PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.3__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.3__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

aws_cis_assessment/__init__.py +11 -0
aws_cis_assessment/cli/__init__.py +3 -0
aws_cis_assessment/cli/examples.py +274 -0
aws_cis_assessment/cli/main.py +1259 -0
aws_cis_assessment/cli/utils.py +356 -0
aws_cis_assessment/config/__init__.py +1 -0
aws_cis_assessment/config/config_loader.py +328 -0
aws_cis_assessment/config/rules/cis_controls_ig1.yaml +590 -0
aws_cis_assessment/config/rules/cis_controls_ig2.yaml +412 -0
aws_cis_assessment/config/rules/cis_controls_ig3.yaml +100 -0
aws_cis_assessment/controls/__init__.py +1 -0
aws_cis_assessment/controls/base_control.py +400 -0
aws_cis_assessment/controls/ig1/__init__.py +239 -0
aws_cis_assessment/controls/ig1/control_1_1.py +586 -0
aws_cis_assessment/controls/ig1/control_2_2.py +231 -0
aws_cis_assessment/controls/ig1/control_3_3.py +718 -0
aws_cis_assessment/controls/ig1/control_3_4.py +235 -0
aws_cis_assessment/controls/ig1/control_4_1.py +461 -0
aws_cis_assessment/controls/ig1/control_access_keys.py +310 -0
aws_cis_assessment/controls/ig1/control_advanced_security.py +512 -0
aws_cis_assessment/controls/ig1/control_backup_recovery.py +510 -0
aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py +197 -0
aws_cis_assessment/controls/ig1/control_critical_security.py +422 -0
aws_cis_assessment/controls/ig1/control_data_protection.py +898 -0
aws_cis_assessment/controls/ig1/control_iam_advanced.py +573 -0
aws_cis_assessment/controls/ig1/control_iam_governance.py +493 -0
aws_cis_assessment/controls/ig1/control_iam_policies.py +383 -0
aws_cis_assessment/controls/ig1/control_instance_optimization.py +100 -0
aws_cis_assessment/controls/ig1/control_network_enhancements.py +203 -0
aws_cis_assessment/controls/ig1/control_network_security.py +672 -0
aws_cis_assessment/controls/ig1/control_s3_enhancements.py +173 -0
aws_cis_assessment/controls/ig1/control_s3_security.py +422 -0
aws_cis_assessment/controls/ig1/control_vpc_security.py +235 -0
aws_cis_assessment/controls/ig2/__init__.py +172 -0
aws_cis_assessment/controls/ig2/control_3_10.py +698 -0
aws_cis_assessment/controls/ig2/control_3_11.py +1330 -0
aws_cis_assessment/controls/ig2/control_5_2.py +393 -0
aws_cis_assessment/controls/ig2/control_advanced_encryption.py +355 -0
aws_cis_assessment/controls/ig2/control_codebuild_security.py +263 -0
aws_cis_assessment/controls/ig2/control_encryption_rest.py +382 -0
aws_cis_assessment/controls/ig2/control_encryption_transit.py +382 -0
aws_cis_assessment/controls/ig2/control_network_ha.py +467 -0
aws_cis_assessment/controls/ig2/control_remaining_encryption.py +426 -0
aws_cis_assessment/controls/ig2/control_remaining_rules.py +363 -0
aws_cis_assessment/controls/ig2/control_service_logging.py +402 -0
aws_cis_assessment/controls/ig3/__init__.py +49 -0
aws_cis_assessment/controls/ig3/control_12_8.py +395 -0
aws_cis_assessment/controls/ig3/control_13_1.py +467 -0
aws_cis_assessment/controls/ig3/control_3_14.py +523 -0
aws_cis_assessment/controls/ig3/control_7_1.py +359 -0
aws_cis_assessment/core/__init__.py +1 -0
aws_cis_assessment/core/accuracy_validator.py +425 -0
aws_cis_assessment/core/assessment_engine.py +1266 -0
aws_cis_assessment/core/audit_trail.py +491 -0
aws_cis_assessment/core/aws_client_factory.py +313 -0
aws_cis_assessment/core/error_handler.py +607 -0
aws_cis_assessment/core/models.py +166 -0
aws_cis_assessment/core/scoring_engine.py +459 -0
aws_cis_assessment/reporters/__init__.py +8 -0
aws_cis_assessment/reporters/base_reporter.py +454 -0
aws_cis_assessment/reporters/csv_reporter.py +835 -0
aws_cis_assessment/reporters/html_reporter.py +2162 -0
aws_cis_assessment/reporters/json_reporter.py +561 -0
aws_cis_controls_assessment-1.0.3.dist-info/METADATA +248 -0
aws_cis_controls_assessment-1.0.3.dist-info/RECORD +77 -0
aws_cis_controls_assessment-1.0.3.dist-info/WHEEL +5 -0
aws_cis_controls_assessment-1.0.3.dist-info/entry_points.txt +2 -0
aws_cis_controls_assessment-1.0.3.dist-info/licenses/LICENSE +21 -0
aws_cis_controls_assessment-1.0.3.dist-info/top_level.txt +2 -0
docs/README.md +94 -0
docs/assessment-logic.md +766 -0
docs/cli-reference.md +698 -0
docs/config-rule-mappings.md +393 -0
docs/developer-guide.md +858 -0
docs/installation.md +299 -0
docs/troubleshooting.md +634 -0
docs/user-guide.md +487 -0

docs/user-guide.md ADDED Viewed

@@ -0,0 +1,487 @@
+# User Guide
+This comprehensive guide covers how to use the AWS CIS Controls Compliance Assessment Framework effectively - a production-ready, enterprise-grade solution with complete CIS Controls coverage.
+## Production Framework Overview
+**✅ Complete Implementation**
+- 136 AWS Config rules implemented (131 CIS Controls + 5 bonus security rules)
+- 100% coverage across all Implementation Groups (IG1, IG2, IG3)
+- Production-tested architecture with enterprise-grade error handling
+- Ready for immediate deployment in production environments
+## Table of Contents
+1. [Quick Start](#quick-start)
+2. [Basic Usage](#basic-usage)
+3. [Assessment Options](#assessment-options)
+4. [Output Formats](#output-formats)
+5. [Advanced Features](#advanced-features)
+6. [Best Practices](#best-practices)
+7. [Common Workflows](#common-workflows)
+## Quick Start
+### Your First Assessment
+```bash
+# Run a basic assessment with default settings
+aws-cis-assess assess
+# This will:
+# - Assess all Implementation Groups (IG1, IG2, IG3)
+# - Use all enabled AWS regions
+# - Generate a JSON report
+# - Use default AWS credentials
+```
+### Quick IG1 Assessment
+```bash
+# Focus on essential controls only
+aws-cis-assess assess --implementation-groups IG1 --regions us-east-1
+```
+### Generate HTML Report
+```bash
+# Create an interactive web report
+aws-cis-assess assess --output-format html --output-file compliance-report.html
+```
+## Basic Usage
+### Command Structure
+```bash
+aws-cis-assess [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS]
+```
+### Global Options
+- `--verbose, -v`: Enable verbose output
+- `--debug`: Enable debug logging
+- `--version`: Show version information
+- `--help`: Show help information
+### Main Commands
+#### assess
+Run CIS Controls compliance assessment
+```bash
+aws-cis-assess assess [OPTIONS]
+```
+#### list-controls
+List available CIS Controls and their Config rules
+```bash
+aws-cis-assess list-controls [OPTIONS]
+```
+#### list-regions
+List available AWS regions
+```bash
+aws-cis-assess list-regions [OPTIONS]
+```
+#### show-stats
+Show assessment statistics and scope
+```bash
+aws-cis-assess show-stats [OPTIONS]
+```
+#### validate-credentials
+Test AWS credentials and permissions
+```bash
+aws-cis-assess validate-credentials [OPTIONS]
+```
+#### validate-config
+Validate CIS Controls configuration files
+```bash
+aws-cis-assess validate-config [OPTIONS]
+```
+## Assessment Options
+### Implementation Groups
+Choose which CIS Controls Implementation Groups to assess:
+```bash
+# Assess only IG1 (Essential Cyber Hygiene)
+aws-cis-assess assess --implementation-groups IG1
+# Assess IG1 and IG2
+aws-cis-assess assess --implementation-groups IG1,IG2
+# Assess all groups (default)
+aws-cis-assess assess --implementation-groups IG1,IG2,IG3
+```
+### Specific Controls
+Target specific CIS Controls:
+```bash
+# Assess specific controls
+aws-cis-assess assess --controls 1.1,3.3,4.1
+# Exclude specific controls
+aws-cis-assess assess --exclude-controls 7.1,12.8
+```
+### Regional Scope
+Control which AWS regions to assess:
+```bash
+# Specific regions
+aws-cis-assess assess --regions us-east-1,us-west-2,eu-west-1
+# Exclude regions
+aws-cis-assess assess --exclude-regions us-gov-east-1,us-gov-west-1
+# Single region
+aws-cis-assess assess --regions us-east-1
+```
+### AWS Credentials
+Specify AWS credentials and profiles:
+```bash
+# Use specific AWS profile
+aws-cis-assess assess --aws-profile production
+# Use short flag for profile
+aws-cis-assess assess -p production
+# Use access keys directly
+aws-cis-assess assess --aws-access-key-id AKIA... --aws-secret-access-key ...
+# Use temporary credentials
+aws-cis-assess assess --aws-access-key-id AKIA... --aws-secret-access-key ... --aws-session-token ...
+```
+## Output Formats
+### JSON Format (Default)
+Machine-readable format for automation:
+```bash
+aws-cis-assess assess --output-format json --output-file results.json
+```
+JSON structure:
+```json
+{
+  "assessment_metadata": {
+    "account_id": "123456789012",
+    "timestamp": "2024-01-15T10:30:00Z",
+    "regions_assessed": ["us-east-1", "us-west-2"],
+    "assessment_duration": "PT15M30S"
+  },
+  "compliance_summary": {
+    "overall_compliance_percentage": 78.5,
+    "ig1_compliance_percentage": 85.2,
+    "ig2_compliance_percentage": 72.1,
+    "ig3_compliance_percentage": 65.8
+  },
+  "detailed_results": {
+    "IG1": {
+      "controls": {
+        "1.1": {
+          "compliance_percentage": 90.0,
+          "findings": [...]
+        }
+      }
+    }
+  }
+}
+```
+### HTML Format
+Interactive web-based report:
+```bash
+aws-cis-assess assess --output-format html --output-file report.html
+```
+Features:
+- Executive dashboard with charts
+- Drill-down capabilities
+- Responsive design
+- Remediation guidance
+- Export capabilities
+### CSV Format
+Spreadsheet-compatible format:
+```bash
+aws-cis-assess assess --output-format csv --output-file results.csv
+```
+Includes:
+- Summary CSV with overall scores
+- Detailed findings CSV
+- Remediation guidance CSV
+### Multiple Formats
+Generate multiple formats simultaneously:
+```bash
+aws-cis-assess assess --output-format json,html,csv --output-dir ./reports/
+```
+## Advanced Features
+### Performance Tuning
+Control assessment performance:
+```bash
+# Limit parallel workers
+aws-cis-assess assess --max-workers 2
+# Set timeout
+aws-cis-assess assess --timeout 1800
+# Quiet mode for automation
+aws-cis-assess assess --quiet
+```
+### Error Handling
+Configure error handling behavior:
+```bash
+# Enable error recovery
+aws-cis-assess assess --enable-error-recovery
+# Disable audit trail
+aws-cis-assess assess --disable-audit-trail
+```
+### Logging
+Control logging output:
+```bash
+# Set log level
+aws-cis-assess assess --log-level DEBUG
+# Log to file
+aws-cis-assess assess --log-file assessment.log
+# Verbose console output
+aws-cis-assess assess --verbose
+```
+### Dry Run
+Validate configuration without running assessment:
+```bash
+aws-cis-assess assess --dry-run
+```
+## Best Practices
+### 1. Start Small
+Begin with IG1 controls in a single region:
+```bash
+aws-cis-assess assess --implementation-groups IG1 --regions us-east-1
+```
+### 2. Use Dry Run
+Always validate before running full assessments:
+```bash
+aws-cis-assess assess --dry-run
+```
+### 3. Preview Scope
+Check what will be assessed:
+```bash
+aws-cis-assess show-stats --implementation-groups IG1,IG2
+```
+### 4. Focus on Critical Controls
+Start with the most important controls:
+```bash
+aws-cis-assess assess --controls 1.1,3.3,5.2,6.1
+```
+### 5. Generate Multiple Formats
+Create both viewing and automation formats:
+```bash
+aws-cis-assess assess --output-format html,json --output-dir ./reports/
+```
+### 6. Use Appropriate Regions
+Focus on your primary regions:
+```bash
+aws-cis-assess assess --regions us-east-1,us-west-2,eu-west-1
+```
+### 7. Control Resource Usage
+For large assessments, limit workers:
+```bash
+aws-cis-assess assess --max-workers 2 --timeout 3600
+```
+### 8. Enable Detailed Logging
+For troubleshooting:
+```bash
+aws-cis-assess assess --log-level DEBUG --log-file debug.log
+```
+## Common Workflows
+### Initial Security Assessment
+```bash
+# 1. Validate credentials
+aws-cis-assess validate-credentials
+# 2. Check available controls
+aws-cis-assess list-controls
+# 3. Preview assessment scope
+aws-cis-assess show-stats
+# 4. Run IG1 assessment
+aws-cis-assess assess --implementation-groups IG1 --output-format html
+# 5. Review results and plan improvements
+```
+### Regular Compliance Monitoring
+```bash
+# Monthly comprehensive assessment
+aws-cis-assess assess \
+  --output-format json,html \
+  --output-dir ./monthly-reports/ \
+  --log-file monthly-assessment.log
+# Weekly IG1 check
+aws-cis-assess assess \
+  --implementation-groups IG1 \
+  --quiet \
+  --output-format json \
+  --output-file weekly-ig1.json
+```
+### Focused Security Review
+```bash
+# Focus on specific security areas
+aws-cis-assess assess \
+  --controls 3.3,5.2,6.1,8.1 \
+  --regions us-east-1,us-west-2 \
+  --output-format html \
+  --output-file security-review.html
+```
+### Multi-Account Assessment
+```bash
+# Account 1
+aws-cis-assess assess \
+  --aws-profile account1-prod \
+  --output-file account1-results.json
+# Account 2
+aws-cis-assess assess \
+  --aws-profile account2-prod \
+  --output-file account2-results.json
+# Account 3
+aws-cis-assess assess \
+  --aws-profile account3-prod \
+  --output-file account3-results.json
+```
+### Troubleshooting Workflow
+```bash
+# 1. Enable debug logging
+aws-cis-assess assess \
+  --log-level DEBUG \
+  --log-file debug.log \
+  --verbose
+# 2. Check specific regions
+aws-cis-assess list-regions --aws-profile problematic-profile
+# 3. Test credentials
+aws-cis-assess validate-credentials --aws-profile problematic-profile
+# 4. Validate configuration
+aws-cis-assess validate-config
+# 5. Run limited scope
+aws-cis-assess assess \
+  --controls 1.1 \
+  --regions us-east-1 \
+  --verbose
+```
+## Understanding Results
+### Compliance Scores
+- **Overall Compliance**: Weighted average across all Implementation Groups
+- **IG1 Compliance**: Essential cyber hygiene controls
+- **IG2 Compliance**: Enhanced security controls (includes IG1)
+- **IG3 Compliance**: Advanced security controls (includes IG1+IG2)
+### Finding Status
+- **COMPLIANT**: Resource meets the control requirements
+- **NON_COMPLIANT**: Resource violates the control requirements
+- **NOT_APPLICABLE**: Control doesn't apply to this resource
+- **INSUFFICIENT_PERMISSIONS**: Cannot assess due to permission issues
+- **ERROR**: Assessment failed due to technical issues
+### Remediation Guidance
+Each non-compliant finding includes:
+- Specific remediation steps
+- AWS documentation links
+- Priority level (HIGH, MEDIUM, LOW)
+- Estimated effort
+## Next Steps
+- **Configuration Guide**: Learn about customizing assessments
+- **Troubleshooting Guide**: Resolve common issues
+- **CLI Reference**: Complete command reference
+- **Developer Guide**: Extend and customize the tool