cartography 0.99.0__py3-none-any.whl → 0.100.0__py3-none-any.whl

cartography/_version.py

@@ -1,8 +1,13 @@
-# file generated by setuptools_scm
+# file generated by setuptools-scm
 # don't change, don't track in version control
+
+__all__ = ["__version__", "__version_tuple__", "version", "version_tuple"]
+
 TYPE_CHECKING = False
 if TYPE_CHECKING:
-    from typing import Tuple, Union
+    from typing import Tuple
+    from typing import Union
+
     VERSION_TUPLE = Tuple[Union[int, str], ...]
 else:
     VERSION_TUPLE = object
@@ -12,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.99.0'
-__version_tuple__ = version_tuple = (0, 99, 0)
+__version__ = version = '0.100.0'
+__version_tuple__ = version_tuple = (0, 100, 0)

cartography/cli.py

@@ -439,9 +439,10 @@ class CLI:
             '--gsuite-auth-method',
             type=str,
             default='delegated',
-            choices=['delegated', 'oauth'],
+            choices=['delegated', 'oauth', 'default'],
             help=(
-                'The method used by GSuite to authenticate. delegated is the legacy one.'
+                'GSuite authentication method. Can be "delegated" for service account or "oauth" for OAuth. '
+                '"Default" best if using gcloud CLI.'
             ),
         )
         parser.add_argument(

cartography/intel/aws/apigateway.py

@@ -12,8 +12,13 @@ import neo4j
 from botocore.exceptions import ClientError
 from policyuniverse.policy import Policy
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.apigateway import APIGatewayRestAPISchema
+from cartography.models.aws.apigatewaycertificate import APIGatewayClientCertificateSchema
+from cartography.models.aws.apigatewayresource import APIGatewayResourceSchema
+from cartography.models.aws.apigatewaystage import APIGatewayStageSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -107,222 +112,146 @@ def get_rest_api_policy(api: Dict, client: botocore.client.BaseClient) -> Any:
     return policy
 
 
-@timeit
-def load_apigateway_rest_apis(
-    neo4j_session: neo4j.Session, rest_apis: List[Dict], region: str, current_aws_account_id: str,
-    aws_update_tag: int,
-) -> None:
-    """
-    Ingest the details of API Gateway REST APIs into neo4j.
+def transform_apigateway_rest_apis(
+    rest_apis: List[Dict], resource_policies: List[Dict], region: str, current_aws_account_id: str, aws_update_tag: int,
+) -> List[Dict]:
     """
-    ingest_rest_apis = """
-    UNWIND $rest_apis_list AS r
-    MERGE (rest_api:APIGatewayRestAPI{id:r.id})
-    ON CREATE SET rest_api.firstseen = timestamp(),
-    rest_api.createddate = r.createdDate
-    SET rest_api.version = r.version,
-    rest_api.minimumcompressionsize = r.minimumCompressionSize,
-    rest_api.disableexecuteapiendpoint = r.disableExecuteApiEndpoint,
-    rest_api.lastupdated = $aws_update_tag,
-    rest_api.region = $Region
-    WITH rest_api
-    MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-    MERGE (aa)-[r:RESOURCE]->(rest_api)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
+    Transform API Gateway REST API data for ingestion, including policy analysis
     """
+    # Create a mapping of api_id to policy data for easier lookup
+    policy_map = {
+        policy['api_id']: policy
+        for policy in resource_policies
+    }
 
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    transformed_apis = []
     for api in rest_apis:
-        api['createdDate'] = str(api['createdDate']) if 'createdDate' in api else None
-
-    neo4j_session.run(
-        ingest_rest_apis,
-        rest_apis_list=rest_apis,
-        aws_update_tag=aws_update_tag,
-        Region=region,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-    )
+        policy_data = policy_map.get(api['id'], {})
+        transformed_api = {
+            'id': api['id'],
+            'createdDate': str(api['createdDate']) if 'createdDate' in api else None,
+            'version': api.get('version'),
+            'minimumCompressionSize': api.get('minimumCompressionSize'),
+            'disableExecuteApiEndpoint': api.get('disableExecuteApiEndpoint'),
+            # Set defaults in the transform function
+            'anonymous_access': policy_data.get('internet_accessible', False),
+            'anonymous_actions': policy_data.get('accessible_actions', []),
+            # TODO Issue #1452: clarify internet exposure vs anonymous access
+        }
+        transformed_apis.append(transformed_api)
+
+    return transformed_apis
 
 
 @timeit
-def _load_apigateway_policies(
-        neo4j_session: neo4j.Session, policies: List, update_tag: int,
+def load_apigateway_rest_apis(
+    neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> None:
     """
-    Ingest API Gateway REST API policy results into neo4j.
-    """
-    ingest_policies = """
-    UNWIND $policies as policy
-    MATCH (r:APIGatewayRestAPI) where r.name = policy.api_id
-    SET r.anonymous_access = (coalesce(r.anonymous_access, false) OR policy.internet_accessible),
-    r.anonymous_actions = coalesce(r.anonymous_actions, []) + policy.accessible_actions,
-    r.lastupdated = $UpdateTag
+    Ingest API Gateway REST API data into neo4j.
     """
-
-    neo4j_session.run(
-        ingest_policies,
-        policies=policies,
-        UpdateTag=update_tag,
-    )
-
-
-def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> None:
-    set_defaults = """
-    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(restApi:APIGatewayRestAPI)
-    where restApi.anonymous_actions IS NULL
-    SET restApi.anonymous_access = false, restApi.anonymous_actions = []
-    """
-
-    neo4j_session.run(
-        set_defaults,
-        AWS_ID=aws_account_id,
+    load(
+        neo4j_session,
+        APIGatewayRestAPISchema(),
+        data,
+        region=region,
+        lastupdated=aws_update_tag,
+        AWS_ID=current_aws_account_id,
     )
 
 
-@timeit
-def _load_apigateway_stages(
-        neo4j_session: neo4j.Session, stages: List, update_tag: int,
-) -> None:
+def transform_apigateway_stages(stages: List[Dict], update_tag: int) -> List[Dict]:
     """
-    Ingest the Stage resource details into neo4j.
+    Transform API Gateway Stage data for ingestion
     """
-    ingest_stages = """
-    UNWIND $stages_list AS stage
-    MERGE (s:APIGatewayStage{id: stage.arn})
-    ON CREATE SET s.firstseen = timestamp(), s.stagename = stage.stageName,
-    s.createddate = stage.createdDate
-    SET s.deploymentid = stage.deploymentId,
-    s.clientcertificateid = stage.clientCertificateId,
-    s.cacheclusterenabled = stage.cacheClusterEnabled,
-    s.cacheclusterstatus = stage.cacheClusterStatus,
-    s.tracingenabled = stage.tracingEnabled,
-    s.webaclarn = stage.webAclArn,
-    s.lastupdated = $UpdateTag
-    WITH s, stage
-    MATCH (rest_api:APIGatewayRestAPI{id: stage.apiId})
-    MERGE (rest_api)-[r:ASSOCIATED_WITH]->(s)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
-    """
-
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    stage_data = []
     for stage in stages:
         stage['createdDate'] = str(stage['createdDate'])
-        stage['arn'] = "arn:aws:apigateway:::" + stage['apiId'] + "/" + stage['stageName']
-
-    neo4j_session.run(
-        ingest_stages,
-        stages_list=stages,
-        UpdateTag=update_tag,
-    )
+        stage['arn'] = f"arn:aws:apigateway:::{stage['apiId']}/{stage['stageName']}"
+        stage_data.append(stage)
+    return stage_data
 
 
-@timeit
-def _load_apigateway_certificates(
-        neo4j_session: neo4j.Session, certificates: List, update_tag: int,
-) -> None:
-    """
-    Ingest the API Gateway Client Certificate details into neo4j.
+def transform_apigateway_certificates(certificates: List[Dict], update_tag: int) -> List[Dict]:
     """
-    ingest_certificates = """
-    UNWIND $certificates_list as certificate
-    MERGE (c:APIGatewayClientCertificate{id: certificate.clientCertificateId})
-    ON CREATE SET c.firstseen = timestamp(), c.createddate = certificate.createdDate
-    SET c.lastupdated = $UpdateTag, c.expirationdate = certificate.expirationDate
-    WITH c, certificate
-    MATCH (stage:APIGatewayStage{id: certificate.stageArn})
-    MERGE (stage)-[r:HAS_CERTIFICATE]->(c)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
+    Transform API Gateway Client Certificate data for ingestion
     """
-
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    cert_data = []
     for certificate in certificates:
         certificate['createdDate'] = str(certificate['createdDate'])
         certificate['expirationDate'] = str(certificate.get('expirationDate'))
-        certificate['stageArn'] = "arn:aws:apigateway:::" + certificate['apiId'] + "/" + certificate['stageName']
-
-    neo4j_session.run(
-        ingest_certificates,
-        certificates_list=certificates,
-        UpdateTag=update_tag,
-    )
-
-
-@timeit
-def _load_apigateway_resources(
-        neo4j_session: neo4j.Session, resources: List, update_tag: int,
-) -> None:
-    """
-    Ingest the API Gateway Resource details into neo4j.
-    """
-    ingest_resources = """
-    UNWIND $resources_list AS res
-    MERGE (s:APIGatewayResource{id: res.id})
-    ON CREATE SET s.firstseen = timestamp()
-    SET s.path = res.path,
-    s.pathpart = res.pathPart,
-    s.parentid = res.parentId,
-    s.lastupdated =$UpdateTag
-    WITH s, res
-    MATCH (rest_api:APIGatewayRestAPI{id: res.apiId})
-    MERGE (rest_api)-[r:RESOURCE]->(s)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
-    """
-
-    neo4j_session.run(
-        ingest_resources,
-        resources_list=resources,
-        UpdateTag=update_tag,
-    )
+        certificate['stageArn'] = f"arn:aws:apigateway:::{certificate['apiId']}/{certificate['stageName']}"
+        cert_data.append(certificate)
+    return cert_data
 
 
-@timeit
-def load_rest_api_details(
-        neo4j_session: neo4j.Session, stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
-        aws_account_id: str, update_tag: int,
-) -> None:
+def transform_rest_api_details(
+    stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
+) -> Tuple[List[Dict], List[Dict], List[Dict]]:
     """
-    Create dictionaries for Stages, Client certificates, policies and Resource resources
-    so we can import them in a single query
+    Transform Stage, Client Certificate, and Resource data for ingestion
     """
     stages: List[Dict] = []
     certificates: List[Dict] = []
     resources: List[Dict] = []
-    policies: List = []
-    for api_id, stage, certificate, resource, policy in stages_certificate_resources:
-        parsed_policy = parse_policy(api_id, policy)
-        if parsed_policy is not None:
-            policies.append(parsed_policy)
+
+    for api_id, stage, certificate, resource, _ in stages_certificate_resources:
         if len(stage) > 0:
             for s in stage:
                 s['apiId'] = api_id
+                s['createdDate'] = str(s['createdDate'])
+                s['arn'] = f"arn:aws:apigateway:::{api_id}/{s['stageName']}"
             stages.extend(stage)
+
+        if certificate:
+            certificate['apiId'] = api_id
+            certificate['createdDate'] = str(certificate['createdDate'])
+            certificate['expirationDate'] = str(certificate.get('expirationDate'))
+            certificate['stageArn'] = f"arn:aws:apigateway:::{api_id}/{certificate['stageName']}"
+            certificates.append(certificate)
+
         if len(resource) > 0:
             for r in resource:
                 r['apiId'] = api_id
             resources.extend(resource)
-        if certificate:
-            certificate['apiId'] = api_id
-            certificates.append(certificate)
 
-    # cleanup existing properties
-    run_cleanup_job(
-        'aws_apigateway_details.json',
+    return stages, certificates, resources
+
+
+@timeit
+def load_rest_api_details(
+    neo4j_session: neo4j.Session, stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
+    aws_account_id: str, update_tag: int,
+) -> None:
+    """
+    Transform and load Stage, Client Certificate, and Resource data
+    """
+    stages, certificates, resources = transform_rest_api_details(stages_certificate_resources)
+
+    load(
         neo4j_session,
-        {'UPDATE_TAG': update_tag, 'AWS_ID': aws_account_id},
+        APIGatewayStageSchema(),
+        stages,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
     )
 
-    _load_apigateway_policies(neo4j_session, policies, update_tag)
-    _load_apigateway_stages(neo4j_session, stages, update_tag)
-    _load_apigateway_certificates(neo4j_session, certificates, update_tag)
-    _load_apigateway_resources(neo4j_session, resources, update_tag)
-    _set_default_values(neo4j_session, aws_account_id)
+    load(
+        neo4j_session,
+        APIGatewayClientCertificateSchema(),
+        certificates,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
+    )
+
+    load(
+        neo4j_session,
+        APIGatewayResourceSchema(),
+        resources,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
+    )
 
 
 @timeit
@@ -353,7 +282,27 @@ def parse_policy(api_id: str, policy: Policy) -> Optional[Dict[Any, Any]]:
 
 @timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_import_apigateway_cleanup.json', neo4j_session, common_job_parameters)
+    """
+    Delete out-of-date API Gateway resources and relationships.
+    Order matters - clean up certificates, stages, and resources before cleaning up the REST APIs they connect to.
+    """
+    logger.info("Running API Gateway cleanup job.")
+
+    # Clean up certificates first
+    cleanup_job = GraphJob.from_node_schema(APIGatewayClientCertificateSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Then stages
+    cleanup_job = GraphJob.from_node_schema(APIGatewayStageSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Then resources
+    cleanup_job = GraphJob.from_node_schema(APIGatewayResourceSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Finally REST APIs
+    cleanup_job = GraphJob.from_node_schema(APIGatewayRestAPISchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
 
 
 @timeit
@@ -362,9 +311,23 @@ def sync_apigateway_rest_apis(
     aws_update_tag: int,
 ) -> None:
     rest_apis = get_apigateway_rest_apis(boto3_session, region)
-    load_apigateway_rest_apis(neo4j_session, rest_apis, region, current_aws_account_id, aws_update_tag)
-
     stages_certificate_resources = get_rest_api_details(boto3_session, rest_apis, region)
+
+    # Extract policies and transform the data
+    policies = []
+    for api_id, _, _, _, policy in stages_certificate_resources:
+        parsed_policy = parse_policy(api_id, policy)
+        if parsed_policy is not None:
+            policies.append(parsed_policy)
+
+    transformed_apis = transform_apigateway_rest_apis(
+        rest_apis,
+        policies,
+        region,
+        current_aws_account_id,
+        aws_update_tag,
+    )
+    load_apigateway_rest_apis(neo4j_session, transformed_apis, region, current_aws_account_id, aws_update_tag)
     load_rest_api_details(neo4j_session, stages_certificate_resources, current_aws_account_id, aws_update_tag)
 
 

cartography/intel/aws/ec2/images.py

@@ -8,6 +8,7 @@ import neo4j
 from botocore.exceptions import ClientError
 
 from cartography.client.core.tx import load
+from cartography.client.core.tx import read_list_of_values_tx
 from cartography.graph.job import GraphJob
 from cartography.intel.aws.ec2.util import get_botocore_config
 from cartography.models.aws.ec2.images import EC2ImageSchema
@@ -20,22 +21,26 @@ logger = logging.getLogger(__name__)
 @timeit
 def get_images_in_use(neo4j_session: neo4j.Session, region: str, current_aws_account_id: str) -> List[str]:
     get_images_query = """
+    CALL {
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(i:EC2Instance)
-    WHERE i.region = $Region
-    RETURN DISTINCT(i.imageid) as image
-    UNION
+    WHERE i.region = $Region AND i.imageid IS NOT NULL
+    RETURN i.imageid AS image
+    UNION ALL
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(lc:LaunchConfiguration)
-    WHERE lc.region = $Region
-    RETURN DISTINCT(lc.image_id) as image
-    UNION
+    WHERE lc.region = $Region AND lc.image_id IS NOT NULL
+    RETURN lc.image_id AS image
+    UNION ALL
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(ltv:LaunchTemplateVersion)
-    WHERE ltv.region = $Region
-    RETURN DISTINCT(ltv.image_id) as image
+    WHERE ltv.region = $Region AND ltv.image_id IS NOT NULL
+    RETURN ltv.image_id AS image
+    }
+    RETURN DISTINCT image;
     """
-    results = neo4j_session.run(get_images_query, AWS_ACCOUNT_ID=current_aws_account_id, Region=region)
-    images = []
-    for r in results:
-        images.append(r['image'])
+    result = read_list_of_values_tx(
+        neo4j_session, get_images_query,
+        AWS_ACCOUNT_ID=current_aws_account_id, Region=region,
+    )
+    images = [str(image) for image in result]
     return images
 
 
@@ -44,22 +49,23 @@ def get_images_in_use(neo4j_session: neo4j.Session, region: str, current_aws_acc
 def get_images(boto3_session: boto3.session.Session, region: str, image_ids: List[str]) -> List[Dict]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     images = []
+    self_images = []
     try:
         self_images = client.describe_images(Owners=['self'])['Images']
-        images.extend(self_images)
-    except ClientError as e:
-        logger.warning(f"Failed retrieve images for region - {region}. Error - {e}")
-    try:
-        if image_ids:
-            image_ids = [image_id for image_id in image_ids if image_id is not None]
-            images_in_use = client.describe_images(ImageIds=image_ids)['Images']
-            # Ensure we're not adding duplicates
-            _ids = [image["ImageId"] for image in images]
-            for image in images_in_use:
-                if image["ImageId"] not in _ids:
-                    images.append(image)
     except ClientError as e:
-        logger.warning(f"Failed retrieve images for region - {region}. Error - {e}")
+        logger.warning(f"Failed retrieve self owned images for region - {region}. Error - {e}")
+    images.extend(self_images)
+    if image_ids:
+        self_image_ids = {image['ImageId'] for image in images}
+        # Go one by one to avoid losing all images if one fails
+        for image in image_ids:
+            if image in self_image_ids:
+                continue
+            try:
+                public_images = client.describe_images(ImageIds=[image])['Images']
+                images.extend(public_images)
+            except ClientError as e:
+                logger.warning(f"Failed retrieve image id {image} for region - {region}. Error - {e}")
     return images
 
 

cartography/intel/aws/ec2/launch_templates.py

@@ -3,7 +3,6 @@ from typing import Any
 
 import boto3
 import neo4j
-from botocore.exceptions import ClientError
 
 from .util import get_botocore_config
 from cartography.client.core.tx import load
@@ -21,27 +20,45 @@ logger = logging.getLogger(__name__)
 def get_launch_templates(
     boto3_session: boto3.session.Session,
     region: str,
-) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
+) -> list[dict[str, Any]]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     paginator = client.get_paginator('describe_launch_templates')
     templates: list[dict[str, Any]] = []
-    template_versions: list[dict[str, Any]] = []
     for page in paginator.paginate():
         paginated_templates = page['LaunchTemplates']
-        for template in paginated_templates:
-            template_id = template['LaunchTemplateId']
-            try:
-                versions = get_launch_template_versions_by_template(boto3_session, template_id, region)
-            except ClientError as e:
-                logger.warning(
-                    f"Failed to get launch template versions for {template_id}: {e}",
-                    exc_info=True,
-                )
-                versions = []
-            # Using a key not defined in latest boto3 documentation
-            template_versions.extend(versions)
         templates.extend(paginated_templates)
-    return templates, template_versions
+    return templates
+
+
+@timeit
+@aws_handle_regions
+def get_launch_template_versions(
+    boto3_session: boto3.session.Session,
+    region: str,
+    launch_templates: list[dict[str, Any]],
+) -> list[dict[str, Any]]:
+    template_versions: list[dict[str, Any]] = []
+    for template in launch_templates:
+        launch_template_id = template['LaunchTemplateId']
+        versions = get_launch_template_versions_by_template(boto3_session, launch_template_id, region)
+        template_versions.extend(versions)
+
+    return template_versions
+
+
+@timeit
+@aws_handle_regions
+def get_launch_template_versions_by_template(
+        boto3_session: boto3.session.Session,
+        launch_template_id: str,
+        region: str,
+) -> list[dict[str, Any]]:
+    client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
+    v_paginator = client.get_paginator('describe_launch_template_versions')
+    template_versions = []
+    for versions in v_paginator.paginate(LaunchTemplateId=launch_template_id):
+        template_versions.extend(versions['LaunchTemplateVersions'])
+    return template_versions
 
 
 def transform_launch_templates(templates: list[dict[str, Any]]) -> list[dict[str, Any]]:
@@ -71,21 +88,6 @@ def load_launch_templates(
     )
 
 
-@timeit
-@aws_handle_regions
-def get_launch_template_versions_by_template(
-        boto3_session: boto3.session.Session,
-        template: str,
-        region: str,
-) -> list[dict[str, Any]]:
-    client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
-    v_paginator = client.get_paginator('describe_launch_template_versions')
-    template_versions = []
-    for versions in v_paginator.paginate(LaunchTemplateId=template):
-        template_versions.extend(versions['LaunchTemplateVersions'])
-    return template_versions
-
-
 def transform_launch_template_versions(versions: list[dict[str, Any]]) -> list[dict[str, Any]]:
     result: list[dict[str, Any]] = []
     for version in versions:
@@ -153,7 +155,8 @@ def sync_ec2_launch_templates(
 ) -> None:
     for region in regions:
         logger.info(f"Syncing launch templates for region '{region}' in account '{current_aws_account_id}'.")
-        templates, versions = get_launch_templates(boto3_session, region)
+        templates = get_launch_templates(boto3_session, region)
+        versions = get_launch_template_versions(boto3_session, region, templates)
         templates = transform_launch_templates(templates)
         load_launch_templates(neo4j_session, templates, region, current_aws_account_id, update_tag)
         versions = transform_launch_template_versions(versions)

cartography/intel/aws/ecr.py

@@ -33,10 +33,21 @@ def get_ecr_repositories(boto3_session: boto3.session.Session, region: str) -> L
 def get_ecr_repository_images(boto3_session: boto3.session.Session, region: str, repository_name: str) -> List[Dict]:
     logger.debug("Getting ECR images in repository '%s' for region '%s'.", repository_name, region)
     client = boto3_session.client('ecr', region_name=region)
-    paginator = client.get_paginator('list_images')
+    list_paginator = client.get_paginator('list_images')
     ecr_repository_images: List[Dict] = []
-    for page in paginator.paginate(repositoryName=repository_name):
-        ecr_repository_images.extend(page['imageIds'])
+    for page in list_paginator.paginate(repositoryName=repository_name):
+        image_ids = page['imageIds']
+        if not image_ids:
+            continue
+        describe_paginator = client.get_paginator('describe_images')
+        describe_response = describe_paginator.paginate(repositoryName=repository_name, imageIds=image_ids)
+        for response in describe_response:
+            image_details = response['imageDetails']
+            image_details = [
+                {**detail, 'imageTag': detail['imageTags'][0]} if detail.get('imageTags') else detail
+                for detail in image_details
+            ]
+            ecr_repository_images.extend(image_details)
     return ecr_repository_images
 
 
@@ -103,7 +114,12 @@ def _load_ecr_repo_img_tx(
         ON CREATE SET ri.firstseen = timestamp()
         SET ri.lastupdated = $aws_update_tag,
             ri.tag = repo_img.imageTag,
-            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, '')
+            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, ''),
+            ri.image_size_bytes = repo_img.imageSizeInBytes,
+            ri.image_pushed_at = repo_img.imagePushedAt,
+            ri.image_manifest_media_type = repo_img.imageManifestMediaType,
+            ri.artifact_media_type = repo_img.artifactMediaType,
+            ri.last_recorded_pull_time = repo_img.lastRecordedPullTime
         WITH ri, repo_img
 
         MERGE (img:ECRImage{id: repo_img.imageDigest})