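def generate_allowlist_service_prefixes(standards: list, include: list = None, exclude: list = None):
    """Generate the sorted list of IAM service prefixes allowed by a set of compliance standards.

    A service prefix is allowed only when it is compliant with *every* standard in
    ``standards`` (set intersection), plus anything force-included via ``include``,
    minus anything listed in ``exclude``. Exclusion is applied last, so an entry that
    is both force-included and excluded ends up excluded.

    Args:
        standards: Compliance standard names passed to
            ``ComplianceData.get_compliant_services``. Must be non-empty.
        include: Service prefixes to add regardless of compliance data. These
            bypass the compliance check entirely and are added verbatim.
        exclude: Service prefixes to drop from the result. Each dropped prefix is
            logged at INFO level.

    Returns:
        A sorted, de-duplicated list of service prefixes.

    Raises:
        ValueError: if ``standards`` is empty (an intersection over zero standards
            has no meaning; previously this surfaced as an IndexError).
    """
    if not standards:
        raise ValueError("at least one compliance standard is required")

    # NOTE(review): the session returned by connect_db() is never explicitly
    # closed here — confirm connect_db's lifecycle expectations.
    db_session = connect_db()
    compliance_data = ComplianceData()

    # One set of compliant prefixes per standard.
    per_standard = [
        set(
            compliance_data.get_compliant_services(
                db_session=db_session, compliance_standard=standard
            )
        )
        for standard in standards
    ]
    # A prefix must be compliant with all requested standards. With a single
    # standard this is just a copy of that standard's set.
    services = set.intersection(*per_standard)

    # Force-included prefixes are merged as a set so an include that is already
    # compliant does not appear twice in the output.
    if include:
        services.update(include)

    excluded = set(exclude) if exclude else set()
    allowed_services = []
    for service in sorted(services):
        # Exclusion wins over both compliance data and force-include.
        if service in excluded:
            logger.info(f"{service} has been excluded from the policy")
            continue
        allowed_services.append(service)
    return allowed_services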
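def generate_allowlist_scp(standards: list, include: list = None, exclude: list = None):
    """Generate an allowlist Service Control Policy for a set of compliance standards.

    The allowed service prefixes are computed exactly as in
    ``generate_allowlist_service_prefixes`` (intersection over ``standards``,
    plus ``include``, minus ``exclude``); this function only wraps them in an
    SCP document. The policy is a single ``Deny`` statement with ``NotAction``,
    i.e. every action that is *not* ``<prefix>:*`` for an allowed prefix is
    denied on every resource.

    Args:
        standards: Compliance standard names; must be non-empty.
        include: Service prefixes to allow regardless of compliance data.
        exclude: Service prefixes to deny even if compliant.

    Returns:
        The policy document as a dict (``Version`` and a single ``Statement`` object).
    """
    allowed_prefixes = generate_allowlist_service_prefixes(
        standards=standards, include=include, exclude=exclude
    )
    # Each allowed prefix becomes a wildcard over all of that service's actions.
    allowed_actions = [f"{service}:*" for service in allowed_prefixes]

    # NOTE(review): if allowed_actions is empty the statement denies everything;
    # whether the policy API accepts an empty NotAction array is not established
    # here — confirm before relying on that fail-closed behaviour.
    policy = {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowList",
            "Effect": "Deny",
            "Resource": "*",
            "NotAction": allowed_actions,
        },
    }
    return policy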
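def test_get_compliant_services(self):
    """The SOC compliance data must contain every prefix in the baseline below.

    Only presence is asserted: a prefix that is dropped from the data fails the
    test, but additional prefixes in ``results`` are not flagged.
    """
    compliance_data = ComplianceData()
    db_session = connect_db()
    standard = "SOC"
    results = compliance_data.get_compliant_services(
        db_session=db_session, compliance_standard=standard
    )
    expected_results = [
        "account", "acm", "amplify", "amplifybackend", "apigateway",
        "application-autoscaling", "appstream", "appsync", "athena",
        "autoscaling", "autoscaling-plans", "aws-portal", "backup", "batch",
        "chime", "clouddirectory", "cloudformation", "cloudfront", "cloudhsm",
        "cloudtrail", "cloudwatch", "codebuild", "codecommit", "codedeploy",
        "codepipeline", "cognito-identity", "cognito-idp", "cognito-sync",
        "comprehend", "comprehendmedical", "config", "connect", "dataexchange",
        "datasync", "directconnect", "dms", "ds", "dynamodb", "ebs", "ec2",
        "ecr", "ecs", "eks", "elasticache", "elasticbeanstalk",
        "elasticfilesystem", "elasticloadbalancing", "elasticmapreduce", "es",
        "events", "execute-api", "firehose", "fms", "forecast", "freertos",
        "fsx", "glacier", "globalaccelerator", "glue", "greengrass",
        "guardduty", "health", "iam", "importexport", "inspector", "iot",
        "iot-device-tester", "iotdeviceadvisor", "iotevents", "iotwireless",
        "kinesis", "kinesisanalytics", "kinesisvideo", "kms", "lakeformation",
        "lambda", "lex", "license-manager", "logs", "macie", "macie2",
        "mediaconnect", "mediaconvert", "medialive", "mobiletargeting", "mq",
        "neptune-db", "opsworks", "opsworks-cm", "organizations", "outposts",
        "personalize", "polly", "qldb", "quicksight", "rds", "rds-data",
        "rds-db", "redshift", "rekognition", "resource-groups", "robomaker",
        "route53", "route53domains", "s3", "sagemaker", "sdb",
        "secretsmanager", "securityhub", "serverlessrepo", "servicecatalog",
        "ses", "shield", "sms", "sms-voice", "snowball", "sns", "sqs", "ssm",
        "states", "storagegateway", "sts", "support", "swf", "textract",
        "transcribe", "transfer", "translate", "waf", "waf-regional", "wafv2",
        "workdocs", "worklink", "workmail", "workspaces", "xray",
    ]
    # assertIn names the missing prefix on failure, unlike assertTrue(x in y);
    # subTest keeps checking so one run reports every missing prefix.
    for expected_result in expected_results:
        with self.subTest(prefix=expected_result):
            self.assertIn(expected_result, results)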
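import unittest

from aws_allowlister.database.compliance_data import ComplianceData
from aws_allowlister.database.database import connect_db

# NOTE(review): the database session is opened at import time; consider moving
# this into setUpClass so importing the module has no side effects.
compliance_data = ComplianceData()
db_session = connect_db()


class IsoQATestCase(unittest.TestCase):
    """Regression checks on the ISO compliance data (``gh_09``)."""

    def test_gh_09_ISO_compliant_services(self):
        """ISO results must include these prefixes and must not include ``msk``.

        The MSK service is expected under its IAM prefix ``kafka``; a bare
        ``msk`` entry would not match any IAM action and must not appear.
        """
        results = compliance_data.get_compliant_services(
            db_session=db_session, compliance_standard="ISO"
        )
        expected_results = ["mobiletargeting", "macie", "kafka"]
        # assertIn/assertNotIn report the offending prefix directly, so the
        # debugging prints are no longer needed.
        for expected_result in expected_results:
            with self.subTest(prefix=expected_result):
                self.assertIn(expected_result, results)
        self.assertNotIn("msk", results)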