type="AWSAccount",

cartography/models/aws/cloudtrail/management_events.py

@@ -29,12 +29,6 @@ class AssumedRoleRelProperties(CartographyRelProperties):
     times_used: PropertyRef = PropertyRef("times_used")
     first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
 
-    # Event type tracking properties
-    event_types: PropertyRef = PropertyRef("event_types")
-    assume_role_count: PropertyRef = PropertyRef("assume_role_count")
-    saml_count: PropertyRef = PropertyRef("saml_count")
-    web_identity_count: PropertyRef = PropertyRef("web_identity_count")
-
 
 @dataclass(frozen=True)
 class AssumedRoleMatchLink(CartographyRelSchema):
@@ -62,3 +56,98 @@ class AssumedRoleMatchLink(CartographyRelSchema):
     direction: LinkDirection = LinkDirection.OUTWARD
     rel_label: str = "ASSUMED_ROLE"
     properties: AssumedRoleRelProperties = AssumedRoleRelProperties()
+
+
+@dataclass(frozen=True)
+class AssumedRoleWithSAMLRelProperties(CartographyRelProperties):
+    """
+    Properties for the ASSUMED_ROLE_WITH_SAML relationship representing SAML-based role assumption events.
+    Focuses specifically on SAML federated identity role assumptions.
+    """
+
+    # Mandatory fields for MatchLinks
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    _sub_resource_label: PropertyRef = PropertyRef(
+        "_sub_resource_label", set_in_kwargs=True
+    )
+    _sub_resource_id: PropertyRef = PropertyRef("_sub_resource_id", set_in_kwargs=True)
+
+    # CloudTrail-specific relationship properties
+    last_used: PropertyRef = PropertyRef("last_used")
+    times_used: PropertyRef = PropertyRef("times_used")
+    first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
+
+
+@dataclass(frozen=True)
+class AssumedRoleWithSAMLMatchLink(CartographyRelSchema):
+    """
+    MatchLink schema for ASSUMED_ROLE_WITH_SAML relationships from CloudTrail SAML events.
+    Creates relationships like: (AWSRole)-[:ASSUMED_ROLE_WITH_SAML]->(AWSRole)
+
+    This MatchLink handles SAML-based role assumption relationships discovered via CloudTrail
+    AssumeRoleWithSAML events. It creates separate relationships from regular AssumeRole events
+    to preserve visibility into authentication methods used.
+    """
+
+    # MatchLink-specific fields
+    source_node_label: str = "AWSSSOUser"  # Match against AWS SSO User nodes
+    source_node_matcher: SourceNodeMatcher = make_source_node_matcher(
+        {"user_name": PropertyRef("source_principal_arn")},
+    )
+
+    # Standard CartographyRelSchema fields
+    target_node_label: str = "AWSRole"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("destination_principal_arn")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ASSUMED_ROLE_WITH_SAML"
+    properties: AssumedRoleWithSAMLRelProperties = AssumedRoleWithSAMLRelProperties()
+
+
+@dataclass(frozen=True)
+class AssumeRoleWithWebIdentityRelProperties(CartographyRelProperties):
+    """
+    Properties for the ASSUMED_ROLE_WITH_WEB_IDENTITY relationship representing web identity-based role assumption events.
+    Focuses specifically on web identity federation role assumptions (Google, Amazon, Facebook, etc.).
+    """
+
+    # Mandatory fields for MatchLinks
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    _sub_resource_label: PropertyRef = PropertyRef(
+        "_sub_resource_label", set_in_kwargs=True
+    )
+    _sub_resource_id: PropertyRef = PropertyRef("_sub_resource_id", set_in_kwargs=True)
+
+    # CloudTrail-specific relationship properties
+    last_used: PropertyRef = PropertyRef("last_used")
+    times_used: PropertyRef = PropertyRef("times_used")
+    first_seen_in_time_window: PropertyRef = PropertyRef("first_seen_in_time_window")
+
+
+@dataclass(frozen=True)
+class GitHubRepoAssumeRoleWithWebIdentityMatchLink(CartographyRelSchema):
+    """
+    MatchLink schema for ASSUMED_ROLE_WITH_WEB_IDENTITY relationships from GitHub Actions to AWS roles.
+    Creates relationships like: (GitHubRepository)-[:ASSUMED_ROLE_WITH_WEB_IDENTITY]->(AWSRole)
+
+    This MatchLink provides granular visibility into which specific GitHub repositories are assuming
+    AWS roles via GitHub Actions OIDC, rather than just showing provider-level relationships.
+    """
+
+    # MatchLink-specific fields for GitHub repositories
+    source_node_label: str = "GitHubRepository"
+    source_node_matcher: SourceNodeMatcher = make_source_node_matcher(
+        {"fullname": PropertyRef("source_repo_fullname")},
+    )
+
+    # Standard CartographyRelSchema fields
+    target_node_label: str = "AWSRole"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("destination_principal_arn")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ASSUMED_ROLE_WITH_WEB_IDENTITY"
+    properties: AssumeRoleWithWebIdentityRelProperties = (
+        AssumeRoleWithWebIdentityRelProperties()
+    )

cartography/models/aws/cloudtrail/trail.py

@@ -73,6 +73,26 @@ class CloudTrailTrailToS3BucketRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class CloudTrailTrailToCloudWatchLogGroupRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CloudTrailTrailToCloudWatchLogGroupRel(CartographyRelSchema):
+    target_node_label: str = "CloudWatchLogGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("CloudWatchLogsLogGroupArn"),
+        }
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "SENDS_LOGS_TO_CLOUDWATCH"
+    properties: CloudTrailTrailToCloudWatchLogGroupRelProperties = (
+        CloudTrailTrailToCloudWatchLogGroupRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class CloudTrailTrailSchema(CartographyNodeSchema):
     label: str = "CloudTrailTrail"
@@ -81,5 +101,6 @@ class CloudTrailTrailSchema(CartographyNodeSchema):
     other_relationships: OtherRelationships = OtherRelationships(
         [
             CloudTrailTrailToS3BucketRel(),
+            CloudTrailTrailToCloudWatchLogGroupRel(),
         ]
     )