PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.3__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

aws_cis_assessment/__init__.py +11 -0
aws_cis_assessment/cli/__init__.py +3 -0
aws_cis_assessment/cli/examples.py +274 -0
aws_cis_assessment/cli/main.py +1259 -0
aws_cis_assessment/cli/utils.py +356 -0
aws_cis_assessment/config/__init__.py +1 -0
aws_cis_assessment/config/config_loader.py +328 -0
aws_cis_assessment/config/rules/cis_controls_ig1.yaml +590 -0
aws_cis_assessment/config/rules/cis_controls_ig2.yaml +412 -0
aws_cis_assessment/config/rules/cis_controls_ig3.yaml +100 -0
aws_cis_assessment/controls/__init__.py +1 -0
aws_cis_assessment/controls/base_control.py +400 -0
aws_cis_assessment/controls/ig1/__init__.py +239 -0
aws_cis_assessment/controls/ig1/control_1_1.py +586 -0
aws_cis_assessment/controls/ig1/control_2_2.py +231 -0
aws_cis_assessment/controls/ig1/control_3_3.py +718 -0
aws_cis_assessment/controls/ig1/control_3_4.py +235 -0
aws_cis_assessment/controls/ig1/control_4_1.py +461 -0
aws_cis_assessment/controls/ig1/control_access_keys.py +310 -0
aws_cis_assessment/controls/ig1/control_advanced_security.py +512 -0
aws_cis_assessment/controls/ig1/control_backup_recovery.py +510 -0
aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py +197 -0
aws_cis_assessment/controls/ig1/control_critical_security.py +422 -0
aws_cis_assessment/controls/ig1/control_data_protection.py +898 -0
aws_cis_assessment/controls/ig1/control_iam_advanced.py +573 -0
aws_cis_assessment/controls/ig1/control_iam_governance.py +493 -0
aws_cis_assessment/controls/ig1/control_iam_policies.py +383 -0
aws_cis_assessment/controls/ig1/control_instance_optimization.py +100 -0
aws_cis_assessment/controls/ig1/control_network_enhancements.py +203 -0
aws_cis_assessment/controls/ig1/control_network_security.py +672 -0
aws_cis_assessment/controls/ig1/control_s3_enhancements.py +173 -0
aws_cis_assessment/controls/ig1/control_s3_security.py +422 -0
aws_cis_assessment/controls/ig1/control_vpc_security.py +235 -0
aws_cis_assessment/controls/ig2/__init__.py +172 -0
aws_cis_assessment/controls/ig2/control_3_10.py +698 -0
aws_cis_assessment/controls/ig2/control_3_11.py +1330 -0
aws_cis_assessment/controls/ig2/control_5_2.py +393 -0
aws_cis_assessment/controls/ig2/control_advanced_encryption.py +355 -0
aws_cis_assessment/controls/ig2/control_codebuild_security.py +263 -0
aws_cis_assessment/controls/ig2/control_encryption_rest.py +382 -0
aws_cis_assessment/controls/ig2/control_encryption_transit.py +382 -0
aws_cis_assessment/controls/ig2/control_network_ha.py +467 -0
aws_cis_assessment/controls/ig2/control_remaining_encryption.py +426 -0
aws_cis_assessment/controls/ig2/control_remaining_rules.py +363 -0
aws_cis_assessment/controls/ig2/control_service_logging.py +402 -0
aws_cis_assessment/controls/ig3/__init__.py +49 -0
aws_cis_assessment/controls/ig3/control_12_8.py +395 -0
aws_cis_assessment/controls/ig3/control_13_1.py +467 -0
aws_cis_assessment/controls/ig3/control_3_14.py +523 -0
aws_cis_assessment/controls/ig3/control_7_1.py +359 -0
aws_cis_assessment/core/__init__.py +1 -0
aws_cis_assessment/core/accuracy_validator.py +425 -0
aws_cis_assessment/core/assessment_engine.py +1266 -0
aws_cis_assessment/core/audit_trail.py +491 -0
aws_cis_assessment/core/aws_client_factory.py +313 -0
aws_cis_assessment/core/error_handler.py +607 -0
aws_cis_assessment/core/models.py +166 -0
aws_cis_assessment/core/scoring_engine.py +459 -0
aws_cis_assessment/reporters/__init__.py +8 -0
aws_cis_assessment/reporters/base_reporter.py +454 -0
aws_cis_assessment/reporters/csv_reporter.py +835 -0
aws_cis_assessment/reporters/html_reporter.py +2162 -0
aws_cis_assessment/reporters/json_reporter.py +561 -0
aws_cis_controls_assessment-1.0.3.dist-info/METADATA +248 -0
aws_cis_controls_assessment-1.0.3.dist-info/RECORD +77 -0
aws_cis_controls_assessment-1.0.3.dist-info/WHEEL +5 -0
aws_cis_controls_assessment-1.0.3.dist-info/entry_points.txt +2 -0
aws_cis_controls_assessment-1.0.3.dist-info/licenses/LICENSE +21 -0
aws_cis_controls_assessment-1.0.3.dist-info/top_level.txt +2 -0
docs/README.md +94 -0
docs/assessment-logic.md +766 -0
docs/cli-reference.md +698 -0
docs/config-rule-mappings.md +393 -0
docs/developer-guide.md +858 -0
docs/installation.md +299 -0
docs/troubleshooting.md +634 -0
docs/user-guide.md +487 -0

aws_cis_assessment/controls/ig1/control_s3_enhancements.py ADDED Viewed

@@ -0,0 +1,173 @@
+"""Control 3.3: Configure Data Access Control Lists - S3 enhancements."""
+from typing import Dict, List, Any
+import logging
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class S3AccountLevelPublicAccessBlocksPeriodicAssessment(BaseConfigRuleAssessment):
+    """Assessment for s3-account-level-public-access-blocks-periodic AWS Config rule."""
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-account-level-public-access-blocks-periodic",
+            control_id="3.3",
+            resource_types=["AWS::::Account"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get account-level resource for S3 public access block check."""
+        if resource_type != "AWS::::Account":
+            return []
+        # Return a single account resource
+        return [{'AccountId': aws_factory.account_id}]
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if account has S3 public access blocks configured."""
+        account_id = resource.get('AccountId', 'unknown')
+        try:
+            s3control_client = aws_factory.get_client('s3control', region)
+            response = aws_factory.aws_api_call_with_retry(
+                lambda: s3control_client.get_public_access_block(AccountId=account_id)
+            )
+            config = response.get('PublicAccessBlockConfiguration', {})
+            block_public_acls = config.get('BlockPublicAcls', False)
+            ignore_public_acls = config.get('IgnorePublicAcls', False)
+            block_public_policy = config.get('BlockPublicPolicy', False)
+            restrict_public_buckets = config.get('RestrictPublicBuckets', False)
+            if all([block_public_acls, ignore_public_acls, block_public_policy, restrict_public_buckets]):
+                compliance_status = ComplianceStatus.COMPLIANT
+                evaluation_reason = f"Account {account_id} has all S3 public access blocks enabled"
+            else:
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+                missing = []
+                if not block_public_acls:
+                    missing.append('BlockPublicAcls')
+                if not ignore_public_acls:
+                    missing.append('IgnorePublicAcls')
+                if not block_public_policy:
+                    missing.append('BlockPublicPolicy')
+                if not restrict_public_buckets:
+                    missing.append('RestrictPublicBuckets')
+                evaluation_reason = f"Account {account_id} is missing S3 public access blocks: {', '.join(missing)}"
+        except ClientError as e:
+            if e.response.get('Error', {}).get('Code') == 'NoSuchPublicAccessBlockConfiguration':
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+                evaluation_reason = f"Account {account_id} does not have S3 public access blocks configured"
+            else:
+                compliance_status = ComplianceStatus.ERROR
+                evaluation_reason = f"Error checking S3 public access blocks for account {account_id}: {str(e)}"
+        return ComplianceResult(
+            resource_id=account_id,
+            resource_type="AWS::::Account",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+class S3BucketPublicWriteProhibitedAssessment(BaseConfigRuleAssessment):
+    """Assessment for s3-bucket-public-write-prohibited AWS Config rule."""
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-bucket-public-write-prohibited",
+            control_id="3.3",
+            resource_types=["AWS::S3::Bucket"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get S3 buckets."""
+        if resource_type != "AWS::S3::Bucket":
+            return []
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            response = aws_factory.aws_api_call_with_retry(
+                lambda: s3_client.list_buckets()
+            )
+            buckets = []
+            for bucket in response.get('Buckets', []):
+                buckets.append({
+                    'Name': bucket.get('Name'),
+                    'CreationDate': bucket.get('CreationDate')
+                })
+            return buckets
+        except ClientError as e:
+            logger.error(f"Error retrieving S3 buckets: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if S3 bucket prohibits public write access."""
+        bucket_name = resource.get('Name', 'unknown')
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            # Check bucket ACL
+            try:
+                acl_response = aws_factory.aws_api_call_with_retry(
+                    lambda: s3_client.get_bucket_acl(Bucket=bucket_name)
+                )
+                grants = acl_response.get('Grants', [])
+                public_write_found = False
+                for grant in grants:
+                    grantee = grant.get('Grantee', {})
+                    permission = grant.get('Permission', '')
+                    # Check for public write permissions
+                    if (grantee.get('Type') == 'Group' and
+                        grantee.get('URI') in [
+                            'http://acs.amazonaws.com/groups/global/AllUsers',
+                            'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
+                        ] and
+                        permission in ['WRITE', 'WRITE_ACP', 'FULL_CONTROL']):
+                        public_write_found = True
+                        break
+                if not public_write_found:
+                    compliance_status = ComplianceStatus.COMPLIANT
+                    evaluation_reason = f"S3 bucket {bucket_name} does not allow public write access"
+                else:
+                    compliance_status = ComplianceStatus.NON_COMPLIANT
+                    evaluation_reason = f"S3 bucket {bucket_name} allows public write access"
+            except ClientError as e:
+                if e.response.get('Error', {}).get('Code') in ['AccessDenied', 'NoSuchBucket']:
+                    compliance_status = ComplianceStatus.ERROR
+                    evaluation_reason = f"Cannot access ACL for bucket {bucket_name}: {str(e)}"
+                else:
+                    raise
+        except ClientError as e:
+            compliance_status = ComplianceStatus.ERROR
+            evaluation_reason = f"Error checking public write access for bucket {bucket_name}: {str(e)}"
+        return ComplianceResult(
+            resource_id=bucket_name,
+            resource_type="AWS::S3::Bucket",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )

aws_cis_assessment/controls/ig1/control_s3_security.py ADDED Viewed

@@ -0,0 +1,422 @@
+"""
+CIS Control 3.3 - S3 Security Controls
+Critical S3 security rules for data protection and access control.
+"""
+import logging
+from typing import List, Dict, Any, Optional
+import boto3
+import json
+from botocore.exceptions import ClientError, NoCredentialsError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class S3BucketSSLRequestsOnlyAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.3 - Configure Data Access Control Lists
+    AWS Config Rule: s3-bucket-ssl-requests-only
+    Ensures S3 buckets require SSL/TLS for all requests to protect data in transit.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-bucket-ssl-requests-only",
+            control_id="3.3",
+            resource_types=["AWS::S3::Bucket"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all S3 buckets (only from us-east-1 to avoid duplicates)."""
+        if resource_type != "AWS::S3::Bucket":
+            return []
+        # S3 is global, only check from us-east-1 to avoid duplicate checks
+        if region != 'us-east-1':
+            return []
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            response = s3_client.list_buckets()
+            buckets = []
+            for bucket in response.get('Buckets', []):
+                bucket_name = bucket['Name']
+                try:
+                    # Get bucket policy to check for SSL enforcement
+                    has_ssl_policy = False
+                    ssl_policy_statements = []
+                    try:
+                        policy_response = s3_client.get_bucket_policy(Bucket=bucket_name)
+                        policy_doc = json.loads(policy_response['Policy'])
+                        statements = policy_doc.get('Statement', [])
+                        for statement in statements:
+                            if isinstance(statement, dict):
+                                effect = statement.get('Effect', '')
+                                condition = statement.get('Condition', {})
+                                # Check for SSL enforcement conditions
+                                if effect == 'Deny':
+                                    # Check for aws:SecureTransport condition
+                                    bool_conditions = condition.get('Bool', {})
+                                    if 'aws:SecureTransport' in bool_conditions:
+                                        secure_transport = bool_conditions['aws:SecureTransport']
+                                        if secure_transport == 'false' or secure_transport is False:
+                                            has_ssl_policy = True
+                                            ssl_policy_statements.append(statement)
+                    except ClientError as e:
+                        if e.response.get('Error', {}).get('Code') != 'NoSuchBucketPolicy':
+                            raise e
+                    buckets.append({
+                        'BucketName': bucket_name,
+                        'HasSSLPolicy': has_ssl_policy,
+                        'SSLPolicyStatements': ssl_policy_statements
+                    })
+                except ClientError as e:
+                    error_code = e.response.get('Error', {}).get('Code', '')
+                    if error_code in ['NoSuchBucket', 'AccessDenied']:
+                        continue
+                    else:
+                        logger.warning(f"Error checking S3 bucket {bucket_name}: {e}")
+                        continue
+            logger.debug(f"Found {len(buckets)} S3 buckets from {region}")
+            return buckets
+        except ClientError as e:
+            logger.error(f"Error retrieving S3 buckets from {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving S3 buckets from {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if S3 bucket requires SSL/TLS for requests."""
+        bucket_name = resource.get('BucketName', 'unknown')
+        has_ssl_policy = resource.get('HasSSLPolicy', False)
+        if has_ssl_policy:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.COMPLIANT,
+                evaluation_reason="S3 bucket has policy requiring SSL/TLS for requests",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+        else:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.NON_COMPLIANT,
+                evaluation_reason="S3 bucket does not require SSL/TLS for requests",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+class S3BucketServerSideEncryptionEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.3 - Configure Data Access Control Lists
+    AWS Config Rule: s3-bucket-server-side-encryption-enabled
+    Ensures S3 buckets have server-side encryption enabled to protect data at rest.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-bucket-server-side-encryption-enabled",
+            control_id="3.3",
+            resource_types=["AWS::S3::Bucket"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all S3 buckets with encryption configuration."""
+        if resource_type != "AWS::S3::Bucket":
+            return []
+        # S3 is global, only check from us-east-1 to avoid duplicate checks
+        if region != 'us-east-1':
+            return []
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            response = s3_client.list_buckets()
+            buckets = []
+            for bucket in response.get('Buckets', []):
+                bucket_name = bucket['Name']
+                try:
+                    # Get bucket encryption configuration
+                    has_encryption = False
+                    encryption_rules = []
+                    try:
+                        encryption_response = s3_client.get_bucket_encryption(Bucket=bucket_name)
+                        encryption_config = encryption_response.get('ServerSideEncryptionConfiguration', {})
+                        rules = encryption_config.get('Rules', [])
+                        if rules:
+                            has_encryption = True
+                            for rule in rules:
+                                sse_algorithm = rule.get('ApplyServerSideEncryptionByDefault', {}).get('SSEAlgorithm', '')
+                                kms_key_id = rule.get('ApplyServerSideEncryptionByDefault', {}).get('KMSMasterKeyID', '')
+                                encryption_rules.append({
+                                    'SSEAlgorithm': sse_algorithm,
+                                    'KMSMasterKeyID': kms_key_id
+                                })
+                    except ClientError as e:
+                        if e.response.get('Error', {}).get('Code') != 'ServerSideEncryptionConfigurationNotFoundError':
+                            raise e
+                    buckets.append({
+                        'BucketName': bucket_name,
+                        'HasEncryption': has_encryption,
+                        'EncryptionRules': encryption_rules
+                    })
+                except ClientError as e:
+                    error_code = e.response.get('Error', {}).get('Code', '')
+                    if error_code in ['NoSuchBucket', 'AccessDenied']:
+                        continue
+                    else:
+                        logger.warning(f"Error checking S3 bucket {bucket_name}: {e}")
+                        continue
+            logger.debug(f"Found {len(buckets)} S3 buckets from {region}")
+            return buckets
+        except ClientError as e:
+            logger.error(f"Error retrieving S3 buckets from {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving S3 buckets from {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if S3 bucket has server-side encryption enabled."""
+        bucket_name = resource.get('BucketName', 'unknown')
+        has_encryption = resource.get('HasEncryption', False)
+        encryption_rules = resource.get('EncryptionRules', [])
+        if has_encryption:
+            encryption_details = []
+            for rule in encryption_rules:
+                algorithm = rule.get('SSEAlgorithm', 'Unknown')
+                encryption_details.append(algorithm)
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.COMPLIANT,
+                evaluation_reason=f"S3 bucket has server-side encryption enabled: {', '.join(encryption_details)}",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+        else:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.NON_COMPLIANT,
+                evaluation_reason="S3 bucket does not have server-side encryption enabled",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+class S3BucketLoggingEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.3 - Configure Data Access Control Lists
+    AWS Config Rule: s3-bucket-logging-enabled
+    Ensures S3 buckets have access logging enabled for audit and compliance.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-bucket-logging-enabled",
+            control_id="3.3",
+            resource_types=["AWS::S3::Bucket"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all S3 buckets with logging configuration."""
+        if resource_type != "AWS::S3::Bucket":
+            return []
+        # S3 is global, only check from us-east-1 to avoid duplicate checks
+        if region != 'us-east-1':
+            return []
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            response = s3_client.list_buckets()
+            buckets = []
+            for bucket in response.get('Buckets', []):
+                bucket_name = bucket['Name']
+                try:
+                    # Get bucket logging configuration
+                    logging_response = s3_client.get_bucket_logging(Bucket=bucket_name)
+                    logging_config = logging_response.get('LoggingEnabled', {})
+                    has_logging = bool(logging_config)
+                    target_bucket = logging_config.get('TargetBucket', '') if has_logging else ''
+                    target_prefix = logging_config.get('TargetPrefix', '') if has_logging else ''
+                    buckets.append({
+                        'BucketName': bucket_name,
+                        'HasLogging': has_logging,
+                        'TargetBucket': target_bucket,
+                        'TargetPrefix': target_prefix
+                    })
+                except ClientError as e:
+                    error_code = e.response.get('Error', {}).get('Code', '')
+                    if error_code in ['NoSuchBucket', 'AccessDenied']:
+                        continue
+                    else:
+                        logger.warning(f"Error checking S3 bucket {bucket_name}: {e}")
+                        continue
+            logger.debug(f"Found {len(buckets)} S3 buckets from {region}")
+            return buckets
+        except ClientError as e:
+            logger.error(f"Error retrieving S3 buckets from {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving S3 buckets from {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if S3 bucket has access logging enabled."""
+        bucket_name = resource.get('BucketName', 'unknown')
+        has_logging = resource.get('HasLogging', False)
+        target_bucket = resource.get('TargetBucket', '')
+        if has_logging:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.COMPLIANT,
+                evaluation_reason=f"S3 bucket has access logging enabled (target: {target_bucket})",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+        else:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.NON_COMPLIANT,
+                evaluation_reason="S3 bucket does not have access logging enabled",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+class S3BucketVersioningEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.4 - Enforce Data Retention
+    AWS Config Rule: s3-bucket-versioning-enabled
+    Ensures S3 buckets have versioning enabled for data protection and recovery.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="s3-bucket-versioning-enabled",
+            control_id="3.4",
+            resource_types=["AWS::S3::Bucket"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all S3 buckets with versioning configuration."""
+        if resource_type != "AWS::S3::Bucket":
+            return []
+        # S3 is global, only check from us-east-1 to avoid duplicate checks
+        if region != 'us-east-1':
+            return []
+        try:
+            s3_client = aws_factory.get_client('s3', region)
+            response = s3_client.list_buckets()
+            buckets = []
+            for bucket in response.get('Buckets', []):
+                bucket_name = bucket['Name']
+                try:
+                    # Get bucket versioning configuration
+                    versioning_response = s3_client.get_bucket_versioning(Bucket=bucket_name)
+                    versioning_status = versioning_response.get('Status', 'Disabled')
+                    mfa_delete = versioning_response.get('MfaDelete', 'Disabled')
+                    buckets.append({
+                        'BucketName': bucket_name,
+                        'VersioningStatus': versioning_status,
+                        'MfaDelete': mfa_delete,
+                        'IsVersioningEnabled': versioning_status == 'Enabled'
+                    })
+                except ClientError as e:
+                    error_code = e.response.get('Error', {}).get('Code', '')
+                    if error_code in ['NoSuchBucket', 'AccessDenied']:
+                        continue
+                    else:
+                        logger.warning(f"Error checking S3 bucket {bucket_name}: {e}")
+                        continue
+            logger.debug(f"Found {len(buckets)} S3 buckets from {region}")
+            return buckets
+        except ClientError as e:
+            logger.error(f"Error retrieving S3 buckets from {region}: {e}")
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving S3 buckets from {region}: {e}")
+            raise
+    def _evaluate_resource_compliance(self, resource: Dict[str, Any], aws_factory: AWSClientFactory, region: str) -> ComplianceResult:
+        """Evaluate if S3 bucket has versioning enabled."""
+        bucket_name = resource.get('BucketName', 'unknown')
+        versioning_status = resource.get('VersioningStatus', 'Disabled')
+        is_versioning_enabled = resource.get('IsVersioningEnabled', False)
+        if is_versioning_enabled:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.COMPLIANT,
+                evaluation_reason=f"S3 bucket has versioning enabled (status: {versioning_status})",
+                config_rule_name=self.rule_name,
+                region=region
+            )
+        else:
+            return ComplianceResult(
+                resource_id=bucket_name,
+                resource_type="AWS::S3::Bucket",
+                compliance_status=ComplianceStatus.NON_COMPLIANT,
+                evaluation_reason=f"S3 bucket does not have versioning enabled (status: {versioning_status})",
+                config_rule_name=self.rule_name,
+                region=region
+            )