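def generate_allowlist_service_prefixes(standards: list,
                                        include: list = None,
                                        exclude: list = None):
    """Generate the sorted list of service prefixes allowed by the policy.

    A service prefix (e.g. ``s3``) is allowed only if it is compliant with
    *every* standard in ``standards`` -- the per-standard results from the
    compliance database are intersected, never unioned.

    Args:
        standards: Compliance standard names passed to
            ``ComplianceData.get_compliant_services``. Must be non-empty.
        include: Service prefixes to force into the result regardless of
            their compliance status. Every entry widens the allowlist beyond
            what the compliance data supports, so keep it short and justified.
        exclude: Service prefixes to drop from the result. Exclusion wins
            over ``include``, so a deliberate block cannot be undone by the
            force-include list.

    Returns:
        Sorted, de-duplicated list of allowed service prefixes.

    Raises:
        ValueError: if ``standards`` is empty (the original code failed with
            a bare ``IndexError`` here; an empty allowlist must never be
            produced silently from a caller bug).
    """
    if not standards:
        raise ValueError("at least one compliance standard is required")

    db_session = connect_db()
    compliance_data = ComplianceData()

    # One set of compliant prefixes per requested standard.
    per_standard = [
        set(compliance_data.get_compliant_services(
            db_session=db_session, compliance_standard=standard))
        for standard in standards
    ]
    # A service must be compliant with every standard to be allowed.
    services = set.intersection(*per_standard)

    # Force-included services bypass the compliance check entirely. Using a
    # set here also prevents duplicate prefixes when an include overlaps the
    # compliant set.
    if include:
        services.update(include)

    # A set makes the exclusion lookup O(1) and tolerates duplicate entries.
    excluded = set(exclude or ())

    allowed_services = []
    for service in sorted(services):
        if service in excluded:
            logger.info(f"{service} has been excluded from the policy")
            continue
        allowed_services.append(service)
    return allowed_services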
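def build_database(download: bool):
    """Rebuild the compliance database from the AWS compliance web pages.

    The previous database file is discarded and a fresh one is populated by
    scraping the AWS "services in scope" pages. With ``download=True`` the
    pages are fetched from aws.amazon.com and saved under the ``data`` folder
    first; otherwise the previously saved HTML copies are parsed. Either way,
    every allowlist generated later is only as trustworthy as the scraped
    page content, so review (or pin in version control) the saved HTML before
    building policies from it.

    Args:
        download: fetch fresh copies of the AWS pages before scraping.

    Raises:
        OSError: if the old database file exists but cannot be removed.
    """
    # Start from scratch: drop the old file if present. Trying the removal
    # directly avoids the exists()/remove() race while still surfacing a real
    # permission error.
    try:
        os.remove(DATABASE_PATH)
    except FileNotFoundError:
        pass
    db_session = connect_db()

    # Seed every service prefix (ex: s3) and service name (Simple Storage
    # Service) with blank compliance values; the scrapers below fill them in.
    # NOTE(review): if a scraper raises, the half-built file stays on disk.
    # The seeded blanks presumably read as "not compliant", so the resulting
    # allowlist would be narrower rather than wider -- confirm against
    # get_compliant_services before relying on that.
    create_empty_compliance_database(db_session)

    html_docs_folder = os.path.join(os.path.dirname(__file__), os.path.pardir,
                                    "data")

    # Each scraper understands one page layout:
    #   - services-in-scope holds the standard tables; FedRAMP has a few extra
    #     columns and DoD CC SRG needs its own parsing, but both live on the
    #     same page, so that file is processed three times.
    #   - iso-certified and hipaa-eligible-services-reference use their own
    #     formats.
    # Order is preserved from the original sequential calls.
    scrape_jobs = [
        (scrape_standard_table,
         "https://aws.amazon.com/compliance/services-in-scope/",
         "services-in-scope.html"),
        (scrape_iso_table,
         "https://aws.amazon.com/compliance/iso-certified/",
         "iso-certified.html"),
        (scrape_hipaa_table,
         "https://aws.amazon.com/compliance/hipaa-eligible-services-reference/",
         "hipaa-eligible-services-reference.html"),
        (scrape_fedramp_table,
         "https://aws.amazon.com/compliance/services-in-scope/",
         "services-in-scope.html"),
        (scrape_dodccsrg_table,
         "https://aws.amazon.com/compliance/services-in-scope/",
         "services-in-scope.html"),
    ]
    for scraper, link, file_name in scrape_jobs:
        scraper(db_session=db_session,
                link=link,
                destination_folder=html_docs_folder,
                file_name=file_name,
                download=download)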
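def generate_allowlist_scp(standards, include=None, exclude=None):
    """Build an allowlist Service Control Policy (SCP) from compliance data.

    The SCP uses the Deny + NotAction pattern: every action on every resource
    is denied except ``<service>:*`` for the services that are compliant with
    *all* of ``standards``. A service AWS adds later is therefore denied until
    it appears in the compliance data (fail closed).

    Args:
        standards: Compliance standard names passed to
            ``ComplianceData.get_compliant_services``. Must be non-empty.
        include: Service prefixes to allow regardless of compliance status.
            Each entry punches a hole in the compliance guarantee, so keep
            the list short and justified.
        exclude: Service prefixes to deny even if compliant. Exclusion wins
            over ``include``.

    Returns:
        The policy document as a dict with a single ``Deny``/``NotAction``
        statement. NOTE(review): nothing here validates the document against
        the SCP size limit or checks that ``NotAction`` is non-empty --
        confirm before attaching the result to an organization.

    Raises:
        ValueError: if ``standards`` is empty (the original code failed with
            a bare ``IndexError`` here).
    """
    if not standards:
        raise ValueError("at least one compliance standard is required")

    db_session = connect_db()
    compliance_data = ComplianceData()

    # One set of compliant prefixes per requested standard.
    per_standard = [
        set(compliance_data.get_compliant_services(
            db_session=db_session, compliance_standard=standard))
        for standard in standards
    ]
    # A service must be compliant with every standard to be allowed.
    services = set.intersection(*per_standard)

    # Force-included services bypass the compliance check entirely. A set
    # also prevents duplicate NotAction entries when an include overlaps the
    # compliant set.
    if include:
        services.update(include)

    # A set makes the exclusion lookup O(1) and tolerates duplicate entries.
    excluded = set(exclude or ())

    allowed_services = []
    for service in sorted(services):
        if service in excluded:
            logger.info(f"{service} has been excluded from the policy")
            continue
        # Allow every action of the service; finer-grained allowlisting is
        # out of scope for this policy.
        allowed_services.append(f"{service}:*")

    policy = {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowList",
            "Effect": "Deny",
            "Resource": "*",
            "NotAction": allowed_services
        },
    }
    return policy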
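 def test_get_compliant_services(self):
     """Spot-check the SOC results against a snapshot of known prefixes.

     This is a subset check: every prefix in ``expected_results`` must be
     present, but services newly added to SOC scope do not break the test.
     A service silently dropping out of scope (or a scraper regression that
     empties the table) does.
     """
     compliance_data = ComplianceData()
     db_session = connect_db()
     standard = "SOC"
     results = compliance_data.get_compliant_services(
         db_session=db_session, compliance_standard=standard)
     # Snapshot of prefixes that were SOC-compliant when this test was
     # written; refresh it deliberately when the AWS page changes.
     expected_results = [
         "account", "acm", "amplify", "amplifybackend", "apigateway",
         "application-autoscaling", "appstream", "appsync", "athena",
         "autoscaling", "autoscaling-plans", "aws-portal", "backup",
         "batch", "chime", "clouddirectory", "cloudformation", "cloudfront",
         "cloudhsm", "cloudtrail", "cloudwatch", "codebuild", "codecommit",
         "codedeploy", "codepipeline", "cognito-identity", "cognito-idp",
         "cognito-sync", "comprehend", "comprehendmedical", "config",
         "connect", "dataexchange", "datasync", "directconnect", "dms",
         "ds", "dynamodb", "ebs", "ec2", "ecr", "ecs", "eks", "elasticache",
         "elasticbeanstalk", "elasticfilesystem", "elasticloadbalancing",
         "elasticmapreduce", "es", "events", "execute-api", "firehose",
         "fms", "forecast", "freertos", "fsx", "glacier",
         "globalaccelerator", "glue", "greengrass", "guardduty", "health",
         "iam", "importexport", "inspector", "iot", "iot-device-tester",
         "iotdeviceadvisor", "iotevents", "iotwireless", "kinesis",
         "kinesisanalytics", "kinesisvideo", "kms", "lakeformation",
         "lambda", "lex", "license-manager", "logs", "macie", "macie2",
         "mediaconnect", "mediaconvert", "medialive", "mobiletargeting",
         "mq", "neptune-db", "opsworks", "opsworks-cm", "organizations",
         "outposts", "personalize", "polly", "qldb", "quicksight", "rds",
         "rds-data", "rds-db", "redshift", "rekognition", "resource-groups",
         "robomaker", "route53", "route53domains", "s3", "sagemaker", "sdb",
         "secretsmanager", "securityhub", "serverlessrepo",
         "servicecatalog", "ses", "shield", "sms", "sms-voice", "snowball",
         "sns", "sqs", "ssm", "states", "storagegateway", "sts", "support",
         "swf", "textract", "transcribe", "transfer", "translate", "waf",
         "waf-regional", "wafv2", "workdocs", "worklink", "workmail",
         "workspaces", "xray"
     ]
     # assertIn names the missing prefix on failure; the previous
     # assertTrue(x in results) only reported "False is not true".
     for expected_result in expected_results:
         self.assertIn(expected_result, results)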
import unittest
from aws_allowlister.database.compliance_data import ComplianceData
from aws_allowlister.database.database import connect_db

# Module-level fixtures shared by the tests below: the database connection is
# opened once, at import time, rather than per test.
compliance_data = ComplianceData()
db_session = connect_db()


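class IsoQATestCase(unittest.TestCase):
    """Regression tests for the ISO compliance data (presumably GH issue 9)."""

    def test_gh_09_ISO_compliant_services(self):
        """ISO results contain the expected prefixes and not the ``msk`` alias.

        The ISO scrape must report Amazon MSK under the ``kafka`` prefix and
        never under ``msk``; ``mobiletargeting`` and ``macie`` are checked
        alongside it. NOTE(review): the kafka/msk distinction looks like the
        IAM-prefix vs. product-name mix-up from the referenced issue -- confirm
        against the issue before changing these expectations.
        """
        results = compliance_data.get_compliant_services(
            db_session=db_session, compliance_standard="ISO")
        expected_results = ["mobiletargeting", "macie", "kafka"]
        # assertIn/assertNotIn name the offending prefix on failure; the
        # debug prints that used to accompany assertTrue are no longer needed.
        for expected_result in expected_results:
            self.assertIn(expected_result, results)

        self.assertNotIn("msk", results)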