aws-cis-controls-assessment 1.0.3__py3-none-any.whl

aws_cis_assessment/config/rules/cis_controls_ig2.yaml

@@ -0,0 +1,412 @@
+implementation_group: IG2
+total_rules: 58
+description: Enhanced security for enterprises with regulatory compliance burdens
+controls:
+  '11.4':
+    title: Control 11.4
+    weight: 1.0
+    config_rules:
+    - name: elb-deletion-protection-enabled
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: Assessment for elb-deletion-protection-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elb-deletion-protection-enabled
+    - name: rds-instance-deletion-protection-enabled
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: Assessment for rds-instance-deletion-protection-enabled AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for rds-instance-deletion-protection-enabled
+  '12.2':
+    title: Control 12.2
+    weight: 1.0
+    config_rules:
+    - name: elb-cross-zone-load-balancing-enabled
+      resource_types:
+      - AWS::ElasticLoadBalancing::LoadBalancer
+      parameters: {}
+      description: Assessment for elb-cross-zone-load-balancing-enabled AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for elb-cross-zone-load-balancing-enabled
+    - name: elbv2-multiple-az
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: Assessment for elbv2-multiple-az AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elbv2-multiple-az
+    - name: rds-cluster-multi-az-enabled
+      resource_types:
+      - AWS::RDS::DBCluster
+      parameters: {}
+      description: Assessment for rds-cluster-multi-az-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for rds-cluster-multi-az-enabled
+    - name: rds-multi-az-support
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: Assessment for rds-multi-az-support AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for rds-multi-az-support
+    - name: vpc-vpn-2-tunnels-up
+      resource_types:
+      - AWS::EC2::VPNConnection
+      parameters: {}
+      description: Assessment for vpc-vpn-2-tunnels-up AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for vpc-vpn-2-tunnels-up
+    - name: dynamodb-autoscaling-enabled
+      resource_types:
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: Assessment for dynamodb-autoscaling-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for dynamodb-autoscaling-enabled
+  '3.10':
+    title: Encrypt Sensitive Data in Transit
+    weight: 1.0
+    config_rules:
+    - name: api-gw-ssl-enabled
+      resource_types:
+      - AWS::ApiGateway::Stage
+      parameters: {}
+      description: Assessment for api-gw-ssl-enabled Config rule - ensures API Gateway
+        stages have SSL certificates.
+      remediation_guidance: Follow AWS Config rule guidance for api-gw-ssl-enabled
+    - name: alb-http-to-https-redirection-check
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: Assessment for alb-http-to-https-redirection-check Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection-check
+    - name: elb-tls-https-listeners-only
+      resource_types:
+      - AWS::ElasticLoadBalancing::LoadBalancer
+      parameters: {}
+      description: Assessment for elb-tls-https-listeners-only Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elb-tls-https-listeners-only
+    - name: s3-bucket-ssl-requests-only
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: Assessment for s3-bucket-ssl-requests-only Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for s3-bucket-ssl-requests-only
+    - name: redshift-require-tls-ssl
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: Assessment for redshift-require-tls-ssl Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for redshift-require-tls-ssl
+    - name: elb-acm-certificate-required
+      resource_types:
+      - AWS::ElasticLoadBalancing::LoadBalancer
+      parameters: {}
+      description: Assessment for elb-acm-certificate-required Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elb-acm-certificate-required
+    - name: elbv2-acm-certificate-required
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: Assessment for elbv2-acm-certificate-required Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elbv2-acm-certificate-required
+    - name: opensearch-https-required
+      resource_types:
+      - AWS::OpenSearch::Domain
+      parameters: {}
+      description: Assessment for opensearch-https-required Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for opensearch-https-required
+    - name: opensearch-node-to-node-encryption-check
+      resource_types:
+      - AWS::OpenSearch::Domain
+      parameters: {}
+      description: Assessment for opensearch-node-to-node-encryption-check AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for opensearch-node-to-node-encryption-check
+  '3.11':
+    title: Encrypt Sensitive Data at Rest
+    weight: 1.0
+    config_rules:
+    - name: secretsmanager-using-cmk
+      resource_types:
+      - AWS::SecretsManager::Secret
+      parameters: {}
+      description: Assessment for secretsmanager-using-cmk AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for secretsmanager-using-cmk
+    - name: sns-encrypted-kms
+      resource_types:
+      - AWS::SNS::Topic
+      parameters: {}
+      description: Assessment for sns-encrypted-kms AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for sns-encrypted-kms
+    - name: sqs-queue-encrypted-kms
+      resource_types:
+      - AWS::SQS::Queue
+      parameters: {}
+      description: Assessment for sqs-queue-encrypted-kms AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for sqs-queue-encrypted-kms
+    - name: kinesis-stream-encrypted
+      resource_types:
+      - AWS::Kinesis::Stream
+      parameters: {}
+      description: Assessment for kinesis-stream-encrypted AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for kinesis-stream-encrypted
+    - name: elasticsearch-encrypted-at-rest
+      resource_types:
+      - AWS::Elasticsearch::Domain
+      parameters: {}
+      description: Assessment for elasticsearch-encrypted-at-rest AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elasticsearch-encrypted-at-rest
+    - name: encrypted-volumes
+      resource_types:
+      - AWS::EC2::Volume
+      parameters: {}
+      description: Assessment for encrypted-volumes Config rule - ensures EBS volumes
+        are encrypted.
+      remediation_guidance: Follow AWS Config rule guidance for encrypted-volumes
+    - name: rds-storage-encrypted
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: Assessment for rds-storage-encrypted Config rule - ensures RDS
+        instances have storage encryption.
+      remediation_guidance: Follow AWS Config rule guidance for rds-storage-encrypted
+    - name: s3-default-encryption-kms
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: Assessment for s3-default-encryption-kms Config rule - ensures
+        S3 buckets have default KMS encryption.
+      remediation_guidance: Follow AWS Config rule guidance for s3-default-encryption-kms
+    - name: dynamodb-table-encrypted-kms
+      resource_types:
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: Assessment for dynamodb-table-encrypted-kms Config rule - ensures
+        DynamoDB tables are encrypted with KMS.
+      remediation_guidance: Follow AWS Config rule guidance for dynamodb-table-encrypted-kms
+    - name: backup-recovery-point-encrypted
+      resource_types:
+      - AWS::Backup::RecoveryPoint
+      parameters: {}
+      description: Assessment for backup-recovery-point-encrypted Config rule - ensures
+        AWS Backup recovery points are encrypted.
+      remediation_guidance: Follow AWS Config rule guidance for backup-recovery-point-encrypted
+    - name: efs-encrypted-check
+      resource_types:
+      - AWS::EFS::FileSystem
+      parameters: {}
+      description: Assessment for efs-encrypted-check Config rule - ensures EFS file
+        systems are encrypted.
+      remediation_guidance: Follow AWS Config rule guidance for efs-encrypted-check
+    - name: secretsmanager-using-cmk
+      resource_types:
+      - AWS::SecretsManager::Secret
+      parameters: {}
+      description: Assessment for secretsmanager-using-cmk Config rule - ensures Secrets
+        Manager secrets use KMS keys.
+      remediation_guidance: Follow AWS Config rule guidance for secretsmanager-using-cmk
+    - name: sns-encrypted-kms
+      resource_types:
+      - AWS::SNS::Topic
+      parameters: {}
+      description: Assessment for sns-encrypted-kms Config rule - ensures SNS topics
+        are encrypted with KMS.
+      remediation_guidance: Follow AWS Config rule guidance for sns-encrypted-kms
+    - name: sqs-queue-encrypted-kms
+      resource_types:
+      - AWS::SQS::Queue
+      parameters: {}
+      description: Assessment for sqs-queue-encrypted-kms Config rule - ensures SQS
+        queues are encrypted with KMS.
+      remediation_guidance: Follow AWS Config rule guidance for sqs-queue-encrypted-kms
+    - name: cloudwatch-log-group-encrypted
+      resource_types:
+      - AWS::Logs::LogGroup
+      parameters: {}
+      description: Assessment for cloudwatch-log-group-encrypted Config rule - ensures
+        CloudWatch log groups are encrypted.
+      remediation_guidance: Follow AWS Config rule guidance for cloudwatch-log-group-encrypted
+    - name: kinesis-stream-encrypted
+      resource_types:
+      - AWS::Kinesis::Stream
+      parameters: {}
+      description: Assessment for kinesis-stream-encrypted Config rule - ensures Kinesis
+        streams are encrypted.
+      remediation_guidance: Follow AWS Config rule guidance for kinesis-stream-encrypted
+    - name: elasticsearch-encrypted-at-rest
+      resource_types:
+      - AWS::Elasticsearch::Domain
+      parameters: {}
+      description: Assessment for elasticsearch-encrypted-at-rest Config rule - ensures
+        Elasticsearch domains are encrypted at rest.
+      remediation_guidance: Follow AWS Config rule guidance for elasticsearch-encrypted-at-rest
+    - name: cloud-trail-encryption-enabled
+      resource_types:
+      - AWS::CloudTrail::Trail
+      parameters: {}
+      description: Assessment for cloud-trail-encryption-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for cloud-trail-encryption-enabled
+    - name: efs-encrypted-check
+      resource_types:
+      - AWS::EFS::FileSystem
+      parameters: {}
+      description: Assessment for efs-encrypted-check Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for efs-encrypted-check
+    - name: ec2-ebs-encryption-by-default
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: Assessment for ec2-ebs-encryption-by-default Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for ec2-ebs-encryption-by-default
+    - name: rds-snapshot-encrypted
+      resource_types:
+      - AWS::RDS::DBSnapshot
+      - AWS::RDS::DBClusterSnapshot
+      parameters: {}
+      description: Assessment for rds-snapshot-encrypted Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for rds-snapshot-encrypted
+    - name: opensearch-encrypted-at-rest
+      resource_types:
+      - AWS::OpenSearch::Domain
+      parameters: {}
+      description: Assessment for opensearch-encrypted-at-rest AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for opensearch-encrypted-at-rest
+    - name: redshift-cluster-kms-enabled
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: Assessment for redshift-cluster-kms-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for redshift-cluster-kms-enabled
+    - name: sagemaker-endpoint-configuration-kms-key-configured
+      resource_types:
+      - AWS::SageMaker::EndpointConfig
+      parameters: {}
+      description: Assessment for sagemaker-endpoint-configuration-kms-key-configured
+        AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for sagemaker-endpoint-configuration-kms-key-configured
+    - name: sagemaker-notebook-instance-kms-key-configured
+      resource_types:
+      - AWS::SageMaker::NotebookInstance
+      parameters: {}
+      description: Assessment for sagemaker-notebook-instance-kms-key-configured AWS
+        Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for sagemaker-notebook-instance-kms-key-configured
+    - name: codebuild-project-artifact-encryption
+      resource_types:
+      - AWS::CodeBuild::Project
+      parameters: {}
+      description: Assessment for codebuild-project-artifact-encryption AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for codebuild-project-artifact-encryption
+  '3.3':
+    title: Configure Data Access Control Lists
+    weight: 1.0
+    config_rules:
+    - name: redshift-enhanced-vpc-routing-enabled
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: Assessment for redshift-enhanced-vpc-routing-enabled AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for redshift-enhanced-vpc-routing-enabled
+    - name: restricted-common-ports
+      resource_types:
+      - AWS::EC2::SecurityGroup
+      parameters: {}
+      description: Assessment for restricted-common-ports AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for restricted-common-ports
+    - name: codebuild-project-environment-privileged-check
+      resource_types:
+      - AWS::CodeBuild::Project
+      parameters: {}
+      description: Assessment for codebuild-project-environment-privileged-check AWS
+        Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for codebuild-project-environment-privileged-check
+    - name: codebuild-project-envvar-awscred-check
+      resource_types:
+      - AWS::CodeBuild::Project
+      parameters: {}
+      description: Assessment for codebuild-project-envvar-awscred-check AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for codebuild-project-envvar-awscred-check
+    - name: codebuild-project-source-repo-url-check
+      resource_types:
+      - AWS::CodeBuild::Project
+      parameters: {}
+      description: Assessment for codebuild-project-source-repo-url-check AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for codebuild-project-source-repo-url-check
+  '4.1':
+    title: Establish and Maintain a Secure Configuration Process
+    weight: 1.0
+    config_rules:
+    - name: acm-certificate-expiration-check
+      resource_types:
+      - AWS::ACM::Certificate
+      parameters: {}
+      description: Assessment for acm-certificate-expiration-check AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for acm-certificate-expiration-check
+  '5.2':
+    title: Use Unique Passwords
+    weight: 1.0
+    config_rules:
+    - name: mfa-enabled-for-iam-console-access
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: Assessment for mfa-enabled-for-iam-console-access Config rule -
+        ensures MFA for console access.
+      remediation_guidance: Follow AWS Config rule guidance for mfa-enabled-for-iam-console-access
+    - name: root-account-mfa-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: Assessment for root-account-mfa-enabled Config rule - ensures root
+        account has MFA.
+      remediation_guidance: Follow AWS Config rule guidance for root-account-mfa-enabled
+    - name: iam-user-unused-credentials-check
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: Assessment for iam-user-unused-credentials-check Config rule -
+        identifies unused credentials.
+      remediation_guidance: Follow AWS Config rule guidance for iam-user-unused-credentials-check
+  '8.2':
+    title: Control 8.2
+    weight: 1.0
+    config_rules:
+    - name: elasticsearch-logs-to-cloudwatch
+      resource_types:
+      - AWS::Elasticsearch::Domain
+      parameters: {}
+      description: Assessment for elasticsearch-logs-to-cloudwatch AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elasticsearch-logs-to-cloudwatch
+    - name: elb-logging-enabled
+      resource_types:
+      - AWS::ElasticLoadBalancing::LoadBalancer
+      parameters: {}
+      description: Assessment for elb-logging-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for elb-logging-enabled
+    - name: rds-logging-enabled
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: Assessment for rds-logging-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for rds-logging-enabled
+    - name: wafv2-logging-enabled
+      resource_types:
+      - AWS::WAFv2::WebACL
+      parameters: {}
+      description: Assessment for wafv2-logging-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for wafv2-logging-enabled
+    - name: codebuild-project-logging-enabled
+      resource_types:
+      - AWS::CodeBuild::Project
+      parameters: {}
+      description: Assessment for codebuild-project-logging-enabled AWS Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for codebuild-project-logging-enabled
+    - name: redshift-cluster-configuration-check
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: Assessment for redshift-cluster-configuration-check AWS Config
+        rule.
+      remediation_guidance: Follow AWS Config rule guidance for redshift-cluster-configuration-check

aws_cis_assessment/config/rules/cis_controls_ig3.yaml

@@ -0,0 +1,100 @@
+implementation_group: IG3
+total_rules: 13
+description: Advanced security for enterprises with high-risk environments
+controls:
+  '12.8':
+    title: Establish and Maintain Dedicated Computing Resources for All Administrative
+      Work
+    weight: 1.0
+    config_rules:
+    - name: api-gw-associated-with-waf
+      resource_types:
+      - AWS::ApiGateway::Stage
+      parameters: {}
+      description: Assessment for api-gw-associated-with-waf Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for api-gw-associated-with-waf
+    - name: vpc-sg-open-only-to-authorized-ports
+      resource_types:
+      - AWS::EC2::SecurityGroup
+      parameters: {}
+      description: Assessment for vpc-sg-open-only-to-authorized-ports Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for vpc-sg-open-only-to-authorized-ports
+    - name: no-unrestricted-route-to-igw
+      resource_types:
+      - AWS::EC2::RouteTable
+      parameters: {}
+      description: Assessment for no-unrestricted-route-to-igw Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for no-unrestricted-route-to-igw
+  '13.1':
+    title: Centralize Security Event Alerting
+    weight: 1.0
+    config_rules:
+    - name: restricted-incoming-traffic
+      resource_types:
+      - AWS::EC2::SecurityGroup
+      parameters: {}
+      description: Assessment for restricted-incoming-traffic Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for restricted-incoming-traffic
+    - name: incoming-ssh-disabled
+      resource_types:
+      - AWS::EC2::SecurityGroup
+      parameters: {}
+      description: Assessment for incoming-ssh-disabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for incoming-ssh-disabled
+    - name: vpc-flow-logs-enabled
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: Assessment for VPC Flow Logs enabled for network monitoring.
+      remediation_guidance: Follow AWS Config rule guidance for vpc-flow-logs-enabled
+  '3.14':
+    title: Log Sensitive Data Access
+    weight: 1.0
+    config_rules:
+    - name: api-gw-execution-logging-enabled
+      resource_types:
+      - AWS::ApiGateway::Stage
+      parameters: {}
+      description: Assessment for api-gw-execution-logging-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for api-gw-execution-logging-enabled
+    - name: cloudtrail-s3-dataevents-enabled
+      resource_types:
+      - AWS::CloudTrail::Trail
+      parameters: {}
+      description: Assessment for cloudtrail-s3-dataevents-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for cloudtrail-s3-dataevents-enabled
+    - name: multi-region-cloudtrail-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: Assessment for multi-region-cloudtrail-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for multi-region-cloudtrail-enabled
+    - name: cloud-trail-cloud-watch-logs-enabled
+      resource_types:
+      - AWS::CloudTrail::Trail
+      parameters: {}
+      description: Assessment for cloud-trail-cloud-watch-logs-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for cloud-trail-cloud-watch-logs-enabled
+  '7.1':
+    title: Establish and Maintain a Vulnerability Management Process
+    weight: 1.0
+    config_rules:
+    - name: ecr-private-image-scanning-enabled
+      resource_types:
+      - AWS::ECR::Repository
+      parameters: {}
+      description: Assessment for ecr-private-image-scanning-enabled Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for ecr-private-image-scanning-enabled
+    - name: guardduty-enabled-centralized
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: Assessment for guardduty-enabled-centralized Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for guardduty-enabled-centralized
+    - name: ec2-managedinstance-patch-compliance-status-check
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: Assessment for ec2-managedinstance-patch-compliance-status-check
+        Config rule.
+      remediation_guidance: Follow AWS Config rule guidance for ec2-managedinstance-patch-compliance-status-check

aws_cis_assessment/controls/__init__.py

@@ -0,0 +1 @@
+"""CIS Controls assessment implementations based on AWS Config rules."""