aws-cis-controls-assessment 1.0.9__py3-none-any.whl → 1.1.0__py3-none-any.whl
- aws_cis_assessment/__init__.py +2 -2
- aws_cis_assessment/config/rules/cis_controls_ig1.yaml +94 -1
- aws_cis_assessment/config/rules/cis_controls_ig2.yaml +680 -1
- aws_cis_assessment/controls/ig1/__init__.py +17 -0
- aws_cis_assessment/controls/ig1/control_aws_backup_service.py +1276 -0
- aws_cis_assessment/controls/ig2/__init__.py +74 -1
- aws_cis_assessment/controls/ig2/control_4_5_6_access_configuration.py +2638 -0
- aws_cis_assessment/controls/ig2/control_8_audit_logging.py +984 -0
- aws_cis_assessment/controls/ig2/control_aws_backup_ig2.py +23 -0
- aws_cis_assessment/core/assessment_engine.py +74 -0
- aws_cis_assessment/reporters/html_reporter.py +197 -35
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/METADATA +163 -12
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/RECORD +26 -21
- docs/README.md +14 -3
- docs/adding-aws-backup-controls.md +562 -0
- docs/assessment-logic.md +291 -3
- docs/cli-reference.md +1 -1
- docs/config-rule-mappings.md +465 -7
- docs/developer-guide.md +312 -3
- docs/installation.md +2 -2
- docs/troubleshooting.md +211 -2
- docs/user-guide.md +47 -2
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/WHEEL +0 -0
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/entry_points.txt +0 -0
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/licenses/LICENSE +0 -0
- {aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/top_level.txt +0 -0
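--- a/aws_cis_assessment/__init__.py
+++ b/aws_cis_assessment/__init__.py
@@ -2,10 +2,10 @@
 AWS CIS Controls Compliance Assessment Framework
 
 A production-ready, enterprise-grade framework for evaluating AWS account configurations against
-CIS Controls Implementation Groups (IG1, IG2, IG3). Implements
+CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 163 comprehensive AWS Config rules
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.0
+__version__ = "1.1.0"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"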
@@ -1,5 +1,5 @@
|
|
|
1
1
|
implementation_group: IG1
|
|
2
|
-
total_rules:
|
|
2
|
+
total_rules: 77
|
|
3
3
|
description: Essential cyber hygiene - foundational safeguards for all enterprises
|
|
4
4
|
controls:
|
|
5
5
|
'1.1':
|
|
@@ -108,6 +108,99 @@ controls:
|
|
|
108
108
|
parameters: {}
|
|
109
109
|
description: Assessment for s3-bucket-replication-enabled AWS Config rule.
|
|
110
110
|
remediation_guidance: Follow AWS Config rule guidance for s3-bucket-replication-enabled
|
|
111
|
+
- name: backup-plan-min-frequency-and-min-retention-check
|
|
112
|
+
resource_types:
|
|
113
|
+
- AWS::Backup::BackupPlan
|
|
114
|
+
parameters: {}
|
|
115
|
+
description: Validates AWS Backup plans have appropriate backup frequency and retention policies to ensure data protection and recovery capabilities
|
|
116
|
+
remediation_guidance: |
|
|
117
|
+
Ensure backup plans have:
|
|
118
|
+
- Backup frequency of at least daily
|
|
119
|
+
- Retention period of at least 7 days
|
|
120
|
+
- Appropriate lifecycle policies
|
|
121
|
+
|
|
122
|
+
To create or update a backup plan:
|
|
123
|
+
1. Go to AWS Backup console
|
|
124
|
+
2. Create or edit a backup plan
|
|
125
|
+
3. Add backup rules with:
|
|
126
|
+
- Schedule: Use cron or rate expressions (e.g., "cron(0 5 * * ? *)" for daily at 5 AM)
|
|
127
|
+
- Retention: Set to at least 7 days
|
|
128
|
+
- Lifecycle: Configure cold storage transition if needed
|
|
129
|
+
|
|
130
|
+
AWS CLI example:
|
|
131
|
+
aws backup create-backup-plan --backup-plan '{
|
|
132
|
+
"BackupPlanName": "daily-backup-plan",
|
|
133
|
+
"Rules": [{
|
|
134
|
+
"RuleName": "daily-rule",
|
|
135
|
+
"ScheduleExpression": "cron(0 5 * * ? *)",
|
|
136
|
+
"Lifecycle": {"DeleteAfterDays": 30}
|
|
137
|
+
}]
|
|
138
|
+
}'
|
|
139
|
+
- name: backup-vault-access-policy-check
|
|
140
|
+
resource_types:
|
|
141
|
+
- AWS::Backup::BackupVault
|
|
142
|
+
parameters: {}
|
|
143
|
+
description: Checks AWS Backup vault access policies for security to ensure vaults follow principle of least privilege and do not allow public access
|
|
144
|
+
remediation_guidance: |
|
|
145
|
+
Ensure backup vaults:
|
|
146
|
+
- Do not allow public access (Principal: "*")
|
|
147
|
+
- Have restrictive access policies
|
|
148
|
+
- Follow principle of least privilege
|
|
149
|
+
- Consider using vault lock for critical vaults
|
|
150
|
+
|
|
151
|
+
To secure a backup vault:
|
|
152
|
+
1. Go to AWS Backup console
|
|
153
|
+
2. Select the backup vault
|
|
154
|
+
3. Review and update access policy:
|
|
155
|
+
- Remove any wildcard principals
|
|
156
|
+
- Restrict to specific IAM roles/users
|
|
157
|
+
- Limit permissions to necessary actions only
|
|
158
|
+
4. Consider enabling vault lock to prevent deletion
|
|
159
|
+
|
|
160
|
+
AWS CLI example to remove public access:
|
|
161
|
+
aws backup delete-backup-vault-access-policy --backup-vault-name MyVault
|
|
162
|
+
|
|
163
|
+
To set a restrictive policy:
|
|
164
|
+
aws backup put-backup-vault-access-policy --backup-vault-name MyVault --policy '{
|
|
165
|
+
"Version": "2012-10-17",
|
|
166
|
+
"Statement": [{
|
|
167
|
+
"Effect": "Allow",
|
|
168
|
+
"Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupRole"},
|
|
169
|
+
"Action": ["backup:DescribeBackupVault", "backup:ListRecoveryPointsByBackupVault"],
|
|
170
|
+
"Resource": "*"
|
|
171
|
+
}]
|
|
172
|
+
}'
|
|
173
|
+
- name: backup-selection-resource-coverage-check
|
|
174
|
+
resource_types:
|
|
175
|
+
- AWS::Backup::BackupPlan
|
|
176
|
+
parameters: {}
|
|
177
|
+
description: Validates that AWS Backup plans have backup selections that cover critical resources ensuring comprehensive backup coverage
|
|
178
|
+
remediation_guidance: |
|
|
179
|
+
Ensure backup plans have proper resource coverage:
|
|
180
|
+
- At least one backup selection per plan
|
|
181
|
+
- Selections target specific resources or use tags
|
|
182
|
+
- Critical resource types are included
|
|
183
|
+
- Selections are not empty
|
|
184
|
+
|
|
185
|
+
To add backup selections:
|
|
186
|
+
1. Go to AWS Backup console
|
|
187
|
+
2. Select your backup plan
|
|
188
|
+
3. Add backup selection:
|
|
189
|
+
- Specify resources by ARN, or
|
|
190
|
+
- Use resource tags to automatically include resources, or
|
|
191
|
+
- Use conditions to dynamically select resources
|
|
192
|
+
4. Ensure critical resources (RDS, EBS, EFS, DynamoDB) are covered
|
|
193
|
+
|
|
194
|
+
AWS CLI example to create a backup selection:
|
|
195
|
+
aws backup create-backup-selection --backup-plan-id <plan-id> --backup-selection '{
|
|
196
|
+
"SelectionName": "CriticalResources",
|
|
197
|
+
"IamRoleArn": "arn:aws:iam::123456789012:role/AWSBackupRole",
|
|
198
|
+
"ListOfTags": [{
|
|
199
|
+
"ConditionType": "STRINGEQUALS",
|
|
200
|
+
"ConditionKey": "backup",
|
|
201
|
+
"ConditionValue": "true"
|
|
202
|
+
}]
|
|
203
|
+
}'
|
|
111
204
|
'12.2':
|
|
112
205
|
title: Control 12.2
|
|
113
206
|
weight: 1.0
|
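Review bot: The new `backup-plan-min-frequency-and-min-retention-check` entry (new lines 111–138) declares `parameters: {}` while its description and remediation text pin the thresholds only in prose (at least daily, at least 7 days retention), so the values the assessment actually enforces are not expressed anywhere a reader or the engine can inspect or tune. If the evaluator in control_aws_backup_service.py applies those numbers, surface them here, e.g. `parameters: {requiredFrequencyValue: 1, requiredFrequencyUnit: days, requiredRetentionDays: 7}` (the keys the AWS managed rule of the same name accepts; adjust if the local evaluator reads different names) and keep the prose in sync with them. A related gap is in `backup-vault-access-policy-check` (new lines 139–172): its description names only `Principal: "*"` as public access, but `"Principal": {"AWS": "*"}` is the other common public form, so the description should state that the check treats both as public if it does. The new entries are appended under a control key whose header lies before this hunk.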