PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.3__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

aws_cis_assessment/__init__.py +11 -0
aws_cis_assessment/cli/__init__.py +3 -0
aws_cis_assessment/cli/examples.py +274 -0
aws_cis_assessment/cli/main.py +1259 -0
aws_cis_assessment/cli/utils.py +356 -0
aws_cis_assessment/config/__init__.py +1 -0
aws_cis_assessment/config/config_loader.py +328 -0
aws_cis_assessment/config/rules/cis_controls_ig1.yaml +590 -0
aws_cis_assessment/config/rules/cis_controls_ig2.yaml +412 -0
aws_cis_assessment/config/rules/cis_controls_ig3.yaml +100 -0
aws_cis_assessment/controls/__init__.py +1 -0
aws_cis_assessment/controls/base_control.py +400 -0
aws_cis_assessment/controls/ig1/__init__.py +239 -0
aws_cis_assessment/controls/ig1/control_1_1.py +586 -0
aws_cis_assessment/controls/ig1/control_2_2.py +231 -0
aws_cis_assessment/controls/ig1/control_3_3.py +718 -0
aws_cis_assessment/controls/ig1/control_3_4.py +235 -0
aws_cis_assessment/controls/ig1/control_4_1.py +461 -0
aws_cis_assessment/controls/ig1/control_access_keys.py +310 -0
aws_cis_assessment/controls/ig1/control_advanced_security.py +512 -0
aws_cis_assessment/controls/ig1/control_backup_recovery.py +510 -0
aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py +197 -0
aws_cis_assessment/controls/ig1/control_critical_security.py +422 -0
aws_cis_assessment/controls/ig1/control_data_protection.py +898 -0
aws_cis_assessment/controls/ig1/control_iam_advanced.py +573 -0
aws_cis_assessment/controls/ig1/control_iam_governance.py +493 -0
aws_cis_assessment/controls/ig1/control_iam_policies.py +383 -0
aws_cis_assessment/controls/ig1/control_instance_optimization.py +100 -0
aws_cis_assessment/controls/ig1/control_network_enhancements.py +203 -0
aws_cis_assessment/controls/ig1/control_network_security.py +672 -0
aws_cis_assessment/controls/ig1/control_s3_enhancements.py +173 -0
aws_cis_assessment/controls/ig1/control_s3_security.py +422 -0
aws_cis_assessment/controls/ig1/control_vpc_security.py +235 -0
aws_cis_assessment/controls/ig2/__init__.py +172 -0
aws_cis_assessment/controls/ig2/control_3_10.py +698 -0
aws_cis_assessment/controls/ig2/control_3_11.py +1330 -0
aws_cis_assessment/controls/ig2/control_5_2.py +393 -0
aws_cis_assessment/controls/ig2/control_advanced_encryption.py +355 -0
aws_cis_assessment/controls/ig2/control_codebuild_security.py +263 -0
aws_cis_assessment/controls/ig2/control_encryption_rest.py +382 -0
aws_cis_assessment/controls/ig2/control_encryption_transit.py +382 -0
aws_cis_assessment/controls/ig2/control_network_ha.py +467 -0
aws_cis_assessment/controls/ig2/control_remaining_encryption.py +426 -0
aws_cis_assessment/controls/ig2/control_remaining_rules.py +363 -0
aws_cis_assessment/controls/ig2/control_service_logging.py +402 -0
aws_cis_assessment/controls/ig3/__init__.py +49 -0
aws_cis_assessment/controls/ig3/control_12_8.py +395 -0
aws_cis_assessment/controls/ig3/control_13_1.py +467 -0
aws_cis_assessment/controls/ig3/control_3_14.py +523 -0
aws_cis_assessment/controls/ig3/control_7_1.py +359 -0
aws_cis_assessment/core/__init__.py +1 -0
aws_cis_assessment/core/accuracy_validator.py +425 -0
aws_cis_assessment/core/assessment_engine.py +1266 -0
aws_cis_assessment/core/audit_trail.py +491 -0
aws_cis_assessment/core/aws_client_factory.py +313 -0
aws_cis_assessment/core/error_handler.py +607 -0
aws_cis_assessment/core/models.py +166 -0
aws_cis_assessment/core/scoring_engine.py +459 -0
aws_cis_assessment/reporters/__init__.py +8 -0
aws_cis_assessment/reporters/base_reporter.py +454 -0
aws_cis_assessment/reporters/csv_reporter.py +835 -0
aws_cis_assessment/reporters/html_reporter.py +2162 -0
aws_cis_assessment/reporters/json_reporter.py +561 -0
aws_cis_controls_assessment-1.0.3.dist-info/METADATA +248 -0
aws_cis_controls_assessment-1.0.3.dist-info/RECORD +77 -0
aws_cis_controls_assessment-1.0.3.dist-info/WHEEL +5 -0
aws_cis_controls_assessment-1.0.3.dist-info/entry_points.txt +2 -0
aws_cis_controls_assessment-1.0.3.dist-info/licenses/LICENSE +21 -0
aws_cis_controls_assessment-1.0.3.dist-info/top_level.txt +2 -0
docs/README.md +94 -0
docs/assessment-logic.md +766 -0
docs/cli-reference.md +698 -0
docs/config-rule-mappings.md +393 -0
docs/developer-guide.md +858 -0
docs/installation.md +299 -0
docs/troubleshooting.md +634 -0
docs/user-guide.md +487 -0

aws_cis_assessment/controls/ig1/control_access_keys.py ADDED Viewed

@@ -0,0 +1,310 @@
+"""Access Keys Rotation and Management assessments."""
+from typing import Dict, List, Any
+import logging
+from datetime import datetime, timezone, timedelta
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class AccessKeysRotatedAssessment(BaseConfigRuleAssessment):
+    """Assessment for access-keys-rotated Config rule."""
+    def __init__(self, max_access_key_age: int = 90):
+        """Initialize access keys rotation assessment."""
+        super().__init__(
+            rule_name="access-keys-rotated",
+            control_id="4.1",
+            resource_types=["AWS::IAM::User"],
+            parameters={"maxAccessKeyAge": max_access_key_age}
+        )
+        self.max_access_key_age = max_access_key_age
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all IAM users with access keys."""
+        if resource_type != "AWS::IAM::User":
+            return []
+        try:
+            iam_client = aws_factory.get_client('iam', region)
+            # Get all users
+            users_response = aws_factory.aws_api_call_with_retry(
+                lambda: iam_client.list_users()
+            )
+            users_with_keys = []
+            for user in users_response.get('Users', []):
+                user_name = user.get('UserName')
+                # Get access keys for each user
+                try:
+                    keys_response = aws_factory.aws_api_call_with_retry(
+                        lambda: iam_client.list_access_keys(UserName=user_name)
+                    )
+                    access_keys = keys_response.get('AccessKeyMetadata', [])
+                    if access_keys:
+                        users_with_keys.append({
+                            'UserName': user_name,
+                            'UserId': user.get('UserId'),
+                            'CreateDate': user.get('CreateDate'),
+                            'AccessKeys': access_keys
+                        })
+                except ClientError as e:
+                    logger.debug(f"Cannot access keys for user {user_name}: {e}")
+                    continue
+            logger.debug(f"Found {len(users_with_keys)} IAM users with access keys")
+            return users_with_keys
+        except ClientError as e:
+            logger.error(f"Error retrieving IAM users: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving IAM users: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if IAM user's access keys are rotated within the specified timeframe."""
+        user_name = resource.get('UserName', 'unknown')
+        access_keys = resource.get('AccessKeys', [])
+        now = datetime.now(timezone.utc)
+        old_keys = []
+        compliant_keys = []
+        for key in access_keys:
+            if key.get('Status') == 'Active':
+                create_date = key.get('CreateDate')
+                if isinstance(create_date, datetime):
+                    if create_date.tzinfo is None:
+                        create_date = create_date.replace(tzinfo=timezone.utc)
+                    age_days = (now - create_date).days
+                    if age_days > self.max_access_key_age:
+                        old_keys.append({
+                            'AccessKeyId': key.get('AccessKeyId'),
+                            'Age': age_days
+                        })
+                    else:
+                        compliant_keys.append({
+                            'AccessKeyId': key.get('AccessKeyId'),
+                            'Age': age_days
+                        })
+        if old_keys:
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+            key_details = [f"{key['AccessKeyId']} ({key['Age']} days old)" for key in old_keys]
+            evaluation_reason = f"User {user_name} has {len(old_keys)} access key(s) older than {self.max_access_key_age} days: {', '.join(key_details)}"
+        elif compliant_keys:
+            compliance_status = ComplianceStatus.COMPLIANT
+            evaluation_reason = f"User {user_name} has {len(compliant_keys)} access key(s) within rotation period"
+        else:
+            compliance_status = ComplianceStatus.NOT_APPLICABLE
+            evaluation_reason = f"User {user_name} has no active access keys"
+        return ComplianceResult(
+            resource_id=user_name,
+            resource_type="AWS::IAM::User",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get specific remediation steps for access key rotation."""
+        return [
+            f"Identify IAM users with access keys older than {self.max_access_key_age} days",
+            "For each user with old access keys:",
+            "  1. Create a new access key for the user",
+            "  2. Update applications/services to use the new access key",
+            "  3. Test that applications work with the new key",
+            "  4. Deactivate the old access key",
+            "  5. Monitor for any issues, then delete the old key",
+            "Use AWS CLI: aws iam create-access-key --user-name <username>",
+            "Use AWS CLI: aws iam delete-access-key --user-name <username> --access-key-id <old-key-id>",
+            "Set up automated access key rotation using AWS Secrets Manager or custom solutions",
+            "Implement monitoring and alerting for access key age"
+        ]
+class EC2IMDSv2CheckAssessment(BaseConfigRuleAssessment):
+    """Assessment for ec2-imdsv2-check Config rule."""
+    def __init__(self):
+        """Initialize EC2 IMDSv2 assessment."""
+        super().__init__(
+            rule_name="ec2-imdsv2-check",
+            control_id="3.3",
+            resource_types=["AWS::EC2::Instance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all EC2 instances in the region."""
+        if resource_type != "AWS::EC2::Instance":
+            return []
+        try:
+            ec2_client = aws_factory.get_client('ec2', region)
+            response = aws_factory.aws_api_call_with_retry(
+                lambda: ec2_client.describe_instances()
+            )
+            instances = []
+            for reservation in response.get('Reservations', []):
+                for instance in reservation.get('Instances', []):
+                    if instance.get('State', {}).get('Name') in ['running', 'stopped']:
+                        instances.append({
+                            'InstanceId': instance.get('InstanceId'),
+                            'State': instance.get('State', {}),
+                            'MetadataOptions': instance.get('MetadataOptions', {}),
+                            'InstanceType': instance.get('InstanceType'),
+                            'Tags': instance.get('Tags', [])
+                        })
+            logger.debug(f"Found {len(instances)} EC2 instances in region {region}")
+            return instances
+        except ClientError as e:
+            logger.error(f"Error retrieving EC2 instances in region {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving EC2 instances in region {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if EC2 instance requires IMDSv2."""
+        instance_id = resource.get('InstanceId', 'unknown')
+        metadata_options = resource.get('MetadataOptions', {})
+        # Check if IMDSv2 is required
+        http_tokens = metadata_options.get('HttpTokens', 'optional')
+        http_endpoint = metadata_options.get('HttpEndpoint', 'enabled')
+        if http_endpoint == 'disabled':
+            compliance_status = ComplianceStatus.COMPLIANT
+            evaluation_reason = f"Instance {instance_id} has metadata service disabled"
+        elif http_tokens == 'required':
+            compliance_status = ComplianceStatus.COMPLIANT
+            evaluation_reason = f"Instance {instance_id} requires IMDSv2 (HttpTokens: required)"
+        else:
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+            evaluation_reason = f"Instance {instance_id} allows IMDSv1 (HttpTokens: {http_tokens})"
+        return ComplianceResult(
+            resource_id=instance_id,
+            resource_type="AWS::EC2::Instance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get specific remediation steps for IMDSv2 enforcement."""
+        return [
+            "Identify EC2 instances that allow IMDSv1 access",
+            "For each instance, enforce IMDSv2:",
+            "  1. Test applications to ensure IMDSv2 compatibility",
+            "  2. Stop the instance (if required for modification)",
+            "  3. Modify instance metadata options to require IMDSv2",
+            "  4. Start the instance and verify functionality",
+            "Use AWS CLI: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required",
+            "Update launch templates and Auto Scaling groups to enforce IMDSv2 by default",
+            "Monitor applications for any IMDSv1 dependencies",
+            "Consider setting HttpPutResponseHopLimit to 1 for additional security"
+        ]
+class EC2InstanceProfileAttachedAssessment(BaseConfigRuleAssessment):
+    """Assessment for ec2-instance-profile-attached Config rule."""
+    def __init__(self):
+        """Initialize EC2 instance profile assessment."""
+        super().__init__(
+            rule_name="ec2-instance-profile-attached",
+            control_id="3.3",
+            resource_types=["AWS::EC2::Instance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all EC2 instances in the region."""
+        if resource_type != "AWS::EC2::Instance":
+            return []
+        try:
+            ec2_client = aws_factory.get_client('ec2', region)
+            response = aws_factory.aws_api_call_with_retry(
+                lambda: ec2_client.describe_instances()
+            )
+            instances = []
+            for reservation in response.get('Reservations', []):
+                for instance in reservation.get('Instances', []):
+                    if instance.get('State', {}).get('Name') in ['running', 'stopped']:
+                        instances.append({
+                            'InstanceId': instance.get('InstanceId'),
+                            'State': instance.get('State', {}),
+                            'IamInstanceProfile': instance.get('IamInstanceProfile'),
+                            'InstanceType': instance.get('InstanceType'),
+                            'Tags': instance.get('Tags', [])
+                        })
+            logger.debug(f"Found {len(instances)} EC2 instances in region {region}")
+            return instances
+        except ClientError as e:
+            logger.error(f"Error retrieving EC2 instances in region {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving EC2 instances in region {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if EC2 instance has an IAM instance profile attached."""
+        instance_id = resource.get('InstanceId', 'unknown')
+        iam_instance_profile = resource.get('IamInstanceProfile')
+        if iam_instance_profile:
+            profile_arn = iam_instance_profile.get('Arn', 'unknown')
+            compliance_status = ComplianceStatus.COMPLIANT
+            evaluation_reason = f"Instance {instance_id} has IAM instance profile attached: {profile_arn}"
+        else:
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+            evaluation_reason = f"Instance {instance_id} does not have an IAM instance profile attached"
+        return ComplianceResult(
+            resource_id=instance_id,
+            resource_type="AWS::EC2::Instance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get specific remediation steps for instance profile attachment."""
+        return [
+            "Identify EC2 instances without IAM instance profiles",
+            "For each instance, attach an appropriate IAM instance profile:",
+            "  1. Create an IAM role with necessary permissions",
+            "  2. Create an instance profile and add the role to it",
+            "  3. Stop the instance (if required)",
+            "  4. Associate the instance profile with the instance",
+            "  5. Start the instance and verify functionality",
+            "Use AWS CLI: aws ec2 associate-iam-instance-profile --instance-id <id> --iam-instance-profile Name=<profile>",
+            "Follow principle of least privilege when creating IAM roles",
+            "Update launch templates to include instance profiles by default",
+            "Monitor and audit instance profile usage regularly"
+        ]