aws-cis-controls-assessment 1.0.6__py3-none-any.whl → 1.0.8__py3-none-any.whl

{aws_cis_controls_assessment-1.0.6.dist-info → aws_cis_controls_assessment-1.0.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.6
+Version: 1.0.8
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -214,6 +214,7 @@ aws-cis-assess assess --output-format json
 ### Technical Documentation
 - **[Assessment Logic](docs/assessment-logic.md)**: How compliance assessments work
 - **[Config Rule Mappings](docs/config-rule-mappings.md)**: CIS Controls to AWS Config rule mappings
+- **[HTML Report Improvements](docs/html-report-improvements.md)**: Enhanced HTML report features and customization
 
 ## 🤝 Support & Community
 

{aws_cis_controls_assessment-1.0.6.dist-info → aws_cis_controls_assessment-1.0.8.dist-info}/RECORD

@@ -1,4 +1,4 @@
-aws_cis_assessment/__init__.py,sha256=ENW-oYsdAEpNlcdVOswJHLtIyWLwm1qKC0CaFVObN4Q,480
+aws_cis_assessment/__init__.py,sha256=trVrC7YvGPjivqPsY-Z2mULRuYcQBDAHH8d8zPB8rYw,480
 aws_cis_assessment/cli/__init__.py,sha256=DYaGVAIoy5ucs9ubKQxX6Z3ZD46AGz9AaIaDQXzrzeY,100
 aws_cis_assessment/cli/examples.py,sha256=F9K2Fe297kUfwoq6Ine9Aj_IXNU-KwO9hd7SAPWeZHI,12884
 aws_cis_assessment/cli/main.py,sha256=i5QoqHXsPG_Kw0W7jM3Zj2YaAaCJnxxnfz82QBBHq-U,49441
@@ -17,10 +17,10 @@ aws_cis_assessment/controls/ig1/control_3_3.py,sha256=f4ZuiMR6qSXCmVwP3OflEeZn48
 aws_cis_assessment/controls/ig1/control_3_4.py,sha256=Flw_cA8_Qxv8zuIbOWv6JAYUdjPiAPU7Qs3CqDoRqvk,11438
 aws_cis_assessment/controls/ig1/control_4_1.py,sha256=-lIoa0XRGwiRdtG9L9f00Wud525FZbv3961bXMuiQIE,22362
 aws_cis_assessment/controls/ig1/control_access_keys.py,sha256=Hj3G0Qpwa2EcJE-u49nvADjbESZh9YClElfP4dWYQfk,14424
-aws_cis_assessment/controls/ig1/control_advanced_security.py,sha256=cSbgwEKVuqBq9_YoAC30OSiBrDOmpPaOUNJSa9udOUQ,24250
+aws_cis_assessment/controls/ig1/control_advanced_security.py,sha256=PNtPfqSKGu7UYDx6PccO8tVT5ZL6YmzeH45Cew_UjLM,24256
 aws_cis_assessment/controls/ig1/control_backup_recovery.py,sha256=Y5za_4lCZmA5MYhHp4OCGyL4z97cj6dbO0KfabQ5Hr0,21465
 aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py,sha256=lQOjshW8BBymvzphtWuwg4wIyv6nH2mOSiogBe_Ejfo,8514
-aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=ixUhwM7USK6nur4C1iZNOtRASNomLNggSglQw8qZRAg,20926
+aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=1MVMkfOAWcH5ppFv7psZvJvcOtpww6Pl5WFXrMyN158,20942
 aws_cis_assessment/controls/ig1/control_data_protection.py,sha256=-EDT-d0IcYpdv4cYSNfsSKwX7YzKZ9MiVY18-6YHcVE,44216
 aws_cis_assessment/controls/ig1/control_iam_advanced.py,sha256=FQA_8IV5CyD_49u0eLN8q-JM50g1-tilDu9Ww_R3o9s,27694
 aws_cis_assessment/controls/ig1/control_iam_governance.py,sha256=msaqmhLlFYK3pMgC-eYOP7RvDCpx014W8Su6hdlQ_Ic,22079
@@ -59,20 +59,21 @@ aws_cis_assessment/core/scoring_engine.py,sha256=JYSPZA9oYJZoH3khxHNzRe5asFIm9Do
 aws_cis_assessment/reporters/__init__.py,sha256=GXdlY08kKy1Y3mMBv8Y0JuUB69u--e5DIu2jNJpc6QI,357
 aws_cis_assessment/reporters/base_reporter.py,sha256=xalVCTpNzSrTcfZmyRL2I-3B6dd6sbeBIkatUiSDTrs,17838
 aws_cis_assessment/reporters/csv_reporter.py,sha256=r83xzfP1t5AO9MfKawgN4eTeOU6eGZwJQgvNDLEd7NI,31419
-aws_cis_assessment/reporters/html_reporter.py,sha256=1MdbKQ8Eujc0B6x_toHmr3WupjgfTpNzSYwLNFWxzW8,81712
+aws_cis_assessment/reporters/html_reporter.py,sha256=TzCVxPGSFs0N5Zzz2evdm88gu7vjSXJJpzvEW-kimfY,104214
 aws_cis_assessment/reporters/json_reporter.py,sha256=MObCzTc9nlGTEXeWc7P8tTMeKCpEaJNfcSYc79cHXhc,22250
-aws_cis_controls_assessment-1.0.6.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
+aws_cis_controls_assessment-1.0.8.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
 deprecation-package/aws_cis_assessment_deprecated/__init__.py,sha256=WOaufqanKNhvWQ3frj8e627tS_kZnyk2R2hwqPFqydw,1892
-docs/README.md,sha256=lZNUghM9wgl1uW8OoVHpxt5ugKB6DL0rqx_hVTx8yZc,4152
+docs/README.md,sha256=8UaAzc2pI1nhMFf_pGSFAf0UfeaM1MXw9X93IrN-z5A,4264
 docs/assessment-logic.md,sha256=7t1YPkLPI3-MpvF3cLpO4x4LeNMfM950-es4vn0W4Zc,27123
 docs/cli-reference.md,sha256=zyTacw3neOJ2lQmq8E7WPJUDGMIDgUzQCqutu0lJ3SY,17854
 docs/config-rule-mappings.md,sha256=Jk31ZqnSn1JAR3iXHlhGnVxVpPukVuCZtK4H58j08Nk,18508
 docs/developer-guide.md,sha256=uC0DvgmBoOQ2LnBNManTe_rdOccvjWbzvqd93huO4jE,31026
-docs/installation.md,sha256=ELCw7jhvtbavzL18sitbpi02We-_qB4sg8t3jKBy5cw,7481
+docs/html-report-improvements.md,sha256=a0OzKvQC_KpcielntTHXMPObwulfWIDgBKnF66iaxp4,11432
+docs/installation.md,sha256=y_CQE44yE3ENeAcBANonJUqsl9pLQsGOX92tui-t2OU,9576
 docs/troubleshooting.md,sha256=JcYw6qS9G9YsM0MxxxZUGfPZmmZBxDYTV8tAIK0Sa2U,13175
-docs/user-guide.md,sha256=8XZpgnDTMBFc1s3nR__9GnwjRqPnSXAYBDow3586OcQ,9927
-aws_cis_controls_assessment-1.0.6.dist-info/METADATA,sha256=wRved3YCBUAXrbjjmyO-ZR4kpj9E4h0hUnvRz4JztME,11290
-aws_cis_controls_assessment-1.0.6.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-aws_cis_controls_assessment-1.0.6.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
-aws_cis_controls_assessment-1.0.6.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
-aws_cis_controls_assessment-1.0.6.dist-info/RECORD,,
+docs/user-guide.md,sha256=4azuL1RWewtA2wRH0ejHkCvVKV3dBfyRJ28THahlmaA,10352
+aws_cis_controls_assessment-1.0.8.dist-info/METADATA,sha256=DI4dO_e0RTeeCL48Xil1V8oYTNk1hbg5GxwOebtUKJc,11406
+aws_cis_controls_assessment-1.0.8.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+aws_cis_controls_assessment-1.0.8.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
+aws_cis_controls_assessment-1.0.8.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
+aws_cis_controls_assessment-1.0.8.dist-info/RECORD,,

docs/README.md

@@ -14,6 +14,7 @@ Welcome to the comprehensive documentation for the AWS CIS Controls Compliance A
 - **[Developer Guide](developer-guide.md)** - Extending and customizing assessments
 - **[Assessment Logic](assessment-logic.md)** - Detailed assessment logic documentation
 - **[Config Rule Mappings](config-rule-mappings.md)** - Complete mapping of CIS Controls to AWS Config rules
+- **[HTML Report Improvements](html-report-improvements.md)** - Enhanced HTML report features and customization
 
 ## Quick Start
 

docs/html-report-improvements.md

@@ -0,0 +1,422 @@
+# HTML Report Improvements Documentation
+
+## Overview
+
+The HTML reporter has been enhanced with improved readability features and reduced redundancy. This document describes the new features, display formats, and customization options.
+
+## New Features
+
+### 1. Control Display Names
+
+Controls now show both the control ID and the AWS Config rule name together, making it easier to understand what each control checks.
+
+**Display Format:**
+- Without title: `{control_id}: {config_rule_name}`
+- With title: `{control_id}: {title} ({config_rule_name})`
+
+**Examples:**
+```
+1.5: root-account-hardware-mfa-enabled
+2.1: IAM Password Policy (iam-password-policy)
+3.3: cloudtrail-enabled
+```
+
+**Truncation:**
+- Display names longer than 50 characters are truncated with ellipsis
+- Full name appears in a tooltip on hover
+- CSS class `.control-display-name.truncated` is applied
+
+### 2. Unique Controls Per Implementation Group
+
+Each Implementation Group section now shows only the controls unique to that level, eliminating duplication.
+
+**Behavior:**
+- **IG1**: Shows all foundational controls
+- **IG2**: Shows only controls unique to IG2 (not in IG1)
+- **IG3**: Shows only controls unique to IG3 (not in IG1 or IG2)
+
+**Visual Indicators:**
+- An explanation box clarifies that IGs are cumulative
+- Each section header shows the count of unique controls
+- Scope descriptions explain what each IG includes
+
+**Example:**
+```
+IG1 - Essential Cyber Hygiene
+Showing 58 foundational controls essential for all organizations.
+
+IG2 - Enhanced Security (includes IG1)
+Showing 74 additional controls beyond IG1 for enhanced security.
+
+IG3 - Advanced Security (includes IG1 + IG2)
+Showing 24 advanced controls beyond IG1 and IG2 for comprehensive security.
+```
+
+### 3. IG Membership Badges
+
+Controls display badges indicating which Implementation Groups include them.
+
+**Badge Colors:**
+- **IG1**: Blue (#3498db)
+- **IG2**: Green (#27ae60)
+- **IG3**: Purple (#9b59b6)
+
+**Display Locations:**
+- Implementation Groups section: Shows originating IG badge
+- Detailed Findings section: Shows all IGs that include the control
+
+**Example:**
+```
+Control: 1.5: root-account-hardware-mfa-enabled
+Badges: [IG1] [IG2] [IG3]  (appears in all three IGs)
+
+Control: 5.2: encryption-at-rest-enabled
+Badges: [IG2] [IG3]  (appears only in IG2 and IG3)
+```
+
+### 4. Consolidated Detailed Findings
+
+The Detailed Findings section now groups findings by control ID only, eliminating duplication across IGs.
+
+**Changes:**
+- Removed "IG1 Detailed Findings", "IG2 Detailed Findings", "IG3 Detailed Findings" subsections
+- Each control appears once with all its findings
+- IG membership badges show which IGs include each control
+- Findings are sorted alphanumerically by control ID
+
+**Benefits:**
+- Easier to remediate issues (each resource listed once)
+- Clearer understanding of which IGs are affected
+- Reduced report length and improved readability
+
+## CSS Classes for Custom Styling
+
+### IG Badge Classes
+
+```css
+/* IG1 badge - Blue */
+.ig-badge-1 {
+    background-color: #3498db;
+    color: white;
+}
+
+/* IG2 badge - Green */
+.ig-badge-2 {
+    background-color: #27ae60;
+    color: white;
+}
+
+/* IG3 badge - Purple */
+.ig-badge-3 {
+    background-color: #9b59b6;
+    color: white;
+}
+
+/* Default badge for unknown IGs */
+.ig-badge-default {
+    background-color: #95a5a6;
+    color: white;
+}
+```
+
+### Control Display Name Classes
+
+```css
+/* Control display name container */
+.control-display-name {
+    font-weight: 600;
+    color: #2c3e50;
+    margin-bottom: 5px;
+    font-size: 0.95em;
+}
+
+/* Truncated display names with tooltip */
+.control-display-name.truncated {
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+    cursor: help;
+}
+```
+
+### IG Membership Badge Container
+
+```css
+/* Container for IG membership badges */
+.ig-membership-badges {
+    display: flex;
+    gap: 5px;
+    margin-top: 5px;
+    margin-bottom: 10px;
+}
+
+/* Individual IG membership badge */
+.ig-membership-badge {
+    font-size: 0.7em;
+    padding: 2px 6px;
+    border-radius: 10px;
+    font-weight: bold;
+    text-transform: uppercase;
+    letter-spacing: 0.5px;
+}
+```
+
+### IG Explanation and Scope
+
+```css
+/* Informational box explaining IG cumulative nature */
+.ig-explanation {
+    background-color: #e8f4fd;
+    border-left: 4px solid #3498db;
+    padding: 15px;
+    margin-bottom: 30px;
+    border-radius: 5px;
+}
+
+/* Scope description for each IG section */
+.ig-scope {
+    color: #666;
+    font-size: 0.9em;
+    margin-top: 5px;
+}
+```
+
+## Customization Examples
+
+### Change IG Badge Colors
+
+To customize the IG badge colors, override the CSS classes:
+
+```css
+/* Custom color scheme */
+.ig-badge-1 {
+    background-color: #e74c3c;  /* Red for IG1 */
+    color: white;
+}
+
+.ig-badge-2 {
+    background-color: #f39c12;  /* Orange for IG2 */
+    color: white;
+}
+
+.ig-badge-3 {
+    background-color: #9b59b6;  /* Keep purple for IG3 */
+    color: white;
+}
+```
+
+### Adjust Truncation Threshold
+
+The default truncation threshold is 50 characters. To change this, modify the `_enrich_control_metadata()` method:
+
+```python
+# In html_reporter.py
+enriched['needs_truncation'] = len(enriched['display_name']) > 80  # Change to 80 characters
+```
+
+### Hide IG Badges
+
+To hide IG badges in the report, add this CSS:
+
+```css
+.ig-membership-badges {
+    display: none;
+}
+```
+
+### Customize Control Card Layout
+
+To adjust the control card layout:
+
+```css
+.control-card {
+    border: 2px solid #3498db;  /* Thicker border */
+    border-radius: 12px;         /* More rounded corners */
+    padding: 25px;               /* More padding */
+    background: linear-gradient(135deg, #f5f7fa 0%, #c3cfe2 100%);  /* Gradient background */
+}
+```
+
+## Backward Compatibility
+
+The improvements maintain full backward compatibility:
+
+1. **Existing Data Structures**: Works with existing `AssessmentResult` data without modification
+2. **Graceful Fallback**: If `config_rule_name` is missing, displays control ID only
+3. **Preserved Sections**: All existing sections and functionality remain intact
+4. **CSS Compatibility**: Existing CSS classes are preserved for custom styling
+5. **JavaScript Functions**: All interactive features continue to work
+
+## Migration Notes
+
+No migration is required. The improvements work automatically with existing assessment data:
+
+- Old reports: Show control IDs only (if config_rule_name was not available)
+- New reports: Show formatted display names with rule names
+- Mixed data: Gracefully handles both old and new data formats
+
+## API Reference
+
+### Key Methods
+
+#### `_format_control_display_name(control_id, config_rule_name, title=None)`
+Formats control display name combining ID, rule name, and optional title.
+
+**Parameters:**
+- `control_id` (str): Control identifier (e.g., "1.5")
+- `config_rule_name` (str): AWS Config rule name
+- `title` (str, optional): Human-readable title
+
+**Returns:** Formatted display name string
+
+#### `_get_ig_badge_class(ig_name)`
+Returns CSS class for IG badge styling.
+
+**Parameters:**
+- `ig_name` (str): Implementation Group name (IG1, IG2, or IG3)
+
+**Returns:** CSS class name string
+
+#### `_enrich_control_metadata(control_data, control_id, ig_name, all_igs)`
+Enriches control data with display metadata.
+
+**Parameters:**
+- `control_data` (dict): Existing control data
+- `control_id` (str): Control identifier
+- `ig_name` (str): Implementation Group name
+- `all_igs` (dict): All implementation groups data
+
+**Returns:** Enhanced control data dictionary
+
+#### `_consolidate_findings_by_control(implementation_groups)`
+Consolidates findings from all IGs, grouped by control ID only.
+
+**Parameters:**
+- `implementation_groups` (dict): Implementation groups data
+
+**Returns:** Dictionary mapping control_id to consolidated findings
+
+#### `_get_control_ig_membership(control_id, implementation_groups)`
+Determines which IGs include a specific control.
+
+**Parameters:**
+- `control_id` (str): Control identifier
+- `implementation_groups` (dict): All IG data
+
+**Returns:** List of IG names
+
+## Examples
+
+### Example 1: Control Card Display
+
+**Before:**
+```
+┌─────────────────────────┐
+│ 1.5                     │
+│ ━━━━━━━━━━━━━━━━━━━━━  │
+│ 0% compliant            │
+└─────────────────────────┘
+```
+
+**After:**
+```
+┌─────────────────────────────────────────────┐
+│ 1.5: root-account-hardware-mfa-enabled      │
+│ [IG1]                                       │
+│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━  │
+│ 0% compliant                                │
+└─────────────────────────────────────────────┘
+```
+
+### Example 2: Detailed Findings Section
+
+**Before:**
+```
+Detailed Findings
+
+IG1 Detailed Findings
+  Control 1.5
+    - Resource: 175331854181
+    - Status: NON_COMPLIANT
+
+IG2 Detailed Findings
+  Control 1.5
+    - Resource: 175331854181
+    - Status: NON_COMPLIANT
+
+IG3 Detailed Findings
+  Control 1.5
+    - Resource: 175331854181
+    - Status: NON_COMPLIANT
+```
+
+**After:**
+```
+Detailed Findings
+
+1.5: root-account-hardware-mfa-enabled
+Implementation Groups: [IG1] [IG2] [IG3]
+  - Resource: 175331854181
+  - Status: NON_COMPLIANT
+```
+
+### Example 3: Implementation Groups Section
+
+**Before:**
+```
+IG1 - Essential Cyber Hygiene (58 controls)
+  [Shows all 58 controls]
+
+IG2 - Enhanced Security (132 controls)
+  [Shows all 132 controls, including 58 from IG1]
+
+IG3 - Advanced Security (156 controls)
+  [Shows all 156 controls, including 132 from IG1+IG2]
+```
+
+**After:**
+```
+Implementation Groups
+Note: IGs are cumulative. IG2 includes IG1, IG3 includes IG1+IG2.
+
+IG1 - Essential Cyber Hygiene
+Showing 58 foundational controls essential for all organizations.
+  [Shows 58 IG1 controls]
+
+IG2 - Enhanced Security (includes IG1)
+Showing 74 additional controls beyond IG1 for enhanced security.
+  [Shows only 74 controls unique to IG2]
+
+IG3 - Advanced Security (includes IG1 + IG2)
+Showing 24 advanced controls beyond IG1 and IG2 for comprehensive security.
+  [Shows only 24 controls unique to IG3]
+```
+
+## Troubleshooting
+
+### Issue: Control names not showing
+
+**Cause:** `config_rule_name` field is missing in assessment data
+
+**Solution:** The reporter gracefully falls back to showing control ID only. To fix, ensure your assessment includes config_rule_name in control data.
+
+### Issue: IG badges not appearing
+
+**Cause:** CSS classes may be overridden by custom styles
+
+**Solution:** Check for conflicting CSS rules and ensure `.ig-membership-badge` classes are not hidden.
+
+### Issue: Truncation not working
+
+**Cause:** CSS for `.control-display-name.truncated` may be missing
+
+**Solution:** Ensure the CSS styles are included in the report. Check browser developer tools for CSS conflicts.
+
+## Support
+
+For issues or questions about the HTML report improvements:
+
+1. Check this documentation for examples and customization options
+2. Review the docstrings in `html_reporter.py` for detailed API information
+3. Examine the CSS classes in the generated HTML for styling customization
+4. Refer to the requirements and design documents in `.kiro/specs/html-report-improvements/`

docs/installation.md

@@ -104,7 +104,7 @@ aws-cis-assess assess --aws-profile my-sso-profile
 
 ## Required IAM Permissions
 
-The tool requires read-only permissions for various AWS services. Here's a comprehensive IAM policy:
+The tool requires read-only permissions for various AWS services. Here's a comprehensive IAM policy that covers all 136 assessments:
 
 ```json
 {
@@ -113,50 +113,87 @@ The tool requires read-only permissions for various AWS services. Here's a compr
         {
             "Effect": "Allow",
             "Action": [
-                "ec2:Describe*",
-                "iam:Get*",
-                "iam:List*",
-                "s3:GetBucket*",
-                "s3:GetObject*",
-                "s3:ListBucket*",
-                "rds:Describe*",
+                "acm:Describe*",
+                "acm:Get*",
+                "acm:List*",
+                "apigateway:GET",
+                "application-autoscaling:Describe*",
+                "autoscaling:Describe*",
+                "backup:Describe*",
+                "backup:Get*",
+                "backup:List*",
                 "cloudtrail:Describe*",
                 "cloudtrail:GetTrailStatus",
                 "cloudtrail:LookupEvents",
                 "cloudwatch:Describe*",
                 "cloudwatch:Get*",
                 "cloudwatch:List*",
-                "logs:Describe*",
-                "guardduty:Get*",
-                "guardduty:List*",
+                "codebuild:BatchGetProjects",
+                "codebuild:ListProjects",
                 "config:Describe*",
                 "config:Get*",
                 "config:List*",
+                "dms:Describe*",
+                "dms:List*",
+                "dynamodb:Describe*",
+                "dynamodb:List*",
+                "ec2:Describe*",
+                "ecr:Describe*",
+                "ecr:Get*",
+                "ecr:List*",
+                "ecs:Describe*",
+                "ecs:List*",
+                "elasticfilesystem:Describe*",
+                "elasticache:Describe*",
+                "elasticache:List*",
+                "elasticbeanstalk:Describe*",
+                "elasticbeanstalk:List*",
+                "elasticloadbalancing:Describe*",
+                "elasticmapreduce:Describe*",
+                "elasticmapreduce:List*",
+                "elasticmapreduce:ViewEventsFromAllClustersInConsole",
+                "es:Describe*",
+                "es:ESHttpGet",
+                "es:List*",
+                "guardduty:Get*",
+                "guardduty:List*",
+                "iam:Get*",
+                "iam:List*",
+                "kinesis:Describe*",
+                "kinesis:List*",
                 "kms:Describe*",
                 "kms:Get*",
                 "kms:List*",
+                "lambda:Get*",
+                "lambda:List*",
+                "logs:Describe*",
+                "organizations:Describe*",
+                "organizations:List*",
+                "rds:Describe*",
+                "redshift:Describe*",
+                "s3:GetBucket*",
+                "s3:GetObject*",
+                "s3:ListBucket*",
+                "s3:GetAccountPublicAccessBlock",
+                "sagemaker:Describe*",
+                "sagemaker:List*",
                 "secretsmanager:Describe*",
                 "secretsmanager:List*",
+                "securityhub:Describe*",
+                "securityhub:Get*",
+                "securityhub:List*",
+                "sns:Get*",
+                "sns:List*",
+                "sqs:Get*",
+                "sqs:List*",
                 "ssm:Describe*",
                 "ssm:Get*",
                 "ssm:List*",
-                "organizations:Describe*",
-                "organizations:List*",
-                "backup:Describe*",
-                "backup:Get*",
-                "backup:List*",
-                "dynamodb:Describe*",
-                "dynamodb:List*",
-                "elasticloadbalancing:Describe*",
-                "apigateway:GET",
-                "redshift:Describe*",
-                "ecr:Describe*",
-                "ecr:Get*",
-                "ecr:List*",
-                "wafv2:Get*",
-                "wafv2:List*",
+                "sts:GetCallerIdentity",
                 "waf:Get*",
-                "waf:List*"
+                "waf:List*",
+                "wafv2:Get*",
+                "wafv2:List*"
             ],
             "Resource": "*"
         }
@@ -164,6 +201,20 @@ The tool requires read-only permissions for various AWS services. Here's a compr
 }
 ```
 
+### Services Covered
+
+This policy includes permissions for all AWS services assessed by the tool:
+
+**Core Services:** EC2, IAM, S3, RDS, CloudTrail, CloudWatch, Logs  
+**Security Services:** GuardDuty, Security Hub, WAF, KMS, Secrets Manager, ACM  
+**Container Services:** ECS, ECR, EKS (via EC2), Lambda  
+**Data Services:** DynamoDB, Redshift, ElastiCache, OpenSearch, Elasticsearch, Kinesis, SQS, SNS  
+**Compute Services:** Auto Scaling, Elastic Beanstalk, EMR, SageMaker  
+**Network Services:** ELB, ALB/NLB, API Gateway, VPC  
+**Storage Services:** EFS, S3 Control, Backup  
+**DevOps Services:** CodeBuild, DMS  
+**Management Services:** SSM, Organizations, Config, STS
+
 ### Minimal Permissions for Testing
 
 For initial testing, you can use the AWS managed `ReadOnlyAccess` policy:

docs/user-guide.md

@@ -210,7 +210,7 @@ JSON structure:
 
 ### HTML Format
 
-Interactive web-based report:
+Interactive web-based report with enhanced readability features:
 
 ```bash
 aws-cis-assess assess --output-format html --output-file report.html
@@ -218,11 +218,17 @@ aws-cis-assess assess --output-format html --output-file report.html
 
 Features:
 - Executive dashboard with charts
+- Control display names with AWS Config rule names
+- Unique controls per Implementation Group (eliminates duplication)
+- IG membership badges for easy identification
+- Consolidated detailed findings (each resource listed once)
 - Drill-down capabilities
 - Responsive design
 - Remediation guidance
 - Export capabilities
 
+> **Note:** See [HTML Report Improvements](html-report-improvements.md) for detailed documentation on the enhanced features, customization options, and examples.
+
 ### CSV Format
 
 Spreadsheet-compatible format: