## Service Control Policy (SCP) preprocessor
A command-line tool that takes a single JSON file and outputs a collection of valid service control policies. This lets you organize your SCPs logically and write statements in a way that makes sense to you, without worrying directly about size constraints. The tool handles optimization and bin packing of your single JSON file into a collection of SCPs that fit the size limits. It also introduces some new SCP language concepts, explained below. The resulting SCPs are written to stdout.
### Getting Started
Installation:
Python 3.6+ is supported.
```
pip install scp-preprocessor
```
Basic usage:
```bash
scp-pre process file://my-single-scp > output.json
```
### Available Commands
**process**
```bash
scp-pre process file://my-single-scp.json
```
| Arguments | Description |
| --------- |----------- |
| --enable-logging | Enables log output to stdout. Leave this off if you want to use the SCP output, which is also written to stdout. |
| --retain-sid | Retain the SID element of the policy in the SCP output |
| --basic | Basic transformation. Skips the wildcarding of IAM actions that outputs the shortest possible action prefix to save space. |
| --pretty-print | Keep whitespace to make output readable. Useful for debugging. |
### New language constructs for IAM actions
#### Exclude a particular action from the resulting action list
The excluded value must be an exact action name; globbing is not supported. Useful when there are only a few exemptions.
Example:
```json
{
...
"Action": [
"iam:*User*",
"iam:{Exclude:ListUsers}"
]
}
```
The resulting SCP will contain all actions matching `iam:*User*` except for `iam:ListUsers`.
#### Adds support for wildcards in all parts of IAM action name
Example:
```json
{
...
"Action": [
"service:*PartOfActionName*"
]
}
```
Regular SCP syntax only supports wildcards at the end of the action name. The resulting SCP will have all actions that match this wildcard pattern expanded.
#### Adds support for comment element in SCPs
Example:
```json
{
...
"Action": [
"service:Action"
],
"Comment": "This will be stripped off before deployment, but can be helpful when left in a source repository."
}
```
Comments are stripped during preprocessing. This is a helpful place to store a short explanation of the policy statement.
### Transformations that are done to your SCP (in order)
1. SIDs and Comments are removed from all statements
2. Wildcards are expanded
3. Actions are excluded if using the {Exclude} syntax
4. Statements with the same Effect, Resource, and Condition are merged together
5. Actions are wildcarded to save space. This can be disabled with the `--basic` flag.
   1. Example: `iam:SetSecurityTokenServicePreferences` -> `iam:SetS*`
   2. You will want to run this transformation periodically (e.g. daily) if you use this feature. This is because new IAM actions are added over time that the transformation has not taken into account when shortening these action names.
6. Statements are bin packed to fit SCP size quotas
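
The following is an added sketch, not the tool's own code, of steps 2, 3 and 5 over a constructed action list; it shows why a shortened prefix goes stale once the service gains a new action. The catalogue, the function names, the action `SetSomethingNew` and the case-insensitive matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed subset of IAM action names; a real run needs the full, current action list.
CATALOGUE = ["CreateRole", "CreateUser", "DeleteRole", "DeleteUser", "GetRole", "GetUser",
             "ListUsers", "ListUserTags", "SetDefaultPolicyVersion",
             "SetSecurityTokenServicePreferences"]

def expand(entries, catalogue):
    """Steps 2-3: expand wildcards anywhere in the name, then drop {Exclude:Name} actions."""
    matched, excluded = set(), set()
    for entry in entries:
        name = entry.partition(":")[2]          # strip the "iam:" service prefix
        if name.startswith("{Exclude:") and name.endswith("}"):
            excluded.add(name[len("{Exclude:"):-1].lower())   # exact name, no globbing
        else:
            matched.update(a for a in catalogue if fnmatchcase(a.lower(), name.lower()))
    return sorted(a for a in matched if a.lower() not in excluded)

def shorten(wanted, catalogue):
    """Step 5: per action, the shortest prefix that matches no unwanted catalogue action."""
    wanted_set, out = set(wanted), set()
    for action in wanted:
        for n in range(1, len(action)):
            prefix = action[:n].lower()
            if all(a in wanted_set for a in catalogue if a.lower().startswith(prefix)):
                out.add(action[:n] + "*")
                break
        else:
            out.add(action)                      # no safe proper prefix: keep the exact name
    return sorted(out)

def stale_matches(patterns, wanted, catalogue):
    """Catalogue actions that the shortened patterns match although they were never wanted."""
    return sorted(a for a in catalogue if a not in wanted
                  and any(fnmatchcase(a.lower(), p.lower()) for p in patterns))

if __name__ == "__main__":
    users = expand(["iam:*User*", "iam:{Exclude:ListUsers}"], CATALOGUE)
    print(users, shorten(users, CATALOGUE))
    sts = ["SetSecurityTokenServicePreferences"]
    old = shorten(sts, CATALOGUE)
    grown = CATALOGUE + ["SetSomethingNew"]      # hypothetical action added later
    print(old, stale_matches(old, sts, grown), shorten(sts, grown))
```

In a Deny statement a stale prefix silently blocks the newly added action, and in an allow-list it silently permits it, which is the reason to regenerate the output on a schedule.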
## Security
See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
## License
This library is licensed under the MIT-0 License. See the LICENSE file.
Raw data
{
"_id": null,
"home_page": "https://github.com/aws-samples/service-control-policy-preprocessor",
"name": "service-control-policy-preprocessor",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": null,
"keywords": "scp-preprocess aws iam SCP service control policy",
"author": "matluttr",
"author_email": "matluttr@amazon.com",
"download_url": "https://files.pythonhosted.org/packages/91/6f/9f309aca48d23aa862b213de2391456d98c77678099538c2b91ae0059598/service_control_policy_preprocessor-0.0.1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT-0",
"summary": "Preprocesses SCPs.",
"version": "0.0.1",
"project_urls": {
"Homepage": "https://github.com/aws-samples/service-control-policy-preprocessor"
},
"split_keywords": [
"scp-preprocess",
"aws",
"iam",
"scp",
"service",
"control",
"policy"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "6012c09b838eed2b70231386e78a074a67d8b0c73057a6a2267c2f16237fa24f",
"md5": "ffe80aa307503decbdf57e7b68071a06",
"sha256": "69aea0b70d299a163f136c45e87ebc0418c92b9c796bb2d879e589b773df9ef5"
},
"downloads": -1,
"filename": "service_control_policy_preprocessor-0.0.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "ffe80aa307503decbdf57e7b68071a06",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 15252,
"upload_time": "2025-01-30T16:35:26",
"upload_time_iso_8601": "2025-01-30T16:35:26.562148Z",
"url": "https://files.pythonhosted.org/packages/60/12/c09b838eed2b70231386e78a074a67d8b0c73057a6a2267c2f16237fa24f/service_control_policy_preprocessor-0.0.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "916f9f309aca48d23aa862b213de2391456d98c77678099538c2b91ae0059598",
"md5": "cbaf85666b5fc3ae657e3cf13d3d53af",
"sha256": "e07c2d9913d163e0979281f8c716be9097cd971a3e896715af5c75e0585aa428"
},
"downloads": -1,
"filename": "service_control_policy_preprocessor-0.0.1.tar.gz",
"has_sig": false,
"md5_digest": "cbaf85666b5fc3ae657e3cf13d3d53af",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 12841,
"upload_time": "2025-01-30T16:35:28",
"upload_time_iso_8601": "2025-01-30T16:35:28.697534Z",
"url": "https://files.pythonhosted.org/packages/91/6f/9f309aca48d23aa862b213de2391456d98c77678099538c2b91ae0059598/service_control_policy_preprocessor-0.0.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-30 16:35:28",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "aws-samples",
"github_project": "service-control-policy-preprocessor",
"github_not_found": true,
"lcname": "service-control-policy-preprocessor"
}