cartography 0.117.0__py3-none-any.whl → 0.119.0__py3-none-any.whl

cartography/rules/data/frameworks/mitre_attack/requirements/t1098_account_manipulation/__init__.py

@@ -12,32 +12,43 @@ _aws_account_manipulation_permissions = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
         AND stmt.effect = 'Allow'
-        WITH a, principal, stmt,
-            // Return labels that are not the general "AWSPrincipal" label
+        WITH a, principal, stmt, policy,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            // Define the list of IAM actions to match on
-            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] |
-                p] AS patterns
-        WITH a, principal, principal_type, stmt,
-            // Filter on the desired IAM actions
+            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] | p] AS patterns
+
+        // Match only Allow statements whose actions fit the patterns
+        WITH a, principal, principal_type, stmt, policy,
             [action IN stmt.action
                 WHERE ANY(prefix IN patterns WHERE action STARTS WITH prefix)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS matched_actions
-        // Return only statement actions that we matched on
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Find explicit Deny statements for the same principal that overlap
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WHERE ANY(deny_action IN deny_stmt.action
+                    WHERE deny_action IN matched_allow_actions
+                    OR deny_action = 'iam:*'
+                    OR deny_action = '*')
+
+        // If a deny exists, exclude those principals
+        WITH a, principal, principal_type, policy, stmt, matched_allow_actions, deny_stmt
+        WHERE deny_stmt IS NULL
+
+        UNWIND matched_allow_actions AS action
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
             principal.arn AS principal_arn,
             principal_type,
-            collect(action) as action,
+            policy.name AS policy_name,
+            collect(DISTINCT action) AS action,
             stmt.resource AS resource
         ORDER BY account, principal_name
     """,
@@ -71,27 +82,42 @@ _aws_trust_relationship_manipulation = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        OPTIONAL MATCH (groupmember:AWSUser)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement {effect:"Allow"})
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
-        AND stmt.effect = 'Allow'
-        WITH a, principal, stmt,
+        WITH a, principal, policy, stmt,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            ['iam:UpdateAssumeRolePolicy','iam:CreateRole'] AS patterns
-        WITH a, principal, principal_type, stmt,
+            ['iam:UpdateAssumeRolePolicy', 'iam:CreateRole'] AS patterns
+
+        // Filter for matching Allow actions
+        WITH a, principal, principal_type, stmt, policy,
             [action IN stmt.action
                 WHERE ANY(p IN patterns WHERE action = p)
-                OR action = 'iam:*' OR action = '*'
-            ] AS matched_actions
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Look for any explicit Deny statement on same principal that matches those actions
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WHERE ANY(action IN deny_stmt.action
+                WHERE action IN matched_allow_actions
+                    OR action = 'iam:*'
+                    OR action = '*')
+
+        // Exclude principals with an explicit Deny that overlaps
+        WITH a, principal, principal_type, policy, stmt, matched_allow_actions, deny_stmt
+        WHERE deny_stmt IS NULL
+
+        UNWIND matched_allow_actions AS action
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
             principal.arn AS principal_arn,
+            policy.name AS policy_name,
             principal_type,
-            collect(distinct action) as action,
+            collect(DISTINCT action) AS action,
             stmt.resource AS resource
         ORDER BY account, principal_name
     """,
@@ -118,33 +144,58 @@ _aws_service_account_manipulation_via_ec2 = Fact(
         MATCH (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
         MATCH (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
         MATCH (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
-        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        WHERE stmt.effect = 'Allow'
-        WITH a, ec2, role,
-            // Define the list of IAM actions to match on
-            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
-            // Filter on the desired IAM actions
-            [action IN stmt.action
-                WHERE ANY(p IN ['iam:Create','iam:Attach','iam:Put','iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
+        WITH a, ec2, role, allow_stmt,
+            ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] AS patterns
+
+        // Step 1: Collect allowed actions that match IAM modification patterns
+        WITH a, ec2, role, patterns,
+            [action IN allow_stmt.action
+                WHERE ANY(p IN patterns WHERE action STARTS WITH p)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS actions
-        // For the instances that are internet open, include the SG and rules
-        OPTIONAL MATCH (ec2{exposed_internet:True})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
-        // Return only statement actions that we matched on
-        WHERE size(actions) > 0
-        UNWIND actions AS flat_action
-        WITH a, ec2, role, sg, ip,
-            collect(DISTINCT flat_action) AS actions
-        RETURN DISTINCT a.name AS account,
-            a.id as account_id,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Step 2: Collect deny statements for the same role
+        OPTIONAL MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, ec2, role, patterns, matched_allow_actions,
+            // Flatten the deny action lists manually
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3: Compute effective = allows minus denies
+        WITH a, ec2, role, matched_allow_actions, all_deny_actions,
+            [action IN matched_allow_actions
+                WHERE NOT (
+                    // Full wildcard Deny *
+                    '*' IN all_deny_actions OR
+                    // IAM category wildcard Deny iam:*
+                    'iam:*' IN all_deny_actions OR
+                    // Exact match deny
+                    action IN all_deny_actions OR
+                    // Prefix wildcards like Deny iam:Update*
+                    ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND action STARTS WITH split(d,'*')[0])
+                )
+            ] AS effective_actions
+        WHERE size(effective_actions) > 0
+
+        // Step 4: Optional internet exposure context
+        OPTIONAL MATCH (ec2 {exposed_internet: True})
+            -[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
+            <-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+
+        UNWIND effective_actions AS action
+        WITH a, ec2, role, sg, ip, COLLECT(DISTINCT action) AS actions
+        RETURN DISTINCT
+            a.name AS account,
+            a.id AS account_id,
             ec2.instanceid AS instance_id,
             ec2.exposed_internet AS internet_accessible,
-            ec2.publicipaddress as public_ip_address,
+            ec2.publicipaddress AS public_ip_address,
             role.name AS role_name,
-            collect(actions) as action,
-            ip.fromport as from_port,
-            ip.toport as to_port
+            actions,
+            ip.fromport AS from_port,
+            ip.toport AS to_port
         ORDER BY account, instance_id, internet_accessible, from_port
     """,
     cypher_visual_query="""
@@ -177,27 +228,49 @@ _aws_service_account_manipulation_via_lambda = Fact(
         "AWS Lambda functions with IAM roles that can manipulate other AWS accounts."
     ),
     cypher_query="""
-        // Find Lambda functions with account manipulation capabilities
+        // Find Lambda functions with IAM modification or account manipulation capabilities
         MATCH (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
         MATCH (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
-        MATCH (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        WHERE stmt.effect = 'Allow'
-        WITH a, lambda, role, stmt,
-            // Define the list of IAM actions to match on
-            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
-            // Filter on the desired IAM actions
-            [action IN stmt.action
-                WHERE ANY(p IN ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
+        WITH a, lambda, role, allow_stmt,
+            ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] AS patterns
+
+        // Step 1: Gather allowed actions that match IAM modification patterns
+        WITH a, lambda, role, patterns,
+            [action IN allow_stmt.action
+                WHERE ANY(p IN patterns WHERE action STARTS WITH p)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS actions
-        // Return only statement actions that we matched on
-        WHERE size(actions) > 0
-        UNWIND actions AS flat_action
-        WITH a, lambda, role, stmt,
-            collect(DISTINCT flat_action) AS actions
-        RETURN DISTINCT a.name AS account,
-            a.id as account_id,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Step 2: Gather all deny actions from the same role
+        OPTIONAL MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, lambda, role, patterns, matched_allow_actions,
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3: Subtract Deny actions from Allow actions
+        WITH a, lambda, role, matched_allow_actions, all_deny_actions,
+            [action IN matched_allow_actions
+                WHERE NOT (
+                    // Global wildcard deny
+                    '*' IN all_deny_actions OR
+                    // IAM wildcard deny
+                    'iam:*' IN all_deny_actions OR
+                    // Exact match deny
+                    action IN all_deny_actions OR
+                    // Prefix wildcards like Deny iam:Update*
+                    ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND action STARTS WITH split(d,'*')[0])
+                )
+            ] AS effective_actions
+        WHERE size(effective_actions) > 0
+
+        // Step 4: Return only Lambdas with effective IAM modification capabilities
+        UNWIND effective_actions AS action
+        WITH a, lambda, role, COLLECT(DISTINCT action) AS actions
+        RETURN DISTINCT
+            a.name AS account,
+            a.id AS account_id,
             lambda.arn AS arn,
             lambda.description AS description,
             lambda.anonymous_access AS internet_accessible,
@@ -232,37 +305,51 @@ _aws_policy_manipulation_capabilities = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
-        AND stmt.effect = 'Allow'
-
-        WITH a, principal, stmt,
-            // Return labels that are not the general "AWSPrincipal" label
+        WITH a, principal, policy, allow_stmt,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            // Define the list of IAM actions to match on
-            [p IN
-            ['iam:CreatePolicy', 'iam:CreatePolicyVersion', 'iam:AttachUserPolicy', 'iam:AttachRolePolicy', 'iam:AttachGroupPolicy',
-            'iam:AttachRolePolicy', 'iam:AttachGroupPolicy', 'iam:DetachUserPolicy', 'iam:DetachRolePolicy', 'iam:DetachGroupPolicy',
-            'iam:PutUserPolicy', 'iam:PutRolePolicy', 'iam:PutGroupPolicy'] |
-                p] AS patterns
+            [
+            'iam:CreatePolicy','iam:CreatePolicyVersion',
+            'iam:AttachUserPolicy','iam:AttachRolePolicy','iam:AttachGroupPolicy',
+            'iam:DetachUserPolicy','iam:DetachRolePolicy','iam:DetachGroupPolicy',
+            'iam:PutUserPolicy','iam:PutRolePolicy','iam:PutGroupPolicy'
+            ] AS patterns
 
-        // Return only statement actions that we matched on
-        WITH a, principal, principal_type, stmt,
-            [action IN stmt.action
-                WHERE ANY(p IN patterns WHERE action = p)
-                OR action = 'iam:*' OR action = '*'
-            ] AS matched_actions
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+        // Step 1 – Collect (action, resource) pairs for allowed statements
+        UNWIND allow_stmt.action AS allow_action
+            WITH a, principal, principal_type, policy, allow_stmt, allow_action, patterns
+            WHERE ANY(p IN patterns WHERE allow_action = p)
+            OR allow_action = 'iam:*'
+            OR allow_action = '*'
+        WITH a, principal, principal_type, policy, allow_stmt, allow_action, allow_stmt.resource AS allow_resources
+
+        // Step 2 – Gather all Deny statements for the same principal
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, principal, principal_type, policy, allow_action, allow_resources,
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3 – Filter out denied actions (handles *, iam:*, exact, and prefix wildcards)
+        WHERE NOT (
+            '*' IN all_deny_actions OR
+            'iam:*' IN all_deny_actions OR
+            allow_action IN all_deny_actions OR
+            ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND allow_action STARTS WITH split(d,'*')[0])
+        )
+
+        // Step 4 – Preserve (action, resource) mapping
+        UNWIND allow_resources AS resource
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
-            principal.arn AS principal_arn,
+            principal.arn  AS principal_arn,
             principal_type,
-            collect(action) as action,
-            stmt.resource AS resource
-        ORDER BY account, principal_name
+            policy.name    AS policy_name,
+            allow_action   AS action,
+            resource
+        ORDER BY account, principal_name, action, resource
     """,
     cypher_visual_query="""
     MATCH p1=(a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)

cartography/sync.py

@@ -36,6 +36,7 @@ import cartography.intel.kubernetes
 import cartography.intel.lastpass
 import cartography.intel.oci
 import cartography.intel.okta
+import cartography.intel.ontology
 import cartography.intel.openai
 import cartography.intel.pagerduty
 import cartography.intel.scaleway
@@ -52,7 +53,7 @@ from cartography.util import STATUS_SUCCESS
 logger = logging.getLogger(__name__)
 
 
-TOP_LEVEL_MODULES = OrderedDict(
+TOP_LEVEL_MODULES: OrderedDict[str, Callable[..., None]] = OrderedDict(
     {  # preserve order so that the default sync always runs `analysis` at the very end
         "create-indexes": cartography.intel.create_indexes.run,
         "airbyte": cartography.intel.airbyte.start_airbyte_ingestion,
@@ -84,6 +85,7 @@ TOP_LEVEL_MODULES = OrderedDict(
         "pagerduty": cartography.intel.pagerduty.start_pagerduty_ingestion,
         "trivy": cartography.intel.trivy.start_trivy_ingestion,
         "sentinelone": cartography.intel.sentinelone.start_sentinelone_ingestion,
+        "ontology": cartography.intel.ontology.run,
         # Analysis should be the last stage
         "analysis": cartography.intel.analysis.run,
     }
@@ -212,6 +214,7 @@ class Sync:
                         intel_module_info.name,
                     )
                 available_modules[intel_module_info.name] = v
+        available_modules["ontology"] = cartography.intel.ontology.run
         available_modules["analysis"] = cartography.intel.analysis.run
         return available_modules
 

cartography/util.py

@@ -35,6 +35,22 @@ from cartography.stats import ScopedStatsClient
 logger = logging.getLogger(__name__)
 
 
+def is_service_control_policy_explicit_deny(
+    error: botocore.exceptions.ClientError,
+) -> bool:
+    """Return True if the ClientError was caused by an explicit service control policy deny."""
+    error_code = error.response.get("Error", {}).get("Code")
+    if error_code not in {"AccessDenied", "AccessDeniedException"}:
+        return False
+
+    message = error.response.get("Error", {}).get("Message")
+    if not message:
+        return False
+
+    lowered = message.lower()
+    return "explicit deny" in lowered and "service control policy" in lowered
+
+
 STATUS_SUCCESS = 0
 STATUS_FAILURE = 1
 STATUS_KEYBOARD_INTERRUPT = 130
@@ -153,6 +169,9 @@ def merge_module_sync_metadata(
     :param synced_type: The sub-module's type
     :param update_tag: Timestamp used to determine data freshness
     """
+    # Import here to avoid circular import with cartography.client.core.tx
+    from cartography.client.core.tx import run_write_query
+
     template = Template(
         """
         MERGE (n:ModuleSyncMetadata{id:'${group_type}_${group_id}_${synced_type}'})
@@ -164,7 +183,8 @@ def merge_module_sync_metadata(
             n.lastupdated=$UPDATE_TAG
     """,
     )
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         template.safe_substitute(
             group_type=group_type,
             group_id=group_id,
@@ -255,6 +275,20 @@ def backoff_handler(details: Dict) -> None:
     )
 
 
+# Error codes that indicate a service is unavailable in a region or blocked by policies
+AWS_REGION_ACCESS_DENIED_ERROR_CODES = [
+    "AccessDenied",
+    "AccessDeniedException",
+    "AuthFailure",
+    "AuthorizationError",
+    "AuthorizationErrorException",
+    "InvalidClientTokenId",
+    "UnauthorizedOperation",
+    "UnrecognizedClientException",
+    "InternalServerErrorException",
+]
+
+
 # TODO Move this to cartography.intel.aws.util.common
 def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
     """
@@ -266,17 +300,6 @@ def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
 
     This should be used on `get_` functions that normally return a list of items.
     """
-    ERROR_CODES = [
-        "AccessDenied",
-        "AccessDeniedException",
-        "AuthFailure",
-        "AuthorizationError",
-        "AuthorizationErrorException",
-        "InvalidClientTokenId",
-        "UnauthorizedOperation",
-        "UnrecognizedClientException",
-        "InternalServerErrorException",
-    ]
 
     @wraps(func)
     # fix for AWS TooManyRequestsException
@@ -303,12 +326,20 @@ def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
                 ) from e
             # The account is not authorized to use this service in this region
             # so we can continue without raising an exception
-            if error_code in ERROR_CODES:
-                logger.warning(
-                    "{} in this region. Skipping...".format(
-                        e.response["Error"]["Message"],
-                    ),
-                )
+            if error_code in AWS_REGION_ACCESS_DENIED_ERROR_CODES:
+                error_message = e.response.get("Error", {}).get("Message")
+                if is_service_control_policy_explicit_deny(e):
+                    logger.warning(
+                        "Service control policy denied access while calling %s: %s",
+                        func.__name__,
+                        error_message,
+                    )
+                else:
+                    logger.warning(
+                        "{} in this region. Skipping...".format(
+                            error_message,
+                        ),
+                    )
                 return []
             else:
                 raise

{cartography-0.117.0.dist-info → cartography-0.119.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cartography
-Version: 0.117.0
+Version: 0.119.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Maintainer: Cartography Contributors
 License-Expression: Apache-2.0
@@ -59,7 +59,7 @@ Requires-Dist: python-dateutil
 Requires-Dist: xmltodict
 Requires-Dist: duo-client
 Requires-Dist: cloudflare<5.0.0,>=4.1.0
-Requires-Dist: scaleway>=2.9.0
+Requires-Dist: scaleway>=2.10.0
 Requires-Dist: google-cloud-resource-manager>=1.14.2
 Requires-Dist: types-aiobotocore-ecr
 Requires-Dist: typer>=0.9.0
@@ -89,7 +89,7 @@ You can learn more about the story behind Cartography in our [presentation at BS
 
 ## Supported platforms
 - [Airbyte](https://cartography-cncf.github.io/cartography/modules/airbyte/index.html) - Organization, Workspace, User, Source, Destination, Connection, Tag, Stream
-- [Amazon Web Services](https://cartography-cncf.github.io/cartography/modules/aws/index.html) - ACM, API Gateway, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including image layers), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue,  GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager(Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
+- [Amazon Web Services](https://cartography-cncf.github.io/cartography/modules/aws/index.html) - ACM, API Gateway, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including multi-arch images, image layers, and attestations), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue,  GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager(Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
 - [Anthropic](https://cartography-cncf.github.io/cartography/modules/anthropic/index.html) - Organization, ApiKey, User, Workspace
 - [BigFix](https://cartography-cncf.github.io/cartography/modules/bigfix/index.html) - Computers
 - [Cloudflare](https://cartography-cncf.github.io/cartography/modules/cloudflare/index.html) - Account, Role, Member, Zone, DNSRecord