Feature Request: Verify that all services used are support in selected set of compliance programs

[phene]

Is this feature request related to a new rule or cfn-lint capabilities?

rules

Describe the feature you'd like to request

As some products are making their journey to compliance programs like FedRAMP, it would be good to have a rule/validator that verifies that any resources you intended to add to your templates are supported in the compliance programs you are responsible for staying in line with.

Describe the solution you'd like

Given a list of compliance programs the product should support. Validates that those resources are in scope for that compliance program.

For example, if I need to deploy to environments that are targeted for FedRAMP High, I should see a failure if I try to use AWS Shield or CloudFront resources. This failure would not occur if I only chose FedRAMP Moderate (east/west).

Additional context

No response

Is this something that you'd be interested in working on?

• [ ] 👋 I may be able to implement this feature request

Would this feature include a breaking change?

• [ ] ⚠️ This feature might incur a breaking change

[PatMyron]

See https://github.com/salesforce/aws-allowlister for how to do this immediately with IAM policies (note their data's out of date: https://github.com/salesforce/aws-allowlister/issues/108)

---

I'd rather not duplicate their scraping efforts. I'd prefer someone shore up their scraping or convince AWS to vend machine-readable lists. Manually mapping service names, IAM prefixes, CloudFormation namespaces seems like the least sustainable part: https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml

[kddejong]

You can provide an override --override-spec with ExcludeResourceTypes to exclude certain resource types from the spec.

https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/customize_specifications.md#features