PyPI - aws-cis-controls-assessment - Versions diffs - 1.0.9__py3-none-any.whl → 1.1.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.0.9py3-none-any.whl → 1.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

docs/assessment-logic.md CHANGED Viewed

@@ -5,7 +5,7 @@ This document provides detailed information about the assessment logic used by t
 ## Production Framework Overview
 **✅ Complete Implementation Status**
-- 136 AWS Config rules implemented (131 CIS Controls + 5 bonus)
+- 138 AWS Config rules implemented (133 CIS Controls + 5 bonus)
 - 100% coverage across all Implementation Groups (IG1, IG2, IG3)
 - Production-tested with enterprise-grade error handling
 - Optimized for large-scale enterprise deployments
@@ -25,7 +25,7 @@ This document provides detailed information about the assessment logic used by t
 The assessment tool evaluates AWS account configurations against CIS Controls using the same logic as AWS Config rules, but without requiring AWS Config to be enabled. Each assessment follows a standardized process while implementing control-specific evaluation logic.
-**Framework Scope**: 136 implemented rules covering all CIS Controls requirements plus 5 bonus security enhancements for additional value.
+**Framework Scope**: 138 implemented rules covering all CIS Controls requirements plus 5 bonus security enhancements for additional value.
 ### Key Principles
@@ -763,4 +763,292 @@ def batch_evaluate_resources(self, resources, batch_size=50):
     return results
 ```
-This comprehensive assessment logic ensures accurate, efficient, and reliable evaluation of AWS resources against CIS Controls while maintaining compatibility with AWS Config rule specifications.
+This comprehensive assessment logic ensures accurate, efficient, and reliable evaluation of AWS resources against CIS Controls while maintaining compatibility with AWS Config rule specifications.
+### AWS Backup Resources
+```python
+def discover_backup_plans(self, backup_client, region):
+    """Discover AWS Backup plans in specific region."""
+    try:
+        paginator = backup_client.get_paginator('list_backup_plans')
+        backup_plans = []
+        for page in paginator.paginate():
+            for plan in page['BackupPlansList']:
+                try:
+                    # Get detailed plan information
+                    plan_details = backup_client.get_backup_plan(
+                        BackupPlanId=plan['BackupPlanId']
+                    )
+                    backup_plans.append({
+                        'BackupPlanId': plan['BackupPlanId'],
+                        'BackupPlanName': plan['BackupPlanName'],
+                        'BackupPlanArn': plan['BackupPlanArn'],
+                        'CreationDate': plan['CreationDate'],
+                        'VersionId': plan['VersionId'],
+                        'Rules': plan_details['BackupPlan'].get('Rules', []),
+                        'Region': region
+                    })
+                except ClientError as e:
+                    # Skip plans we can't access
+                    if e.response['Error']['Code'] in ['AccessDenied', 'ResourceNotFoundException']:
+                        continue
+                    raise
+        return backup_plans
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'AccessDenied':
+            self.logger.warning(f"Insufficient permissions for Backup in {region}")
+            return []
+        raise
+def discover_backup_vaults(self, backup_client, region):
+    """Discover AWS Backup vaults in specific region."""
+    try:
+        paginator = backup_client.get_paginator('list_backup_vaults')
+        backup_vaults = []
+        for page in paginator.paginate():
+            for vault in page['BackupVaultList']:
+                try:
+                    # Get vault access policy if exists
+                    try:
+                        policy_response = backup_client.get_backup_vault_access_policy(
+                            BackupVaultName=vault['BackupVaultName']
+                        )
+                        vault['Policy'] = policy_response.get('Policy')
+                    except ClientError as e:
+                        if e.response['Error']['Code'] == 'ResourceNotFoundException':
+                            vault['Policy'] = None
+                        else:
+                            raise
+                    backup_vaults.append({
+                        'BackupVaultName': vault['BackupVaultName'],
+                        'BackupVaultArn': vault['BackupVaultArn'],
+                        'CreationDate': vault['CreationDate'],
+                        'EncryptionKeyArn': vault.get('EncryptionKeyArn'),
+                        'NumberOfRecoveryPoints': vault.get('NumberOfRecoveryPoints', 0),
+                        'Policy': vault.get('Policy'),
+                        'Region': region
+                    })
+                except ClientError as e:
+                    if e.response['Error']['Code'] in ['AccessDenied', 'ResourceNotFoundException']:
+                        continue
+                    raise
+        return backup_vaults
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'AccessDenied':
+            self.logger.warning(f"Insufficient permissions for Backup vaults in {region}")
+            return []
+        raise
+```
+## AWS Backup Controls Logic
+### Backup Plan Frequency and Retention Check
+Evaluates backup plans to ensure they meet minimum frequency and retention requirements:
+```python
+def evaluate_backup_plan_compliance(self, resource, aws_factory):
+    """Evaluate backup plan frequency and retention requirements."""
+    backup_plan_id = resource['BackupPlanId']
+    backup_plan_name = resource['BackupPlanName']
+    rules = resource.get('Rules', [])
+    region = resource['Region']
+    if not rules:
+        return ComplianceResult(
+            resource_id=backup_plan_id,
+            resource_type="AWS::Backup::BackupPlan",
+            compliance_status="NON_COMPLIANT",
+            evaluation_reason="Backup plan has no rules defined",
+            config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Add backup rules with appropriate frequency and retention"
+        )
+    # Check each rule for compliance
+    non_compliant_rules = []
+    for rule in rules:
+        rule_name = rule.get('RuleName', 'Unnamed')
+        # Check frequency (schedule expression)
+        schedule = rule.get('ScheduleExpression', '')
+        if not self._meets_frequency_requirement(schedule):
+            non_compliant_rules.append(
+                f"{rule_name}: frequency does not meet minimum (daily)"
+            )
+        # Check retention (minimum 35 days / 5 weeks)
+        lifecycle = rule.get('Lifecycle', {})
+        delete_after_days = lifecycle.get('DeleteAfterDays')
+        if delete_after_days is None or delete_after_days < 35:
+            non_compliant_rules.append(
+                f"{rule_name}: retention {delete_after_days} days is less than minimum (35 days)"
+            )
+    if non_compliant_rules:
+        return ComplianceResult(
+            resource_id=backup_plan_id,
+            resource_type="AWS::Backup::BackupPlan",
+            compliance_status="NON_COMPLIANT",
+            evaluation_reason=f"Backup plan rules do not meet requirements: {'; '.join(non_compliant_rules)}",
+            config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Update backup plan rules to meet minimum frequency (daily) and retention (35 days)"
+        )
+    return ComplianceResult(
+        resource_id=backup_plan_id,
+        resource_type="AWS::Backup::BackupPlan",
+        compliance_status="COMPLIANT",
+        evaluation_reason="Backup plan meets frequency and retention requirements",
+        config_rule_name="backup-plan-min-frequency-and-min-retention-check",
+        region=region,
+        timestamp=datetime.now()
+    )
+def _meets_frequency_requirement(self, schedule_expression):
+    """Check if schedule expression meets minimum daily frequency."""
+    if not schedule_expression:
+        return False
+    # Check for rate expressions (e.g., "rate(1 day)")
+    if schedule_expression.startswith('rate('):
+        # Extract number and unit
+        match = re.match(r'rate\((\d+)\s+(hour|day|week)\)', schedule_expression)
+        if match:
+            value = int(match.group(1))
+            unit = match.group(2)
+            # Convert to hours for comparison
+            if unit == 'hour':
+                hours = value
+            elif unit == 'day':
+                hours = value * 24
+            elif unit == 'week':
+                hours = value * 24 * 7
+            # Must be at least daily (24 hours or less)
+            return hours <= 24
+    # Check for cron expressions (e.g., "cron(0 0 * * ? *)")
+    elif schedule_expression.startswith('cron('):
+        # Daily or more frequent cron patterns
+        # This is a simplified check - full cron parsing would be more complex
+        return True  # Assume cron expressions are configured appropriately
+    return False
+```
+### Backup Vault Access Policy Check
+Evaluates backup vault access policies to ensure they don't allow overly permissive access:
+```python
+def evaluate_backup_vault_policy(self, resource, aws_factory):
+    """Evaluate backup vault access policy for security."""
+    vault_name = resource['BackupVaultName']
+    vault_arn = resource['BackupVaultArn']
+    policy = resource.get('Policy')
+    region = resource['Region']
+    # If no policy, vault is secure by default
+    if not policy:
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="COMPLIANT",
+            evaluation_reason="Backup vault has no access policy (secure by default)",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now()
+        )
+    try:
+        # Parse policy JSON
+        policy_doc = json.loads(policy) if isinstance(policy, str) else policy
+        # Check for overly permissive principals
+        security_issues = []
+        for statement in policy_doc.get('Statement', []):
+            principal = statement.get('Principal', {})
+            effect = statement.get('Effect', '')
+            # Check for wildcard principals with Allow effect
+            if effect == 'Allow':
+                if principal == '*' or principal == {'AWS': '*'}:
+                    security_issues.append("Policy allows access from any principal (*)")
+                # Check for overly broad actions
+                actions = statement.get('Action', [])
+                if isinstance(actions, str):
+                    actions = [actions]
+                if 'backup:*' in actions or '*' in actions:
+                    security_issues.append("Policy allows all backup actions (*)")
+        if security_issues:
+            return ComplianceResult(
+                resource_id=vault_arn,
+                resource_type="AWS::Backup::BackupVault",
+                compliance_status="NON_COMPLIANT",
+                evaluation_reason=f"Backup vault policy has security issues: {'; '.join(security_issues)}",
+                config_rule_name="backup-vault-access-policy-check",
+                region=region,
+                timestamp=datetime.now(),
+                remediation_guidance="Update vault policy to restrict access to specific principals and actions"
+            )
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="COMPLIANT",
+            evaluation_reason="Backup vault policy follows security best practices",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now()
+        )
+    except (json.JSONDecodeError, KeyError) as e:
+        return ComplianceResult(
+            resource_id=vault_arn,
+            resource_type="AWS::Backup::BackupVault",
+            compliance_status="ERROR",
+            evaluation_reason=f"Failed to parse vault policy: {str(e)}",
+            config_rule_name="backup-vault-access-policy-check",
+            region=region,
+            timestamp=datetime.now(),
+            remediation_guidance="Verify vault policy is valid JSON"
+        )
+```
+### Backup Controls Integration
+The AWS Backup service-level controls complement the existing resource-specific backup controls:
+**Resource-Specific Controls** (existing):
+- `backup-recovery-point-encrypted`: Validates individual recovery points are encrypted
+- `backup-recovery-point-minimum-retention-check`: Checks retention of recovery points
+- `backup-recovery-point-manual-deletion-disabled`: Ensures manual deletion is disabled
+- And 9 other resource-specific backup controls
+**Service-Level Controls** (new):
+- `backup-plan-min-frequency-and-min-retention-check`: Validates backup plan policies
+- `backup-vault-access-policy-check`: Checks backup vault security
+This hybrid approach provides comprehensive backup coverage at both the service configuration level and individual resource level.

docs/cli-reference.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # CLI Reference
-Complete command-line interface reference for the AWS CIS Controls Compliance Assessment Framework - a production-ready enterprise solution with 136 implemented rules (131 CIS Controls + 5 bonus security enhancements).
+Complete command-line interface reference for the AWS CIS Controls Compliance Assessment Framework - a production-ready enterprise solution with 149 implemented rules (133 CIS Controls + 9 bonus security enhancements + 7 audit logging controls).
 ## Table of Contents

aws-cis-controls-assessment 1.0.9__py3-none-any.whl → 1.1.0__py3-none-any.whl

aws-cis-controls-assessment 1.0.9py3-none-any.whl → 1.1.0py3-none-any.whl