PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.3__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

aws_cis_assessment/__init__.py +11 -0
aws_cis_assessment/cli/__init__.py +3 -0
aws_cis_assessment/cli/examples.py +274 -0
aws_cis_assessment/cli/main.py +1259 -0
aws_cis_assessment/cli/utils.py +356 -0
aws_cis_assessment/config/__init__.py +1 -0
aws_cis_assessment/config/config_loader.py +328 -0
aws_cis_assessment/config/rules/cis_controls_ig1.yaml +590 -0
aws_cis_assessment/config/rules/cis_controls_ig2.yaml +412 -0
aws_cis_assessment/config/rules/cis_controls_ig3.yaml +100 -0
aws_cis_assessment/controls/__init__.py +1 -0
aws_cis_assessment/controls/base_control.py +400 -0
aws_cis_assessment/controls/ig1/__init__.py +239 -0
aws_cis_assessment/controls/ig1/control_1_1.py +586 -0
aws_cis_assessment/controls/ig1/control_2_2.py +231 -0
aws_cis_assessment/controls/ig1/control_3_3.py +718 -0
aws_cis_assessment/controls/ig1/control_3_4.py +235 -0
aws_cis_assessment/controls/ig1/control_4_1.py +461 -0
aws_cis_assessment/controls/ig1/control_access_keys.py +310 -0
aws_cis_assessment/controls/ig1/control_advanced_security.py +512 -0
aws_cis_assessment/controls/ig1/control_backup_recovery.py +510 -0
aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py +197 -0
aws_cis_assessment/controls/ig1/control_critical_security.py +422 -0
aws_cis_assessment/controls/ig1/control_data_protection.py +898 -0
aws_cis_assessment/controls/ig1/control_iam_advanced.py +573 -0
aws_cis_assessment/controls/ig1/control_iam_governance.py +493 -0
aws_cis_assessment/controls/ig1/control_iam_policies.py +383 -0
aws_cis_assessment/controls/ig1/control_instance_optimization.py +100 -0
aws_cis_assessment/controls/ig1/control_network_enhancements.py +203 -0
aws_cis_assessment/controls/ig1/control_network_security.py +672 -0
aws_cis_assessment/controls/ig1/control_s3_enhancements.py +173 -0
aws_cis_assessment/controls/ig1/control_s3_security.py +422 -0
aws_cis_assessment/controls/ig1/control_vpc_security.py +235 -0
aws_cis_assessment/controls/ig2/__init__.py +172 -0
aws_cis_assessment/controls/ig2/control_3_10.py +698 -0
aws_cis_assessment/controls/ig2/control_3_11.py +1330 -0
aws_cis_assessment/controls/ig2/control_5_2.py +393 -0
aws_cis_assessment/controls/ig2/control_advanced_encryption.py +355 -0
aws_cis_assessment/controls/ig2/control_codebuild_security.py +263 -0
aws_cis_assessment/controls/ig2/control_encryption_rest.py +382 -0
aws_cis_assessment/controls/ig2/control_encryption_transit.py +382 -0
aws_cis_assessment/controls/ig2/control_network_ha.py +467 -0
aws_cis_assessment/controls/ig2/control_remaining_encryption.py +426 -0
aws_cis_assessment/controls/ig2/control_remaining_rules.py +363 -0
aws_cis_assessment/controls/ig2/control_service_logging.py +402 -0
aws_cis_assessment/controls/ig3/__init__.py +49 -0
aws_cis_assessment/controls/ig3/control_12_8.py +395 -0
aws_cis_assessment/controls/ig3/control_13_1.py +467 -0
aws_cis_assessment/controls/ig3/control_3_14.py +523 -0
aws_cis_assessment/controls/ig3/control_7_1.py +359 -0
aws_cis_assessment/core/__init__.py +1 -0
aws_cis_assessment/core/accuracy_validator.py +425 -0
aws_cis_assessment/core/assessment_engine.py +1266 -0
aws_cis_assessment/core/audit_trail.py +491 -0
aws_cis_assessment/core/aws_client_factory.py +313 -0
aws_cis_assessment/core/error_handler.py +607 -0
aws_cis_assessment/core/models.py +166 -0
aws_cis_assessment/core/scoring_engine.py +459 -0
aws_cis_assessment/reporters/__init__.py +8 -0
aws_cis_assessment/reporters/base_reporter.py +454 -0
aws_cis_assessment/reporters/csv_reporter.py +835 -0
aws_cis_assessment/reporters/html_reporter.py +2162 -0
aws_cis_assessment/reporters/json_reporter.py +561 -0
aws_cis_controls_assessment-1.0.3.dist-info/METADATA +248 -0
aws_cis_controls_assessment-1.0.3.dist-info/RECORD +77 -0
aws_cis_controls_assessment-1.0.3.dist-info/WHEEL +5 -0
aws_cis_controls_assessment-1.0.3.dist-info/entry_points.txt +2 -0
aws_cis_controls_assessment-1.0.3.dist-info/licenses/LICENSE +21 -0
aws_cis_controls_assessment-1.0.3.dist-info/top_level.txt +2 -0
docs/README.md +94 -0
docs/assessment-logic.md +766 -0
docs/cli-reference.md +698 -0
docs/config-rule-mappings.md +393 -0
docs/developer-guide.md +858 -0
docs/installation.md +299 -0
docs/troubleshooting.md +634 -0
docs/user-guide.md +487 -0

aws_cis_assessment/cli/utils.py ADDED Viewed

@@ -0,0 +1,356 @@
+"""Utility functions for the CLI module."""
+import os
+import sys
+from typing import Dict, List, Optional, Any
+from pathlib import Path
+import boto3
+from botocore.exceptions import ClientError, NoCredentialsError
+def get_default_regions() -> List[str]:
+    """Get default AWS regions for assessment.
+    Returns:
+        List of default AWS region names (us-east-1 only)
+    """
+    # Default to us-east-1 only for focused assessment
+    return ['us-east-1']
+def get_all_enabled_regions() -> List[str]:
+    """Get all enabled AWS regions for the current account.
+    Returns:
+        List of all enabled AWS region names
+    """
+    try:
+        ec2 = boto3.client('ec2', region_name='us-east-1')
+        response = ec2.describe_regions()
+        return [region['RegionName'] for region in response['Regions']]
+    except Exception:
+        # Fallback to default regions if unable to query
+        return get_default_regions()
+def get_enabled_regions_for_profile(profile_name: str) -> List[str]:
+    """Get enabled regions for a specific AWS profile.
+    Args:
+        profile_name: Name of the AWS profile
+    Returns:
+        List of enabled region names
+    """
+    try:
+        session = boto3.Session(profile_name=profile_name)
+        ec2 = session.client('ec2', region_name='us-east-1')
+        response = ec2.describe_regions()
+        return [region['RegionName'] for region in response['Regions']]
+    except Exception:
+        return get_default_regions()
+def validate_aws_profile(profile_name: str) -> bool:
+    """Validate that an AWS profile exists and is accessible.
+    Args:
+        profile_name: Name of the AWS profile to validate
+    Returns:
+        True if profile is valid, False otherwise
+    """
+    try:
+        session = boto3.Session(profile_name=profile_name)
+        sts = session.client('sts')
+        sts.get_caller_identity()
+        return True
+    except Exception:
+        return False
+def get_aws_config_path() -> Optional[Path]:
+    """Get the path to AWS configuration directory.
+    Returns:
+        Path to AWS config directory or None if not found
+    """
+    aws_config_dir = Path.home() / '.aws'
+    if aws_config_dir.exists():
+        return aws_config_dir
+    return None
+def list_aws_profiles() -> List[str]:
+    """List available AWS profiles.
+    Returns:
+        List of AWS profile names
+    """
+    profiles = []
+    aws_config_path = get_aws_config_path()
+    if aws_config_path:
+        credentials_file = aws_config_path / 'credentials'
+        config_file = aws_config_path / 'config'
+        # Parse credentials file
+        if credentials_file.exists():
+            profiles.extend(_parse_aws_config_file(credentials_file))
+        # Parse config file
+        if config_file.exists():
+            config_profiles = _parse_aws_config_file(config_file, prefix='profile ')
+            profiles.extend(config_profiles)
+    # Remove duplicates and sort
+    return sorted(list(set(profiles)))
+def _parse_aws_config_file(file_path: Path, prefix: str = '') -> List[str]:
+    """Parse AWS configuration file to extract profile names.
+    Args:
+        file_path: Path to the configuration file
+        prefix: Prefix to remove from profile names (e.g., 'profile ')
+    Returns:
+        List of profile names
+    """
+    profiles = []
+    try:
+        with open(file_path, 'r') as f:
+            for line in f:
+                line = line.strip()
+                if line.startswith('[') and line.endswith(']'):
+                    profile_name = line[1:-1]  # Remove brackets
+                    if prefix and profile_name.startswith(prefix):
+                        profile_name = profile_name[len(prefix):]
+                    if profile_name and profile_name != 'default':
+                        profiles.append(profile_name)
+    except Exception:
+        pass  # Ignore parsing errors
+    return profiles
+def format_duration(duration) -> str:
+    """Format a timedelta duration for display.
+    Args:
+        duration: timedelta object or None
+    Returns:
+        Formatted duration string
+    """
+    if duration is None:
+        return "Unknown"
+    total_seconds = int(duration.total_seconds())
+    hours, remainder = divmod(total_seconds, 3600)
+    minutes, seconds = divmod(remainder, 60)
+    if hours > 0:
+        return f"{hours}h {minutes}m {seconds}s"
+    elif minutes > 0:
+        return f"{minutes}m {seconds}s"
+    else:
+        return f"{seconds}s"
+def format_percentage(value: float, precision: int = 1) -> str:
+    """Format a percentage value for display.
+    Args:
+        value: Percentage value (0-100)
+        precision: Number of decimal places
+    Returns:
+        Formatted percentage string
+    """
+    return f"{value:.{precision}f}%"
+def format_file_size(size_bytes: int) -> str:
+    """Format file size in human-readable format.
+    Args:
+        size_bytes: Size in bytes
+    Returns:
+        Formatted size string
+    """
+    if size_bytes == 0:
+        return "0 B"
+    size_names = ["B", "KB", "MB", "GB", "TB"]
+    i = 0
+    while size_bytes >= 1024 and i < len(size_names) - 1:
+        size_bytes /= 1024.0
+        i += 1
+    return f"{size_bytes:.1f} {size_names[i]}"
+def ensure_output_directory(output_path: str) -> Path:
+    """Ensure output directory exists and return Path object.
+    Args:
+        output_path: Output file or directory path
+    Returns:
+        Path object with directory created
+    """
+    path = Path(output_path)
+    # If it's a file path, get the directory
+    if path.suffix:
+        directory = path.parent
+    else:
+        directory = path
+    # Create directory if it doesn't exist
+    directory.mkdir(parents=True, exist_ok=True)
+    return path
+def get_terminal_width() -> int:
+    """Get terminal width for formatting output.
+    Returns:
+        Terminal width in characters
+    """
+    try:
+        return os.get_terminal_size().columns
+    except OSError:
+        return 80  # Default width
+def truncate_string(text: str, max_length: int, suffix: str = "...") -> str:
+    """Truncate string to maximum length with suffix.
+    Args:
+        text: String to truncate
+        max_length: Maximum length including suffix
+        suffix: Suffix to add when truncating
+    Returns:
+        Truncated string
+    """
+    if len(text) <= max_length:
+        return text
+    return text[:max_length - len(suffix)] + suffix
+def colorize_compliance_status(status: str, percentage: Optional[float] = None) -> str:
+    """Add color codes to compliance status for terminal display.
+    Args:
+        status: Compliance status string
+        percentage: Optional percentage value for color coding
+    Returns:
+        Colorized status string
+    """
+    # ANSI color codes
+    RED = '\033[91m'
+    YELLOW = '\033[93m'
+    GREEN = '\033[92m'
+    RESET = '\033[0m'
+    if percentage is not None:
+        if percentage >= 90:
+            return f"{GREEN}{status}{RESET}"
+        elif percentage >= 70:
+            return f"{YELLOW}{status}{RESET}"
+        else:
+            return f"{RED}{status}{RESET}"
+    # Status-based coloring
+    status_lower = status.lower()
+    if 'compliant' in status_lower and 'non' not in status_lower:
+        return f"{GREEN}{status}{RESET}"
+    elif 'non_compliant' in status_lower or 'failed' in status_lower:
+        return f"{RED}{status}{RESET}"
+    elif 'error' in status_lower or 'warning' in status_lower:
+        return f"{YELLOW}{status}{RESET}"
+    return status
+def is_tty() -> bool:
+    """Check if output is going to a terminal (TTY).
+    Returns:
+        True if output is to a terminal, False otherwise
+    """
+    return sys.stdout.isatty()
+def get_config_file_path(config_path: Optional[str], filename: str) -> Path:
+    """Get full path to a configuration file.
+    Args:
+        config_path: Base configuration directory path
+        filename: Configuration filename
+    Returns:
+        Full path to configuration file
+    """
+    if config_path:
+        base_path = Path(config_path)
+    else:
+        # Use package default
+        from aws_cis_assessment.config import config_loader
+        base_path = Path(config_loader.__file__).parent / 'rules'
+    return base_path / filename
+def validate_output_format(formats: List[str]) -> List[str]:
+    """Validate and normalize output format list.
+    Args:
+        formats: List of output format strings
+    Returns:
+        List of validated format strings
+    Raises:
+        ValueError: If any format is invalid
+    """
+    valid_formats = ['json', 'html', 'csv']
+    normalized_formats = []
+    for fmt in formats:
+        fmt_lower = fmt.lower()
+        if fmt_lower not in valid_formats:
+            raise ValueError(f"Invalid output format: {fmt}. Valid formats: {', '.join(valid_formats)}")
+        normalized_formats.append(fmt_lower)
+    return normalized_formats
+def create_progress_bar(current: int, total: int, width: int = 50,
+                       fill_char: str = '█', empty_char: str = '░') -> str:
+    """Create a text-based progress bar.
+    Args:
+        current: Current progress value
+        total: Total progress value
+        width: Width of progress bar in characters
+        fill_char: Character for filled portion
+        empty_char: Character for empty portion
+    Returns:
+        Progress bar string
+    """
+    if total == 0:
+        return empty_char * width
+    filled_width = int(width * current / total)
+    return fill_char * filled_width + empty_char * (width - filled_width)

aws_cis_assessment/config/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ """Configuration management for CIS Controls and AWS Config rule mappings."""

aws_cis_assessment/config/config_loader.py ADDED Viewed

@@ -0,0 +1,328 @@
+"""Configuration loader for CIS Controls and AWS Config rule mappings."""
+import os
+import yaml
+from typing import Dict, List, Optional
+from pathlib import Path
+from aws_cis_assessment.core.models import ConfigRule, CISControl, ImplementationGroup
+class ConfigRuleLoader:
+    """Load and parse AWS Config rule specifications for CIS Controls."""
+    def __init__(self, config_path: Optional[str] = None):
+        """Initialize with path to CIS Controls configuration files.
+        Args:
+            config_path: Path to configuration directory. If None, uses package default.
+        """
+        if config_path is None:
+            # Use package default configuration path
+            package_dir = Path(__file__).parent
+            self.config_path = package_dir / "rules"
+        else:
+            self.config_path = Path(config_path)
+        self._config_cache = {}
+        self._rules_cache = {}
+    def load_rules_for_ig(self, implementation_group: str) -> Dict[str, List[ConfigRule]]:
+        """Load all Config rules for specified Implementation Group.
+        Args:
+            implementation_group: IG1, IG2, or IG3
+        Returns:
+            Dictionary mapping control IDs to lists of ConfigRule objects
+        Raises:
+            ValueError: If implementation group is invalid
+            FileNotFoundError: If configuration file not found
+        """
+        if implementation_group not in [ig.value for ig in ImplementationGroup]:
+            raise ValueError(f"Invalid implementation group: {implementation_group}")
+        # Check cache first
+        cache_key = f"rules_{implementation_group}"
+        if cache_key in self._rules_cache:
+            return self._rules_cache[cache_key]
+        # Load configuration file
+        config_file = self.config_path / f"cis_controls_{implementation_group.lower()}.yaml"
+        if not config_file.exists():
+            raise FileNotFoundError(f"Configuration file not found: {config_file}")
+        with open(config_file, 'r', encoding='utf-8') as f:
+            config_data = yaml.safe_load(f)
+        # Parse configuration into ConfigRule objects
+        rules_by_control = {}
+        if 'controls' in config_data:
+            for control_id, control_data in config_data['controls'].items():
+                config_rules = []
+                if 'config_rules' in control_data:
+                    for rule_data in control_data['config_rules']:
+                        config_rule = ConfigRule(
+                            name=rule_data['name'],
+                            control_id=control_id,
+                            resource_types=rule_data.get('resource_types', []),
+                            parameters=rule_data.get('parameters', {}),
+                            implementation_group=implementation_group,
+                            description=rule_data.get('description', ''),
+                            remediation_guidance=rule_data.get('remediation_guidance', '')
+                        )
+                        config_rules.append(config_rule)
+                if config_rules:
+                    rules_by_control[control_id] = config_rules
+        # Cache results
+        self._rules_cache[cache_key] = rules_by_control
+        return rules_by_control
+    def get_rule_by_name(self, rule_name: str) -> Optional[ConfigRule]:
+        """Get specific Config rule definition by name.
+        Args:
+            rule_name: Name of the AWS Config rule
+        Returns:
+            ConfigRule object if found, None otherwise
+        """
+        # Search through all implementation groups
+        for ig in ImplementationGroup:
+            rules_by_control = self.load_rules_for_ig(ig.value)
+            for control_rules in rules_by_control.values():
+                for rule in control_rules:
+                    if rule.name == rule_name:
+                        return rule
+        return None
+    def get_all_controls(self) -> Dict[str, CISControl]:
+        """Get all CIS Controls across all Implementation Groups.
+        Returns:
+            Dictionary mapping control IDs to CISControl objects
+        """
+        all_controls = {}
+        for ig in ImplementationGroup:
+            rules_by_control = self.load_rules_for_ig(ig.value)
+            # Load control metadata
+            config_file = self.config_path / f"cis_controls_{ig.value.lower()}.yaml"
+            with open(config_file, 'r', encoding='utf-8') as f:
+                config_data = yaml.safe_load(f)
+            if 'controls' in config_data:
+                for control_id, control_data in config_data['controls'].items():
+                    # Create unique key for each IG-control combination
+                    unique_key = f"{ig.value}_{control_id}"
+                    control = CISControl(
+                        control_id=control_id,
+                        title=control_data.get('title', ''),
+                        implementation_group=ig.value,
+                        config_rules=rules_by_control.get(control_id, []),
+                        weight=control_data.get('weight', 1.0)
+                    )
+                    all_controls[unique_key] = control
+        return all_controls
+    def validate_configuration(self) -> List[str]:
+        """Validate configuration files and return any errors.
+        Returns:
+            List of validation error messages
+        """
+        errors = []
+        for ig in ImplementationGroup:
+            config_file = self.config_path / f"cis_controls_{ig.value.lower()}.yaml"
+            if not config_file.exists():
+                errors.append(f"Missing configuration file: {config_file}")
+                continue
+            try:
+                with open(config_file, 'r', encoding='utf-8') as f:
+                    config_data = yaml.safe_load(f)
+                # Validate structure
+                if not isinstance(config_data, dict):
+                    errors.append(f"Invalid YAML structure in {config_file}")
+                    continue
+                if 'controls' not in config_data:
+                    errors.append(f"Missing 'controls' section in {config_file}")
+                    continue
+                # Validate each control
+                for control_id, control_data in config_data['controls'].items():
+                    if not isinstance(control_data, dict):
+                        errors.append(f"Invalid control data for {control_id} in {config_file}")
+                        continue
+                    if 'title' not in control_data:
+                        errors.append(f"Missing title for control {control_id} in {config_file}")
+                    if 'config_rules' in control_data:
+                        for i, rule_data in enumerate(control_data['config_rules']):
+                            if not isinstance(rule_data, dict):
+                                errors.append(f"Invalid rule data at index {i} for control {control_id}")
+                                continue
+                            if 'name' not in rule_data:
+                                errors.append(f"Missing rule name at index {i} for control {control_id}")
+                            if 'resource_types' not in rule_data:
+                                errors.append(f"Missing resource_types for rule at index {i} for control {control_id}")
+            except yaml.YAMLError as e:
+                errors.append(f"YAML parsing error in {config_file}: {e}")
+            except Exception as e:
+                errors.append(f"Error validating {config_file}: {e}")
+        return errors
+    def get_rules_count_by_ig(self) -> Dict[str, int]:
+        """Get count of Config rules by Implementation Group.
+        Returns:
+            Dictionary mapping IG names to rule counts
+        """
+        counts = {}
+        for ig in ImplementationGroup:
+            try:
+                rules_by_control = self.load_rules_for_ig(ig.value)
+                total_rules = sum(len(rules) for rules in rules_by_control.values())
+                counts[ig.value] = total_rules
+            except (FileNotFoundError, ValueError):
+                counts[ig.value] = 0
+        return counts
+    def get_assessment_statistics(self, implementation_groups: Optional[List[str]] = None,
+                                controls: Optional[List[str]] = None,
+                                regions: Optional[List[str]] = None) -> Dict[str, any]:
+        """Get assessment statistics based on specified criteria.
+        Args:
+            implementation_groups: List of IGs to include (default: all)
+            controls: List of specific control IDs to include
+            regions: List of regions to include (for estimation)
+        Returns:
+            Dictionary containing assessment statistics
+        """
+        # Default to all IGs if none specified
+        if implementation_groups is None:
+            implementation_groups = [ig.value for ig in ImplementationGroup]
+        # Default regions for estimation
+        if regions is None:
+            from aws_cis_assessment.cli.utils import get_default_regions
+            regions = get_default_regions()
+        stats = {
+            'total_controls': 0,
+            'total_config_rules': 0,
+            'total_regions': len(regions),
+            'estimated_assessments': 0,
+            'by_implementation_group': {},
+            'by_service': {},
+            'resource_types': set()
+        }
+        # Get all controls
+        all_controls = self.get_all_controls()
+        # Filter controls based on criteria
+        filtered_controls = {}
+        for control_id, control in all_controls.items():
+            # Filter by implementation group
+            if control.implementation_group not in implementation_groups:
+                continue
+            # Filter by specific controls
+            if controls and control_id not in controls:
+                continue
+            filtered_controls[control_id] = control
+        # Calculate statistics
+        stats['total_controls'] = len(filtered_controls)
+        for control_id, control in filtered_controls.items():
+            ig = control.implementation_group
+            # Initialize IG stats if needed
+            if ig not in stats['by_implementation_group']:
+                stats['by_implementation_group'][ig] = {
+                    'controls': 0,
+                    'config_rules': 0
+                }
+            # Count controls and rules
+            stats['by_implementation_group'][ig]['controls'] += 1
+            stats['by_implementation_group'][ig]['config_rules'] += len(control.config_rules)
+            stats['total_config_rules'] += len(control.config_rules)
+            # Count by service and resource types
+            for rule in control.config_rules:
+                # Extract service from rule name (heuristic)
+                service = self._extract_service_from_rule(rule.name)
+                if service:
+                    stats['by_service'][service] = stats['by_service'].get(service, 0) + 1
+                # Add resource types
+                stats['resource_types'].update(rule.resource_types)
+        # Estimate total assessments (rules * regions)
+        stats['estimated_assessments'] = stats['total_config_rules'] * len(regions)
+        # Convert set to list for JSON serialization
+        stats['resource_types'] = sorted(list(stats['resource_types']))
+        return stats
+    def _extract_service_from_rule(self, rule_name: str) -> Optional[str]:
+        """Extract AWS service name from Config rule name.
+        Args:
+            rule_name: AWS Config rule name
+        Returns:
+            Service name if identifiable, None otherwise
+        """
+        # Common service prefixes in Config rule names
+        service_prefixes = {
+            'ec2-': 'EC2',
+            'iam-': 'IAM',
+            's3-': 'S3',
+            'rds-': 'RDS',
+            'vpc-': 'VPC',
+            'elb-': 'ELB',
+            'alb-': 'ALB',
+            'api-gw-': 'API Gateway',
+            'cloudtrail-': 'CloudTrail',
+            'guardduty-': 'GuardDuty',
+            'dynamodb-': 'DynamoDB',
+            'redshift-': 'Redshift',
+            'secretsmanager-': 'Secrets Manager',
+            'backup-': 'Backup',
+            'ecr-': 'ECR'
+        }
+        rule_lower = rule_name.lower()
+        for prefix, service in service_prefixes.items():
+            if rule_lower.startswith(prefix):
+                return service
+        return 'Other'