aws-cis-controls-assessment 1.0.8__py3-none-any.whl → 1.0.10__py3-none-any.whl

aws_cis_assessment/__init__.py

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 145 comprehensive
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.0.8"
+__version__ = "1.0.10"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"

aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules: 74
+total_rules: 76
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
   '1.1':
@@ -108,6 +108,99 @@ controls:
       parameters: {}
       description: Assessment for s3-bucket-replication-enabled AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for s3-bucket-replication-enabled
+    - name: backup-plan-min-frequency-and-min-retention-check
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: Validates AWS Backup plans have appropriate backup frequency and retention policies to ensure data protection and recovery capabilities
+      remediation_guidance: |
+        Ensure backup plans have:
+        - Backup frequency of at least daily
+        - Retention period of at least 7 days
+        - Appropriate lifecycle policies
+        
+        To create or update a backup plan:
+        1. Go to AWS Backup console
+        2. Create or edit a backup plan
+        3. Add backup rules with:
+           - Schedule: Use cron or rate expressions (e.g., "cron(0 5 * * ? *)" for daily at 5 AM)
+           - Retention: Set to at least 7 days
+           - Lifecycle: Configure cold storage transition if needed
+        
+        AWS CLI example:
+        aws backup create-backup-plan --backup-plan '{
+          "BackupPlanName": "daily-backup-plan",
+          "Rules": [{
+            "RuleName": "daily-rule",
+            "ScheduleExpression": "cron(0 5 * * ? *)",
+            "Lifecycle": {"DeleteAfterDays": 30}
+          }]
+        }'
+    - name: backup-vault-access-policy-check
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: Checks AWS Backup vault access policies for security to ensure vaults follow principle of least privilege and do not allow public access
+      remediation_guidance: |
+        Ensure backup vaults:
+        - Do not allow public access (Principal: "*")
+        - Have restrictive access policies
+        - Follow principle of least privilege
+        - Consider using vault lock for critical vaults
+        
+        To secure a backup vault:
+        1. Go to AWS Backup console
+        2. Select the backup vault
+        3. Review and update access policy:
+           - Remove any wildcard principals
+           - Restrict to specific IAM roles/users
+           - Limit permissions to necessary actions only
+        4. Consider enabling vault lock to prevent deletion
+        
+        AWS CLI example to remove public access:
+        aws backup delete-backup-vault-access-policy --backup-vault-name MyVault
+        
+        To set a restrictive policy:
+        aws backup put-backup-vault-access-policy --backup-vault-name MyVault --policy '{
+          "Version": "2012-10-17",
+          "Statement": [{
+            "Effect": "Allow",
+            "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupRole"},
+            "Action": ["backup:DescribeBackupVault", "backup:ListRecoveryPointsByBackupVault"],
+            "Resource": "*"
+          }]
+        }'
+    - name: backup-selection-resource-coverage-check
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: Validates that AWS Backup plans have backup selections that cover critical resources ensuring comprehensive backup coverage
+      remediation_guidance: |
+        Ensure backup plans have proper resource coverage:
+        - At least one backup selection per plan
+        - Selections target specific resources or use tags
+        - Critical resource types are included
+        - Selections are not empty
+        
+        To add backup selections:
+        1. Go to AWS Backup console
+        2. Select your backup plan
+        3. Add backup selection:
+           - Specify resources by ARN, or
+           - Use resource tags to automatically include resources, or
+           - Use conditions to dynamically select resources
+        4. Ensure critical resources (RDS, EBS, EFS, DynamoDB) are covered
+        
+        AWS CLI example to create a backup selection:
+        aws backup create-backup-selection --backup-plan-id <plan-id> --backup-selection '{
+          "SelectionName": "CriticalResources",
+          "IamRoleArn": "arn:aws:iam::123456789012:role/AWSBackupRole",
+          "ListOfTags": [{
+            "ConditionType": "STRINGEQUALS",
+            "ConditionKey": "backup",
+            "ConditionValue": "true"
+          }]
+        }'
   '12.2':
     title: Control 12.2
     weight: 1.0

aws_cis_assessment/config/rules/cis_controls_ig2.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG2
-total_rules: 58
+total_rules: 53
 description: Enhanced security for enterprises with regulatory compliance burdens
 controls:
   '11.4':
@@ -344,6 +344,88 @@ controls:
       parameters: {}
       description: Assessment for acm-certificate-expiration-check AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for acm-certificate-expiration-check
+  '11.3':
+    title: Establish and Maintain Data Recovery Process - Advanced
+    weight: 1.0
+    config_rules:
+    - name: backup-vault-lock-check
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: Validates that AWS Backup vaults have Vault Lock enabled to prevent deletion of recovery points providing ransomware protection
+      remediation_guidance: |
+        Enable Vault Lock for critical backup vaults:
+        - Vault Lock provides immutable backups (WORM - Write Once Read Many)
+        - Protects against accidental or malicious deletion
+        - Compliance mode prevents even root user from deleting backups
+        
+        To enable Vault Lock:
+        1. Go to AWS Backup console
+        2. Select your backup vault
+        3. Configure Vault Lock:
+           - Set minimum retention period
+           - Set maximum retention period (optional)
+           - Choose compliance mode for strictest protection
+        4. Test the configuration before finalizing
+        
+        AWS CLI example:
+        aws backup put-backup-vault-lock-configuration \
+          --backup-vault-name MyVault \
+          --min-retention-days 35 \
+          --max-retention-days 365
+    - name: backup-report-plan-exists-check
+      resource_types:
+      - AWS::Backup::ReportPlan
+      parameters: {}
+      description: Validates that AWS Backup has report plans configured to monitor backup compliance and provide audit trails
+      remediation_guidance: |
+        Configure backup report plans for compliance monitoring:
+        - At least one report plan should exist
+        - Reports should cover backup job status and compliance
+        - Report delivery should be configured to S3
+        - Reports provide audit trails for compliance
+        
+        To create a report plan:
+        1. Go to AWS Backup console
+        2. Navigate to Reports section
+        3. Create report plan:
+           - Choose report template (backup job report, compliance report, etc.)
+           - Configure S3 bucket for delivery
+           - Set report frequency
+        4. Review generated reports regularly
+        
+        AWS CLI example:
+        aws backup create-report-plan \
+          --report-plan-name ComplianceReport \
+          --report-delivery-channel S3BucketName=my-backup-reports \
+          --report-setting ReportTemplate=BACKUP_JOB_REPORT
+    - name: backup-restore-testing-plan-exists-check
+      resource_types:
+      - AWS::Backup::RestoreTestingPlan
+      parameters: {}
+      description: Validates that AWS Backup has restore testing plans configured to ensure backups are actually recoverable and meet RTO/RPO requirements
+      remediation_guidance: |
+        Configure restore testing plans to validate backup recoverability:
+        - At least one restore testing plan should exist
+        - Testing plans should be actively running
+        - Critical backup vaults should be included in testing
+        - Testing frequency should be appropriate (weekly/monthly)
+        
+        To create a restore testing plan:
+        1. Go to AWS Backup console
+        2. Navigate to Restore testing section
+        3. Create restore testing plan:
+           - Select backup vaults to test
+           - Configure testing schedule
+           - Define validation rules
+           - Set up notifications for test results
+        4. Monitor test execution and results
+        
+        AWS CLI example:
+        aws backup create-restore-testing-plan \
+          --restore-testing-plan-name WeeklyRestoreTest \
+          --schedule-expression "cron(0 2 ? * SUN *)" \
+          --start-window-hours 2
   '5.2':
     title: Use Unique Passwords
     weight: 1.0

aws_cis_assessment/controls/ig1/__init__.py

@@ -125,6 +125,15 @@ from .control_backup_recovery import (
     S3BucketReplicationEnabledAssessment
 )
 
+from .control_aws_backup_service import (
+    BackupPlanMinFrequencyAndMinRetentionCheckAssessment,
+    BackupVaultAccessPolicyCheckAssessment,
+    BackupVaultLockCheckAssessment,
+    BackupSelectionResourceCoverageCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+
 from .control_s3_enhancements import (
     S3AccountLevelPublicAccessBlocksPeriodicAssessment,
     S3BucketPublicWriteProhibitedAssessment
@@ -230,6 +239,14 @@ __all__ = [
     'ElastiCacheRedisClusterAutomaticBackupCheckAssessment',
     'S3BucketReplicationEnabledAssessment',
     
+    # AWS Backup Service Controls
+    'BackupPlanMinFrequencyAndMinRetentionCheckAssessment',
+    'BackupVaultAccessPolicyCheckAssessment',
+    'BackupVaultLockCheckAssessment',
+    'BackupSelectionResourceCoverageCheckAssessment',
+    'BackupReportPlanExistsCheckAssessment',
+    'BackupRestoreTestingPlanExistsCheckAssessment',
+    
     # S3 Security Enhancements
     'S3AccountLevelPublicAccessBlocksPeriodicAssessment',
     'S3BucketPublicWriteProhibitedAssessment',