Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

aws-allowlister

Continuous Integration Tests

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.

However, before aws-allowlister, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister, the approach for creating an AllowList was:

  1. Create a spreadsheet πŸ™„ based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names"
  2. Create an AllowList.json by hand, based on that spreadsheet
  3. Roll it out to Dev/Stage/Production
  4. Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨ tribal knowledge ✨ and any updates occur by pinging this person over Slack.

aws-allowlister takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

aws-allowlister generate --pci

The policies generated by aws-allowlister are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation.

Support statuses

aws-allowlister currently supports:

Compliance Framework Support Status
PCI βœ…
SOC 1, 2, and 3 βœ…
ISO/IEC βœ…
HIPAA BAA βœ…
FedRAMP Moderate βœ…
FedRAMP High βœ…
DOD CC SRG (USA πŸ‡ΊπŸ‡Έ ) βœ…
HITRUST ⏱ Coming soon
IRAP (Australia πŸ‡¦πŸ‡Ί ) ⏱ Coming soon
C5 (Germany πŸ‡©πŸ‡ͺ ) ⏱ Coming soon
K-ISMS (Japan πŸ‡―πŸ‡΅ ) ⏱ Coming soon
ENS High (Spain πŸ‡ͺπŸ‡Έ ) ⏱ Coming soon

Forcibly include/exclude services

In addition to creating compliance-focused SCPs, aws-allowlister supports the ability to include or exclude services (IAM permissions) of your choice using the --include or --exclude flags. For more details related to policy customization, view the Arguments section.

Installation

  • Python Pip:
pip3 install aws-allowlister
  • Homebrew:
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister

Usage

  • Generate an AllowList Policy using this command:
aws-allowlister generate

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

Example AllowList Policy
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}
  • You can also specify the --table option to output the results in a Markdown Table format, as shown below:
aws-allowlister generate --pci --table

The results will look like this:

Example AllowList Policy
| Service Prefix          | Service Name                                    |
|-------------------------|-------------------------------------------------|
| account                 | AWS Accounts                                    |
| acm                     | AWS Certificate Manager                         |
| amplify                 | AWS Amplify                                     |
| amplifybackend          | AWS Amplify Admin                               |
| apigateway              | Manage Amazon API Gateway                       |
| application-autoscaling | Application Auto Scaling                        |
| appmesh                 | AWS App Mesh                                    |
| appstream               | Amazon AppStream 2.0                            |
| appsync                 | AWS AppSync                                     |
| athena                  | Amazon Athena                                   |
| autoscaling             | Amazon EC2 Auto Scaling                         |
| autoscaling-plans       | AWS Auto Scaling                                |
| aws-portal              | AWS Billing                                     |
| backup                  | AWS Backup                                      |
| batch                   | AWS Batch                                       |
| cassandra               | AWS Managed Apache Cassandra Service            |
| chatbot                 | AWS Chatbot                                     |
| clouddirectory          | Amazon Cloud Directory                          |
| cloudformation          | AWS CloudFormation                              |
| cloudfront              | Amazon CloudFront                               |
| cloudhsm                | AWS CloudHSM                                    |
| cloudtrail              | AWS CloudTrail                                  |
| cloudwatch              | Amazon CloudWatch                               |
| codebuild               | AWS CodeBuild                                   |
| codecommit              | AWS CodeCommit                                  |
| codedeploy              | AWS CodeDeploy                                  |
| codepipeline            | AWS CodePipeline                                |
| cognito-identity        | Amazon Cognito Identity                         |
| cognito-idp             | Amazon Cognito User Pools                       |
| cognito-sync            | Amazon Cognito Sync                             |
| comprehend              | Amazon Comprehend                               |
| comprehendmedical       | Comprehend Medical                              |
| config                  | AWS Config                                      |
| connect                 | Amazon Connect                                  |
| databrew                | AWS Glue DataBrew                               |
| dataexchange            | AWS Data Exchange                               |
| datasync                | DataSync                                        |
| directconnect           | AWS Direct Connect                              |
| dms                     | AWS Database Migration Service                  |
| ds                      | AWS Directory Service                           |
| dynamodb                | Amazon DynamoDB                                 |
| ebs                     | Amazon Elastic Block Store                      |
| ec2                     | Amazon EC2                                      |
| ec2messages             | Amazon Message Delivery Service                 |
| ecr                     | Amazon Elastic Container Registry               |
| ecs                     | Amazon Elastic Container Service                |
| eks                     | Amazon Elastic Container Service for Kubernetes |
| elasticache             | Amazon ElastiCache                              |
| elasticbeanstalk        | AWS Elastic Beanstalk                           |
| elasticfilesystem       | Amazon Elastic File System                      |
| elasticloadbalancing    | Elastic Load Balancing V2                       |
| elasticmapreduce        | Amazon Elastic MapReduce                        |
| es                      | Amazon Elasticsearch Service                    |
| events                  | Amazon EventBridge                              |
| execute-api             | Amazon API Gateway                              |
| firehose                | Amazon Kinesis Firehose                         |
| fms                     | AWS Firewall Manager                            |
| forecast                | Amazon Forecast                                 |
| freertos                | Amazon FreeRTOS                                 |
| fsx                     | Amazon FSx                                      |
| glacier                 | Amazon Glacier                                  |
| globalaccelerator       | AWS Global Accelerator                          |
| glue                    | AWS Glue                                        |
| greengrass              | AWS IoT Greengrass                              |
| groundstation           | AWS Ground Station                              |
| guardduty               | Amazon GuardDuty                                |
| health                  | AWS Health APIs and Notifications               |
| iam                     | Identity And Access Management                  |
| importexport            | AWS Import Export Disk Service                  |
| inspector               | Amazon Inspector                                |
| iot                     | AWS IoT                                         |
| iot-device-tester       | AWS IoT Device Tester                           |
| iotdeviceadvisor        | AWS IoT Core Device Advisor                     |
| iotevents               | AWS IoT Events                                  |
| iotwireless             | AWS IoT Core for LoRaWAN                        |
| kendra                  | Amazon Kendra                                   |
| kinesis                 | Amazon Kinesis                                  |
| kinesisanalytics        | Amazon Kinesis Analytics V2                     |
| kinesisvideo            | Amazon Kinesis Video Streams                    |
| kms                     | AWS Key Management Service                      |
| lakeformation           | AWS Lake Formation                              |
| lambda                  | AWS Lambda                                      |
| lex                     | Amazon Lex                                      |
| license-manager         | AWS License Manager                             |
| logs                    | Amazon CloudWatch Logs                          |
| macie                   | Amazon Macie Classic                            |
| macie2                  | Amazon Macie                                    |
| mediaconnect            | AWS Elemental MediaConnect                      |
| mediaconvert            | AWS Elemental MediaConvert                      |
| medialive               | AWS Elemental MediaLive                         |
| mobiletargeting         | Amazon Pinpoint                                 |
| mq                      | Amazon MQ                                       |
| neptune-db              | Amazon Neptune                                  |
| opsworks                | AWS OpsWorks                                    |
| opsworks-cm             | AWS OpsWorks Configuration Management           |
| organizations           | AWS Organizations                               |
| outposts                | AWS Outposts                                    |
| personalize             | Amazon Personalize                              |
| polly                   | Amazon Polly                                    |
| qldb                    | Amazon QLDB                                     |
| quicksight              | Amazon QuickSight                               |
| rds                     | Amazon RDS                                      |
| rds-data                | Amazon RDS Data API                             |
| rds-db                  | Amazon RDS IAM Authentication                   |
| redshift                | Amazon Redshift                                 |
| rekognition             | Amazon Rekognition                              |
| resource-groups         | AWS Resource Groups                             |
| robomaker               | AWS RoboMaker                                   |
| route53                 | Amazon Route 53                                 |
| route53domains          | Amazon Route53 Domains                          |
| s3                      | Amazon S3                                       |
| sagemaker               | Amazon SageMaker                                |
| sdb                     | Amazon SimpleDB                                 |
| secretsmanager          | AWS Secrets Manager                             |
| securityhub             | AWS Security Hub                                |
| serverlessrepo          | AWS Serverless Application Repository           |
| servicecatalog          | AWS Service Catalog                             |
| servicediscovery        | AWS Cloud Map                                   |
| shield                  | AWS Shield                                      |
| sms                     | AWS Server Migration Service                    |
| sms-voice               | Amazon Pinpoint SMS and Voice Service           |
| snowball                | AWS Snowball                                    |
| sns                     | Amazon SNS                                      |
| sqs                     | Amazon SQS                                      |
| ssm                     | AWS Systems Manager                             |
| ssmmessages             | Amazon Session Manager Message Gateway Service  |
| states                  | AWS Step Functions                              |
| storagegateway          | Amazon Storage Gateway                          |
| sts                     | AWS Security Token Service                      |
| support                 | AWS Support                                     |
| swf                     | Amazon Simple Workflow Service                  |
| textract                | Amazon Textract                                 |
| timestream              | AWS Timestream                                  |
| transcribe              | Amazon Transcribe                               |
| transfer                | AWS Transfer for SFTP                           |
| translate               | Amazon Translate                                |
| trustedadvisor          | AWS Trusted Advisor                             |
| waf                     | AWS WAF                                         |
| waf-regional            | AWS WAF Regional                                |
| wafv2                   | AWS WAF V2                                      |
| workdocs                | Amazon WorkDocs                                 |
| worklink                | Amazon WorkLink                                 |
| workspaces              | Amazon WorkSpaces                               |
| xray                    | AWS X-Ray                                       |

Arguments

aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

Usage: aws-allowlister generate [OPTIONS]

Options:
  -a, --all                SOC, PCI, ISO, HIPAA, FedRAMP_High, and
                           FedRAMP_Moderate.

  -s, --soc                Include SOC-compliant services
  -p, --pci                Include PCI-compliant services
  -h, --hipaa              Include HIPAA-compliant services
  -i, --iso                Include ISO-compliant services
  -fh, --fedramp-high      Include FedRAMP High
  -fm, --fedramp-moderate  Include FedRAMP Moderate
  -d2e, --dodccsrg-il2-ew  Include DoD CC SRG IL2 (East/West)
  -d2g, --dodccsrg-il2-gc  Include DoD CC SRG IL2 (GovCloud)
  -d4g, --dodccsrg-il4-gc  Include DoD CC SRG IL4 (GovCloud)
  -d5g, --dodccsrg-il5-gc  Include DoD CC SRG IL5 (GovCloud)
  --include TEXT           Include specific AWS IAM services, specified in a
                           comma separated string.

  --exclude TEXT           Exclude specific AWS IAM services, specified in a
                           comma separated string.

  -q, --quiet
  --help                   Show this message and exit.
  • For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
  • You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
  • Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet

Contributing

Setup

  • Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
  • Build the package
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

Authors and Contributors

🚨 Disclaimer 🚨

The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.

Comments
  • Go/Terraform Integration

    Go/Terraform Integration

    @kmcquade thanks for making this tool! I have a use case where Id like to run this through terraform, which currently I basically execute the pull into json and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that its a completely different implementation strategy, feel free to close if you don't find interest in it!

    enhancement 
    opened by danquack 9
  • ssmmessages and ec2messages not included - seeking input on status with different frameworks

    ssmmessages and ec2messages not included - seeking input on status with different frameworks

    I'd like some feedback from others, please. See the diffchecker between All Services vs. aws-allowlister generate: https://www.diffchecker.com/nXTPUgkL

    Notice that ssmmessages and ec2messages is not in the policy. This could cause issues for those who rely on SSM heavily.

    Relevant links: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html

    If so, we need to specify those services in the overrides file. https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml

    discussion 
    opened by kmcquade 9
  • Gif time

    Gif time

    What does this PR do?

    Closes #36

    Adds an example gif to the readme.

    What gif best describes this PR or how it makes you feel?

    gif

    Completion checklist

    enhancement cla:signed 
    opened by jdyke 7
  • added acm-pca under Certificate Manager

    added acm-pca under Certificate Manager

    What does this PR do?

    Adds acm-pca under the umbrella of acm. Our AWS TAM confirmed that it is covered as part of ACM for compliance purposes.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by pkaeding 6
  • Add schedule to update database

    Add schedule to update database

    What does this PR do?

    Updates the database every morning. Closes #72

    What gif best describes this PR or how it makes you feel?

    updates

    Completion checklist

    cla:signed 
    opened by danquack 6
  • PCI Allowlist findings

    PCI Allowlist findings

    I did some QA against the PCI policy generated via aws-allowlister generate --pci and have recorded my thoughts below. I'll still need to test these to verify if A) they're required for the service to function properly (if its related to a different approved service) and B) how much wiggle room there is to throw those in if they are not approved.

    The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS.

    • chime
    • ses
    • sso and sso-directory

    The following are approved services / programs and are not included in the JSON output file but should be.

    • appmesh (AWS App Mesh)
    • cassandra (Amazon Keyspaces (for Apache Cassandra)
    • chatbot (AWS Chatbot)
    • cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)
    • databrew - (AWS Glue DataBrew)
    • elasticloadbalancing - (Elastic Load Balancing)
    • groundstation - (AWS Ground Station)
    • kendra - (Amazon Kendra)
    • lakeformation - (AWS Glue)
    • license-manager - (AWS License Manager)
    • macie - (macie2 is included but not macie)
    • opsworks - (AWS OpsWorks Stacks)
    • resource-groups - (AWS Resource Groups)
    • sdb - (Amazon SimpleDB)
    • timestream - (Amazon Timestream)
    • trustedadvisor - (AWS Trusted Advisor)

    Let me know what you think about these.

    Thanks!

    qa 
    opened by jdyke 6
  • commenting out pandas writing to Excel

    commenting out pandas writing to Excel

    What does this PR do?

    essentially reverting https://github.com/salesforce/aws-allowlister/pull/37 to fix https://github.com/salesforce/aws-allowlister/issues/88

    What gif best describes this PR or how it makes you feel?

    panda

    Completion checklist

    cla:missing 
    opened by PatMyron 5
  • Add CLI option to force-include AWS services

    Add CLI option to force-include AWS services

    Just in case someone needs to include an AWS service but the tooling has not caught up.

    aws-allowlister generate --include serv1,serv2,serv3
    

    Maybe also an exclude option:

    aws-allowlister generate --exclude qldb
    

    @jdyke thoughts?

    enhancement discussion 
    opened by kmcquade 5
  • Add DOD CC SRG Support; Fix FedRAMP High bug

    Add DOD CC SRG Support; Fix FedRAMP High bug

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • Update fedramp.py

    Update fedramp.py

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • --all option fails

    --all option fails

    For some reason, the --all option fails.

     $ aws-allowlister generate -a
                                                                                                                                                                             
    aws_allowlister.command.generate [INFO] Note: to silence these logs, supply the argument '--quiet'
    aws_allowlister.command.generate [INFO] Policies for standard(s): 
    Traceback (most recent call last):
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/bin/aws-allowlister", line 8, in <module>
        sys.exit(main())
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/bin/cli.py", line 21, in main
        aws_allowlister()
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 133, in generate
        results = generate_allowlist_scp(standards, include, exclude)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 151, in generate_allowlist_scp
        services = list(standard_results[0].intersection(*standard_results))
    IndexError: list index out of range
    

    I am about to fix this now. I will also expand the click unit tests so it covers all the options.

    bug 
    opened by kmcquade 4
  • Bump certifi from 2021.5.30 to 2022.12.7

    Bump certifi from 2021.5.30 to 2022.12.7

    Bumps certifi from 2021.5.30 to 2022.12.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • FedRAMP high services in 3PAO/JAB status are added to JSON policy

    FedRAMP high services in 3PAO/JAB status are added to JSON policy

    I used this tool to generate an SCP for FedRAMP High services restriction, and I noticed a few services that were added into the "NotAction" section in the resulting JSON that show a current status of "3PAO Assessment" or "JAB Review" on the AWS Services in Scope page for FedRAMP compliance. These should not have been added into the JSON, as they are not yet fully approved.

    In my case, as of the time of this issue creation, that included the following services:

    • application-autoscaling (JAB Review)
    • wafv2 (3PAO Assessment)

    Oddly, the Single Sign-On (sso) service which appears to be in JAB Review status did not get added to the resulting JSON.

    Steps to re-create: pip3 install aws-allowlister aws-allowlister generate --fedramp-high --quiet > fedramp-high.json

    Resulting JSON file zipped and attached.

    fedramp-high.json.zip

    opened by ndvrichaws 0
  • K-ISMS (Japan) support

    K-ISMS (Japan) support

    K-ISMS is not currently scraped or included. It uses a 2-column structure so it can't use the same standard_scraper, but should be pretty straightforward to adjust the approach from the other scrapers.

    enhancement help wanted 
    opened by kmcquade 0
Releases(0.2.14)
  • 0.2.14(Jul 14, 2022)

  • 0.2.13(Feb 15, 2022)

  • 0.2.12(Feb 2, 2022)

  • 0.2.11(Jan 27, 2022)

    Changes

    • Updates database @github-actions (#100)
    • commenting out pandas writing to Excel @PatMyron (#99)
    • Update README.md @jdyke (#98)
    • Add IRAP (Australia) support @HanselD (#96)
    • Add HITRUST CSF support @HanselD (#95)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.10(Sep 27, 2021)

    Changes

    • Migrate to Pipenv @kmcquade (#90)
    • Updating Resource Groups @ld-jmertz (#91)

    πŸš€ Features

    • Add JSON list outputs @jmhale (#92)

    πŸ› Bug Fixes

    • Fixes #88 - AWS Compliance scraping failures @kmcquade (#93)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.9(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    πŸš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.8(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    πŸš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.7(Apr 21, 2021)

  • 0.2.6(Apr 20, 2021)

  • 0.2.5(Mar 24, 2021)

  • 0.2.4(Mar 23, 2021)

    Changes

    • Changes to makefile to update with latest compliance data; added example AWS Commercial-only SCP @kmcquade (#66)

    πŸš€ Features

    • Adds --excluded-table flag to output a markdown formatted table of excluded services @kmcquade (#69)
    • Service Links are in Markdown table output @kmcquade (#68)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.1(Mar 11, 2021)

  • 0.2.0(Feb 24, 2021)

    πŸš€ Features

    • Adds Markdown table output support; bump to version 0.2.0 @kmcquade (#62)
    • Add DOD CC SRG Support; Fix FedRAMP High bug @AMHesch (#58)

    πŸ› Bug Fixes

    • ssmmessages and ec2messages are compliant when SSM is compliant (fixes #48) @kmcquade (#50)

    πŸ“ Documentation

    • Update README with support statuses @kmcquade (#53)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.3(Feb 4, 2021)

  • 0.1.2(Jan 27, 2021)

  • 0.1.1(Jan 27, 2021)

    Changes

    • SCP Generation script pushes examples into the 'latest' folder so we can view the diff between versions @kmcquade (#38)
    • Database update utility script generates excel spreadsheet, not just CSV @kmcquade (#37)

    πŸš€ Features

    • overview addition @jdyke (#41)

    πŸ› Bug Fixes

    • Update README.md @jdyke (#40)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.0(Jan 25, 2021)

  • 0.0.4(Jan 25, 2021)

    Changes

    • GitHub action that runs aws-allowlister periodically and updates repository with the newest SCP JSONs. Fixes #12 - @kmcquade (#33)

    πŸ› Bug Fixes

    • Fixes --all argument @kmcquade (#32)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.3(Jan 24, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)
    • SOC quality checks @kmcquade (#28)

    πŸš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.2(Jan 23, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)

    πŸš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
Owner
Salesforce
A variety of vendor agnostic projects which power Salesforce
Salesforce
Tools untuk krek akun igeh :v

Instalasi pkg update && pkg upgrade -y pkg install python git -y rm -rf InstaCrack git clone https://github.com/AngCyber/InstaCrack pip install reques

Moch Aang Ardiansyah-XD 12 Apr 05, 2022
AuthGG is a Python library for dealing with Auth.gg apis

AuthGG AuthGG is a Python library for dealing with Auth.gg apis Installation Use the package manager pip to install requests Add the auth.py file in y

ExtremeDev 1 Dec 20, 2021
A very simple Salesforce.com REST API client for Python

Simple Salesforce Simple Salesforce is a basic Salesforce.com REST API client built for Python 3.5, 3.6, 3.7 and 3.8. The goal is to provide a very lo

simple salesforce 1.4k Dec 29, 2022
Crypto-trading-simulator - Cryptocurrency trading simulator using Python, Streamlit

Crypto Trading Simulator Run streamlit run main.py Dependency Python 3 streamli

Brad 12 Jul 02, 2022
Quot-a-lecture - Lecture transcript question extraction

Setup virtualenv venv source venv/bin/activate pip install -r requirements.txt

Pratyaksh Sharma 5 Sep 12, 2022
Telegram bot to stream videos in telegram voicechat for both groups and channels

Telegram bot to stream videos in telegram voicechat for both groups and channels. Supports live streams, YouTube videos and telegram media. With record stream support, Schedule streams, and many more

ALBY 9 Feb 20, 2022
Work with the AWS IP address ranges in native Python.

Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. Python v3 provides an ipaddress module in the standard library that allows you to create, manipulate, and perform ope

AWS Samples 9 Aug 25, 2022
A Python Library to interface with Tumblr v2 REST API & OAuth

Tumblpy Tumblpy is a Python library to help interface with Tumblr v2 REST API & OAuth Features Retrieve user information and blog information Common T

Mike Helmick 125 Jun 20, 2022
Compulsory join Telegram Bot

mussjoin About Compulsory join Telegram Bot this Telegram Bot Application can be added users to Telegram Channel or Group compulsorily. in addition wh

Hamed Mohammadvand 4 Dec 03, 2021
Reddit bot for r/khiphop

khiphop-bot Description This project is a collection of scripts that better the state of the r/khiphop subreddit, which represents Korean Hip-Hop and

1 Dec 21, 2021
Materials for the AMS 2022 Student Conference Python Workshop.

AMS 2022 Student Conference Python Workshop Let's talk MetPy! Here you will find a collection of notebooks we will be demonstrating and working throug

Unidata 4 Dec 13, 2022
Bot to notify when vaccine appointments are available

Vaccine Watch Bot to notify when vaccine appointments are available. Supports checking Hy-Vee, Walgreens, CVS, Walmart, Cosentino's stores (KC), and B

Peter Carnesciali 37 Aug 13, 2022
A python crypto trading bot on Binance using RSI in 25 Lines πŸš€

RSI Crypto Trading Bot - Binance A Crypto Trading Bot on Binance trading BTCUSDT and ETHUSDT using RSI in 25 Lines of Code Getting Started Note Python

Blankly Finance 10 Dec 26, 2022
A program that generates discord.py code

discord-py-generator A program that generates discord.py code Setup in cmds.txt file add your user id, client id and bot token you can change the bot

3 Dec 15, 2022
Provide discord buttons feature for discord.py

dpy_buttons wrapper library for discord.py, providing discord buttons feature. Future of the library Will be merged into discord interaction api libra

Minjun Kim (Lapis0875) 17 Feb 02, 2022
Force-Subscribe-Bot - A Telegram Bot to force users to join a specific channel before sending messages in a group

Introduction A Telegram Bot to force users to join a specific channel before sen

LG Bot Updates 0 Jan 16, 2022
TESSARECT A Powerful Bot you'll ever need for anything

Tessarect TESSARECT A Powerful Bot you'll ever need for anything TESSARECT It is my First bot but very advanced and designed for all your needs , from

Prakarsh Prp 4 Aug 27, 2022
Discord Bot that can translate your text, count and reply to your messages with a personalised text

Discord Bot that can translate your text, count and reply to your messages with a personalised text

Grizz 2 Jan 26, 2022
A file-based quote bot written in Python

Let's Write a Python Quote Bot! This repository will get you started with building a quote bot in Python. It's meant to be used along with the Learnin

1 Dec 07, 2021
Hacktoberfest2021 - Submit Just 4 PRs to earn SWAGS and TshirtsπŸ”₯

dont contribute in this repo, contribute only in below mentioned repo Special Note For Everyone ''' always make more then 4 pull request lets you have

Keshav Singh 820 Jan 02, 2023