aws-cis-controls-assessment 1.0.10__tar.gz → 1.1.0__tar.gz

{aws_cis_controls_assessment-1.0.10/aws_cis_controls_assessment.egg-info → aws_cis_controls_assessment-1.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.10
+Version: 1.1.0
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -57,20 +57,22 @@ Dynamic: license-file
 
 # AWS CIS Controls Compliance Assessment Framework
 
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 133 implemented rules plus 5 bonus security enhancements.
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 163 implemented rules (131 CIS Controls + 32 bonus security enhancements).
 
 > **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
 
 ## 🎯 Key Features
 
-- **✅ Complete Coverage**: 137/137 CIS Controls rules implemented (100% coverage)
+- **✅ Complete Coverage**: 163 total rules implemented (131 CIS Controls + 32 bonus)
 - **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
+- **✅ Enhanced HTML Reports**: Control names, working search, improved remediation display
 - **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
-- **✅ Bonus Security Rules**: 5 additional security enhancements beyond CIS requirements
 - **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
+- **✅ Audit Logging Controls**: 7 comprehensive audit log management controls (CIS Control 8)
+- **✅ Access & Configuration Controls**: 14 comprehensive identity, access, and secure configuration controls (CIS Controls 4, 5, 6)
 
 ## 🚀 Quick Start
 
@@ -89,7 +91,7 @@ pip install -e .
 ### Basic Usage
 
 ```bash
-# Run complete assessment (all 142 rules) - defaults to us-east-1
+# Run complete assessment (all 163 rules) - defaults to us-east-1
 aws-cis-assess assess --aws-profile my-aws-profile
 
 # Assess multiple regions
@@ -117,12 +119,12 @@ aws-cis-assess assess --output-format json
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (17 rules) - **NEW: 6 AWS Backup service controls added (3 IG1 + 3 IG2)**
+- Backup and Recovery (17 rules) - **6 AWS Backup service controls (3 IG1 + 3 IG2)**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)
 
-### IG2 - Enhanced Security (+40 Rules) ✅  
+### IG2 - Enhanced Security (+74 Rules) ✅  
 **100% Coverage Achieved**
 - Advanced Encryption at Rest (6 rules)
 - Certificate Management (2 rules)
@@ -133,7 +135,11 @@ aws-cis-assess assess --output-format json
 - Network Segmentation (5 rules)
 - Auto-scaling Security (1 rule)
 - Enhanced Access Controls (8 rules)
-- AWS Backup Advanced Controls (3 rules) - **NEW: Vault lock, reporting, restore testing**
+- AWS Backup Advanced Controls (3 rules) - **Vault lock, reporting, restore testing**
+- Audit Log Management (7 rules) - **Control 8 comprehensive logging coverage**
+- Secure Configuration (5 rules) - **Control 4: session duration, security groups, VPC DNS, RDS admin, EC2 least privilege**
+- Account Management (4 rules) - **Control 5: service account docs, admin policies, SSO, inline policies**
+- Access Control Management (5 rules) - **Control 6: Access Analyzer, permission boundaries, SCPs, Cognito MFA, VPN MFA**
 
 ### IG3 - Advanced Security (+1 Rule) ✅
 **100% Coverage Achieved**
@@ -141,19 +147,82 @@ aws-cis-assess assess --output-format json
 - Critical for preventing application-layer attacks
 - Required for high-security environments
 
-### Bonus Security Rules (+5 Rules) ✅
+### Bonus Security Rules (+32 Rules) ✅
 **Additional Value Beyond CIS Requirements**
 - Enhanced logging security (`cloudwatch-log-group-encrypted`)
 - Network security enhancement (`incoming-ssh-disabled`)
 - Data streaming encryption (`kinesis-stream-encrypted`)
 - Network access control (`restricted-incoming-traffic`)
 - Message queue encryption (`sqs-queue-encrypted-kms`)
+- Route 53 DNS query logging (`route53-query-logging-enabled`)
+- Plus 26 additional security enhancements
+- Application Load Balancer access logs (`alb-access-logs-enabled`)
+- CloudFront distribution access logs (`cloudfront-access-logs-enabled`)
+- WAF web ACL logging (`waf-logging-enabled`)
+
+### 🔍 CIS Control 8: Audit Log Management (13 Rules)
+**Comprehensive Audit Logging Coverage**
+
+Control 8 focuses on collecting, alerting, reviewing, and retaining audit logs of events that could help detect, understand, or recover from an attack. Our implementation provides comprehensive coverage across AWS services:
+
+**DNS Query Logging**
+- `route53-query-logging-enabled`: Validates Route 53 hosted zones have query logging enabled to track DNS queries for security investigations
+
+**Load Balancer & CDN Logging**
+- `alb-access-logs-enabled`: Ensures Application Load Balancers capture access logs for traffic analysis
+- `elb-logging-enabled`: Validates Classic Load Balancers have access logging enabled
+- `cloudfront-access-logs-enabled`: Ensures CloudFront distributions log content delivery requests
+
+**Log Retention & Management**
+- `cloudwatch-log-retention-check`: Validates log groups have appropriate retention periods (minimum 90 days)
+- `cw-loggroup-retention-period-check`: Additional log retention validation
+
+**CloudTrail Monitoring**
+- `cloudtrail-insights-enabled`: Enables anomaly detection for unusual API activity
+
+**Configuration Tracking**
+- `config-recording-all-resources`: Ensures AWS Config tracks all resource configuration changes
+
+**Application Security Logging**
+- `waf-logging-enabled`: Validates WAF web ACLs capture firewall events
+- `wafv2-logging-enabled`: Ensures WAFv2 web ACLs have logging enabled
+
+**Database & Service Logging**
+- `rds-logging-enabled`: Validates RDS instances have appropriate logging enabled
+- `elasticsearch-logs-to-cloudwatch`: Ensures Elasticsearch domains send logs to CloudWatch
+- `codebuild-project-logging-enabled`: Validates CodeBuild projects capture build logs
+- `redshift-cluster-configuration-check`: Ensures Redshift clusters have audit logging enabled
+
+### 🔐 CIS Controls 4, 5, 6: Access & Configuration Controls (14 Rules)
+**Comprehensive Identity, Access Management, and Secure Configuration Coverage**
+
+These controls focus on secure configuration of enterprise assets, account management, and access control management. Our implementation provides comprehensive coverage across AWS IAM, networking, and identity services:
+
+**Control 4 - Secure Configuration (5 rules)**
+- `iam-max-session-duration-check`: Validates IAM role session duration does not exceed 12 hours to limit credential exposure
+- `security-group-default-rules-check`: Ensures default security groups have no inbound or outbound rules to prevent unintended access
+- `vpc-dns-resolution-enabled`: Validates VPC DNS settings (enableDnsHostnames and enableDnsSupport) are properly configured
+- `rds-default-admin-check`: Ensures RDS instances don't use default admin usernames (postgres, admin, root, mysql, administrator)
+- `ec2-instance-profile-least-privilege`: Validates EC2 instance profile permissions follow least privilege principles
+
+**Control 5 - Account Management (4 rules)**
+- `iam-service-account-inventory-check`: Validates service accounts have required documentation tags (Purpose, Owner, LastReviewed)
+- `iam-admin-policy-attached-to-role-check`: Ensures administrative policies are attached to roles, not directly to users
+- `sso-enabled-check`: Validates AWS IAM Identity Center is configured and enabled for centralized identity management
+- `iam-user-no-inline-policies`: Ensures IAM users don't have inline policies (only managed policies or group memberships)
+
+**Control 6 - Access Control Management (5 rules)**
+- `iam-access-analyzer-enabled`: Validates IAM Access Analyzer is enabled in all active regions for external access detection
+- `iam-permission-boundaries-check`: Ensures permission boundaries are configured for roles with elevated privileges
+- `organizations-scp-enabled-check`: Validates AWS Organizations Service Control Policies are enabled and in use
+- `cognito-user-pool-mfa-enabled`: Ensures Cognito user pools have MFA enabled for enhanced authentication security
+- `vpn-connection-mfa-enabled`: Validates Client VPN endpoints require MFA authentication
 
 ## 🏗️ Production Architecture
 
 ### Core Components
 - **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 138 individual rule implementations with robust error handling
+- **Control Assessments**: 149 individual rule implementations with robust error handling
 - **Scoring Engine**: Calculates compliance scores and generates executive metrics
 - **Reporting System**: Multi-format output with detailed remediation guidance
 - **Resource Management**: Optimized for enterprise-scale deployments with memory management
@@ -249,48 +318,87 @@ MIT License - see [LICENSE](LICENSE) file for details.
 
 ---
 
-**Framework Version**: 1.0.10 (in development)  
-**CIS Controls Coverage**: 137/137 rules (100%) + 5 bonus rules  
+**Framework Version**: 1.1.0 (in development)  
+**CIS Controls Coverage**: 151/151 rules (100%) + 9 bonus rules  
 **Production Status**: ✅ Ready for immediate enterprise deployment  
 **Last Updated**: January 2026
 
-## 🆕 What's New in Version 1.0.10
-
-### AWS Backup Service Controls
-Six new controls added to assess AWS Backup infrastructure:
-
-**IG1 Controls (3)**:
-1. **backup-plan-min-frequency-and-min-retention-check** - Validates backup plans have appropriate frequency and retention policies
-   - Ensures backup plans have at least one rule defined
-   - Validates schedule expressions (cron or rate)
-   - Checks retention periods meet minimum requirements (default: 7 days)
-   - Validates lifecycle policies for cold storage transitions
-
-2. **backup-vault-access-policy-check** - Ensures backup vaults have secure access policies
-   - Detects publicly accessible backup vaults
-   - Identifies overly permissive access policies
-   - Warns about dangerous permissions (DeleteBackupVault, DeleteRecoveryPoint)
-   - Validates principle of least privilege
-
-3. **backup-selection-resource-coverage-check** - Validates backup plans cover critical resources
-   - Ensures backup plans have at least one selection
-   - Validates selections target specific resources or use tags
-   - Checks that selections are not empty
-
-**IG2 Controls (3)**:
-4. **backup-vault-lock-check** - Verifies vault lock for ransomware protection
-   - Ensures critical vaults have Vault Lock enabled
-   - Validates immutable backup configuration (WORM)
-   - Checks minimum and maximum retention periods
-
-5. **backup-report-plan-exists-check** - Validates backup compliance reporting
-   - Ensures at least one report plan exists
-   - Validates report delivery configuration
-   - Checks for active report generation
-
-6. **backup-restore-testing-plan-exists-check** - Ensures backups are recoverable
-   - Validates restore testing plans exist
-   - Checks testing schedules are configured
-   - Ensures backups are actually tested for recoverability
-
-These controls complement the existing 12 resource-specific backup controls by assessing the centralized AWS Backup service infrastructure itself. Total backup controls: 17 (12 resource-specific + 5 service-level). See [AWS Backup Controls Guide](docs/adding-aws-backup-controls.md) for detailed documentation.
+## 🆕 What's New in Version 1.1.0
+
+### Access & Configuration Controls (CIS Controls 4, 5, 6)
+Fourteen new controls added to assess identity, access management, and secure configuration:
+
+**Control 4 - Secure Configuration (5 rules)**:
+1. **iam-max-session-duration-check** - Validates IAM role session duration does not exceed 12 hours
+   - Ensures temporary credentials have limited exposure window
+   - Checks MaxSessionDuration property on all IAM roles
+   - Compliant if session duration ≤ 43200 seconds (12 hours)
+
+2. **security-group-default-rules-check** - Ensures default security groups have no rules
+   - Validates default security groups are restricted (no inbound/outbound rules)
+   - Prevents unintended access through default security groups
+   - Encourages use of custom security groups with explicit rules
+
+3. **vpc-dns-resolution-enabled** - Validates VPC DNS configuration
+   - Checks both enableDnsHostnames and enableDnsSupport are enabled
+   - Ensures proper DNS resolution within VPCs
+   - Required for many AWS services to function correctly
+
+4. **rds-default-admin-check** - Ensures RDS instances don't use default admin usernames
+   - Detects default usernames: postgres, admin, root, mysql, administrator, sa
+   - Case-insensitive detection
+   - Reduces risk of credential guessing attacks
+
+5. **ec2-instance-profile-least-privilege** - Validates EC2 instance profile permissions
+   - Checks for overly permissive policies (AdministratorAccess, PowerUserAccess)
+   - Detects wildcard permissions (Action: "*", Resource: "*")
+   - Ensures least privilege principle for EC2 workloads
+
+**Control 5 - Account Management (4 rules)**:
+6. **iam-service-account-inventory-check** - Validates service account documentation
+   - Ensures service accounts have required tags: Purpose, Owner, LastReviewed
+   - Identifies service accounts by naming convention or tags
+   - Supports compliance and access review processes
+
+7. **iam-admin-policy-attached-to-role-check** - Ensures admin policies on roles, not users
+   - Detects administrative policies attached directly to IAM users
+   - Encourages role-based access with temporary credentials
+   - Improves audit trail and access management
+
+8. **sso-enabled-check** - Validates AWS IAM Identity Center (SSO) is configured
+   - Checks for SSO instance existence
+   - Encourages centralized identity management
+   - Supports integration with corporate identity providers
+
+9. **iam-user-no-inline-policies** - Ensures IAM users don't have inline policies
+   - Detects inline policies attached to users
+   - Encourages use of managed policies for reusability
+   - Simplifies policy management and auditing
+
+**Control 6 - Access Control Management (5 rules)**:
+10. **iam-access-analyzer-enabled** - Validates Access Analyzer in all regions
+    - Ensures IAM Access Analyzer is enabled regionally
+    - Detects resources shared with external entities
+    - Provides continuous monitoring for unintended access
+
+11. **iam-permission-boundaries-check** - Validates permission boundaries for elevated roles
+    - Identifies roles with elevated privileges
+    - Checks for permission boundary configuration
+    - Prevents privilege escalation in delegated administration
+
+12. **organizations-scp-enabled-check** - Validates Service Control Policies are in use
+    - Checks account is part of AWS Organizations
+    - Verifies SCPs are enabled (FeatureSet includes ALL)
+    - Ensures custom SCPs exist beyond default FullAWSAccess
+
+13. **cognito-user-pool-mfa-enabled** - Ensures Cognito user pools have MFA
+    - Validates MfaConfiguration is 'ON' or 'OPTIONAL'
+    - Supports both SMS and TOTP authentication methods
+    - Enhances authentication security for applications
+
+14. **vpn-connection-mfa-enabled** - Validates Client VPN endpoints require MFA
+    - Checks VPN authentication options for MFA requirement
+    - Supports Active Directory, SAML, and certificate-based MFA
+    - Ensures secure remote access to AWS resources
+
+These controls complement the existing audit logging and backup controls by providing comprehensive coverage of identity, access management, and secure configuration practices. Total rules: 163 (149 previous + 14 new). See [Config Rule Mappings](docs/config-rule-mappings.md) for detailed documentation.

aws_cis_controls_assessment-1.1.0/README.md

@@ -0,0 +1,347 @@
+# AWS CIS Controls Compliance Assessment Framework
+
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 163 implemented rules (131 CIS Controls + 32 bonus security enhancements).
+
+> **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
+
+## 🎯 Key Features
+
+- **✅ Complete Coverage**: 163 total rules implemented (131 CIS Controls + 32 bonus)
+- **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
+- **✅ Enhanced HTML Reports**: Control names, working search, improved remediation display
+- **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
+- **✅ Performance Optimized**: Handles large-scale assessments efficiently
+- **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
+- **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
+- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
+- **✅ Audit Logging Controls**: 7 comprehensive audit log management controls (CIS Control 8)
+- **✅ Access & Configuration Controls**: 14 comprehensive identity, access, and secure configuration controls (CIS Controls 4, 5, 6)
+
+## 🚀 Quick Start
+
+### Installation
+
+```bash
+# Install from PyPI (production-ready)
+pip install aws-cis-controls-assessment
+
+# Or install from source for development
+git clone <repository-url>
+cd aws-cis-controls-assessment
+pip install -e .
+```
+
+### Basic Usage
+
+```bash
+# Run complete assessment (all 163 rules) - defaults to us-east-1
+aws-cis-assess assess --aws-profile my-aws-profile
+
+# Assess multiple regions
+aws-cis-assess assess --aws-profile my-aws-profile --regions us-east-1,us-west-2
+
+# Assess specific Implementation Group using short flag (defaults to us-east-1)
+aws-cis-assess assess -p my-aws-profile --implementation-groups IG1 --output-format json
+
+# Generate comprehensive HTML report (defaults to us-east-1)
+aws-cis-assess assess --aws-profile production --output-format html --output-file compliance-report.html
+
+# Enterprise multi-region assessment with multiple formats
+aws-cis-assess assess -p security-audit --implementation-groups IG1,IG2,IG3 --regions all --output-format html,json --output-dir ./reports/
+
+# Quick assessment with default profile and default region (us-east-1)
+aws-cis-assess assess --output-format json
+```
+
+## 📊 Implementation Groups Coverage
+
+### IG1 - Essential Cyber Hygiene (96 Rules) ✅
+**100% Coverage Achieved**
+- Asset Inventory and Management (6 rules)
+- Identity and Access Management (15 rules)  
+- Data Protection and Encryption (8 rules)
+- Network Security Controls (20 rules)
+- Logging and Monitoring (13 rules)
+- Backup and Recovery (17 rules) - **6 AWS Backup service controls (3 IG1 + 3 IG2)**
+- Security Services Integration (5 rules)
+- Configuration Management (9 rules)
+- Vulnerability Management (5 rules)
+
+### IG2 - Enhanced Security (+74 Rules) ✅  
+**100% Coverage Achieved**
+- Advanced Encryption at Rest (6 rules)
+- Certificate Management (2 rules)
+- Network High Availability (7 rules)
+- Enhanced Monitoring (3 rules)
+- CodeBuild Security (4 rules)
+- Vulnerability Scanning (1 rule)
+- Network Segmentation (5 rules)
+- Auto-scaling Security (1 rule)
+- Enhanced Access Controls (8 rules)
+- AWS Backup Advanced Controls (3 rules) - **Vault lock, reporting, restore testing**
+- Audit Log Management (7 rules) - **Control 8 comprehensive logging coverage**
+- Secure Configuration (5 rules) - **Control 4: session duration, security groups, VPC DNS, RDS admin, EC2 least privilege**
+- Account Management (4 rules) - **Control 5: service account docs, admin policies, SSO, inline policies**
+- Access Control Management (5 rules) - **Control 6: Access Analyzer, permission boundaries, SCPs, Cognito MFA, VPN MFA**
+
+### IG3 - Advanced Security (+1 Rule) ✅
+**100% Coverage Achieved**
+- API Gateway WAF Integration (1 rule)
+- Critical for preventing application-layer attacks
+- Required for high-security environments
+
+### Bonus Security Rules (+32 Rules) ✅
+**Additional Value Beyond CIS Requirements**
+- Enhanced logging security (`cloudwatch-log-group-encrypted`)
+- Network security enhancement (`incoming-ssh-disabled`)
+- Data streaming encryption (`kinesis-stream-encrypted`)
+- Network access control (`restricted-incoming-traffic`)
+- Message queue encryption (`sqs-queue-encrypted-kms`)
+- Route 53 DNS query logging (`route53-query-logging-enabled`)
+- Plus 26 additional security enhancements
+- Application Load Balancer access logs (`alb-access-logs-enabled`)
+- CloudFront distribution access logs (`cloudfront-access-logs-enabled`)
+- WAF web ACL logging (`waf-logging-enabled`)
+
+### 🔍 CIS Control 8: Audit Log Management (13 Rules)
+**Comprehensive Audit Logging Coverage**
+
+Control 8 focuses on collecting, alerting, reviewing, and retaining audit logs of events that could help detect, understand, or recover from an attack. Our implementation provides comprehensive coverage across AWS services:
+
+**DNS Query Logging**
+- `route53-query-logging-enabled`: Validates Route 53 hosted zones have query logging enabled to track DNS queries for security investigations
+
+**Load Balancer & CDN Logging**
+- `alb-access-logs-enabled`: Ensures Application Load Balancers capture access logs for traffic analysis
+- `elb-logging-enabled`: Validates Classic Load Balancers have access logging enabled
+- `cloudfront-access-logs-enabled`: Ensures CloudFront distributions log content delivery requests
+
+**Log Retention & Management**
+- `cloudwatch-log-retention-check`: Validates log groups have appropriate retention periods (minimum 90 days)
+- `cw-loggroup-retention-period-check`: Additional log retention validation
+
+**CloudTrail Monitoring**
+- `cloudtrail-insights-enabled`: Enables anomaly detection for unusual API activity
+
+**Configuration Tracking**
+- `config-recording-all-resources`: Ensures AWS Config tracks all resource configuration changes
+
+**Application Security Logging**
+- `waf-logging-enabled`: Validates WAF web ACLs capture firewall events
+- `wafv2-logging-enabled`: Ensures WAFv2 web ACLs have logging enabled
+
+**Database & Service Logging**
+- `rds-logging-enabled`: Validates RDS instances have appropriate logging enabled
+- `elasticsearch-logs-to-cloudwatch`: Ensures Elasticsearch domains send logs to CloudWatch
+- `codebuild-project-logging-enabled`: Validates CodeBuild projects capture build logs
+- `redshift-cluster-configuration-check`: Ensures Redshift clusters have audit logging enabled
+
+### 🔐 CIS Controls 4, 5, 6: Access & Configuration Controls (14 Rules)
+**Comprehensive Identity, Access Management, and Secure Configuration Coverage**
+
+These controls focus on secure configuration of enterprise assets, account management, and access control management. Our implementation provides comprehensive coverage across AWS IAM, networking, and identity services:
+
+**Control 4 - Secure Configuration (5 rules)**
+- `iam-max-session-duration-check`: Validates IAM role session duration does not exceed 12 hours to limit credential exposure
+- `security-group-default-rules-check`: Ensures default security groups have no inbound or outbound rules to prevent unintended access
+- `vpc-dns-resolution-enabled`: Validates VPC DNS settings (enableDnsHostnames and enableDnsSupport) are properly configured
+- `rds-default-admin-check`: Ensures RDS instances don't use default admin usernames (postgres, admin, root, mysql, administrator)
+- `ec2-instance-profile-least-privilege`: Validates EC2 instance profile permissions follow least privilege principles
+
+**Control 5 - Account Management (4 rules)**
+- `iam-service-account-inventory-check`: Validates service accounts have required documentation tags (Purpose, Owner, LastReviewed)
+- `iam-admin-policy-attached-to-role-check`: Ensures administrative policies are attached to roles, not directly to users
+- `sso-enabled-check`: Validates AWS IAM Identity Center is configured and enabled for centralized identity management
+- `iam-user-no-inline-policies`: Ensures IAM users don't have inline policies (only managed policies or group memberships)
+
+**Control 6 - Access Control Management (5 rules)**
+- `iam-access-analyzer-enabled`: Validates IAM Access Analyzer is enabled in all active regions for external access detection
+- `iam-permission-boundaries-check`: Ensures permission boundaries are configured for roles with elevated privileges
+- `organizations-scp-enabled-check`: Validates AWS Organizations Service Control Policies are enabled and in use
+- `cognito-user-pool-mfa-enabled`: Ensures Cognito user pools have MFA enabled for enhanced authentication security
+- `vpn-connection-mfa-enabled`: Validates Client VPN endpoints require MFA authentication
+
+## 🏗️ Production Architecture
+
+### Core Components
+- **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
+- **Control Assessments**: 149 individual rule implementations with robust error handling
+- **Scoring Engine**: Calculates compliance scores and generates executive metrics
+- **Reporting System**: Multi-format output with detailed remediation guidance
+- **Resource Management**: Optimized for enterprise-scale deployments with memory management
+
+### Enterprise Features
+- **Multi-threading**: Parallel execution for improved performance
+- **Error Recovery**: Comprehensive error handling and retry mechanisms
+- **Audit Trail**: Complete compliance audit and logging capabilities
+- **Resource Monitoring**: Real-time performance and resource usage tracking
+- **Scalable Architecture**: Handles assessments across hundreds of AWS accounts
+
+## 📋 Requirements
+
+- **Python**: 3.8+ (production tested on 3.8, 3.9, 3.10, 3.11)
+- **AWS Credentials**: Configured via AWS CLI, environment variables, or IAM roles
+- **Permissions**: Read-only access to AWS services being assessed
+- **Memory**: Minimum 2GB RAM for large-scale assessments
+- **Network**: Internet access for AWS API calls
+- **Default Region**: Assessments default to `us-east-1` unless `--regions` is specified
+
+## 📈 Business Value
+
+### Immediate Benefits
+- **Compliance Readiness**: Instant CIS Controls compliance assessment
+- **Risk Reduction**: Identify and prioritize security vulnerabilities
+- **Audit Support**: Generate comprehensive compliance reports
+- **Cost Optimization**: Identify misconfigured and unused resources
+- **Operational Efficiency**: Automate manual compliance checking
+
+### Long-term Value
+- **Continuous Improvement**: Track compliance posture over time
+- **Regulatory Compliance**: Support for multiple compliance frameworks
+- **Security Automation**: Foundation for automated remediation
+- **Enterprise Integration**: Integrate with existing security tools
+- **Future-Proof**: Extensible architecture for evolving requirements
+
+## 🛡️ Security & Compliance
+
+### Security Features
+- **Read-Only Access**: Framework requires only read permissions
+- **No Data Storage**: No sensitive data stored or transmitted
+- **Audit Logging**: Complete audit trail of all assessments
+- **Error Handling**: Secure error handling without data leakage
+
+### Compliance Support
+- **CIS Controls**: 100% coverage of Implementation Groups 1, 2, and 3
+- **AWS Well-Architected**: Aligned with security pillar best practices
+- **Industry Standards**: Supports SOC 2, NIST, ISO 27001 mapping
+- **Regulatory Requirements**: HIPAA, PCI DSS, FedRAMP compatible
+- **Custom Frameworks**: Extensible for organization-specific requirements
+
+## 📚 Documentation
+
+### Core Documentation
+- **[Installation Guide](docs/installation.md)**: Detailed installation instructions and requirements
+- **[User Guide](docs/user-guide.md)**: Comprehensive user manual and best practices
+- **[CLI Reference](docs/cli-reference.md)**: Complete command-line interface documentation
+- **[Dual Scoring Guide](docs/dual-scoring-implementation.md)**: Weighted vs AWS Config scoring methodologies
+- **[Scoring Methodology](docs/scoring-methodology.md)**: Detailed explanation of weighted scoring
+- **[AWS Config Comparison](docs/scoring-comparison-aws-config.md)**: Comparison with AWS Config approach
+- **[Troubleshooting Guide](docs/troubleshooting.md)**: Common issues and solutions
+- **[Developer Guide](docs/developer-guide.md)**: Development and contribution guidelines
+
+### Technical Documentation
+- **[Assessment Logic](docs/assessment-logic.md)**: How compliance assessments work
+- **[Config Rule Mappings](docs/config-rule-mappings.md)**: CIS Controls to AWS Config rule mappings
+- **[HTML Report Improvements](docs/html-report-improvements.md)**: Enhanced HTML report features and customization
+
+## 🤝 Support & Community
+
+### Getting Help
+- **Documentation**: Comprehensive guides and API documentation
+- **GitHub Issues**: Bug reports and feature requests
+- **Enterprise Support**: Commercial support available for enterprise deployments
+
+### Contributing
+- **Code Contributions**: Pull requests welcome with comprehensive tests
+- **Documentation**: Help improve documentation and examples
+- **Bug Reports**: Detailed bug reports with reproduction steps
+- **Feature Requests**: Enhancement suggestions with business justification
+
+## 📄 License
+
+MIT License - see [LICENSE](LICENSE) file for details.
+
+## 🏆 Project Status
+
+**✅ Production Ready**: Complete implementation with 100% CIS Controls coverage  
+**✅ Enterprise Deployed**: Actively used in production environments  
+**✅ Continuously Maintained**: Regular updates and security patches  
+**✅ Community Supported**: Active development and community contributions  
+**✅ Future-Proof**: Extensible architecture for evolving requirements
+
+---
+
+**Framework Version**: 1.1.0 (in development)  
+**CIS Controls Coverage**: 151/151 rules (100%) + 9 bonus rules  
+**Production Status**: ✅ Ready for immediate enterprise deployment  
+**Last Updated**: January 2026
+
+## 🆕 What's New in Version 1.1.0
+
+### Access & Configuration Controls (CIS Controls 4, 5, 6)
+Fourteen new controls added to assess identity, access management, and secure configuration:
+
+**Control 4 - Secure Configuration (5 rules)**:
+1. **iam-max-session-duration-check** - Validates IAM role session duration does not exceed 12 hours
+   - Ensures temporary credentials have limited exposure window
+   - Checks MaxSessionDuration property on all IAM roles
+   - Compliant if session duration ≤ 43200 seconds (12 hours)
+
+2. **security-group-default-rules-check** - Ensures default security groups have no rules
+   - Validates default security groups are restricted (no inbound/outbound rules)
+   - Prevents unintended access through default security groups
+   - Encourages use of custom security groups with explicit rules
+
+3. **vpc-dns-resolution-enabled** - Validates VPC DNS configuration
+   - Checks both enableDnsHostnames and enableDnsSupport are enabled
+   - Ensures proper DNS resolution within VPCs
+   - Required for many AWS services to function correctly
+
+4. **rds-default-admin-check** - Ensures RDS instances don't use default admin usernames
+   - Detects default usernames: postgres, admin, root, mysql, administrator, sa
+   - Case-insensitive detection
+   - Reduces risk of credential guessing attacks
+
+5. **ec2-instance-profile-least-privilege** - Validates EC2 instance profile permissions
+   - Checks for overly permissive policies (AdministratorAccess, PowerUserAccess)
+   - Detects wildcard permissions (Action: "*", Resource: "*")
+   - Ensures least privilege principle for EC2 workloads
+
+**Control 5 - Account Management (4 rules)**:
+6. **iam-service-account-inventory-check** - Validates service account documentation
+   - Ensures service accounts have required tags: Purpose, Owner, LastReviewed
+   - Identifies service accounts by naming convention or tags
+   - Supports compliance and access review processes
+
+7. **iam-admin-policy-attached-to-role-check** - Ensures admin policies on roles, not users
+   - Detects administrative policies attached directly to IAM users
+   - Encourages role-based access with temporary credentials
+   - Improves audit trail and access management
+
+8. **sso-enabled-check** - Validates AWS IAM Identity Center (SSO) is configured
+   - Checks for SSO instance existence
+   - Encourages centralized identity management
+   - Supports integration with corporate identity providers
+
+9. **iam-user-no-inline-policies** - Ensures IAM users don't have inline policies
+   - Detects inline policies attached to users
+   - Encourages use of managed policies for reusability
+   - Simplifies policy management and auditing
+
+**Control 6 - Access Control Management (5 rules)**:
+10. **iam-access-analyzer-enabled** - Validates Access Analyzer in all regions
+    - Ensures IAM Access Analyzer is enabled regionally
+    - Detects resources shared with external entities
+    - Provides continuous monitoring for unintended access
+
+11. **iam-permission-boundaries-check** - Validates permission boundaries for elevated roles
+    - Identifies roles with elevated privileges
+    - Checks for permission boundary configuration
+    - Prevents privilege escalation in delegated administration
+
+12. **organizations-scp-enabled-check** - Validates Service Control Policies are in use
+    - Checks account is part of AWS Organizations
+    - Verifies SCPs are enabled (FeatureSet includes ALL)
+    - Ensures custom SCPs exist beyond default FullAWSAccess
+
+13. **cognito-user-pool-mfa-enabled** - Ensures Cognito user pools have MFA
+    - Validates MfaConfiguration is 'ON' or 'OPTIONAL'
+    - Supports both SMS and TOTP authentication methods
+    - Enhances authentication security for applications
+
+14. **vpn-connection-mfa-enabled** - Validates Client VPN endpoints require MFA
+    - Checks VPN authentication options for MFA requirement
+    - Supports Active Directory, SAML, and certificate-based MFA
+    - Ensures secure remote access to AWS resources
+
+These controls complement the existing audit logging and backup controls by providing comprehensive coverage of identity, access management, and secure configuration practices. Total rules: 163 (149 previous + 14 new). See [Config Rule Mappings](docs/config-rule-mappings.md) for detailed documentation.

{aws_cis_controls_assessment-1.0.10 → aws_cis_controls_assessment-1.1.0}/aws_cis_assessment/__init__.py

@@ -2,10 +2,10 @@
 AWS CIS Controls Compliance Assessment Framework
 
 A production-ready, enterprise-grade framework for evaluating AWS account configurations against 
-CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 145 comprehensive AWS Config rules 
+CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 163 comprehensive AWS Config rules 
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.0.10"
+__version__ = "1.1.0"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"

{aws_cis_controls_assessment-1.0.10 → aws_cis_controls_assessment-1.1.0}/aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules: 76
+total_rules: 77
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
   '1.1':