PCI Allowlist findings

[jdyke]

I did some QA against the PCI policy generated via aws-allowlister generate --pci and have recorded my thoughts below. I'll still need to test these to verify if A) they're required for the service to function properly (if its related to a different approved service) and B) how much wiggle room there is to throw those in if they are not approved.

The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS.

• chime
• ses
• sso and sso-directory

The following are approved services / programs and are not included in the JSON output file but should be.

• appmesh (AWS App Mesh)
• cassandra (Amazon Keyspaces (for Apache Cassandra)
• chatbot (AWS Chatbot)
• cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)
• databrew - (AWS Glue DataBrew)
• elasticloadbalancing - (Elastic Load Balancing)
• groundstation - (AWS Ground Station)
• kendra - (Amazon Kendra)
• lakeformation - (AWS Glue)
• license-manager - (AWS License Manager)
• macie - (macie2 is included but not macie)
• opsworks - (AWS OpsWorks Stacks)
• resource-groups - (AWS Resource Groups)
• sdb - (Amazon SimpleDB)
• timestream - (Amazon Timestream)
• trustedadvisor - (AWS Trusted Advisor)

Let me know what you think about these.

Thanks!

[kmcquade]

@jdyke - for AppMesh, that is because AppMesh is only for PCI.

I realize the CLI arguments were not consistent. Now, it will give you the intersection of SOC, PCI, ISO, and HIPAA. You can specify them individually. And the logging indicates the active options to the user. You can quiet the logs with --quiet as well.

Status per service

Here is my worksheet based on the list you gave. These are services that are given when you supply aws-allowlister --pci, given my newest changes. I will update as we go along.

• [x] appmesh (AWS App Mesh)
• [x] cassandra (Amazon Keyspaces (for Apache Cassandra)
• [ ] chatbot (AWS Chatbot)
• [x] cognito-sync (Amazon Cognito Sync - not called out by service name but included in the SDK column for Amazon Cognito)
• [x] databrew - (AWS Glue DataBrew)
• [x] elasticloadbalancing - (Elastic Load Balancing)
• [x] groundstation - (AWS Ground Station)
• [x] kendra - (Amazon Kendra)
• [x] lakeformation - (AWS Glue)
• [x] license-manager - (AWS License Manager)
• [x] macie - (macie2 is included but not macie)
• [x] opsworks - (AWS OpsWorks Stacks)
• [x] resource-groups - (AWS Resource Groups)
• [x] sdb - (Amazon SimpleDB)
• [x] timestream - (Amazon Timestream)
• [x] trustedadvisor - (AWS Trusted Advisor)

[kmcquade]

The following are included in the aws-allowlister JSON but are not in the list of PCI services (I did not include permissions like account and sts which are generally required to use AWS. (chime, ses, sso and sso-directory)

• [x] chime: Removed
• [x] ses: Removed
• [ ] sso: Still included. Will take a look.
• [ ] sso-directory: Still included. Will take a look.

[kmcquade]

Regarding sso and sso-directory: that's because I added the following to the global_inserts section of the overrides.yml file:

https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml#L152-L153

I am hesitant to remove that because I think it would break a lot of orgs, and I suspect that might be an error? No idea how AWS SSO is not approved lol

[jdyke]

for AppMesh, that is because AppMesh is only for PCI.

Ah so I was misreading how it worked. I like the way it works now - if someone passes in a pci argument, only PCI compliant services should return. That provides a lot of flexibility and allows more granular JSON policies vs one policy with many compliance / accreditation combined.

Regarding sso and sso-directory: that's because I added the following to the global_inserts section of the overrides.yml file

I totally missed that functionality, if its not in the readme somewhere ill add it.

I followed up about the sso situation. I think it will be ok to leave it out of the SCP for PCI because that SCP should only be applied to cat 1 accounts and your SSO "hub" should be cat 2. Thats my hypothesis and ill report back with my findings.

@kmcquade would you like me to QA the HIPAA JSON now that they're separated?

[kmcquade]

@jdyke - I fixed all the services mentioned above for PCI, except for Chatbot. I think that might be due to the fact that the SDK name is missing from the web page.

[kmcquade]

I am closing this because I fixed everything except for Chatbot. Addressing chatbot in a separate issue.

I will open up issues for other compliance frameworks