aws-cis-controls-assessment 1.0.9__py3-none-any.whl → 1.1.0__py3-none-any.whl

aws_cis_assessment/controls/ig2/control_aws_backup_ig2.py

@@ -0,0 +1,23 @@
+"""AWS Backup Service Controls for IG2 - Advanced backup infrastructure assessment.
+
+This module implements IG2-level AWS Backup service controls that assess
+advanced backup capabilities like vault lock, reporting, and restore testing.
+
+Controls:
+- backup-vault-lock-check: Verifies vault lock (ransomware protection)
+- backup-report-plan-exists-check: Validates backup compliance reporting
+- backup-restore-testing-plan-exists-check: Ensures backups are recoverable
+"""
+
+# Import the IG2 controls from the IG1 module since they're all in the same file
+from aws_cis_assessment.controls.ig1.control_aws_backup_service import (
+    BackupVaultLockCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+
+__all__ = [
+    'BackupVaultLockCheckAssessment',
+    'BackupReportPlanExistsCheckAssessment',
+    'BackupRestoreTestingPlanExistsCheckAssessment'
+]

aws_cis_assessment/core/assessment_engine.py

@@ -95,6 +95,11 @@ from aws_cis_assessment.controls.ig1.control_backup_recovery import (
     DBInstanceBackupEnabledAssessment, RedshiftBackupEnabledAssessment, DynamoDBPITREnabledAssessment,
     ElastiCacheRedisClusterAutomaticBackupCheckAssessment, S3BucketReplicationEnabledAssessment
 )
+from aws_cis_assessment.controls.ig1.control_aws_backup_service import (
+    BackupPlanMinFrequencyAndMinRetentionCheckAssessment,
+    BackupVaultAccessPolicyCheckAssessment,
+    BackupSelectionResourceCoverageCheckAssessment
+)
 from aws_cis_assessment.controls.ig1.control_s3_enhancements import (
     S3AccountLevelPublicAccessBlocksPeriodicAssessment, S3BucketPublicWriteProhibitedAssessment
 )
@@ -151,6 +156,36 @@ from aws_cis_assessment.controls.ig2.control_remaining_rules import (
     RedshiftEnhancedVPCRoutingEnabledAssessment, RestrictedCommonPortsAssessment,
     AuditLogPolicyExistsAssessment
 )
+from aws_cis_assessment.controls.ig2.control_aws_backup_ig2 import (
+    BackupVaultLockCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+from aws_cis_assessment.controls.ig2.control_8_audit_logging import (
+    Route53QueryLoggingAssessment,
+    ALBAccessLogsEnabledAssessment,
+    CloudFrontAccessLogsEnabledAssessment,
+    CloudWatchLogRetentionCheckAssessment,
+    CloudTrailInsightsEnabledAssessment,
+    ConfigRecordingAllResourcesAssessment,
+    WAFLoggingEnabledAssessment
+)
+from aws_cis_assessment.controls.ig2.control_4_5_6_access_configuration import (
+    IAMMaxSessionDurationCheckAssessment,
+    SecurityGroupDefaultRulesCheckAssessment,
+    VPCDnsResolutionEnabledAssessment,
+    RDSDefaultAdminCheckAssessment,
+    EC2InstanceProfileLeastPrivilegeAssessment,
+    IAMServiceAccountInventoryCheckAssessment,
+    IAMAdminPolicyAttachedToRoleCheckAssessment,
+    SSOEnabledCheckAssessment,
+    IAMUserNoInlinePoliciesAssessment,
+    IAMAccessAnalyzerEnabledAssessment,
+    IAMPermissionBoundariesCheckAssessment,
+    OrganizationsSCPEnabledCheckAssessment,
+    CognitoUserPoolMFAEnabledAssessment,
+    VPNConnectionMFAEnabledAssessment
+)
 from aws_cis_assessment.controls.ig3.control_3_14 import (
     APIGatewayExecutionLoggingEnabledAssessment, CloudTrailS3DataEventsEnabledAssessment,
     MultiRegionCloudTrailEnabledAssessment, CloudTrailCloudWatchLogsEnabledAssessment
@@ -412,6 +447,11 @@ class AssessmentEngine:
                 'elasticache-redis-cluster-automatic-backup-check': ElastiCacheRedisClusterAutomaticBackupCheckAssessment(),
                 's3-bucket-replication-enabled': S3BucketReplicationEnabledAssessment(),
                 
+                # AWS Backup Service Controls (IG1)
+                'backup-plan-min-frequency-and-min-retention-check': BackupPlanMinFrequencyAndMinRetentionCheckAssessment(),
+                'backup-vault-access-policy-check': BackupVaultAccessPolicyCheckAssessment(),
+                'backup-selection-resource-coverage-check': BackupSelectionResourceCoverageCheckAssessment(),
+                
                 # S3 Security Enhancements
                 's3-account-level-public-access-blocks-periodic': S3AccountLevelPublicAccessBlocksPeriodicAssessment(),
                 's3-bucket-public-write-prohibited': S3BucketPublicWriteProhibitedAssessment(),
@@ -488,6 +528,40 @@ class AssessmentEngine:
                 'redshift-enhanced-vpc-routing-enabled': RedshiftEnhancedVPCRoutingEnabledAssessment(),
                 'restricted-common-ports': RestrictedCommonPortsAssessment(),
                 'audit-log-policy-exists (Process check)': AuditLogPolicyExistsAssessment(),
+                
+                # AWS Backup Service Controls (IG2)
+                'backup-vault-lock-check': BackupVaultLockCheckAssessment(),
+                'backup-report-plan-exists-check': BackupReportPlanExistsCheckAssessment(),
+                'backup-restore-testing-plan-exists-check': BackupRestoreTestingPlanExistsCheckAssessment(),
+                
+                # Control 8.2 - Audit Log Management
+                'route53-query-logging-enabled': Route53QueryLoggingAssessment(),
+                'alb-access-logs-enabled': ALBAccessLogsEnabledAssessment(),
+                'cloudfront-access-logs-enabled': CloudFrontAccessLogsEnabledAssessment(),
+                'cloudwatch-log-retention-check': CloudWatchLogRetentionCheckAssessment(),
+                'cloudtrail-insights-enabled': CloudTrailInsightsEnabledAssessment(),
+                'config-recording-all-resources': ConfigRecordingAllResourcesAssessment(),
+                'waf-logging-enabled': WAFLoggingEnabledAssessment(),
+                
+                # Control 4 - Secure Configuration
+                'iam-max-session-duration-check': IAMMaxSessionDurationCheckAssessment(),
+                'security-group-default-rules-check': SecurityGroupDefaultRulesCheckAssessment(),
+                'vpc-dns-resolution-enabled': VPCDnsResolutionEnabledAssessment(),
+                'rds-default-admin-check': RDSDefaultAdminCheckAssessment(),
+                'ec2-instance-profile-least-privilege': EC2InstanceProfileLeastPrivilegeAssessment(),
+                
+                # Control 5 - Account Management
+                'iam-service-account-inventory-check': IAMServiceAccountInventoryCheckAssessment(),
+                'iam-admin-policy-attached-to-role-check': IAMAdminPolicyAttachedToRoleCheckAssessment(),
+                'sso-enabled-check': SSOEnabledCheckAssessment(),
+                'iam-user-no-inline-policies': IAMUserNoInlinePoliciesAssessment(),
+                
+                # Control 6 - Access Control Management
+                'iam-access-analyzer-enabled': IAMAccessAnalyzerEnabledAssessment(),
+                'iam-permission-boundaries-check': IAMPermissionBoundariesCheckAssessment(),
+                'organizations-scp-enabled-check': OrganizationsSCPEnabledCheckAssessment(),
+                'cognito-user-pool-mfa-enabled': CognitoUserPoolMFAEnabledAssessment(),
+                'vpn-connection-mfa-enabled': VPNConnectionMFAEnabledAssessment(),
             },
             'IG3': {
                 # Control 3.14 - Sensitive Data Logging

aws_cis_assessment/reporters/html_reporter.py

@@ -70,6 +70,7 @@ class HTMLReporter(ReportGenerator):
         """
         super().__init__(template_dir)
         self.include_charts = include_charts
+        self._control_titles_cache = {}  # Cache for control titles from YAML
         logger.info(f"Initialized HTMLReporter with charts={include_charts}")
     
     def generate_report(self, assessment_result: AssessmentResult, 
@@ -1117,7 +1118,97 @@ class HTMLReporter(ReportGenerator):
             text-decoration: underline;
         }
         
+        /* Remediation Section Styles */
+        .remediation {
+            margin-bottom: 40px;
+        }
+        
+        .remediation-list {
+            display: flex;
+            flex-direction: column;
+            gap: 20px;
+        }
+        
+        .remediation-item {
+            background: white;
+            border: 1px solid #e0e0e0;
+            border-radius: 8px;
+            padding: 20px;
+            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
+            transition: box-shadow 0.2s;
+        }
+        
+        .remediation-item:hover {
+            box-shadow: 0 4px 12px rgba(0,0,0,0.15);
+        }
+        
+        .remediation-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: flex-start;
+            margin-bottom: 15px;
+            padding-bottom: 15px;
+            border-bottom: 2px solid #f0f0f0;
+        }
+        
+        .remediation-header h4 {
+            margin: 0;
+            color: #2c3e50;
+            font-size: 1.1em;
+            flex: 1;
+        }
+        
+        .remediation-badges {
+            display: flex;
+            gap: 10px;
+            flex-shrink: 0;
+            margin-left: 15px;
+        }
+        
+        .remediation-content {
+            color: #555;
+        }
+        
+        .remediation-content h5 {
+            margin: 15px 0 10px 0;
+            color: #2c3e50;
+            font-size: 1em;
+        }
+        
+        .remediation-content ol {
+            margin: 10px 0;
+            padding-left: 25px;
+        }
+        
+        .remediation-content ol li {
+            margin: 8px 0;
+            line-height: 1.6;
+        }
+        
+        .remediation-content p {
+            margin: 15px 0 5px 0;
+        }
+        
+        .remediation-content a {
+            color: #3498db;
+            text-decoration: none;
+            font-weight: 500;
+        }
+        
+        .remediation-content a:hover {
+            text-decoration: underline;
+        }
+        
         @media (max-width: 768px) {
+            .remediation-header {
+                flex-direction: column;
+                gap: 10px;
+            }
+            
+            .remediation-badges {
+                margin-left: 0;
+            }
+            
             .comparison-grid {
                 grid-template-columns: 1fr;
             }
@@ -1331,13 +1422,51 @@ class HTMLReporter(ReportGenerator):
             }});
         }}
         
-        // Search functionality
+        // Search functionality for detailed findings
         function searchFindings(searchTerm) {{
-            const tables = document.querySelectorAll('.findings-table tbody tr');
-            tables.forEach(function(row) {{
-                const text = row.textContent.toLowerCase();
-                const matches = text.includes(searchTerm.toLowerCase());
-                row.style.display = matches ? '' : 'none';
+            const term = searchTerm.toLowerCase();
+            const controlSections = document.querySelectorAll('.collapsible-content');
+            
+            controlSections.forEach(function(section) {{
+                const rows = section.querySelectorAll('.findings-table tbody tr');
+                let visibleCount = 0;
+                
+                rows.forEach(function(row) {{
+                    const cells = row.querySelectorAll('td');
+                    if (cells.length === 0) return;
+                    
+                    // Search across: resource ID, resource type, region, evaluation reason, config rule name
+                    const resourceId = cells[0] ? cells[0].textContent.toLowerCase() : '';
+                    const resourceType = cells[1] ? cells[1].textContent.toLowerCase() : '';
+                    const region = cells[2] ? cells[2].textContent.toLowerCase() : '';
+                    const configRule = cells[4] ? cells[4].textContent.toLowerCase() : '';
+                    const evaluationReason = cells[5] ? cells[5].textContent.toLowerCase() : '';
+                    
+                    const matches = resourceId.includes(term) || 
+                                  resourceType.includes(term) ||
+                                  region.includes(term) ||
+                                  configRule.includes(term) ||
+                                  evaluationReason.includes(term);
+                    
+                    if (matches || term === '') {{
+                        row.style.display = '';
+                        visibleCount++;
+                    }} else {{
+                        row.style.display = 'none';
+                    }}
+                }});
+                
+                // Update the count in the collapsible button if it exists
+                const collapsibleBtn = section.previousElementSibling;
+                if (collapsibleBtn && collapsibleBtn.classList.contains('collapsible')) {{
+                    const originalText = collapsibleBtn.textContent.split('(')[0].trim();
+                    const totalCount = rows.length;
+                    if (term === '') {{
+                        collapsibleBtn.textContent = `${{originalText}} (${{totalCount}} findings)`;
+                    }} else {{
+                        collapsibleBtn.textContent = `${{originalText}} (${{visibleCount}} of ${{totalCount}} findings)`;
+                    }}
+                }}
             }});
         }}
         
@@ -1851,13 +1980,19 @@ class HTMLReporter(ReportGenerator):
             for step in remediation["remediation_steps"]:
                 steps_html += f"<li>{step}</li>"
             
+            # Normalize priority and effort text to proper capitalization
+            priority_text = remediation['priority'].capitalize()
+            effort_text = remediation['estimated_effort'].capitalize()
+            
             remediation_items += f"""
             <div class="remediation-item">
                 <div class="remediation-header">
-                    <h4>{remediation['control_id']} - {remediation['config_rule_name']}</h4>
+                    <div>
+                        <h4>{remediation['control_id']} - {remediation['config_rule_name']}</h4>
+                    </div>
                     <div class="remediation-badges">
-                        <span class="badge {remediation['priority_badge']}">{remediation['priority']}</span>
-                        <span class="badge {remediation['effort_badge']}">{remediation['estimated_effort']}</span>
+                        <span class="badge {remediation['priority_badge']}">{priority_text}</span>
+                        <span class="badge {remediation['effort_badge']}">{effort_text}</span>
                     </div>
                 </div>
                 <div class="remediation-content">
@@ -2168,17 +2303,7 @@ class HTMLReporter(ReportGenerator):
                 </div>
             </div>
             
-            <div class="methodology-note">
-                <strong>Which score should I use?</strong>
-                <ul>
-                    <li><strong>Weighted Score:</strong> Use for security decision-making, risk prioritization, and remediation planning</li>
-                    <li><strong>AWS Config Style:</strong> Use for compliance reporting, audits, and simple stakeholder communication</li>
-                    <li><strong>Both:</strong> Track both metrics for comprehensive security program management</li>
-                </ul>
-                <p>
-                    <a href="#" onclick="toggleScoringDetails(); return false;">Learn more about scoring methodologies →</a>
-                </p>
-            </div>
+
         </div>
         """
     
@@ -2615,47 +2740,84 @@ class HTMLReporter(ReportGenerator):
             options += f'<option value="{resource_type}">{resource_type}</option>'
         return options
     
+    def _load_control_titles(self) -> Dict[str, str]:
+        """Load control titles from YAML configuration files.
+        
+        Returns:
+            Dictionary mapping control IDs to their titles
+        """
+        if self._control_titles_cache:
+            return self._control_titles_cache
+        
+        from aws_cis_assessment.config.config_loader import ConfigRuleLoader
+        
+        try:
+            loader = ConfigRuleLoader()
+            all_controls = loader.get_all_controls()
+            
+            # Build a map of control_id -> title
+            # Since controls can appear in multiple IGs, we'll use the first title we find
+            for unique_key, control in all_controls.items():
+                control_id = control.control_id
+                if control_id not in self._control_titles_cache and control.title:
+                    self._control_titles_cache[control_id] = control.title
+            
+            logger.info(f"Loaded {len(self._control_titles_cache)} control titles from YAML")
+        except Exception as e:
+            logger.warning(f"Failed to load control titles from YAML: {e}")
+            self._control_titles_cache = {}
+        
+        return self._control_titles_cache
+    
     def _format_control_display_name(self, control_id: str, config_rule_name: str, title: Optional[str] = None) -> str:
-        """Format control display name combining ID, rule name, and optional title.
+        """Format control display name combining ID and title.
         
         Creates a human-readable display name that shows both the control identifier
-        and the AWS Config rule name, making it easier for users to understand what
-        each control checks without looking up documentation.
+        and the control title from the YAML configuration, making it easier for users 
+        to understand what each control is about without looking up documentation.
         
         Args:
             control_id: Control identifier (e.g., "1.5", "2.1")
             config_rule_name: AWS Config rule name (e.g., "root-account-hardware-mfa-enabled")
-            title: Optional human-readable title for the control
+            title: Optional human-readable title for the control (if not provided, loads from YAML)
             
         Returns:
             Formatted string for display in the following formats:
-            - With title: "{control_id}: {title} ({config_rule_name})"
+            - With title: "{control_id}: {title}"
             - Without title: "{control_id}: {config_rule_name}"
             - Fallback (no rule name): "{control_id}"
         
         Examples:
-            >>> _format_control_display_name("1.5", "root-account-hardware-mfa-enabled")
-            "1.5: root-account-hardware-mfa-enabled"
+            >>> _format_control_display_name("1.1", "eip-attached")
+            "1.1: Establish and Maintain Detailed Enterprise Asset Inventory"
             
-            >>> _format_control_display_name("2.1", "iam-password-policy", "IAM Password Policy")
-            "2.1: IAM Password Policy (iam-password-policy)"
+            >>> _format_control_display_name("3.3", "s3-bucket-ssl-requests-only")
+            "3.3: Configure Data Access Control Lists"
             
             >>> _format_control_display_name("3.1", "")
             "3.1"
         
         Notes:
-            - Gracefully handles missing config_rule_name by falling back to control_id only
+            - Loads control titles from YAML configuration files
+            - Gracefully handles missing titles by falling back to config_rule_name
             - Used in both Implementation Groups and Detailed Findings sections
             - Display names longer than 50 characters are truncated with tooltips
         """
-        if not config_rule_name:
-            # Fallback to control_id only if config_rule_name is missing
-            return control_id
+        # Load control titles from YAML if not already loaded
+        if not title:
+            control_titles = self._load_control_titles()
+            title = control_titles.get(control_id)
         
+        # If we have a title, use it
         if title:
-            return f"{control_id}: {title} ({config_rule_name})"
-        else:
+            return f"{control_id}: {title}"
+        
+        # Fallback to config_rule_name if no title
+        if config_rule_name:
             return f"{control_id}: {config_rule_name}"
+        
+        # Last resort: just the control_id
+        return control_id
     
     def _get_ig_badge_class(self, ig_name: str) -> str:
         """Get CSS class for IG badge styling.