aws-cis-controls-assessment 1.0.8__py3-none-any.whl → 1.0.10__py3-none-any.whl

docs/assessment-logic.md

@@ -5,7 +5,7 @@ This document provides detailed information about the assessment logic used by t
 ## Production Framework Overview
 
 **✅ Complete Implementation Status**
-- 136 AWS Config rules implemented (131 CIS Controls + 5 bonus)
+- 138 AWS Config rules implemented (133 CIS Controls + 5 bonus)
 - 100% coverage across all Implementation Groups (IG1, IG2, IG3)
 - Production-tested with enterprise-grade error handling
 - Optimized for large-scale enterprise deployments
@@ -25,7 +25,7 @@ This document provides detailed information about the assessment logic used by t
 
 The assessment tool evaluates AWS account configurations against CIS Controls using the same logic as AWS Config rules, but without requiring AWS Config to be enabled. Each assessment follows a standardized process while implementing control-specific evaluation logic.
 
-**Framework Scope**: 136 implemented rules covering all CIS Controls requirements plus 5 bonus security enhancements for additional value.
+**Framework Scope**: 138 implemented rules covering all CIS Controls requirements plus 5 bonus security enhancements for additional value.
 
 ### Key Principles
 
@@ -763,4 +763,292 @@ def batch_evaluate_resources(self, resources, batch_size=50):
     return results
 ```
 
-This comprehensive assessment logic ensures accurate, efficient, and reliable evaluation of AWS resources against CIS Controls while maintaining compatibility with AWS Config rule specifications.
+This comprehensive assessment logic ensures accurate, efficient, and reliable evaluation of AWS resources against CIS Controls while maintaining compatibility with AWS Config rule specifications.
+
+
+### AWS Backup Resources
+```python
+def discover_backup_plans(self, backup_client, region):
+    """Discover AWS Backup plans in specific region."""
+    try:
+        paginator = backup_client.get_paginator('list_backup_plans')
+        
+        backup_plans = []
+        for page in paginator.paginate():
+            for plan in page['BackupPlansList']:
+                try:
+                    # Get detailed plan information
+                    plan_details = backup_client.get_backup_plan(
+                        BackupPlanId=plan['BackupPlanId']
+                    )
+                    
+                    backup_plans.append({
+                        'BackupPlanId': plan['BackupPlanId'],
+                        'BackupPlanName': plan['BackupPlanName'],
+                        'BackupPlanArn': plan['BackupPlanArn'],
+                        'CreationDate': plan['CreationDate'],
+                        'VersionId': plan['VersionId'],
+                        'Rules': plan_details['BackupPlan'].get('Rules', []),
+                        'Region': region
+                    })
+                    
+                except ClientError as e:
+                    # Skip plans we can't access
+                    if e.response['Error']['Code'] in ['AccessDenied', 'ResourceNotFoundException']:
+                        continue
+                    raise
+        
+        return backup_plans
+        
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'AccessDenied':
+            self.logger.warning(f"Insufficient permissions for Backup in {region}")
+            return []
+        raise
+
+def discover_backup_vaults(self, backup_client, region):
+    """Discover AWS Backup vaults in specific region."""
+    try:
+        paginator = backup_client.get_paginator('list_backup_vaults')
+        
+        backup_vaults = []
+        for page in paginator.paginate():
+            for vault in page['BackupVaultList']:
+                try:
+                    # Get vault access policy if exists
+                    try:
+                        policy_response = backup_client.get_backup_vault_access_policy(
+                            BackupVaultName=vault['BackupVaultName']
+                        )
+                        vault['Policy'] = policy_response.get('Policy')
+                    except ClientError as e:
+                        if e.response['Error']['Code'] == 'ResourceNotFoundException':
+                            vault['Policy'] = None
+                        else:
+                            raise
+                    
+                    backup_vaults.append({
+                        'BackupVaultName': vault['BackupVaultName'],
+                        'BackupVaultArn': vault['BackupVaultArn'],
+                        'CreationDate': vault['CreationDate'],
+                        'EncryptionKeyArn': vault.get('EncryptionKeyArn'),
+                        'NumberOfRecoveryPoints': vault.get('NumberOfRecoveryPoints', 0),
+                        'Policy': vault.get('Policy'),
+                        'Region': region
+                    })
+                    
+                except ClientError as e:
+                    if e.response['Error']['Code'] in ['AccessDenied', 'ResourceNotFoundException']:
+                        continue
+                    raise
+        
+        return backup_vaults
+        
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'AccessDenied':
+            self.logger.warning(f"Insufficient permissions for Backup vaults in {region}")
+            return []
+        raise
+```
+
+## AWS Backup Controls Logic
+
+### Backup Plan Frequency and Retention Check
+
+Evaluates backup plans to ensure they meet minimum frequency and retention requirements:
+
+```python
+def evaluate_backup_plan_compliance(self, resource, aws_factory):
+    """Evaluate backup plan frequency and retention requirements."""
+    backup_plan_id = resource['BackupPlanId']
+    backup_plan_name = resource['BackupPlanName']
+    rules = resource.get('Rules', [])
+    region = resource['Region']
+    
+    if not rules:
+        return ComplianceResult(
+            resource_id=backup_plan_id,
+            resource_type="AWS::Backup::BackupPlan",
+            compliance_status="NON_COMPLIANT",
+            evaluation_reason="Backup plan has no rules defined",
+            config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Add backup rules with appropriate frequency and retention"
+        )
+    
+    # Check each rule for compliance
+    non_compliant_rules = []
+    
+    for rule in rules:
+        rule_name = rule.get('RuleName', 'Unnamed')
+        
+        # Check frequency (schedule expression)
+        schedule = rule.get('ScheduleExpression', '')
+        if not self._meets_frequency_requirement(schedule):
+            non_compliant_rules.append(
+                f"{rule_name}: frequency does not meet minimum (daily)"
+            )
+        
+        # Check retention (minimum 35 days / 5 weeks)
+        lifecycle = rule.get('Lifecycle', {})
+        delete_after_days = lifecycle.get('DeleteAfterDays')
+        
+        if delete_after_days is None or delete_after_days < 35:
+            non_compliant_rules.append(
+                f"{rule_name}: retention {delete_after_days} days is less than minimum (35 days)"
+            )
+    
+    if non_compliant_rules:
+        return ComplianceResult(
+            resource_id=backup_plan_id,
+            resource_type="AWS::Backup::BackupPlan",
+            compliance_status="NON_COMPLIANT",
+            evaluation_reason=f"Backup plan rules do not meet requirements: {'; '.join(non_compliant_rules)}",
+            config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Update backup plan rules to meet minimum frequency (daily) and retention (35 days)"
+        )
+    
+    return ComplianceResult(
+        resource_id=backup_plan_id,
+        resource_type="AWS::Backup::BackupPlan",
+        compliance_status="COMPLIANT",
+        evaluation_reason="Backup plan meets frequency and retention requirements",
+        config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+        region=region,
+        timestamp=datetime.now()
+    )
+
+def _meets_frequency_requirement(self, schedule_expression):
+    """Check if schedule expression meets minimum daily frequency."""
+    if not schedule_expression:
+        return False
+    
+    # Check for rate expressions (e.g., "rate(1 day)")
+    if schedule_expression.startswith('rate('):
+        # Extract number and unit
+        match = re.match(r'rate\((\d+)\s+(hour|day|week)\)', schedule_expression)
+        if match:
+            value = int(match.group(1))
+            unit = match.group(2)
+            
+            # Convert to hours for comparison
+            if unit == 'hour':
+                hours = value
+            elif unit == 'day':
+                hours = value * 24
+            elif unit == 'week':
+                hours = value * 24 * 7
+            
+            # Must be at least daily (24 hours or less)
+            return hours <= 24
+    
+    # Check for cron expressions (e.g., "cron(0 0 * * ? *)")
+    elif schedule_expression.startswith('cron('):
+        # Daily or more frequent cron patterns
+        # This is a simplified check - full cron parsing would be more complex
+        return True  # Assume cron expressions are configured appropriately
+    
+    return False
+```
+
+### Backup Vault Access Policy Check
+
+Evaluates backup vault access policies to ensure they don't allow overly permissive access:
+
+```python
+def evaluate_backup_vault_policy(self, resource, aws_factory):
+    """Evaluate backup vault access policy for security."""
+    vault_name = resource['BackupVaultName']
+    vault_arn = resource['BackupVaultArn']
+    policy = resource.get('Policy')
+    region = resource['Region']
+    
+    # If no policy, vault is secure by default
+    if not policy:
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="COMPLIANT",
+            evaluation_reason="Backup vault has no access policy (secure by default)",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now()
+        )
+    
+    try:
+        # Parse policy JSON
+        policy_doc = json.loads(policy) if isinstance(policy, str) else policy
+        
+        # Check for overly permissive principals
+        security_issues = []
+        
+        for statement in policy_doc.get('Statement', []):
+            principal = statement.get('Principal', {})
+            effect = statement.get('Effect', '')
+            
+            # Check for wildcard principals with Allow effect
+            if effect == 'Allow':
+                if principal == '*' or principal == {'AWS': '*'}:
+                    security_issues.append("Policy allows access from any principal (*)")
+                
+                # Check for overly broad actions
+                actions = statement.get('Action', [])
+                if isinstance(actions, str):
+                    actions = [actions]
+                
+                if 'backup:*' in actions or '*' in actions:
+                    security_issues.append("Policy allows all backup actions (*)")
+        
+        if security_issues:
+            return ComplianceResult(
+                resource_id=vault_arn,
+                resource_type="AWS::Backup::BackupVault",
+                compliance_status="NON_COMPLIANT",
+                evaluation_reason=f"Backup vault policy has security issues: {'; '.join(security_issues)}",
+                config_rule_name="backup-vault-access-policy-check",
+                region=region,
+                timestamp=datetime.now(),
+                remediation_guidance="Update vault policy to restrict access to specific principals and actions"
+            )
+        
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="COMPLIANT",
+            evaluation_reason="Backup vault policy follows security best practices",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now()
+        )
+        
+    except (json.JSONDecodeError, KeyError) as e:
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="ERROR",
+            evaluation_reason=f"Failed to parse vault policy: {str(e)}",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Verify vault policy is valid JSON"
+        )
+```
+
+### Backup Controls Integration
+
+The AWS Backup service-level controls complement the existing resource-specific backup controls:
+
+**Resource-Specific Controls** (existing):
+- `backup-recovery-point-encrypted`: Validates individual recovery points are encrypted
+- `backup-recovery-point-minimum-retention-check`: Checks retention of recovery points
+- `backup-recovery-point-manual-deletion-disabled`: Ensures manual deletion is disabled
+- And 9 other resource-specific backup controls
+
+**Service-Level Controls** (new):
+- `backup-plan-min-frequency-and-min-retention-check`: Validates backup plan policies
+- `backup-vault-access-policy-check`: Checks backup vault security
+
+This hybrid approach provides comprehensive backup coverage at both the service configuration level and individual resource level.

docs/cli-reference.md

@@ -1,6 +1,6 @@
 # CLI Reference
 
-Complete command-line interface reference for the AWS CIS Controls Compliance Assessment Framework - a production-ready enterprise solution with 136 implemented rules (131 CIS Controls + 5 bonus security enhancements).
+Complete command-line interface reference for the AWS CIS Controls Compliance Assessment Framework - a production-ready enterprise solution with 138 implemented rules (133 CIS Controls + 5 bonus security enhancements).
 
 ## Table of Contents
 

docs/config-rule-mappings.md

@@ -16,7 +16,7 @@ This document provides a comprehensive mapping of CIS Controls to AWS Config rul
 
 The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specifications as the foundation for evaluating compliance. Each CIS Control is mapped to one or more AWS Config rules that assess specific AWS resources and configurations.
 
-**Production Status**: This framework has achieved 100% coverage of all CIS Controls requirements with 136 implemented rules (131 CIS Controls + 5 bonus security enhancements).
+**Production Status**: This framework has achieved 100% coverage of all CIS Controls requirements with 138 implemented rules (133 CIS Controls + 5 bonus security enhancements).
 
 ### Mapping Methodology
 
@@ -27,11 +27,11 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 
 ### Implementation Groups Hierarchy
 
-- **IG1**: 93 Config rules covering essential cyber hygiene
-- **IG2**: +37 Config rules for enhanced security (includes all IG1 rules)
+- **IG1**: 96 Config rules covering essential cyber hygiene
+- **IG2**: +40 Config rules for enhanced security (includes all IG1 rules)
 - **IG3**: +1 Config rule for advanced security (includes all IG1+IG2 rules)
 - **Bonus**: +5 additional security rules beyond CIS requirements
-- **Total**: 136 Config rules implemented (131 CIS + 5 bonus)
+- **Total**: 142 Config rules implemented (137 CIS + 5 bonus)
 
 ## IG1 - Essential Cyber Hygiene
 
@@ -106,6 +106,47 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 - Checks for proper resource utilization and maintenance
 - Ensures automatic security updates and rotation policies
 
+### Control 11.1: Establish and Maintain a Data Recovery Process
+
+**Purpose**: Establish and maintain a data recovery process for enterprise data.
+
+| Config Rule | Resource Types | Description |
+|-------------|----------------|-------------|
+| `backup-recovery-point-encrypted` | AWS::Backup::RecoveryPoint | Ensures backup recovery points are encrypted |
+| `backup-recovery-point-minimum-retention-check` | AWS::Backup::RecoveryPoint | Validates recovery point retention periods |
+| `backup-recovery-point-manual-deletion-disabled` | AWS::Backup::RecoveryPoint | Ensures manual deletion is disabled for recovery points |
+| `backup-plan-min-frequency-and-min-retention-check` | AWS::Backup::BackupPlan | Validates backup plan frequency and retention policies |
+| `backup-vault-access-policy-check` | AWS::Backup::BackupVault | Checks backup vault access policies for security |
+| `backup-selection-resource-coverage-check` | AWS::Backup::BackupPlan | Ensures backup plans cover critical resources |
+| `db-instance-backup-enabled` | AWS::RDS::DBInstance | Ensures RDS instances have automated backups enabled |
+| `dynamodb-pitr-enabled` | AWS::DynamoDB::Table | Ensures DynamoDB tables have point-in-time recovery |
+| `elasticache-redis-cluster-automatic-backup-check` | AWS::ElastiCache::CacheCluster | Validates ElastiCache Redis backup configuration |
+| `redshift-backup-enabled` | AWS::Redshift::Cluster | Ensures Redshift clusters have automated backups |
+| `aurora-resources-protected-by-backup-plan` | AWS::RDS::DBCluster | Ensures Aurora clusters are protected by backup plans |
+| `rds-resources-protected-by-backup-plan` | AWS::RDS::DBInstance | Ensures RDS instances are protected by backup plans |
+| `dynamodb-resources-protected-by-backup-plan` | AWS::DynamoDB::Table | Ensures DynamoDB tables are protected by backup plans |
+| `ebs-resources-protected-by-backup-plan` | AWS::EC2::Volume | Ensures EBS volumes are protected by backup plans |
+| `efs-resources-protected-by-backup-plan` | AWS::EFS::FileSystem | Ensures EFS file systems are protected by backup plans |
+
+**Assessment Logic**:
+- Validates backup plan configuration and policies
+- Checks backup vault security and access controls
+- Ensures recovery points meet retention requirements
+- Validates encryption of backup data
+- Confirms resources are protected by backup plans
+- Checks automated backup configuration across services
+- Validates backup selections cover critical resources
+
+**Service-Level Controls (IG1)**:
+- `backup-plan-min-frequency-and-min-retention-check`: Evaluates backup plans to ensure they have rules with minimum frequency and retention
+- `backup-vault-access-policy-check`: Validates backup vault access policies don't allow overly permissive access (wildcard principals or actions)
+- `backup-selection-resource-coverage-check`: Ensures backup plans have selections that target resources (not empty plans)
+
+**Service-Level Controls (IG2)**:
+- `backup-vault-lock-check`: Verifies vault lock is enabled for ransomware protection (immutable backups)
+- `backup-report-plan-exists-check`: Validates backup compliance reporting is configured
+- `backup-restore-testing-plan-exists-check`: Ensures backup recoverability is validated through restore testing
+
 ### Control 5.2: Use Unique Passwords
 
 **Purpose**: Use unique passwords for all enterprise assets.
@@ -234,7 +275,7 @@ The AWS CIS Controls Compliance Assessment Framework uses AWS Config rule specif
 
 ## Bonus Security Rules
 
-Beyond the required 131 CIS Controls rules, the framework includes 5 additional security enhancements:
+Beyond the required 133 CIS Controls rules, the framework includes 5 additional security enhancements:
 
 ### Enhanced Logging Security
 | Config Rule | Resource Types | Description |