aws-allowlister
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Overview
AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.
However, before aws-allowlister
, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister
, the approach for creating an AllowList was:
- Create a spreadsheet
๐ based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names" - Create an AllowList.json by hand, based on that spreadsheet
- Roll it out to Dev/Stage/Production
- Whoever manages that spreadsheet now magically owns the AllowList policy due to
โจ tribal knowledgeโจ and any updates occur by pinging this person over Slack.
aws-allowlister
takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:
aws-allowlister generate --pci
The policies generated by aws-allowlister
are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation.
Support statuses
aws-allowlister
currently supports:
Compliance Framework | Support Status |
---|---|
PCI |
|
SOC 1, 2, and 3 |
|
ISO/IEC |
|
HIPAA BAA |
|
FedRAMP Moderate |
|
FedRAMP High |
|
DOD CC SRG (USA |
|
HITRUST |
|
IRAP (Australia |
|
C5 (Germany |
|
K-ISMS (Japan |
|
ENS High (Spain |
|
Forcibly include/exclude services
In addition to creating compliance-focused SCPs, aws-allowlister
supports the ability to include or exclude services (IAM permissions) of your choice using the --include
or --exclude
flags. For more details related to policy customization, view the Arguments section.
Installation
- Python Pip:
pip3 install aws-allowlister
- Homebrew:
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
Usage
- Generate an AllowList Policy using this command:
aws-allowlister generate
By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.
The resulting policy will look like this:
Example AllowList Policy
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"NotAction": [
"account:*",
"acm:*",
"amplify:*",
"amplifybackend:*",
"apigateway:*",
"application-autoscaling:*",
"appstream:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"aws-portal:*",
"backup:*",
"batch:*",
"clouddirectory:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*",
"cognito-identity:*",
"cognito-idp:*",
"comprehend:*",
"comprehendmedical:*",
"config:*",
"connect:*",
"dataexchange:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ebs:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"execute-api:*",
"firehose:*",
"fms:*",
"forecast:*",
"freertos:*",
"fsx:*",
"glacier:*",
"globalaccelerator:*",
"glue:*",
"greengrass:*",
"guardduty:*",
"health:*",
"iam:*",
"inspector:*",
"iot:*",
"iot-device-tester:*",
"iotdeviceadvisor:*",
"iotevents:*",
"iotwireless:*",
"kafka:*",
"kinesis:*",
"kinesisanalytics:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lex:*",
"logs:*",
"macie2:*",
"mediaconnect:*",
"mediaconvert:*",
"medialive:*",
"mq:*",
"neptune-db:*",
"opsworks-cm:*",
"organizations:*",
"outposts:*",
"personalize:*",
"polly:*",
"qldb:*",
"quicksight:*",
"rds:*",
"rds-data:*",
"rds-db:*",
"redshift:*",
"rekognition:*",
"robomaker:*",
"route53:*",
"route53domains:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"securityhub:*",
"serverlessrepo:*",
"servicecatalog:*",
"shield:*",
"sms:*",
"sms-voice:*",
"snowball:*",
"sns:*",
"sqs:*",
"ssm:*",
"sso:*",
"sso-directory:*",
"states:*",
"storagegateway:*",
"sts:*",
"support:*",
"swf:*",
"textract:*",
"transcribe:*",
"transfer:*",
"translate:*",
"waf:*",
"waf-regional:*",
"wafv2:*",
"workdocs:*",
"worklink:*",
"workspaces:*",
"xray:*"
],
"Resource": "*"
}
}
- You can also specify the
--table
option to output the results in a Markdown Table format, as shown below:
aws-allowlister generate --pci --table
The results will look like this:
Example AllowList Policy
| Service Prefix | Service Name |
|-------------------------|-------------------------------------------------|
| account | AWS Accounts |
| acm | AWS Certificate Manager |
| amplify | AWS Amplify |
| amplifybackend | AWS Amplify Admin |
| apigateway | Manage Amazon API Gateway |
| application-autoscaling | Application Auto Scaling |
| appmesh | AWS App Mesh |
| appstream | Amazon AppStream 2.0 |
| appsync | AWS AppSync |
| athena | Amazon Athena |
| autoscaling | Amazon EC2 Auto Scaling |
| autoscaling-plans | AWS Auto Scaling |
| aws-portal | AWS Billing |
| backup | AWS Backup |
| batch | AWS Batch |
| cassandra | AWS Managed Apache Cassandra Service |
| chatbot | AWS Chatbot |
| clouddirectory | Amazon Cloud Directory |
| cloudformation | AWS CloudFormation |
| cloudfront | Amazon CloudFront |
| cloudhsm | AWS CloudHSM |
| cloudtrail | AWS CloudTrail |
| cloudwatch | Amazon CloudWatch |
| codebuild | AWS CodeBuild |
| codecommit | AWS CodeCommit |
| codedeploy | AWS CodeDeploy |
| codepipeline | AWS CodePipeline |
| cognito-identity | Amazon Cognito Identity |
| cognito-idp | Amazon Cognito User Pools |
| cognito-sync | Amazon Cognito Sync |
| comprehend | Amazon Comprehend |
| comprehendmedical | Comprehend Medical |
| config | AWS Config |
| connect | Amazon Connect |
| databrew | AWS Glue DataBrew |
| dataexchange | AWS Data Exchange |
| datasync | DataSync |
| directconnect | AWS Direct Connect |
| dms | AWS Database Migration Service |
| ds | AWS Directory Service |
| dynamodb | Amazon DynamoDB |
| ebs | Amazon Elastic Block Store |
| ec2 | Amazon EC2 |
| ec2messages | Amazon Message Delivery Service |
| ecr | Amazon Elastic Container Registry |
| ecs | Amazon Elastic Container Service |
| eks | Amazon Elastic Container Service for Kubernetes |
| elasticache | Amazon ElastiCache |
| elasticbeanstalk | AWS Elastic Beanstalk |
| elasticfilesystem | Amazon Elastic File System |
| elasticloadbalancing | Elastic Load Balancing V2 |
| elasticmapreduce | Amazon Elastic MapReduce |
| es | Amazon Elasticsearch Service |
| events | Amazon EventBridge |
| execute-api | Amazon API Gateway |
| firehose | Amazon Kinesis Firehose |
| fms | AWS Firewall Manager |
| forecast | Amazon Forecast |
| freertos | Amazon FreeRTOS |
| fsx | Amazon FSx |
| glacier | Amazon Glacier |
| globalaccelerator | AWS Global Accelerator |
| glue | AWS Glue |
| greengrass | AWS IoT Greengrass |
| groundstation | AWS Ground Station |
| guardduty | Amazon GuardDuty |
| health | AWS Health APIs and Notifications |
| iam | Identity And Access Management |
| importexport | AWS Import Export Disk Service |
| inspector | Amazon Inspector |
| iot | AWS IoT |
| iot-device-tester | AWS IoT Device Tester |
| iotdeviceadvisor | AWS IoT Core Device Advisor |
| iotevents | AWS IoT Events |
| iotwireless | AWS IoT Core for LoRaWAN |
| kendra | Amazon Kendra |
| kinesis | Amazon Kinesis |
| kinesisanalytics | Amazon Kinesis Analytics V2 |
| kinesisvideo | Amazon Kinesis Video Streams |
| kms | AWS Key Management Service |
| lakeformation | AWS Lake Formation |
| lambda | AWS Lambda |
| lex | Amazon Lex |
| license-manager | AWS License Manager |
| logs | Amazon CloudWatch Logs |
| macie | Amazon Macie Classic |
| macie2 | Amazon Macie |
| mediaconnect | AWS Elemental MediaConnect |
| mediaconvert | AWS Elemental MediaConvert |
| medialive | AWS Elemental MediaLive |
| mobiletargeting | Amazon Pinpoint |
| mq | Amazon MQ |
| neptune-db | Amazon Neptune |
| opsworks | AWS OpsWorks |
| opsworks-cm | AWS OpsWorks Configuration Management |
| organizations | AWS Organizations |
| outposts | AWS Outposts |
| personalize | Amazon Personalize |
| polly | Amazon Polly |
| qldb | Amazon QLDB |
| quicksight | Amazon QuickSight |
| rds | Amazon RDS |
| rds-data | Amazon RDS Data API |
| rds-db | Amazon RDS IAM Authentication |
| redshift | Amazon Redshift |
| rekognition | Amazon Rekognition |
| resource-groups | AWS Resource Groups |
| robomaker | AWS RoboMaker |
| route53 | Amazon Route 53 |
| route53domains | Amazon Route53 Domains |
| s3 | Amazon S3 |
| sagemaker | Amazon SageMaker |
| sdb | Amazon SimpleDB |
| secretsmanager | AWS Secrets Manager |
| securityhub | AWS Security Hub |
| serverlessrepo | AWS Serverless Application Repository |
| servicecatalog | AWS Service Catalog |
| servicediscovery | AWS Cloud Map |
| shield | AWS Shield |
| sms | AWS Server Migration Service |
| sms-voice | Amazon Pinpoint SMS and Voice Service |
| snowball | AWS Snowball |
| sns | Amazon SNS |
| sqs | Amazon SQS |
| ssm | AWS Systems Manager |
| ssmmessages | Amazon Session Manager Message Gateway Service |
| states | AWS Step Functions |
| storagegateway | Amazon Storage Gateway |
| sts | AWS Security Token Service |
| support | AWS Support |
| swf | Amazon Simple Workflow Service |
| textract | Amazon Textract |
| timestream | AWS Timestream |
| transcribe | Amazon Transcribe |
| transfer | AWS Transfer for SFTP |
| translate | Amazon Translate |
| trustedadvisor | AWS Trusted Advisor |
| waf | AWS WAF |
| waf-regional | AWS WAF Regional |
| wafv2 | AWS WAF V2 |
| workdocs | Amazon WorkDocs |
| worklink | Amazon WorkLink |
| workspaces | Amazon WorkSpaces |
| xray | AWS X-Ray |
Arguments
aws-allowlister
supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.
Usage: aws-allowlister generate [OPTIONS]
Options:
-a, --all SOC, PCI, ISO, HIPAA, FedRAMP_High, and
FedRAMP_Moderate.
-s, --soc Include SOC-compliant services
-p, --pci Include PCI-compliant services
-h, --hipaa Include HIPAA-compliant services
-i, --iso Include ISO-compliant services
-fh, --fedramp-high Include FedRAMP High
-fm, --fedramp-moderate Include FedRAMP Moderate
-d2e, --dodccsrg-il2-ew Include DoD CC SRG IL2 (East/West)
-d2g, --dodccsrg-il2-gc Include DoD CC SRG IL2 (GovCloud)
-d4g, --dodccsrg-il4-gc Include DoD CC SRG IL4 (GovCloud)
-d5g, --dodccsrg-il5-gc Include DoD CC SRG IL5 (GovCloud)
--include TEXT Include specific AWS IAM services, specified in a
comma separated string.
--exclude TEXT Exclude specific AWS IAM services, specified in a
comma separated string.
-q, --quiet
--help Show this message and exit.
- For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
- You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
- Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet
Contributing
Setup
- Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
- Build the package
# To build only
make build
# To build and install
make install
# To run tests
make test
# To clean local dev environment
make clean
Authors and Contributors
- Kinnaird McQuade (@kmcquade3), Salesforce - Author
- Jason Dyke (@jasonadyke), ScaleSec - Contributor
๐จ
Disclaimer
๐จ
The policies generated by aws-allowlister
do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.