Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Last update: Dec 08, 2022

Overview

aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.

However, before aws-allowlister, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister, the approach for creating an AllowList was:

Create a spreadsheet 🙄 based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names"
Create an AllowList.json by hand, based on that spreadsheet
Roll it out to Dev/Stage/Production
Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨ tribal knowledge ✨ and any updates occur by pinging this person over Slack.

aws-allowlister takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

aws-allowlister generate --pci

The policies generated by aws-allowlister are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation.

Support statuses

aws-allowlister currently supports:

Compliance Framework	Support Status
PCI	✅
SOC 1, 2, and 3	✅
ISO/IEC	✅
HIPAA BAA	✅
FedRAMP Moderate	✅
FedRAMP High	✅
DOD CC SRG (USA 🇺🇸 )	✅
HITRUST	⏱ Coming soon
IRAP (Australia 🇦🇺 )	⏱ Coming soon
C5 (Germany 🇩🇪 )	⏱ Coming soon
K-ISMS (Japan 🇯🇵 )	⏱ Coming soon
ENS High (Spain 🇪🇸 )	⏱ Coming soon

Forcibly include/exclude services

In addition to creating compliance-focused SCPs, aws-allowlister supports the ability to include or exclude services (IAM permissions) of your choice using the --include or --exclude flags. For more details related to policy customization, view the Arguments section.

Installation

Python Pip:

pip3 install aws-allowlister

Homebrew:

brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister

Usage

Generate an AllowList Policy using this command:

aws-allowlister generate

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

Example AllowList Policy

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}

You can also specify the --table option to output the results in a Markdown Table format, as shown below:

aws-allowlister generate --pci --table

The results will look like this:

Example AllowList Policy

| Service Prefix          | Service Name                                    |
|-------------------------|-------------------------------------------------|
| account                 | AWS Accounts                                    |
| acm                     | AWS Certificate Manager                         |
| amplify                 | AWS Amplify                                     |
| amplifybackend          | AWS Amplify Admin                               |
| apigateway              | Manage Amazon API Gateway                       |
| application-autoscaling | Application Auto Scaling                        |
| appmesh                 | AWS App Mesh                                    |
| appstream               | Amazon AppStream 2.0                            |
| appsync                 | AWS AppSync                                     |
| athena                  | Amazon Athena                                   |
| autoscaling             | Amazon EC2 Auto Scaling                         |
| autoscaling-plans       | AWS Auto Scaling                                |
| aws-portal              | AWS Billing                                     |
| backup                  | AWS Backup                                      |
| batch                   | AWS Batch                                       |
| cassandra               | AWS Managed Apache Cassandra Service            |
| chatbot                 | AWS Chatbot                                     |
| clouddirectory          | Amazon Cloud Directory                          |
| cloudformation          | AWS CloudFormation                              |
| cloudfront              | Amazon CloudFront                               |
| cloudhsm                | AWS CloudHSM                                    |
| cloudtrail              | AWS CloudTrail                                  |
| cloudwatch              | Amazon CloudWatch                               |
| codebuild               | AWS CodeBuild                                   |
| codecommit              | AWS CodeCommit                                  |
| codedeploy              | AWS CodeDeploy                                  |
| codepipeline            | AWS CodePipeline                                |
| cognito-identity        | Amazon Cognito Identity                         |
| cognito-idp             | Amazon Cognito User Pools                       |
| cognito-sync            | Amazon Cognito Sync                             |
| comprehend              | Amazon Comprehend                               |
| comprehendmedical       | Comprehend Medical                              |
| config                  | AWS Config                                      |
| connect                 | Amazon Connect                                  |
| databrew                | AWS Glue DataBrew                               |
| dataexchange            | AWS Data Exchange                               |
| datasync                | DataSync                                        |
| directconnect           | AWS Direct Connect                              |
| dms                     | AWS Database Migration Service                  |
| ds                      | AWS Directory Service                           |
| dynamodb                | Amazon DynamoDB                                 |
| ebs                     | Amazon Elastic Block Store                      |
| ec2                     | Amazon EC2                                      |
| ec2messages             | Amazon Message Delivery Service                 |
| ecr                     | Amazon Elastic Container Registry               |
| ecs                     | Amazon Elastic Container Service                |
| eks                     | Amazon Elastic Container Service for Kubernetes |
| elasticache             | Amazon ElastiCache                              |
| elasticbeanstalk        | AWS Elastic Beanstalk                           |
| elasticfilesystem       | Amazon Elastic File System                      |
| elasticloadbalancing    | Elastic Load Balancing V2                       |
| elasticmapreduce        | Amazon Elastic MapReduce                        |
| es                      | Amazon Elasticsearch Service                    |
| events                  | Amazon EventBridge                              |
| execute-api             | Amazon API Gateway                              |
| firehose                | Amazon Kinesis Firehose                         |
| fms                     | AWS Firewall Manager                            |
| forecast                | Amazon Forecast                                 |
| freertos                | Amazon FreeRTOS                                 |
| fsx                     | Amazon FSx                                      |
| glacier                 | Amazon Glacier                                  |
| globalaccelerator       | AWS Global Accelerator                          |
| glue                    | AWS Glue                                        |
| greengrass              | AWS IoT Greengrass                              |
| groundstation           | AWS Ground Station                              |
| guardduty               | Amazon GuardDuty                                |
| health                  | AWS Health APIs and Notifications               |
| iam                     | Identity And Access Management                  |
| importexport            | AWS Import Export Disk Service                  |
| inspector               | Amazon Inspector                                |
| iot                     | AWS IoT                                         |
| iot-device-tester       | AWS IoT Device Tester                           |
| iotdeviceadvisor        | AWS IoT Core Device Advisor                     |
| iotevents               | AWS IoT Events                                  |
| iotwireless             | AWS IoT Core for LoRaWAN                        |
| kendra                  | Amazon Kendra                                   |
| kinesis                 | Amazon Kinesis                                  |
| kinesisanalytics        | Amazon Kinesis Analytics V2                     |
| kinesisvideo            | Amazon Kinesis Video Streams                    |
| kms                     | AWS Key Management Service                      |
| lakeformation           | AWS Lake Formation                              |
| lambda                  | AWS Lambda                                      |
| lex                     | Amazon Lex                                      |
| license-manager         | AWS License Manager                             |
| logs                    | Amazon CloudWatch Logs                          |
| macie                   | Amazon Macie Classic                            |
| macie2                  | Amazon Macie                                    |
| mediaconnect            | AWS Elemental MediaConnect                      |
| mediaconvert            | AWS Elemental MediaConvert                      |
| medialive               | AWS Elemental MediaLive                         |
| mobiletargeting         | Amazon Pinpoint                                 |
| mq                      | Amazon MQ                                       |
| neptune-db              | Amazon Neptune                                  |
| opsworks                | AWS OpsWorks                                    |
| opsworks-cm             | AWS OpsWorks Configuration Management           |
| organizations           | AWS Organizations                               |
| outposts                | AWS Outposts                                    |
| personalize             | Amazon Personalize                              |
| polly                   | Amazon Polly                                    |
| qldb                    | Amazon QLDB                                     |
| quicksight              | Amazon QuickSight                               |
| rds                     | Amazon RDS                                      |
| rds-data                | Amazon RDS Data API                             |
| rds-db                  | Amazon RDS IAM Authentication                   |
| redshift                | Amazon Redshift                                 |
| rekognition             | Amazon Rekognition                              |
| resource-groups         | AWS Resource Groups                             |
| robomaker               | AWS RoboMaker                                   |
| route53                 | Amazon Route 53                                 |
| route53domains          | Amazon Route53 Domains                          |
| s3                      | Amazon S3                                       |
| sagemaker               | Amazon SageMaker                                |
| sdb                     | Amazon SimpleDB                                 |
| secretsmanager          | AWS Secrets Manager                             |
| securityhub             | AWS Security Hub                                |
| serverlessrepo          | AWS Serverless Application Repository           |
| servicecatalog          | AWS Service Catalog                             |
| servicediscovery        | AWS Cloud Map                                   |
| shield                  | AWS Shield                                      |
| sms                     | AWS Server Migration Service                    |
| sms-voice               | Amazon Pinpoint SMS and Voice Service           |
| snowball                | AWS Snowball                                    |
| sns                     | Amazon SNS                                      |
| sqs                     | Amazon SQS                                      |
| ssm                     | AWS Systems Manager                             |
| ssmmessages             | Amazon Session Manager Message Gateway Service  |
| states                  | AWS Step Functions                              |
| storagegateway          | Amazon Storage Gateway                          |
| sts                     | AWS Security Token Service                      |
| support                 | AWS Support                                     |
| swf                     | Amazon Simple Workflow Service                  |
| textract                | Amazon Textract                                 |
| timestream              | AWS Timestream                                  |
| transcribe              | Amazon Transcribe                               |
| transfer                | AWS Transfer for SFTP                           |
| translate               | Amazon Translate                                |
| trustedadvisor          | AWS Trusted Advisor                             |
| waf                     | AWS WAF                                         |
| waf-regional            | AWS WAF Regional                                |
| wafv2                   | AWS WAF V2                                      |
| workdocs                | Amazon WorkDocs                                 |
| worklink                | Amazon WorkLink                                 |
| workspaces              | Amazon WorkSpaces                               |
| xray                    | AWS X-Ray                                       |

Arguments

aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

Usage: aws-allowlister generate [OPTIONS]

Options:
  -a, --all                SOC, PCI, ISO, HIPAA, FedRAMP_High, and
                           FedRAMP_Moderate.

  -s, --soc                Include SOC-compliant services
  -p, --pci                Include PCI-compliant services
  -h, --hipaa              Include HIPAA-compliant services
  -i, --iso                Include ISO-compliant services
  -fh, --fedramp-high      Include FedRAMP High
  -fm, --fedramp-moderate  Include FedRAMP Moderate
  -d2e, --dodccsrg-il2-ew  Include DoD CC SRG IL2 (East/West)
  -d2g, --dodccsrg-il2-gc  Include DoD CC SRG IL2 (GovCloud)
  -d4g, --dodccsrg-il4-gc  Include DoD CC SRG IL4 (GovCloud)
  -d5g, --dodccsrg-il5-gc  Include DoD CC SRG IL5 (GovCloud)
  --include TEXT           Include specific AWS IAM services, specified in a
                           comma separated string.

  --exclude TEXT           Exclude specific AWS IAM services, specified in a
                           comma separated string.

  -q, --quiet
  --help                   Show this message and exit.

For example, to generate a PCI only Service Control Policy and save it to JSON:

aws-allowlister generate --pci --quiet > pci.json

You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:

aws-allowlister generate -sphi --quiet

Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:

aws-allowlister generate -sip --quiet

Contributing

Setup

Set up the virtual environment

# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt

Build the package

# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

Authors and Contributors

Kinnaird McQuade (@kmcquade3), Salesforce - Author
Jason Dyke (@jasonadyke), ScaleSec - Contributor

🚨 Disclaimer 🚨

The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.

Comments

Go/Terraform Integration

@kmcquade thanks for making this tool! I have a use case where Id like to run this through terraform, which currently I basically execute the pull into json and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that its a completely different implementation strategy, feel free to close if you don't find interest in it!
enhancement

opened by danquack 9
ssmmessages and ec2messages not included - seeking input on status with different frameworks

I'd like some feedback from others, please. See the diffchecker between All Services vs. aws-allowlister generate: https://www.diffchecker.com/nXTPUgkL

Notice that ssmmessages and ec2messages is not in the policy. This could cause issues for those who rely on SSM heavily.

Relevant links: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html

If so, we need to specify those services in the overrides file. https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml
discussion

opened by kmcquade 9
Gif time
What does this PR do?

Closes #36

Adds an example gif to the readme.

What gif best describes this PR or how it makes you feel?

Completion checklist

[X] Additions and changes have unit tests

[X] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[X] The pull request has been appropriately labeled using the provided PR labels

enhancement cla:signed
opened by jdyke 7
added acm-pca under Certificate Manager
What does this PR do?

Adds acm-pca under the umbrella of acm. Our AWS TAM confirmed that it is covered as part of ACM for compliance purposes.

What gif best describes this PR or how it makes you feel?

Completion checklist

[ ] Additions and changes have unit tests

[ ] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[ ] The pull request has been appropriately labeled using the provided PR labels

cla:signed
opened by pkaeding 6
Add schedule to update database
What does this PR do?

Updates the database every morning. Closes #72

What gif best describes this PR or how it makes you feel?

Completion checklist

[x] Additions and changes have unit tests

[x] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[x] The pull request has been appropriately labeled using the provided PR labels

cla:signed
opened by danquack 6
PCI Allowlist findings
I did some QA against the PCI policy generated via aws-allowlister generate --pci and have recorded my thoughts below. I'll still need to test these to verify if A) they're required for the service to function properly (if its related to a different approved service) and B) how much wiggle room there is to throw those in if they are not approved.

The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS.

chime

ses

sso and sso-directory

The following are approved services / programs and are not included in the JSON output file but should be.

appmesh (AWS App Mesh)

cassandra (Amazon Keyspaces (for Apache Cassandra)

chatbot (AWS Chatbot)

cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)

databrew - (AWS Glue DataBrew)

elasticloadbalancing - (Elastic Load Balancing)

groundstation - (AWS Ground Station)

kendra - (Amazon Kendra)

lakeformation - (AWS Glue)

license-manager - (AWS License Manager)

macie - (macie2 is included but not macie)

opsworks - (AWS OpsWorks Stacks)

resource-groups - (AWS Resource Groups)

sdb - (Amazon SimpleDB)

timestream - (Amazon Timestream)

trustedadvisor - (AWS Trusted Advisor)

Let me know what you think about these.

Thanks!
qa
opened by jdyke 6
commenting out pandas writing to Excel
What does this PR do?

essentially reverting https://github.com/salesforce/aws-allowlister/pull/37 to fix https://github.com/salesforce/aws-allowlister/issues/88

What gif best describes this PR or how it makes you feel?

Completion checklist

[x] tested in my fork: https://github.com/PatMyron/aws-allowlister/pull/3

[x] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[x] The pull request has been appropriately labeled using the provided PR labels

[x] signed the CLA, does that CLA check need to be re-run? @kmcquade

cla:missing
opened by PatMyron 5
Add CLI option to force-include AWS services
Just in case someone needs to include an AWS service but the tooling has not caught up.

aws-allowlister generate --include serv1,serv2,serv3

Maybe also an exclude option:

aws-allowlister generate --exclude qldb

@jdyke thoughts?
enhancement discussion
opened by kmcquade 5
Add DOD CC SRG Support; Fix FedRAMP High bug
FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

What does this PR do?

FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

What gif best describes this PR or how it makes you feel?

Completion checklist

[ X ] Additions and changes have unit tests

[ X ] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[ X ] The pull request has been appropriately labeled using the provided PR labels

cla:signed
opened by AMHesch 4
Update fedramp.py
FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

What does this PR do?

FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

What gif best describes this PR or how it makes you feel?

Completion checklist

[ X ] Additions and changes have unit tests

[ X ] Unit tests, Pylint, security testing, and Integration tests are passing.. GitHub actions does this automatically

[ X ] The pull request has been appropriately labeled using the provided PR labels

cla:signed
opened by AMHesch 4

--all option fails

For some reason, the --all option fails.

 $ aws-allowlister generate -a
                                                                                                                                                                         
aws_allowlister.command.generate [INFO] Note: to silence these logs, supply the argument '--quiet'
aws_allowlister.command.generate [INFO] Policies for standard(s): 
Traceback (most recent call last):
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/bin/aws-allowlister", line 8, in <module>
    sys.exit(main())
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/bin/cli.py", line 21, in main
    aws_allowlister()
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 133, in generate
    results = generate_allowlist_scp(standards, include, exclude)
  File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 151, in generate_allowlist_scp
    services = list(standard_results[0].intersection(*standard_results))
IndexError: list index out of range

I am about to fix this now. I will also expand the click unit tests so it covers all the options.

bug

opened by kmcquade 4

Bump certifi from 2021.5.30 to 2022.12.7
Bumps certifi from 2021.5.30 to 2022.12.7.

Commits

9e9e840 2022.12.07

b81bdb2 2022.09.24

939a28f 2022.09.14

aca828a 2022.06.15.2

de0eae1 Only use importlib.resources's new files() / Traversable API on Python ≥3.11 ...

b8eb5e9 2022.06.15.1

47fb7ab Fix deprecation warning on Python 3.11 (#199)

b0b48e0 fixes #198 -- update link in license

9d514b4 2022.06.15

4151e88 Add py.typed to MANIFEST.in to package in sdist (#196)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 0
FedRAMP high services in 3PAO/JAB status are added to JSON policy
I used this tool to generate an SCP for FedRAMP High services restriction, and I noticed a few services that were added into the "NotAction" section in the resulting JSON that show a current status of "3PAO Assessment" or "JAB Review" on the AWS Services in Scope page for FedRAMP compliance. These should not have been added into the JSON, as they are not yet fully approved.

In my case, as of the time of this issue creation, that included the following services:

application-autoscaling (JAB Review)

wafv2 (3PAO Assessment)

Oddly, the Single Sign-On (sso) service which appears to be in JAB Review status did not get added to the resulting JSON.

Steps to re-create: pip3 install aws-allowlister aws-allowlister generate --fedramp-high --quiet > fedramp-high.json

Resulting JSON file zipped and attached.

fedramp-high.json.zip
opened by ndvrichaws 0
K-ISMS (Japan) support

K-ISMS is not currently scraped or included. It uses a 2-column structure so it can't use the same standard_scraper, but should be pretty straightforward to adjust the approach from the other scrapers.
enhancement help wanted

opened by kmcquade 0

Releases(0.2.14)

0.2.14(Jul 14, 2022)
Changes

Updates database @github-actions (#103)

Source code(tar.gz)
Source code(zip)
0.2.13(Feb 15, 2022)
Changes

Updates database @github-actions (#102)

Source code(tar.gz)
Source code(zip)
0.2.12(Feb 2, 2022)
Changes

Updates database @github-actions (#101)

Source code(tar.gz)
Source code(zip)
0.2.11(Jan 27, 2022)
Changes

Updates database @github-actions (#100)

commenting out pandas writing to Excel @PatMyron (#99)

Update README.md @jdyke (#98)

Add IRAP (Australia) support @HanselD (#96)

Add HITRUST CSF support @HanselD (#95)

Source code(tar.gz)
Source code(zip)
0.2.10(Sep 27, 2021)
Changes

Migrate to Pipenv @kmcquade (#90)

Updating Resource Groups @ld-jmertz (#91)

🚀 Features

Add JSON list outputs @jmhale (#92)

🐛 Bug Fixes

Fixes #88 - AWS Compliance scraping failures @kmcquade (#93)

Source code(tar.gz)
Source code(zip)
0.2.9(Jun 8, 2021)
Changes

Updates database @github-actions (#85)

Updates database @github-actions (#84)

Updates database @github-actions (#83)

Updates database @github-actions (#82)

Updates database @github-actions (#78)

Updates database @github-actions (#76)

Automation

Add schedule to update database @danquack (#75)

enhanced github action @jdyke (#80)

🚀 Features

migrate to config + loop, add DOD requirements @danquack (#77)

added acm-pca under Certificate Manager @pkaeding (#81)

Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)

Source code(tar.gz)
Source code(zip)
0.2.8(Jun 8, 2021)
Changes

Updates database @github-actions (#85)

Updates database @github-actions (#84)

Updates database @github-actions (#83)

Updates database @github-actions (#82)

Updates database @github-actions (#78)

Updates database @github-actions (#76)

Automation

Add schedule to update database @danquack (#75)

enhanced github action @jdyke (#80)

🚀 Features

migrate to config + loop, add DOD requirements @danquack (#77)

added acm-pca under Certificate Manager @pkaeding (#81)

Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)

Source code(tar.gz)
Source code(zip)
0.2.7(Apr 21, 2021)
Changes

Add version bump automation @kmcquade (#73)

Source code(tar.gz)
Source code(zip)
0.2.6(Apr 20, 2021)
Changes

Initial Update @kmcquade (#71)

Fix PyUp with GitHub actions workaround @kmcquade (#70)

Source code(tar.gz)
Source code(zip)
0.2.5(Mar 24, 2021)
Changes

No changes; pushing a new version for Homebrew updates

Source code(tar.gz)
Source code(zip)
0.2.4(Mar 23, 2021)
Changes

Changes to makefile to update with latest compliance data; added example AWS Commercial-only SCP @kmcquade (#66)

🚀 Features

Adds --excluded-table flag to output a markdown formatted table of excluded services @kmcquade (#69)

Service Links are in Markdown table output @kmcquade (#68)

Source code(tar.gz)
Source code(zip)
0.2.1(Mar 11, 2021)
Changes

Update overrides to include access-analyzer @alsmola (#63)

Source code(tar.gz)
Source code(zip)
0.2.0(Feb 24, 2021)
🚀 Features

Adds Markdown table output support; bump to version 0.2.0 @kmcquade (#62)

Add DOD CC SRG Support; Fix FedRAMP High bug @AMHesch (#58)

🐛 Bug Fixes

ssmmessages and ec2messages are compliant when SSM is compliant (fixes #48) @kmcquade (#50)

📝 Documentation

Update README with support statuses @kmcquade (#53)

Source code(tar.gz)
Source code(zip)
0.1.3(Feb 4, 2021)
🚀 Features

Reduce whitespaces in the SCP by making the NotAction lists all in one line @kmcquade (#45)

Source code(tar.gz)
Source code(zip)
0.1.2(Jan 27, 2021)
Changes

Remove rebuild command @kmcquade (#44)

Remove "open source info" @jdyke (#43)

Improve the README @kmcquade (#42)

Source code(tar.gz)
Source code(zip)
0.1.1(Jan 27, 2021)
Changes

SCP Generation script pushes examples into the 'latest' folder so we can view the diff between versions @kmcquade (#38)

Database update utility script generates excel spreadsheet, not just CSV @kmcquade (#37)

🚀 Features

overview addition @jdyke (#41)

🐛 Bug Fixes

Update README.md @jdyke (#40)

Source code(tar.gz)
Source code(zip)
0.1.0(Jan 25, 2021)
Changes

Click unit tests now include all arguments to make sure nothing breaks @kmcquade (#35)

Source code(tar.gz)
Source code(zip)
0.0.4(Jan 25, 2021)
Changes

GitHub action that runs aws-allowlister periodically and updates repository with the newest SCP JSONs. Fixes #12 - @kmcquade (#33)

🐛 Bug Fixes

Fixes --all argument @kmcquade (#32)

Source code(tar.gz)
Source code(zip)
0.0.3(Jan 24, 2021)
Changes

Lots of QA Fixes thanks to @jdyke (#26)

Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)

Added some maintainer friendly automation @kmcquade (#21)

SOC quality checks @kmcquade (#28)

🚀 Features

Added FedRAMP @kmcquade (#27)

Adds ability to exclude and include AWS services via command line @kmcquade (#20)

Source code(tar.gz)
Source code(zip)
0.0.2(Jan 23, 2021)
Changes

Lots of QA Fixes thanks to @jdyke (#26)

Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)

Added some maintainer friendly automation @kmcquade (#21)

🚀 Features

Added FedRAMP @kmcquade (#27)

Adds ability to exclude and include AWS services via command line @kmcquade (#20)

Source code(tar.gz)
Source code(zip)

Owner

Salesforce

A variety of vendor agnostic projects which power Salesforce

GitHub Repository

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Related tags

Overview

aws-allowlister

Overview

Support statuses

Forcibly include/exclude services

Installation

Usage

Arguments

Contributing

Setup

Authors and Contributors

🚨 Disclaimer 🚨

Comments

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

What does this PR do?

What gif best describes this PR or how it makes you feel?

Completion checklist

Releases(0.2.14)

0.2.14(Jul 14, 2022)

Changes

0.2.13(Feb 15, 2022)

Changes

0.2.12(Feb 2, 2022)

Changes

0.2.11(Jan 27, 2022)

Changes

0.2.10(Sep 27, 2021)

Changes

🚀 Features

🐛 Bug Fixes

0.2.9(Jun 8, 2021)

Changes

Automation

🚀 Features

0.2.8(Jun 8, 2021)

Changes

Automation

🚀 Features

0.2.7(Apr 21, 2021)

Changes

0.2.6(Apr 20, 2021)

Changes

0.2.5(Mar 24, 2021)

Changes

0.2.4(Mar 23, 2021)

Changes

🚀 Features

0.2.1(Mar 11, 2021)

Changes

0.2.0(Feb 24, 2021)

🚀 Features

🐛 Bug Fixes

📝 Documentation

0.1.3(Feb 4, 2021)

🚀 Features

0.1.2(Jan 27, 2021)

Changes

0.1.1(Jan 27, 2021)

Changes

🚀 Features

🐛 Bug Fixes

0.1.0(Jan 25, 2021)

Changes

0.0.4(Jan 25, 2021)