Generate AWS AllowList SCPs

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for kinnairdm from gravatar.com kinnairdm Avatar for mattyjones from gravatar.com mattyjones

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Kinnaird McQuade

Tags aws, iam, roles, policy, policies, privileges, security

Requires: Python >=3.6

Classifiers

Project description

aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your selected frameworks. Supports SOC, PCI, HIPAA, ISO, FedRAMP High, and FedRAMP Moderate.

Installation

  • This command sets up the virtual environment, builds the python package and installs the package so you can run it from command line.
make install

Usage

  • Generate an AllowList Policy using this command:
aws-allowlister generate

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO.

The resulting policy will look like this:

Example AllowList Policy 
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}

Arguments

aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists.

  • --soc, or -s
  • --pci, or -p
  • --hipaa, or -h
  • --iso, or -i
  • --fedramp-moderate, or -fm
  • --fedramp-high, or fh

For example, to generate a PCI only Service Control Policy:

aws-allowlister generate --pci

Contributing

Setup

  • Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
  • Build the package
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

TODO

  • After we make it public, we should have an index.html page that leverages some Javascript magic to allow people to filter the table without having to download SQLite Browser. I can do this in about an hour with Vue.

Disclaimer

The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for kinnairdm from gravatar.com kinnairdm Avatar for mattyjones from gravatar.com mattyjones

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Kinnaird McQuade

Tags aws, iam, roles, policy, policies, privileges, security

Requires: Python >=3.6

Classifiers

Release history Release notifications | RSS feed

0.2.15

0.2.14

0.2.13

0.2.12

0.2.11

0.2.9

0.2.7

0.2.6

0.2.5

0.2.4

0.2.1

0.2.0

0.1.3

0.1.2

0.1.1

0.1.0

0.0.4

This version

0.0.3

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws-allowlister-0.0.3.tar.gz (130.6 kB view hashes)

Uploaded Source

Built Distribution

aws_allowlister-0.0.3-py3-none-any.whl (142.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page