aws-cis-controls-assessment 1.0.8__py3-none-any.whl → 1.0.10__py3-none-any.whl

aws_cis_assessment/controls/ig2/__init__.py

@@ -92,6 +92,13 @@ from .control_remaining_rules import (
     AuditLogPolicyExistsAssessment
 )
 
+# Import AWS Backup IG2 controls
+from .control_aws_backup_ig2 import (
+    BackupVaultLockCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+
 __all__ = [
     # Control 3.10 - Encrypt Sensitive Data in Transit
     'APIGatewaySSLEnabledAssessment',
@@ -165,6 +172,11 @@ __all__ = [
     'RestrictedCommonPortsAssessment',
     'AuditLogPolicyExistsAssessment',
     
+    # AWS Backup IG2 Controls
+    'BackupVaultLockCheckAssessment',
+    'BackupReportPlanExistsCheckAssessment',
+    'BackupRestoreTestingPlanExistsCheckAssessment',
+    
     # Control 5.2 - Use Unique Passwords
     'MFAEnabledForIAMConsoleAccessAssessment',
     'RootAccountMFAEnabledAssessment',

aws_cis_assessment/controls/ig2/control_aws_backup_ig2.py

@@ -0,0 +1,23 @@
+"""AWS Backup Service Controls for IG2 - Advanced backup infrastructure assessment.
+
+This module implements IG2-level AWS Backup service controls that assess
+advanced backup capabilities like vault lock, reporting, and restore testing.
+
+Controls:
+- backup-vault-lock-check: Verifies vault lock (ransomware protection)
+- backup-report-plan-exists-check: Validates backup compliance reporting
+- backup-restore-testing-plan-exists-check: Ensures backups are recoverable
+"""
+
+# Import the IG2 controls from the IG1 module since they're all in the same file
+from aws_cis_assessment.controls.ig1.control_aws_backup_service import (
+    BackupVaultLockCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+
+__all__ = [
+    'BackupVaultLockCheckAssessment',
+    'BackupReportPlanExistsCheckAssessment',
+    'BackupRestoreTestingPlanExistsCheckAssessment'
+]

aws_cis_assessment/core/assessment_engine.py

@@ -95,6 +95,11 @@ from aws_cis_assessment.controls.ig1.control_backup_recovery import (
     DBInstanceBackupEnabledAssessment, RedshiftBackupEnabledAssessment, DynamoDBPITREnabledAssessment,
     ElastiCacheRedisClusterAutomaticBackupCheckAssessment, S3BucketReplicationEnabledAssessment
 )
+from aws_cis_assessment.controls.ig1.control_aws_backup_service import (
+    BackupPlanMinFrequencyAndMinRetentionCheckAssessment,
+    BackupVaultAccessPolicyCheckAssessment,
+    BackupSelectionResourceCoverageCheckAssessment
+)
 from aws_cis_assessment.controls.ig1.control_s3_enhancements import (
     S3AccountLevelPublicAccessBlocksPeriodicAssessment, S3BucketPublicWriteProhibitedAssessment
 )
@@ -151,6 +156,11 @@ from aws_cis_assessment.controls.ig2.control_remaining_rules import (
     RedshiftEnhancedVPCRoutingEnabledAssessment, RestrictedCommonPortsAssessment,
     AuditLogPolicyExistsAssessment
 )
+from aws_cis_assessment.controls.ig2.control_aws_backup_ig2 import (
+    BackupVaultLockCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
 from aws_cis_assessment.controls.ig3.control_3_14 import (
     APIGatewayExecutionLoggingEnabledAssessment, CloudTrailS3DataEventsEnabledAssessment,
     MultiRegionCloudTrailEnabledAssessment, CloudTrailCloudWatchLogsEnabledAssessment
@@ -412,6 +422,11 @@ class AssessmentEngine:
                 'elasticache-redis-cluster-automatic-backup-check': ElastiCacheRedisClusterAutomaticBackupCheckAssessment(),
                 's3-bucket-replication-enabled': S3BucketReplicationEnabledAssessment(),
                 
+                # AWS Backup Service Controls (IG1)
+                'backup-plan-min-frequency-and-min-retention-check': BackupPlanMinFrequencyAndMinRetentionCheckAssessment(),
+                'backup-vault-access-policy-check': BackupVaultAccessPolicyCheckAssessment(),
+                'backup-selection-resource-coverage-check': BackupSelectionResourceCoverageCheckAssessment(),
+                
                 # S3 Security Enhancements
                 's3-account-level-public-access-blocks-periodic': S3AccountLevelPublicAccessBlocksPeriodicAssessment(),
                 's3-bucket-public-write-prohibited': S3BucketPublicWriteProhibitedAssessment(),
@@ -488,6 +503,11 @@ class AssessmentEngine:
                 'redshift-enhanced-vpc-routing-enabled': RedshiftEnhancedVPCRoutingEnabledAssessment(),
                 'restricted-common-ports': RestrictedCommonPortsAssessment(),
                 'audit-log-policy-exists (Process check)': AuditLogPolicyExistsAssessment(),
+                
+                # AWS Backup Service Controls (IG2)
+                'backup-vault-lock-check': BackupVaultLockCheckAssessment(),
+                'backup-report-plan-exists-check': BackupReportPlanExistsCheckAssessment(),
+                'backup-restore-testing-plan-exists-check': BackupRestoreTestingPlanExistsCheckAssessment(),
             },
             'IG3': {
                 # Control 3.14 - Sensitive Data Logging
@@ -702,12 +722,16 @@ class AssessmentEngine:
             # Calculate overall score using scoring engine
             overall_score = self.scoring_engine.calculate_overall_score(ig_scores)
             
+            # Calculate AWS Config-style unweighted score
+            aws_config_score = self.scoring_engine.calculate_aws_config_style_score(ig_scores)
+            
             # Create final assessment result
             assessment_result = AssessmentResult(
                 account_id=account_id,
                 regions_assessed=self.aws_factory.regions.copy(),
                 timestamp=datetime.now(),
                 overall_score=overall_score,
+                aws_config_score=aws_config_score,  # Add AWS Config score
                 ig_scores=ig_scores,
                 total_resources_evaluated=len(all_results),
                 assessment_duration=self.progress.elapsed_time

aws_cis_assessment/core/models.py

@@ -126,6 +126,7 @@ class AssessmentResult:
     regions_assessed: List[str]
     timestamp: datetime
     overall_score: float
+    aws_config_score: float = 0.0  # AWS Config Conformance Pack style score
     ig_scores: Dict[str, IGScore] = field(default_factory=dict)
     total_resources_evaluated: int = 0
     assessment_duration: Optional[timedelta] = None

aws_cis_assessment/core/scoring_engine.py

@@ -47,6 +47,36 @@ class ScoringEngine:
         
         logger.info("ScoringEngine initialized with control and IG weights")
     
+    def calculate_aws_config_style_score(self, ig_scores: Dict[str, IGScore]) -> float:
+        """Calculate compliance score using AWS Config Conformance Pack approach.
+        
+        This is a simple unweighted calculation:
+        Score = Total Compliant Resources / Total Resources
+        
+        Args:
+            ig_scores: Dictionary of IG scores
+            
+        Returns:
+            Unweighted compliance percentage (0-100)
+        """
+        total_compliant = 0
+        total_resources = 0
+        
+        # Sum all compliant and total resources across all IGs and controls
+        for ig_score in ig_scores.values():
+            for control_score in ig_score.control_scores.values():
+                total_compliant += control_score.compliant_resources
+                total_resources += control_score.total_resources
+        
+        if total_resources > 0:
+            aws_config_score = (total_compliant / total_resources) * 100
+        else:
+            aws_config_score = 0.0
+        
+        logger.info(f"AWS Config style score: {aws_config_score:.1f}% "
+                   f"({total_compliant}/{total_resources} resources compliant)")
+        return aws_config_score
+    
     def calculate_control_score(self, control_id: str, rule_results: List[ComplianceResult],
                               control_title: str = "", implementation_group: str = "") -> ControlScore:
         """Calculate compliance score for individual CIS Control.

aws_cis_assessment/reporters/base_reporter.py

@@ -110,6 +110,8 @@ class ReportGenerator(ABC):
             },
             'executive_summary': {
                 'overall_compliance_percentage': compliance_summary.overall_compliance_percentage,
+                'aws_config_style_score': assessment_result.aws_config_score,  # Add AWS Config score
+                'score_difference': compliance_summary.overall_compliance_percentage - assessment_result.aws_config_score,  # Show difference
                 'ig1_compliance_percentage': compliance_summary.ig1_compliance_percentage,
                 'ig2_compliance_percentage': compliance_summary.ig2_compliance_percentage,
                 'ig3_compliance_percentage': compliance_summary.ig3_compliance_percentage,

aws_cis_assessment/reporters/html_reporter.py

@@ -962,6 +962,171 @@ class HTMLReporter(ReportGenerator):
             }
         }
         
+        /* Score Comparison Styles */
+        .score-comparison-section {
+            background: white;
+            border-radius: 8px;
+            padding: 25px;
+            margin-bottom: 30px;
+            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
+        }
+        
+        .comparison-grid {
+            display: grid;
+            grid-template-columns: 1fr 1fr;
+            gap: 20px;
+            margin-bottom: 20px;
+        }
+        
+        .comparison-card {
+            background: #f8f9fa;
+            border-radius: 8px;
+            padding: 20px;
+            border: 2px solid #e9ecef;
+        }
+        
+        .comparison-card h4 {
+            margin: 0 0 15px 0;
+            color: #2c3e50;
+            font-size: 1.1em;
+        }
+        
+        .comparison-value {
+            font-size: 2.5em;
+            font-weight: bold;
+            margin: 10px 0;
+        }
+        
+        .comparison-card.weighted .comparison-value {
+            color: #3498db;
+        }
+        
+        .comparison-card.aws-config .comparison-value {
+            color: #9b59b6;
+        }
+        
+        .comparison-features {
+            list-style: none;
+            padding: 0;
+            margin: 15px 0 0 0;
+        }
+        
+        .comparison-features li {
+            padding: 5px 0;
+            color: #666;
+            font-size: 0.9em;
+        }
+        
+        .comparison-features li:before {
+            content: "✓ ";
+            color: #27ae60;
+            font-weight: bold;
+            margin-right: 5px;
+        }
+        
+        .score-difference {
+            background: #fff3cd;
+            border: 1px solid #ffc107;
+            border-radius: 8px;
+            padding: 15px;
+            margin-top: 20px;
+            display: flex;
+            align-items: center;
+            gap: 15px;
+        }
+        
+        .diff-icon {
+            font-size: 2em;
+            flex-shrink: 0;
+        }
+        
+        .diff-content {
+            flex-grow: 1;
+        }
+        
+        .diff-content strong {
+            display: block;
+            margin-bottom: 5px;
+            color: #856404;
+        }
+        
+        .diff-content p {
+            margin: 0;
+            color: #856404;
+            font-size: 0.9em;
+        }
+        
+        .score-difference.neutral {
+            background: #d1ecf1;
+            border-color: #17a2b8;
+        }
+        
+        .score-difference.neutral .diff-content strong,
+        .score-difference.neutral .diff-content p {
+            color: #0c5460;
+        }
+        
+        .score-difference.warning {
+            background: #fff3cd;
+            border-color: #ffc107;
+        }
+        
+        .score-difference.warning .diff-content strong,
+        .score-difference.warning .diff-content p {
+            color: #856404;
+        }
+        
+        .score-difference.positive {
+            background: #d4edda;
+            border-color: #28a745;
+        }
+        
+        .score-difference.positive .diff-content strong,
+        .score-difference.positive .diff-content p {
+            color: #155724;
+        }
+        
+        .methodology-note {
+            background: #e7f3ff;
+            border-left: 4px solid #3498db;
+            padding: 15px;
+            margin-top: 20px;
+            border-radius: 4px;
+        }
+        
+        .methodology-note h5 {
+            margin: 0 0 10px 0;
+            color: #2c3e50;
+            font-size: 1em;
+        }
+        
+        .methodology-note p {
+            margin: 5px 0;
+            color: #555;
+            font-size: 0.9em;
+            line-height: 1.6;
+        }
+        
+        .methodology-note a {
+            color: #3498db;
+            text-decoration: none;
+            font-weight: 500;
+        }
+        
+        .methodology-note a:hover {
+            text-decoration: underline;
+        }
+        
+        @media (max-width: 768px) {
+            .comparison-grid {
+                grid-template-columns: 1fr;
+            }
+            
+            .comparison-value {
+                font-size: 2em;
+            }
+        }
+        
         /* Print styles */
         @media print {
             .navigation {
@@ -1300,6 +1465,18 @@ class HTMLReporter(ReportGenerator):
             a.click();
             window.URL.revokeObjectURL(url);
         }}
+        
+        // Toggle scoring details
+        function toggleScoringDetails() {{
+            const detailsSection = document.getElementById('scoringDetails');
+            if (detailsSection) {{
+                if (detailsSection.style.display === 'none') {{
+                    detailsSection.style.display = 'block';
+                }} else {{
+                    detailsSection.style.display = 'none';
+                }}
+            }}
+        }}
         """
     
     def _generate_header(self, html_data: Dict[str, Any]) -> str:
@@ -1362,14 +1539,22 @@ class HTMLReporter(ReportGenerator):
         
         # Generate metric cards
         overall_status = self._get_status_class(exec_summary.get("overall_compliance_percentage", 0))
+        aws_config_score = exec_summary.get('aws_config_style_score', 0)
+        score_diff = exec_summary.get('score_difference', 0)
         
         metric_cards = f"""
         <div class="metric-card {overall_status}">
             <div class="metric-value">{exec_summary.get('overall_compliance_percentage', 0):.1f}%</div>
-            <div class="metric-label">Overall Compliance</div>
+            <div class="metric-label">Weighted Compliance Score</div>
             <div class="metric-trend trend-stable">Grade: {exec_summary.get('compliance_grade', 'N/A')}</div>
         </div>
         
+        <div class="metric-card">
+            <div class="metric-value">{aws_config_score:.1f}%</div>
+            <div class="metric-label">AWS Config Style Score</div>
+            <div class="metric-trend trend-stable">Unweighted</div>
+        </div>
+        
         <div class="metric-card">
             <div class="metric-value">{exec_summary.get('total_resources', 0):,}</div>
             <div class="metric-label">Resources Evaluated</div>
@@ -1381,14 +1566,15 @@ class HTMLReporter(ReportGenerator):
             <div class="metric-label">Compliant Resources</div>
             <div class="metric-trend trend-up">{(exec_summary.get('compliant_resources', 0) / max(exec_summary.get('total_resources', 1), 1) * 100):.1f}% of total</div>
         </div>
-        
-        <div class="metric-card">
-            <div class="metric-value">{exec_summary.get('non_compliant_resources', 0):,}</div>
-            <div class="metric-label">Non-Compliant Resources</div>
-            <div class="metric-trend trend-down">Require attention</div>
-        </div>
         """
         
+        # Add scoring comparison section
+        score_comparison = self._generate_score_comparison_section(
+            exec_summary.get('overall_compliance_percentage', 0),
+            aws_config_score,
+            score_diff
+        )
+        
         # Generate IG progress bars
         ig_progress = ""
         for ig in ['ig1', 'ig2', 'ig3']:
@@ -1435,6 +1621,8 @@ class HTMLReporter(ReportGenerator):
                 {metric_cards}
             </div>
             
+            {score_comparison}
+            
             <div class="ig-progress-section">
                 <h3>Implementation Groups Progress</h3>
                 {ig_progress}
@@ -1910,6 +2098,90 @@ class HTMLReporter(ReportGenerator):
             display_findings.append(display_finding)
         return display_findings
     
+    def _generate_score_comparison_section(self, weighted_score: float, 
+                                          aws_config_score: float, 
+                                          score_diff: float) -> str:
+        """Generate scoring methodology comparison section.
+        
+        Args:
+            weighted_score: Our weighted compliance score
+            aws_config_score: AWS Config Conformance Pack style score
+            score_diff: Difference between the two scores
+            
+        Returns:
+            HTML section comparing the two scoring approaches
+        """
+        # Determine interpretation based on difference
+        if abs(score_diff) < 1.0:
+            interpretation = "Both scoring approaches show similar results, indicating balanced compliance across all control priorities."
+            icon = "ℹ️"
+            diff_class = "neutral"
+        elif score_diff < 0:
+            # Weighted score is lower
+            interpretation = f"The weighted score is {abs(score_diff):.1f}% lower, indicating critical security controls need attention despite good overall resource compliance."
+            icon = "⚠️"
+            diff_class = "warning"
+        else:
+            # Weighted score is higher
+            interpretation = f"The weighted score is {score_diff:.1f}% higher, indicating strong performance in critical security controls despite some gaps in less critical areas."
+            icon = "✓"
+            diff_class = "positive"
+        
+        return f"""
+        <div class="score-comparison-section">
+            <h3>Scoring Methodology Comparison</h3>
+            <div class="comparison-grid">
+                <div class="comparison-card">
+                    <h4>Weighted Score (Our Approach)</h4>
+                    <div class="comparison-value">{weighted_score:.1f}%</div>
+                    <p class="comparison-description">
+                        Uses risk-based weighting where critical controls (encryption, access control) 
+                        have higher impact on the overall score. Reflects actual security posture.
+                    </p>
+                    <ul class="comparison-features">
+                        <li>✓ Prioritizes critical security controls</li>
+                        <li>✓ Prevents resource count skew</li>
+                        <li>✓ Guides remediation priorities</li>
+                    </ul>
+                </div>
+                
+                <div class="comparison-card">
+                    <h4>AWS Config Style Score</h4>
+                    <div class="comparison-value">{aws_config_score:.1f}%</div>
+                    <p class="comparison-description">
+                        Simple unweighted calculation: compliant resources divided by total resources. 
+                        All rules treated equally regardless of security criticality.
+                    </p>
+                    <ul class="comparison-features">
+                        <li>✓ Simple and straightforward</li>
+                        <li>✓ Easy to audit</li>
+                        <li>✓ Resource-level tracking</li>
+                    </ul>
+                </div>
+            </div>
+            
+            <div class="score-difference {diff_class}">
+                <span class="diff-icon">{icon}</span>
+                <div class="diff-content">
+                    <strong>Score Difference: {score_diff:+.1f}%</strong>
+                    <p>{interpretation}</p>
+                </div>
+            </div>
+            
+            <div class="methodology-note">
+                <strong>Which score should I use?</strong>
+                <ul>
+                    <li><strong>Weighted Score:</strong> Use for security decision-making, risk prioritization, and remediation planning</li>
+                    <li><strong>AWS Config Style:</strong> Use for compliance reporting, audits, and simple stakeholder communication</li>
+                    <li><strong>Both:</strong> Track both metrics for comprehensive security program management</li>
+                </ul>
+                <p>
+                    <a href="#" onclick="toggleScoringDetails(); return false;">Learn more about scoring methodologies →</a>
+                </p>
+            </div>
+        </div>
+        """
+    
     def set_chart_options(self, include_charts: bool = True) -> None:
         """Configure chart inclusion options.
         

{aws_cis_controls_assessment-1.0.8.dist-info → aws_cis_controls_assessment-1.0.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.8
+Version: 1.0.10
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -57,18 +57,20 @@ Dynamic: license-file
 
 # AWS CIS Controls Compliance Assessment Framework
 
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 131 implemented rules plus 5 bonus security enhancements.
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 133 implemented rules plus 5 bonus security enhancements.
 
 > **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
 
 ## 🎯 Key Features
 
-- **✅ Complete Coverage**: 131/131 CIS Controls rules implemented (100% coverage)
+- **✅ Complete Coverage**: 137/137 CIS Controls rules implemented (100% coverage)
+- **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
 - **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
 - **✅ Bonus Security Rules**: 5 additional security enhancements beyond CIS requirements
+- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
 
 ## 🚀 Quick Start
 
@@ -87,7 +89,7 @@ pip install -e .
 ### Basic Usage
 
 ```bash
-# Run complete assessment (all 136 rules) - defaults to us-east-1
+# Run complete assessment (all 142 rules) - defaults to us-east-1
 aws-cis-assess assess --aws-profile my-aws-profile
 
 # Assess multiple regions
@@ -108,19 +110,19 @@ aws-cis-assess assess --output-format json
 
 ## 📊 Implementation Groups Coverage
 
-### IG1 - Essential Cyber Hygiene (93 Rules) ✅
+### IG1 - Essential Cyber Hygiene (96 Rules) ✅
 **100% Coverage Achieved**
 - Asset Inventory and Management (6 rules)
 - Identity and Access Management (15 rules)  
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (12 rules)
+- Backup and Recovery (17 rules) - **NEW: 6 AWS Backup service controls added (3 IG1 + 3 IG2)**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)
 
-### IG2 - Enhanced Security (+37 Rules) ✅  
+### IG2 - Enhanced Security (+40 Rules) ✅  
 **100% Coverage Achieved**
 - Advanced Encryption at Rest (6 rules)
 - Certificate Management (2 rules)
@@ -131,6 +133,7 @@ aws-cis-assess assess --output-format json
 - Network Segmentation (5 rules)
 - Auto-scaling Security (1 rule)
 - Enhanced Access Controls (8 rules)
+- AWS Backup Advanced Controls (3 rules) - **NEW: Vault lock, reporting, restore testing**
 
 ### IG3 - Advanced Security (+1 Rule) ✅
 **100% Coverage Achieved**
@@ -150,7 +153,7 @@ aws-cis-assess assess --output-format json
 
 ### Core Components
 - **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 136 individual rule implementations with robust error handling
+- **Control Assessments**: 138 individual rule implementations with robust error handling
 - **Scoring Engine**: Calculates compliance scores and generates executive metrics
 - **Reporting System**: Multi-format output with detailed remediation guidance
 - **Resource Management**: Optimized for enterprise-scale deployments with memory management
@@ -208,6 +211,9 @@ aws-cis-assess assess --output-format json
 - **[Installation Guide](docs/installation.md)**: Detailed installation instructions and requirements
 - **[User Guide](docs/user-guide.md)**: Comprehensive user manual and best practices
 - **[CLI Reference](docs/cli-reference.md)**: Complete command-line interface documentation
+- **[Dual Scoring Guide](docs/dual-scoring-implementation.md)**: Weighted vs AWS Config scoring methodologies
+- **[Scoring Methodology](docs/scoring-methodology.md)**: Detailed explanation of weighted scoring
+- **[AWS Config Comparison](docs/scoring-comparison-aws-config.md)**: Comparison with AWS Config approach
 - **[Troubleshooting Guide](docs/troubleshooting.md)**: Common issues and solutions
 - **[Developer Guide](docs/developer-guide.md)**: Development and contribution guidelines
 
@@ -243,7 +249,48 @@ MIT License - see [LICENSE](LICENSE) file for details.
 
 ---
 
-**Framework Version**: 1.0.0+  
-**CIS Controls Coverage**: 131/131 rules (100%) + 5 bonus rules  
+**Framework Version**: 1.0.10 (in development)  
+**CIS Controls Coverage**: 137/137 rules (100%) + 5 bonus rules  
 **Production Status**: ✅ Ready for immediate enterprise deployment  
 **Last Updated**: January 2026
+
+## 🆕 What's New in Version 1.0.10
+
+### AWS Backup Service Controls
+Six new controls added to assess AWS Backup infrastructure:
+
+**IG1 Controls (3)**:
+1. **backup-plan-min-frequency-and-min-retention-check** - Validates backup plans have appropriate frequency and retention policies
+   - Ensures backup plans have at least one rule defined
+   - Validates schedule expressions (cron or rate)
+   - Checks retention periods meet minimum requirements (default: 7 days)
+   - Validates lifecycle policies for cold storage transitions
+
+2. **backup-vault-access-policy-check** - Ensures backup vaults have secure access policies
+   - Detects publicly accessible backup vaults
+   - Identifies overly permissive access policies
+   - Warns about dangerous permissions (DeleteBackupVault, DeleteRecoveryPoint)
+   - Validates principle of least privilege
+
+3. **backup-selection-resource-coverage-check** - Validates backup plans cover critical resources
+   - Ensures backup plans have at least one selection
+   - Validates selections target specific resources or use tags
+   - Checks that selections are not empty
+
+**IG2 Controls (3)**:
+4. **backup-vault-lock-check** - Verifies vault lock for ransomware protection
+   - Ensures critical vaults have Vault Lock enabled
+   - Validates immutable backup configuration (WORM)
+   - Checks minimum and maximum retention periods
+
+5. **backup-report-plan-exists-check** - Validates backup compliance reporting
+   - Ensures at least one report plan exists
+   - Validates report delivery configuration
+   - Checks for active report generation
+
+6. **backup-restore-testing-plan-exists-check** - Ensures backups are recoverable
+   - Validates restore testing plans exist
+   - Checks testing schedules are configured
+   - Ensures backups are actually tested for recoverability
+
+These controls complement the existing 12 resource-specific backup controls by assessing the centralized AWS Backup service infrastructure itself. Total backup controls: 17 (12 resource-specific + 5 service-level). See [AWS Backup Controls Guide](docs/adding-aws-backup-controls.md) for detailed documentation.