aws-cis-controls-assessment 1.0.9__py3-none-any.whl → 1.1.0__py3-none-any.whl

{aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.9
+Version: 1.1.0
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -57,19 +57,22 @@ Dynamic: license-file
 
 # AWS CIS Controls Compliance Assessment Framework
 
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 131 implemented rules plus 5 bonus security enhancements.
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 163 implemented rules (131 CIS Controls + 32 bonus security enhancements).
 
 > **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
 
 ## 🎯 Key Features
 
-- **✅ Complete Coverage**: 131/131 CIS Controls rules implemented (100% coverage)
+- **✅ Complete Coverage**: 163 total rules implemented (131 CIS Controls + 32 bonus)
 - **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
+- **✅ Enhanced HTML Reports**: Control names, working search, improved remediation display
 - **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
-- **✅ Bonus Security Rules**: 5 additional security enhancements beyond CIS requirements
+- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
+- **✅ Audit Logging Controls**: 7 comprehensive audit log management controls (CIS Control 8)
+- **✅ Access & Configuration Controls**: 14 comprehensive identity, access, and secure configuration controls (CIS Controls 4, 5, 6)
 
 ## 🚀 Quick Start
 
@@ -88,7 +91,7 @@ pip install -e .
 ### Basic Usage
 
 ```bash
-# Run complete assessment (all 136 rules) - defaults to us-east-1
+# Run complete assessment (all 163 rules) - defaults to us-east-1
 aws-cis-assess assess --aws-profile my-aws-profile
 
 # Assess multiple regions
@@ -109,19 +112,19 @@ aws-cis-assess assess --output-format json
 
 ## 📊 Implementation Groups Coverage
 
-### IG1 - Essential Cyber Hygiene (93 Rules) ✅
+### IG1 - Essential Cyber Hygiene (96 Rules) ✅
 **100% Coverage Achieved**
 - Asset Inventory and Management (6 rules)
 - Identity and Access Management (15 rules)  
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (12 rules)
+- Backup and Recovery (17 rules) - **6 AWS Backup service controls (3 IG1 + 3 IG2)**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)
 
-### IG2 - Enhanced Security (+37 Rules) ✅  
+### IG2 - Enhanced Security (+74 Rules) ✅  
 **100% Coverage Achieved**
 - Advanced Encryption at Rest (6 rules)
 - Certificate Management (2 rules)
@@ -132,6 +135,11 @@ aws-cis-assess assess --output-format json
 - Network Segmentation (5 rules)
 - Auto-scaling Security (1 rule)
 - Enhanced Access Controls (8 rules)
+- AWS Backup Advanced Controls (3 rules) - **Vault lock, reporting, restore testing**
+- Audit Log Management (7 rules) - **Control 8 comprehensive logging coverage**
+- Secure Configuration (5 rules) - **Control 4: session duration, security groups, VPC DNS, RDS admin, EC2 least privilege**
+- Account Management (4 rules) - **Control 5: service account docs, admin policies, SSO, inline policies**
+- Access Control Management (5 rules) - **Control 6: Access Analyzer, permission boundaries, SCPs, Cognito MFA, VPN MFA**
 
 ### IG3 - Advanced Security (+1 Rule) ✅
 **100% Coverage Achieved**
@@ -139,19 +147,82 @@ aws-cis-assess assess --output-format json
 - Critical for preventing application-layer attacks
 - Required for high-security environments
 
-### Bonus Security Rules (+5 Rules) ✅
+### Bonus Security Rules (+32 Rules) ✅
 **Additional Value Beyond CIS Requirements**
 - Enhanced logging security (`cloudwatch-log-group-encrypted`)
 - Network security enhancement (`incoming-ssh-disabled`)
 - Data streaming encryption (`kinesis-stream-encrypted`)
 - Network access control (`restricted-incoming-traffic`)
 - Message queue encryption (`sqs-queue-encrypted-kms`)
+- Route 53 DNS query logging (`route53-query-logging-enabled`)
+- Plus 26 additional security enhancements
+- Application Load Balancer access logs (`alb-access-logs-enabled`)
+- CloudFront distribution access logs (`cloudfront-access-logs-enabled`)
+- WAF web ACL logging (`waf-logging-enabled`)
+
+### 🔍 CIS Control 8: Audit Log Management (13 Rules)
+**Comprehensive Audit Logging Coverage**
+
+Control 8 focuses on collecting, alerting, reviewing, and retaining audit logs of events that could help detect, understand, or recover from an attack. Our implementation provides comprehensive coverage across AWS services:
+
+**DNS Query Logging**
+- `route53-query-logging-enabled`: Validates Route 53 hosted zones have query logging enabled to track DNS queries for security investigations
+
+**Load Balancer & CDN Logging**
+- `alb-access-logs-enabled`: Ensures Application Load Balancers capture access logs for traffic analysis
+- `elb-logging-enabled`: Validates Classic Load Balancers have access logging enabled
+- `cloudfront-access-logs-enabled`: Ensures CloudFront distributions log content delivery requests
+
+**Log Retention & Management**
+- `cloudwatch-log-retention-check`: Validates log groups have appropriate retention periods (minimum 90 days)
+- `cw-loggroup-retention-period-check`: Additional log retention validation
+
+**CloudTrail Monitoring**
+- `cloudtrail-insights-enabled`: Enables anomaly detection for unusual API activity
+
+**Configuration Tracking**
+- `config-recording-all-resources`: Ensures AWS Config tracks all resource configuration changes
+
+**Application Security Logging**
+- `waf-logging-enabled`: Validates WAF web ACLs capture firewall events
+- `wafv2-logging-enabled`: Ensures WAFv2 web ACLs have logging enabled
+
+**Database & Service Logging**
+- `rds-logging-enabled`: Validates RDS instances have appropriate logging enabled
+- `elasticsearch-logs-to-cloudwatch`: Ensures Elasticsearch domains send logs to CloudWatch
+- `codebuild-project-logging-enabled`: Validates CodeBuild projects capture build logs
+- `redshift-cluster-configuration-check`: Ensures Redshift clusters have audit logging enabled
+
+### 🔐 CIS Controls 4, 5, 6: Access & Configuration Controls (14 Rules)
+**Comprehensive Identity, Access Management, and Secure Configuration Coverage**
+
+These controls focus on secure configuration of enterprise assets, account management, and access control management. Our implementation provides comprehensive coverage across AWS IAM, networking, and identity services:
+
+**Control 4 - Secure Configuration (5 rules)**
+- `iam-max-session-duration-check`: Validates IAM role session duration does not exceed 12 hours to limit credential exposure
+- `security-group-default-rules-check`: Ensures default security groups have no inbound or outbound rules to prevent unintended access
+- `vpc-dns-resolution-enabled`: Validates VPC DNS settings (enableDnsHostnames and enableDnsSupport) are properly configured
+- `rds-default-admin-check`: Ensures RDS instances don't use default admin usernames (postgres, admin, root, mysql, administrator)
+- `ec2-instance-profile-least-privilege`: Validates EC2 instance profile permissions follow least privilege principles
+
+**Control 5 - Account Management (4 rules)**
+- `iam-service-account-inventory-check`: Validates service accounts have required documentation tags (Purpose, Owner, LastReviewed)
+- `iam-admin-policy-attached-to-role-check`: Ensures administrative policies are attached to roles, not directly to users
+- `sso-enabled-check`: Validates AWS IAM Identity Center is configured and enabled for centralized identity management
+- `iam-user-no-inline-policies`: Ensures IAM users don't have inline policies (only managed policies or group memberships)
+
+**Control 6 - Access Control Management (5 rules)**
+- `iam-access-analyzer-enabled`: Validates IAM Access Analyzer is enabled in all active regions for external access detection
+- `iam-permission-boundaries-check`: Ensures permission boundaries are configured for roles with elevated privileges
+- `organizations-scp-enabled-check`: Validates AWS Organizations Service Control Policies are enabled and in use
+- `cognito-user-pool-mfa-enabled`: Ensures Cognito user pools have MFA enabled for enhanced authentication security
+- `vpn-connection-mfa-enabled`: Validates Client VPN endpoints require MFA authentication
 
 ## 🏗️ Production Architecture
 
 ### Core Components
 - **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 136 individual rule implementations with robust error handling
+- **Control Assessments**: 149 individual rule implementations with robust error handling
 - **Scoring Engine**: Calculates compliance scores and generates executive metrics
 - **Reporting System**: Multi-format output with detailed remediation guidance
 - **Resource Management**: Optimized for enterprise-scale deployments with memory management
@@ -247,7 +318,87 @@ MIT License - see [LICENSE](LICENSE) file for details.
 
 ---
 
-**Framework Version**: 1.0.0+  
-**CIS Controls Coverage**: 131/131 rules (100%) + 5 bonus rules  
+**Framework Version**: 1.1.0 (in development)  
+**CIS Controls Coverage**: 151/151 rules (100%) + 9 bonus rules  
 **Production Status**: ✅ Ready for immediate enterprise deployment  
 **Last Updated**: January 2026
+
+## 🆕 What's New in Version 1.1.0
+
+### Access & Configuration Controls (CIS Controls 4, 5, 6)
+Fourteen new controls added to assess identity, access management, and secure configuration:
+
+**Control 4 - Secure Configuration (5 rules)**:
+1. **iam-max-session-duration-check** - Validates IAM role session duration does not exceed 12 hours
+   - Ensures temporary credentials have limited exposure window
+   - Checks MaxSessionDuration property on all IAM roles
+   - Compliant if session duration ≤ 43200 seconds (12 hours)
+
+2. **security-group-default-rules-check** - Ensures default security groups have no rules
+   - Validates default security groups are restricted (no inbound/outbound rules)
+   - Prevents unintended access through default security groups
+   - Encourages use of custom security groups with explicit rules
+
+3. **vpc-dns-resolution-enabled** - Validates VPC DNS configuration
+   - Checks both enableDnsHostnames and enableDnsSupport are enabled
+   - Ensures proper DNS resolution within VPCs
+   - Required for many AWS services to function correctly
+
+4. **rds-default-admin-check** - Ensures RDS instances don't use default admin usernames
+   - Detects default usernames: postgres, admin, root, mysql, administrator, sa
+   - Case-insensitive detection
+   - Reduces risk of credential guessing attacks
+
+5. **ec2-instance-profile-least-privilege** - Validates EC2 instance profile permissions
+   - Checks for overly permissive policies (AdministratorAccess, PowerUserAccess)
+   - Detects wildcard permissions (Action: "*", Resource: "*")
+   - Ensures least privilege principle for EC2 workloads
+
+**Control 5 - Account Management (4 rules)**:
+6. **iam-service-account-inventory-check** - Validates service account documentation
+   - Ensures service accounts have required tags: Purpose, Owner, LastReviewed
+   - Identifies service accounts by naming convention or tags
+   - Supports compliance and access review processes
+
+7. **iam-admin-policy-attached-to-role-check** - Ensures admin policies on roles, not users
+   - Detects administrative policies attached directly to IAM users
+   - Encourages role-based access with temporary credentials
+   - Improves audit trail and access management
+
+8. **sso-enabled-check** - Validates AWS IAM Identity Center (SSO) is configured
+   - Checks for SSO instance existence
+   - Encourages centralized identity management
+   - Supports integration with corporate identity providers
+
+9. **iam-user-no-inline-policies** - Ensures IAM users don't have inline policies
+   - Detects inline policies attached to users
+   - Encourages use of managed policies for reusability
+   - Simplifies policy management and auditing
+
+**Control 6 - Access Control Management (5 rules)**:
+10. **iam-access-analyzer-enabled** - Validates Access Analyzer in all regions
+    - Ensures IAM Access Analyzer is enabled regionally
+    - Detects resources shared with external entities
+    - Provides continuous monitoring for unintended access
+
+11. **iam-permission-boundaries-check** - Validates permission boundaries for elevated roles
+    - Identifies roles with elevated privileges
+    - Checks for permission boundary configuration
+    - Prevents privilege escalation in delegated administration
+
+12. **organizations-scp-enabled-check** - Validates Service Control Policies are in use
+    - Checks account is part of AWS Organizations
+    - Verifies SCPs are enabled (FeatureSet includes ALL)
+    - Ensures custom SCPs exist beyond default FullAWSAccess
+
+13. **cognito-user-pool-mfa-enabled** - Ensures Cognito user pools have MFA
+    - Validates MfaConfiguration is 'ON' or 'OPTIONAL'
+    - Supports both SMS and TOTP authentication methods
+    - Enhances authentication security for applications
+
+14. **vpn-connection-mfa-enabled** - Validates Client VPN endpoints require MFA
+    - Checks VPN authentication options for MFA requirement
+    - Supports Active Directory, SAML, and certificate-based MFA
+    - Ensures secure remote access to AWS resources
+
+These controls complement the existing audit logging and backup controls by providing comprehensive coverage of identity, access management, and secure configuration practices. Total rules: 163 (149 previous + 14 new). See [Config Rule Mappings](docs/config-rule-mappings.md) for detailed documentation.

{aws_cis_controls_assessment-1.0.9.dist-info → aws_cis_controls_assessment-1.1.0.dist-info}/RECORD

@@ -1,16 +1,16 @@
-aws_cis_assessment/__init__.py,sha256=EO4JEYzH1KqBsVY47ECD1ctR40yddm7WEfZRGfctQf8,480
+aws_cis_assessment/__init__.py,sha256=9OlnlIo1cWbCTuav3NJ9LOgo_ixBbsyKL75BIw2kjoM,480
 aws_cis_assessment/cli/__init__.py,sha256=DYaGVAIoy5ucs9ubKQxX6Z3ZD46AGz9AaIaDQXzrzeY,100
 aws_cis_assessment/cli/examples.py,sha256=F9K2Fe297kUfwoq6Ine9Aj_IXNU-KwO9hd7SAPWeZHI,12884
 aws_cis_assessment/cli/main.py,sha256=i5QoqHXsPG_Kw0W7jM3Zj2YaAaCJnxxnfz82QBBHq-U,49441
 aws_cis_assessment/cli/utils.py,sha256=ufdsifIPIE9HKVZAvFXfeJgEk_aAmz01tDrEukVyL0g,9783
 aws_cis_assessment/config/__init__.py,sha256=aSQyaKGEQ7WgldC8IocY-YK7nduzfgjI6EuDE4Xti6s,77
 aws_cis_assessment/config/config_loader.py,sha256=Wk6gfblj8RWU5QctHjPu5tTJMIb8lbEW3Ic9z-se4uQ,13165
-aws_cis_assessment/config/rules/cis_controls_ig1.yaml,sha256=_fzD09kHEeriBmNp-6GPsuZZFFfoY4d-OiNexM8mbGA,28310
-aws_cis_assessment/config/rules/cis_controls_ig2.yaml,sha256=sMQXkLWFgpbVhfrjvGwwWnOj-5TKu-wTQPnOWveARns,18464
+aws_cis_assessment/config/rules/cis_controls_ig1.yaml,sha256=keJ9QeRRKOzc8OVcSPthbFG6HP2VyZLZVFByjjUKQuQ,32388
+aws_cis_assessment/config/rules/cis_controls_ig2.yaml,sha256=kX4h-TFmaohNPhhFBrzHBZkitgG_kaRb2-XW_AJwnR0,48820
 aws_cis_assessment/config/rules/cis_controls_ig3.yaml,sha256=YSghyCmwKF5UNZXdQQQNsaidQ95VDUgnwvh4jsV6kQU,4347
 aws_cis_assessment/controls/__init__.py,sha256=oVTM94UAt0Vu7Hy-V84p6LAxZHORs-RRAj9j86r_730,72
 aws_cis_assessment/controls/base_control.py,sha256=DpjRrYdz3FzpuU_WtbvtqUBRgEoMW7Qgah-iD5Y_HJI,17227
-aws_cis_assessment/controls/ig1/__init__.py,sha256=fbBhuwDcekiSJJ5hCm4W76Rb66QDhGj7NRtTSU8ZamE,7748
+aws_cis_assessment/controls/ig1/__init__.py,sha256=hV_Amiwd-6wcrQcSp8O_gTaqujiPkZ0BY20DdboTfkc,8411
 aws_cis_assessment/controls/ig1/control_1_1.py,sha256=MwxaFCayJmFrBeGrVyTcLUksrPqRHId76m2Du1Vuk4I,28070
 aws_cis_assessment/controls/ig1/control_2_2.py,sha256=yPp4aGGGzroAFqoTSaujjALSPq4jPxcaDiDIhwC11P0,11504
 aws_cis_assessment/controls/ig1/control_3_3.py,sha256=f4ZuiMR6qSXCmVwP3OflEeZn48qpzQqq0XfjZgbq3Go,35668
@@ -18,6 +18,7 @@ aws_cis_assessment/controls/ig1/control_3_4.py,sha256=Flw_cA8_Qxv8zuIbOWv6JAYUdj
 aws_cis_assessment/controls/ig1/control_4_1.py,sha256=-lIoa0XRGwiRdtG9L9f00Wud525FZbv3961bXMuiQIE,22362
 aws_cis_assessment/controls/ig1/control_access_keys.py,sha256=Hj3G0Qpwa2EcJE-u49nvADjbESZh9YClElfP4dWYQfk,14424
 aws_cis_assessment/controls/ig1/control_advanced_security.py,sha256=PNtPfqSKGu7UYDx6PccO8tVT5ZL6YmzeH45Cew_UjLM,24256
+aws_cis_assessment/controls/ig1/control_aws_backup_service.py,sha256=_bUc6x7jXhav0Cm5jfX0_tk1UOa8qoso2ND1-6xsPtI,54651
 aws_cis_assessment/controls/ig1/control_backup_recovery.py,sha256=Y5za_4lCZmA5MYhHp4OCGyL4z97cj6dbO0KfabQ5Hr0,21465
 aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py,sha256=lQOjshW8BBymvzphtWuwg4wIyv6nH2mOSiogBe_Ejfo,8514
 aws_cis_assessment/controls/ig1/control_critical_security.py,sha256=1MVMkfOAWcH5ppFv7psZvJvcOtpww6Pl5WFXrMyN158,20942
@@ -31,11 +32,14 @@ aws_cis_assessment/controls/ig1/control_network_security.py,sha256=DyaXzpMuZ5Ba9
 aws_cis_assessment/controls/ig1/control_s3_enhancements.py,sha256=uP0Ko6cjTvmpg47vNtdaFgdjVPMS6Yjww-WZQIzvk8o,7759
 aws_cis_assessment/controls/ig1/control_s3_security.py,sha256=8vt2rnNPdgQrvO5Ds3yV74mQ7qkF0f_LpKqQLjg0AQc,18308
 aws_cis_assessment/controls/ig1/control_vpc_security.py,sha256=RCtBUozvdIPrXKFU0ssxjBF6A9l_HMcAbRv0K87Bbhc,10639
-aws_cis_assessment/controls/ig2/__init__.py,sha256=mMOtjYH_CcH-ioswgVLse4XOh-i_-TDoLenJbSxiuFQ,5985
+aws_cis_assessment/controls/ig2/__init__.py,sha256=xJyhtNpaLfQ2nljPnREY3pltMcrDJJ2WsIxO8sJop74,8613
 aws_cis_assessment/controls/ig2/control_3_10.py,sha256=xv2F85SB1Jd5g7HWZzrqGntTH3az8BbCcZLlDV2Di7g,33762
 aws_cis_assessment/controls/ig2/control_3_11.py,sha256=Xrn1PRWQp3kK3won-AieUMIweEPQAF3Sb4OcFsUTj2A,65245
+aws_cis_assessment/controls/ig2/control_4_5_6_access_configuration.py,sha256=BukLazjKsSzy49KjV2ajLMALUk0ygz5T7tyk3QtAe08,120785
 aws_cis_assessment/controls/ig2/control_5_2.py,sha256=5-3eHaltXP_UiMTlk3pLv4VafzBf41Vjh_8DpWfhqrw,19060
+aws_cis_assessment/controls/ig2/control_8_audit_logging.py,sha256=OWPl1Xf3lGct6smclHl931CRzgVFXpGkWdqjbT8oHZg,44934
 aws_cis_assessment/controls/ig2/control_advanced_encryption.py,sha256=S3wU0f46FIc8e50fd4zvyrLe8J5j9Ryb94he32XWVdQ,14201
+aws_cis_assessment/controls/ig2/control_aws_backup_ig2.py,sha256=FApHDPLQFDvfyvCClbdQC-9ap6I6wpW1d6D85bvHmMQ,907
 aws_cis_assessment/controls/ig2/control_codebuild_security.py,sha256=k2f8Xh6l09o1rb3B_J412qDsHI_Y8to3Ap8FbTGQ05g,11517
 aws_cis_assessment/controls/ig2/control_encryption_rest.py,sha256=EQ2wK1uz9LWpZiep_kMB4zccg9keh0XMiy44fIKt49Q,18002
 aws_cis_assessment/controls/ig2/control_encryption_transit.py,sha256=g9BOuA9ovTDT2WZ18k0i4YiZoz_Fsovihth4Kd4rE9k,18801
@@ -50,7 +54,7 @@ aws_cis_assessment/controls/ig3/control_3_14.py,sha256=fY2MZATcicuP1Zich5L7J6-MM
 aws_cis_assessment/controls/ig3/control_7_1.py,sha256=GZQt0skGJVlUbGoH4MD5AoJJONf0nT9k7WQT-8F3le4,18499
 aws_cis_assessment/core/__init__.py,sha256=aXt5Z3mqaaDvFyZPyMaJYFy66A_phfFIhhH_eyaic8Q,52
 aws_cis_assessment/core/accuracy_validator.py,sha256=jnN2O32PpdDfWAp6erV4v4zKugC9ziJkDYnVF93FVuY,18386
-aws_cis_assessment/core/assessment_engine.py,sha256=-dxww7Qp-dww3pUmyLOBAt44U2CrcP_8WmhjFrJ8sMw,62509
+aws_cis_assessment/core/assessment_engine.py,sha256=I__VAJ93m3KWrIpexgF4_FpuSvH2fNM_tq8eaUNTJv4,66807
 aws_cis_assessment/core/audit_trail.py,sha256=qapCkI2zjbAPHlHQcgYonfDYyjU2MoX5Sc2IXtYj3eE,18395
 aws_cis_assessment/core/aws_client_factory.py,sha256=1qTLfQ3fgPBH3mWRpX1_i3bbHlQQYsmSE8vsKxKTz8w,13143
 aws_cis_assessment/core/error_handler.py,sha256=5JgH3Y2yG1-ZSuEJR7o0ZMzqlwGWFRW2N4SjcL2gnBw,24219
@@ -59,24 +63,25 @@ aws_cis_assessment/core/scoring_engine.py,sha256=ylx2urk_DxGzU_LZB0ip-qtUzOh4yu0
 aws_cis_assessment/reporters/__init__.py,sha256=GXdlY08kKy1Y3mMBv8Y0JuUB69u--e5DIu2jNJpc6QI,357
 aws_cis_assessment/reporters/base_reporter.py,sha256=joy_O4IL4Hs_qwAuPtl81GIPxLAbUAMFKiF8r5si2aw,18082
 aws_cis_assessment/reporters/csv_reporter.py,sha256=r83xzfP1t5AO9MfKawgN4eTeOU6eGZwJQgvNDLEd7NI,31419
-aws_cis_assessment/reporters/html_reporter.py,sha256=i5HBLAjZB1TKAUrc6X7-Qbzr7QTQOwLplDu-ZnDzTUs,113444
+aws_cis_assessment/reporters/html_reporter.py,sha256=vnTP831t4I1G763ZmWqtvoKXzecJOVxnH8q_DRD--qs,118917
 aws_cis_assessment/reporters/json_reporter.py,sha256=MObCzTc9nlGTEXeWc7P8tTMeKCpEaJNfcSYc79cHXhc,22250
-aws_cis_controls_assessment-1.0.9.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
+aws_cis_controls_assessment-1.1.0.dist-info/licenses/LICENSE,sha256=T_p0qKH4RoI3ejr3tktf3rx2Zart_9KeUmJd5iiqXW8,1079
 deprecation-package/aws_cis_assessment_deprecated/__init__.py,sha256=WOaufqanKNhvWQ3frj8e627tS_kZnyk2R2hwqPFqydw,1892
-docs/README.md,sha256=8UaAzc2pI1nhMFf_pGSFAf0UfeaM1MXw9X93IrN-z5A,4264
-docs/assessment-logic.md,sha256=7t1YPkLPI3-MpvF3cLpO4x4LeNMfM950-es4vn0W4Zc,27123
-docs/cli-reference.md,sha256=zyTacw3neOJ2lQmq8E7WPJUDGMIDgUzQCqutu0lJ3SY,17854
-docs/config-rule-mappings.md,sha256=Jk31ZqnSn1JAR3iXHlhGnVxVpPukVuCZtK4H58j08Nk,18508
-docs/developer-guide.md,sha256=uC0DvgmBoOQ2LnBNManTe_rdOccvjWbzvqd93huO4jE,31026
+docs/README.md,sha256=MXnfbPRmxir-7ihG2lNmLI9TJG0Pp0QWqoDZtXiH_Mk,4912
+docs/adding-aws-backup-controls.md,sha256=l_H0H8W71n-6NbeplNujC_li2NiaQcYPr0hQMhEPbrc,21081
+docs/assessment-logic.md,sha256=necuK7Ufk7zusuoGq5FKjOv0Z6Ih6s4m-yfLaJCfRto,38908
+docs/cli-reference.md,sha256=wrifE4XDYt-sN8s4KD86IWgX5FjtXIzM3mTe1me7QsM,17881
+docs/config-rule-mappings.md,sha256=rdsRavSQHFicsjizgs07WKAhOXddspKsb3zdUgKDmp0,41407
+docs/developer-guide.md,sha256=SqT2VEwDyIcLRcIn9BmM5J-V0qN9ctPa2JZ6wxvnqvo,43935
 docs/dual-scoring-implementation.md,sha256=n8xwurAAx4iOyCeITE9Anvz6W6YupejVYWt6ARtmmTY,8567
 docs/html-report-improvements.md,sha256=a0OzKvQC_KpcielntTHXMPObwulfWIDgBKnF66iaxp4,11432
-docs/installation.md,sha256=y_CQE44yE3ENeAcBANonJUqsl9pLQsGOX92tui-t2OU,9576
+docs/installation.md,sha256=GAyHN3LseuN2dRogemnwGaDo-Udp0V23KUd_m-9SrJQ,9576
 docs/scoring-comparison-aws-config.md,sha256=8BBe1tQsaAT0BAE3OdGIRFjuT1VJcOlM1qBWFmZKaIo,11801
 docs/scoring-methodology.md,sha256=C86FisBxKt6pyr-Kp6rAVPz45yPZpgsGibjgq8obIsg,9404
-docs/troubleshooting.md,sha256=JcYw6qS9G9YsM0MxxxZUGfPZmmZBxDYTV8tAIK0Sa2U,13175
-docs/user-guide.md,sha256=4azuL1RWewtA2wRH0ejHkCvVKV3dBfyRJ28THahlmaA,10352
-aws_cis_controls_assessment-1.0.9.dist-info/METADATA,sha256=UjpUaAlo77AoGVHC8-okG5bo5DlWjwR7boXomQsPrKk,11809
-aws_cis_controls_assessment-1.0.9.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-aws_cis_controls_assessment-1.0.9.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
-aws_cis_controls_assessment-1.0.9.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
-aws_cis_controls_assessment-1.0.9.dist-info/RECORD,,
+docs/troubleshooting.md,sha256=mGmWgrc3A1dn-Uk_XxWFh04OQxjmqkeax8vQX7takg0,18220
+docs/user-guide.md,sha256=lBDgU40tIPstOdNx4YqVkPTIDntn4o2y2tr2CPQt7b8,11942
+aws_cis_controls_assessment-1.1.0.dist-info/METADATA,sha256=OlnrvuCgBP2cPn7l8YQjw2TCf4d715qpQ8C8gyX8GcY,21383
+aws_cis_controls_assessment-1.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+aws_cis_controls_assessment-1.1.0.dist-info/entry_points.txt,sha256=-AxPn5Y7yau0pQh33F5_uyWfvcnm2Kg1_nMQuLrZ7SY,68
+aws_cis_controls_assessment-1.1.0.dist-info/top_level.txt,sha256=4OHmV6RAEWkz-Se50kfmuGCd-mUSotDZz3iLGF9CmkI,44
+aws_cis_controls_assessment-1.1.0.dist-info/RECORD,,

docs/README.md

@@ -2,6 +2,15 @@
 
 Welcome to the comprehensive documentation for the AWS CIS Controls Compliance Assessment Framework. This production-ready, enterprise-grade framework evaluates AWS account security posture against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications without requiring AWS Config to be enabled.
 
+## 🆕 Latest Updates (Version 1.0.10)
+
+### New AWS Backup Service Controls
+Two new controls added to assess AWS Backup infrastructure security:
+- **backup-plan-min-frequency-and-min-retention-check** - Validates backup plan policies
+- **backup-vault-access-policy-check** - Ensures backup vault security
+
+See the [AWS Backup Controls Guide](adding-aws-backup-controls.md) for detailed documentation.
+
 ## Documentation Structure
 
 ### User Documentation
@@ -15,6 +24,7 @@ Welcome to the comprehensive documentation for the AWS CIS Controls Compliance A
 - **[Assessment Logic](assessment-logic.md)** - Detailed assessment logic documentation
 - **[Config Rule Mappings](config-rule-mappings.md)** - Complete mapping of CIS Controls to AWS Config rules
 - **[HTML Report Improvements](html-report-improvements.md)** - Enhanced HTML report features and customization
+- **[AWS Backup Controls Guide](adding-aws-backup-controls.md)** - **NEW:** Comprehensive guide for AWS Backup service controls
 
 ## Quick Start
 
@@ -25,16 +35,17 @@ Welcome to the comprehensive documentation for the AWS CIS Controls Compliance A
 
 ## Key Features
 
-- **✅ Complete Coverage**: 136 AWS Config rules (131 CIS Controls + 5 bonus security rules)
+- **✅ Complete Coverage**: 138 AWS Config rules (133 CIS Controls + 5 bonus security rules)
 - **✅ Production Ready**: Enterprise-tested with comprehensive error handling
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multiple Output Formats**: JSON, HTML, and CSV reports with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
 - **✅ Enterprise Architecture**: Scalable, maintainable framework with audit trails
+- **✅ AWS Backup Controls**: Comprehensive backup infrastructure assessment
 
 ## Implementation Groups Overview
 
-### IG1 - Essential Cyber Hygiene (93 Config Rules) ✅
+### IG1 - Essential Cyber Hygiene (95 Config Rules) ✅
 **100% Coverage Achieved**
 Foundational safeguards for all enterprises:
 - Asset Inventory and Management (6 rules)
@@ -42,7 +53,7 @@ Foundational safeguards for all enterprises:
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (12 rules)
+- Backup and Recovery (14 rules) - **NEW: AWS Backup service controls**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)