on 03/25/2024 10:58 AM
This article describes the out-of-the-box AWS attribute mapping.
AWS User Accounts mapping
Following are the AWS IAM user attributes/metadata stored in the ACCOUNTS table of the SSM DB. (These are the attributes that you see when you open an account in the SSM UI.)
| AWS IAM Metadata | ACCOUNTS table column |
|---|---|
| userName | name |
| userId | accountid |
| arn | customProperty4 |
| passwordLastUsed | lastlogondate |
| createDate | created_on |
| isMFADevice | customproperty5 |
| Last Update Date | customproperty6 |
| Has Login Profile? | customproperty15 |
The following AWS IAM user metadata is stored in the ACCOUNT_ATTRIBUTES table as name/value pairs.
| AWS IAM Metadata | ACCOUNTS_ATTRIBUTES table |
|---|---|
| accessKeyMetadata | ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
| mfaDeviceInfo | ATTRIBUTE_NAME/ATTRIBUTE_VALUE |
The following AWS IAM user metadata (taken from the AWS IAM credential report) is stored in the AWS_CREDREPORT table.
| AWS IAM Metadata | AWS_CREDREPORT table column |
|---|---|
| userName | User |
| Console Password Enabled | password_enabled |
| arn | arn |
| passwordLastUsed | passwordLastUsed |
| password_last_changed | password_last_changed |
| password_next_rotation | password_next_rotation |
| mfa_active | mfa_active |
| access_key_1_active | access_key_1_active |
| access_key_1_last_rotated | access_key_1_last_rotated |
| access_key_1_last_used_date | access_key_1_last_used_date |
| access_key_1_last_used_region | access_key_1_last_used_region |
| access_key_1_last_used_service | access_key_1_last_used_service |
| access_key_2_active | access_key_2_active |
| access_key_2_last_rotated | access_key_2_last_rotated |
| access_key_2_last_used_date | access_key_2_last_used_date |
| access_key_2_last_used_region | access_key_2_last_used_region |
| access_key_2_last_used_service | access_key_2_last_used_service |
| cert_1_active | cert_1_active |
| cert_2_active | cert_2_active |
Following are the AWS root account attributes/metadata stored in the ACCOUNTS table of the SSM DB. (These are the attributes that you see when you open an account in the SSM UI.)
| AWS IAM Metadata | ACCOUNTS table column |
|---|---|
| userName | name |
| Users | customProperty1 |
| GroupPolicySizeQuota | customProperty2 |
| PolicyVersionsInUseQuota | customProperty3 |
| ServerCertificatesQuota | customProperty5 |
| isMFADevice | customProperty5 |
| AccountSigningCertificatesPresent | customProperty6 |
| AccountAccessKeysPresent | customProperty7 |
| Groups | customProperty8 |
| UsersQuota | customProperty9 |
| RolePolicySizeQuota | customProperty10 |
| GroupsPerUserQuota | customProperty11 |
| UserPolicySizeQuota | customProperty12 |
| AssumeRolePolicySizeQuota | customProperty13 |
| AttachedPoliciesPerGroupQuota | customProperty14 |
| Roles | customProperty15 |
| VersionsPerPolicyQuota | customProperty16 |
| GroupsQuota | customProperty17 |
| PolicySizeQuota | customProperty18 |
| Policies | customProperty19 |
| RolesQuota | customProperty20 |
| AttachedPoliciesPerRoleQuota | customProperty21 |
| ServerCertificates | customProperty22 |
| MFADevicesInUse | customProperty23 |
| PoliciesQuota | customProperty24 |
| AccountMFAEnabled | customProperty25 |
| Providers | customProperty26 |
| InstanceProfilesQuota | customProperty27 |
| MFADevices | customProperty28 |
| AccessKeysPerUserQuota | customProperty29 |
| AttachedPoliciesPerUserQuota | customProperty30 |
The name of the root account in SSM is stored in the format `AWSAccount-<AWS Account Id>`, for example `AWSAccount-661222050851` or `AWSAccount-53381135121`.
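As an added example (not part of the Saviynt documentation), the following SQL uses the mapped columns above for a few routine access-review checks against the SSM DB. It assumes a MySQL-compatible database, that AWS_CREDREPORT keeps the credential report's raw string values ('true'/'false', ISO-8601 dates, 'N/A' when unset), that AWS_CREDREPORT.User equals ACCOUNTS.name for IAM users, and that the root account's customproperty25 holds 'true'/'false'; none of these are stated on the page.

```sql
-- Added example, not Saviynt's own code. Assumptions (not stated on the page):
-- MySQL-compatible SSM DB; AWS_CREDREPORT holds the credential report's raw
-- strings ('true'/'false', dates as ISO-8601 text, 'N/A' when unset);
-- AWS_CREDREPORT.User equals ACCOUNTS.name for IAM users;
-- root ACCOUNTS.customproperty25 (AccountMFAEnabled) is 'true'/'false'.

-- 1. IAM users with a console password but no active MFA device.
SELECT c.User AS iam_user,
       c.arn,
       c.password_last_changed,
       a.lastlogondate
FROM   AWS_CREDREPORT c
JOIN   ACCOUNTS a ON a.name = c.User
WHERE  c.password_enabled = 'true'
AND    c.mfa_active = 'false';

-- 2. Active access keys not rotated in the last 90 days, both key slots.
--    LEFT(..., 10) keeps the date part of the ISO-8601 timestamp; for 'N/A'
--    STR_TO_DATE returns NULL, so such rows drop out of the comparison.
SELECT c.User AS iam_user, 1 AS key_slot,
       c.access_key_1_last_rotated AS last_rotated,
       c.access_key_1_last_used_date AS last_used,
       c.access_key_1_last_used_service AS last_service
FROM   AWS_CREDREPORT c
WHERE  c.access_key_1_active = 'true'
AND    STR_TO_DATE(LEFT(c.access_key_1_last_rotated, 10), '%Y-%m-%d')
       < DATE_SUB(CURDATE(), INTERVAL 90 DAY)
UNION ALL
SELECT c.User, 2,
       c.access_key_2_last_rotated,
       c.access_key_2_last_used_date,
       c.access_key_2_last_used_service
FROM   AWS_CREDREPORT c
WHERE  c.access_key_2_active = 'true'
AND    STR_TO_DATE(LEFT(c.access_key_2_last_rotated, 10), '%Y-%m-%d')
       < DATE_SUB(CURDATE(), INTERVAL 90 DAY);

-- 3. Root accounts (name format AWSAccount-<AWS Account Id>) without MFA,
--    using the root-account mapping customproperty25 = AccountMFAEnabled
--    and customproperty7 = AccountAccessKeysPresent.
SELECT a.name AS root_account,
       a.customproperty25 AS account_mfa_enabled,
       a.customproperty7 AS access_keys_present
FROM   ACCOUNTS a
WHERE  a.name LIKE 'AWSAccount-%'
AND    a.customproperty25 <> 'true';
```

Query 1 can also be cross-checked against ACCOUNTS.customproperty15 (Has Login Profile?) and customproperty5 (isMFADevice) from the user mapping, since both sources describe the same IAM user.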
The following settings apply to the whole AWS account, such as the Password Policy and the account-level S3 Block Public Access settings.
Following are the attributes stored for the Password Policy in the ENTITLEMENT_VALUE table.
For this, the Entitlement Type is ‘PasswordPolicy’ and the entitlement value is ‘PasswordPolicy_<AWS Account ID>’, for example `PasswordPolicy_661222050851`.
| Password Policy Metadata | ENTITLEMENT_VALUE table column |
|---|---|
| minimumPasswordLength | customproperty1 |
| requireSymbols | customproperty2 |
| requireNumbers | customproperty3 |
| requireUppercaseCharacters | customproperty4 |
| requireLowercaseCharacters | customproperty5 |
| isMFADevice | customproperty5 |
| allowUsersToChangePassword | customproperty6 |
| expirePasswords | customproperty7 |
| hardExpiry | customproperty8 |
Following are the attributes stored for the account-level S3 Block Public Access settings in the ENTITLEMENT_VALUE table.
For this, the Entitlement Type is ‘AWSAccountSettings’ and the entitlement value is ‘S3AccountLevelSettings’.
| S3 Block Public Access setting | ENTITLEMENT_VALUE table column |
|---|---|
| BlockPublicAcls | customproperty1 |
| IgnorePublicAcls | customproperty2 |
| BlockPublicPolicy | customproperty3 |
| RestrictPublicBuckets | customproperty4 |