Is there a list of APIs for all AWS services, which can ideally be checked programmatically?

0

Hi,

I am searching for a (programmatically checkable) list of all API calls for AWS services. The background is the use of allow/deny for specific services in a service control policy (SCP). For example: if I would like to allow/deny AWS WAF, I need to allow/deny the following APIs in the SCP: "waf-regional:*", "waf:*", "wafv2:*".

From my point of view, there is no easy way to find this information in the docs (https://docs.aws.amazon.com/cli/latest/reference/waf/index.html?highlight=waf or https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).

If there is any change for WAF, for example version 3 or additional features for the WAF, I would like to check a list in a scheduled way to look for changes and then add them to the SCP.

Is there a consistent and easy way to get the information I need?

Kind regards, David

1 Answer
0

One way to approach this is to

  1. Allow all services
  2. Deny services not on your allow list

So even if there is a new service introduced, say 'waf3', that service will be denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAllActions",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Sid": "DenyNotAllowList", 
            "Effect": "Deny",
            "NotAction": [ "dynamodb:*", "s3:*" ],
            "Resource": "*"
        }
    ]
}

The array of services under NotAction are the allowed services.

AWS
EXPERT
kentrad
answered 2 years ago
  • Hi, thanks for the response. This is a possibility, which I already use, but my main question is not solved. I want to easily have a list of all API calls for the services which are available, so that I can detect waf3 and add it to my allow list, because I want all WAF services to be usable as they are available and do not want to wait until somebody tells me: I want to use the new WAF, but can't because of the SCP. For all other services, I do not want them to be automatically usable, so the implicit deny works there, but, as I stated, not for my main question.
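The scheduled check the question and the comment ask for can be sketched as below. This is an added example, not code from the thread or from AWS: it compares a list of service prefixes against the `NotAction` allow list of the answer's SCP and reports prefixes of one family that would still be denied. The prefix list, the hypothetical `waf3` entry and all function names are constructed for illustration; where the real prefix list comes from is left as an assumption.

```python
import json

# Constructed sample: the answer's SCP with the question's WAF prefixes added.
SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "DenyNotAllowList", "Effect": "Deny",
   "NotAction": ["dynamodb:*", "s3:*", "waf:*", "waf-regional:*", "wafv2:*"],
   "Resource": "*"}]}
""")

# Constructed sample of service prefixes. "waf3" is the hypothetical future
# service from the thread; the real list would come from whichever published
# source you poll on a schedule (an assumption, the page names none).
PREFIXES = ["dynamodb", "ec2", "s3", "waf", "waf-regional", "wafv2", "waf3"]


def deny_statement(scp, sid="DenyNotAllowList"):
    """Find the Deny/NotAction statement that holds the allow list."""
    for stmt in scp["Statement"]:
        if stmt.get("Sid") == sid and stmt.get("Effect") == "Deny":
            return stmt
    raise KeyError(f"no Deny statement with Sid {sid!r}")


def entries(stmt):
    """NotAction as a list; IAM also accepts a bare string."""
    value = stmt.get("NotAction", [])
    return [value] if isinstance(value, str) else list(value)


def missing(prefixes, scp, family="waf"):
    """Family prefixes lacking a full '<prefix>:*' entry ('waf3:Get*' does not count)."""
    allowed = {e.lower() for e in entries(deny_statement(scp))}
    if "*" in allowed:  # everything is already exempted from the Deny
        return []
    return sorted(p for p in prefixes
                  if p.lower().startswith(family) and f"{p.lower()}:*" not in allowed)


def with_added(scp, new_prefixes):
    """Copy of the SCP with '<prefix>:*' appended for each new prefix."""
    updated = json.loads(json.dumps(scp))  # deep copy; the input stays untouched
    stmt = deny_statement(updated)
    stmt["NotAction"] = entries(stmt) + [f"{p}:*" for p in new_prefixes]
    return updated
```

Because the family match is a plain string prefix, treat the output of `missing` as a list for review before applying `with_added`, since an unrelated service whose prefix happens to start with the same letters would also be reported.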
