Generate AWS AllowList SCPs
Project description
aws-allowlister
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your selected frameworks. Supports SOC, PCI, HIPAA, ISO, FedRAMP High, and FedRAMP Moderate.
Installation
- Python Pip:
pip3 install aws-allowlister
- Homebrew (this will work once we open source it):
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
Usage
- Generate an AllowList Policy using this command:
aws-allowlister generate
By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO.
The resulting policy will look like this:
Example AllowList Policy
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"NotAction": [
"account:*",
"acm:*",
"amplify:*",
"amplifybackend:*",
"apigateway:*",
"application-autoscaling:*",
"appstream:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"aws-portal:*",
"backup:*",
"batch:*",
"clouddirectory:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*",
"cognito-identity:*",
"cognito-idp:*",
"comprehend:*",
"comprehendmedical:*",
"config:*",
"connect:*",
"dataexchange:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ebs:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"execute-api:*",
"firehose:*",
"fms:*",
"forecast:*",
"freertos:*",
"fsx:*",
"glacier:*",
"globalaccelerator:*",
"glue:*",
"greengrass:*",
"guardduty:*",
"health:*",
"iam:*",
"inspector:*",
"iot:*",
"iot-device-tester:*",
"iotdeviceadvisor:*",
"iotevents:*",
"iotwireless:*",
"kafka:*",
"kinesis:*",
"kinesisanalytics:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lex:*",
"logs:*",
"macie2:*",
"mediaconnect:*",
"mediaconvert:*",
"medialive:*",
"mq:*",
"neptune-db:*",
"opsworks-cm:*",
"organizations:*",
"outposts:*",
"personalize:*",
"polly:*",
"qldb:*",
"quicksight:*",
"rds:*",
"rds-data:*",
"rds-db:*",
"redshift:*",
"rekognition:*",
"robomaker:*",
"route53:*",
"route53domains:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"securityhub:*",
"serverlessrepo:*",
"servicecatalog:*",
"shield:*",
"sms:*",
"sms-voice:*",
"snowball:*",
"sns:*",
"sqs:*",
"ssm:*",
"sso:*",
"sso-directory:*",
"states:*",
"storagegateway:*",
"sts:*",
"support:*",
"swf:*",
"textract:*",
"transcribe:*",
"transfer:*",
"translate:*",
"waf:*",
"waf-regional:*",
"wafv2:*",
"workdocs:*",
"worklink:*",
"workspaces:*",
"xray:*"
],
"Resource": "*"
}
}
Arguments
aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists.
--soc, or-s--pci, or-p--hipaa, or-h--iso, or-i--fedramp-moderate, or-fm--fedramp-high, or-fh
For example, to generate a PCI only Service Control Policy:
aws-allowlister generate --pci
Contributing
Setup
- Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
- Build the package
# To build only
make build
# To build and install
make install
# To run tests
make test
# To clean local dev environment
make clean
Disclaimer
The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws_allowlister-0.0.4-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | af70bfd6869632a4190fff9fc7c6139f3f51a847d8a0df8edd7a03118f8e6582 |
|
| MD5 | 6161299e769c42a4f1063dc24d8bab61 |
|
| BLAKE2b-256 | 1ac70b1b744ad25cd1815d9ceb57bac50f9362dd08f3f0b7237ad85987f750e7 |
