aws-cis-controls-assessment 1.0.5__py3-none-any.whl → 1.0.7__py3-none-any.whl

aws_cis_assessment/__init__.py

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 145 comprehensive
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.0.5"
+__version__ = "1.0.7"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"

aws_cis_assessment/controls/ig1/control_critical_security.py

@@ -32,24 +32,31 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
         try:
             iam_client = aws_factory.get_client('iam', region)
             
-            # Get account summary which includes MFA device count
+            # Get account summary which includes MFA device count for root
             account_summary = iam_client.get_account_summary()
+            summary_map = account_summary.get('SummaryMap', {})
             
-            # List MFA devices for root account (empty user name for root)
-            mfa_devices = iam_client.list_mfa_devices()
-            
-            # Get virtual MFA devices to differentiate from hardware
-            virtual_mfa_devices = iam_client.list_virtual_mfa_devices()
+            # Get virtual MFA devices to check if root has hardware MFA
+            # Virtual MFA devices can be listed without specifying a user
+            try:
+                virtual_mfa_devices = iam_client.list_virtual_mfa_devices()
+                virtual_mfa_list = virtual_mfa_devices.get('VirtualMFADevices', [])
+            except ClientError as e:
+                logger.warning(f"Could not list virtual MFA devices: {e}")
+                virtual_mfa_list = []
             
             return [{
                 'account_id': aws_factory.account_id,
-                'account_summary': account_summary.get('SummaryMap', {}),
-                'mfa_devices': mfa_devices.get('MFADevices', []),
-                'virtual_mfa_devices': virtual_mfa_devices.get('VirtualMFADevices', [])
+                'account_summary': summary_map,
+                'virtual_mfa_devices': virtual_mfa_list
             }]
             
         except ClientError as e:
-            logger.error(f"Error getting root account MFA configuration: {e}")
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code in ['AccessDenied', 'UnauthorizedOperation']:
+                logger.warning(f"Insufficient permissions to check root account MFA: {e}")
+            else:
+                logger.error(f"Error getting root account MFA configuration: {e}")
             return []
         except Exception as e:
             logger.error(f"Unexpected error in root account MFA check: {e}")
@@ -59,15 +66,15 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
         """Evaluate root account hardware MFA compliance."""
         try:
             account_summary = resource.get('account_summary', {})
-            mfa_devices = resource.get('mfa_devices', [])
             virtual_mfa_devices = resource.get('virtual_mfa_devices', [])
+            account_id = resource.get('account_id', 'unknown')
             
             # Check if root account has any MFA devices
             account_mfa_enabled = account_summary.get('AccountMFAEnabled', 0)
             
             if account_mfa_enabled == 0:
                 return ComplianceResult(
-                    resource_id=resource['account_id'],
+                    resource_id=account_id,
                     resource_type="AWS::IAM::Root",
                     compliance_status=ComplianceStatus.NON_COMPLIANT,
                     evaluation_reason="Root account does not have MFA enabled",
@@ -75,42 +82,32 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
                     region=region
                 )
             
-            # Check if there are any MFA devices for root (empty UserName indicates root)
-            root_mfa_devices = [device for device in mfa_devices if not device.get('UserName')]
-            
-            if not root_mfa_devices:
-                return ComplianceResult(
-                    resource_id=resource['account_id'],
-                    resource_type="AWS::IAM::Root",
-                    compliance_status=ComplianceStatus.NON_COMPLIANT,
-                    evaluation_reason="Root account MFA is enabled but no MFA devices found",
-                    config_rule_name=self.rule_name,
-                    region=region
-                )
-            
-            # Check if any of the root MFA devices are hardware (not virtual)
-            virtual_mfa_serial_numbers = {device.get('SerialNumber') for device in virtual_mfa_devices}
-            
-            hardware_mfa_devices = [
-                device for device in root_mfa_devices 
-                if device.get('SerialNumber') not in virtual_mfa_serial_numbers
+            # Check if root has a virtual MFA device
+            # Virtual MFA devices for root have SerialNumber like: arn:aws:iam::ACCOUNT_ID:mfa/root-account-mfa-device
+            root_virtual_mfa = [
+                device for device in virtual_mfa_devices 
+                if 'root-account-mfa-device' in device.get('SerialNumber', '').lower()
+                or device.get('User', {}).get('Arn', '').endswith(':root')
             ]
             
-            if not hardware_mfa_devices:
+            if root_virtual_mfa:
                 return ComplianceResult(
-                    resource_id=resource['account_id'],
+                    resource_id=account_id,
                     resource_type="AWS::IAM::Root",
                     compliance_status=ComplianceStatus.NON_COMPLIANT,
-                    evaluation_reason="Root account only has virtual MFA devices, hardware MFA required",
+                    evaluation_reason="Root account has virtual MFA enabled, hardware MFA required for enhanced security",
                     config_rule_name=self.rule_name,
                     region=region
                 )
             
+            # If MFA is enabled but no virtual MFA found, assume hardware MFA
+            # Note: We cannot definitively verify hardware MFA without root credentials,
+            # but if AccountMFAEnabled=1 and no virtual MFA exists, it's likely hardware
             return ComplianceResult(
-                resource_id=resource['account_id'],
+                resource_id=account_id,
                 resource_type="AWS::IAM::Root",
                 compliance_status=ComplianceStatus.COMPLIANT,
-                evaluation_reason=f"Root account has {len(hardware_mfa_devices)} hardware MFA device(s) enabled",
+                evaluation_reason="Root account has MFA enabled (likely hardware MFA - no virtual MFA detected)",
                 config_rule_name=self.rule_name,
                 region=region
             )

aws_cis_assessment/core/assessment_engine.py

@@ -1134,7 +1134,10 @@ class AssessmentEngine:
             'assessments_by_ig': {}
         }
         
-        total_assessments = 0
+        # Track unique rules across all IGs to avoid double-counting
+        # Since IG2 includes IG1 and IG3 includes IG2, we need to count unique rules
+        unique_rules = set()
+        
         for ig in implementation_groups:
             if ig in self._assessment_registry:
                 ig_controls = self._filter_controls_for_ig(ig, controls, exclude_controls)
@@ -1142,9 +1145,11 @@ class AssessmentEngine:
                     'count': len(ig_controls),
                     'rules': list(ig_controls.keys())
                 }
-                total_assessments += len(ig_controls)
+                # Add rules to unique set
+                unique_rules.update(ig_controls.keys())
         
-        summary['total_assessments'] = total_assessments
+        # Total assessments is the count of unique rules across all selected IGs
+        summary['total_assessments'] = len(unique_rules)
         return summary
     
     def _filter_controls_for_ig(self, implementation_group: str, 

{aws_cis_controls_assessment-1.0.5.dist-info → aws_cis_controls_assessment-1.0.7.dist-info}/METADATA

@@ -1,16 +1,16 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.5
+Version: 1.0.7
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
 License: MIT
-Project-URL: Homepage, https://github.com/yourusername/aws-cis-assessment
-Project-URL: Documentation, https://github.com/yourusername/aws-cis-assessment/blob/main/README.md
-Project-URL: Repository, https://github.com/yourusername/aws-cis-assessment.git
-Project-URL: Bug Reports, https://github.com/yourusername/aws-cis-assessment/issues
-Project-URL: Changelog, https://github.com/yourusername/aws-cis-assessment/blob/main/CHANGELOG.md
-Project-URL: Source Code, https://github.com/yourusername/aws-cis-assessment
+Project-URL: Homepage, https://github.com/yourusername/aws-cis-controls-assessment
+Project-URL: Documentation, https://github.com/yourusername/aws-cis-controls-assessment/blob/main/README.md
+Project-URL: Repository, https://github.com/yourusername/aws-cis-controls-assessment.git
+Project-URL: Bug Reports, https://github.com/yourusername/aws-cis-controls-assessment/issues
+Project-URL: Changelog, https://github.com/yourusername/aws-cis-controls-assessment/blob/main/CHANGELOG.md
+Project-URL: Source Code, https://github.com/yourusername/aws-cis-controls-assessment
 Keywords: aws,security,compliance,cis,controls,assessment,audit,enterprise,production
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: System Administrators
@@ -76,11 +76,11 @@ A production-ready, enterprise-grade framework for evaluating AWS account config
 
 ```bash
 # Install from PyPI (production-ready)
-pip install aws-cis-assessment
+pip install aws-cis-controls-assessment
 
 # Or install from source for development
 git clone <repository-url>
-cd aws-cis-assessment
+cd aws-cis-controls-assessment
 pip install -e .
 ```
 

{aws_cis_controls_assessment-1.0.5.dist-info → aws_cis_controls_assessment-1.0.7.dist-info}/RECORD

@@ -1,4 +1,4 @@
-aws_cis_assessment/__init__.py,sha256=UpxV3g2cOtqu3O4FETEj63RdV8-W6sQOhv2tvBEM0qU,480
+aws_cis_assessment/__init__.py,sha256=MIb9QxlByRyGULow2iCQGagEILhZIrW3eYXu0sNMrR8,480
 aws_cis_assessment/cli/__init__.py,sha256=DYaGVAIoy5ucs9ubKQxX6Z3ZD46AGz9AaIaDQXzrzeY,100
 aws_cis_assessment/cli/examples.py,sha256=F9K2Fe297kUfwoq6Ine9Aj_IXNU-KwO9hd7SAPWeZHI,12884
 aws_cis_assessment/cli/main.py,sha256=i5QoqHXsPG_Kw0W7jM3Zj2YaAaCJnxxnfz82QBBHq-U,49441
@@ -20,7 +20,7 @@ aws_cis_assessment/controls/ig1/control_access_keys.py,sha256=Hj3G0Qpwa2EcJE-u49
 aws_cis_assessment/controls/ig1/control_advanced_security.py,sha256=cSbgwEKVuqBq9_YoAC30OSiBrDOmpPaOUNJSa9udOUQ,24250
 aws_cis_assessment/controls/ig1/control_backup_recovery.py,sha256=Y5za_4lCZmA5MYhHp4OCGyL4z97cj6dbO0KfabQ5Hr0,21465
 aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py,sha256=lQOjshW8BBymvzphtWuwg4wIyv6nH2mOSiogBe_Ejfo,8514
-aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=ixUhwM7USK6nur4C1iZNOtRASNomLNggSglQw8qZRAg,20926
+aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=1MVMkfOAWcH5ppFv7psZvJvcOtpww6Pl5WFXrMyN158,20942
 aws_cis_assessment/controls/ig1/control_data_protection.py,sha256=-EDT-d0IcYpdv4cYSNfsSKwX7YzKZ9MiVY18-6YHcVE,44216
 aws_cis_assessment/controls/ig1/control_iam_advanced.py,sha256=FQA_8IV5CyD_49u0eLN8q-JM50g1-tilDu9Ww_R3o9s,27694
 aws_cis_assessment/controls/ig1/control_iam_governance.py,sha256=msaqmhLlFYK3pMgC-eYOP7RvDCpx014W8Su6hdlQ_Ic,22079
@@ -50,7 +50,7 @@ aws_cis_assessment/controls/ig3/control_3_14.py,sha256=fY2MZATcicuP1Zich5L7J6-MM
 aws_cis_assessment/controls/ig3/control_7_1.py,sha256=GZQt0skGJVlUbGoH4MD5AoJJONf0nT9k7WQT-8F3le4,18499
 aws_cis_assessment/core/__init__.py,sha256=aXt5Z3mqaaDvFyZPyMaJYFy66A_phfFIhhH_eyaic8Q,52
 aws_cis_assessment/core/accuracy_validator.py,sha256=jnN2O32PpdDfWAp6erV4v4zKugC9ziJkDYnVF93FVuY,18386
-aws_cis_assessment/core/assessment_engine.py,sha256=IRERKu6qSwWNC8ywfTwn-qkFx89iNa4bwJJZHtIb9Cg,61981
+aws_cis_assessment/core/assessment_engine.py,sha256=QqQXWHRJOZadigA7fSwZld2nl2qhFY-MEhcDk2mVazY,62268
 aws_cis_assessment/core/audit_trail.py,sha256=qapCkI2zjbAPHlHQcgYonfDYyjU2MoX5Sc2IXtYj3eE,18395
 aws_cis_assessment/core/aws_client_factory.py,sha256=1qTLfQ3fgPBH3mWRpX1_i3bbHlQQYsmSE8vsKxKTz8w,13143
 aws_cis_assessment/core/error_handler.py,sha256=5JgH3Y2yG1-ZSuEJR7o0ZMzqlwGWFRW2N4SjcL2gnBw,24219
@@ -61,17 +61,18 @@ aws_cis_assessment/reporters/base_reporter.py,sha256=xalVCTpNzSrTcfZmyRL2I-3B6dd
 aws_cis_assessment/reporters/csv_reporter.py,sha256=r83xzfP1t5AO9MfKawgN4eTeOU6eGZwJQgvNDLEd7NI,31419
 aws_cis_assessment/reporters/html_reporter.py,sha256=1MdbKQ8Eujc0B6x_toHmr3WupjgfTpNzSYwLNFWxzW8,81712
 aws_cis_assessment/reporters/json_reporter.py,sha256=MObCzTc9nlGTEXeWc7P8tTMeKCpEaJNfcSYc79cHXhc,22250
-aws_cis_controls_assessment-1.0.5.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
-docs/README.md,sha256=Wjg0WxRPz1JLMWx-BeNcnFjT7OR7X1DsQcv1JTvlDQg,4143
+aws_cis_controls_assessment-1.0.7.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
+deprecation-package/aws_cis_assessment_deprecated/__init__.py,sha256=WOaufqanKNhvWQ3frj8e627tS_kZnyk2R2hwqPFqydw,1892
+docs/README.md,sha256=lZNUghM9wgl1uW8OoVHpxt5ugKB6DL0rqx_hVTx8yZc,4152
 docs/assessment-logic.md,sha256=7t1YPkLPI3-MpvF3cLpO4x4LeNMfM950-es4vn0W4Zc,27123
 docs/cli-reference.md,sha256=zyTacw3neOJ2lQmq8E7WPJUDGMIDgUzQCqutu0lJ3SY,17854
 docs/config-rule-mappings.md,sha256=Jk31ZqnSn1JAR3iXHlhGnVxVpPukVuCZtK4H58j08Nk,18508
-docs/developer-guide.md,sha256=vAbY-e0G74m0CSun71qDmLRH_0VA0R6h2zpDmBHKAss,31008
-docs/installation.md,sha256=CSejc0L0SbPeBktlA3_XE1iE1Tj0IotXU9MS1z_qI88,7061
+docs/developer-guide.md,sha256=uC0DvgmBoOQ2LnBNManTe_rdOccvjWbzvqd93huO4jE,31026
+docs/installation.md,sha256=ELCw7jhvtbavzL18sitbpi02We-_qB4sg8t3jKBy5cw,7481
 docs/troubleshooting.md,sha256=JcYw6qS9G9YsM0MxxxZUGfPZmmZBxDYTV8tAIK0Sa2U,13175
 docs/user-guide.md,sha256=8XZpgnDTMBFc1s3nR__9GnwjRqPnSXAYBDow3586OcQ,9927
-aws_cis_controls_assessment-1.0.5.dist-info/METADATA,sha256=fZMMoXlvKvaFUPoYMxA3jN6asoxPHLZyqw86NU2zA2k,11218
-aws_cis_controls_assessment-1.0.5.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-aws_cis_controls_assessment-1.0.5.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
-aws_cis_controls_assessment-1.0.5.dist-info/top_level.txt,sha256=26tkntrVzt9EPxjrf6-Ve9-CnXUzic6jKAL0ljBK5Uw,24
-aws_cis_controls_assessment-1.0.5.dist-info/RECORD,,
+aws_cis_controls_assessment-1.0.7.dist-info/METADATA,sha256=TzjkiiU1ZdPb-rqfbL9NkJTsWHqyC4C7d7a_ojR-fVg,11290
+aws_cis_controls_assessment-1.0.7.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+aws_cis_controls_assessment-1.0.7.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
+aws_cis_controls_assessment-1.0.7.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
+aws_cis_controls_assessment-1.0.7.dist-info/RECORD,,

{aws_cis_controls_assessment-1.0.5.dist-info → aws_cis_controls_assessment-1.0.7.dist-info}/top_level.txt

@@ -1,2 +1,3 @@
 aws_cis_assessment
+deprecation-package
 docs

deprecation-package/aws_cis_assessment_deprecated/__init__.py

@@ -0,0 +1,65 @@
+"""
+DEPRECATED: This package has been renamed to aws-cis-controls-assessment
+
+This is a deprecation shim that redirects to the new package.
+"""
+
+import warnings
+import sys
+
+# Show deprecation warning
+warnings.warn(
+    "\n\n"
+    "=" * 80 + "\n"
+    "⚠️  DEPRECATION WARNING\n"
+    "=" * 80 + "\n"
+    "The package 'aws-cis-assessment' has been renamed to 'aws-cis-controls-assessment'\n"
+    "\n"
+    "Please uninstall this package and install the new one:\n"
+    "  pip uninstall aws-cis-assessment\n"
+    "  pip install aws-cis-controls-assessment\n"
+    "\n"
+    "This deprecation package will not receive updates.\n"
+    "All development continues under 'aws-cis-controls-assessment'.\n"
+    "=" * 80 + "\n",
+    DeprecationWarning,
+    stacklevel=2
+)
+
+__version__ = "1.0.3.post1"
+__deprecated__ = True
+
+
+def main():
+    """
+    Entry point that shows deprecation warning and delegates to the new package.
+    """
+    print("\n" + "=" * 80)
+    print("⚠️  DEPRECATION WARNING")
+    print("=" * 80)
+    print("The package 'aws-cis-assessment' has been renamed to 'aws-cis-controls-assessment'")
+    print()
+    print("Please uninstall this package and install the new one:")
+    print("  pip uninstall aws-cis-assessment")
+    print("  pip install aws-cis-controls-assessment")
+    print()
+    print("Attempting to run the new package...")
+    print("=" * 80 + "\n")
+    
+    try:
+        # Try to import and run the new package
+        from aws_cis_assessment.cli.main import main as new_main
+        new_main()
+    except ImportError:
+        print("\n" + "=" * 80)
+        print("❌ ERROR: The new package 'aws-cis-controls-assessment' is not installed.")
+        print("=" * 80)
+        print()
+        print("Please install it manually:")
+        print("  pip install aws-cis-controls-assessment")
+        print()
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

docs/README.md

@@ -17,7 +17,7 @@ Welcome to the comprehensive documentation for the AWS CIS Controls Compliance A
 
 ## Quick Start
 
-1. **Install the framework**: `pip install aws-cis-assessment`
+1. **Install the framework**: `pip install aws-cis-controls-assessment`
 2. **Configure AWS credentials**: `aws configure` or set environment variables
 3. **Run basic assessment**: `aws-cis-assess assess`
 4. **View results**: Open the generated HTML report

docs/developer-guide.md

@@ -70,8 +70,8 @@ aws_cis_assessment/
 
 ```bash
 # Clone the repository
-git clone https://github.com/your-org/aws-cis-assessment.git
-cd aws-cis-assessment
+git clone https://github.com/your-org/aws-cis-controls-assessment.git
+cd aws-cis-controls-assessment
 
 # Create virtual environment
 python -m venv venv

docs/installation.md

@@ -2,6 +2,8 @@
 
 This guide covers the installation and initial setup of the AWS CIS Controls Compliance Assessment Framework - a production-ready, enterprise-grade solution for AWS security compliance assessment.
 
+> **📦 Package Name Change**: Starting from version 1.0.4, this package is published as `aws-cis-controls-assessment` (previously `aws-cis-assessment`). If you have the old package installed, please uninstall it first: `pip uninstall aws-cis-assessment` then install the new package: `pip install aws-cis-controls-assessment`
+
 ## Production Status
 
 **✅ Ready for Enterprise Deployment**
@@ -33,7 +35,7 @@ This guide covers the installation and initial setup of the AWS CIS Controls Com
 
 ```bash
 # Install the latest production version
-pip install aws-cis-assessment
+pip install aws-cis-controls-assessment
 
 # Verify installation
 aws-cis-assess --version
@@ -43,8 +45,8 @@ aws-cis-assess --version
 
 ```bash
 # Clone the repository
-git clone https://github.com/your-org/aws-cis-assessment.git
-cd aws-cis-assessment
+git clone https://github.com/your-org/aws-cis-controls-assessment.git
+cd aws-cis-controls-assessment
 
 # Create virtual environment (recommended)
 python -m venv venv
@@ -223,18 +225,18 @@ aws-cis-assess assess --dry-run
 python --version
 
 # Use specific Python version
-python3.9 -m pip install aws-cis-assessment
+python3.9 -m pip install aws-cis-controls-assessment
 ```
 
 #### Permission Issues
 ```bash
 # Install for current user only
-pip install --user aws-cis-assessment
+pip install --user aws-cis-controls-assessment
 
 # Use virtual environment
 python -m venv aws-cis-env
 source aws-cis-env/bin/activate
-pip install aws-cis-assessment
+pip install aws-cis-controls-assessment
 ```
 
 #### AWS Credential Issues
@@ -249,7 +251,7 @@ aws-cis-assess validate-credentials --verbose
 #### Network/Proxy Issues
 ```bash
 # Install with proxy
-pip install --proxy http://proxy.company.com:8080 aws-cis-assessment
+pip install --proxy http://proxy.company.com:8080 aws-cis-controls-assessment
 
 # Configure AWS CLI with proxy
 aws configure set proxy.http http://proxy.company.com:8080
@@ -275,16 +277,16 @@ After successful installation:
 3. **Run Your First Assessment**: Follow the quick start in the user guide
 4. **Explore CLI Commands**: `docs/cli-reference.md`
 
-## Upgrading
+### Upgrading
 
 ### Upgrade from PyPI
 ```bash
-pip install --upgrade aws-cis-assessment
+pip install --upgrade aws-cis-controls-assessment
 ```
 
 ### Upgrade from Source
 ```bash
-cd aws-cis-assessment
+cd aws-cis-controls-assessment
 git pull origin main
 pip install -e .
 ```
@@ -295,5 +297,5 @@ pip install -e .
 aws-cis-assess --version
 
 # Check for available updates
-pip list --outdated | grep aws-cis-assessment
+pip list --outdated | grep aws-cis-controls-assessment
 ```