Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/salesforce/aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
https://github.com/salesforce/aws-allowlister

aws cloud cloud-security compliance iam salesforce security

Last synced: about 2 months ago
JSON representation

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

Host: GitHub
URL: https://github.com/salesforce/aws-allowlister
Owner: salesforce
License: mit
Created: 2021-01-19T21:36:47.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2023-08-11T20:00:08.000Z (about 1 year ago)
Last Synced: 2024-07-05T16:40:54.572Z (2 months ago)
Topics: aws, cloud, cloud-security, compliance, iam, salesforce, security
Language: Python
Homepage:
Size: 6.63 MB
Stars: 219
Watchers: 11
Forks: 34
Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
- Security: SECURITY.md

Awesome Lists containing this project

awesome-cloud-security - AWS-AllowLister
awesome-cloud-security - aws-allowlister

README

# aws-allowlister

![Continuous Integration Tests](https://github.com/salesforce/aws-allowlister/workflows/continuous-integration/badge.svg)
[![Twitter](https://img.shields.io/twitter/url/https/twitter.com/kmcquade3.svg?style=social&label=Follow%20the%20author)](https://twitter.com/kmcquade3)
[![Downloads](https://pepy.tech/badge/aws-allowlister)](https://pepy.tech/project/aws-allowlister)

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

![](./examples/media/aws-allowlister.gif)

## Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed *at the AWS Account level* - so local administrators (not even the account's root user) can perform prohibited actions in a child account.

However, before `aws-allowlister`, it was very difficult and error-prone to create AWS AllowList SCPs - only giving accounts access to the compliant services that they need, and nothing else. Before `aws-allowlister`, the approach for creating an AllowList was:
1. Create a spreadsheet 🙄 based on the [AWS Services in Scope](https://aws.amazon.com/compliance/services-in-scope/) documentation, which have inconsistent naming and do not list the "IAM names"
2. Create an AllowList.json by hand, based on that spreadsheet
3. Roll it out to Dev/Stage/Production
4. Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨tribal knowledge✨ and any updates occur by pinging this person over Slack.

`aws-allowlister` takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

```bash
aws-allowlister generate --pci
```

The policies generated by `aws-allowlister` are based off of official AWS [documentation](https://aws.amazon.com/compliance/services-in-scope/) and are automatically kept up to date when new services achieve compliance or accreditation.

### Support statuses

`aws-allowlister` currently supports:

| Compliance Framework | Support Status |
|----------------------|----------------|
| PCI | ✅ |
| SOC 1, 2, and 3 | ✅ |
| ISO/IEC | ✅ |
| HIPAA BAA | ✅ |
| FedRAMP Moderate | ✅ |
| FedRAMP High | ✅ |
| DOD CC SRG (USA 🇺🇸) | ✅ |
| HITRUST | ✅ |
| IRAP (Australia 🇦🇺) | ✅ |
| C5 (Germany 🇩🇪) | ⏱ Coming soon |
| K-ISMS (Japan 🇯🇵) | ⏱ Coming soon |
| ENS High (Spain 🇪🇸) | ⏱ Coming soon |

### Forcibly include/exclude services

In addition to creating compliance-focused SCPs, `aws-allowlister` supports the ability to include or exclude services (IAM permissions) of your choice using the `--include` or `--exclude` flags. For more details related to policy customization, view the [Arguments](#arguments) section.

## Installation

* Python Pip:

```bash
pip3 install aws-allowlister
```

* Homebrew:

```bash
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
```

## Usage

* Generate an AllowList Policy using this command:

```bash
aws-allowlister generate
```

By default, it allows policies at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

Example AllowList Policy

```json
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"NotAction": [
"account:*",
"acm:*",
"amplify:*",
"amplifybackend:*",
"apigateway:*",
"application-autoscaling:*",
"appstream:*",
"appsync:*",
"athena:*",
"autoscaling:*",
"aws-portal:*",
"backup:*",
"batch:*",
"clouddirectory:*",
"cloudformation:*",
"cloudfront:*",
"cloudhsm:*",
"cloudtrail:*",
"cloudwatch:*",
"codebuild:*",
"codecommit:*",
"codedeploy:*",
"codepipeline:*",
"cognito-identity:*",
"cognito-idp:*",
"comprehend:*",
"comprehendmedical:*",
"config:*",
"connect:*",
"dataexchange:*",
"datasync:*",
"directconnect:*",
"dms:*",
"ds:*",
"dynamodb:*",
"ebs:*",
"ec2:*",
"ecr:*",
"ecs:*",
"eks:*",
"elasticache:*",
"elasticbeanstalk:*",
"elasticfilesystem:*",
"elasticmapreduce:*",
"es:*",
"events:*",
"execute-api:*",
"firehose:*",
"fms:*",
"forecast:*",
"freertos:*",
"fsx:*",
"glacier:*",
"globalaccelerator:*",
"glue:*",
"greengrass:*",
"guardduty:*",
"health:*",
"iam:*",
"inspector:*",
"iot:*",
"iot-device-tester:*",
"iotdeviceadvisor:*",
"iotevents:*",
"iotwireless:*",
"kafka:*",
"kinesis:*",
"kinesisanalytics:*",
"kinesisvideo:*",
"kms:*",
"lambda:*",
"lex:*",
"logs:*",
"macie2:*",
"mediaconnect:*",
"mediaconvert:*",
"medialive:*",
"mq:*",
"neptune-db:*",
"opsworks-cm:*",
"organizations:*",
"outposts:*",
"personalize:*",
"polly:*",
"qldb:*",
"quicksight:*",
"rds:*",
"rds-data:*",
"rds-db:*",
"redshift:*",
"rekognition:*",
"robomaker:*",
"route53:*",
"route53domains:*",
"s3:*",
"sagemaker:*",
"secretsmanager:*",
"securityhub:*",
"serverlessrepo:*",
"servicecatalog:*",
"shield:*",
"sms:*",
"sms-voice:*",
"snowball:*",
"sns:*",
"sqs:*",
"ssm:*",
"sso:*",
"sso-directory:*",
"states:*",
"storagegateway:*",
"sts:*",
"support:*",
"swf:*",
"textract:*",
"transcribe:*",
"transfer:*",
"translate:*",
"waf:*",
"waf-regional:*",
"wafv2:*",
"workdocs:*",
"worklink:*",
"workspaces:*",
"xray:*"
],
"Resource": "*"
}
}
```

### Markdown Table Output

* You can also specify the `--table` option to output the results in a Markdown Table format, as shown below:

```
aws-allowlister generate --pci --table
```

The results will look like this:

Example AllowList Policy

```
| Service Prefix | Service Name |
|-------------------------|-------------------------------------------------|
| account | AWS Accounts |
| acm | AWS Certificate Manager |
| amplify | AWS Amplify |
| amplifybackend | AWS Amplify Admin |
| apigateway | Manage Amazon API Gateway |
| application-autoscaling | Application Auto Scaling |
| appmesh | AWS App Mesh |
| appstream | Amazon AppStream 2.0 |
| appsync | AWS AppSync |
| athena | Amazon Athena |
| autoscaling | Amazon EC2 Auto Scaling |
| autoscaling-plans | AWS Auto Scaling |
| aws-portal | AWS Billing |
| backup | AWS Backup |
| batch | AWS Batch |
| cassandra | AWS Managed Apache Cassandra Service |
| chatbot | AWS Chatbot |
| clouddirectory | Amazon Cloud Directory |
| cloudformation | AWS CloudFormation |
| cloudfront | Amazon CloudFront |
| cloudhsm | AWS CloudHSM |
| cloudtrail | AWS CloudTrail |
| cloudwatch | Amazon CloudWatch |
| codebuild | AWS CodeBuild |
| codecommit | AWS CodeCommit |
| codedeploy | AWS CodeDeploy |
| codepipeline | AWS CodePipeline |
| cognito-identity | Amazon Cognito Identity |
| cognito-idp | Amazon Cognito User Pools |
| cognito-sync | Amazon Cognito Sync |
| comprehend | Amazon Comprehend |
| comprehendmedical | Comprehend Medical |
| config | AWS Config |
| connect | Amazon Connect |
| databrew | AWS Glue DataBrew |
| dataexchange | AWS Data Exchange |
| datasync | DataSync |
| directconnect | AWS Direct Connect |
| dms | AWS Database Migration Service |
| ds | AWS Directory Service |
| dynamodb | Amazon DynamoDB |
| ebs | Amazon Elastic Block Store |
| ec2 | Amazon EC2 |
| ec2messages | Amazon Message Delivery Service |
| ecr | Amazon Elastic Container Registry |
| ecs | Amazon Elastic Container Service |
| eks | Amazon Elastic Container Service for Kubernetes |
| elasticache | Amazon ElastiCache |
| elasticbeanstalk | AWS Elastic Beanstalk |
| elasticfilesystem | Amazon Elastic File System |
| elasticloadbalancing | Elastic Load Balancing V2 |
| elasticmapreduce | Amazon Elastic MapReduce |
| es | Amazon Elasticsearch Service |
| events | Amazon EventBridge |
| execute-api | Amazon API Gateway |
| firehose | Amazon Kinesis Firehose |
| fms | AWS Firewall Manager |
| forecast | Amazon Forecast |
| freertos | Amazon FreeRTOS |
| fsx | Amazon FSx |
| glacier | Amazon Glacier |
| globalaccelerator | AWS Global Accelerator |
| glue | AWS Glue |
| greengrass | AWS IoT Greengrass |
| groundstation | AWS Ground Station |
| guardduty | Amazon GuardDuty |
| health | AWS Health APIs and Notifications |
| iam | Identity And Access Management |
| importexport | AWS Import Export Disk Service |
| inspector | Amazon Inspector |
| iot | AWS IoT |
| iot-device-tester | AWS IoT Device Tester |
| iotdeviceadvisor | AWS IoT Core Device Advisor |
| iotevents | AWS IoT Events |
| iotwireless | AWS IoT Core for LoRaWAN |
| kendra | Amazon Kendra |
| kinesis | Amazon Kinesis |
| kinesisanalytics | Amazon Kinesis Analytics V2 |
| kinesisvideo | Amazon Kinesis Video Streams |
| kms | AWS Key Management Service |
| lakeformation | AWS Lake Formation |
| lambda | AWS Lambda |
| lex | Amazon Lex |
| license-manager | AWS License Manager |
| logs | Amazon CloudWatch Logs |
| macie | Amazon Macie Classic |
| macie2 | Amazon Macie |
| mediaconnect | AWS Elemental MediaConnect |
| mediaconvert | AWS Elemental MediaConvert |
| medialive | AWS Elemental MediaLive |
| mobiletargeting | Amazon Pinpoint |
| mq | Amazon MQ |
| neptune-db | Amazon Neptune |
| opsworks | AWS OpsWorks |
| opsworks-cm | AWS OpsWorks Configuration Management |
| organizations | AWS Organizations |
| outposts | AWS Outposts |
| personalize | Amazon Personalize |
| polly | Amazon Polly |
| qldb | Amazon QLDB |
| quicksight | Amazon QuickSight |
| rds | Amazon RDS |
| rds-data | Amazon RDS Data API |
| rds-db | Amazon RDS IAM Authentication |
| redshift | Amazon Redshift |
| rekognition | Amazon Rekognition |
| resource-groups | AWS Resource Groups |
| robomaker | AWS RoboMaker |
| route53 | Amazon Route 53 |
| route53domains | Amazon Route53 Domains |
| s3 | Amazon S3 |
| sagemaker | Amazon SageMaker |
| sdb | Amazon SimpleDB |
| secretsmanager | AWS Secrets Manager |
| securityhub | AWS Security Hub |
| serverlessrepo | AWS Serverless Application Repository |
| servicecatalog | AWS Service Catalog |
| servicediscovery | AWS Cloud Map |
| shield | AWS Shield |
| sms | AWS Server Migration Service |
| sms-voice | Amazon Pinpoint SMS and Voice Service |
| snowball | AWS Snowball |
| sns | Amazon SNS |
| sqs | Amazon SQS |
| ssm | AWS Systems Manager |
| ssmmessages | Amazon Session Manager Message Gateway Service |
| states | AWS Step Functions |
| storagegateway | Amazon Storage Gateway |
| sts | AWS Security Token Service |
| support | AWS Support |
| swf | Amazon Simple Workflow Service |
| textract | Amazon Textract |
| timestream | AWS Timestream |
| transcribe | Amazon Transcribe |
| transfer | AWS Transfer for SFTP |
| translate | Amazon Translate |
| trustedadvisor | AWS Trusted Advisor |
| waf | AWS WAF |
| waf-regional | AWS WAF Regional |
| wafv2 | AWS WAF V2 |
| workdocs | Amazon WorkDocs |
| worklink | Amazon WorkLink |
| workspaces | Amazon WorkSpaces |
| xray | AWS X-Ray |
```

### Markdown Table of Excluded Services

* Let's say you want to know which services are **excluded**, not just the ones that are **included**. In this case, you can specify the `--excluded-table` option to output the list of services that are not allowed.

```
aws-allowlister generate --pci --excluded-table
```

The results will look like this:

Example AllowList Policy

```
| Service Prefix | Service Name |
|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| a4b | [Alexa for Business](https://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html) |
| acm-pca | [AWS Certificate Manager Private Certificate Authority](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanagerprivatecertificateauthority.html) |
| activate | [AWS Activate](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsactivate.html) |
| airflow | [Amazon Managed Workflows for Apache Airflow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html) |
| app-integrations | [Amazon AppIntegrations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html) |
| appconfig | [AWS AppConfig](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html) |
| appflow | [Amazon AppFlow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html) |
| applicationinsights | [CloudWatch Application Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatchapplicationinsights.html) |
| appmesh | [AWS App Mesh](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html) |
| appmesh-preview | [AWS App Mesh Preview](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmeshpreview.html) |
| aps | [Amazon Managed Service for Prometheus](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html) |
| arsenal | [Application Discovery Arsenal](https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscoveryarsenal.html) |
| artifact | [AWS Artifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsartifact.html) |
| auditmanager | [AWS Audit Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html) |
| aws-marketplace | [AWS Private Marketplace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatemarketplace.html) |
| aws-marketplace-management | [AWS Marketplace Management Portal](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemanagementportal.html) |
| awsconnector | [AWS Connector Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectorservice.html) |
| braket | [Amazon Braket](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html) |
| budgets | [AWS Budget Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html) |
| cassandra | [AWS Managed Apache Cassandra Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedapachecassandraservice.html) |
| ce | [AWS Cost Explorer Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostexplorerservice.html) |
| chatbot | [AWS Chatbot](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html) |
| chime | [Amazon Chime](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html) |
| cloud9 | [AWS Cloud9](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html) |
| cloudsearch | [Amazon CloudSearch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html) |
| cloudshell | [AWS CloudShell](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudshell.html) |
| codeartifact | [AWS CodeArtifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html) |
| codeguru | [Amazon CodeGuru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguru.html) |
| codeguru-profiler | [Amazon CodeGuru Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html) |
| codeguru-reviewer | [Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html) |
| codestar | [AWS CodeStar](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html) |
| codestar-connections | [AWS CodeStar Connections](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html) |
| codestar-notifications | [AWS CodeStar Notifications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html) |
| compute-optimizer | [Compute Optimizer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_computeoptimizer.html) |
| cur | [AWS Cost and Usage Report](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html) |
| databrew | [AWS Glue DataBrew](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html) |
| datapipeline | [Data Pipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html) |
| dax | [Amazon DynamoDB Accelerator (DAX)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html) |
| dbqms | [Database Query Metadata Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_databasequerymetadataservice.html) |
| deepcomposer | [AWS DeepComposer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepcomposer.html) |
| deeplens | [AWS DeepLens](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeeplens.html) |
| deepracer | [AWS DeepRacer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepracer.html) |
| detective | [Amazon Detective](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html) |
| devicefarm | [AWS Device Farm](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html) |
| devops-guru | [Amazon DevOps Guru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html) |
| discovery | [Application Discovery](https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscovery.html) |
| dlm | [Amazon Data Lifecycle Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html) |
| ec2-instance-connect | [Amazon EC2 Instance Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html) |
| ecr-public | [Amazon Elastic Container Registry Public](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html) |
| elastic-inference | [Amazon Elastic Inference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticinference.html) |
| elastictranscoder | [Amazon Elastic Transcoder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html) |
| elemental-activations | [Elemental Activations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalactivations.html) |
| elemental-appliances-software | [AWS Elemental Appliances and Software](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalappliancesandsoftware.html) |
| elemental-support-cases | [Elemental Support Cases](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcases.html) |
| elemental-support-content | [Elemental Support Content](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcontent.html) |
| emr-containers | [Amazon EMR on EKS (EMR Containers)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html) |
| fis | [AWS Fault Injection Simulator](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html) |
| frauddetector | [Amazon Fraud Detector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html) |
| gamelift | [Amazon GameLift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html) |
| geo | [Amazon Location](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html) |
| grafana | [Amazon Managed Service for Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforgrafana.html) |
| groundstation | [AWS Ground Station](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html) |
| groundtruthlabeling | [Amazon GroundTruth Labeling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundtruthlabeling.html) |
| healthlake | [Amazon HealthLake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html) |
| honeycode | [Amazon Honeycode](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html) |
| identitystore | [AWS Identity Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html) |
| imagebuilder | [Amazon EC2 Image Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html) |
| iot1click | [AWS IoT 1-Click](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot1-click.html) |
| iotanalytics | [AWS IoT Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html) |
| iotfleethub | [Fleet Hub for AWS IoT Device Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_fleethubforawsiotdevicemanagement.html) |
| iotsitewise | [AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html) |
| iotthingsgraph | [AWS IoT Things Graph](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotthingsgraph.html) |
| iq | [AWS IQ](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiq.html) |
| iq-permission | [AWS IQ Permissions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiqpermissions.html) |
| ivs | [Amazon Interactive Video Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html) |
| kendra | [Amazon Kendra](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html) |
| launchwizard | [Launch Wizard](https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html) |
| lex | [Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html) |
| license-manager | [AWS License Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html) |
| lightsail | [Amazon Lightsail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html) |
| lookoutequipment | [Amazon Lookout for Equipment](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html) |
| lookoutmetrics | [Amazon Lookout for Metrics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html) |
| lookoutvision | [Amazon Lookout for Vision](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html) |
| machinelearning | [Amazon Machine Learning](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmachinelearning.html) |
| managedblockchain | [Amazon Managed Blockchain](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html) |
| marketplacecommerceanalytics | [AWS Marketplace Commerce Analytics Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecommerceanalyticsservice.html) |
| mechanicalturk | [Amazon Mechanical Turk](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmechanicalturk.html) |
| mediapackage | [AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html) |
| mediapackage-vod | [AWS Elemental MediaPackage VOD](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html) |
| mediastore | [AWS Elemental MediaStore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html) |
| mediatailor | [AWS Elemental MediaTailor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html) |
| mgh | [AWS Migration Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html) |
| mobileanalytics | [Amazon Mobile Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmobileanalytics.html) |
| mobilehub | [AWS Mobile Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmobilehub.html) |
| monitron | [Amazon Monitron](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmonitron.html) |
| network-firewall | [AWS Network Firewall](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html) |
| networkmanager | [Network Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html) |
| panorama | [AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html) |
| pi | [AWS Performance Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html) |
| pricing | [AWS Price List](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html) |
| profile | [Amazon Connect Customer Profiles](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html) |
| proton | [AWS Proton](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html) |
| purchase-orders | [AWS Purchase Orders Console](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspurchaseordersconsole.html) |
| ram | [AWS Resource Access Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html) |
| redshift-data | [Amazon Redshift Data API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html) |
| resource-explorer | [AWS Tag Editor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstageditor.html) |
| resource-groups | [AWS Resource Groups](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html) |
| s3-object-lambda | [Amazon S3 Object Lambda](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html) |
| s3-outposts | [Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html) |
| savingsplans | [AWS Savings Plans](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html) |
| schemas | [Amazon EventBridge Schemas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html) |
| sdb | [Amazon SimpleDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html) |
| servicediscovery | [AWS Cloud Map](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html) |
| servicequotas | [Service Quotas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html) |
| ses | [Amazon Simple Email Service v2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html) |
| signer | [AWS Signer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html) |
| sms-voice | [Amazon Pinpoint SMS and Voice Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html) |
| sso | [AWS SSO](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html) |
| sso-directory | [AWS SSO Directory](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html) |
| sumerian | [Amazon Sumerian](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsumerian.html) |
| synthetics | [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html) |
| tag | [Amazon Resource Group Tagging API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html) |
| timestream | [AWS Timestream](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html) |
| tiros | [AWS Tiros](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstiros.html) |
| trustedadvisor | [AWS Trusted Advisor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstrustedadvisor.html) |
| wam | [Amazon WorkSpaces Application Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesapplicationmanager.html) |
| wellarchitected | [AWS Well-Architected Tool](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html) |
| workmail | [Amazon WorkMail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html) |
| workmailmessageflow | [Amazon WorkMail Message Flow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmailmessageflow.html) |
```

### JSON Output

* You can also specify the `--json-list` option to output the results in JSON, as shown below:

```
aws-allowlister generate --pci --json-list
```

The results will look like this:

Example AllowList JSON list

```
{
"access-analyzer": {
"service_name": "IAM Access Analyzer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iamaccessanalyzer.html"
},
"account": {
"service_name": "AWS Accounts",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccounts.html"
},
"acm": {
"service_name": "AWS Certificate Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html"
},
"amplify": {
"service_name": "AWS Amplify",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html"
},
"amplifybackend": {
"service_name": "AWS Amplify Admin",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyadmin.html"
},
"apigateway": {
"service_name": "Manage Amazon API Gateway",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_manageamazonapigateway.html"
},
"application-autoscaling": {
"service_name": "Application Auto Scaling",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationautoscaling.html"
},
"appmesh": {
"service_name": "AWS App Mesh",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html"
},
"appstream": {
"service_name": "Amazon AppStream 2.0",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream2.0.html"
},
"appsync": {
"service_name": "AWS AppSync",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html"
},
"athena": {
"service_name": "Amazon Athena",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html"
},
"autoscaling": {
"service_name": "Amazon EC2 Auto Scaling",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html"
},
"autoscaling-plans": {
"service_name": "AWS Auto Scaling",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscaling.html"
},
"aws-portal": {
"service_name": "AWS Billing",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbilling.html"
},
"backup": {
"service_name": "AWS Backup",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html"
},
"backup-storage": {
"service_name": "AWS Backup storage",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupstorage.html"
},
"batch": {
"service_name": "AWS Batch",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html"
},
"cassandra": {
"service_name": "AWS Managed Apache Cassandra Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedapachecassandraservice.html"
},
"chatbot": {
"service_name": "AWS Chatbot",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html"
},
"clouddirectory": {
"service_name": "Amazon Cloud Directory",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonclouddirectory.html"
},
"cloudformation": {
"service_name": "AWS CloudFormation",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html"
},
"cloudfront": {
"service_name": "Amazon CloudFront",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html"
},
"cloudhsm": {
"service_name": "AWS CloudHSM",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudhsm.html"
},
"cloudtrail": {
"service_name": "AWS CloudTrail",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html"
},
"cloudwatch": {
"service_name": "Amazon CloudWatch",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html"
},
"codebuild": {
"service_name": "AWS CodeBuild",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html"
},
"codecommit": {
"service_name": "AWS CodeCommit",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html"
},
"codedeploy": {
"service_name": "AWS CodeDeploy",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html"
},
"codepipeline": {
"service_name": "AWS CodePipeline",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html"
},
"cognito-identity": {
"service_name": "Amazon Cognito Identity",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html"
},
"cognito-idp": {
"service_name": "Amazon Cognito User Pools",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html"
},
"cognito-sync": {
"service_name": "Amazon Cognito Sync",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitosync.html"
},
"comprehend": {
"service_name": "Amazon Comprehend",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehend.html"
},
"comprehendmedical": {
"service_name": "Comprehend Medical",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_comprehendmedical.html"
},
"config": {
"service_name": "AWS Config",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html"
},
"connect": {
"service_name": "Amazon Connect",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html"
},
"databrew": {
"service_name": "AWS Glue DataBrew",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html"
},
"dataexchange": {
"service_name": "AWS Data Exchange",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdataexchange.html"
},
"datasync": {
"service_name": "DataSync",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datasync.html"
},
"directconnect": {
"service_name": "AWS Direct Connect",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectconnect.html"
},
"dms": {
"service_name": "AWS Database Migration Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html"
},
"ds": {
"service_name": "AWS Directory Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html"
},
"dynamodb": {
"service_name": "Amazon DynamoDB",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html"
},
"ebs": {
"service_name": "Amazon Elastic Block Store",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html"
},
"ec2": {
"service_name": "Amazon EC2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
},
"ec2messages": {
"service_name": "Amazon Message Delivery Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagedeliveryservice.html"
},
"ecr": {
"service_name": "Amazon Elastic Container Registry",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html"
},
"ecs": {
"service_name": "Amazon Elastic Container Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html"
},
"eks": {
"service_name": "Amazon Elastic Kubernetes Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html"
},
"elasticache": {
"service_name": "Amazon ElastiCache",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html"
},
"elasticbeanstalk": {
"service_name": "AWS Elastic Beanstalk",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html"
},
"elasticfilesystem": {
"service_name": "Amazon Elastic File System",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html"
},
"elasticloadbalancing": {
"service_name": "Elastic Load Balancing V2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html"
},
"elasticmapreduce": {
"service_name": "Amazon Elastic MapReduce",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticmapreduce.html"
},
"es": {
"service_name": "Amazon Elasticsearch Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticsearchservice.html"
},
"events": {
"service_name": "Amazon EventBridge",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html"
},
"execute-api": {
"service_name": "Amazon API Gateway",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html"
},
"firehose": {
"service_name": "Amazon Kinesis Firehose",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html"
},
"fms": {
"service_name": "AWS Firewall Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html"
},
"forecast": {
"service_name": "Amazon Forecast",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonforecast.html"
},
"freertos": {
"service_name": "Amazon FreeRTOS",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfreertos.html"
},
"fsx": {
"service_name": "Amazon FSx",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html"
},
"glacier": {
"service_name": "Amazon Glacier",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglacier.html"
},
"globalaccelerator": {
"service_name": "AWS Global Accelerator",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglobalaccelerator.html"
},
"glue": {
"service_name": "AWS Glue",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html"
},
"greengrass": {
"service_name": "AWS IoT Greengrass V2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrassv2.html"
},
"groundstation": {
"service_name": "AWS Ground Station",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html"
},
"guardduty": {
"service_name": "Amazon GuardDuty",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html"
},
"health": {
"service_name": "AWS Health APIs and Notifications",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthapisandnotifications.html"
},
"iam": {
"service_name": "Identity And Access Management",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html"
},
"importexport": {
"service_name": "AWS Import Export Disk Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsimportexportdiskservice.html"
},
"inspector": {
"service_name": "Amazon Inspector",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html"
},
"iot": {
"service_name": "AWS IoT",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html"
},
"iot-device-tester": {
"service_name": "AWS IoT Device Tester",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotdevicetester.html"
},
"iotdeviceadvisor": {
"service_name": "AWS IoT Core Device Advisor",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html"
},
"iotevents": {
"service_name": "AWS IoT Events",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html"
},
"iotwireless": {
"service_name": "AWS IoT Core for LoRaWAN",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoreforlorawan.html"
},
"kafka": {
"service_name": "Amazon Managed Streaming for Kafka",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforkafka.html"
},
"kendra": {
"service_name": "Amazon Kendra",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html"
},
"kinesis": {
"service_name": "Amazon Kinesis",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html"
},
"kinesisanalytics": {
"service_name": "Amazon Kinesis Analytics V2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html"
},
"kinesisvideo": {
"service_name": "Amazon Kinesis Video Streams",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideostreams.html"
},
"kms": {
"service_name": "AWS Key Management Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html"
},
"lakeformation": {
"service_name": "AWS Lake Formation",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html"
},
"lambda": {
"service_name": "AWS Lambda",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html"
},
"lex": {
"service_name": "Amazon Lex V2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html"
},
"license-manager": {
"service_name": "AWS License Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html"
},
"logs": {
"service_name": "Amazon CloudWatch Logs",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html"
},
"macie": {
"service_name": "Amazon Macie Classic",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacieclassic.html"
},
"macie2": {
"service_name": "Amazon Macie",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html"
},
"mediaconnect": {
"service_name": "AWS Elemental MediaConnect",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconnect.html"
},
"mediaconvert": {
"service_name": "AWS Elemental MediaConvert",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconvert.html"
},
"medialive": {
"service_name": "AWS Elemental MediaLive",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmedialive.html"
},
"mobiletargeting": {
"service_name": "Amazon Pinpoint",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html"
},
"mq": {
"service_name": "Amazon MQ",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html"
},
"neptune-db": {
"service_name": "Amazon Neptune",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html"
},
"opsworks": {
"service_name": "AWS OpsWorks",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworks.html"
},
"opsworks-cm": {
"service_name": "AWS OpsWorks Configuration Management",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworksconfigurationmanagement.html"
},
"organizations": {
"service_name": "AWS Organizations",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html"
},
"outposts": {
"service_name": "AWS Outposts",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoutposts.html"
},
"personalize": {
"service_name": "Amazon Personalize",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html"
},
"polly": {
"service_name": "Amazon Polly",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html"
},
"qldb": {
"service_name": "Amazon QLDB",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html"
},
"quicksight": {
"service_name": "Amazon QuickSight",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html"
},
"rds": {
"service_name": "Amazon RDS",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html"
},
"rds-data": {
"service_name": "Amazon RDS Data API",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsdataapi.html"
},
"rds-db": {
"service_name": "Amazon RDS IAM Authentication",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsiamauthentication.html"
},
"redshift": {
"service_name": "Amazon Redshift",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html"
},
"rekognition": {
"service_name": "Amazon Rekognition",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html"
},
"resource-groups": {
"service_name": "AWS Resource Groups",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html"
},
"robomaker": {
"service_name": "AWS RoboMaker",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrobomaker.html"
},
"route53": {
"service_name": "Amazon Route 53",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html"
},
"route53domains": {
"service_name": "Amazon Route 53 Domains",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html"
},
"route53resolver": {
"service_name": "Amazon Route 53 Resolver",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html"
},
"s3": {
"service_name": "Amazon S3",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html"
},
"sagemaker": {
"service_name": "Amazon SageMaker",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html"
},
"sdb": {
"service_name": "Amazon SimpleDB",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html"
},
"secretsmanager": {
"service_name": "AWS Secrets Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html"
},
"securityhub": {
"service_name": "AWS Security Hub",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html"
},
"serverlessrepo": {
"service_name": "AWS Serverless Application Repository",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserverlessapplicationrepository.html"
},
"servicecatalog": {
"service_name": "AWS Service Catalog",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html"
},
"servicediscovery": {
"service_name": "AWS Cloud Map",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html"
},
"shield": {
"service_name": "AWS Shield",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html"
},
"sms": {
"service_name": "AWS Server Migration Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservermigrationservice.html"
},
"sms-voice": {
"service_name": "Amazon Pinpoint SMS and Voice Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html"
},
"snowball": {
"service_name": "AWS Snowball",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssnowball.html"
},
"sns": {
"service_name": "Amazon SNS",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html"
},
"sqs": {
"service_name": "Amazon SQS",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html"
},
"ssm": {
"service_name": "AWS Systems Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html"
},
"ssmmessages": {
"service_name": "Amazon Session Manager Message Gateway Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsessionmanagermessagegatewayservice.html"
},
"states": {
"service_name": "AWS Step Functions",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html"
},
"storagegateway": {
"service_name": "Amazon Storage Gateway",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonstoragegateway.html"
},
"sts": {
"service_name": "AWS Security Token Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html"
},
"support": {
"service_name": "AWS Support",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupport.html"
},
"swf": {
"service_name": "Amazon Simple Workflow Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleworkflowservice.html"
},
"textract": {
"service_name": "Amazon Textract",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html"
},
"timestream": {
"service_name": "AWS Timestream",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html"
},
"transcribe": {
"service_name": "Amazon Transcribe",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html"
},
"transfer": {
"service_name": "AWS Transfer for SFTP",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferforsftp.html"
},
"translate": {
"service_name": "Amazon Translate",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranslate.html"
},
"trustedadvisor": {
"service_name": "AWS Trusted Advisor",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstrustedadvisor.html"
},
"waf": {
"service_name": "AWS WAF",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswaf.html"
},
"waf-regional": {
"service_name": "AWS WAF Regional",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafregional.html"
},
"wafv2": {
"service_name": "AWS WAF V2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html"
},
"workdocs": {
"service_name": "Amazon WorkDocs",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkdocs.html"
},
"worklink": {
"service_name": "Amazon WorkLink",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworklink.html"
},
"workspaces": {
"service_name": "Amazon WorkSpaces",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html"
},
"xray": {
"service_name": "AWS X-Ray",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html"
}
}
```

### JSON Output of Excluded Services

* As with the Markdown Table output, you can specify the `--excluded-json-list` option to output the list of excluded services in JSON, as shown below:

```
aws-allowlister generate --pci --excluded-json-list
```

The results will look like this:

Example AllowList JSON list

```
{
"a4b": {
"service_name": "Alexa for Business",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html"
},
"acm-pca": {
"service_name": "AWS Certificate Manager Private Certificate Authority",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanagerprivatecertificateauthority.html"
},
"activate": {
"service_name": "AWS Activate",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsactivate.html"
},
"airflow": {
"service_name": "Amazon Managed Workflows for Apache Airflow",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html"
},
"app-integrations": {
"service_name": "Amazon AppIntegrations",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html"
},
"appconfig": {
"service_name": "AWS AppConfig",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html"
},
"appflow": {
"service_name": "Amazon AppFlow",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html"
},
"application-cost-profiler": {
"service_name": "AWS Application Cost Profiler Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationcostprofilerservice.html"
},
"applicationinsights": {
"service_name": "CloudWatch Application Insights",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatchapplicationinsights.html"
},
"appmesh-preview": {
"service_name": "AWS App Mesh Preview",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmeshpreview.html"
},
"apprunner": {
"service_name": "AWS App Runner",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html"
},
"aps": {
"service_name": "Amazon Managed Service for Prometheus",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html"
},
"arsenal": {
"service_name": "Application Discovery Arsenal",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscoveryarsenal.html"
},
"artifact": {
"service_name": "AWS Artifact",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsartifact.html"
},
"auditmanager": {
"service_name": "AWS Audit Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html"
},
"aws-marketplace": {
"service_name": "AWS Private Marketplace",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatemarketplace.html"
},
"aws-marketplace-management": {
"service_name": "AWS Marketplace Management Portal",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemanagementportal.html"
},
"awsconnector": {
"service_name": "AWS Connector Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectorservice.html"
},
"braket": {
"service_name": "Amazon Braket",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html"
},
"budgets": {
"service_name": "AWS Budget Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html"
},
"ce": {
"service_name": "AWS Cost Explorer Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostexplorerservice.html"
},
"chime": {
"service_name": "Amazon Chime",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html"
},
"cloud9": {
"service_name": "AWS Cloud9",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html"
},
"cloudsearch": {
"service_name": "Amazon CloudSearch",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html"
},
"cloudshell": {
"service_name": "AWS CloudShell",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudshell.html"
},
"codeartifact": {
"service_name": "AWS CodeArtifact",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html"
},
"codeguru": {
"service_name": "Amazon CodeGuru",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguru.html"
},
"codeguru-profiler": {
"service_name": "Amazon CodeGuru Profiler",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html"
},
"codeguru-reviewer": {
"service_name": "Amazon CodeGuru Reviewer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html"
},
"codestar": {
"service_name": "AWS CodeStar",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html"
},
"codestar-connections": {
"service_name": "AWS CodeStar Connections",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html"
},
"codestar-notifications": {
"service_name": "AWS CodeStar Notifications",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html"
},
"compute-optimizer": {
"service_name": "Compute Optimizer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_computeoptimizer.html"
},
"controltower": {
"service_name": "AWS Control Tower",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscontroltower.html"
},
"cur": {
"service_name": "AWS Cost and Usage Report",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html"
},
"datapipeline": {
"service_name": "Data Pipeline",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html"
},
"dax": {
"service_name": "Amazon DynamoDB Accelerator (DAX)",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html"
},
"dbqms": {
"service_name": "Database Query Metadata Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_databasequerymetadataservice.html"
},
"deepcomposer": {
"service_name": "AWS DeepComposer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepcomposer.html"
},
"deeplens": {
"service_name": "AWS DeepLens",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeeplens.html"
},
"deepracer": {
"service_name": "AWS DeepRacer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepracer.html"
},
"detective": {
"service_name": "Amazon Detective",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html"
},
"devicefarm": {
"service_name": "AWS Device Farm",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html"
},
"devops-guru": {
"service_name": "Amazon DevOps Guru",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html"
},
"discovery": {
"service_name": "Application Discovery",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscovery.html"
},
"dlm": {
"service_name": "Amazon Data Lifecycle Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html"
},
"ec2-instance-connect": {
"service_name": "Amazon EC2 Instance Connect",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html"
},
"ecr-public": {
"service_name": "Amazon Elastic Container Registry Public",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html"
},
"elastic-inference": {
"service_name": "Amazon Elastic Inference",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticinference.html"
},
"elastictranscoder": {
"service_name": "Amazon Elastic Transcoder",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html"
},
"elemental-activations": {
"service_name": "Elemental Activations",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalactivations.html"
},
"elemental-appliances-software": {
"service_name": "AWS Elemental Appliances and Software",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalappliancesandsoftware.html"
},
"elemental-support-cases": {
"service_name": "Elemental Support Cases",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcases.html"
},
"elemental-support-content": {
"service_name": "Elemental Support Content",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcontent.html"
},
"emr-containers": {
"service_name": "Amazon EMR on EKS (EMR Containers)",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html"
},
"fis": {
"service_name": "AWS Fault Injection Simulator",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html"
},
"frauddetector": {
"service_name": "Amazon Fraud Detector",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html"
},
"gamelift": {
"service_name": "Amazon GameLift",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html"
},
"geo": {
"service_name": "Amazon Location",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html"
},
"grafana": {
"service_name": "Amazon Managed Service for Grafana",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforgrafana.html"
},
"groundtruthlabeling": {
"service_name": "Amazon GroundTruth Labeling",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundtruthlabeling.html"
},
"healthlake": {
"service_name": "Amazon HealthLake",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html"
},
"honeycode": {
"service_name": "Amazon Honeycode",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html"
},
"identitystore": {
"service_name": "AWS Identity Store",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html"
},
"imagebuilder": {
"service_name": "Amazon EC2 Image Builder",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html"
},
"iot1click": {
"service_name": "AWS IoT 1-Click",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot1-click.html"
},
"iotanalytics": {
"service_name": "AWS IoT Analytics",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html"
},
"iotfleethub": {
"service_name": "Fleet Hub for AWS IoT Device Management",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fleethubforawsiotdevicemanagement.html"
},
"iotsitewise": {
"service_name": "AWS IoT SiteWise",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html"
},
"iotthingsgraph": {
"service_name": "AWS IoT Things Graph",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotthingsgraph.html"
},
"iq": {
"service_name": "AWS IQ",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiq.html"
},
"iq-permission": {
"service_name": "AWS IQ Permissions",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiqpermissions.html"
},
"ivs": {
"service_name": "Amazon Interactive Video Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html"
},
"kafka-cluster": {
"service_name": "Apache Kafka APIs for Amazon MSK clusters",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html"
},
"launchwizard": {
"service_name": "Launch Wizard",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html"
},
"lightsail": {
"service_name": "Amazon Lightsail",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html"
},
"lookoutequipment": {
"service_name": "Amazon Lookout for Equipment",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html"
},
"lookoutmetrics": {
"service_name": "Amazon Lookout for Metrics",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html"
},
"lookoutvision": {
"service_name": "Amazon Lookout for Vision",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html"
},
"machinelearning": {
"service_name": "Amazon Machine Learning",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmachinelearning.html"
},
"managedblockchain": {
"service_name": "Amazon Managed Blockchain",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html"
},
"marketplacecommerceanalytics": {
"service_name": "AWS Marketplace Commerce Analytics Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecommerceanalyticsservice.html"
},
"mechanicalturk": {
"service_name": "Amazon Mechanical Turk",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmechanicalturk.html"
},
"mediapackage": {
"service_name": "AWS Elemental MediaPackage",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html"
},
"mediapackage-vod": {
"service_name": "AWS Elemental MediaPackage VOD",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html"
},
"mediastore": {
"service_name": "AWS Elemental MediaStore",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html"
},
"mediatailor": {
"service_name": "AWS Elemental MediaTailor",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html"
},
"mgh": {
"service_name": "AWS Migration Hub",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html"
},
"mgn": {
"service_name": "AWS Application Migration Service",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationmigrationservice.html"
},
"mobileanalytics": {
"service_name": "Amazon Mobile Analytics",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmobileanalytics.html"
},
"mobilehub": {
"service_name": "AWS Mobile Hub",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmobilehub.html"
},
"monitron": {
"service_name": "Amazon Monitron",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmonitron.html"
},
"network-firewall": {
"service_name": "AWS Network Firewall",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html"
},
"networkmanager": {
"service_name": "Network Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html"
},
"nimble": {
"service_name": "Amazon Nimble Studio",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnimblestudio.html"
},
"panorama": {
"service_name": "AWS Panorama",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html"
},
"pi": {
"service_name": "AWS Performance Insights",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html"
},
"pricing": {
"service_name": "AWS Price List",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html"
},
"profile": {
"service_name": "Amazon Connect Customer Profiles",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html"
},
"proton": {
"service_name": "AWS Proton",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html"
},
"purchase-orders": {
"service_name": "AWS Purchase Orders Console",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspurchaseordersconsole.html"
},
"ram": {
"service_name": "AWS Resource Access Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html"
},
"redshift-data": {
"service_name": "Amazon Redshift Data API",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html"
},
"resource-explorer": {
"service_name": "AWS Tag Editor",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstageditor.html"
},
"s3-object-lambda": {
"service_name": "Amazon S3 Object Lambda",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html"
},
"s3-outposts": {
"service_name": "Amazon S3 on Outposts",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html"
},
"savingsplans": {
"service_name": "AWS Savings Plans",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html"
},
"schemas": {
"service_name": "Amazon EventBridge Schemas",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html"
},
"servicequotas": {
"service_name": "Service Quotas",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html"
},
"ses": {
"service_name": "Amazon Simple Email Service v2",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html"
},
"signer": {
"service_name": "AWS Signer",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html"
},
"ssm-contacts": {
"service_name": "AWS Systems Manager Incident Manager Contacts",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html"
},
"ssm-incidents": {
"service_name": "AWS Systems Manager Incident Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanager.html"
},
"sso": {
"service_name": "AWS SSO",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html"
},
"sso-directory": {
"service_name": "AWS SSO Directory",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html"
},
"sumerian": {
"service_name": "Amazon Sumerian",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsumerian.html"
},
"synthetics": {
"service_name": "Amazon CloudWatch Synthetics",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html"
},
"tag": {
"service_name": "Amazon Resource Group Tagging API",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html"
},
"tiros": {
"service_name": "AWS Tiros",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstiros.html"
},
"wam": {
"service_name": "Amazon WorkSpaces Application Manager",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesapplicationmanager.html"
},
"wellarchitected": {
"service_name": "AWS Well-Architected Tool",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html"
},
"workmail": {
"service_name": "Amazon WorkMail",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html"
},
"workmailmessageflow": {
"service_name": "Amazon WorkMail Message Flow",
"service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmailmessageflow.html"
}
}
```

## Arguments

`aws-allowlister` supports different arguments to generate fine-grained compliance focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

```
Usage: aws-allowlister generate [OPTIONS]

Options:
Compliance Standard Selection:
-a, --all SOC, PCI, ISO, HIPAA, FedRAMP_High, and
FedRAMP_Moderate.
-s, --soc Include SOC-compliant services
-p, --pci Include PCI-compliant services
-h, --hipaa Include HIPAA-compliant services
-i, --iso Include ISO-compliant services
-fh, --fedramp-high Include FedRAMP High
-fm, --fedramp-moderate Include FedRAMP Moderate
-d2e, --dodccsrg-il2-ew Include DoD CC SRG IL2 (East/West)
-d2g, --dodccsrg-il2-gc Include DoD CC SRG IL2 (GovCloud)
-d4g, --dodccsrg-il4-gc Include DoD CC SRG IL4 (GovCloud)
-d5g, --dodccsrg-il5-gc Include DoD CC SRG IL5 (GovCloud)
Forcibly Include AWS Services: [mutually_exclusive]
--include TEXT Include specific AWS IAM services, specified
in a comma separated string.
--include-file PATH A YAML file that contains a list of AWS IAM
services to include.
Forcibly Exclude AWS Services: [mutually_exclusive]
--exclude TEXT Exclude specific AWS IAM services, specified
in a comma separated string.
--exclude-file PATH A YAML file that contains a list of AWS IAM
services to exclude.
Output options: [mutually_exclusive]
--table Output a markdown-formatted table of the
Service Prefixes alongside Service Names.
--json-list Output a JSON object of the service
prefixes, service names, and authorization
URLs.
--excluded-table Output a markdown-formatted table of
*excluded* services.
--excluded-json-list Output a JSON object of *excluded* service
prefixes, service names, and authorization
URLs.
-q, --quiet
--help Show this message and exit.

```

* For example, to generate a PCI only Service Control Policy and save it to JSON:

```bash
aws-allowlister generate --pci --quiet > pci.json
```

* You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:

```bash
aws-allowlister generate -sphi --quiet
```

* Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:

```bash
aws-allowlister generate -sip --quiet
```

### Exceptions: Including or Excluding Services

If you want to force-exclude or force-include a service, you have two options.
1. Specify the exclusions in command line arguments
2. Specify the exclusions in a YAML file and supply the file name

#### Example: Exclude Services using a file

For example, create a file that is called `exclusions.yml` with the following contents

```yaml
# If you use this for exclusions, this will exclude EC2 and S3. Don't actually do this, this is just for the example
- ec2
- s3
```

Now you can specify the following arguments to leverage this file:

```bash
aws-allowlister generate --exclude-file exclusions.yml
```

Alternatively, you can supply the argument inline like this:

```bash
aws-allowlister generate ---exclude ec2,s3
```

Notice how the output does not include `ec2` or `s3` in the output.

Exclude output

```
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"Resource": "*",
"NotAction": ["access-analyzer:*", "account:*", "acm:*", "amplify:*", "amplifybackend:*", "apigateway:*", "application-autoscaling:*", "appstream:*", "appsync:*", "athena:*", "autoscaling:*", "autoscaling-plans:*", "aws-portal:*", "backup:*", "backup-storage:*", "batch:*", "clouddirectory:*", "cloudformation:*", "cloudfront:*", "cloudhsm:*", "cloudtrail:*", "cloudwatch:*", "codebuild:*", "codecommit:*", "codedeploy:*", "codepipeline:*", "cognito-identity:*", "cognito-idp:*", "cognito-sync:*", "comprehend:*", "comprehendmedical:*", "config:*", "connect:*", "dataexchange:*", "datasync:*", "directconnect:*", "dms:*", "ds:*", "dynamodb:*", "ebs:*", "ec2messages:*", "ecr:*", "ecs:*", "eks:*", "elasticache:*", "elasticbeanstalk:*", "elasticfilesystem:*", "elasticloadbalancing:*", "elasticmapreduce:*", "es:*", "events:*", "execute-api:*", "firehose:*", "fms:*", "forecast:*", "freertos:*", "fsx:*", "glacier:*", "globalaccelerator:*", "glue:*", "greengrass:*", "guardduty:*", "health:*", "iam:*", "importexport:*", "inspector:*", "iot:*", "iot-device-tester:*", "iotdeviceadvisor:*", "iotevents:*", "iotwireless:*", "kafka:*", "kinesis:*", "kinesisanalytics:*", "kinesisvideo:*", "kms:*", "lakeformation:*", "lambda:*", "logs:*", "macie:*", "macie2:*", "mediaconnect:*", "mediaconvert:*", "medialive:*", "mobiletargeting:*", "mq:*", "neptune-db:*", "opsworks:*", "opsworks-cm:*", "organizations:*", "outposts:*", "personalize:*", "polly:*", "qldb:*", "quicksight:*", "rds:*", "rds-data:*", "rds-db:*", "redshift:*", "rekognition:*", "robomaker:*", "route53:*", "route53domains:*", "route53resolver:*", "sagemaker:*", "secretsmanager:*", "securityhub:*", "serverlessrepo:*", "servicecatalog:*", "shield:*", "sms:*", "snowball:*", "sns:*", "sqs:*", "ssm:*", "ssmmessages:*", "states:*", "storagegateway:*", "sts:*", "support:*", "swf:*", "textract:*", "transcribe:*", "transfer:*", "translate:*", "waf:*", "waf-regional:*", "wafv2:*", "workdocs:*", "worklink:*", "workspaces:*", "xray:*"]
}
}
```

#### Example: Including a service using a file

You can also use this approach for force-including services. Let's say that you want to include the AWS Managed BlockChain Services because your CEO is convinced you're going to the moon 🚀 (even though the AWS Managed BlockChain service does not meet any common compliance frameworks like PCI or HIPAA). You could create a file called `include.yml` with the contents:

```yaml
- managedblockchain
```

Then run the following command:

```bash
aws-allowlister generate --include-file include.yml
```

Alternatively, you can supply the argument inline like this:

```bash
aws-allowlister generate --include managedblockchain
```

Notice how the output includes the `managedblockchain` service.

Output with managed blockchain

```
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllowList",
"Effect": "Deny",
"Resource": "*",
"NotAction": ["access-analyzer:*", "account:*", "acm:*", "apigateway:*", "application-autoscaling:*", "appstream:*", "athena:*", "autoscaling:*", "autoscaling-plans:*", "aws-portal:*", "batch:*", "clouddirectory:*", "cloudformation:*", "cloudtrail:*", "cloudwatch:*", "codebuild:*", "codecommit:*", "codedeploy:*", "comprehend:*", "config:*", "datasync:*", "directconnect:*", "dms:*", "ds:*", "dynamodb:*", "ebs:*", "ec2:*", "ec2messages:*", "ecr:*", "ecs:*", "elasticache:*", "elasticbeanstalk:*", "elasticfilesystem:*", "elasticloadbalancing:*", "elasticmapreduce:*", "es:*", "events:*", "execute-api:*", "firehose:*", "glacier:*", "glue:*", "guardduty:*", "iam:*", "importexport:*", "inspector:*", "iot:*", "iot-device-tester:*", "iotdeviceadvisor:*", "iotwireless:*", "kinesis:*", "kms:*", "lakeformation:*", "lambda:*", "logs:*", "managedblockchain:*", "mediaconvert:*", "organizations:*", "polly:*", "rds:*", "rds-data:*", "rds-db:*", "redshift:*", "rekognition:*", "route53:*", "route53domains:*", "route53resolver:*", "s3:*", "sagemaker:*", "secretsmanager:*", "serverlessrepo:*", "servicecatalog:*", "sms:*", "snowball:*", "sns:*", "sqs:*", "ssm:*", "ssmmessages:*", "states:*", "sts:*", "support:*", "swf:*", "transcribe:*", "translate:*", "waf:*", "waf-regional:*", "wafv2:*", "workspaces:*"]
}
}
```

# Contributing

## Setup

* Set up the virtual environment

```bash
pipenv --python 3.7 # create the environment
pipenv shell # start the environment
pipenv install # install both development and production dependencies
```

* Build the package

```bash
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean
```

## Other tasks

* Update with the latest AWS Compliance data

```bash
make update-data
```

# Authors and Contributors

* [Kinnaird McQuade (@kmcquade3)](https://twitter.com/kmcquade3), Salesforce - Author
* [Jason Dyke (@jasonadyke)](https://twitter.com/jasonadyke), Square - Contributor

# 🚨 Disclaimer 🚨

The policies generated by `aws-allowlister` do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which service can or cannot be leveraged.