Skip to main content

Resource models

Fix Security has a unified data model (UDM) with support for static typing and inheritance.

When working with multiple clouds, it can be tedious to what resource kinds and attributes are named. To implement org policies (such as "no unencrypted storage volumes" or "every compute instance must have a cost center tag"), you don't want to rewrite those checks for every cloud provider.

While Fix Security has knowledge of cloud-specific resource kinds like aws_ec2_volume and gcp_disk, both of those kinds inherit from the base volume kind, which in turn inherits from the resource base kind:

  • The resource kind defines basic attributes common to all resources (e.g., name, creation time, etc.).

  • The volume kind defines properties that are common to most storage volumes.

  • The aws_ec2_volume and gcp_disk kinds define properties that are specific to AWS and Google Cloud, respectively.

The information whether a volume is encrypted or not comes from a boolean of the volume kind.

When searching for unencrypted volumes, search is(volume) and encrypted = false will find any unencrypted volume, no matter which cloud they were created in.

You can also perform searches using virtual attributes like age across all resources without having to worry about provider-specific naming of the creation timestamp.

At the same time, you can still search by cloud provider-specific properties (e.g., AWS KMS Key ID or Google Cloud "last attach" timestamp).

Supported resource types

Fix Security has built-in support for resource types from AWS and Google Cloud.

resource base kind

Every resource collected by Fix Security has the resource base kind, which defines properties common to all resources.

Base resource data model

idResource identifier (does not need to be unique across all resources)
nameCloud-specific resource name
kindResource kind in Fix Security

tagsKey-value string pairs held in a dictionary
ctimeResource creation time

Fix Security uses the time this resource was first discovered when the cloud provider does not provide this value.
atimeLast accessed time as of the most recent resource collection

Fix Security attempts to synthesize the last access timestamp when the cloud provider does not provide this value.
mtimeLast modified time as of the most recent resource collection

Fix Security attempts to synthesize the last modified timestamp when the cloud provider does not provide this value.

Resource hierarchy

Fix Security's resource hierarchy abstracts over data models from different cloud providers to deliver a unified data model that allows for data retrieval across clouds.

Every resource in Fix Security has the resource base kind as its root.

Fix Security also introduces abstract model classes for different resource types, making it easy to query and reason about common data.


Example Resource Model

Resource kinds

Complex and simple kinds

We have looked at complex kinds so far: a complex kind has a name and a set of properties.

Each property has a name and also a kind. The kind of such a property can be a complex or a simple kind.

There are several simple kinds that are available in Fix Security out of the box:

KindJSON TypeExample
stringstring"foo", "bla", "some long string"
booleanbooleantrue, false
int32number1234, 4321, -123
int64number1234, 4321, -123
floatnumber12, 12.1234, -23.123
doublenumber12, 12.1234, -23.123
datetimestring"2021-03-15T23:04:56Z", "2021-03-15", "-3d"
datestring"2021-03-15", "03/15/2021", "-3d"
anyany of the above *null, true, "test", 123, -12.43

* The special type any is only used in scenarios where the type is really not known and could be anything. Coercing is not possible for such a type.

Since Fix Security uses JSON in order to exchange data, all the different simple types have to be expressed as simple type.

Fix Security also introduces some additional simple types like datetime or date. The reason for this is the ability to coerce proper values from values given to Fix Security.


Assume a user wants to query a resource by creation time.

According to the model, we would need to filter for the ctime property. Since Fix Security knows the type ctime (which is of kind datetime), it can interpret the value given by the user.

ctime < "2018-09-28"

ctime is of type datetime. datetime values in Fix Security are always stored as ISO-formatted datetime strings, so "2018-09-28" is coerced into a valid datetime. Depending on the server time, the value would be evaluated to something like:

ctime < "2021-09-28T22:00:00Z"

This also allows the usage of relative times. If we want to query resources that have been created in the last 3 days, we could express this with a relative datetime string:

ctime > "-3d"

This translates "-3d" using the current server time into a valid datetime string.