Is there a list of APIs for all AWS Services, which can ideally be checked programmatically?

0

Hi,

I am searching for a (programmatically checkable) list of all API calls for AWS services. The background is the use of allow/deny for specific services in a service control policy (SCP). For example: if I would like to allow/deny AWS WAF, I need to allow/deny the following APIs in the SCP: "waf-regional:*", "waf:*", "wafv2:*".

There is, from my point of view, no easy way to find this information in the docs (https://docs.aws.amazon.com/cli/latest/reference/waf/index.html?highlight=waf or https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).

If there is any change for WAF, for example version 3 or additional features for the WAF, I would like to check a list in a scheduled way to look for changes and then add them to the SCP.

Is there a consistent and easy way to get the information I need?

Kind regards, David

1 Answer
0

One way to approach this is to

  1. Allow all services
  2. Deny services not on your allow list

So even if there is a new service introduced, say 'waf3', that service will be denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAllActions",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Sid": "DenyNotAllowList", 
            "Effect": "Deny",
            "NotAction": [ "dynamodb:*", "s3:*" ],
            "Resource": "*"
        }
    ]
}

The array of services under NotAction are the allowed services.

AWS
EXPERT
kentrad
answered 2 years ago
  • Hi, thanks for the response. This is a possibility which I already use, but my main question is not solved. I want to easily have a list of all API calls for the services which are available, so that I can detect waf3 and add it to my allow list, because I want all WAF services to be usable as they become available and do not want to wait until somebody tells me: I want to use the new WAF, but can't because of the SCP. For all other services I do not want them to be automatically usable, so there the implicit deny works, but, as I stated, not for my main question.
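
The scheduled check asked for in the question and the comment, as an added example that is not part of the original thread: it compares a list of IAM service prefixes against the SCP's NotAction allow list and reports prefixes from a watched family that the SCP would still deny. The prefix list is a constructed sample (in practice it would be collected from a source such as the AWS Service Authorization Reference), and "waf3", WATCHED and all function names are assumptions.

```python
import copy
import fnmatch

# SCP from the answer, plus the three WAF prefixes from the question.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyNotAllowList", "Effect": "Deny", "Resource": "*",
     "NotAction": ["dynamodb:*", "s3:*", "waf:*", "waf-regional:*", "wafv2:*"]},
]}
# Constructed sample input: service prefixes collected by a scheduled job.
# "waf3" is the hypothetical future service named in the answer.
CURRENT_PREFIXES = ["dynamodb", "ec2", "s3", "waf", "waf-regional", "wafv2", "waf3"]
WATCHED = ["waf*"]  # assumption: families to allow as soon as they appear


def deny_statement(scp):
    """Return the Deny statement that carries the NotAction allow list."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") == "Deny" and "NotAction" in stmt:
            return stmt
    raise ValueError("no Deny/NotAction statement in policy")


def fully_allowed(scp):
    """Prefixes exempted wholesale ('prefix:*'); partial entries do not count."""
    entries = deny_statement(scp)["NotAction"]
    entries = [entries] if isinstance(entries, str) else entries
    return {e.split(":", 1)[0].lower() for e in entries if e.endswith(":*")}


def new_watched_prefixes(scp, prefixes, watched):
    """Watched-family prefixes that the SCP would still deny."""
    allowed = fully_allowed(scp)
    return sorted(p for p in {x.lower() for x in prefixes}
                  if p not in allowed
                  and any(fnmatch.fnmatchcase(p, w) for w in watched))


def with_prefixes_allowed(scp, prefixes):
    """Copy of the SCP with 'prefix:*' appended to the NotAction list."""
    updated = copy.deepcopy(scp)
    stmt = deny_statement(updated)
    entries = stmt["NotAction"]
    entries = [entries] if isinstance(entries, str) else list(entries)
    stmt["NotAction"] = entries + [f"{p}:*" for p in prefixes]
    return updated


if __name__ == "__main__":
    missing = new_watched_prefixes(SCP, CURRENT_PREFIXES, WATCHED)
    print("watched prefixes still denied:", missing)
    print(with_prefixes_allowed(SCP, missing)["Statement"][1]["NotAction"])
```

An entry such as "wafv2:Get*" exempts only some actions, so the check deliberately does not treat that service as allowed.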
