PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.8py3-none-any.whl → 1.0.9py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

docs/dual-scoring-implementation.md ADDED Viewed

@@ -0,0 +1,303 @@
+# Dual Scoring Implementation Guide
+## Overview
+The AWS CIS Assessment tool now provides **two scoring methodologies** in all reports:
+1. **Weighted Score** (Default) - Risk-based scoring that prioritizes critical security controls
+2. **AWS Config Style Score** - Simple unweighted calculation matching AWS Config Conformance Packs
+Both scores are calculated automatically and displayed side-by-side in all report formats (JSON, CSV, HTML).
+## Implementation Details
+### Architecture
+The dual scoring system is implemented across multiple components:
+```
+assessment_engine.py
+    ↓
+scoring_engine.py (calculates both scores)
+    ↓
+base_reporter.py (includes both in report data)
+    ↓
+json_reporter.py / html_reporter.py (displays both scores)
+```
+### Key Components
+#### 1. Scoring Engine (`aws_cis_assessment/core/scoring_engine.py`)
+**New Method: `calculate_aws_config_style_score()`**
+```python
+def calculate_aws_config_style_score(self, ig_scores: Dict[str, IGScore]) -> float:
+    """Calculate compliance score using AWS Config Conformance Pack approach.
+    Formula: (Total Compliant Resources) / (Total Resources) × 100
+    This is a simple unweighted calculation where all rules are treated equally.
+    """
+```
+#### 2. Assessment Result Model (`aws_cis_assessment/core/models.py`)
+**Updated Field:**
+```python
+@dataclass
+class AssessmentResult:
+    overall_score: float  # Weighted score
+    aws_config_score: float = 0.0  # AWS Config style score
+```
+#### 3. Base Reporter (`aws_cis_assessment/reporters/base_reporter.py`)
+**Enhanced Executive Summary:**
+```python
+'executive_summary': {
+    'overall_compliance_percentage': compliance_summary.overall_compliance_percentage,
+    'aws_config_style_score': assessment_result.aws_config_score,
+    'score_difference': compliance_summary.overall_compliance_percentage - assessment_result.aws_config_score,
+    # ... other fields
+}
+```
+#### 4. HTML Reporter (`aws_cis_assessment/reporters/html_reporter.py`)
+**New Features:**
+- Score comparison section in executive dashboard
+- Visual comparison cards showing both methodologies
+- Difference indicator with interpretation
+- CSS styles for score comparison UI
+- JavaScript toggle function for methodology details
+**New Method: `_generate_score_comparison_section()`**
+Generates a comprehensive comparison showing:
+- Both scores side-by-side
+- Key features of each methodology
+- Score difference with interpretation
+- Guidance on when to use each score
+## Report Output
+### JSON Report
+```json
+{
+  "assessment_result": {
+    "overall_score": 65.5,
+    "aws_config_score": 65.0
+  },
+  "compliance_summary": {
+    "overall_compliance_percentage": 65.5
+  },
+  "executive_summary": {
+    "overall_compliance_percentage": 65.5,
+    "aws_config_style_score": 65.0,
+    "score_difference": 0.5
+  }
+}
+```
+### CSV Report
+The summary CSV includes both scores:
+```csv
+Metric,Value
+Overall Compliance (Weighted),65.5%
+AWS Config Style Score,65.0%
+Score Difference,+0.5%
+```
+### HTML Report
+The HTML report includes:
+1. **Metric Cards** - Both scores displayed prominently in the dashboard
+2. **Score Comparison Section** - Detailed side-by-side comparison
+3. **Visual Indicators** - Color-coded difference interpretation
+4. **Methodology Notes** - Guidance on when to use each score
+## Score Interpretation
+### When Scores Differ
+The difference between the two scores provides valuable insights:
+#### Weighted Score Higher (Positive Difference)
+```
+Weighted: 70.0%
+AWS Config: 65.0%
+Difference: +5.0%
+```
+**Interpretation:** Strong performance in critical security controls despite some gaps in less critical areas. Your most important security measures are in good shape.
+#### Weighted Score Lower (Negative Difference)
+```
+Weighted: 60.0%
+AWS Config: 65.0%
+Difference: -5.0%
+```
+**Interpretation:** Critical security controls need attention despite good overall resource compliance. Focus remediation on high-priority controls.
+#### Scores Similar (< 1% Difference)
+```
+Weighted: 65.5%
+AWS Config: 65.2%
+Difference: +0.3%
+```
+**Interpretation:** Balanced compliance across all control priorities. Both methodologies show similar results.
+## Usage Recommendations
+### Use Weighted Score For:
+- **Security Decision-Making** - Prioritize remediation based on risk
+- **Risk Assessment** - Understand actual security posture
+- **Resource Allocation** - Focus efforts on critical controls
+- **Executive Reporting** - Show security program effectiveness
+### Use AWS Config Style Score For:
+- **Compliance Audits** - Simple, auditable metric
+- **Stakeholder Communication** - Easy to understand percentage
+- **Trend Tracking** - Consistent with AWS Config reports
+- **Regulatory Reporting** - Straightforward compliance metric
+### Track Both For:
+- **Comprehensive Security Program** - Full visibility into compliance
+- **Balanced Perspective** - Understand both resource and risk views
+- **Continuous Improvement** - Monitor progress from multiple angles
+## API Usage
+### Accessing Scores Programmatically
+```python
+from aws_cis_assessment.core.assessment_engine import AssessmentEngine
+# Run assessment
+engine = AssessmentEngine(regions=['us-east-1'])
+result = engine.run_assessment(['IG1', 'IG2', 'IG3'])
+# Access both scores
+weighted_score = result.overall_score
+aws_config_score = result.aws_config_score
+difference = weighted_score - aws_config_score
+print(f"Weighted Score: {weighted_score:.1f}%")
+print(f"AWS Config Score: {aws_config_score:.1f}%")
+print(f"Difference: {difference:+.1f}%")
+```
+### Generating Reports with Both Scores
+```python
+from aws_cis_assessment.reporters.html_reporter import HTMLReporter
+from aws_cis_assessment.reporters.json_reporter import JSONReporter
+# Both reporters automatically include both scores
+html_reporter = HTMLReporter()
+html_content = html_reporter.generate_report(result, summary)
+json_reporter = JSONReporter()
+json_content = json_reporter.generate_report(result, summary)
+```
+## Testing
+The dual scoring implementation includes comprehensive tests:
+- **Unit Tests** - Scoring engine calculations
+- **Integration Tests** - End-to-end report generation
+- **Property Tests** - Score consistency and accuracy
+- **Real Data Tests** - Validation with actual assessment data
+Run tests:
+```bash
+pytest tests/test_html_reporter*.py -v
+pytest tests/test_json_reporter*.py -v
+```
+## Migration Notes
+### Backward Compatibility
+The implementation is **fully backward compatible**:
+- Existing reports continue to work
+- No breaking changes to APIs
+- All existing tests pass
+- Legacy data structures supported
+### Upgrading from Previous Versions
+No action required! The dual scoring is automatically enabled:
+1. Update to version 1.0.8+
+2. Run assessments as usual
+3. Both scores appear in all reports
+## Technical Details
+### Calculation Formulas
+**Weighted Score:**
+```
+Score = Σ(IG_Weight × IG_Score) / Σ(IG_Weight)
+Where:
+- IG_Weight: 1.0 (IG1), 1.5 (IG2), 2.0 (IG3)
+- IG_Score: Weighted average of control scores within IG
+- Control weights: 1.0-1.5 based on criticality
+```
+**AWS Config Style Score:**
+```
+Score = (Total Compliant Resources) / (Total Resources) × 100
+Where:
+- All resources weighted equally
+- All controls weighted equally
+- Simple percentage calculation
+```
+### Performance Impact
+The dual scoring implementation has **minimal performance impact**:
+- Additional calculation time: < 10ms
+- Memory overhead: < 1KB per assessment
+- No impact on AWS API calls
+- Parallel calculation with existing scoring
+## Future Enhancements
+Potential future improvements:
+1. **Custom Weighting** - Allow users to define custom control weights
+2. **Historical Tracking** - Track both scores over time
+3. **Comparative Analysis** - Compare scores across accounts/regions
+4. **Score Predictions** - Estimate impact of remediation on both scores
+5. **Export Options** - Additional export formats with both scores
+## References
+- [Scoring Methodology](scoring-methodology.md) - Detailed weighted scoring explanation
+- [AWS Config Comparison](scoring-comparison-aws-config.md) - Comparison with AWS Config approach
+- [User Guide](user-guide.md) - General usage instructions
+- [API Documentation](developer-guide.md) - Developer reference
+## Support
+For questions or issues related to dual scoring:
+1. Check the [Troubleshooting Guide](troubleshooting.md)
+2. Review [GitHub Issues](https://github.com/your-repo/issues)
+3. Contact the development team
+---
+**Version:** 1.0.8+
+**Last Updated:** January 27, 2026
+**Status:** Production Ready

docs/scoring-comparison-aws-config.md ADDED Viewed

@@ -0,0 +1,379 @@
+# Scoring Comparison: Our Approach vs AWS Config Conformance Packs
+## Overview
+This document compares our weighted scoring methodology with AWS Config's Conformance Pack approach.
+## AWS Config Conformance Pack Approach
+### Formula
+```
+Compliance Score = Compliant Rule-Resources / Total Rule-Resources
+```
+### Characteristics
+- **Simple percentage** - No weighting applied
+- **Flat structure** - All rules treated equally
+- **Resource-centric** - Counts individual rule-resource combinations
+- **No prioritization** - Critical and minor rules have equal impact
+### Example Calculation
+```
+Rule 1: 90/100 resources compliant
+Rule 2: 50/50 resources compliant
+Rule 3: 10/50 resources compliant
+Total: (90 + 50 + 10) / (100 + 50 + 50)
+     = 150 / 200
+     = 75% compliance
+```
+## Our Weighted Approach
+### Formula
+```
+Overall Score = Σ(IG Score × IG Weight) / Σ(IG Weights)
+  where IG Score = Σ(Control Score × Control Weight) / Σ(Control Weights)
+  where Control Score = Compliant Resources / Total Resources
+```
+### Characteristics
+- **Weighted average** - Critical controls have more impact
+- **Hierarchical structure** - Controls → IGs → Overall
+- **Security-centric** - Prioritizes critical security controls
+- **Maturity-aware** - Advanced IGs (IG2/IG3) weighted higher
+### Example Calculation
+```
+Control 1 (weight 1.0): 90/100 = 90%
+Control 2 (weight 1.5): 50/50 = 100%
+Control 3 (weight 1.0): 10/50 = 20%
+Weighted: (90×1.0 + 100×1.5 + 20×1.0) / (1.0 + 1.5 + 1.0)
+        = (90 + 150 + 20) / 3.5
+        = 260 / 3.5
+        = 74.3% compliance
+```
+## Side-by-Side Comparison
+| Aspect | AWS Config Conformance Pack | Our Weighted Approach |
+|--------|----------------------------|----------------------|
+| **Formula** | Simple average | Weighted average |
+| **Structure** | Flat (all rules equal) | Hierarchical (Controls → IGs → Overall) |
+| **Weighting** | None | Control weights + IG weights |
+| **Prioritization** | No | Yes (critical controls weighted higher) |
+| **Maturity Levels** | Not considered | IG1/IG2/IG3 weighted differently |
+| **Complexity** | Low | Medium |
+| **Customization** | Limited | Highly customizable |
+| **Focus** | Resource compliance | Security posture |
+## Real-World Impact Comparison
+### Scenario 1: Critical Control Failure
+**Setup:**
+- 3 controls assessed
+- Control 1 (Asset Inventory, weight 1.0): 90/100 = 90%
+- Control 2 (Encryption at Rest, weight 1.4): 10/100 = 10% ⚠️ CRITICAL
+- Control 3 (Logging, weight 1.2): 80/100 = 80%
+**AWS Config Approach:**
+```
+Score = (90 + 10 + 80) / (100 + 100 + 100)
+      = 180 / 300
+      = 60% compliance
+```
+**Our Weighted Approach:**
+```
+Score = (90×1.0 + 10×1.4 + 80×1.2) / (1.0 + 1.4 + 1.2)
+      = (90 + 14 + 96) / 3.6
+      = 200 / 3.6
+      = 55.6% compliance
+```
+**Analysis:**
+- Our approach scores **4.4% lower** because encryption (critical) is weighted higher
+- This better reflects the **security risk** of poor encryption compliance
+- AWS Config treats encryption failure same as asset inventory issues
+### Scenario 2: Minor Control Failure
+**Setup:**
+- 3 controls assessed
+- Control 1 (Asset Inventory, weight 1.0): 10/100 = 10% ⚠️ MINOR
+- Control 2 (Encryption at Rest, weight 1.4): 90/100 = 90%
+- Control 3 (Logging, weight 1.2): 80/100 = 80%
+**AWS Config Approach:**
+```
+Score = (10 + 90 + 80) / (100 + 100 + 100)
+      = 180 / 300
+      = 60% compliance
+```
+**Our Weighted Approach:**
+```
+Score = (10×1.0 + 90×1.4 + 80×1.2) / (1.0 + 1.4 + 1.2)
+      = (10 + 126 + 96) / 3.6
+      = 232 / 3.6
+      = 64.4% compliance
+```
+**Analysis:**
+- Our approach scores **4.4% higher** because critical controls (encryption) are compliant
+- This better reflects the **actual security posture** despite asset inventory issues
+- AWS Config penalizes equally regardless of control importance
+### Scenario 3: Multiple Implementation Groups
+**Setup:**
+- IG1: 85% compliance (74 controls)
+- IG2: 75% compliance (58 additional controls)
+- IG3: 60% compliance (13 additional controls)
+**AWS Config Approach:**
+```
+All rules treated equally:
+Score = (85 + 75 + 60) / 3
+      = 73.3% compliance
+```
+**Our Weighted Approach:**
+```
+Score = (85×1.0 + 75×1.5 + 60×2.0) / (1.0 + 1.5 + 2.0)
+      = (85 + 112.5 + 120) / 4.5
+      = 317.5 / 4.5
+      = 70.6% compliance
+```
+**Analysis:**
+- Our approach scores **2.7% lower** because IG3 (advanced security) is weighted higher
+- This reflects that **advanced security failures** are more concerning
+- AWS Config doesn't distinguish between basic and advanced security
+## Key Differences Explained
+### 1. Security Prioritization
+**AWS Config:**
+- Treats all rules equally
+- 100 non-compliant S3 buckets = 100 non-compliant IAM users
+- No distinction between critical and minor issues
+**Our Approach:**
+- Critical controls (encryption, access control) weighted higher
+- 100 non-encrypted databases > 100 untagged EC2 instances
+- Reflects actual security risk
+### 2. Maturity Recognition
+**AWS Config:**
+- No concept of security maturity levels
+- Basic and advanced controls treated the same
+**Our Approach:**
+- IG1 (Essential) = baseline weight
+- IG2 (Enhanced) = 1.5x weight
+- IG3 (Advanced) = 2x weight
+- Encourages progression to higher security maturity
+### 3. Resource Distribution Impact
+**AWS Config:**
+- Heavily influenced by resource count
+- 1 rule with 1000 resources dominates score
+- Can mask issues in rules with fewer resources
+**Our Approach:**
+- Each control scored independently first
+- Then weighted and averaged
+- Prevents resource count from dominating
+- Better reflects control-level compliance
+### 4. Actionable Insights
+**AWS Config:**
+- Simple percentage
+- Doesn't indicate which areas need focus
+- All non-compliance treated equally
+**Our Approach:**
+- Identifies high-priority remediation areas
+- Weights guide where to focus effort
+- Risk areas highlighted based on criticality
+## Practical Examples
+### Example 1: Encryption Compliance
+**Scenario:** Organization has poor encryption but good asset management
+| Control | Resources | Compliant | AWS Config Impact | Our Impact |
+|---------|-----------|-----------|-------------------|------------|
+| Asset Inventory (1.0) | 1000 | 950 (95%) | 950/1000 | 95% × 1.0 |
+| Encryption at Rest (1.4) | 100 | 20 (20%) | 20/100 | 20% × 1.4 |
+**AWS Config Score:**
+```
+(950 + 20) / (1000 + 100) = 970/1100 = 88.2%
+```
+**Our Score:**
+```
+(95×1.0 + 20×1.4) / (1.0 + 1.4) = (95 + 28) / 2.4 = 51.3%
+```
+**Difference:** -36.9%
+**Why?** Our approach correctly identifies this as a **critical security issue** despite high resource compliance in less critical areas.
+### Example 2: Balanced Compliance
+**Scenario:** Organization has consistent compliance across all controls
+| Control | Resources | Compliant | Compliance % |
+|---------|-----------|-----------|--------------|
+| Control 1 (1.0) | 100 | 80 | 80% |
+| Control 2 (1.5) | 100 | 80 | 80% |
+| Control 3 (1.2) | 100 | 80 | 80% |
+**AWS Config Score:**
+```
+(80 + 80 + 80) / (100 + 100 + 100) = 240/300 = 80%
+```
+**Our Score:**
+```
+(80×1.0 + 80×1.5 + 80×1.2) / (1.0 + 1.5 + 1.2) = (80 + 120 + 96) / 3.7 = 80%
+```
+**Difference:** 0%
+**Why?** When compliance is **consistent across controls**, both approaches yield the same result.
+### Example 3: Resource Count Skew
+**Scenario:** One rule has many resources, others have few
+| Control | Resources | Compliant | Compliance % |
+|---------|-----------|-----------|--------------|
+| Control 1 (1.0) | 1000 | 900 | 90% |
+| Control 2 (1.5) | 10 | 2 | 20% |
+| Control 3 (1.2) | 10 | 2 | 20% |
+**AWS Config Score:**
+```
+(900 + 2 + 2) / (1000 + 10 + 10) = 904/1020 = 88.6%
+```
+**Our Score:**
+```
+(90×1.0 + 20×1.5 + 20×1.2) / (1.0 + 1.5 + 1.2) = (90 + 30 + 24) / 3.7 = 38.9%
+```
+**Difference:** -49.7%
+**Why?** AWS Config is **dominated by the high resource count** in Control 1. Our approach treats each control equally, revealing the **poor compliance in critical areas**.
+## When Each Approach is Better
+### AWS Config Approach is Better When:
+1. **Simplicity is paramount** - Easy to understand and explain
+2. **All rules are equally important** - No need for prioritization
+3. **Resource-level tracking** - Focus on individual resource compliance
+4. **Regulatory compliance** - Simple pass/fail requirements
+5. **Audit purposes** - Straightforward percentage for auditors
+### Our Weighted Approach is Better When:
+1. **Security prioritization matters** - Critical controls should have more impact
+2. **Risk-based decision making** - Focus on highest-risk areas
+3. **Maturity progression** - Encouraging advancement through IG levels
+4. **Executive reporting** - Reflects actual security posture
+5. **Remediation planning** - Guides where to focus effort
+6. **Resource optimization** - Prevents resource count from dominating
+## Conversion Between Approaches
+### Converting Our Score to AWS Config Style
+To get an "unweighted" score similar to AWS Config:
+```python
+# Sum all compliant resources across all controls
+total_compliant = sum(control.compliant_resources for control in controls)
+# Sum all total resources across all controls
+total_resources = sum(control.total_resources for control in controls)
+# Calculate simple percentage
+aws_config_style_score = (total_compliant / total_resources) * 100
+```
+### Converting AWS Config to Our Style
+To add weighting to AWS Config scores:
+```python
+# Apply control weights to each rule's compliance
+weighted_scores = []
+for rule in rules:
+    rule_compliance = rule.compliant / rule.total
+    weight = get_control_weight(rule.control_id)
+    weighted_scores.append(rule_compliance * weight)
+# Calculate weighted average
+our_style_score = sum(weighted_scores) / sum(weights)
+```
+## Recommendations
+### Use AWS Config Approach If:
+- You need simple, auditable compliance reporting
+- All controls have equal business importance
+- You're reporting to non-technical stakeholders
+- Regulatory requirements specify simple percentage
+### Use Our Weighted Approach If:
+- You need risk-based security prioritization
+- Critical controls should influence score more
+- You're managing security maturity progression
+- You need actionable remediation guidance
+- You want to prevent resource count skew
+### Use Both Approaches:
+- Report **AWS Config style** for auditors and compliance
+- Use **weighted approach** for security decision-making
+- Track both metrics over time for comprehensive view
+## Summary Table
+| Metric | AWS Config | Our Approach | Difference |
+|--------|-----------|--------------|------------|
+| **Complexity** | Low | Medium | More complex but more insightful |
+| **Accuracy** | Resource-level | Security-level | Better reflects security posture |
+| **Actionability** | Limited | High | Clear prioritization guidance |
+| **Customization** | None | High | Adaptable to organization needs |
+| **Audit-friendly** | Very | Moderate | May need explanation |
+| **Risk-awareness** | No | Yes | Reflects actual security risk |
+## Conclusion
+**AWS Config's approach** is simpler and more straightforward - it counts compliant resources and divides by total resources. This works well for basic compliance tracking but doesn't reflect security priorities.
+**Our weighted approach** adds complexity but provides **better security insights** by:
+1. Prioritizing critical controls (encryption, access control)
+2. Recognizing security maturity levels (IG1/IG2/IG3)
+3. Preventing resource count from dominating scores
+4. Providing actionable remediation guidance
+**Best Practice:** Use both approaches:
+- **AWS Config style** for compliance reporting and audits
+- **Weighted approach** for security decision-making and prioritization
+---
+**Recommendation:** Consider adding an "unweighted score" output option to provide both perspectives to users.

aws-cis-controls-assessment 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl

aws-cis-controls-assessment 1.0.8py3-none-any.whl → 1.0.9py3-none-any.whl