{"id":13820817,"url":"https://github.com/aquia-inc/scpkit","last_synced_at":"2026-01-03T16:58:42.788Z","repository":{"id":156797116,"uuid":"449872493","full_name":"aquia-inc/scpkit","owner":"aquia-inc","description":"SCP management tool","archived":false,"fork":false,"pushed_at":"2023-10-23T19:16:28.000Z","size":141,"stargazers_count":131,"open_issues_count":1,"forks_count":9,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-25T13:56:25.901Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://pypi.org/project/scpkit/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquia-inc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-19T22:15:25.000Z","updated_at":"2025-02-25T15:18:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"6a67c973-8f39-482b-9622-ccc351d0e576","html_url":"https://github.com/aquia-inc/scpkit","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquia-inc%2Fscpkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquia-inc%2Fscpkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquia-inc%2Fscpkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquia-inc%2Fscpkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquia-inc","download_url":"https://codeload.github.com/aquia-inc/scpkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254512819,"owners_count":22083465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:01:09.597Z","updated_at":"2026-01-03T16:58:42.744Z","avatar_url":"https://github.com/aquia-inc.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# SCPkit\n[![GitHub Super-Linter](https://github.com/aquia-inc/scpkit/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/aquia-inc/scpkit/actions/workflows/linter.yaml)\n\n## Overview\n\nThis project provides a Python module to aid in Service Control Policy (SCP) management in AWS accounts.\n\nSCPs have a current limit of 5 total per entity, and a size limit on each of 5120 characters. This tool will merge selected SCPs into the fewest amount of policies, and optionally remove whitespace characters as they count toward the character limit.\n\n\n```mermaid\n  stateDiagram-v2\n      [SCPTool] --\u003e Validate\n      [SCPTool] --\u003e Merge\n      [SCPTool] --\u003e Visualize\n      Merge --\u003e Validate\n      Validate --\u003e [*]\n      Merge --\u003e [*]\n      Visualize --\u003e [*]\n```\n## Using SCPkit\nSCPkit can be installed from PyPI\n```\npip install scpkit\n```\n\n### Validating a directory of SCPs\nValidating a directory requires active AWS credentials through a profile or environment. SCPkit will recursively search the directory for json files and validate them with [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html)'s [ValidatePolicy API](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html).\n```\nscpkit validate --sourcefiles /path/to/scps --profile yourawsprofile --outdir /path/to/findings\n```\n\n### Merging a directory of SCPs\nMerging a directory of SCPs does not require active AWS credentials, but can optionally validate after merging.\n```\nscpkit merge --sourcefiles /path/to/scps --outdir /path/to/directory\n```\nOptional validation with output locally:\n```\nscpkit merge --sourcefiles /path/to/scps --outdir /path/to/directory --validate-after-merge --profile yourawsprofile\n```\n\n### Creating a visualization of an AWS Organization, OUs, Accounts, and SCPs\nCreating this visualization requires you be authenticated with either the Org management account, or a delegated administrator. See the [AWS Documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies_example_view_accts_orgs.html) page for more info on delegating Organizations.\n\nThis will output a graph pdf and graphviz data file in the specified directory (or local directory, if outdir is not specified.)\n\n```\nscpkit visualize --profile yourawsprofile --outdir ./org-graph\n```\nAccounts are presented as ellipses, organizational units are rectangles, and SCPs are trapezoids.\n\n![Visualization of an Organization](./visualize-org.png)\n\nThe full CLI is documented through docopt\n```\n\"\"\"SCPkit\nUsage:\n    main.py (validate | merge | visualize) [--sourcefiles sourcefiles] [--profile profile] [ --outdir outdir] [--validate-after-merge] [--readable] [--console]\n\nOptions:\n    -h --help                   Show this screen.\n    --version                   Show version.\n    --sourcefiles sourcefiles   Directory path to SCP files in json format or a single SCP file\n    --outdir outdir             Directory to write new SCP files [Default: ./]\n    --profile profile           AWS profile name\n    --validate-after-merge      Validate the policies after merging them\n    --readable                  Leave indentation and some whitespace to make the SCPs readable\n    --console                   Adds Log to console\n\"\"\"\n```\n\n## Local development\nFrom the root of the folder:\n```\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -r requirements.txt\npython -m scpkit.main validate --sourcefiles ./scps --profile yourawsprofile\n```\nInstall as a package\n```\npython3 -m venv .venv\nsource .venv/bin/activate\npip install -U git+https://github.com/aquia-inc/scpkit.git\n```\n\n## References\nThis project would not be possible without the contributions of the following:\n* https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/\n* https://github.com/ScaleSec/terraform_aws_scp\n* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html\n* https://asecure.cloud/l/scp/\n* https://github.com/aws-samples/service-control-policy-examples\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquia-inc%2Fscpkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquia-inc%2Fscpkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquia-inc%2Fscpkit/lists"}