cartography 0.113.0__py3-none-any.whl → 0.115.0__py3-none-any.whl

cartography/intel/gsuite/api.py

@@ -6,6 +6,7 @@ import neo4j
 from googleapiclient.discovery import Resource
 from googleapiclient.errors import HttpError
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
@@ -171,7 +172,12 @@ def load_gsuite_groups(
         g.lastupdated = $UpdateTag
     """
     logger.info(f"Ingesting {len(groups)} gsuite groups")
-    neo4j_session.run(ingestion_qry, GroupData=groups, UpdateTag=gsuite_update_tag)
+    run_write_query(
+        neo4j_session,
+        ingestion_qry,
+        GroupData=groups,
+        UpdateTag=gsuite_update_tag,
+    )
 
 
 @timeit
@@ -215,7 +221,12 @@ def load_gsuite_users(
         u.lastupdated = $UpdateTag
     """
     logger.info(f"Ingesting {len(users)} gsuite users")
-    neo4j_session.run(ingestion_qry, UserData=users, UpdateTag=gsuite_update_tag)
+    run_write_query(
+        neo4j_session,
+        ingestion_qry,
+        UserData=users,
+        UpdateTag=gsuite_update_tag,
+    )
 
 
 @timeit
@@ -234,7 +245,8 @@ def load_gsuite_members(
         SET
         r.lastupdated = $UpdateTag
     """
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingestion_qry,
         MemberData=members,
         GroupID=group.get("id"),
@@ -249,7 +261,8 @@ def load_gsuite_members(
         SET
         r.lastupdated = $UpdateTag
     """
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         membership_qry,
         MemberData=members,
         GroupID=group.get("id"),

cartography/intel/okta/applications.py

@@ -10,6 +10,7 @@ import neo4j
 from okta.framework.ApiClient import ApiClient
 from okta.framework.OktaError import OktaError
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
 from cartography.intel.okta.utils import is_last_page
@@ -293,7 +294,8 @@ def _load_okta_applications(
     SET org_r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         ORG_ID=okta_org_id,
         APP_LIST=app_list,
@@ -327,7 +329,8 @@ def _load_application_user(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         APP_ID=app_id,
         USER_LIST=user_list,
@@ -361,7 +364,8 @@ def _load_application_group(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         APP_ID=app_id,
         GROUP_LIST=group_list,
@@ -400,7 +404,8 @@ def _load_application_reply_urls(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         APP_ID=app_id,
         URL_LIST=reply_urls,

cartography/intel/okta/awssaml.py

@@ -10,6 +10,7 @@ import neo4j
 
 from cartography.client.core.tx import read_list_of_dicts_tx
 from cartography.client.core.tx import read_single_value_tx
+from cartography.client.core.tx import run_write_query
 from cartography.util import timeit
 
 AccountRole = namedtuple("AccountRole", ["account_id", "role_name"])
@@ -116,7 +117,8 @@ def _load_okta_group_to_aws_roles(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         GROUP_TO_ROLE=group_to_role,
         okta_update_tag=okta_update_tag,
@@ -140,7 +142,8 @@ def _load_human_can_assume_role(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         okta_update_tag=okta_update_tag,
     )

cartography/intel/okta/factors.py

@@ -8,6 +8,7 @@ from okta import FactorsClient
 from okta.framework.OktaError import OktaError
 from okta.models.factor.Factor import Factor
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.util import timeit
 
@@ -130,7 +131,8 @@ def _load_user_factors(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         USER_ID=user_id,
         FACTOR_LIST=factors,

cartography/intel/okta/groups.py

@@ -11,6 +11,7 @@ from okta.framework.OktaError import OktaError
 from okta.framework.PagedResults import PagedResults
 from okta.models.usergroup import UserGroup
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
@@ -204,7 +205,8 @@ def _load_okta_groups(
     SET org_r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         ORG_ID=okta_org_id,
         GROUP_LIST=group_list,
@@ -251,7 +253,8 @@ def load_okta_group_members(
         SET r.lastupdated = $okta_update_tag
     """
     logging.info(f"Loading {len(member_list)} members of group {group_id}")
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         GROUP_ID=group_id,
         MEMBER_LIST=member_list,

cartography/intel/okta/organization.py

@@ -3,6 +3,7 @@ import logging
 
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -27,7 +28,8 @@ def create_okta_organization(
     SET org.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         ORG_NAME=organization,
         okta_update_tag=okta_update_tag,

cartography/intel/okta/origins.py

@@ -7,6 +7,7 @@ from typing import List
 import neo4j
 from okta.framework.ApiClient import ApiClient
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.utils import create_api_client
 from cartography.util import timeit
 
@@ -96,7 +97,8 @@ def _load_trusted_origins(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         ORG_ID=okta_org_id,
         TRUSTED_LIST=trusted_list,

cartography/intel/okta/roles.py

@@ -7,6 +7,7 @@ from typing import List
 import neo4j
 from okta.framework.ApiClient import ApiClient
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
@@ -117,7 +118,8 @@ def _load_user_role(
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         USER_ID=user_id,
         ROLES_DATA=roles_data,
@@ -149,7 +151,8 @@ def _load_group_role(
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         GROUP_ID=group_id,
         ROLES_DATA=roles_data,

cartography/intel/okta/users.py

@@ -8,6 +8,7 @@ import neo4j
 from okta import UsersClient
 from okta.models.user import User
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.util import timeit
@@ -174,7 +175,8 @@ def _load_okta_users(
     SET h.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         ORG_ID=okta_org_id,
         USER_LIST=user_list,

cartography/models/aws/iam/access_key.py

@@ -0,0 +1,103 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AccountAccessKeyNodeProperties(CartographyNodeProperties):
+    # Required unique identifier
+    id: PropertyRef = PropertyRef("accesskeyid")
+    accesskeyid: PropertyRef = PropertyRef("accesskeyid", extra_index=True)
+
+    # Automatic fields (set by cartography)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+    # Business fields from AWS IAM access keys
+    createdate: PropertyRef = PropertyRef("createdate")
+    status: PropertyRef = PropertyRef("status")
+    lastuseddate: PropertyRef = PropertyRef("lastuseddate")
+    lastusedservice: PropertyRef = PropertyRef("lastusedservice")
+    lastusedregion: PropertyRef = PropertyRef("lastusedregion")
+
+
+@dataclass(frozen=True)
+class AWSUserToAccountAccessKeyRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSUserToAccountAccessKeyRel(CartographyRelSchema):
+    target_node_label: str = "AccountAccessKey"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "accesskeyid": PropertyRef("accesskeyid"),
+        }
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "AWS_ACCESS_KEY"
+    properties: AWSUserToAccountAccessKeyRelProperties = (
+        AWSUserToAccountAccessKeyRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AccountAccessKeyToAWSUserRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AccountAccessKeyToAWSUserRel(CartographyRelSchema):
+    target_node_label: str = "AWSUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "arn": PropertyRef("user_arn"),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "AWS_ACCESS_KEY"
+    properties: AccountAccessKeyToAWSUserRelProperties = (
+        AccountAccessKeyToAWSUserRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AccountAccessKeyToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AccountAccessKeyToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("AWS_ID", set_in_kwargs=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AccountAccessKeyToAWSAccountRelProperties = (
+        AccountAccessKeyToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AccountAccessKeySchema(CartographyNodeSchema):
+    label: str = "AccountAccessKey"
+    properties: AccountAccessKeyNodeProperties = AccountAccessKeyNodeProperties()
+    sub_resource_relationship: AccountAccessKeyToAWSAccountRel = (
+        AccountAccessKeyToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            AccountAccessKeyToAWSUserRel(),
+            AccountAccessKeyToAWSAccountRel(),
+        ]
+    )

cartography/models/aws/iam/account_role.py

@@ -0,0 +1,24 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+
+
+@dataclass(frozen=True)
+class AWSAccountAWSRoleNodeProperties(CartographyNodeProperties):
+    # Required unique identifier
+    id: PropertyRef = PropertyRef("id")
+
+    # Automatic fields (set by cartography)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSAccountAWSRoleSchema(CartographyNodeSchema):
+    """
+    An AWSAccount that was discovered from a trusted principal in an IAM role.
+    """
+
+    label: str = "AWSAccount"
+    properties: AWSAccountAWSRoleNodeProperties = AWSAccountAWSRoleNodeProperties()

cartography/models/aws/iam/federated_principal.py

@@ -0,0 +1,60 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AWSFederatedPrincipalNodeProperties(CartographyNodeProperties):
+    # Required unique identifier
+    id: PropertyRef = PropertyRef("arn")
+    arn: PropertyRef = PropertyRef("arn", extra_index=True)
+
+    # Automatic fields (set by cartography)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+    # Business fields from AWS IAM federated principals
+    type: PropertyRef = PropertyRef("type")
+
+
+@dataclass(frozen=True)
+class AWSFederatedPrincipalToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSFederatedPrincipalToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("AWS_ID", set_in_kwargs=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AWSFederatedPrincipalToAWSAccountRelProperties = (
+        AWSFederatedPrincipalToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSFederatedPrincipalSchema(CartographyNodeSchema):
+    """
+    E.g. "arn:aws:iam::123456789012:saml-provider/my-saml-provider".
+    """
+
+    label: str = "AWSFederatedPrincipal"
+    properties: AWSFederatedPrincipalNodeProperties = (
+        AWSFederatedPrincipalNodeProperties()
+    )
+    sub_resource_relationship: AWSFederatedPrincipalToAWSAccountRel = (
+        AWSFederatedPrincipalToAWSAccountRel()
+    )
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["AWSPrincipal"])

cartography/models/aws/iam/group.py

@@ -0,0 +1,60 @@
+from dataclasses import dataclass
+
+from cartography.models.aws.iam.group_membership import AWSGroupToAWSUserRel
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AWSGroupNodeProperties(CartographyNodeProperties):
+    # Required unique identifier
+    id: PropertyRef = PropertyRef("arn")
+    arn: PropertyRef = PropertyRef("arn", extra_index=True)
+
+    # Automatic fields (set by cartography)
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+    # Business fields from AWS IAM groups
+    groupid: PropertyRef = PropertyRef("groupid")
+    name: PropertyRef = PropertyRef("name")
+    path: PropertyRef = PropertyRef("path")
+    createdate: PropertyRef = PropertyRef("createdate")
+
+
+@dataclass(frozen=True)
+class AWSGroupToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSGroupToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("AWS_ID", set_in_kwargs=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AWSGroupToAWSAccountRelProperties = AWSGroupToAWSAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class AWSGroupSchema(CartographyNodeSchema):
+    label: str = "AWSGroup"
+    properties: AWSGroupNodeProperties = AWSGroupNodeProperties()
+    sub_resource_relationship: AWSGroupToAWSAccountRel = AWSGroupToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            AWSGroupToAWSUserRel(),
+        ]
+    )
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["AWSPrincipal"])

cartography/models/aws/iam/group_membership.py

@@ -0,0 +1,26 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AWSGroupToAWSUserRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSGroupToAWSUserRel(CartographyRelSchema):
+    target_node_label: str = "AWSUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "arn": PropertyRef("user_arn"),
+        }
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "MEMBER_AWS_GROUP"
+    properties: AWSGroupToAWSUserRelProperties = AWSGroupToAWSUserRelProperties()

cartography/models/aws/iam/inline_policy.py

@@ -0,0 +1,78 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicyNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    name: PropertyRef = PropertyRef("name")
+    type: PropertyRef = PropertyRef("type")
+    arn: PropertyRef = PropertyRef("arn", extra_index=True)
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicyToAWSPrincipalRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicyToAWSPrincipalRel(CartographyRelSchema):
+    target_node_label: str = "AWSPrincipal"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "arn": PropertyRef("principal_arns", one_to_many=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "POLICY"
+    properties: AWSInlinePolicyToAWSPrincipalRelProperties = (
+        AWSInlinePolicyToAWSPrincipalRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicyToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicyToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "id": PropertyRef("AWS_ID", set_in_kwargs=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AWSInlinePolicyToAWSAccountRelProperties = (
+        AWSInlinePolicyToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSInlinePolicySchema(CartographyNodeSchema):
+    """
+    Inline policies are defined on the given principal and are therefore scoped to that principal's account.
+    """
+
+    label: str = "AWSInlinePolicy"
+    properties: AWSInlinePolicyNodeProperties = AWSInlinePolicyNodeProperties()
+    sub_resource_relationship: AWSInlinePolicyToAWSAccountRel = (
+        AWSInlinePolicyToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [AWSInlinePolicyToAWSPrincipalRel()]
+    )
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["AWSPolicy"])

cartography/models/aws/iam/managed_policy.py

@@ -0,0 +1,51 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class AWSManagedPolicyNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    name: PropertyRef = PropertyRef("name")
+    type: PropertyRef = PropertyRef("type")
+    arn: PropertyRef = PropertyRef("arn", extra_index=True)
+
+
+@dataclass(frozen=True)
+class AWSManagedPolicyToAWSPrincipalRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSManagedPolicyToAWSPrincipalRel(CartographyRelSchema):
+    target_node_label: str = "AWSPrincipal"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {
+            "arn": PropertyRef("principal_arns", one_to_many=True),
+        }
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "POLICY"
+    properties: AWSManagedPolicyToAWSPrincipalRelProperties = (
+        AWSManagedPolicyToAWSPrincipalRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSManagedPolicySchema(CartographyNodeSchema):
+    label: str = "AWSManagedPolicy"
+    properties: AWSManagedPolicyNodeProperties = AWSManagedPolicyNodeProperties()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [AWSManagedPolicyToAWSPrincipalRel()]
+    )
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["AWSPolicy"])