Metadata-Version: 2.1
Name: aws-allowlister
Version: 0.2.11
Summary: Generate AWS AllowList SCPs
Home-page: https://github.com/salesforce/aws-allowlister
Author: Kinnaird McQuade
Author-email: kinnairdm@gmail.com
License: UNKNOWN
Keywords: aws iam roles policy policies privileges security
Platform: UNKNOWN
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.7
Description-Content-Type: text/markdown
License-File: LICENSE

# aws-allowlister

![Continuous Integration Tests](https://github.com/salesforce/aws-allowlister/workflows/continuous-integration/badge.svg)
[![Twitter](https://img.shields.io/twitter/url/https/twitter.com/kmcquade3.svg?style=social&label=Follow%20the%20author)](https://twitter.com/kmcquade3)
[![Downloads](https://pepy.tech/badge/aws-allowlister)](https://pepy.tech/project/aws-allowlister)

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

![](./examples/media/aws-allowlister.gif)

## Overview

AWS Service Control Policies (SCPs) allow you to control which AWS Service APIs are allowed *at the AWS Account level*, so that local administrators (and even the account's root user) cannot perform prohibited actions in a child account.

However, before `aws-allowlister`, it was very difficult and error-prone to create AWS AllowList SCPs that give accounts access only to the compliant services they need, and nothing else. Before `aws-allowlister`, the approach for creating an AllowList was:

1. Create a spreadsheet 🙄  based on the [AWS Services in Scope](https://aws.amazon.com/compliance/services-in-scope/) documentation, which has inconsistent naming and does not list the "IAM names"
2. Create an AllowList.json by hand, based on that spreadsheet
3. Roll it out to Dev/Stage/Production
4. Whoever manages that spreadsheet now magically owns the AllowList policy due to ✨tribal knowledge✨ and any updates occur by pinging this person over Slack.

`aws-allowlister` takes care of this process for you. Instead of following the painful process above, just run the following command to generate an AWS SCP policy that meets PCI compliance:

```bash
aws-allowlister generate --pci
```

The policies generated by `aws-allowlister` are based on official AWS [documentation](https://aws.amazon.com/compliance/services-in-scope/) and are automatically kept up to date when new services achieve compliance or accreditation.


### Support statuses

`aws-allowlister` currently supports:

| Compliance Framework | Support Status |
|----------------------|----------------|
| PCI                  | ✅             |
| SOC 1, 2, and 3      | ✅             |
| ISO/IEC              | ✅             |
| HIPAA BAA            | ✅             |
| FedRAMP Moderate     | ✅             |
| FedRAMP High         | ✅             |
| DOD CC SRG (USA 🇺🇸)  | ✅             |
| HITRUST              | ⏱ Coming soon |
| IRAP (Australia 🇦🇺)  | ⏱ Coming soon |
| C5 (Germany 🇩🇪)      | ⏱ Coming soon |
| K-ISMS (Japan 🇯🇵)    | ⏱ Coming soon |
| ENS High (Spain 🇪🇸)  | ⏱ Coming soon |

### Forcibly include/exclude services

In addition to creating compliance-focused SCPs, `aws-allowlister` supports the ability to include or exclude services (IAM permissions) of your choice using the `--include` or `--exclude` flags. For more details related to policy customization, view the [Arguments](#arguments) section.

## Installation

* Python Pip:

```bash
pip3 install aws-allowlister
```

* Homebrew:

```bash
brew tap salesforce/aws-allowlister https://github.com/salesforce/aws-allowlister
brew install aws-allowlister
```

## Usage

* Generate an AllowList Policy using this command:

```bash
aws-allowlister generate
```

By default, it generates a policy that allows the services at the intersection of PCI, HIPAA, SOC, ISO, FedRAMP High, and FedRAMP Moderate.

The resulting policy will look like this:

<details>
<summary>Example AllowList Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": [
            "account:*",
            "acm:*",
            "amplify:*",
            "amplifybackend:*",
            "apigateway:*",
            "application-autoscaling:*",
            "appstream:*",
            "appsync:*",
            "athena:*",
            "autoscaling:*",
            "aws-portal:*",
            "backup:*",
            "batch:*",
            "clouddirectory:*",
            "cloudformation:*",
            "cloudfront:*",
            "cloudhsm:*",
            "cloudtrail:*",
            "cloudwatch:*",
            "codebuild:*",
            "codecommit:*",
            "codedeploy:*",
            "codepipeline:*",
            "cognito-identity:*",
            "cognito-idp:*",
            "comprehend:*",
            "comprehendmedical:*",
            "config:*",
            "connect:*",
            "dataexchange:*",
            "datasync:*",
            "directconnect:*",
            "dms:*",
            "ds:*",
            "dynamodb:*",
            "ebs:*",
            "ec2:*",
            "ecr:*",
            "ecs:*",
            "eks:*",
            "elasticache:*",
            "elasticbeanstalk:*",
            "elasticfilesystem:*",
            "elasticmapreduce:*",
            "es:*",
            "events:*",
            "execute-api:*",
            "firehose:*",
            "fms:*",
            "forecast:*",
            "freertos:*",
            "fsx:*",
            "glacier:*",
            "globalaccelerator:*",
            "glue:*",
            "greengrass:*",
            "guardduty:*",
            "health:*",
            "iam:*",
            "inspector:*",
            "iot:*",
            "iot-device-tester:*",
            "iotdeviceadvisor:*",
            "iotevents:*",
            "iotwireless:*",
            "kafka:*",
            "kinesis:*",
            "kinesisanalytics:*",
            "kinesisvideo:*",
            "kms:*",
            "lambda:*",
            "lex:*",
            "logs:*",
            "macie2:*",
            "mediaconnect:*",
            "mediaconvert:*",
            "medialive:*",
            "mq:*",
            "neptune-db:*",
            "opsworks-cm:*",
            "organizations:*",
            "outposts:*",
            "personalize:*",
            "polly:*",
            "qldb:*",
            "quicksight:*",
            "rds:*",
            "rds-data:*",
            "rds-db:*",
            "redshift:*",
            "rekognition:*",
            "robomaker:*",
            "route53:*",
            "route53domains:*",
            "s3:*",
            "sagemaker:*",
            "secretsmanager:*",
            "securityhub:*",
            "serverlessrepo:*",
            "servicecatalog:*",
            "shield:*",
            "sms:*",
            "sms-voice:*",
            "snowball:*",
            "sns:*",
            "sqs:*",
            "ssm:*",
            "sso:*",
            "sso-directory:*",
            "states:*",
            "storagegateway:*",
            "sts:*",
            "support:*",
            "swf:*",
            "textract:*",
            "transcribe:*",
            "transfer:*",
            "translate:*",
            "waf:*",
            "waf-regional:*",
            "wafv2:*",
            "workdocs:*",
            "worklink:*",
            "workspaces:*",
            "xray:*"
        ],
        "Resource": "*"
    }
}
```

</details>
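
To preview what an AllowList SCP of this shape blocks before attaching it, the following added example (not part of `aws-allowlister`) evaluates the `Deny`/`NotAction` statement against a list of IAM actions. The shortened policy and the action names are constructed samples, `denied_by_scp`, `blocked_actions` and `minified_size` are hypothetical helper names, and 5,120 characters is the AWS Organizations size quota for an SCP document.

```python
import json
import re

# AWS Organizations quota: maximum size of an SCP document, in characters.
SCP_MAX_CHARS = 5120

# Constructed sample: a shortened policy in the same shape as the generated
# one (a single statement object, Effect Deny, NotAction list, Resource "*").
SAMPLE_SCP = """
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "NotAction": ["cloudtrail:*", "ec2:*", "iam:*", "kms:*", "s3:*", "sts:*"],
        "Resource": "*"
    }
}
"""


def _as_list(value):
    """IAM policy JSON lets a single item stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def denied_by_scp(policy, action):
    """Return True if a Deny statement in the SCP applies to `action`.

    Only Action/NotAction are evaluated. Resource and Condition elements are
    ignored, which is exact for an unconditional Resource "*" statement like
    the one above and over-reports denials for anything narrower.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # Deny + NotAction: every action NOT matched by the list is denied.
            listed = any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            if not listed:
                return True
        elif any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def blocked_actions(policy_text, actions):
    """Parse the SCP JSON and return the subset of `actions` it denies."""
    policy = json.loads(policy_text)
    return [a for a in actions if denied_by_scp(policy, a)]


def minified_size(policy_text):
    """Length of the policy with insignificant whitespace removed."""
    return len(json.dumps(json.loads(policy_text), separators=(",", ":")))


if __name__ == "__main__":
    # Constructed list of actions a workload is expected to call.
    wanted = [
        "s3:GetObject",
        "S3:getobject",                           # matching ignores case
        "kms:Decrypt",
        "cloudshell:CreateSession",               # prefix not in the list
        "ec2-instance-connect:SendSSHPublicKey",  # "ec2:*" does not cover it
    ]
    for action in blocked_actions(SAMPLE_SCP, wanted):
        print("DENIED by SCP:", action)
    size = minified_size(SAMPLE_SCP)
    print(f"minified size: {size} of {SCP_MAX_CHARS} characters")
```

An SCP never grants permissions, so an action that is not denied here is still subject to the IAM policies inside the account.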

### Markdown Table Output

* You can also specify the `--table` option to output the results in a Markdown Table format, as shown below:

```bash
aws-allowlister generate --pci --table
```

The results will look like this:

<details>
<summary>Example Markdown Table Output</summary>

```
| Service Prefix          | Service Name                                    |
|-------------------------|-------------------------------------------------|
| account                 | AWS Accounts                                    |
| acm                     | AWS Certificate Manager                         |
| amplify                 | AWS Amplify                                     |
| amplifybackend          | AWS Amplify Admin                               |
| apigateway              | Manage Amazon API Gateway                       |
| application-autoscaling | Application Auto Scaling                        |
| appmesh                 | AWS App Mesh                                    |
| appstream               | Amazon AppStream 2.0                            |
| appsync                 | AWS AppSync                                     |
| athena                  | Amazon Athena                                   |
| autoscaling             | Amazon EC2 Auto Scaling                         |
| autoscaling-plans       | AWS Auto Scaling                                |
| aws-portal              | AWS Billing                                     |
| backup                  | AWS Backup                                      |
| batch                   | AWS Batch                                       |
| cassandra               | AWS Managed Apache Cassandra Service            |
| chatbot                 | AWS Chatbot                                     |
| clouddirectory          | Amazon Cloud Directory                          |
| cloudformation          | AWS CloudFormation                              |
| cloudfront              | Amazon CloudFront                               |
| cloudhsm                | AWS CloudHSM                                    |
| cloudtrail              | AWS CloudTrail                                  |
| cloudwatch              | Amazon CloudWatch                               |
| codebuild               | AWS CodeBuild                                   |
| codecommit              | AWS CodeCommit                                  |
| codedeploy              | AWS CodeDeploy                                  |
| codepipeline            | AWS CodePipeline                                |
| cognito-identity        | Amazon Cognito Identity                         |
| cognito-idp             | Amazon Cognito User Pools                       |
| cognito-sync            | Amazon Cognito Sync                             |
| comprehend              | Amazon Comprehend                               |
| comprehendmedical       | Comprehend Medical                              |
| config                  | AWS Config                                      |
| connect                 | Amazon Connect                                  |
| databrew                | AWS Glue DataBrew                               |
| dataexchange            | AWS Data Exchange                               |
| datasync                | DataSync                                        |
| directconnect           | AWS Direct Connect                              |
| dms                     | AWS Database Migration Service                  |
| ds                      | AWS Directory Service                           |
| dynamodb                | Amazon DynamoDB                                 |
| ebs                     | Amazon Elastic Block Store                      |
| ec2                     | Amazon EC2                                      |
| ec2messages             | Amazon Message Delivery Service                 |
| ecr                     | Amazon Elastic Container Registry               |
| ecs                     | Amazon Elastic Container Service                |
| eks                     | Amazon Elastic Container Service for Kubernetes |
| elasticache             | Amazon ElastiCache                              |
| elasticbeanstalk        | AWS Elastic Beanstalk                           |
| elasticfilesystem       | Amazon Elastic File System                      |
| elasticloadbalancing    | Elastic Load Balancing V2                       |
| elasticmapreduce        | Amazon Elastic MapReduce                        |
| es                      | Amazon Elasticsearch Service                    |
| events                  | Amazon EventBridge                              |
| execute-api             | Amazon API Gateway                              |
| firehose                | Amazon Kinesis Firehose                         |
| fms                     | AWS Firewall Manager                            |
| forecast                | Amazon Forecast                                 |
| freertos                | Amazon FreeRTOS                                 |
| fsx                     | Amazon FSx                                      |
| glacier                 | Amazon Glacier                                  |
| globalaccelerator       | AWS Global Accelerator                          |
| glue                    | AWS Glue                                        |
| greengrass              | AWS IoT Greengrass                              |
| groundstation           | AWS Ground Station                              |
| guardduty               | Amazon GuardDuty                                |
| health                  | AWS Health APIs and Notifications               |
| iam                     | Identity And Access Management                  |
| importexport            | AWS Import Export Disk Service                  |
| inspector               | Amazon Inspector                                |
| iot                     | AWS IoT                                         |
| iot-device-tester       | AWS IoT Device Tester                           |
| iotdeviceadvisor        | AWS IoT Core Device Advisor                     |
| iotevents               | AWS IoT Events                                  |
| iotwireless             | AWS IoT Core for LoRaWAN                        |
| kendra                  | Amazon Kendra                                   |
| kinesis                 | Amazon Kinesis                                  |
| kinesisanalytics        | Amazon Kinesis Analytics V2                     |
| kinesisvideo            | Amazon Kinesis Video Streams                    |
| kms                     | AWS Key Management Service                      |
| lakeformation           | AWS Lake Formation                              |
| lambda                  | AWS Lambda                                      |
| lex                     | Amazon Lex                                      |
| license-manager         | AWS License Manager                             |
| logs                    | Amazon CloudWatch Logs                          |
| macie                   | Amazon Macie Classic                            |
| macie2                  | Amazon Macie                                    |
| mediaconnect            | AWS Elemental MediaConnect                      |
| mediaconvert            | AWS Elemental MediaConvert                      |
| medialive               | AWS Elemental MediaLive                         |
| mobiletargeting         | Amazon Pinpoint                                 |
| mq                      | Amazon MQ                                       |
| neptune-db              | Amazon Neptune                                  |
| opsworks                | AWS OpsWorks                                    |
| opsworks-cm             | AWS OpsWorks Configuration Management           |
| organizations           | AWS Organizations                               |
| outposts                | AWS Outposts                                    |
| personalize             | Amazon Personalize                              |
| polly                   | Amazon Polly                                    |
| qldb                    | Amazon QLDB                                     |
| quicksight              | Amazon QuickSight                               |
| rds                     | Amazon RDS                                      |
| rds-data                | Amazon RDS Data API                             |
| rds-db                  | Amazon RDS IAM Authentication                   |
| redshift                | Amazon Redshift                                 |
| rekognition             | Amazon Rekognition                              |
| resource-groups         | AWS Resource Groups                             |
| robomaker               | AWS RoboMaker                                   |
| route53                 | Amazon Route 53                                 |
| route53domains          | Amazon Route53 Domains                          |
| s3                      | Amazon S3                                       |
| sagemaker               | Amazon SageMaker                                |
| sdb                     | Amazon SimpleDB                                 |
| secretsmanager          | AWS Secrets Manager                             |
| securityhub             | AWS Security Hub                                |
| serverlessrepo          | AWS Serverless Application Repository           |
| servicecatalog          | AWS Service Catalog                             |
| servicediscovery        | AWS Cloud Map                                   |
| shield                  | AWS Shield                                      |
| sms                     | AWS Server Migration Service                    |
| sms-voice               | Amazon Pinpoint SMS and Voice Service           |
| snowball                | AWS Snowball                                    |
| sns                     | Amazon SNS                                      |
| sqs                     | Amazon SQS                                      |
| ssm                     | AWS Systems Manager                             |
| ssmmessages             | Amazon Session Manager Message Gateway Service  |
| states                  | AWS Step Functions                              |
| storagegateway          | Amazon Storage Gateway                          |
| sts                     | AWS Security Token Service                      |
| support                 | AWS Support                                     |
| swf                     | Amazon Simple Workflow Service                  |
| textract                | Amazon Textract                                 |
| timestream              | AWS Timestream                                  |
| transcribe              | Amazon Transcribe                               |
| transfer                | AWS Transfer for SFTP                           |
| translate               | Amazon Translate                                |
| trustedadvisor          | AWS Trusted Advisor                             |
| waf                     | AWS WAF                                         |
| waf-regional            | AWS WAF Regional                                |
| wafv2                   | AWS WAF V2                                      |
| workdocs                | Amazon WorkDocs                                 |
| worklink                | Amazon WorkLink                                 |
| workspaces              | Amazon WorkSpaces                               |
| xray                    | AWS X-Ray                                       |
```

</details>

### Markdown Table of Excluded Services

* Let's say you want to know which services are **excluded**, not just the ones that are **included**. In this case, you can specify the `--excluded-table` option to output the list of services that are not allowed.

```bash
aws-allowlister generate --pci --excluded-table
```

The results will look like this:


<details>
<summary>Example Markdown Table of Excluded Services</summary>

```
| Service Prefix                | Service Name                                                                                                                                                                           |
|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| a4b                           | [Alexa for Business](https://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html)                                                                    |
| acm-pca                       | [AWS Certificate Manager Private Certificate Authority](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanagerprivatecertificateauthority.html) |
| activate                      | [AWS Activate](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsactivate.html)                                                                               |
| airflow                       | [Amazon Managed Workflows for Apache Airflow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html)                     |
| app-integrations              | [Amazon AppIntegrations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html)                                                           |
| appconfig                     | [AWS AppConfig](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html)                                                                             |
| appflow                       | [Amazon AppFlow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html)                                                                           |
| applicationinsights           | [CloudWatch Application Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatchapplicationinsights.html)                                          |
| appmesh                       | [AWS App Mesh](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html)                                                                                |
| appmesh-preview               | [AWS App Mesh Preview](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmeshpreview.html)                                                                 |
| aps                           | [Amazon Managed Service for Prometheus](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html)                                |
| arsenal                       | [Application Discovery Arsenal](https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscoveryarsenal.html)                                              |
| artifact                      | [AWS Artifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsartifact.html)                                                                               |
| auditmanager                  | [AWS Audit Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html)                                                                      |
| aws-marketplace               | [AWS Private Marketplace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatemarketplace.html)                                                          |
| aws-marketplace-management    | [AWS Marketplace Management Portal](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemanagementportal.html)                                       |
| awsconnector                  | [AWS Connector Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectorservice.html)                                                              |
| braket                        | [Amazon Braket](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html)                                                                             |
| budgets                       | [AWS Budget Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html)                                                                    |
| cassandra                     | [AWS Managed Apache Cassandra Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedapachecassandraservice.html)                                  |
| ce                            | [AWS Cost Explorer Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostexplorerservice.html)                                                       |
| chatbot                       | [AWS Chatbot](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html)                                                                                 |
| chime                         | [Amazon Chime](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)                                                                               |
| cloud9                        | [AWS Cloud9](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html)                                                                                   |
| cloudsearch                   | [Amazon CloudSearch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html)                                                                   |
| cloudshell                    | [AWS CloudShell](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudshell.html)                                                                           |
| codeartifact                  | [AWS CodeArtifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html)                                                                       |
| codeguru                      | [Amazon CodeGuru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguru.html)                                                                         |
| codeguru-profiler             | [Amazon CodeGuru Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html)                                                        |
| codeguru-reviewer             | [Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html)                                                        |
| codestar                      | [AWS CodeStar](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html)                                                                               |
| codestar-connections          | [AWS CodeStar Connections](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html)                                                        |
| codestar-notifications        | [AWS CodeStar Notifications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html)                                                    |
| compute-optimizer             | [Compute Optimizer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_computeoptimizer.html)                                                                     |
| cur                           | [AWS Cost and Usage Report](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html)                                                        |
| databrew                      | [AWS Glue DataBrew](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html)                                                                      |
| datapipeline                  | [Data Pipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html)                                                                             |
| dax                           | [Amazon DynamoDB Accelerator (DAX)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html)                                         |
| dbqms                         | [Database Query Metadata Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_databasequerymetadataservice.html)                                           |
| deepcomposer                  | [AWS DeepComposer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepcomposer.html)                                                                       |
| deeplens                      | [AWS DeepLens](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeeplens.html)                                                                               |
| deepracer                     | [AWS DeepRacer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepracer.html)                                                                             |
| detective                     | [Amazon Detective](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html)                                                                       |
| devicefarm                    | [AWS Device Farm](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html)                                                                          |
| devops-guru                   | [Amazon DevOps Guru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html)                                                                    |
| discovery                     | [Application Discovery](https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscovery.html)                                                             |
| dlm                           | [Amazon Data Lifecycle Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html)                                               |
| ec2-instance-connect          | [Amazon EC2 Instance Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html)                                                   |
| ecr-public                    | [Amazon Elastic Container Registry Public](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html)                          |
| elastic-inference             | [Amazon Elastic Inference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticinference.html)                                                        |
| elastictranscoder             | [Amazon Elastic Transcoder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html)                                                      |
| elemental-activations         | [Elemental Activations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalactivations.html)                                                             |
| elemental-appliances-software | [AWS Elemental Appliances and Software](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalappliancesandsoftware.html)                                |
| elemental-support-cases       | [Elemental Support Cases](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcases.html)                                                          |
| elemental-support-content     | [Elemental Support Content](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcontent.html)                                                      |
| emr-containers                | [Amazon EMR on EKS (EMR Containers)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html)                                         |
| fis                           | [AWS Fault Injection Simulator](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html)                                               |
| frauddetector                 | [Amazon Fraud Detector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html)                                                              |
| gamelift                      | [Amazon GameLift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html)                                                                         |
| geo                           | [Amazon Location](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html)                                                                         |
| grafana                       | [Amazon Managed Service for Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforgrafana.html)                                      |
| groundstation                 | [AWS Ground Station](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html)                                                                    |
| groundtruthlabeling           | [Amazon GroundTruth Labeling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundtruthlabeling.html)                                                  |
| healthlake                    | [Amazon HealthLake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html)                                                                     |
| honeycode                     | [Amazon Honeycode](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html)                                                                       |
| identitystore                 | [AWS Identity Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html)                                                                    |
| imagebuilder                  | [Amazon EC2 Image Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html)                                                         |
| iot1click                     | [AWS IoT 1-Click](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot1-click.html)                                                                          |
| iotanalytics                  | [AWS IoT Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html)                                                                      |
| iotfleethub                   | [Fleet Hub for AWS IoT Device Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_fleethubforawsiotdevicemanagement.html)                              |
| iotsitewise                   | [AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html)                                                                        |
| iotthingsgraph                | [AWS IoT Things Graph](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotthingsgraph.html)                                                                 |
| iq                            | [AWS IQ](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiq.html)                                                                                           |
| iq-permission                 | [AWS IQ Permissions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiqpermissions.html)                                                                    |
| ivs                           | [Amazon Interactive Video Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html)                                         |
| kendra                        | [Amazon Kendra](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html)                                                                             |
| launchwizard                  | [Launch Wizard](https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html)                                                                             |
| lex                           | [Amazon Lex V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html)                                                                              |
| license-manager               | [AWS License Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html)                                                                  |
| lightsail                     | [Amazon Lightsail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html)                                                                       |
| lookoutequipment              | [Amazon Lookout for Equipment](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html)                                                 |
| lookoutmetrics                | [Amazon Lookout for Metrics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html)                                                     |
| lookoutvision                 | [Amazon Lookout for Vision](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html)                                                       |
| machinelearning               | [Amazon Machine Learning](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmachinelearning.html)                                                          |
| managedblockchain             | [Amazon Managed Blockchain](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html)                                                      |
| marketplacecommerceanalytics  | [AWS Marketplace Commerce Analytics Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecommerceanalyticsservice.html)                      |
| mechanicalturk                | [Amazon Mechanical Turk](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmechanicalturk.html)                                                            |
| mediapackage                  | [AWS Elemental MediaPackage](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html)                                                    |
| mediapackage-vod              | [AWS Elemental MediaPackage VOD](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html)                                             |
| mediastore                    | [AWS Elemental MediaStore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html)                                                        |
| mediatailor                   | [AWS Elemental MediaTailor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html)                                                      |
| mgh                           | [AWS Migration Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html)                                                                      |
| mobileanalytics               | [Amazon Mobile Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmobileanalytics.html)                                                          |
| mobilehub                     | [AWS Mobile Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmobilehub.html)                                                                            |
| monitron                      | [Amazon Monitron](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmonitron.html)                                                                         |
| network-firewall              | [AWS Network Firewall](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html)                                                                |
| networkmanager                | [Network Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html)                                                                         |
| panorama                      | [AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html)                                                                               |
| pi                            | [AWS Performance Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html)                                                        |
| pricing                       | [AWS Price List](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html)                                                                            |
| profile                       | [Amazon Connect Customer Profiles](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html)                                         |
| proton                        | [AWS Proton](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html)                                                                                   |
| purchase-orders               | [AWS Purchase Orders Console](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspurchaseordersconsole.html)                                                   |
| ram                           | [AWS Resource Access Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html)                                                   |
| redshift-data                 | [Amazon Redshift Data API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html)                                                         |
| resource-explorer             | [AWS Tag Editor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstageditor.html)                                                                            |
| resource-groups               | [AWS Resource Groups](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html)                                                                  |
| s3-object-lambda              | [Amazon S3 Object Lambda](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html)                                                           |
| s3-outposts                   | [Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html)                                                               |
| savingsplans                  | [AWS Savings Plans](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html)                                                                      |
| schemas                       | [Amazon EventBridge Schemas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html)                                                    |
| sdb                           | [Amazon SimpleDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html)                                                                         |
| servicediscovery              | [AWS Cloud Map](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html)                                                                              |
| servicequotas                 | [Service Quotas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html)                                                                           |
| ses                           | [Amazon Simple Email Service v2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html)                                              |
| signer                        | [AWS Signer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html)                                                                                   |
| sms-voice                     | [Amazon Pinpoint SMS and Voice Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html)                                 |
| sso                           | [AWS SSO](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html)                                                                                         |
| sso-directory                 | [AWS SSO Directory](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html)                                                                      |
| sumerian                      | [Amazon Sumerian](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsumerian.html)                                                                         |
| synthetics                    | [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html)                                                |
| tag                           | [Amazon Resource Group Tagging API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html)                                        |
| timestream                    | [AWS Timestream](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html)                                                                           |
| tiros                         | [AWS Tiros](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstiros.html)                                                                                     |
| trustedadvisor                | [AWS Trusted Advisor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstrustedadvisor.html)                                                                  |
| wam                           | [Amazon WorkSpaces Application Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesapplicationmanager.html)                               |
| wellarchitected               | [AWS Well-Architected Tool](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html)                                                      |
| workmail                      | [Amazon WorkMail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html)                                                                         |
| workmailmessageflow           | [Amazon WorkMail Message Flow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmailmessageflow.html)                                                 |
```

</details>

### JSON Output

* You can also specify the `--json-list` option to output the results in JSON, as shown below:

```
aws-allowlister generate --pci --json-list
```
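One way to put the `--json-list` output to work, as an added example that is not part of aws-allowlister: compare the service prefixes an existing SCP lets through against the generated list. The sample list and SCP are constructed, the function names are hypothetical, and the SCP is assumed to express its allow list either as `Allow`/`Action` or as `Deny`/`NotAction`.

```python
import json

REQUIRED_KEYS = {"service_name", "service_authorization_url"}
DOCS = "https://docs.aws.amazon.com/service-authorization/latest/reference/"

# Constructed sample in the shape of `aws-allowlister generate --pci --json-list`:
# IAM service prefix -> service_name / service_authorization_url.
SAMPLE_JSON_LIST = json.dumps({
    "acm": {"service_name": "AWS Certificate Manager",
            "service_authorization_url": DOCS + "list_awscertificatemanager.html"},
    "cloudtrail": {"service_name": "AWS CloudTrail",
                   "service_authorization_url": DOCS + "list_awscloudtrail.html"},
    "kms": {"service_name": "AWS Key Management Service",
            "service_authorization_url": DOCS + "list_awskeymanagementservice.html"},
})

# Constructed SCP under review (not generated by the tool).
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowList",
        "Effect": "Allow",
        "Action": ["acm:*", "kms:Decrypt", "KMS:Encrypt", "gamelift:*", "lightsail:Get*"],
        "Resource": "*",
    }],
}


def load_json_list(text):
    """Parse --json-list output and check that every entry has the expected keys."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by IAM service prefix")
    for prefix, meta in data.items():
        if not isinstance(meta, dict) or not REQUIRED_KEYS.issubset(meta):
            raise ValueError(f"entry {prefix!r} is missing {sorted(REQUIRED_KEYS)}")
    return data


def _as_list(value):
    """IAM policy JSON allows a single item where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def scp_service_prefixes(scp):
    """Return the service prefixes the SCP lets through.

    Assumption: the allow list is written as Allow/Action or as Deny/NotAction.
    Other statement shapes are ignored here.
    """
    prefixes = set()
    for stmt in _as_list(scp.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Allow":
            actions = _as_list(stmt.get("Action"))
        elif effect == "Deny":
            actions = _as_list(stmt.get("NotAction"))
        else:
            continue
        for action in actions:
            # Service prefixes are compared case-insensitively.
            prefixes.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return prefixes


def audit_scp(scp, json_list):
    """Compare an SCP against the generated list of compliant services."""
    allowed = scp_service_prefixes(scp)
    compliant = set(json_list)
    wildcard = "*" in allowed
    return {
        # A bare "*" lets every service through, compliant or not.
        "wildcard_all": wildcard,
        # Services the SCP permits that the compliance list does not contain.
        "not_in_allowlist": sorted(allowed - compliant - {"*"}),
        # Compliant services the SCP does not yet let through.
        "missing_from_scp": [] if wildcard else sorted(compliant - allowed),
    }


if __name__ == "__main__":
    report = audit_scp(SAMPLE_SCP, load_json_list(SAMPLE_JSON_LIST))
    print(json.dumps(report, indent=2))
```

In practice, replace `SAMPLE_JSON_LIST` with the text the command prints and `SAMPLE_SCP` with the policy document attached to the organizational unit being reviewed.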

The generated JSON list will look like this:

<details>
<summary>Example AllowList JSON list</summary>

```
{
  "access-analyzer": {
    "service_name": "IAM Access Analyzer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_iamaccessanalyzer.html"
  },
  "account": {
    "service_name": "AWS Accounts",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccounts.html"
  },
  "acm": {
    "service_name": "AWS Certificate Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html"
  },
  "amplify": {
    "service_name": "AWS Amplify",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html"
  },
  "amplifybackend": {
    "service_name": "AWS Amplify Admin",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyadmin.html"
  },
  "apigateway": {
    "service_name": "Manage Amazon API Gateway",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_manageamazonapigateway.html"
  },
  "application-autoscaling": {
    "service_name": "Application Auto Scaling",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationautoscaling.html"
  },
  "appmesh": {
    "service_name": "AWS App Mesh",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html"
  },
  "appstream": {
    "service_name": "Amazon AppStream 2.0",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream2.0.html"
  },
  "appsync": {
    "service_name": "AWS AppSync",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html"
  },
  "athena": {
    "service_name": "Amazon Athena",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html"
  },
  "autoscaling": {
    "service_name": "Amazon EC2 Auto Scaling",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2autoscaling.html"
  },
  "autoscaling-plans": {
    "service_name": "AWS Auto Scaling",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscaling.html"
  },
  "aws-portal": {
    "service_name": "AWS Billing",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbilling.html"
  },
  "backup": {
    "service_name": "AWS Backup",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html"
  },
  "backup-storage": {
    "service_name": "AWS Backup storage",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackupstorage.html"
  },
  "batch": {
    "service_name": "AWS Batch",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html"
  },
  "cassandra": {
    "service_name": "AWS Managed Apache Cassandra Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmanagedapachecassandraservice.html"
  },
  "chatbot": {
    "service_name": "AWS Chatbot",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html"
  },
  "clouddirectory": {
    "service_name": "Amazon Cloud Directory",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonclouddirectory.html"
  },
  "cloudformation": {
    "service_name": "AWS CloudFormation",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html"
  },
  "cloudfront": {
    "service_name": "Amazon CloudFront",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html"
  },
  "cloudhsm": {
    "service_name": "AWS CloudHSM",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudhsm.html"
  },
  "cloudtrail": {
    "service_name": "AWS CloudTrail",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html"
  },
  "cloudwatch": {
    "service_name": "Amazon CloudWatch",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html"
  },
  "codebuild": {
    "service_name": "AWS CodeBuild",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodebuild.html"
  },
  "codecommit": {
    "service_name": "AWS CodeCommit",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html"
  },
  "codedeploy": {
    "service_name": "AWS CodeDeploy",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html"
  },
  "codepipeline": {
    "service_name": "AWS CodePipeline",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html"
  },
  "cognito-identity": {
    "service_name": "Amazon Cognito Identity",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html"
  },
  "cognito-idp": {
    "service_name": "Amazon Cognito User Pools",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html"
  },
  "cognito-sync": {
    "service_name": "Amazon Cognito Sync",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitosync.html"
  },
  "comprehend": {
    "service_name": "Amazon Comprehend",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehend.html"
  },
  "comprehendmedical": {
    "service_name": "Comprehend Medical",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_comprehendmedical.html"
  },
  "config": {
    "service_name": "AWS Config",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html"
  },
  "connect": {
    "service_name": "Amazon Connect",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html"
  },
  "databrew": {
    "service_name": "AWS Glue DataBrew",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html"
  },
  "dataexchange": {
    "service_name": "AWS Data Exchange",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdataexchange.html"
  },
  "datasync": {
    "service_name": "DataSync",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datasync.html"
  },
  "directconnect": {
    "service_name": "AWS Direct Connect",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectconnect.html"
  },
  "dms": {
    "service_name": "AWS Database Migration Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html"
  },
  "ds": {
    "service_name": "AWS Directory Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html"
  },
  "dynamodb": {
    "service_name": "Amazon DynamoDB",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html"
  },
  "ebs": {
    "service_name": "Amazon Elastic Block Store",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html"
  },
  "ec2": {
    "service_name": "Amazon EC2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
  },
  "ec2messages": {
    "service_name": "Amazon Message Delivery Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagedeliveryservice.html"
  },
  "ecr": {
    "service_name": "Amazon Elastic Container Registry",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html"
  },
  "ecs": {
    "service_name": "Amazon Elastic Container Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html"
  },
  "eks": {
    "service_name": "Amazon Elastic Kubernetes Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html"
  },
  "elasticache": {
    "service_name": "Amazon ElastiCache",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html"
  },
  "elasticbeanstalk": {
    "service_name": "AWS Elastic Beanstalk",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html"
  },
  "elasticfilesystem": {
    "service_name": "Amazon Elastic File System",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html"
  },
  "elasticloadbalancing": {
    "service_name": "Elastic Load Balancing V2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancingv2.html"
  },
  "elasticmapreduce": {
    "service_name": "Amazon Elastic MapReduce",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticmapreduce.html"
  },
  "es": {
    "service_name": "Amazon Elasticsearch Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticsearchservice.html"
  },
  "events": {
    "service_name": "Amazon EventBridge",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html"
  },
  "execute-api": {
    "service_name": "Amazon API Gateway",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonapigateway.html"
  },
  "firehose": {
    "service_name": "Amazon Kinesis Firehose",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html"
  },
  "fms": {
    "service_name": "AWS Firewall Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html"
  },
  "forecast": {
    "service_name": "Amazon Forecast",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonforecast.html"
  },
  "freertos": {
    "service_name": "Amazon FreeRTOS",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfreertos.html"
  },
  "fsx": {
    "service_name": "Amazon FSx",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html"
  },
  "glacier": {
    "service_name": "Amazon Glacier",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonglacier.html"
  },
  "globalaccelerator": {
    "service_name": "AWS Global Accelerator",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglobalaccelerator.html"
  },
  "glue": {
    "service_name": "AWS Glue",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html"
  },
  "greengrass": {
    "service_name": "AWS IoT Greengrass V2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrassv2.html"
  },
  "groundstation": {
    "service_name": "AWS Ground Station",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html"
  },
  "guardduty": {
    "service_name": "Amazon GuardDuty",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html"
  },
  "health": {
    "service_name": "AWS Health APIs and Notifications",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthapisandnotifications.html"
  },
  "iam": {
    "service_name": "Identity And Access Management",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html"
  },
  "importexport": {
    "service_name": "AWS Import Export Disk Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsimportexportdiskservice.html"
  },
  "inspector": {
    "service_name": "Amazon Inspector",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html"
  },
  "iot": {
    "service_name": "AWS IoT",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html"
  },
  "iot-device-tester": {
    "service_name": "AWS IoT Device Tester",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotdevicetester.html"
  },
  "iotdeviceadvisor": {
    "service_name": "AWS IoT Core Device Advisor",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html"
  },
  "iotevents": {
    "service_name": "AWS IoT Events",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html"
  },
  "iotwireless": {
    "service_name": "AWS IoT Core for LoRaWAN",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoreforlorawan.html"
  },
  "kafka": {
    "service_name": "Amazon Managed Streaming for Kafka",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforkafka.html"
  },
  "kendra": {
    "service_name": "Amazon Kendra",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html"
  },
  "kinesis": {
    "service_name": "Amazon Kinesis",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html"
  },
  "kinesisanalytics": {
    "service_name": "Amazon Kinesis Analytics V2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html"
  },
  "kinesisvideo": {
    "service_name": "Amazon Kinesis Video Streams",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideostreams.html"
  },
  "kms": {
    "service_name": "AWS Key Management Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html"
  },
  "lakeformation": {
    "service_name": "AWS Lake Formation",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslakeformation.html"
  },
  "lambda": {
    "service_name": "AWS Lambda",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html"
  },
  "lex": {
    "service_name": "Amazon Lex V2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html"
  },
  "license-manager": {
    "service_name": "AWS License Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanager.html"
  },
  "logs": {
    "service_name": "Amazon CloudWatch Logs",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html"
  },
  "macie": {
    "service_name": "Amazon Macie Classic",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacieclassic.html"
  },
  "macie2": {
    "service_name": "Amazon Macie",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmacie.html"
  },
  "mediaconnect": {
    "service_name": "AWS Elemental MediaConnect",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconnect.html"
  },
  "mediaconvert": {
    "service_name": "AWS Elemental MediaConvert",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconvert.html"
  },
  "medialive": {
    "service_name": "AWS Elemental MediaLive",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmedialive.html"
  },
  "mobiletargeting": {
    "service_name": "Amazon Pinpoint",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html"
  },
  "mq": {
    "service_name": "Amazon MQ",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html"
  },
  "neptune-db": {
    "service_name": "Amazon Neptune",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonneptune.html"
  },
  "opsworks": {
    "service_name": "AWS OpsWorks",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworks.html"
  },
  "opsworks-cm": {
    "service_name": "AWS OpsWorks Configuration Management",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworksconfigurationmanagement.html"
  },
  "organizations": {
    "service_name": "AWS Organizations",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html"
  },
  "outposts": {
    "service_name": "AWS Outposts",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoutposts.html"
  },
  "personalize": {
    "service_name": "Amazon Personalize",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpersonalize.html"
  },
  "polly": {
    "service_name": "Amazon Polly",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html"
  },
  "qldb": {
    "service_name": "Amazon QLDB",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html"
  },
  "quicksight": {
    "service_name": "Amazon QuickSight",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html"
  },
  "rds": {
    "service_name": "Amazon RDS",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html"
  },
  "rds-data": {
    "service_name": "Amazon RDS Data API",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsdataapi.html"
  },
  "rds-db": {
    "service_name": "Amazon RDS IAM Authentication",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsiamauthentication.html"
  },
  "redshift": {
    "service_name": "Amazon Redshift",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html"
  },
  "rekognition": {
    "service_name": "Amazon Rekognition",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html"
  },
  "resource-groups": {
    "service_name": "AWS Resource Groups",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html"
  },
  "robomaker": {
    "service_name": "AWS RoboMaker",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrobomaker.html"
  },
  "route53": {
    "service_name": "Amazon Route 53",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html"
  },
  "route53domains": {
    "service_name": "Amazon Route 53 Domains",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53domains.html"
  },
  "route53resolver": {
    "service_name": "Amazon Route 53 Resolver",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html"
  },
  "s3": {
    "service_name": "Amazon S3",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html"
  },
  "sagemaker": {
    "service_name": "Amazon SageMaker",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html"
  },
  "sdb": {
    "service_name": "Amazon SimpleDB",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html"
  },
  "secretsmanager": {
    "service_name": "AWS Secrets Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html"
  },
  "securityhub": {
    "service_name": "AWS Security Hub",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html"
  },
  "serverlessrepo": {
    "service_name": "AWS Serverless Application Repository",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserverlessapplicationrepository.html"
  },
  "servicecatalog": {
    "service_name": "AWS Service Catalog",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html"
  },
  "servicediscovery": {
    "service_name": "AWS Cloud Map",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html"
  },
  "shield": {
    "service_name": "AWS Shield",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html"
  },
  "sms": {
    "service_name": "AWS Server Migration Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservermigrationservice.html"
  },
  "sms-voice": {
    "service_name": "Amazon Pinpoint SMS and Voice Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html"
  },
  "snowball": {
    "service_name": "AWS Snowball",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssnowball.html"
  },
  "sns": {
    "service_name": "Amazon SNS",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsns.html"
  },
  "sqs": {
    "service_name": "Amazon SQS",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html"
  },
  "ssm": {
    "service_name": "AWS Systems Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html"
  },
  "ssmmessages": {
    "service_name": "Amazon Session Manager Message Gateway Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsessionmanagermessagegatewayservice.html"
  },
  "states": {
    "service_name": "AWS Step Functions",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html"
  },
  "storagegateway": {
    "service_name": "Amazon Storage Gateway",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonstoragegateway.html"
  },
  "sts": {
    "service_name": "AWS Security Token Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html"
  },
  "support": {
    "service_name": "AWS Support",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssupport.html"
  },
  "swf": {
    "service_name": "Amazon Simple Workflow Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleworkflowservice.html"
  },
  "textract": {
    "service_name": "Amazon Textract",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html"
  },
  "timestream": {
    "service_name": "AWS Timestream",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstimestream.html"
  },
  "transcribe": {
    "service_name": "Amazon Transcribe",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html"
  },
  "transfer": {
    "service_name": "AWS Transfer for SFTP",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferforsftp.html"
  },
  "translate": {
    "service_name": "Amazon Translate",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranslate.html"
  },
  "trustedadvisor": {
    "service_name": "AWS Trusted Advisor",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstrustedadvisor.html"
  },
  "waf": {
    "service_name": "AWS WAF",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswaf.html"
  },
  "waf-regional": {
    "service_name": "AWS WAF Regional",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafregional.html"
  },
  "wafv2": {
    "service_name": "AWS WAF V2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html"
  },
  "workdocs": {
    "service_name": "Amazon WorkDocs",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkdocs.html"
  },
  "worklink": {
    "service_name": "Amazon WorkLink",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworklink.html"
  },
  "workspaces": {
    "service_name": "Amazon WorkSpaces",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html"
  },
  "xray": {
    "service_name": "AWS X-Ray",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html"
  }
}
```

</details>
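The JSON list above is keyed by IAM service prefix, which makes it easy to check existing IAM policies against it before the AllowList SCP is rolled out. The following is an added example, not part of aws-allowlister: the function names and the sample policy are assumptions, and the embedded allowlist is a three-entry sample copied from the output above.

```python
import json

# Constructed sample: three entries in the JSON list format shown above.
ALLOWED_JSON = """
{
  "kms": {
    "service_name": "AWS Key Management Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html"
  },
  "lambda": {
    "service_name": "AWS Lambda",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html"
  },
  "s3": {
    "service_name": "Amazon S3",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html"
  }
}
"""

# Constructed IAM identity policy used only for this illustration.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppData", "Effect": "Allow",
     "Action": ["s3:GetObject", "kms:Decrypt"], "Resource": "*"},
    {"Sid": "DevSandbox", "Effect": "Allow",
     "Action": ["lightsail:*", "Lambda:InvokeFunction"], "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "NoCloud9", "Effect": "Deny", "Action": "cloud9:*", "Resource": "*"}
  ]
}
"""


def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def load_service_prefixes(json_text):
    """Parse the JSON list and return {iam_prefix: service_name}."""
    data = json.loads(json_text)
    prefixes = {}
    for prefix, entry in data.items():
        if not isinstance(entry, dict) or "service_name" not in entry:
            raise ValueError(f"unexpected entry for {prefix!r}")
        prefixes[prefix.lower()] = entry["service_name"]
    return prefixes


def audit_policy(policy, allowed):
    """Return (sid, action, reason) for Allow statements the SCP would cut back."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are unaffected by an AllowList SCP
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "review manually"))
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, action, "limited to allowlisted services"))
                continue
            # Service prefixes are case-insensitive in IAM actions.
            prefix = action.split(":", 1)[0].lower()
            if prefix not in allowed:
                findings.append((sid, action, "service not allowlisted"))
    return findings


def run_sample():
    allowed = load_service_prefixes(ALLOWED_JSON)
    return audit_policy(json.loads(POLICY_JSON), allowed)


if __name__ == "__main__":
    for sid, action, reason in run_sample():
        print(f"{sid}: {action} -> {reason}")
```

In practice, pass the tool's full JSON output to `load_service_prefixes` instead of the three-entry sample.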

### JSON Output of Excluded Services

* As with the Markdown Table output, you can specify the `--excluded-json-list` option to output the list of excluded services in JSON, as shown below:

```
aws-allowlister generate --pci --excluded-json-list
```

The results will look like this:

<details>
<summary>Example excluded services JSON list</summary>

```
{
  "a4b": {
    "service_name": "Alexa for Business",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html"
  },
  "acm-pca": {
    "service_name": "AWS Certificate Manager Private Certificate Authority",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanagerprivatecertificateauthority.html"
  },
  "activate": {
    "service_name": "AWS Activate",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsactivate.html"
  },
  "airflow": {
    "service_name": "Amazon Managed Workflows for Apache Airflow",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html"
  },
  "app-integrations": {
    "service_name": "Amazon AppIntegrations",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html"
  },
  "appconfig": {
    "service_name": "AWS AppConfig",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html"
  },
  "appflow": {
    "service_name": "Amazon AppFlow",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html"
  },
  "application-cost-profiler": {
    "service_name": "AWS Application Cost Profiler Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationcostprofilerservice.html"
  },
  "applicationinsights": {
    "service_name": "CloudWatch Application Insights",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_cloudwatchapplicationinsights.html"
  },
  "appmesh-preview": {
    "service_name": "AWS App Mesh Preview",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmeshpreview.html"
  },
  "apprunner": {
    "service_name": "AWS App Runner",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html"
  },
  "aps": {
    "service_name": "Amazon Managed Service for Prometheus",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html"
  },
  "arsenal": {
    "service_name": "Application Discovery Arsenal",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscoveryarsenal.html"
  },
  "artifact": {
    "service_name": "AWS Artifact",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsartifact.html"
  },
  "auditmanager": {
    "service_name": "AWS Audit Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html"
  },
  "aws-marketplace": {
    "service_name": "AWS Private Marketplace",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatemarketplace.html"
  },
  "aws-marketplace-management": {
    "service_name": "AWS Marketplace Management Portal",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacemanagementportal.html"
  },
  "awsconnector": {
    "service_name": "AWS Connector Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconnectorservice.html"
  },
  "braket": {
    "service_name": "Amazon Braket",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html"
  },
  "budgets": {
    "service_name": "AWS Budget Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html"
  },
  "ce": {
    "service_name": "AWS Cost Explorer Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostexplorerservice.html"
  },
  "chime": {
    "service_name": "Amazon Chime",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html"
  },
  "cloud9": {
    "service_name": "AWS Cloud9",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html"
  },
  "cloudsearch": {
    "service_name": "Amazon CloudSearch",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html"
  },
  "cloudshell": {
    "service_name": "AWS CloudShell",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudshell.html"
  },
  "codeartifact": {
    "service_name": "AWS CodeArtifact",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html"
  },
  "codeguru": {
    "service_name": "Amazon CodeGuru",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguru.html"
  },
  "codeguru-profiler": {
    "service_name": "Amazon CodeGuru Profiler",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html"
  },
  "codeguru-reviewer": {
    "service_name": "Amazon CodeGuru Reviewer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html"
  },
  "codestar": {
    "service_name": "AWS CodeStar",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html"
  },
  "codestar-connections": {
    "service_name": "AWS CodeStar Connections",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarconnections.html"
  },
  "codestar-notifications": {
    "service_name": "AWS CodeStar Notifications",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html"
  },
  "compute-optimizer": {
    "service_name": "Compute Optimizer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_computeoptimizer.html"
  },
  "controltower": {
    "service_name": "AWS Control Tower",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscontroltower.html"
  },
  "cur": {
    "service_name": "AWS Cost and Usage Report",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html"
  },
  "datapipeline": {
    "service_name": "Data Pipeline",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_datapipeline.html"
  },
  "dax": {
    "service_name": "Amazon DynamoDB Accelerator (DAX)",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html"
  },
  "dbqms": {
    "service_name": "Database Query Metadata Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_databasequerymetadataservice.html"
  },
  "deepcomposer": {
    "service_name": "AWS DeepComposer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepcomposer.html"
  },
  "deeplens": {
    "service_name": "AWS DeepLens",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeeplens.html"
  },
  "deepracer": {
    "service_name": "AWS DeepRacer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdeepracer.html"
  },
  "detective": {
    "service_name": "Amazon Detective",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondetective.html"
  },
  "devicefarm": {
    "service_name": "AWS Device Farm",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html"
  },
  "devops-guru": {
    "service_name": "Amazon DevOps Guru",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html"
  },
  "discovery": {
    "service_name": "Application Discovery",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_applicationdiscovery.html"
  },
  "dlm": {
    "service_name": "Amazon Data Lifecycle Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html"
  },
  "ec2-instance-connect": {
    "service_name": "Amazon EC2 Instance Connect",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2instanceconnect.html"
  },
  "ecr-public": {
    "service_name": "Amazon Elastic Container Registry Public",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html"
  },
  "elastic-inference": {
    "service_name": "Amazon Elastic Inference",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticinference.html"
  },
  "elastictranscoder": {
    "service_name": "Amazon Elastic Transcoder",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html"
  },
  "elemental-activations": {
    "service_name": "Elemental Activations",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalactivations.html"
  },
  "elemental-appliances-software": {
    "service_name": "AWS Elemental Appliances and Software",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalappliancesandsoftware.html"
  },
  "elemental-support-cases": {
    "service_name": "Elemental Support Cases",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcases.html"
  },
  "elemental-support-content": {
    "service_name": "Elemental Support Content",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_elementalsupportcontent.html"
  },
  "emr-containers": {
    "service_name": "Amazon EMR on EKS (EMR Containers)",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html"
  },
  "fis": {
    "service_name": "AWS Fault Injection Simulator",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html"
  },
  "frauddetector": {
    "service_name": "Amazon Fraud Detector",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector.html"
  },
  "gamelift": {
    "service_name": "Amazon GameLift",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift.html"
  },
  "geo": {
    "service_name": "Amazon Location",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html"
  },
  "grafana": {
    "service_name": "Amazon Managed Service for Grafana",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforgrafana.html"
  },
  "groundtruthlabeling": {
    "service_name": "Amazon GroundTruth Labeling",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongroundtruthlabeling.html"
  },
  "healthlake": {
    "service_name": "Amazon HealthLake",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html"
  },
  "honeycode": {
    "service_name": "Amazon Honeycode",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html"
  },
  "identitystore": {
    "service_name": "AWS Identity Store",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html"
  },
  "imagebuilder": {
    "service_name": "Amazon EC2 Image Builder",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html"
  },
  "iot1click": {
    "service_name": "AWS IoT 1-Click",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot1-click.html"
  },
  "iotanalytics": {
    "service_name": "AWS IoT Analytics",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html"
  },
  "iotfleethub": {
    "service_name": "Fleet Hub for AWS IoT Device Management",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_fleethubforawsiotdevicemanagement.html"
  },
  "iotsitewise": {
    "service_name": "AWS IoT SiteWise",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html"
  },
  "iotthingsgraph": {
    "service_name": "AWS IoT Things Graph",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotthingsgraph.html"
  },
  "iq": {
    "service_name": "AWS IQ",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiq.html"
  },
  "iq-permission": {
    "service_name": "AWS IQ Permissions",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiqpermissions.html"
  },
  "ivs": {
    "service_name": "Amazon Interactive Video Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html"
  },
  "kafka-cluster": {
    "service_name": "Apache Kafka APIs for Amazon MSK clusters",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_apachekafkaapisforamazonmskclusters.html"
  },
  "launchwizard": {
    "service_name": "Launch Wizard",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_launchwizard.html"
  },
  "lightsail": {
    "service_name": "Amazon Lightsail",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html"
  },
  "lookoutequipment": {
    "service_name": "Amazon Lookout for Equipment",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html"
  },
  "lookoutmetrics": {
    "service_name": "Amazon Lookout for Metrics",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html"
  },
  "lookoutvision": {
    "service_name": "Amazon Lookout for Vision",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html"
  },
  "machinelearning": {
    "service_name": "Amazon Machine Learning",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmachinelearning.html"
  },
  "managedblockchain": {
    "service_name": "Amazon Managed Blockchain",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html"
  },
  "marketplacecommerceanalytics": {
    "service_name": "AWS Marketplace Commerce Analytics Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacecommerceanalyticsservice.html"
  },
  "mechanicalturk": {
    "service_name": "Amazon Mechanical Turk",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmechanicalturk.html"
  },
  "mediapackage": {
    "service_name": "AWS Elemental MediaPackage",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackage.html"
  },
  "mediapackage-vod": {
    "service_name": "AWS Elemental MediaPackage VOD",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediapackagevod.html"
  },
  "mediastore": {
    "service_name": "AWS Elemental MediaStore",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html"
  },
  "mediatailor": {
    "service_name": "AWS Elemental MediaTailor",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html"
  },
  "mgh": {
    "service_name": "AWS Migration Hub",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html"
  },
  "mgn": {
    "service_name": "AWS Application Migration Service",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationmigrationservice.html"
  },
  "mobileanalytics": {
    "service_name": "Amazon Mobile Analytics",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmobileanalytics.html"
  },
  "mobilehub": {
    "service_name": "AWS Mobile Hub",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmobilehub.html"
  },
  "monitron": {
    "service_name": "Amazon Monitron",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmonitron.html"
  },
  "network-firewall": {
    "service_name": "AWS Network Firewall",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html"
  },
  "networkmanager": {
    "service_name": "Network Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_networkmanager.html"
  },
  "nimble": {
    "service_name": "Amazon Nimble Studio",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnimblestudio.html"
  },
  "panorama": {
    "service_name": "AWS Panorama",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html"
  },
  "pi": {
    "service_name": "AWS Performance Insights",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html"
  },
  "pricing": {
    "service_name": "AWS Price List",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html"
  },
  "profile": {
    "service_name": "Amazon Connect Customer Profiles",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html"
  },
  "proton": {
    "service_name": "AWS Proton",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsproton.html"
  },
  "purchase-orders": {
    "service_name": "AWS Purchase Orders Console",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspurchaseordersconsole.html"
  },
  "ram": {
    "service_name": "AWS Resource Access Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html"
  },
  "redshift-data": {
    "service_name": "Amazon Redshift Data API",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html"
  },
  "resource-explorer": {
    "service_name": "AWS Tag Editor",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstageditor.html"
  },
  "s3-object-lambda": {
    "service_name": "Amazon S3 Object Lambda",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3objectlambda.html"
  },
  "s3-outposts": {
    "service_name": "Amazon S3 on Outposts",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html"
  },
  "savingsplans": {
    "service_name": "AWS Savings Plans",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html"
  },
  "schemas": {
    "service_name": "Amazon EventBridge Schemas",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html"
  },
  "servicequotas": {
    "service_name": "Service Quotas",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html"
  },
  "ses": {
    "service_name": "Amazon Simple Email Service v2",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html"
  },
  "signer": {
    "service_name": "AWS Signer",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html"
  },
  "ssm-contacts": {
    "service_name": "AWS Systems Manager Incident Manager Contacts",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html"
  },
  "ssm-incidents": {
    "service_name": "AWS Systems Manager Incident Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanager.html"
  },
  "sso": {
    "service_name": "AWS SSO",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssso.html"
  },
  "sso-directory": {
    "service_name": "AWS SSO Directory",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html"
  },
  "sumerian": {
    "service_name": "Amazon Sumerian",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsumerian.html"
  },
  "synthetics": {
    "service_name": "Amazon CloudWatch Synthetics",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html"
  },
  "tag": {
    "service_name": "Amazon Resource Group Tagging API",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html"
  },
  "tiros": {
    "service_name": "AWS Tiros",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstiros.html"
  },
  "wam": {
    "service_name": "Amazon WorkSpaces Application Manager",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspacesapplicationmanager.html"
  },
  "wellarchitected": {
    "service_name": "AWS Well-Architected Tool",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html"
  },
  "workmail": {
    "service_name": "Amazon WorkMail",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html"
  },
  "workmailmessageflow": {
    "service_name": "Amazon WorkMail Message Flow",
    "service_authorization_url": "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmailmessageflow.html"
  }
}
```

</details>

## Arguments

`aws-allowlister` supports different arguments to generate fine-grained, compliance-focused Service Control Policy (SCP) AllowLists. You can specify individual flags for the compliance frameworks you care about.

```
Usage: aws-allowlister generate [OPTIONS]

Options:
  Compliance Standard Selection:
    -a, --all                     SOC, PCI, ISO, HIPAA, FedRAMP_High, and
                                  FedRAMP_Moderate.
    -s, --soc                     Include SOC-compliant services
    -p, --pci                     Include PCI-compliant services
    -h, --hipaa                   Include HIPAA-compliant services
    -i, --iso                     Include ISO-compliant services
    -fh, --fedramp-high           Include FedRAMP High
    -fm, --fedramp-moderate       Include FedRAMP Moderate
    -d2e, --dodccsrg-il2-ew       Include DoD CC SRG IL2 (East/West)
    -d2g, --dodccsrg-il2-gc       Include DoD CC SRG IL2 (GovCloud)
    -d4g, --dodccsrg-il4-gc       Include DoD CC SRG IL4 (GovCloud)
    -d5g, --dodccsrg-il5-gc       Include DoD CC SRG IL5 (GovCloud)
  Forcibly Include AWS Services: [mutually_exclusive]
    --include TEXT                Include specific AWS IAM services, specified
                                  in a comma separated string.
    --include-file PATH           A YAML file that contains a list of AWS IAM
                                  services to include.
  Forcibly Exclude AWS Services: [mutually_exclusive]
    --exclude TEXT                Exclude specific AWS IAM services, specified
                                  in a comma separated string.
    --exclude-file PATH           A YAML file that contains a list of AWS IAM
                                  services to exclude.
  Output options: [mutually_exclusive]
    --table                       Output a markdown-formatted table of the
                                  Service Prefixes alongside Service Names.
    --json-list                   Output a JSON object of the service
                                  prefixes, service names, and authorization
                                  URLs.
    --excluded-table              Output a markdown-formatted table of
                                  *excluded* services.
    --excluded-json-list          Output a JSON object of *excluded* service
                                  prefixes, service names, and authorization
                                  URLs.
  -q, --quiet
  --help                          Show this message and exit.

```


* For example, to generate a PCI-only Service Control Policy and save it to JSON:

```bash
aws-allowlister generate --pci --quiet > pci.json
```

* You can also chain command flags together. For example, to generate a Policy for all the major compliance frameworks but FedRAMP:

```bash
aws-allowlister generate -sphi --quiet
```

* Let's say your organization is not subject to FedRAMP or HIPAA, but you want to create a Policy for SOC, ISO, and PCI:

```bash
aws-allowlister generate -sip --quiet
```

### Exceptions: Including or Excluding Services

If you want to force-exclude or force-include a service, you have two options:

1. Specify the services in command line arguments
2. Specify the services in a YAML file and supply the file name

#### Example: Exclude Services using a file

For example, create a file called `exclusions.yml` with the following contents:

```yaml
# If you use this for exclusions, this will exclude EC2 and S3. Don't actually do this, this is just for the example
- ec2
- s3
```

Now you can specify the following arguments to leverage this file:

```bash
aws-allowlister generate --exclude-file exclusions.yml
```

Alternatively, you can supply the argument inline like this:

```bash
aws-allowlister generate --exclude ec2,s3
```

Notice that `ec2` and `s3` do not appear in the `NotAction` list of the output, so the policy denies them.


<details>
<summary>Exclude output</summary>

```
{
    "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowList",
            "Effect": "Deny",
            "Resource": "*",
            "NotAction": ["access-analyzer:*", "account:*", "acm:*", "amplify:*", "amplifybackend:*", "apigateway:*", "application-autoscaling:*", "appstream:*", "appsync:*", "athena:*", "autoscaling:*", "autoscaling-plans:*", "aws-portal:*", "backup:*", "backup-storage:*", "batch:*", "clouddirectory:*", "cloudformation:*", "cloudfront:*", "cloudhsm:*", "cloudtrail:*", "cloudwatch:*", "codebuild:*", "codecommit:*", "codedeploy:*", "codepipeline:*", "cognito-identity:*", "cognito-idp:*", "cognito-sync:*", "comprehend:*", "comprehendmedical:*", "config:*", "connect:*", "dataexchange:*", "datasync:*", "directconnect:*", "dms:*", "ds:*", "dynamodb:*", "ebs:*", "ec2messages:*", "ecr:*", "ecs:*", "eks:*", "elasticache:*", "elasticbeanstalk:*", "elasticfilesystem:*", "elasticloadbalancing:*", "elasticmapreduce:*", "es:*", "events:*", "execute-api:*", "firehose:*", "fms:*", "forecast:*", "freertos:*", "fsx:*", "glacier:*", "globalaccelerator:*", "glue:*", "greengrass:*", "guardduty:*", "health:*", "iam:*", "importexport:*", "inspector:*", "iot:*", "iot-device-tester:*", "iotdeviceadvisor:*", "iotevents:*", "iotwireless:*", "kafka:*", "kinesis:*", "kinesisanalytics:*", "kinesisvideo:*", "kms:*", "lakeformation:*", "lambda:*", "logs:*", "macie:*", "macie2:*", "mediaconnect:*", "mediaconvert:*", "medialive:*", "mobiletargeting:*", "mq:*", "neptune-db:*", "opsworks:*", "opsworks-cm:*", "organizations:*", "outposts:*", "personalize:*", "polly:*", "qldb:*", "quicksight:*", "rds:*", "rds-data:*", "rds-db:*", "redshift:*", "rekognition:*", "robomaker:*", "route53:*", "route53domains:*", "route53resolver:*", "sagemaker:*", "secretsmanager:*", "securityhub:*", "serverlessrepo:*", "servicecatalog:*", "shield:*", "sms:*", "snowball:*", "sns:*", "sqs:*", "ssm:*", "ssmmessages:*", "states:*", "storagegateway:*", "sts:*", "support:*", "swf:*", "textract:*", "transcribe:*", "transfer:*", "translate:*", "waf:*", "waf-regional:*", "wafv2:*", "workdocs:*", "worklink:*", "workspaces:*", 
"xray:*"]
        }
}
```

</details>


#### Example: Including a service using a file

You can also use this approach for force-including services. Let's say that you want to include the AWS Managed Blockchain service because your CEO is convinced you're going to the moon 🚀 (even though the AWS Managed Blockchain service does not meet any common compliance frameworks like PCI or HIPAA). You could create a file called `include.yml` with the contents:

```yaml
- managedblockchain
```

Then run the following command:

```bash
aws-allowlister generate --include-file include.yml
```

Alternatively, you can supply the argument inline like this:

```bash
aws-allowlister generate --include managedblockchain
```

Notice how the output includes the `managedblockchain` service.

<details>
<summary>Output with managed blockchain</summary>

```
{
    "Version": "2012-10-17",
        "Statement": {
            "Sid": "AllowList",
            "Effect": "Deny",
            "Resource": "*",
            "NotAction": ["access-analyzer:*", "account:*", "acm:*", "apigateway:*", "application-autoscaling:*", "appstream:*", "athena:*", "autoscaling:*", "autoscaling-plans:*", "aws-portal:*", "batch:*", "clouddirectory:*", "cloudformation:*", "cloudtrail:*", "cloudwatch:*", "codebuild:*", "codecommit:*", "codedeploy:*", "comprehend:*", "config:*", "datasync:*", "directconnect:*", "dms:*", "ds:*", "dynamodb:*", "ebs:*", "ec2:*", "ec2messages:*", "ecr:*", "ecs:*", "elasticache:*", "elasticbeanstalk:*", "elasticfilesystem:*", "elasticloadbalancing:*", "elasticmapreduce:*", "es:*", "events:*", "execute-api:*", "firehose:*", "glacier:*", "glue:*", "guardduty:*", "iam:*", "importexport:*", "inspector:*", "iot:*", "iot-device-tester:*", "iotdeviceadvisor:*", "iotwireless:*", "kinesis:*", "kms:*", "lakeformation:*", "lambda:*", "logs:*", "managedblockchain:*", "mediaconvert:*", "organizations:*", "polly:*", "rds:*", "rds-data:*", "rds-db:*", "redshift:*", "rekognition:*", "route53:*", "route53domains:*", "route53resolver:*", "s3:*", "sagemaker:*", "secretsmanager:*", "serverlessrepo:*", "servicecatalog:*", "sms:*", "snowball:*", "sns:*", "sqs:*", "ssm:*", "ssmmessages:*", "states:*", "sts:*", "support:*", "swf:*", "transcribe:*", "translate:*", "waf:*", "waf-regional:*", "wafv2:*", "workspaces:*"]
        }
}
```
</details>
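
A check you can run on a generated policy before attaching it, added here as an example (it is not part of `aws-allowlister`): it evaluates the `Deny`/`NotAction` statement against specific actions to confirm that forced exclusions are blocked and forced inclusions pass. The function names, the shortened sample policy and the probe actions are assumptions chosen for illustration.

```python
import json
import re

# Constructed sample in the shape aws-allowlister emits: one Deny statement
# whose NotAction lists the allowed service prefixes (list shortened here).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowList",
        "Effect": "Deny",
        "Resource": "*",
        "NotAction": ["cloudtrail:*", "iam:*", "kms:*", "managedblockchain:*", "sts:*"],
    },
}
SCP_MAX_CHARS = 5120  # AWS Organizations size quota for one SCP document


def _matches(pattern, action):
    """IAM-style match: case-insensitive, '*' is any run, '?' is one character."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def is_denied(policy, action):
    """True if a Deny/NotAction statement in the SCP blocks `action`."""
    stmts = policy["Statement"]
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Deny" or "NotAction" not in stmt:
            continue  # only AllowList-style statements are evaluated here
        allowed = stmt["NotAction"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if not any(_matches(p, action) for p in allowed):
            return True  # action is outside the allowlist, so the Deny applies
    return False


def check_allowlist(policy, must_block=(), must_pass=()):
    """Return findings; an empty list means the policy behaves as intended."""
    findings = []
    size = len(json.dumps(policy, separators=(",", ":")))
    if size > SCP_MAX_CHARS:
        findings.append(f"policy is {size} chars, limit is {SCP_MAX_CHARS}")
    findings += [f"{a} should be blocked but is allowlisted"
                 for a in must_block if not is_denied(policy, a)]
    findings += [f"{a} should be allowlisted but is blocked"
                 for a in must_pass if is_denied(policy, a)]
    return findings


if __name__ == "__main__":
    # Mirrors the README examples: ec2/s3 excluded, managedblockchain included.
    print(check_allowlist(SAMPLE_POLICY,
                          must_block=["ec2:RunInstances", "s3:GetObject"],
                          must_pass=["managedblockchain:CreateNetwork"]) or "OK")
```

An SCP never grants access, so a passing result only means the SCP does not block the action; IAM policies in the account still have to allow it.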

# Contributing

## Setup

* Set up the virtual environment

```bash
pipenv --python 3.7  # create the environment
pipenv shell         # start the environment
pipenv install       # install both development and production dependencies
```

* Build the package

```bash
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean
```

## Other tasks

* Update with the latest AWS Compliance data

```bash
make update-data
```

# Authors and Contributors

* [Kinnaird McQuade (@kmcquade3)](https://twitter.com/kmcquade3), Salesforce - Author
* [Jason Dyke (@jasonadyke)](https://twitter.com/jasonadyke), ScaleSec - Contributor

# 🚨 Disclaimer 🚨

The policies generated by `aws-allowlister` do not guarantee that your AWS accounts will be compliant or that you will become accredited with the supported compliance frameworks. These policies are intended to be a useful tool to assist with restricting which services can or cannot be leveraged.


