Generate AWS AllowList SCPs
Project description
aws-allowlister
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Overview
Service Control Policies (SCPs) are some of the strongest security tools available to configure guardrails and enforce best practices in AWS. One of the biggest challenges with SCPs is writing comprehensive and trustworthy policies that are tailored to your environments. This is especially important when organizations must abide by compliance requirements that have little to no wiggle room when it comes to allowed AWS services or actions. aws-allowlister
looks to mitigate some of the risks involved with hand-writing policies that align with compliance frameworks by generating compliance-focused "AllowList" SCPs.
The policies generated by aws-allowlister
are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accredidation. aws-allowlister
currently supports:
- PCI
- SOC 1,2,3
- ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1
- HIPAA BAA
- FedRAMP Moderate
- FedRAMP High
In addition to creating compliance-focused SCPs, aws-allowlister
supports the ability to include or exclude services (IAM permissions) of your choice using the --include
or --exclude
flags. For more details related to policy customization, view the Arguments section.
Installation
- Python Pip:
pip3 install aws-allowlister
- Homebrew (this will work once we open source it):
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
Usage
- Generate an AllowList Policy using this command:
aws-allowlister generate
By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.
The resulting policy will look like this:
Example AllowList Policy
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"NotAction": [
"account:*",
"acm:*",
"amplify:*",
"amplifybackend:*",
"apigateway:*",
"application-autoscaling:*",
"appstream:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"aws-portal:*",
"backup:*",
"batch:*",
"clouddirectory:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*",
"cognito-identity:*",
"cognito-idp:*",
"comprehend:*",
"comprehendmedical:*",
"config:*",
"connect:*",
"dataexchange:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ebs:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"execute-api:*",
"firehose:*",
"fms:*",
"forecast:*",
"freertos:*",
"fsx:*",
"glacier:*",
"globalaccelerator:*",
"glue:*",
"greengrass:*",
"guardduty:*",
"health:*",
"iam:*",
"inspector:*",
"iot:*",
"iot-device-tester:*",
"iotdeviceadvisor:*",
"iotevents:*",
"iotwireless:*",
"kafka:*",
"kinesis:*",
"kinesisanalytics:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lex:*",
"logs:*",
"macie2:*",
"mediaconnect:*",
"mediaconvert:*",
"medialive:*",
"mq:*",
"neptune-db:*",
"opsworks-cm:*",
"organizations:*",
"outposts:*",
"personalize:*",
"polly:*",
"qldb:*",
"quicksight:*",
"rds:*",
"rds-data:*",
"rds-db:*",
"redshift:*",
"rekognition:*",
"robomaker:*",
"route53:*",
"route53domains:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"securityhub:*",
"serverlessrepo:*",
"servicecatalog:*",
"shield:*",
"sms:*",
"sms-voice:*",
"snowball:*",
"sns:*",
"sqs:*",
"ssm:*",
"sso:*",
"sso-directory:*",
"states:*",
"storagegateway:*",
"sts:*",
"support:*",
"swf:*",
"textract:*",
"transcribe:*",
"transfer:*",
"translate:*",
"waf:*",
"waf-regional:*",
"wafv2:*",
"workdocs:*",
"worklink:*",
"workspaces:*",
"xray:*"
],
"Resource": "*"
}
}
Arguments
aws-allowlister
supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.
Usage: aws-allowlister generate [OPTIONS]
Options:
-a, --all SOC, PCI, ISO, HIPAA, FedRAMP_High, and
FedRAMP_Moderate.
-s, --soc Include SOC-compliant services
-p, --pci Include PCI-compliant services
-h, --hipaa Include HIPAA-compliant services
-i, --iso Include ISO-compliant services
-fh, --fedramp-high Include FedRAMP High
-fm, --fedramp-moderate Include FedRAMP Moderate
--include TEXT Include specific AWS IAM services, specified in a
comma separated string.
--exclude TEXT Exclude specific AWS IAM services, specified in a
comma separated string.
-q, --quiet
--help Show this message and exit.
- For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
- You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
- Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet
Contributing
Setup
- Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
- Build the package
# To build only
make build
# To build and install
make install
# To run tests
make test
# To clean local dev environment
make clean
Authors and Contributors
- Kinnaird McQuade (@kmcquade3), Salesforce - Author
- Jason Dyke (@jasonadyke), ScaleSec - Contributor
Disclaimer
The policies generated by aws-allowlister
do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws_allowlister-0.1.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | beae9951ab9ab15997e21e9f769a9686ce5d4ecdd634aed627c422f34ed0d60e |
|
MD5 | b932830558355b1c3f07e374c86aa22d |
|
BLAKE2b-256 | 7bc0a3e3b29e4b1d9f1eebba919831d293b695a2a24e3bb21bae061e91a15d4f |