From a93048d9a7931b732c901343b8c10865a0166c2c Mon Sep 17 00:00:00 2001 From: Chris Nesbitt-Smith Date: Mon, 5 Jan 2026 14:46:35 +0000 Subject: [PATCH] feat: add Textract analysis operations to supported services SCP Add Amazon Textract read and analysis operations to the list of allowed AWS services in the InnovationSandboxAWSNukeSupportedServicesScp. Limited to specific actions to prevent creation of adapter resources that are not managed by aws-nuke: - AnalyzeDocument, AnalyzeExpense, AnalyzeID, DetectDocumentText - GetAdapter, GetAdapterVersion, GetDocumentAnalysis - GetDocumentTextDetection, GetExpenseAnalysis, GetLendingAnalysis - GetLendingAnalysisSummary, ListAdapters, ListAdapterVersions - ListTagsForResource --- CHANGELOG.md | 6 ++++++ .../isb-aws-nuke-supported-services-scp.json | 14 ++++++++++++++ .../test/__snapshots__/snapshots.test.ts.snap | 14 ++++++++++++++ 3 files changed, 34 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c9bc5c57..1f022362 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Added + +- Amazon Textract analysis and read operations to supported services SCP (limited to prevent creation of adapter resources not managed by aws-nuke) + ## [1.1.7] - 2026-01-20 ### Fixed diff --git a/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json b/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json index 7b5fca1d..d601d07c 100644 --- a/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json +++ b/source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json 
@@ -133,6 +133,20 @@
 "ssmmessages:*",
 "storagegateway:*",
 "transcribe:*",
+ "textract:AnalyzeDocument",
+ "textract:AnalyzeExpense",
+ "textract:AnalyzeID",
+ "textract:DetectDocumentText",
+ "textract:GetAdapter",
+ "textract:GetAdapterVersion",
+ "textract:GetDocumentAnalysis",
+ "textract:GetDocumentTextDetection",
+ "textract:GetExpenseAnalysis",
+ "textract:GetLendingAnalysis",
+ "textract:GetLendingAnalysisSummary",
+ "textract:ListAdapters",
+ "textract:ListAdapterVersions",
+ "textract:ListTagsForResource",
 "transfer:*",
 "waf:*",
 "wafv2:*",
diff --git a/source/infrastructure/test/__snapshots__/snapshots.test.ts.snap b/source/infrastructure/test/__snapshots__/snapshots.test.ts.snap
index 66c44147..308846ed 100644
--- a/source/infrastructure/test/__snapshots__/snapshots.test.ts.snap
+++ b/source/infrastructure/test/__snapshots__/snapshots.test.ts.snap
@@ -2455,6 +2455,20 @@ exports[`IsbAccountPoolStack Snapshot > matches the snapshot 1`] = ` "ssmmessages:*", "storagegateway:*", "transcribe:*", + "textract:AnalyzeDocument", + "textract:AnalyzeExpense", + "textract:AnalyzeID", + "textract:DetectDocumentText", + "textract:GetAdapter", + "textract:GetAdapterVersion", + "textract:GetDocumentAnalysis", + "textract:GetDocumentTextDetection", + "textract:GetExpenseAnalysis", + "textract:GetLendingAnalysis", + "textract:GetLendingAnalysisSummary", + "textract:ListAdapters", + "textract:ListAdapterVersions", + "textract:ListTagsForResource", "transfer:*", "waf:*", "wafv2:*",
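Review bot: In the isb-aws-nuke-supported-services-scp.json hunk, the five asynchronous getters (`textract:GetDocumentAnalysis`, `textract:GetDocumentTextDetection`, `textract:GetExpenseAnalysis`, `textract:GetLendingAnalysis`, `textract:GetLendingAnalysisSummary`) are added without the `textract:Start*` actions that create the jobs they read, so as written they appear to be unusable entries. Either drop those five to keep the list minimal, or add the matching Start actions (for example `"textract:StartDocumentAnalysis",`) after confirming that job output written to S3 is covered by the existing cleanup. The new entries also sit after `"transcribe:*",` although the visible neighbours are alphabetical, so they would read better placed before it. Because JSON cannot carry a comment, the reason for avoiding `textract:*` lives only in the commit message and changelog; a test asserting that no adapter-creating Textract action appears in this list would keep the restriction from being widened later. The enclosing policy statement is outside the hunk, so the list's effect as a service allow-list is inferred from the commit description.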