AWS Discovery

Discover AWS resources including EC2, VPC, RDS, S3, IAM, ELB, Lambda, and Route 53 using least-privilege IAM policies.

Overview

The AWS plugin discovers resources across EC2, VPC, RDS, S3, IAM, ELB, Lambda, EKS, DynamoDB, ElastiCache, SQS, SNS, CloudFront, API Gateway, Kinesis, Route 53, and KMS. It uses the AWS SDK and its default credential chain, so credentials can come from environment variables, a named profile in the shared config/credentials files, an instance profile, or an assumed role (see role_arn below).

Configuration

discovery:
  plugins:
    - name: "aws"
      enabled: true
      config:
        region: "us-east-1"
        profile: "default"
        # Optional: assume a cross-account role
        # role_arn: "arn:aws:iam::123456789012:role/KnowledgeTreeDiscovery"

IAM Policy

The plugin only needs read access. Start from the policy below: every action is a Describe, List or Get call (apigateway:GET is the action name for read calls on that API) and none of them can modify a resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "elasticloadbalancing:Describe*",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "iam:ListRoles",
        "iam:ListPolicies",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "elasticache:Describe*",
        "sqs:ListQueues",
        "sns:ListTopics",
        "cloudfront:ListDistributions",
        "apigateway:GET",
        "kinesis:ListStreams",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "kms:ListKeys",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Least Privilege

Do not simply replace "*" with specific ARNs for the whole statement. Many of the enumeration calls above (ec2:Describe*, s3:ListAllMyBuckets, lambda:ListFunctions, iam:ListRoles, iam:ListPolicies, eks:ListClusters, dynamodb:ListTables, kms:ListKeys and the other List* actions) do not support resource-level permissions, so scoping them to an ARN denies the call instead of narrowing it. Keep "*" for those and tighten where the API allows it: the per-resource calls (lambda:GetFunction, eks:DescribeCluster, dynamodb:DescribeTable, kms:DescribeKey, route53:ListResourceRecordSets, s3:GetBucketLocation) accept resource ARNs, and regional calls can be fenced with an aws:RequestedRegion condition listing only the regions you discover. Leave global services (IAM, Route 53, CloudFront, S3 bucket listing) out of that region condition, because their requests are signed for us-east-1 and would otherwise be denied. Note that lambda:GetFunction also returns a pre-signed URL for downloading the deployment package, so treat the discovery principal as having read access to function code. Run the plugin under an instance profile or an assumed role rather than long-lived access keys, and require an external ID on the trust policy of any cross-account role.
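As an added example (not code from the plugin or this page), the following Python script takes the policy above and rewrites it into three statements: regional enumeration calls kept on Resource "*" but fenced with aws:RequestedRegion, global-service calls kept on "*" without a region condition, and the per-resource calls moved to a statement whose Resource can be narrowed to ARNs. It also refuses any policy that contains a non read-only action. Which actions accept resource ARNs and which services are global is an assumption taken from the AWS Service Authorization Reference and should be checked against the current reference; the account ID and ARN patterns in the usage section are placeholders.

```python
import json
import re

# Policy from this page, copied verbatim as the input to rewrite.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets",
            "s3:GetBucketLocation", "lambda:ListFunctions", "lambda:GetFunction",
            "elasticloadbalancing:Describe*", "eks:ListClusters", "eks:DescribeCluster",
            "iam:ListRoles", "iam:ListPolicies", "dynamodb:ListTables",
            "dynamodb:DescribeTable", "elasticache:Describe*", "sqs:ListQueues",
            "sns:ListTopics", "cloudfront:ListDistributions", "apigateway:GET",
            "kinesis:ListStreams", "route53:ListHostedZones",
            "route53:ListResourceRecordSets", "kms:ListKeys", "kms:DescribeKey",
        ],
        "Resource": "*",
    }],
}

# Actions from the page's policy whose API supports resource-level permissions.
# Assumption: taken from the AWS Service Authorization Reference; re-check before use.
RESOURCE_SCOPABLE = {
    "lambda:GetFunction",              # function ARN
    "eks:DescribeCluster",             # cluster ARN
    "dynamodb:DescribeTable",          # table ARN
    "kms:DescribeKey",                 # key ARN
    "route53:ListResourceRecordSets",  # hosted zone ARN
    "s3:GetBucketLocation",            # bucket ARN
}

# Services with global endpoints: aws:RequestedRegion is us-east-1 for them,
# so they must not be fenced to the discovery regions (assumption as above).
GLOBAL_SERVICES = {"iam", "route53", "cloudfront", "s3"}

# Read-only action names; API Gateway uses the HTTP verb as its action name.
READ_ONLY = re.compile(r"^(Describe|List|Get)[A-Za-z*]*$|^GET$")


def _actions(policy):
    """Flatten all Allow statements into one list of actions."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            raise ValueError("only Allow statements are expected in a discovery policy")
        acts = stmt["Action"]
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def non_readonly_actions(policy):
    """Return every action that is not a Describe*/List*/Get*/GET call."""
    return [a for a in _actions(policy) if not READ_ONLY.match(a.partition(":")[2])]


def build_scoped_policy(policy, regions, scoped_resources):
    """Split a single wildcard statement into regional, global and ARN-scoped parts.

    regions: discovery regions, e.g. ["us-east-1", "eu-west-1"].
    scoped_resources: ARNs or ARN patterns for the resource-scopable actions.
    """
    bad = non_readonly_actions(policy)
    if bad:
        raise ValueError(f"non read-only actions in discovery policy: {bad}")
    actions = _actions(policy)
    service = lambda a: a.partition(":")[0]
    scoped = sorted(a for a in actions if a in RESOURCE_SCOPABLE)
    wildcard = [a for a in actions if a not in RESOURCE_SCOPABLE]
    global_acts = sorted(a for a in wildcard if service(a) in GLOBAL_SERVICES)
    regional = sorted(a for a in wildcard if service(a) not in GLOBAL_SERVICES)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RegionalDiscovery", "Effect": "Allow", "Action": regional,
             "Resource": "*",
             "Condition": {"StringEquals": {"aws:RequestedRegion": list(regions)}}},
            {"Sid": "GlobalDiscovery", "Effect": "Allow", "Action": global_acts,
             "Resource": "*"},
            {"Sid": "ScopedDescribe", "Effect": "Allow", "Action": scoped,
             "Resource": list(scoped_resources)},
        ],
    }


if __name__ == "__main__":
    # Placeholder account and ARN patterns; replace with the real discovery targets.
    tightened = build_scoped_policy(PAGE_POLICY, ["us-east-1", "eu-west-1"], [
        "arn:aws:lambda:*:123456789012:function:*",
        "arn:aws:eks:*:123456789012:cluster/*",
        "arn:aws:dynamodb:*:123456789012:table/*",
        "arn:aws:kms:*:123456789012:key/*",
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:s3:::*",
    ])
    print(json.dumps(tightened, indent=2))
```

The split is deliberately conservative: anything not known to accept an ARN stays on "*", so discovery keeps working, and the region condition is the control that limits where the principal can enumerate. Paste the printed document into the role's inline policy and run one discovery pass to confirm nothing is denied before removing the original wildcard policy.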

Discovered Resource Types

Category    Types
Compute     aws.ec2.instance, aws.lambda.function, aws.eks.cluster
Networking  aws.vpc, aws.subnet, aws.elb.load_balancer, aws.nat_gateway, aws.internet_gateway
Storage     aws.s3.bucket, aws.ec2.volume
Database    aws.rds.instance, aws.rds.cluster, aws.dynamodb.table, aws.elasticache.cluster
Messaging   aws.sqs.queue, aws.sns.topic, aws.kinesis.stream
Security    aws.iam.role, aws.iam.policy, aws.kms.key
DNS         aws.route53.hosted_zone, aws.route53.record_set

Multi-Region

To discover multiple regions, create a separate scope for each region; each scope runs the plugin with its own region setting:

# Scope for us-east-1
curl -X POST .../discovery/scopes -d '{
  "name": "aws-us-east-1",
  "plugin": "aws",
  "config": {"region": "us-east-1"}
}'

# Scope for eu-west-1
curl -X POST .../discovery/scopes -d '{
  "name": "aws-eu-west-1",
  "plugin": "aws",
  "config": {"region": "eu-west-1"}
}'