Metadata-Version: 2.1
Name: altimeter
Version: 6.4.22
Summary: Graph AWS resources in Neptune
Home-page: https://github.com/tableau/altimeter
Author: Tableau
License: UNKNOWN
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.8,<3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: MarkupSafe ==2.1.1
Requires-Dist: aws-requests-auth ==0.4.3
Requires-Dist: rdflib ==6.0.2
Requires-Dist: structlog ==20.2.0
Requires-Dist: boto3 ==1.28.80
Requires-Dist: jinja2 ==3.0.3
Requires-Dist: pydantic ==1.9.0
Requires-Dist: toml ==0.10.2
Requires-Dist: gremlinpython ==3.4.12
Requires-Dist: requests ==2.31.0
Requires-Dist: certifi ==2023.7.22
Requires-Dist: urllib3 ==1.26.18
Provides-Extra: qj
Requires-Dist: MarkupSafe ==2.1.1 ; extra == 'qj'
Requires-Dist: alembic ==1.4.2 ; extra == 'qj'
Requires-Dist: boto3 ==1.28.80 ; extra == 'qj'
Requires-Dist: fastapi ==0.96.0 ; extra == 'qj'
Requires-Dist: psycopg2-binary ==2.9.2 ; extra == 'qj'
Requires-Dist: sqlalchemy ==1.3.24 ; extra == 'qj'
Requires-Dist: tableauhyperapi ==0.0.18161 ; extra == 'qj'
Requires-Dist: tableauserverclient ==0.17.0 ; extra == 'qj'
Requires-Dist: uvicorn ==0.16.0 ; extra == 'qj'
Requires-Dist: urllib3 ==1.26.18 ; extra == 'qj'

# Altimeter

[![Community Supported](https://img.shields.io/badge/Support%20Level-Community%20Supported-457387.svg)](https://www.tableau.com/support-levels-it-and-developer-tools)
[![GitHub](https://img.shields.io/badge/license-MIT-brightgreen.svg)](https://raw.githubusercontent.com/Tableau/altimeter/master/LICENSE)

[![Python 3.8](https://img.shields.io/badge/python-3.8-blue.svg)](https://www.python.org/downloads/release/python-380/)

Altimeter is a system to graph and scan AWS resources across multiple
AWS Organizations and Accounts.

Altimeter generates RDF files which can be loaded into a triplestore
such as AWS Neptune for querying.

# Quickstart

## Installation

    pip install altimeter

## Configuration

Altimeter's behavior is driven by a toml configuration file.  A few sample
configuration files are included in the `conf/` directory:

* `current_single_account.toml` - scans the current account - this is the account
  for which the environment's currently configured AWS CLI credentials are.
* `current_master_multi_account.toml` - scans the current account and attempts to
  scan all organizational subaccounts - this configuration should be used if you
  are scanning  all accounts in an organization.  To do this the currently
  configured AWS CLI credentials should be pointing to an AWS Organizations
  master account.

To scan a subset of regions, set the region list parameter `regions` in the `scan`
section to a list of region names.

## Required IAM permissions

The following permissions are required for a scan of all supported resource types:

    acm:DescribeCertificate
    acm:ListCertificates
    cloudtrail:DescribeTrails
    dynamodb:DescribeContinuousBackups
    dynamodb:DescribeTable
    dynamodb:ListTables
    ec2:DescribeFlowLogs
    ec2:DescribeImages
    ec2:DescribeInstances
    ec2:DescribeInternetGateways
    ec2:DescribeNetworkInterfaces
    ec2:DescribeRegions
    ec2:DescribeRouteTables
    ec2:DescribeSecurityGroups
    ec2:DescribeSnapshots
    ec2:DescribeSubnets
    ec2:DescribeTransitGatways
    ec2:DescribeTransitGatwayAttachments
    ec2:DescribeVolumes
    ec2:DescribeVpcEndpoints
    ec2:DescribeVpcEndpointServiceConfigurations
    ec2:DescribeVpcPeeringConnections
    ec2:DescribeTransitGatewayVpcAttachments
    ec2:DescribeVpcs
    elasticloadbalancing:DescribeLoadBalancers
    elasticloadbalancing:DescribeLoadBalancerAttributes
    elasticloadbalancing:DescribeTargetGroups
    elasticloadbalancing:DescribeTargetGroupAttributes
    elasticloadbalancing:DescribeTargetHealth
    eks:ListClusters
    events:ListRules
    events:ListTargetsByRule
    events:DescribeEventBus
    guardduty:GetDetector
    guardduty:GetMasterAccount
    guardduty:ListDetectors
    guardduty:ListMembers
    iam:GetAccessKeyLastUsed
    iam:GetAccountPasswordPolicy
    iam:GetGroup
    iam:GetGroupPolicy
    iam:GetLoginProfile
    iam:GetOpenIDConnectProvider
    iam:GetPolicyVersion
    iam:GetRolePolicy
    iam:GetSAMLProvider
    iam:GetUserPolicy
    iam:ListAccessKeys
    iam:ListAttachedGroupPolicies
    iam:ListAttachedRolePolicies
    iam:ListAttachedUserPolicies
    iam:ListGroupPolicies
    iam:ListGroups
    iam:ListinstanceProfiles
    iam:ListMFADevices
    iam:ListOpenIDConnectProviders
    iam:ListPolicies
    iam:ListPolicies
    iam:ListRolePolicies
    iam:ListRoles
    iam:ListSAMLProviders
    iam:ListUserPolicies
    iam:ListUsers
    kms:ListKeys
    lambda:ListFunctions
    rds:DescribeDBInstances
    rds:DescribeDBInstanceAutomatedBackups
    rds:ListTagsForResource
    rds:DescribeDBSnapshots
    route53:ListHostedZones
    route53:ListResourceRecordSets
    s3:ListBuckets
    s3:GetBucketLocation
    s3:GetBucketEncryption
    s3:GetBucketTagging
    sts:GetCallerIdentity
    support:DescribeSeverityLevels

Additionally if you are doing multi-account scanning via an MPA master account you
will also need:

    organizations:DescribeOrganization
    organizations:ListAccounts
    organizations:ListAccountsForParent
    organizations:ListOrganizationalUnitsForParent
    organizations:ListRoots

## Generating the Graph

Assuming you have configured AWS CLI credentials
(see <https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html>),
run:

    altimeter <path-to-config>

This will scan all resources in regions specified in the config file.

The full path to the generated RDF file will printed, for example:

    Created /tmp/altimeter/20191018/1571425383/graph.rdf

This RDF file can then be loaded into a triplestore such as Neptune or
Blazegraph for querying.

For more user documentation see <https://tableau.github.io/altimeter/>


