aws-cis-controls-assessment 1.0.6__py3-none-any.whl → 1.0.7__py3-none-any.whl

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 145 comprehensive
6
6
  across all implementation groups for complete security compliance assessment.
7
7
  """
8
8
 
9
- __version__ = "1.0.6"
9
+ __version__ = "1.0.7"
10
10
  __author__ = "AWS CIS Assessment Team"
11
11
  __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"
@@ -32,24 +32,31 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
32
32
  try:
33
33
  iam_client = aws_factory.get_client('iam', region)
34
34
 
35
- # Get account summary which includes MFA device count
35
+ # Get account summary which includes MFA device count for root
36
36
  account_summary = iam_client.get_account_summary()
37
+ summary_map = account_summary.get('SummaryMap', {})
37
38
 
38
- # List MFA devices for root account (empty user name for root)
39
- mfa_devices = iam_client.list_mfa_devices()
40
-
41
- # Get virtual MFA devices to differentiate from hardware
42
- virtual_mfa_devices = iam_client.list_virtual_mfa_devices()
39
+ # Get virtual MFA devices to check if root has hardware MFA
40
+ # Virtual MFA devices can be listed without specifying a user
41
+ try:
42
+ virtual_mfa_devices = iam_client.list_virtual_mfa_devices()
43
+ virtual_mfa_list = virtual_mfa_devices.get('VirtualMFADevices', [])
44
+ except ClientError as e:
45
+ logger.warning(f"Could not list virtual MFA devices: {e}")
46
+ virtual_mfa_list = []
43
47
 
44
48
  return [{
45
49
  'account_id': aws_factory.account_id,
46
- 'account_summary': account_summary.get('SummaryMap', {}),
47
- 'mfa_devices': mfa_devices.get('MFADevices', []),
48
- 'virtual_mfa_devices': virtual_mfa_devices.get('VirtualMFADevices', [])
50
+ 'account_summary': summary_map,
51
+ 'virtual_mfa_devices': virtual_mfa_list
49
52
  }]
50
53
 
51
54
  except ClientError as e:
52
- logger.error(f"Error getting root account MFA configuration: {e}")
55
+ error_code = e.response.get('Error', {}).get('Code', '')
56
+ if error_code in ['AccessDenied', 'UnauthorizedOperation']:
57
+ logger.warning(f"Insufficient permissions to check root account MFA: {e}")
58
+ else:
59
+ logger.error(f"Error getting root account MFA configuration: {e}")
53
60
  return []
54
61
  except Exception as e:
55
62
  logger.error(f"Unexpected error in root account MFA check: {e}")
@@ -59,15 +66,15 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
59
66
  """Evaluate root account hardware MFA compliance."""
60
67
  try:
61
68
  account_summary = resource.get('account_summary', {})
62
- mfa_devices = resource.get('mfa_devices', [])
63
69
  virtual_mfa_devices = resource.get('virtual_mfa_devices', [])
70
+ account_id = resource.get('account_id', 'unknown')
64
71
 
65
72
  # Check if root account has any MFA devices
66
73
  account_mfa_enabled = account_summary.get('AccountMFAEnabled', 0)
67
74
 
68
75
  if account_mfa_enabled == 0:
69
76
  return ComplianceResult(
70
- resource_id=resource['account_id'],
77
+ resource_id=account_id,
71
78
  resource_type="AWS::IAM::Root",
72
79
  compliance_status=ComplianceStatus.NON_COMPLIANT,
73
80
  evaluation_reason="Root account does not have MFA enabled",
@@ -75,42 +82,32 @@ class RootAccountHardwareMFAEnabledAssessment(BaseConfigRuleAssessment):
75
82
  region=region
76
83
  )
77
84
 
78
- # Check if there are any MFA devices for root (empty UserName indicates root)
79
- root_mfa_devices = [device for device in mfa_devices if not device.get('UserName')]
80
-
81
- if not root_mfa_devices:
82
- return ComplianceResult(
83
- resource_id=resource['account_id'],
84
- resource_type="AWS::IAM::Root",
85
- compliance_status=ComplianceStatus.NON_COMPLIANT,
86
- evaluation_reason="Root account MFA is enabled but no MFA devices found",
87
- config_rule_name=self.rule_name,
88
- region=region
89
- )
90
-
91
- # Check if any of the root MFA devices are hardware (not virtual)
92
- virtual_mfa_serial_numbers = {device.get('SerialNumber') for device in virtual_mfa_devices}
93
-
94
- hardware_mfa_devices = [
95
- device for device in root_mfa_devices
96
- if device.get('SerialNumber') not in virtual_mfa_serial_numbers
85
+ # Check if root has a virtual MFA device
86
+ # Virtual MFA devices for root have SerialNumber like: arn:aws:iam::ACCOUNT_ID:mfa/root-account-mfa-device
87
+ root_virtual_mfa = [
88
+ device for device in virtual_mfa_devices
89
+ if 'root-account-mfa-device' in device.get('SerialNumber', '').lower()
90
+ or device.get('User', {}).get('Arn', '').endswith(':root')
97
91
  ]
98
92
 
99
- if not hardware_mfa_devices:
93
+ if root_virtual_mfa:
100
94
  return ComplianceResult(
101
- resource_id=resource['account_id'],
95
+ resource_id=account_id,
102
96
  resource_type="AWS::IAM::Root",
103
97
  compliance_status=ComplianceStatus.NON_COMPLIANT,
104
- evaluation_reason="Root account only has virtual MFA devices, hardware MFA required",
98
+ evaluation_reason="Root account has virtual MFA enabled, hardware MFA required for enhanced security",
105
99
  config_rule_name=self.rule_name,
106
100
  region=region
107
101
  )
108
102
 
103
+ # If MFA is enabled but no virtual MFA found, assume hardware MFA
104
+ # Note: We cannot definitively verify hardware MFA without root credentials,
105
+ # but if AccountMFAEnabled=1 and no virtual MFA exists, it's likely hardware
109
106
  return ComplianceResult(
110
- resource_id=resource['account_id'],
107
+ resource_id=account_id,
111
108
  resource_type="AWS::IAM::Root",
112
109
  compliance_status=ComplianceStatus.COMPLIANT,
113
- evaluation_reason=f"Root account has {len(hardware_mfa_devices)} hardware MFA device(s) enabled",
110
+ evaluation_reason="Root account has MFA enabled (likely hardware MFA - no virtual MFA detected)",
114
111
  config_rule_name=self.rule_name,
115
112
  region=region
116
113
  )
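Review bot: The `except ClientError` around the `list_virtual_mfa_devices` call turns a permission or API failure into an empty `virtual_mfa_list`, and the evaluator in the third hunk then reads an empty list as "no virtual MFA" and returns COMPLIANT, so an account the scanner cannot actually inspect is scored as hardware-MFA-protected — a fail-open result for a root-MFA control. The same false COMPLIANT occurs when root's assigned virtual device is not in the first response, because the call is not paginated (ListVirtualMFADevices returns a bounded page, 100 by default, and accounts with many IAM users can exceed it). Record the failure in the collected resource (`'virtual_mfa_check_failed': True`), have the evaluator short-circuit on it with a non-compliant or undetermined status — whichever `ComplianceStatus` provides — and the reason `"Could not enumerate virtual MFA devices; hardware MFA for root not verified"` before it reaches the "likely hardware" branch, and walk the paginator with `AssignmentStatus='Assigned'` so only devices actually bound to a principal are matched; the serial-name heuristic at the `'root-account-mfa-device'` comparison only reflects the console's default name and is not a property of the API. Both the collector and the evaluator start before these hunks, so the `def` lines are not visible here.
```python
# … unchanged: get_account_summary / summary_map …
try:
    paginator = iam_client.get_paginator('list_virtual_mfa_devices')
    virtual_mfa_list = [
        device
        for page in paginator.paginate(AssignmentStatus='Assigned')
        for device in page.get('VirtualMFADevices', [])
    ]
    virtual_mfa_check_failed = False
except ClientError as e:
    # Do not fail open: record that the check was inconclusive
    logger.warning(f"Could not list virtual MFA devices: {e}")
    virtual_mfa_list = []
    virtual_mfa_check_failed = True

return [{
    'account_id': aws_factory.account_id,
    'account_summary': summary_map,
    'virtual_mfa_devices': virtual_mfa_list,
    'virtual_mfa_check_failed': virtual_mfa_check_failed,
}]
```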
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: aws-cis-controls-assessment
3
- Version: 1.0.6
3
+ Version: 1.0.7
4
4
  Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
5
5
  Author-email: AWS CIS Assessment Team <security@example.com>
6
6
  Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -1,4 +1,4 @@
1
- aws_cis_assessment/__init__.py,sha256=ENW-oYsdAEpNlcdVOswJHLtIyWLwm1qKC0CaFVObN4Q,480
1
+ aws_cis_assessment/__init__.py,sha256=MIb9QxlByRyGULow2iCQGagEILhZIrW3eYXu0sNMrR8,480
2
2
  aws_cis_assessment/cli/__init__.py,sha256=DYaGVAIoy5ucs9ubKQxX6Z3ZD46AGz9AaIaDQXzrzeY,100
3
3
  aws_cis_assessment/cli/examples.py,sha256=F9K2Fe297kUfwoq6Ine9Aj_IXNU-KwO9hd7SAPWeZHI,12884
4
4
  aws_cis_assessment/cli/main.py,sha256=i5QoqHXsPG_Kw0W7jM3Zj2YaAaCJnxxnfz82QBBHq-U,49441
@@ -20,7 +20,7 @@ aws_cis_assessment/controls/ig1/control_access_keys.py,sha256=Hj3G0Qpwa2EcJE-u49
20
20
  aws_cis_assessment/controls/ig1/control_advanced_security.py,sha256=cSbgwEKVuqBq9_YoAC30OSiBrDOmpPaOUNJSa9udOUQ,24250
21
21
  aws_cis_assessment/controls/ig1/control_backup_recovery.py,sha256=Y5za_4lCZmA5MYhHp4OCGyL4z97cj6dbO0KfabQ5Hr0,21465
22
22
  aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py,sha256=lQOjshW8BBymvzphtWuwg4wIyv6nH2mOSiogBe_Ejfo,8514
23
- aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=ixUhwM7USK6nur4C1iZNOtRASNomLNggSglQw8qZRAg,20926
23
+ aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=1MVMkfOAWcH5ppFv7psZvJvcOtpww6Pl5WFXrMyN158,20942
24
24
  aws_cis_assessment/controls/ig1/control_data_protection.py,sha256=-EDT-d0IcYpdv4cYSNfsSKwX7YzKZ9MiVY18-6YHcVE,44216
25
25
  aws_cis_assessment/controls/ig1/control_iam_advanced.py,sha256=FQA_8IV5CyD_49u0eLN8q-JM50g1-tilDu9Ww_R3o9s,27694
26
26
  aws_cis_assessment/controls/ig1/control_iam_governance.py,sha256=msaqmhLlFYK3pMgC-eYOP7RvDCpx014W8Su6hdlQ_Ic,22079
@@ -61,7 +61,7 @@ aws_cis_assessment/reporters/base_reporter.py,sha256=xalVCTpNzSrTcfZmyRL2I-3B6dd
61
61
  aws_cis_assessment/reporters/csv_reporter.py,sha256=r83xzfP1t5AO9MfKawgN4eTeOU6eGZwJQgvNDLEd7NI,31419
62
62
  aws_cis_assessment/reporters/html_reporter.py,sha256=1MdbKQ8Eujc0B6x_toHmr3WupjgfTpNzSYwLNFWxzW8,81712
63
63
  aws_cis_assessment/reporters/json_reporter.py,sha256=MObCzTc9nlGTEXeWc7P8tTMeKCpEaJNfcSYc79cHXhc,22250
64
- aws_cis_controls_assessment-1.0.6.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
64
+ aws_cis_controls_assessment-1.0.7.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
65
65
  deprecation-package/aws_cis_assessment_deprecated/__init__.py,sha256=WOaufqanKNhvWQ3frj8e627tS_kZnyk2R2hwqPFqydw,1892
66
66
  docs/README.md,sha256=lZNUghM9wgl1uW8OoVHpxt5ugKB6DL0rqx_hVTx8yZc,4152
67
67
  docs/assessment-logic.md,sha256=7t1YPkLPI3-MpvF3cLpO4x4LeNMfM950-es4vn0W4Zc,27123
@@ -71,8 +71,8 @@ docs/developer-guide.md,sha256=uC0DvgmBoOQ2LnBNManTe_rdOccvjWbzvqd93huO4jE,31026
71
71
  docs/installation.md,sha256=ELCw7jhvtbavzL18sitbpi02We-_qB4sg8t3jKBy5cw,7481
72
72
  docs/troubleshooting.md,sha256=JcYw6qS9G9YsM0MxxxZUGfPZmmZBxDYTV8tAIK0Sa2U,13175
73
73
  docs/user-guide.md,sha256=8XZpgnDTMBFc1s3nR__9GnwjRqPnSXAYBDow3586OcQ,9927
74
- aws_cis_controls_assessment-1.0.6.dist-info/METADATA,sha256=wRved3YCBUAXrbjjmyO-ZR4kpj9E4h0hUnvRz4JztME,11290
75
- aws_cis_controls_assessment-1.0.6.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
76
- aws_cis_controls_assessment-1.0.6.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
77
- aws_cis_controls_assessment-1.0.6.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
78
- aws_cis_controls_assessment-1.0.6.dist-info/RECORD,,
74
+ aws_cis_controls_assessment-1.0.7.dist-info/METADATA,sha256=TzjkiiU1ZdPb-rqfbL9NkJTsWHqyC4C7d7a_ojR-fVg,11290
75
+ aws_cis_controls_assessment-1.0.7.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
76
+ aws_cis_controls_assessment-1.0.7.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
77
+ aws_cis_controls_assessment-1.0.7.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
78
+ aws_cis_controls_assessment-1.0.7.dist-info/RECORD,,