Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

aws-allowlister

Continuous Integration Tests

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.

However, before aws-allowlister, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister, the approach for creating an AllowList was:

  1. Create a spreadsheet πŸ™„ based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names"
  2. Create an AllowList.json by hand, based on that spreadsheet
  3. Roll it out to Dev/Stage/Production
  4. Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨ tribal knowledge ✨ and any updates occur by pinging this person over Slack.

aws-allowlister takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

aws-allowlister generate --pci

The policies generated by aws-allowlister are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation.

Support statuses

aws-allowlister currently supports:

Compliance Framework Support Status
PCI βœ…
SOC 1, 2, and 3 βœ…
ISO/IEC βœ…
HIPAA BAA βœ…
FedRAMP Moderate βœ…
FedRAMP High βœ…
DOD CC SRG (USA πŸ‡ΊπŸ‡Έ ) βœ…
HITRUST ⏱ Coming soon
IRAP (Australia πŸ‡¦πŸ‡Ί ) ⏱ Coming soon
C5 (Germany πŸ‡©πŸ‡ͺ ) ⏱ Coming soon
K-ISMS (Japan πŸ‡―πŸ‡΅ ) ⏱ Coming soon
ENS High (Spain πŸ‡ͺπŸ‡Έ ) ⏱ Coming soon

Forcibly include/exclude services

In addition to creating compliance-focused SCPs, aws-allowlister supports the ability to include or exclude services (IAM permissions) of your choice using the --include or --exclude flags. For more details related to policy customization, view the Arguments section.

Installation

  • Python Pip:
pip3 install aws-allowlister
  • Homebrew:
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister

Usage

  • Generate an AllowList Policy using this command:
aws-allowlister generate

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

Example AllowList Policy
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}
  • You can also specify the --table option to output the results in a Markdown Table format, as shown below:
aws-allowlister generate --pci --table

The results will look like this:

Example AllowList Policy
| Service Prefix          | Service Name                                    |
|-------------------------|-------------------------------------------------|
| account                 | AWS Accounts                                    |
| acm                     | AWS Certificate Manager                         |
| amplify                 | AWS Amplify                                     |
| amplifybackend          | AWS Amplify Admin                               |
| apigateway              | Manage Amazon API Gateway                       |
| application-autoscaling | Application Auto Scaling                        |
| appmesh                 | AWS App Mesh                                    |
| appstream               | Amazon AppStream 2.0                            |
| appsync                 | AWS AppSync                                     |
| athena                  | Amazon Athena                                   |
| autoscaling             | Amazon EC2 Auto Scaling                         |
| autoscaling-plans       | AWS Auto Scaling                                |
| aws-portal              | AWS Billing                                     |
| backup                  | AWS Backup                                      |
| batch                   | AWS Batch                                       |
| cassandra               | AWS Managed Apache Cassandra Service            |
| chatbot                 | AWS Chatbot                                     |
| clouddirectory          | Amazon Cloud Directory                          |
| cloudformation          | AWS CloudFormation                              |
| cloudfront              | Amazon CloudFront                               |
| cloudhsm                | AWS CloudHSM                                    |
| cloudtrail              | AWS CloudTrail                                  |
| cloudwatch              | Amazon CloudWatch                               |
| codebuild               | AWS CodeBuild                                   |
| codecommit              | AWS CodeCommit                                  |
| codedeploy              | AWS CodeDeploy                                  |
| codepipeline            | AWS CodePipeline                                |
| cognito-identity        | Amazon Cognito Identity                         |
| cognito-idp             | Amazon Cognito User Pools                       |
| cognito-sync            | Amazon Cognito Sync                             |
| comprehend              | Amazon Comprehend                               |
| comprehendmedical       | Comprehend Medical                              |
| config                  | AWS Config                                      |
| connect                 | Amazon Connect                                  |
| databrew                | AWS Glue DataBrew                               |
| dataexchange            | AWS Data Exchange                               |
| datasync                | DataSync                                        |
| directconnect           | AWS Direct Connect                              |
| dms                     | AWS Database Migration Service                  |
| ds                      | AWS Directory Service                           |
| dynamodb                | Amazon DynamoDB                                 |
| ebs                     | Amazon Elastic Block Store                      |
| ec2                     | Amazon EC2                                      |
| ec2messages             | Amazon Message Delivery Service                 |
| ecr                     | Amazon Elastic Container Registry               |
| ecs                     | Amazon Elastic Container Service                |
| eks                     | Amazon Elastic Container Service for Kubernetes |
| elasticache             | Amazon ElastiCache                              |
| elasticbeanstalk        | AWS Elastic Beanstalk                           |
| elasticfilesystem       | Amazon Elastic File System                      |
| elasticloadbalancing    | Elastic Load Balancing V2                       |
| elasticmapreduce        | Amazon Elastic MapReduce                        |
| es                      | Amazon Elasticsearch Service                    |
| events                  | Amazon EventBridge                              |
| execute-api             | Amazon API Gateway                              |
| firehose                | Amazon Kinesis Firehose                         |
| fms                     | AWS Firewall Manager                            |
| forecast                | Amazon Forecast                                 |
| freertos                | Amazon FreeRTOS                                 |
| fsx                     | Amazon FSx                                      |
| glacier                 | Amazon Glacier                                  |
| globalaccelerator       | AWS Global Accelerator                          |
| glue                    | AWS Glue                                        |
| greengrass              | AWS IoT Greengrass                              |
| groundstation           | AWS Ground Station                              |
| guardduty               | Amazon GuardDuty                                |
| health                  | AWS Health APIs and Notifications               |
| iam                     | Identity And Access Management                  |
| importexport            | AWS Import Export Disk Service                  |
| inspector               | Amazon Inspector                                |
| iot                     | AWS IoT                                         |
| iot-device-tester       | AWS IoT Device Tester                           |
| iotdeviceadvisor        | AWS IoT Core Device Advisor                     |
| iotevents               | AWS IoT Events                                  |
| iotwireless             | AWS IoT Core for LoRaWAN                        |
| kendra                  | Amazon Kendra                                   |
| kinesis                 | Amazon Kinesis                                  |
| kinesisanalytics        | Amazon Kinesis Analytics V2                     |
| kinesisvideo            | Amazon Kinesis Video Streams                    |
| kms                     | AWS Key Management Service                      |
| lakeformation           | AWS Lake Formation                              |
| lambda                  | AWS Lambda                                      |
| lex                     | Amazon Lex                                      |
| license-manager         | AWS License Manager                             |
| logs                    | Amazon CloudWatch Logs                          |
| macie                   | Amazon Macie Classic                            |
| macie2                  | Amazon Macie                                    |
| mediaconnect            | AWS Elemental MediaConnect                      |
| mediaconvert            | AWS Elemental MediaConvert                      |
| medialive               | AWS Elemental MediaLive                         |
| mobiletargeting         | Amazon Pinpoint                                 |
| mq                      | Amazon MQ                                       |
| neptune-db              | Amazon Neptune                                  |
| opsworks                | AWS OpsWorks                                    |
| opsworks-cm             | AWS OpsWorks Configuration Management           |
| organizations           | AWS Organizations                               |
| outposts                | AWS Outposts                                    |
| personalize             | Amazon Personalize                              |
| polly                   | Amazon Polly                                    |
| qldb                    | Amazon QLDB                                     |
| quicksight              | Amazon QuickSight                               |
| rds                     | Amazon RDS                                      |
| rds-data                | Amazon RDS Data API                             |
| rds-db                  | Amazon RDS IAM Authentication                   |
| redshift                | Amazon Redshift                                 |
| rekognition             | Amazon Rekognition                              |
| resource-groups         | AWS Resource Groups                             |
| robomaker               | AWS RoboMaker                                   |
| route53                 | Amazon Route 53                                 |
| route53domains          | Amazon Route53 Domains                          |
| s3                      | Amazon S3                                       |
| sagemaker               | Amazon SageMaker                                |
| sdb                     | Amazon SimpleDB                                 |
| secretsmanager          | AWS Secrets Manager                             |
| securityhub             | AWS Security Hub                                |
| serverlessrepo          | AWS Serverless Application Repository           |
| servicecatalog          | AWS Service Catalog                             |
| servicediscovery        | AWS Cloud Map                                   |
| shield                  | AWS Shield                                      |
| sms                     | AWS Server Migration Service                    |
| sms-voice               | Amazon Pinpoint SMS and Voice Service           |
| snowball                | AWS Snowball                                    |
| sns                     | Amazon SNS                                      |
| sqs                     | Amazon SQS                                      |
| ssm                     | AWS Systems Manager                             |
| ssmmessages             | Amazon Session Manager Message Gateway Service  |
| states                  | AWS Step Functions                              |
| storagegateway          | Amazon Storage Gateway                          |
| sts                     | AWS Security Token Service                      |
| support                 | AWS Support                                     |
| swf                     | Amazon Simple Workflow Service                  |
| textract                | Amazon Textract                                 |
| timestream              | AWS Timestream                                  |
| transcribe              | Amazon Transcribe                               |
| transfer                | AWS Transfer for SFTP                           |
| translate               | Amazon Translate                                |
| trustedadvisor          | AWS Trusted Advisor                             |
| waf                     | AWS WAF                                         |
| waf-regional            | AWS WAF Regional                                |
| wafv2                   | AWS WAF V2                                      |
| workdocs                | Amazon WorkDocs                                 |
| worklink                | Amazon WorkLink                                 |
| workspaces              | Amazon WorkSpaces                               |
| xray                    | AWS X-Ray                                       |

Arguments

aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

Usage: aws-allowlister generate [OPTIONS]

Options:
  -a, --all                SOC, PCI, ISO, HIPAA, FedRAMP_High, and
                           FedRAMP_Moderate.

  -s, --soc                Include SOC-compliant services
  -p, --pci                Include PCI-compliant services
  -h, --hipaa              Include HIPAA-compliant services
  -i, --iso                Include ISO-compliant services
  -fh, --fedramp-high      Include FedRAMP High
  -fm, --fedramp-moderate  Include FedRAMP Moderate
  -d2e, --dodccsrg-il2-ew  Include DoD CC SRG IL2 (East/West)
  -d2g, --dodccsrg-il2-gc  Include DoD CC SRG IL2 (GovCloud)
  -d4g, --dodccsrg-il4-gc  Include DoD CC SRG IL4 (GovCloud)
  -d5g, --dodccsrg-il5-gc  Include DoD CC SRG IL5 (GovCloud)
  --include TEXT           Include specific AWS IAM services, specified in a
                           comma separated string.

  --exclude TEXT           Exclude specific AWS IAM services, specified in a
                           comma separated string.

  -q, --quiet
  --help                   Show this message and exit.
  • For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
  • You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
  • Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet

Contributing

Setup

  • Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
  • Build the package
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

Authors and Contributors

🚨 Disclaimer 🚨

The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.

Comments
  • Go/Terraform Integration

    Go/Terraform Integration

    @kmcquade thanks for making this tool! I have a use case where Id like to run this through terraform, which currently I basically execute the pull into json and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that its a completely different implementation strategy, feel free to close if you don't find interest in it!

    enhancement 
    opened by danquack 9
  • ssmmessages and ec2messages not included - seeking input on status with different frameworks

    ssmmessages and ec2messages not included - seeking input on status with different frameworks

    I'd like some feedback from others, please. See the diffchecker between All Services vs. aws-allowlister generate: https://www.diffchecker.com/nXTPUgkL

    Notice that ssmmessages and ec2messages is not in the policy. This could cause issues for those who rely on SSM heavily.

    Relevant links: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html

    If so, we need to specify those services in the overrides file. https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml

    discussion 
    opened by kmcquade 9
  • Gif time

    Gif time

    What does this PR do?

    Closes #36

    Adds an example gif to the readme.

    What gif best describes this PR or how it makes you feel?

    gif

    Completion checklist

    enhancement cla:signed 
    opened by jdyke 7
  • added acm-pca under Certificate Manager

    added acm-pca under Certificate Manager

    What does this PR do?

    Adds acm-pca under the umbrella of acm. Our AWS TAM confirmed that it is covered as part of ACM for compliance purposes.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by pkaeding 6
  • Add schedule to update database

    Add schedule to update database

    What does this PR do?

    Updates the database every morning. Closes #72

    What gif best describes this PR or how it makes you feel?

    updates

    Completion checklist

    cla:signed 
    opened by danquack 6
  • PCI Allowlist findings

    PCI Allowlist findings

    I did some QA against the PCI policy generated via aws-allowlister generate --pci and have recorded my thoughts below. I'll still need to test these to verify if A) they're required for the service to function properly (if its related to a different approved service) and B) how much wiggle room there is to throw those in if they are not approved.

    The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS.

    • chime
    • ses
    • sso and sso-directory

    The following are approved services / programs and are not included in the JSON output file but should be.

    • appmesh (AWS App Mesh)
    • cassandra (Amazon Keyspaces (for Apache Cassandra)
    • chatbot (AWS Chatbot)
    • cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)
    • databrew - (AWS Glue DataBrew)
    • elasticloadbalancing - (Elastic Load Balancing)
    • groundstation - (AWS Ground Station)
    • kendra - (Amazon Kendra)
    • lakeformation - (AWS Glue)
    • license-manager - (AWS License Manager)
    • macie - (macie2 is included but not macie)
    • opsworks - (AWS OpsWorks Stacks)
    • resource-groups - (AWS Resource Groups)
    • sdb - (Amazon SimpleDB)
    • timestream - (Amazon Timestream)
    • trustedadvisor - (AWS Trusted Advisor)

    Let me know what you think about these.

    Thanks!

    qa 
    opened by jdyke 6
  • commenting out pandas writing to Excel

    commenting out pandas writing to Excel

    What does this PR do?

    essentially reverting https://github.com/salesforce/aws-allowlister/pull/37 to fix https://github.com/salesforce/aws-allowlister/issues/88

    What gif best describes this PR or how it makes you feel?

    panda

    Completion checklist

    cla:missing 
    opened by PatMyron 5
  • Add CLI option to force-include AWS services

    Add CLI option to force-include AWS services

    Just in case someone needs to include an AWS service but the tooling has not caught up.

    aws-allowlister generate --include serv1,serv2,serv3
    

    Maybe also an exclude option:

    aws-allowlister generate --exclude qldb
    

    @jdyke thoughts?

    enhancement discussion 
    opened by kmcquade 5
  • Add DOD CC SRG Support; Fix FedRAMP High bug

    Add DOD CC SRG Support; Fix FedRAMP High bug

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • Update fedramp.py

    Update fedramp.py

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • --all option fails

    --all option fails

    For some reason, the --all option fails.

     $ aws-allowlister generate -a
                                                                                                                                                                             
    aws_allowlister.command.generate [INFO] Note: to silence these logs, supply the argument '--quiet'
    aws_allowlister.command.generate [INFO] Policies for standard(s): 
    Traceback (most recent call last):
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/bin/aws-allowlister", line 8, in <module>
        sys.exit(main())
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/bin/cli.py", line 21, in main
        aws_allowlister()
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 133, in generate
        results = generate_allowlist_scp(standards, include, exclude)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 151, in generate_allowlist_scp
        services = list(standard_results[0].intersection(*standard_results))
    IndexError: list index out of range
    

    I am about to fix this now. I will also expand the click unit tests so it covers all the options.

    bug 
    opened by kmcquade 4
  • Bump certifi from 2021.5.30 to 2022.12.7

    Bump certifi from 2021.5.30 to 2022.12.7

    Bumps certifi from 2021.5.30 to 2022.12.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • FedRAMP high services in 3PAO/JAB status are added to JSON policy

    FedRAMP high services in 3PAO/JAB status are added to JSON policy

    I used this tool to generate an SCP for FedRAMP High services restriction, and I noticed a few services that were added into the "NotAction" section in the resulting JSON that show a current status of "3PAO Assessment" or "JAB Review" on the AWS Services in Scope page for FedRAMP compliance. These should not have been added into the JSON, as they are not yet fully approved.

    In my case, as of the time of this issue creation, that included the following services:

    • application-autoscaling (JAB Review)
    • wafv2 (3PAO Assessment)

    Oddly, the Single Sign-On (sso) service which appears to be in JAB Review status did not get added to the resulting JSON.

    Steps to re-create: pip3 install aws-allowlister aws-allowlister generate --fedramp-high --quiet > fedramp-high.json

    Resulting JSON file zipped and attached.

    fedramp-high.json.zip

    opened by ndvrichaws 0
  • K-ISMS (Japan) support

    K-ISMS (Japan) support

    K-ISMS is not currently scraped or included. It uses a 2-column structure so it can't use the same standard_scraper, but should be pretty straightforward to adjust the approach from the other scrapers.

    enhancement help wanted 
    opened by kmcquade 0
Releases(0.2.14)
  • 0.2.14(Jul 14, 2022)

  • 0.2.13(Feb 15, 2022)

  • 0.2.12(Feb 2, 2022)

  • 0.2.11(Jan 27, 2022)

    Changes

    • Updates database @github-actions (#100)
    • commenting out pandas writing to Excel @PatMyron (#99)
    • Update README.md @jdyke (#98)
    • Add IRAP (Australia) support @HanselD (#96)
    • Add HITRUST CSF support @HanselD (#95)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.10(Sep 27, 2021)

    Changes

    • Migrate to Pipenv @kmcquade (#90)
    • Updating Resource Groups @ld-jmertz (#91)

    πŸš€ Features

    • Add JSON list outputs @jmhale (#92)

    πŸ› Bug Fixes

    • Fixes #88 - AWS Compliance scraping failures @kmcquade (#93)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.9(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    πŸš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.8(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    πŸš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.7(Apr 21, 2021)

  • 0.2.6(Apr 20, 2021)

  • 0.2.5(Mar 24, 2021)

  • 0.2.4(Mar 23, 2021)

    Changes

    • Changes to makefile to update with latest compliance data; added example AWS Commercial-only SCP @kmcquade (#66)

    πŸš€ Features

    • Adds --excluded-table flag to output a markdown formatted table of excluded services @kmcquade (#69)
    • Service Links are in Markdown table output @kmcquade (#68)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.1(Mar 11, 2021)

  • 0.2.0(Feb 24, 2021)

    πŸš€ Features

    • Adds Markdown table output support; bump to version 0.2.0 @kmcquade (#62)
    • Add DOD CC SRG Support; Fix FedRAMP High bug @AMHesch (#58)

    πŸ› Bug Fixes

    • ssmmessages and ec2messages are compliant when SSM is compliant (fixes #48) @kmcquade (#50)

    πŸ“ Documentation

    • Update README with support statuses @kmcquade (#53)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.3(Feb 4, 2021)

  • 0.1.2(Jan 27, 2021)

  • 0.1.1(Jan 27, 2021)

    Changes

    • SCP Generation script pushes examples into the 'latest' folder so we can view the diff between versions @kmcquade (#38)
    • Database update utility script generates excel spreadsheet, not just CSV @kmcquade (#37)

    πŸš€ Features

    • overview addition @jdyke (#41)

    πŸ› Bug Fixes

    • Update README.md @jdyke (#40)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.0(Jan 25, 2021)

  • 0.0.4(Jan 25, 2021)

    Changes

    • GitHub action that runs aws-allowlister periodically and updates repository with the newest SCP JSONs. Fixes #12 - @kmcquade (#33)

    πŸ› Bug Fixes

    • Fixes --all argument @kmcquade (#32)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.3(Jan 24, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)
    • SOC quality checks @kmcquade (#28)

    πŸš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.2(Jan 23, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)

    πŸš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
Owner
Salesforce
A variety of vendor agnostic projects which power Salesforce
Salesforce
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

Adrian Hornsby 30 Nov 8, 2022
A collection of scripts to steal BTC from Lightning Network enabled custodial services. Only for educational purpose! Share your findings only when design flaws are fixed.

Lightning Network Fee Siphoning Attack LN-fee-siphoning is a collection of scripts to subtract BTC from Lightning Network enabled custodial services b

Reckless_Satoshi 14 Oct 15, 2022
A collection of scripts to steal BTC from Lightning Network enabled custodial services. Only for educational purpose! Share your findings only when design flaws are fixed.

Lightning Network Fee Siphoning Attack LN-fee-siphoning is a collection of scripts to subtract BTC from Lightning Network enabled custodial services b

Reckless_Satoshi 14 Oct 15, 2022
Telegram bot that search for the classrooms status of the chosen day and then return all the free classrooms using your preferred time slot

Aule Libere Polimi Since the PoliMi site no longer allows people to search for free classrooms this bot was necessary! It simply search for the classr

Daniele Ferrazzo 16 Nov 9, 2022
Davide Gallitelli 3 Dec 21, 2021
A GUI Application that creates a Spotify Playlist from any year in the past, by just entering your preferred date

A GUI Application that creates a Spotify Playlist from any year in the past, by just entering your preferred date

David .K. Danso 1 Jan 17, 2022
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Policy and data administration, distribution, and real-time updates on top of Open Policy Agent

⚑ OPAL ⚑ Open Policy Administration Layer OPAL is an administration layer for Open Policy Agent (OPA), detecting changes to both policy and policy dat

null 8 Dec 7, 2022
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.

Photo by Denny MΓΌller on Unsplash AWS Automated Inventory ( aws-auto-inventory ) Automates creation of detailed inventories from AWS resources. Table

AWS Samples 123 Dec 26, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation

βœ… Access Analyzer - Batch Policy Validator This script will analyze using AWS Access Analyzer - Policy Validation all your account customer managed IA

Victor GRENU 41 Dec 12, 2022
Zalo AI challenge 2021 5K-Compliance

Zalo AI challenge 2021 5K-Compliance Prepare data: Dα»― liệu của ban tα»• chα»©c cung

Nguyα»…n nhαΊ­t hoΓ ng 32 Nov 21, 2022
Python3 program to control Elgato Ring Light on your local network without Elgato's Control Center software

Elgato Light Controller I'm really happy with my Elgato Key Light from an illumination perspective. However, their control software has been glitchy f

Jeff Tarr 14 Nov 16, 2022
Lambda-function - Python codes that allow notification of changes made to some services using the AWS Lambda Function

AWS Lambda Function This repository contains python codes that allow notificatio

Elif ApaydΔ±n 3 Feb 11, 2022
A solution designed to extract, transform and load Chicago crime data from an RDS instance to other services in AWS.

This project is intended to implement a solution designed to extract, transform and load Chicago crime data from an RDS instance to other services in AWS.

Yesaswi Avula 1 Feb 4, 2022
Script for polybar to display and control media(not only Spotify) using DBus.

polybar-now-playing Script for polybar to display and control media(not only Spotify) using DBus Python script to display and control current playing

Dope Wizard 48 Dec 31, 2022
A simple tool that allows you to change your default AWS CLI profile.

Select AWS Profile Select AWS Profile (slapr) is a simple tool that lets you select which AWS Profile you want to use and sets it as the default AWS p

Antoni Yanev 2 Nov 9, 2022