Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

aws-allowlister

Continuous Integration Tests

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed at the AWS Account level - so local administrators (not even the account's root user) can perform prohibited actions in a child account.

However, before aws-allowlister, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before aws-allowlister, the approach for creating an AllowList was:

  1. Create a spreadsheet ๐Ÿ™„ based on the AWS Services in Scope documentation, which have inconsistent naming and do not list the "IAM names"
  2. Create an AllowList.json by hand, based on that spreadsheet
  3. Roll it out to Dev/Stage/Production
  4. Whoever manages that spreadsheet now magically owns the AllowList policy due to โœจ tribal knowledge โœจ and any updates occur by pinging this person over Slack.

aws-allowlister takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

aws-allowlister generate --pci

The policies generated by aws-allowlister are based off of official AWS documentation and are automatically kept up to date when new services achieve compliance or accreditation.

Support statuses

aws-allowlister currently supports:

Compliance Framework Support Status
PCI โœ…
SOC 1, 2, and 3 โœ…
ISO/IEC โœ…
HIPAA BAA โœ…
FedRAMP Moderate โœ…
FedRAMP High โœ…
DOD CC SRG (USA ๐Ÿ‡บ๐Ÿ‡ธ ) โœ…
HITRUST โฑ Coming soon
IRAP (Australia ๐Ÿ‡ฆ๐Ÿ‡บ ) โฑ Coming soon
C5 (Germany ๐Ÿ‡ฉ๐Ÿ‡ช ) โฑ Coming soon
K-ISMS (Japan ๐Ÿ‡ฏ๐Ÿ‡ต ) โฑ Coming soon
ENS High (Spain ๐Ÿ‡ช๐Ÿ‡ธ ) โฑ Coming soon

Forcibly include/exclude services

In addition to creating compliance-focused SCPs, aws-allowlister supports the ability to include or exclude services (IAM permissions) of your choice using the --include or --exclude flags. For more details related to policy customization, view the Arguments section.

Installation

  • Python Pip:
pip3 install aws-allowlister
  • Homebrew:
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister

Usage

  • Generate an AllowList Policy using this command:
aws-allowlister generate

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

Example AllowList Policy
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}
  • You can also specify the --table option to output the results in a Markdown Table format, as shown below:
aws-allowlister generate --pci --table

The results will look like this:

Example AllowList Policy
| Service Prefix          | Service Name                                    |
|-------------------------|-------------------------------------------------|
| account                 | AWS Accounts                                    |
| acm                     | AWS Certificate Manager                         |
| amplify                 | AWS Amplify                                     |
| amplifybackend          | AWS Amplify Admin                               |
| apigateway              | Manage Amazon API Gateway                       |
| application-autoscaling | Application Auto Scaling                        |
| appmesh                 | AWS App Mesh                                    |
| appstream               | Amazon AppStream 2.0                            |
| appsync                 | AWS AppSync                                     |
| athena                  | Amazon Athena                                   |
| autoscaling             | Amazon EC2 Auto Scaling                         |
| autoscaling-plans       | AWS Auto Scaling                                |
| aws-portal              | AWS Billing                                     |
| backup                  | AWS Backup                                      |
| batch                   | AWS Batch                                       |
| cassandra               | AWS Managed Apache Cassandra Service            |
| chatbot                 | AWS Chatbot                                     |
| clouddirectory          | Amazon Cloud Directory                          |
| cloudformation          | AWS CloudFormation                              |
| cloudfront              | Amazon CloudFront                               |
| cloudhsm                | AWS CloudHSM                                    |
| cloudtrail              | AWS CloudTrail                                  |
| cloudwatch              | Amazon CloudWatch                               |
| codebuild               | AWS CodeBuild                                   |
| codecommit              | AWS CodeCommit                                  |
| codedeploy              | AWS CodeDeploy                                  |
| codepipeline            | AWS CodePipeline                                |
| cognito-identity        | Amazon Cognito Identity                         |
| cognito-idp             | Amazon Cognito User Pools                       |
| cognito-sync            | Amazon Cognito Sync                             |
| comprehend              | Amazon Comprehend                               |
| comprehendmedical       | Comprehend Medical                              |
| config                  | AWS Config                                      |
| connect                 | Amazon Connect                                  |
| databrew                | AWS Glue DataBrew                               |
| dataexchange            | AWS Data Exchange                               |
| datasync                | DataSync                                        |
| directconnect           | AWS Direct Connect                              |
| dms                     | AWS Database Migration Service                  |
| ds                      | AWS Directory Service                           |
| dynamodb                | Amazon DynamoDB                                 |
| ebs                     | Amazon Elastic Block Store                      |
| ec2                     | Amazon EC2                                      |
| ec2messages             | Amazon Message Delivery Service                 |
| ecr                     | Amazon Elastic Container Registry               |
| ecs                     | Amazon Elastic Container Service                |
| eks                     | Amazon Elastic Container Service for Kubernetes |
| elasticache             | Amazon ElastiCache                              |
| elasticbeanstalk        | AWS Elastic Beanstalk                           |
| elasticfilesystem       | Amazon Elastic File System                      |
| elasticloadbalancing    | Elastic Load Balancing V2                       |
| elasticmapreduce        | Amazon Elastic MapReduce                        |
| es                      | Amazon Elasticsearch Service                    |
| events                  | Amazon EventBridge                              |
| execute-api             | Amazon API Gateway                              |
| firehose                | Amazon Kinesis Firehose                         |
| fms                     | AWS Firewall Manager                            |
| forecast                | Amazon Forecast                                 |
| freertos                | Amazon FreeRTOS                                 |
| fsx                     | Amazon FSx                                      |
| glacier                 | Amazon Glacier                                  |
| globalaccelerator       | AWS Global Accelerator                          |
| glue                    | AWS Glue                                        |
| greengrass              | AWS IoT Greengrass                              |
| groundstation           | AWS Ground Station                              |
| guardduty               | Amazon GuardDuty                                |
| health                  | AWS Health APIs and Notifications               |
| iam                     | Identity And Access Management                  |
| importexport            | AWS Import Export Disk Service                  |
| inspector               | Amazon Inspector                                |
| iot                     | AWS IoT                                         |
| iot-device-tester       | AWS IoT Device Tester                           |
| iotdeviceadvisor        | AWS IoT Core Device Advisor                     |
| iotevents               | AWS IoT Events                                  |
| iotwireless             | AWS IoT Core for LoRaWAN                        |
| kendra                  | Amazon Kendra                                   |
| kinesis                 | Amazon Kinesis                                  |
| kinesisanalytics        | Amazon Kinesis Analytics V2                     |
| kinesisvideo            | Amazon Kinesis Video Streams                    |
| kms                     | AWS Key Management Service                      |
| lakeformation           | AWS Lake Formation                              |
| lambda                  | AWS Lambda                                      |
| lex                     | Amazon Lex                                      |
| license-manager         | AWS License Manager                             |
| logs                    | Amazon CloudWatch Logs                          |
| macie                   | Amazon Macie Classic                            |
| macie2                  | Amazon Macie                                    |
| mediaconnect            | AWS Elemental MediaConnect                      |
| mediaconvert            | AWS Elemental MediaConvert                      |
| medialive               | AWS Elemental MediaLive                         |
| mobiletargeting         | Amazon Pinpoint                                 |
| mq                      | Amazon MQ                                       |
| neptune-db              | Amazon Neptune                                  |
| opsworks                | AWS OpsWorks                                    |
| opsworks-cm             | AWS OpsWorks Configuration Management           |
| organizations           | AWS Organizations                               |
| outposts                | AWS Outposts                                    |
| personalize             | Amazon Personalize                              |
| polly                   | Amazon Polly                                    |
| qldb                    | Amazon QLDB                                     |
| quicksight              | Amazon QuickSight                               |
| rds                     | Amazon RDS                                      |
| rds-data                | Amazon RDS Data API                             |
| rds-db                  | Amazon RDS IAM Authentication                   |
| redshift                | Amazon Redshift                                 |
| rekognition             | Amazon Rekognition                              |
| resource-groups         | AWS Resource Groups                             |
| robomaker               | AWS RoboMaker                                   |
| route53                 | Amazon Route 53                                 |
| route53domains          | Amazon Route53 Domains                          |
| s3                      | Amazon S3                                       |
| sagemaker               | Amazon SageMaker                                |
| sdb                     | Amazon SimpleDB                                 |
| secretsmanager          | AWS Secrets Manager                             |
| securityhub             | AWS Security Hub                                |
| serverlessrepo          | AWS Serverless Application Repository           |
| servicecatalog          | AWS Service Catalog                             |
| servicediscovery        | AWS Cloud Map                                   |
| shield                  | AWS Shield                                      |
| sms                     | AWS Server Migration Service                    |
| sms-voice               | Amazon Pinpoint SMS and Voice Service           |
| snowball                | AWS Snowball                                    |
| sns                     | Amazon SNS                                      |
| sqs                     | Amazon SQS                                      |
| ssm                     | AWS Systems Manager                             |
| ssmmessages             | Amazon Session Manager Message Gateway Service  |
| states                  | AWS Step Functions                              |
| storagegateway          | Amazon Storage Gateway                          |
| sts                     | AWS Security Token Service                      |
| support                 | AWS Support                                     |
| swf                     | Amazon Simple Workflow Service                  |
| textract                | Amazon Textract                                 |
| timestream              | AWS Timestream                                  |
| transcribe              | Amazon Transcribe                               |
| transfer                | AWS Transfer for SFTP                           |
| translate               | Amazon Translate                                |
| trustedadvisor          | AWS Trusted Advisor                             |
| waf                     | AWS WAF                                         |
| waf-regional            | AWS WAF Regional                                |
| wafv2                   | AWS WAF V2                                      |
| workdocs                | Amazon WorkDocs                                 |
| worklink                | Amazon WorkLink                                 |
| workspaces              | Amazon WorkSpaces                               |
| xray                    | AWS X-Ray                                       |

Arguments

aws-allowlister supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

Usage: aws-allowlister generate [OPTIONS]

Options:
  -a, --all                SOC, PCI, ISO, HIPAA, FedRAMP_High, and
                           FedRAMP_Moderate.

  -s, --soc                Include SOC-compliant services
  -p, --pci                Include PCI-compliant services
  -h, --hipaa              Include HIPAA-compliant services
  -i, --iso                Include ISO-compliant services
  -fh, --fedramp-high      Include FedRAMP High
  -fm, --fedramp-moderate  Include FedRAMP Moderate
  -d2e, --dodccsrg-il2-ew  Include DoD CC SRG IL2 (East/West)
  -d2g, --dodccsrg-il2-gc  Include DoD CC SRG IL2 (GovCloud)
  -d4g, --dodccsrg-il4-gc  Include DoD CC SRG IL4 (GovCloud)
  -d5g, --dodccsrg-il5-gc  Include DoD CC SRG IL5 (GovCloud)
  --include TEXT           Include specific AWS IAM services, specified in a
                           comma separated string.

  --exclude TEXT           Exclude specific AWS IAM services, specified in a
                           comma separated string.

  -q, --quiet
  --help                   Show this message and exit.
  • For example, to generate a PCI only Service Control Policy and save it to JSON:
aws-allowlister generate --pci --quiet > pci.json
  • You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:
aws-allowlister generate -sphi --quiet
  • Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:
aws-allowlister generate -sip --quiet

Contributing

Setup

  • Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
  • Build the package
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

Authors and Contributors

๐Ÿšจ Disclaimer ๐Ÿšจ

The policies generated by aws-allowlister do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.

Comments
  • Go/Terraform Integration

    Go/Terraform Integration

    @kmcquade thanks for making this tool! I have a use case where Id like to run this through terraform, which currently I basically execute the pull into json and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that its a completely different implementation strategy, feel free to close if you don't find interest in it!

    enhancement 
    opened by danquack 9
  • ssmmessages and ec2messages not included - seeking input on status with different frameworks

    ssmmessages and ec2messages not included - seeking input on status with different frameworks

    I'd like some feedback from others, please. See the diffchecker between All Services vs. aws-allowlister generate: https://www.diffchecker.com/nXTPUgkL

    Notice that ssmmessages and ec2messages is not in the policy. This could cause issues for those who rely on SSM heavily.

    Relevant links: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html

    If so, we need to specify those services in the overrides file. https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml

    discussion 
    opened by kmcquade 9
  • Gif time

    Gif time

    What does this PR do?

    Closes #36

    Adds an example gif to the readme.

    What gif best describes this PR or how it makes you feel?

    gif

    Completion checklist

    enhancement cla:signed 
    opened by jdyke 7
  • added acm-pca under Certificate Manager

    added acm-pca under Certificate Manager

    What does this PR do?

    Adds acm-pca under the umbrella of acm. Our AWS TAM confirmed that it is covered as part of ACM for compliance purposes.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by pkaeding 6
  • Add schedule to update database

    Add schedule to update database

    What does this PR do?

    Updates the database every morning. Closes #72

    What gif best describes this PR or how it makes you feel?

    updates

    Completion checklist

    cla:signed 
    opened by danquack 6
  • PCI Allowlist findings

    PCI Allowlist findings

    I did some QA against the PCI policy generated via aws-allowlister generate --pci and have recorded my thoughts below. I'll still need to test these to verify if A) they're required for the service to function properly (if its related to a different approved service) and B) how much wiggle room there is to throw those in if they are not approved.

    The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS.

    • chime
    • ses
    • sso and sso-directory

    The following are approved services / programs and are not included in the JSON output file but should be.

    • appmesh (AWS App Mesh)
    • cassandra (Amazon Keyspaces (for Apache Cassandra)
    • chatbot (AWS Chatbot)
    • cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)
    • databrew - (AWS Glue DataBrew)
    • elasticloadbalancing - (Elastic Load Balancing)
    • groundstation - (AWS Ground Station)
    • kendra - (Amazon Kendra)
    • lakeformation - (AWS Glue)
    • license-manager - (AWS License Manager)
    • macie - (macie2 is included but not macie)
    • opsworks - (AWS OpsWorks Stacks)
    • resource-groups - (AWS Resource Groups)
    • sdb - (Amazon SimpleDB)
    • timestream - (Amazon Timestream)
    • trustedadvisor - (AWS Trusted Advisor)

    Let me know what you think about these.

    Thanks!

    qa 
    opened by jdyke 6
  • commenting out pandas writing to Excel

    commenting out pandas writing to Excel

    What does this PR do?

    essentially reverting https://github.com/salesforce/aws-allowlister/pull/37 to fix https://github.com/salesforce/aws-allowlister/issues/88

    What gif best describes this PR or how it makes you feel?

    panda

    Completion checklist

    cla:missing 
    opened by PatMyron 5
  • Add CLI option to force-include AWS services

    Add CLI option to force-include AWS services

    Just in case someone needs to include an AWS service but the tooling has not caught up.

    aws-allowlister generate --include serv1,serv2,serv3
    

    Maybe also an exclude option:

    aws-allowlister generate --exclude qldb
    

    @jdyke thoughts?

    enhancement discussion 
    opened by kmcquade 5
  • Add DOD CC SRG Support; Fix FedRAMP High bug

    Add DOD CC SRG Support; Fix FedRAMP High bug

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • Update fedramp.py

    Update fedramp.py

    FedRAMP High (GovCloud) was pulling from FedRAMP Moderate (cell[1]) column instead of FedRAMP High (cell[2]).

    What does this PR do?

    FedRAMP High scraper was pulling from the wrong column and was listing FedRAMP Moderate services.

    What gif best describes this PR or how it makes you feel?

    Completion checklist

    cla:signed 
    opened by AMHesch 4
  • --all option fails

    --all option fails

    For some reason, the --all option fails.

     $ aws-allowlister generate -a
                                                                                                                                                                             
    aws_allowlister.command.generate [INFO] Note: to silence these logs, supply the argument '--quiet'
    aws_allowlister.command.generate [INFO] Policies for standard(s): 
    Traceback (most recent call last):
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/bin/aws-allowlister", line 8, in <module>
        sys.exit(main())
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/bin/cli.py", line 21, in main
        aws_allowlister()
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 133, in generate
        results = generate_allowlist_scp(standards, include, exclude)
      File "/Users/kmcquade/Code/github.com/salesforce/aws-allowlister/venv/lib/python3.9/site-packages/aws_allowlister/command/generate.py", line 151, in generate_allowlist_scp
        services = list(standard_results[0].intersection(*standard_results))
    IndexError: list index out of range
    

    I am about to fix this now. I will also expand the click unit tests so it covers all the options.

    bug 
    opened by kmcquade 4
  • Bump certifi from 2021.5.30 to 2022.12.7

    Bump certifi from 2021.5.30 to 2022.12.7

    Bumps certifi from 2021.5.30 to 2022.12.7.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • FedRAMP high services in 3PAO/JAB status are added to JSON policy

    FedRAMP high services in 3PAO/JAB status are added to JSON policy

    I used this tool to generate an SCP for FedRAMP High services restriction, and I noticed a few services that were added into the "NotAction" section in the resulting JSON that show a current status of "3PAO Assessment" or "JAB Review" on the AWS Services in Scope page for FedRAMP compliance. These should not have been added into the JSON, as they are not yet fully approved.

    In my case, as of the time of this issue creation, that included the following services:

    • application-autoscaling (JAB Review)
    • wafv2 (3PAO Assessment)

    Oddly, the Single Sign-On (sso) service which appears to be in JAB Review status did not get added to the resulting JSON.

    Steps to re-create: pip3 install aws-allowlister aws-allowlister generate --fedramp-high --quiet > fedramp-high.json

    Resulting JSON file zipped and attached.

    fedramp-high.json.zip

    opened by ndvrichaws 0
  • K-ISMS (Japan) support

    K-ISMS (Japan) support

    K-ISMS is not currently scraped or included. It uses a 2-column structure so it can't use the same standard_scraper, but should be pretty straightforward to adjust the approach from the other scrapers.

    enhancement help wanted 
    opened by kmcquade 0
Releases(0.2.14)
  • 0.2.14(Jul 14, 2022)

  • 0.2.13(Feb 15, 2022)

  • 0.2.12(Feb 2, 2022)

  • 0.2.11(Jan 27, 2022)

    Changes

    • Updates database @github-actions (#100)
    • commenting out pandas writing to Excel @PatMyron (#99)
    • Update README.md @jdyke (#98)
    • Add IRAP (Australia) support @HanselD (#96)
    • Add HITRUST CSF support @HanselD (#95)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.10(Sep 27, 2021)

    Changes

    • Migrate to Pipenv @kmcquade (#90)
    • Updating Resource Groups @ld-jmertz (#91)

    ๐Ÿš€ Features

    • Add JSON list outputs @jmhale (#92)

    ๐Ÿ› Bug Fixes

    • Fixes #88 - AWS Compliance scraping failures @kmcquade (#93)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.9(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    ๐Ÿš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.8(Jun 8, 2021)

    Changes

    • Updates database @github-actions (#85)
    • Updates database @github-actions (#84)
    • Updates database @github-actions (#83)
    • Updates database @github-actions (#82)
    • Updates database @github-actions (#78)
    • Updates database @github-actions (#76)

    Automation

    • Add schedule to update database @danquack (#75)
    • enhanced github action @jdyke (#80)

    ๐Ÿš€ Features

    • migrate to config + loop, add DOD requirements @danquack (#77)
    • added acm-pca under Certificate Manager @pkaeding (#81)
    • Adds --include-file and --exclude-file arguments as an alternative to supplying the arguments inline @kmcquade (#87)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.7(Apr 21, 2021)

  • 0.2.6(Apr 20, 2021)

  • 0.2.5(Mar 24, 2021)

  • 0.2.4(Mar 23, 2021)

    Changes

    • Changes to makefile to update with latest compliance data; added example AWS Commercial-only SCP @kmcquade (#66)

    ๐Ÿš€ Features

    • Adds --excluded-table flag to output a markdown formatted table of excluded services @kmcquade (#69)
    • Service Links are in Markdown table output @kmcquade (#68)
    Source code(tar.gz)
    Source code(zip)
  • 0.2.1(Mar 11, 2021)

  • 0.2.0(Feb 24, 2021)

    ๐Ÿš€ Features

    • Adds Markdown table output support; bump to version 0.2.0 @kmcquade (#62)
    • Add DOD CC SRG Support; Fix FedRAMP High bug @AMHesch (#58)

    ๐Ÿ› Bug Fixes

    • ssmmessages and ec2messages are compliant when SSM is compliant (fixes #48) @kmcquade (#50)

    ๐Ÿ“ Documentation

    • Update README with support statuses @kmcquade (#53)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.3(Feb 4, 2021)

  • 0.1.2(Jan 27, 2021)

  • 0.1.1(Jan 27, 2021)

    Changes

    • SCP Generation script pushes examples into the 'latest' folder so we can view the diff between versions @kmcquade (#38)
    • Database update utility script generates excel spreadsheet, not just CSV @kmcquade (#37)

    ๐Ÿš€ Features

    • overview addition @jdyke (#41)

    ๐Ÿ› Bug Fixes

    • Update README.md @jdyke (#40)
    Source code(tar.gz)
    Source code(zip)
  • 0.1.0(Jan 25, 2021)

  • 0.0.4(Jan 25, 2021)

    Changes

    • GitHub action that runs aws-allowlister periodically and updates repository with the newest SCP JSONs. Fixes #12 - @kmcquade (#33)

    ๐Ÿ› Bug Fixes

    • Fixes --all argument @kmcquade (#32)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.3(Jan 24, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)
    • SOC quality checks @kmcquade (#28)

    ๐Ÿš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
  • 0.0.2(Jan 23, 2021)

    Changes

    • Lots of QA Fixes thanks to @jdyke (#26)
    • Update script now writes a new CSV file containing database contents so we can view it on GitHub @kmcquade (#24)
    • Added some maintainer friendly automation @kmcquade (#21)

    ๐Ÿš€ Features

    • Added FedRAMP @kmcquade (#27)
    • Adds ability to exclude and include AWS services via command line @kmcquade (#20)
    Source code(tar.gz)
    Source code(zip)
Owner
Salesforce
A variety of vendor agnostic projects which power Salesforce
Salesforce
Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... ๐Ÿ˜‡ .

Code X Botz 1.2k Jan 08, 2023
Advanced telegram link in a message attach bot

Attach-Bot-V2 An advanced telegram attach bot Made with Python3 (C) @FayasNoushad Copyright permission under MIT License License - https://github.com

Fayas Noushad 8 Oct 21, 2022
YouTube bot, this is just my introduction to api and requests, this isn't intended on being an actual view bot.

YouTube bot, this is just my introduction to api and requests, this isn't intended on being an actual view bot.

Aran 2 Jul 25, 2022
Code for "Multimodal Trajectory Prediction Conditioned on Lane-Graph Traversals," CoRL 2021.

Multimodal Trajectory Prediction Conditioned on Lane-Graph Traversals This repository contains code for "Multimodal trajectory prediction conditioned

Nachiket Deo 113 Dec 28, 2022
Discord bot that generates boba drinks. Submission for sunhacks 2021

boba-bot Team Poggies' submission for Sunhacks 2021. Find our project page on Devpost, and a video demonstration can be found on YouTube. Commands $he

Joshua Tenorio 3 Nov 02, 2022
BaiduPCS API & App ็™พๅบฆ็ฝ‘็›˜ๅฎขๆˆท็ซฏ

BaiduPCS-Py A BaiduPCS API and An App BaiduPCS-Py ๆ˜ฏ็™พๅบฆ็ฝ‘็›˜ pcs ็š„้žๅฎ˜ๆ–น api ๅ’Œไธ€ไธชๅ‘ฝไปค่กŒ่ฟ็”จ็จ‹ๅบใ€‚

Peter Ding 450 Jan 05, 2023
Display relevant information for the amazing Banano coin.

Display relevant information for the amazing Banano coin. It'll also show your current [email 

Ron Talman 4 Aug 14, 2022
Reddit cli to slack at work

Reddit CLI (v1.0) Introduction Why Reddit CLI? Coworker who sees me looking at something in a browser: "Glad you're not busy; I need you to do this, t

3 Jun 22, 2021
Raphtory-client - The python client for the Raphtory project

Raphtory Client This is the python client for the Raphtory project Install via p

Raphtory 5 Apr 28, 2022
discord voice bot to stream radio

Radio-Id Bot (Discord Voice Bot) Radio-id-bot (Radio Indonesia) is a simple Discord Music Bot built with discord.py to play a radio from some Indonesi

Adi Fahmi 20 Sep 20, 2022
Migration Manager (MM) is a very small utility that can list source servers in a target account and apply mass launch template modifications.

Migration Manager Migration Manager (MM) is a very small utility that can list source servers in a target account and apply mass launch template modif

Cody 2 Nov 04, 2021
Upload-Instagram - Auto Uploading Instagram Bot

###Instagram Uploading Bot### Download Python and Chrome browser pip install -r

byeonggeon sim 1 Feb 13, 2022
Basic query to access Traindex API

traindex-api-query Basic query to access Traindex API Please make sure to provide your Traindex API key to the line 8 in the script file. There are tw

Foretheta 1 Nov 11, 2021
Python: Asynchronous client for the Tailscale API

Python: Asynchronous client for the Tailscale API Asynchronous client for the Tailscale API. About This package allows you to control and monitor Tail

Franck Nijhof 9 Nov 22, 2022
Tinkoff social pulse api wrapper

Tinkoff social pulse api wrapper

Semenov Artur 9 Dec 20, 2022
A python oriented telegram with API of yobit.net

YoBit-BTC A python oriented telegram bot with API of https://yobit.net/ Developed By @riz4d What is Yobit? โžช YoBit is a cryptocurrency exchange that w

Muhammed Rizad 6 Apr 02, 2022
The implementation of Learning Instance and Task-Aware Dynamic Kernels for Few Shot Learning

INSTA: Learning Instance and Task-Aware Dynamic Kernels for Few Shot Learning This repository provides the implementation and demo of Learning Instanc

11 Jan 02, 2023
Growtopia server_data.php reader with bypass method, using discord bot

Server_data.php-reader Growtopia server_data.php reader with bypass method, using discord bot How to use 1 install python 2 change your bot token

7 Jul 16, 2022
Telegram bot to stream videos in telegram Voice Chat for both groups and channels

Telegram bot to stream videos in telegram Voice Chat for both groups and channels. Supports live steams, YouTube videos and telegram media. Supports scheduling streams, recording and many more.

Akki ThePro 2 Sep 11, 2022
ELiza music is a telegram music bot project, allow you to play music on voice chat group telegram.

โค๏ธ ๐—˜๐—น๐—ถ๐˜‡๐—ฎ ๐— ๐˜‚๐˜€๐—ถ๐—ฐ โค๏ธ Unmaintained. The new repo of @MrsElizaRobot is private. (It is no longer based on this source code. The completely rewrit

Team Eliza 2 Dec 08, 2022