Generate AWS AllowList SCPs
Project description
aws-allowlister
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Overview
AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.
However, before aws-allowlister
, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister
, the approach for creating an AllowList was:
- Create a spreadsheet 🙄 based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names"
- Create an AllowList.json by hand, based on that spreadsheet
- Roll it out to Dev/Stage/Production
- Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨tribal knowledge✨ and any updates occur by pinging this person over Slack.
aws-allowlister
takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:
aws-allowlister generate --pci
The policies generated by aws-allowlister
are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation. aws-allowlister
currently supports:
- PCI
- SOC 1,2,3
- ISO/IEC
- HIPAA BAA
- FedRAMP Moderate
- FedRAMP High
In addition to creating compliance-focused SCPs, aws-allowlister
supports the ability to include or exclude services (IAM permissions) of your choice using the --include
or --exclude
flags. For more details related to policy customization, view the Arguments section.
Installation
- Python Pip:
pip3 install aws-allowlister
- Homebrew:
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
Usage
- Generate an AllowList Policy using this command:
aws-allowlister generate
By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.
The resulting policy will look like this:
Example AllowList Policy
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"NotAction": [
"account:*",
"acm:*",
"amplify:*",
"amplifybackend:*",
"apigateway:*",
"application-autoscaling:*",
"appstream:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"aws-portal:*",
"backup:*",
"batch:*",
"clouddirectory:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*",
"cognito-identity:*",
"cognito-idp:*",
"comprehend:*",
"comprehendmedical:*",
"config:*",
"connect:*",
"dataexchange:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ebs:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"execute-api:*",
"firehose:*",
"fms:*",
"forecast:*",
"freertos:*",
"fsx:*",
"glacier:*",
"globalaccelerator:*",
"glue:*",
"greengrass:*",
"guardduty:*",
"health:*",
"iam:*",
"inspector:*",
"iot:*",
"iot-device-tester:*",
"iotdeviceadvisor:*",
"iotevents:*",
"iotwireless:*",
"kafka:*",
"kinesis:*",
"kinesisanalytics:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lex:*",
"logs:*",
"macie2:*",
"mediaconnect:*",
"mediaconvert:*",
"medialive:*",
"mq:*",
"neptune-db:*",
"opsworks-cm:*",
"organizations:*",
"outposts:*",
"personalize:*",
"polly:*",
"qldb:*",
"quicksight:*",
"rds:*",
"rds-data:*",
"rds-db:*",
"redshift:*",
"rekognition:*",
"robomaker:*",
"route53:*",
"route53domains:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"securityhub:*",
"serverlessrepo:*",
"servicecatalog:*",
"shield:*",
"sms:*",
"sms-voice:*",
"snowball:*",
"sns:*",
"sqs:*",
"ssm:*",
"sso:*",
"sso-directory:*",
"states:*",
"storagegateway:*",
"sts:*",
"support:*",
"swf:*",
"textract:*",
"transcribe:*",
"transfer:*",
"translate:*",
"waf:*",
"waf-regional:*",
"wafv2:*",
"workdocs:*",
"worklink:*",
"workspaces:*",
"xray:*"
],
"Resource": "*"
}
}
Arguments
aws-allowlister
supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.
Usage: aws-allowlister generate [OPTIONS]
Options:
-a, --all SOC, PCI, ISO, HIPAA, FedRAMP_High, and
FedRAMP_Moderate.
-s, --soc Include SOC-compliant services
-p, --pci Include PCI-compliant services
-h, --hipaa Include HIPAA-compliant services
-i, --iso Include ISO-compliant services
-fh, --fedramp-high Include FedRAMP High
-fm, --fedramp-moderate Include FedRAMP Moderate
--include TEXT Include specific AWS IAM services, specified in a
comma separated string.
--exclude TEXT Exclude specific AWS IAM services, specified in a
comma separated string.
-q, --quiet
--help Show this message and exit.
- For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
- You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
- Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet
Contributing
Setup
- Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
- Build the package
# To build only
make build
# To build and install
make install
# To run tests
make test
# To clean local dev environment
make clean
Authors and Contributors
- Kinnaird McQuade (@kmcquade3), Salesforce - Author
- Jason Dyke (@jasonadyke), ScaleSec - Contributor
🚨 Disclaimer 🚨
The policies generated by aws-allowlister
do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws_allowlister-0.1.3-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | e3164b136c28f52854ae20043e8b98cbd3b8866892809e9866540ef532e9d75a |
|
MD5 | c8882e49f8e2ca3c89597a5f71ea01dc |
|
BLAKE2b-256 | 23314f2d57c632b7043afe50901e8799b36da0ae965709daf1747144c6eac29e |