With cross-account STS-based authentication backed by SAML, this WoT failed to execute as the two ARNs would never match. (The principal and the provider are not in the same account, by design.)
Here, we replicate the same behavior as before, but also add a fallback model of ensuring we actually trust the origin and target accounts. This allows WoT to graph the unidirectional trust for further inspection.
Additionally, web/style.json now includes labels to better understand what the colors mean at a glance. While this data is also available here, it's easier to share the WoT graph with all data present.
Lastly, ensured that any Elasticsearch instance without an attached AccessPolicy be marked as ES_PUBLIC due to undocumented and unexpected behavior. Normally, AWS does not allow you to create a policy-less ES cluster, but there appears to be a way to create this state using the Terraform provider.
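As an added illustration of the two checks described above (this is example code I wrote for this write-up, not the project's own implementation), the block below walks an IAM role trust policy, keeps the original same-account ARN match, falls back to an explicit trusted-account set for cross-account SAML principals so the unidirectional edge can still be graphed, and marks an Elasticsearch domain `ES_PUBLIC` when no access policy is attached. The trust-policy and domain dicts, the account IDs, the `Okta` provider name and the labels other than `ES_PUBLIC` are constructed for the example and are assumptions, not values taken from the PR.

```python
"""Added example, not the project's code: classify IAM role trust statements
for cross-account SAML/STS federation and flag policy-less ES domains.

Assumptions (constructed for this example): trust policies are dicts in IAM's
JSON shape, ES domains are dicts keyed like DescribeElasticsearchDomain output,
and the caller supplies the set of accounts it trusts.  Only ES_PUBLIC is a
label from the PR; the others are illustrative.
"""
import json
from typing import List, Optional, Set, Tuple


def account_from_arn(arn: str) -> Optional[str]:
    """Return the account-id field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return None
    return parts[4] or None


def _principal_arns(statement: dict) -> List[str]:
    """Collect AWS and Federated principal ARNs; a bare "*" principal stays "*"."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    arns: List[str] = []
    for key in ("AWS", "Federated"):
        value = principal.get(key)
        if isinstance(value, str):
            value = [value]
        arns.extend(value or [])
    return arns


def classify_trust(role_arn: str, trust_policy: dict,
                   trusted_accounts: Set[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """One (label, origin_account, target_account) edge per allowed AssumeRole* principal.

    Same-account principals keep the plain ARN-account match; cross-account
    principals fall back to requiring BOTH ends to be in trusted_accounts.
    """
    target = account_from_arn(role_arn)
    edges = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
            continue
        for principal in _principal_arns(stmt):
            origin = account_from_arn(principal)
            if principal == "*" or origin is None:
                edges.append(("untrusted", None, target))      # anonymous / unparsable
            elif origin == target:
                edges.append(("same_account", origin, target))  # original behaviour
            elif origin in trusted_accounts and target in trusted_accounts:
                edges.append(("cross_account_trusted", origin, target))  # fallback
            else:
                edges.append(("untrusted", origin, target))
    return edges


def es_exposure(domain: dict) -> str:
    """ES_PUBLIC when no AccessPolicies is attached (the Terraform-created state)
    or when an unconditioned Allow grants access to "*"; otherwise ES_RESTRICTED."""
    policy = domain.get("AccessPolicies")
    if not policy:  # None or "" -> no policy attached at all
        return "ES_PUBLIC"
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _principal_arns(stmt) \
                and not stmt.get("Condition"):
            return "ES_PUBLIC"
    return "ES_RESTRICTED"


# Constructed sample data: a SAML provider in account 1111... trusted by a role in 2222...
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
ROLE_ARN = "arn:aws:iam::222222222222:role/Analyst"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}
POLICYLESS_DOMAIN = {"DomainName": "logs", "AccessPolicies": ""}

if __name__ == "__main__":
    print(classify_trust(ROLE_ARN, TRUST_POLICY, TRUSTED_ACCOUNTS))
    print(es_exposure(POLICYLESS_DOMAIN))
```

The edge tuples are what a graph layer would consume: the origin account points at the target role's account, so a cross-account SAML trust shows up as a one-way arrow rather than being dropped because the two ARNs differ.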