Resources
Fix Security has a unified data model (UDM) with support for static typing and inheritance.
When working with multiple clouds, it can be tedious to what resource kinds and attributes are named. To implement org policies (such as "no unencrypted storage volumes" or "every compute instance must have a cost center tag"), you don't want to rewrite those checks for every cloud provider.
While Fix Security has knowledge of cloud-specific resource kinds like aws_ec2_volume and gcp_disk, both of those kinds inherit from the base volume kind, which in turn inherits from the resource base kind:
-
The
resourcekind defines basic attributes common to all resources (e.g., name, creation time, etc.). -
The
volumekind defines properties that are common to most storage volumes. -
The
aws_ec2_volumeandgcp_diskkinds define properties that are specific to AWS and Google Cloud, respectively.
The information whether a volume is encrypted or not comes from a boolean of the volume kind.
When searching for unencrypted volumes, search is(volume) and encrypted = false will find any unencrypted volume, no matter which cloud they were created in.
You can also perform searches using virtual attributes like age across all resources without having to worry about provider-specific naming of the creation timestamp.
At the same time, you can still search by cloud provider-specific properties (e.g., AWS KMS Key ID or Google Cloud "last attach" timestamp).
Supported resource types
Fix Security has built-in support for resource types from AWS and Google Cloud.
🗃️ AWS
43 items
🗃️ Azure
18 items
🗃️ Google Cloud
7 items
resource base kind
Every resource collected by Fix Security has the resource base kind, which defines properties common to all resources.
| Property | Description |
|---|---|
id | Resource identifier (does not need to be unique across all resources) |
name | Cloud-specific resource name |
kind | Resource kind in Fix Security Example AWS EC2 Volumes are of kind aws_ec2_volume. |
tags | Key-value string pairs held in a dictionary |
ctime | Resource creation time note Fix Security uses the time this resource was first discovered when the cloud provider does not provide this value. |
atime | Last accessed time as of the most recent resource collection note Fix Security attempts to synthesize the last access timestamp when the cloud provider does not provide this value. |
mtime | Last modified time as of the most recent resource collection note Fix Security attempts to synthesize the last modified timestamp when the cloud provider does not provide this value. |
Resource hierarchy
Fix Security's resource hierarchy abstracts over data models from different cloud providers to deliver a unified data model that allows for data retrieval across clouds.
Every resource in Fix Security has the resource base kind as its root.
Fix Security also introduces abstract model classes for different resource types, making it easy to query and reason about common data.
📄️ Base kinds
Fix Security's resource hierarchy abstracts over data models from different cloud providers to deliver a unified data model that allows for data retrieval across clouds.
Example
-
aws_ec2_volumeinherits from the basevolumekind, which itself inherits all properties fromresource.As such,
aws_ec2_volumehas all properties ofvolumeandresource, in addition to its own properties:
-
A Google Cloud Disk resource is conceptually similar to an AWS EC2 Volume and the two resource types have many properties in common.
Resource kinds
Complex and simple kinds
We have looked at complex kinds so far: a complex kind has a name and a set of properties.
Each property has a name and also a kind. The kind of such a property can be a complex or a simple kind.
There are several simple kinds that are available in Fix Security out of the box:
| Kind | JSON Type | Example |
|---|---|---|
string | string | "foo", "bla", "some long string" |
boolean | boolean | true, false |
null | null | null |
int32 | number | 1234, 4321, -123 |
int64 | number | 1234, 4321, -123 |
float | number | 12, 12.1234, -23.123 |
double | number | 12, 12.1234, -23.123 |
datetime | string | "2021-03-15T23:04:56Z", "2021-03-15", "-3d" |
date | string | "2021-03-15", "03/15/2021", "-3d" |
any | any of the above * | null, true, "test", 123, -12.43 |
* The special type any is only used in scenarios where the type is really not known and could be anything. Coercing is not possible for such a type.
Since Fix Security uses JSON in order to exchange data, all the different simple types have to be expressed as simple type.
Fix Security also introduces some additional simple types like datetime or date. The reason for this is the ability to coerce proper values from values given to Fix Security.
Example
Assume a user wants to query a resource by creation time.
According to the model, we would need to filter for the ctime property. Since Fix Security knows the type ctime (which is of kind datetime), it can interpret the value given by the user.
ctime < "2018-09-28"
ctime is of type datetime. datetime values in Fix Security are always stored as ISO-formatted datetime strings, so "2018-09-28" is coerced into a valid datetime. Depending on the server time, the value would be evaluated to something like:
ctime < "2021-09-28T22:00:00Z"
This also allows the usage of relative times. If we want to query resources that have been created in the last 3 days, we could express this with a relative datetime string:
ctime > "-3d"
This translates "-3d" using the current server time into a valid datetime string.