PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.10__py3-none-any.whl → 1.1.1__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.10py3-none-any.whl → 1.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

docs/config-rule-mappings.md CHANGED Viewed

@@ -16,7 +16,7 @@ This document provides a comprehensive mapping of CIS Controls to AWS Config rul
 The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specifications as the foundation for evaluating compliance. Each CIS Control is mapped to one or more AWS Config rules that assess specific AWS resources and configurations.
-**Production Status**: This framework has achieved 100% coverage of all CIS Controls requirements with 138 implemented rules (133 CIS Controls + 5 bonus security enhancements).
+**Production Status**: This framework has achieved 100% coverage of all CIS Controls requirements with 163 implemented rules (147 CIS Controls + 9 bonus security enhancements + 7 audit logging controls).
 ### Mapping Methodology
@@ -28,10 +28,10 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 ### Implementation Groups Hierarchy
 - **IG1**: 96 Config rules covering essential cyber hygiene
-- **IG2**: +40 Config rules for enhanced security (includes all IG1 rules)
+- **IG2**: +74 Config rules for enhanced security (includes all IG1 rules)
 - **IG3**: +1 Config rule for advanced security (includes all IG1+IG2 rules)
-- **Bonus**: +5 additional security rules beyond CIS requirements
-- **Total**: 142 Config rules implemented (137 CIS + 5 bonus)
+- **Bonus**: +9 additional security rules beyond CIS requirements
+- **Total**: 163 Config rules implemented (151 CIS + 9 bonus + 7 audit logging)
 ## IG1 - Essential Cyber Hygiene
@@ -165,6 +165,379 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 ## IG2 - Enhanced Security
+### Control 4: Secure Configuration of Enterprise Assets and Software
+**Purpose**: Establish and maintain the secure configuration of enterprise assets and software.
+#### Control 4.1: IAM Role Session Duration Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-max-session-duration-check` | AWS::IAM::Role | Validates IAM role session duration does not exceed 12 hours |
+**Assessment Logic**:
+- Discovers all IAM roles (global service, evaluated in us-east-1)
+- Checks MaxSessionDuration property on each role
+- COMPLIANT if MaxSessionDuration ≤ 43200 seconds (12 hours)
+- NON_COMPLIANT if MaxSessionDuration > 43200 seconds
+- Limits credential exposure window for temporary credentials
+**Remediation Guidance**:
+```bash
+# Update IAM role to limit session duration
+aws iam update-role --role-name <role-name> --max-session-duration 43200
+```
+#### Control 4.2: Default Security Group Restriction
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `security-group-default-rules-check` | AWS::EC2::SecurityGroup | Ensures default security groups have no inbound or outbound rules |
+**Assessment Logic**:
+- Discovers all security groups with GroupName='default' (regional service)
+- Checks IpPermissions (inbound rules) and IpPermissionsEgress (outbound rules)
+- COMPLIANT if both rule lists are empty
+- NON_COMPLIANT if any rules exist
+- Prevents unintended access through default security groups
+**Remediation Guidance**:
+```bash
+# Remove all inbound rules from default security group
+aws ec2 revoke-security-group-ingress --group-id <sg-id> --ip-permissions <permissions>
+# Remove all outbound rules from default security group
+aws ec2 revoke-security-group-egress --group-id <sg-id> --ip-permissions <permissions>
+```
+#### Control 4.3: VPC DNS Configuration Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `vpc-dns-resolution-enabled` | AWS::EC2::VPC | Validates VPC DNS settings (enableDnsHostnames and enableDnsSupport) |
+**Assessment Logic**:
+- Discovers all VPCs (regional service)
+- Checks enableDnsHostnames attribute via describe_vpc_attribute
+- Checks enableDnsSupport attribute via describe_vpc_attribute
+- COMPLIANT if both attributes are True
+- NON_COMPLIANT if either attribute is False
+- Required for many AWS services to function correctly
+**Remediation Guidance**:
+```bash
+# Enable DNS resolution for VPC
+aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-support
+# Enable DNS hostnames for VPC
+aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-hostnames
+```
+#### Control 4.4: RDS Default Admin Username Check
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `rds-default-admin-check` | AWS::RDS::DBInstance | Ensures RDS instances don't use default admin usernames |
+**Assessment Logic**:
+- Discovers all RDS instances (regional service)
+- Checks MasterUsername against default list (case-insensitive): postgres, admin, root, mysql, administrator, sa
+- COMPLIANT if MasterUsername is not a default value
+- NON_COMPLIANT if MasterUsername matches default list
+- Reduces risk of credential guessing attacks
+**Remediation Guidance**:
+```bash
+# RDS master username cannot be changed after creation
+# Remediation requires snapshot and restore:
+aws rds create-db-snapshot --db-instance-identifier <old-instance> --db-snapshot-identifier <snapshot-name>
+aws rds restore-db-instance-from-db-snapshot --db-instance-identifier <new-instance> --db-snapshot-identifier <snapshot-name> --master-username <custom-username>
+# Note: This is a disruptive change requiring downtime
+```
+#### Control 4.5: EC2 Instance Profile Least Privilege Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `ec2-instance-profile-least-privilege` | AWS::EC2::Instance | Validates EC2 instance profile permissions follow least privilege |
+**Assessment Logic**:
+- Discovers all EC2 instances with instance profiles (regional service)
+- Gets IAM role from instance profile (IAM is global, queried in us-east-1)
+- Lists attached managed policies and inline policies
+- Checks for overly permissive policies:
+  - AdministratorAccess or PowerUserAccess managed policies
+  - Policies with Action: "*" and Resource: "*"
+- COMPLIANT if no overly permissive policies found
+- NON_COMPLIANT if overly permissive policies detected
+**Remediation Guidance**:
+```bash
+# Create specific policy with limited permissions
+aws iam create-policy --policy-name <specific-policy> --policy-document file://policy.json
+# Attach specific policy to role
+aws iam attach-role-policy --role-name <role-name> --policy-arn <specific-policy-arn>
+# Detach overly permissive policy
+aws iam detach-role-policy --role-name <role-name> --policy-arn <broad-policy-arn>
+```
+### Control 5: Account Management
+**Purpose**: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
+#### Control 5.1: Service Account Documentation Verification
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-service-account-inventory-check` | AWS::IAM::User, AWS::IAM::Role | Validates service accounts have required documentation tags |
+**Assessment Logic**:
+- Discovers all IAM users and roles (global service, evaluated in us-east-1)
+- Identifies service accounts by:
+  - Naming convention (contains "service", "app", "application")
+  - ServiceAccount=true tag
+- Checks for required tags: Purpose, Owner, LastReviewed
+- COMPLIANT if all three tags present with non-empty values
+- NON_COMPLIANT if any required tag missing or empty
+- Supports compliance and access review processes
+**Remediation Guidance**:
+```bash
+# Add required documentation tags to service account
+aws iam tag-user --user-name <service-account> --tags \
+  Key=Purpose,Value="API access for application" \
+  Key=Owner,Value="platform-team" \
+  Key=LastReviewed,Value="2024-01-15"
+# For roles
+aws iam tag-role --role-name <service-role> --tags \
+  Key=Purpose,Value="Lambda execution" \
+  Key=Owner,Value="dev-team" \
+  Key=LastReviewed,Value="2024-01-15"
+```
+#### Control 5.2: Administrative Policy Attachment Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-admin-policy-attached-to-role-check` | AWS::IAM::User | Ensures administrative policies are attached to roles, not users |
+**Assessment Logic**:
+- Discovers all IAM users (global service, evaluated in us-east-1)
+- Lists attached managed policies and inline policies
+- Checks for administrative policies:
+  - AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess)
+  - PowerUserAccess
+  - Inline policies with Action: "*" and Resource: "*"
+- COMPLIANT if no admin policies attached to user
+- NON_COMPLIANT if admin policies found on user
+- Encourages role-based access with temporary credentials
+**Remediation Guidance**:
+```bash
+# Create admin role
+aws iam create-role --role-name AdminRole --assume-role-policy-document file://trust-policy.json
+# Attach admin policy to role
+aws iam attach-role-policy --role-name AdminRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+# Remove admin policy from user
+aws iam detach-user-policy --user-name <user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+# User assumes role for admin access
+aws sts assume-role --role-arn arn:aws:iam::<account>:role/AdminRole --role-session-name admin-session
+```
+#### Control 5.3: AWS IAM Identity Center (SSO) Enablement Check
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `sso-enabled-check` | AWS::::Account | Validates AWS IAM Identity Center is configured and enabled |
+**Assessment Logic**:
+- Account-level check (global service, evaluated in us-east-1)
+- Calls sso-admin.list_instances() to check for SSO instances
+- COMPLIANT if at least one SSO instance exists
+- NON_COMPLIANT if no SSO instances found
+- Encourages centralized identity management
+**Remediation Guidance**:
+```bash
+# SSO must be enabled through console or Organizations API
+# After enabling, configure permission sets:
+aws sso-admin create-permission-set --instance-arn <instance-arn> --name ReadOnlyAccess
+aws sso-admin attach-managed-policy-to-permission-set \
+  --instance-arn <instance-arn> \
+  --permission-set-arn <ps-arn> \
+  --managed-policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
+```
+#### Control 5.4: IAM User Inline Policy Restriction
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-user-no-inline-policies` | AWS::IAM::User | Ensures IAM users don't have inline policies |
+**Assessment Logic**:
+- Discovers all IAM users (global service, evaluated in us-east-1)
+- Lists inline policies attached to each user
+- COMPLIANT if inline policy list is empty
+- NON_COMPLIANT if any inline policies exist
+- Encourages use of managed policies for reusability
+**Remediation Guidance**:
+```bash
+# Get inline policy document
+aws iam get-user-policy --user-name <user> --policy-name <inline-policy> > policy.json
+# Create managed policy from document
+aws iam create-policy --policy-name <policy-name> --policy-document file://policy.json
+# Attach managed policy to user
+aws iam attach-user-policy --user-name <user> --policy-arn <policy-arn>
+# Delete inline policy
+aws iam delete-user-policy --user-name <user> --policy-name <inline-policy>
+```
+### Control 6: Access Control Management
+**Purpose**: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
+#### Control 6.1: IAM Access Analyzer Enablement Verification
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-access-analyzer-enabled` | AWS::AccessAnalyzer::Analyzer | Validates IAM Access Analyzer is enabled in all active regions |
+**Assessment Logic**:
+- Regional service, evaluated in all active regions
+- Lists analyzers in each region
+- Checks for at least one analyzer with status='ACTIVE'
+- COMPLIANT if active analyzer found in region
+- NON_COMPLIANT if no active analyzers in region
+- Detects resources shared with external entities
+**Remediation Guidance**:
+```bash
+# Create analyzer in each region
+aws accessanalyzer create-analyzer --analyzer-name account-analyzer --type ACCOUNT --region <region>
+# Create in all regions
+for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
+  aws accessanalyzer create-analyzer --analyzer-name account-analyzer --type ACCOUNT --region $region
+done
+```
+#### Control 6.2: Permission Boundary Configuration Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `iam-permission-boundaries-check` | AWS::IAM::Role | Ensures permission boundaries are configured for roles with elevated privileges |
+**Assessment Logic**:
+- Discovers all IAM roles (global service, evaluated in us-east-1)
+- Identifies roles with elevated privileges:
+  - Roles with AdministratorAccess or PowerUserAccess
+  - Roles with policies containing Action: "*"
+  - Roles with AssumeRole permissions
+- Checks if PermissionsBoundary field is set
+- COMPLIANT if permission boundary configured for elevated privilege roles
+- NON_COMPLIANT if no permission boundary on elevated privilege roles
+- Prevents privilege escalation in delegated administration
+**Remediation Guidance**:
+```bash
+# Create permission boundary policy
+aws iam create-policy --policy-name DelegatedAdminBoundary --policy-document file://boundary.json
+# Attach boundary to role
+aws iam put-role-permissions-boundary --role-name <role> --permissions-boundary arn:aws:iam::<account>:policy/DelegatedAdminBoundary
+```
+#### Control 6.3: Service Control Policy Enablement Check
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `organizations-scp-enabled-check` | AWS::::Account | Validates AWS Organizations Service Control Policies are enabled and in use |
+**Assessment Logic**:
+- Account-level check (global service, evaluated in us-east-1)
+- Calls organizations.describe_organization() to check if account is in organization
+- Checks if FeatureSet includes ALL or SERVICE_CONTROL_POLICY
+- Lists SCPs to verify custom SCPs exist (beyond default FullAWSAccess)
+- COMPLIANT if organization exists, SCPs enabled, and custom SCPs in use
+- NON_COMPLIANT if not in organization, SCPs not enabled, or only default SCP
+- Enforces organizational policies and guardrails
+**Remediation Guidance**:
+```bash
+# Enable all features in Organizations
+aws organizations enable-all-features
+# Create custom SCP
+aws organizations create-policy --name DenyRootUser --type SERVICE_CONTROL_POLICY --content file://scp.json
+# Attach SCP to OU
+aws organizations attach-policy --policy-id <policy-id> --target-id <ou-id>
+```
+#### Control 6.4: Cognito User Pool MFA Validation
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `cognito-user-pool-mfa-enabled` | AWS::Cognito::UserPool | Ensures Cognito user pools have MFA enabled |
+**Assessment Logic**:
+- Discovers all Cognito user pools (regional service)
+- Calls cognito-idp.describe_user_pool() to get MfaConfiguration
+- COMPLIANT if MfaConfiguration is 'ON' or 'OPTIONAL'
+- NON_COMPLIANT if MfaConfiguration is 'OFF'
+- Enhances authentication security for applications
+**Remediation Guidance**:
+```bash
+# Enable MFA for Cognito user pool
+aws cognito-idp set-user-pool-mfa-config \
+  --user-pool-id <pool-id> \
+  --mfa-configuration ON \
+  --software-token-mfa-configuration Enabled=true \
+  --sms-mfa-configuration SmsConfiguration={SnsCallerArn=<sns-role-arn>}
+```
+#### Control 6.5: VPN Connection MFA Requirement Verification
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `vpn-connection-mfa-enabled` | AWS::EC2::ClientVpnEndpoint | Validates Client VPN endpoints require MFA authentication |
+**Assessment Logic**:
+- Discovers all Client VPN endpoints (regional service)
+- Checks AuthenticationOptions for MFA requirement
+- Looks for:
+  - directory-service-authentication with MFA
+  - federated-authentication with MFA requirement
+  - certificate-authentication with additional factor
+- COMPLIANT if MFA is required for authentication
+- NON_COMPLIANT if no MFA requirement found
+- Ensures secure remote access to AWS resources
+**Remediation Guidance**:
+```bash
+# Create Client VPN endpoint with AD authentication and MFA
+aws ec2 create-client-vpn-endpoint \
+  --client-cidr-block 10.0.0.0/16 \
+  --server-certificate-arn <cert-arn> \
+  --authentication-options Type=directory-service-authentication,ActiveDirectory={DirectoryId=<dir-id>} \
+  --connection-log-options Enabled=true,CloudwatchLogGroup=<log-group>
+# Note: MFA enforcement depends on authentication method (AD, SAML, or certificate)
+```
 ### Control 3.10: Encrypt Sensitive Data in Transit
 **Purpose**: Encrypt sensitive data in transit between network locations.
@@ -220,6 +593,46 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 - Checks for threat detection services
 - Ensures patch management compliance
+### Control 8.2: Collect Audit Logs
+**Purpose**: Collect audit logs from enterprise assets and software to support security monitoring, incident response, and compliance requirements.
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `route53-query-logging-enabled` | AWS::Route53::HostedZone | Validates Route 53 hosted zones have query logging enabled to track DNS queries for security investigations |
+| `alb-access-logs-enabled` | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensures Application Load Balancers have access logging enabled to analyze traffic patterns |
+| `cloudfront-access-logs-enabled` | AWS::CloudFront::Distribution | Validates CloudFront distributions have access logging enabled to track content delivery requests |
+| `cloudwatch-log-retention-check` | AWS::Logs::LogGroup | Ensures CloudWatch log groups have appropriate retention periods (minimum 90 days) for compliance |
+| `cloudtrail-insights-enabled` | AWS::CloudTrail::Trail | Validates CloudTrail Insights is enabled for automatic anomaly detection of API activity |
+| `config-recording-all-resources` | AWS::Config::ConfigurationRecorder | Ensures AWS Config records all resource types to track configuration changes |
+| `waf-logging-enabled` | AWS::WAFv2::WebACL | Validates WAF web ACLs have logging enabled to capture web application firewall events |
+| `elb-logging-enabled` | AWS::ElasticLoadBalancing::LoadBalancer | Ensures Classic Load Balancers have access logging enabled |
+| `rds-logging-enabled` | AWS::RDS::DBInstance | Validates RDS instances have appropriate database logging enabled |
+| `elasticsearch-logs-to-cloudwatch` | AWS::Elasticsearch::Domain | Ensures Elasticsearch domains send logs to CloudWatch |
+| `codebuild-project-logging-enabled` | AWS::CodeBuild::Project | Validates CodeBuild projects capture build logs |
+| `redshift-cluster-configuration-check` | AWS::Redshift::Cluster | Ensures Redshift clusters have audit logging enabled |
+| `wafv2-logging-enabled` | AWS::WAFv2::WebACL | Ensures WAFv2 web ACLs have logging enabled |
+**Assessment Logic**:
+- **DNS Query Logging**: Validates Route 53 hosted zones have query logging configurations pointing to CloudWatch Logs
+- **Load Balancer Logging**: Checks ALB and Classic ELB access_logs.s3.enabled attribute and validates S3 bucket configuration
+- **CDN Logging**: Validates CloudFront distribution Logging.Enabled field and S3 bucket configuration
+- **Log Retention**: Checks CloudWatch log groups have retentionInDays set to at least 90 days (configurable parameter)
+- **CloudTrail Insights**: Validates at least one active trail has InsightSelectors configured for anomaly detection
+- **Config Recording**: Ensures configuration recorders have allSupported=true and recording status is active
+- **WAF Logging**: Validates WAF web ACLs (both REGIONAL and CLOUDFRONT scopes) have logging configurations with destination ARNs
+- **Multi-Region Support**: Regional services (ALB, CloudWatch Logs, AWS Config, WAF) are evaluated in all active regions
+- **Global Services**: Route 53 and CloudFront are evaluated in us-east-1 only
+**Remediation Guidance**:
+- Route 53: Create CloudWatch Logs log group and configure query logging for each hosted zone
+- ALB/ELB: Enable access logs with S3 bucket destination and appropriate bucket policy
+- CloudFront: Enable logging in distribution settings with S3 bucket and optional prefix
+- CloudWatch Logs: Set retention policy using `put-retention-policy` API (recommended: 90-365 days)
+- CloudTrail: Enable Insights using `put-insight-selectors` API (note: additional charges apply)
+- AWS Config: Configure recorder with allSupported=true and start recording
+- WAF: Create Kinesis Data Firehose delivery stream (prefix: "aws-waf-logs-") and configure logging
 ## IG3 - Advanced Security
 ### Control 3.14: Log Sensitive Data Access
@@ -275,12 +688,16 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 ## Bonus Security Rules
-Beyond the required 133 CIS Controls rules, the framework includes 5 additional security enhancements:
+Beyond the required 133 CIS Controls rules, the framework includes 9 additional security enhancements:
 ### Enhanced Logging Security
 | Config Rule | Resource Types | Description |
 |-------------|----------------|-------------|
 | `cloudwatch-log-group-encrypted` | AWS::Logs::LogGroup | Ensures CloudWatch log groups are encrypted |
+| `route53-query-logging-enabled` | AWS::Route53::HostedZone | Validates Route 53 DNS query logging is enabled |
+| `alb-access-logs-enabled` | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensures ALB access logging is enabled |
+| `cloudfront-access-logs-enabled` | AWS::CloudFront::Distribution | Validates CloudFront access logging is enabled |
+| `waf-logging-enabled` | AWS::WAFv2::WebACL | Ensures WAF web ACL logging is enabled |
 ### Network Security Enhancements
 | Config Rule | Resource Types | Description |
@@ -294,7 +711,7 @@ Beyond the required 133 CIS Controls rules, the framework includes 5 additional
 | `kinesis-stream-encrypted` | AWS::Kinesis::Stream | Ensures Kinesis streams are encrypted |
 | `sqs-queue-encrypted-kms` | AWS::SQS::Queue | Ensures SQS queues use KMS encryption |
-**Business Value**: These bonus rules provide additional security value beyond CIS Controls requirements, enhancing the overall security posture with minimal additional overhead.
+**Business Value**: These bonus rules provide additional security value beyond CIS Controls requirements, enhancing the overall security posture with minimal additional overhead. The audit logging rules (Control 8.2) provide comprehensive visibility across AWS services for security investigations and compliance.
 ## Config Rule Details

{aws_cis_controls_assessment-1.0.10.dist-info → aws_cis_controls_assessment-1.1.1.dist-info}/WHEEL RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.0.10.dist-info → aws_cis_controls_assessment-1.1.1.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.0.10.dist-info → aws_cis_controls_assessment-1.1.1.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.0.10.dist-info → aws_cis_controls_assessment-1.1.1.dist-info}/top_level.txt RENAMED Viewed

File without changes

aws-cis-controls-assessment 1.0.10__py3-none-any.whl → 1.1.1__py3-none-any.whl

aws-cis-controls-assessment 1.0.10py3-none-any.whl → 1.1.1py3-none-any.whl