aws-cis-controls-assessment 1.0.9__tar.gz → 1.0.10__tar.gz

{aws_cis_controls_assessment-1.0.9/aws_cis_controls_assessment.egg-info → aws_cis_controls_assessment-1.0.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.0.9
+Version: 1.0.10
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>
@@ -57,19 +57,20 @@ Dynamic: license-file
 
 # AWS CIS Controls Compliance Assessment Framework
 
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 131 implemented rules plus 5 bonus security enhancements.
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 133 implemented rules plus 5 bonus security enhancements.
 
 > **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
 
 ## 🎯 Key Features
 
-- **✅ Complete Coverage**: 131/131 CIS Controls rules implemented (100% coverage)
+- **✅ Complete Coverage**: 137/137 CIS Controls rules implemented (100% coverage)
 - **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
 - **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
 - **✅ Bonus Security Rules**: 5 additional security enhancements beyond CIS requirements
+- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
 
 ## 🚀 Quick Start
 
@@ -88,7 +89,7 @@ pip install -e .
 ### Basic Usage
 
 ```bash
-# Run complete assessment (all 136 rules) - defaults to us-east-1
+# Run complete assessment (all 142 rules) - defaults to us-east-1
 aws-cis-assess assess --aws-profile my-aws-profile
 
 # Assess multiple regions
@@ -109,19 +110,19 @@ aws-cis-assess assess --output-format json
 
 ## 📊 Implementation Groups Coverage
 
-### IG1 - Essential Cyber Hygiene (93 Rules) ✅
+### IG1 - Essential Cyber Hygiene (96 Rules) ✅
 **100% Coverage Achieved**
 - Asset Inventory and Management (6 rules)
 - Identity and Access Management (15 rules)  
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (12 rules)
+- Backup and Recovery (17 rules) - **NEW: 6 AWS Backup service controls added (3 IG1 + 3 IG2)**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)
 
-### IG2 - Enhanced Security (+37 Rules) ✅  
+### IG2 - Enhanced Security (+40 Rules) ✅  
 **100% Coverage Achieved**
 - Advanced Encryption at Rest (6 rules)
 - Certificate Management (2 rules)
@@ -132,6 +133,7 @@ aws-cis-assess assess --output-format json
 - Network Segmentation (5 rules)
 - Auto-scaling Security (1 rule)
 - Enhanced Access Controls (8 rules)
+- AWS Backup Advanced Controls (3 rules) - **NEW: Vault lock, reporting, restore testing**
 
 ### IG3 - Advanced Security (+1 Rule) ✅
 **100% Coverage Achieved**
@@ -151,7 +153,7 @@ aws-cis-assess assess --output-format json
 
 ### Core Components
 - **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 136 individual rule implementations with robust error handling
+- **Control Assessments**: 138 individual rule implementations with robust error handling
 - **Scoring Engine**: Calculates compliance scores and generates executive metrics
 - **Reporting System**: Multi-format output with detailed remediation guidance
 - **Resource Management**: Optimized for enterprise-scale deployments with memory management
@@ -247,7 +249,48 @@ MIT License - see [LICENSE](LICENSE) file for details.
 
 ---
 
-**Framework Version**: 1.0.0+  
-**CIS Controls Coverage**: 131/131 rules (100%) + 5 bonus rules  
+**Framework Version**: 1.0.10 (in development)  
+**CIS Controls Coverage**: 137/137 rules (100%) + 5 bonus rules  
 **Production Status**: ✅ Ready for immediate enterprise deployment  
 **Last Updated**: January 2026
+
+## 🆕 What's New in Version 1.0.10
+
+### AWS Backup Service Controls
+Six new controls added to assess AWS Backup infrastructure:
+
+**IG1 Controls (3)**:
+1. **backup-plan-min-frequency-and-min-retention-check** - Validates backup plans have appropriate frequency and retention policies
+   - Ensures backup plans have at least one rule defined
+   - Validates schedule expressions (cron or rate)
+   - Checks retention periods meet minimum requirements (default: 7 days)
+   - Validates lifecycle policies for cold storage transitions
+
+2. **backup-vault-access-policy-check** - Ensures backup vaults have secure access policies
+   - Detects publicly accessible backup vaults
+   - Identifies overly permissive access policies
+   - Warns about dangerous permissions (DeleteBackupVault, DeleteRecoveryPoint)
+   - Validates principle of least privilege
+
+3. **backup-selection-resource-coverage-check** - Validates backup plans cover critical resources
+   - Ensures backup plans have at least one selection
+   - Validates selections target specific resources or use tags
+   - Checks that selections are not empty
+
+**IG2 Controls (3)**:
+4. **backup-vault-lock-check** - Verifies vault lock for ransomware protection
+   - Ensures critical vaults have Vault Lock enabled
+   - Validates immutable backup configuration (WORM)
+   - Checks minimum and maximum retention periods
+
+5. **backup-report-plan-exists-check** - Validates backup compliance reporting
+   - Ensures at least one report plan exists
+   - Validates report delivery configuration
+   - Checks for active report generation
+
+6. **backup-restore-testing-plan-exists-check** - Ensures backups are recoverable
+   - Validates restore testing plans exist
+   - Checks testing schedules are configured
+   - Ensures backups are actually tested for recoverability
+
+These controls complement the existing 12 resource-specific backup controls by assessing the centralized AWS Backup service infrastructure itself. Total backup controls: 17 (12 resource-specific + 5 service-level). See [AWS Backup Controls Guide](docs/adding-aws-backup-controls.md) for detailed documentation.

{aws_cis_controls_assessment-1.0.9 → aws_cis_controls_assessment-1.0.10}/README.md

@@ -1,18 +1,19 @@
 # AWS CIS Controls Compliance Assessment Framework
 
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 131 implemented rules plus 5 bonus security enhancements.
+A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 133 implemented rules plus 5 bonus security enhancements.
 
 > **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
 
 ## 🎯 Key Features
 
-- **✅ Complete Coverage**: 131/131 CIS Controls rules implemented (100% coverage)
+- **✅ Complete Coverage**: 137/137 CIS Controls rules implemented (100% coverage)
 - **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
 - **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
 - **✅ Performance Optimized**: Handles large-scale assessments efficiently
 - **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
 - **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
 - **✅ Bonus Security Rules**: 5 additional security enhancements beyond CIS requirements
+- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
 
 ## 🚀 Quick Start
 
@@ -31,7 +32,7 @@ pip install -e .
 ### Basic Usage
 
 ```bash
-# Run complete assessment (all 136 rules) - defaults to us-east-1
+# Run complete assessment (all 142 rules) - defaults to us-east-1
 aws-cis-assess assess --aws-profile my-aws-profile
 
 # Assess multiple regions
@@ -52,19 +53,19 @@ aws-cis-assess assess --output-format json
 
 ## 📊 Implementation Groups Coverage
 
-### IG1 - Essential Cyber Hygiene (93 Rules) ✅
+### IG1 - Essential Cyber Hygiene (96 Rules) ✅
 **100% Coverage Achieved**
 - Asset Inventory and Management (6 rules)
 - Identity and Access Management (15 rules)  
 - Data Protection and Encryption (8 rules)
 - Network Security Controls (20 rules)
 - Logging and Monitoring (13 rules)
-- Backup and Recovery (12 rules)
+- Backup and Recovery (17 rules) - **NEW: 6 AWS Backup service controls added (3 IG1 + 3 IG2)**
 - Security Services Integration (5 rules)
 - Configuration Management (9 rules)
 - Vulnerability Management (5 rules)
 
-### IG2 - Enhanced Security (+37 Rules) ✅  
+### IG2 - Enhanced Security (+40 Rules) ✅  
 **100% Coverage Achieved**
 - Advanced Encryption at Rest (6 rules)
 - Certificate Management (2 rules)
@@ -75,6 +76,7 @@ aws-cis-assess assess --output-format json
 - Network Segmentation (5 rules)
 - Auto-scaling Security (1 rule)
 - Enhanced Access Controls (8 rules)
+- AWS Backup Advanced Controls (3 rules) - **NEW: Vault lock, reporting, restore testing**
 
 ### IG3 - Advanced Security (+1 Rule) ✅
 **100% Coverage Achieved**
@@ -94,7 +96,7 @@ aws-cis-assess assess --output-format json
 
 ### Core Components
 - **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 136 individual rule implementations with robust error handling
+- **Control Assessments**: 138 individual rule implementations with robust error handling
 - **Scoring Engine**: Calculates compliance scores and generates executive metrics
 - **Reporting System**: Multi-format output with detailed remediation guidance
 - **Resource Management**: Optimized for enterprise-scale deployments with memory management
@@ -190,7 +192,48 @@ MIT License - see [LICENSE](LICENSE) file for details.
 
 ---
 
-**Framework Version**: 1.0.0+  
-**CIS Controls Coverage**: 131/131 rules (100%) + 5 bonus rules  
+**Framework Version**: 1.0.10 (in development)  
+**CIS Controls Coverage**: 137/137 rules (100%) + 5 bonus rules  
 **Production Status**: ✅ Ready for immediate enterprise deployment  
-**Last Updated**: January 2026
+**Last Updated**: January 2026
+
+## 🆕 What's New in Version 1.0.10
+
+### AWS Backup Service Controls
+Six new controls added to assess AWS Backup infrastructure:
+
+**IG1 Controls (3)**:
+1. **backup-plan-min-frequency-and-min-retention-check** - Validates backup plans have appropriate frequency and retention policies
+   - Ensures backup plans have at least one rule defined
+   - Validates schedule expressions (cron or rate)
+   - Checks retention periods meet minimum requirements (default: 7 days)
+   - Validates lifecycle policies for cold storage transitions
+
+2. **backup-vault-access-policy-check** - Ensures backup vaults have secure access policies
+   - Detects publicly accessible backup vaults
+   - Identifies overly permissive access policies
+   - Warns about dangerous permissions (DeleteBackupVault, DeleteRecoveryPoint)
+   - Validates principle of least privilege
+
+3. **backup-selection-resource-coverage-check** - Validates backup plans cover critical resources
+   - Ensures backup plans have at least one selection
+   - Validates selections target specific resources or use tags
+   - Checks that selections are not empty
+
+**IG2 Controls (3)**:
+4. **backup-vault-lock-check** - Verifies vault lock for ransomware protection
+   - Ensures critical vaults have Vault Lock enabled
+   - Validates immutable backup configuration (WORM)
+   - Checks minimum and maximum retention periods
+
+5. **backup-report-plan-exists-check** - Validates backup compliance reporting
+   - Ensures at least one report plan exists
+   - Validates report delivery configuration
+   - Checks for active report generation
+
+6. **backup-restore-testing-plan-exists-check** - Ensures backups are recoverable
+   - Validates restore testing plans exist
+   - Checks testing schedules are configured
+   - Ensures backups are actually tested for recoverability
+
+These controls complement the existing 12 resource-specific backup controls by assessing the centralized AWS Backup service infrastructure itself. Total backup controls: 17 (12 resource-specific + 5 service-level). See [AWS Backup Controls Guide](docs/adding-aws-backup-controls.md) for detailed documentation.

{aws_cis_controls_assessment-1.0.9 → aws_cis_controls_assessment-1.0.10}/aws_cis_assessment/__init__.py

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 145 comprehensive
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.0.9"
+__version__ = "1.0.10"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"

{aws_cis_controls_assessment-1.0.9 → aws_cis_controls_assessment-1.0.10}/aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules: 74
+total_rules: 76
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
   '1.1':
@@ -108,6 +108,99 @@ controls:
       parameters: {}
       description: Assessment for s3-bucket-replication-enabled AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for s3-bucket-replication-enabled
+    - name: backup-plan-min-frequency-and-min-retention-check
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: Validates AWS Backup plans have appropriate backup frequency and retention policies to ensure data protection and recovery capabilities
+      remediation_guidance: |
+        Ensure backup plans have:
+        - Backup frequency of at least daily
+        - Retention period of at least 7 days
+        - Appropriate lifecycle policies
+        
+        To create or update a backup plan:
+        1. Go to AWS Backup console
+        2. Create or edit a backup plan
+        3. Add backup rules with:
+           - Schedule: Use cron or rate expressions (e.g., "cron(0 5 * * ? *)" for daily at 5 AM)
+           - Retention: Set to at least 7 days
+           - Lifecycle: Configure cold storage transition if needed
+        
+        AWS CLI example:
+        aws backup create-backup-plan --backup-plan '{
+          "BackupPlanName": "daily-backup-plan",
+          "Rules": [{
+            "RuleName": "daily-rule",
+            "ScheduleExpression": "cron(0 5 * * ? *)",
+            "Lifecycle": {"DeleteAfterDays": 30}
+          }]
+        }'
+    - name: backup-vault-access-policy-check
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: Checks AWS Backup vault access policies for security to ensure vaults follow principle of least privilege and do not allow public access
+      remediation_guidance: |
+        Ensure backup vaults:
+        - Do not allow public access (Principal: "*")
+        - Have restrictive access policies
+        - Follow principle of least privilege
+        - Consider using vault lock for critical vaults
+        
+        To secure a backup vault:
+        1. Go to AWS Backup console
+        2. Select the backup vault
+        3. Review and update access policy:
+           - Remove any wildcard principals
+           - Restrict to specific IAM roles/users
+           - Limit permissions to necessary actions only
+        4. Consider enabling vault lock to prevent deletion
+        
+        AWS CLI example to remove public access:
+        aws backup delete-backup-vault-access-policy --backup-vault-name MyVault
+        
+        To set a restrictive policy:
+        aws backup put-backup-vault-access-policy --backup-vault-name MyVault --policy '{
+          "Version": "2012-10-17",
+          "Statement": [{
+            "Effect": "Allow",
+            "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupRole"},
+            "Action": ["backup:DescribeBackupVault", "backup:ListRecoveryPointsByBackupVault"],
+            "Resource": "*"
+          }]
+        }'
+    - name: backup-selection-resource-coverage-check
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: Validates that AWS Backup plans have backup selections that cover critical resources ensuring comprehensive backup coverage
+      remediation_guidance: |
+        Ensure backup plans have proper resource coverage:
+        - At least one backup selection per plan
+        - Selections target specific resources or use tags
+        - Critical resource types are included
+        - Selections are not empty
+        
+        To add backup selections:
+        1. Go to AWS Backup console
+        2. Select your backup plan
+        3. Add backup selection:
+           - Specify resources by ARN, or
+           - Use resource tags to automatically include resources, or
+           - Use conditions to dynamically select resources
+        4. Ensure critical resources (RDS, EBS, EFS, DynamoDB) are covered
+        
+        AWS CLI example to create a backup selection:
+        aws backup create-backup-selection --backup-plan-id <plan-id> --backup-selection '{
+          "SelectionName": "CriticalResources",
+          "IamRoleArn": "arn:aws:iam::123456789012:role/AWSBackupRole",
+          "ListOfTags": [{
+            "ConditionType": "STRINGEQUALS",
+            "ConditionKey": "backup",
+            "ConditionValue": "true"
+          }]
+        }'
   '12.2':
     title: Control 12.2
     weight: 1.0

{aws_cis_controls_assessment-1.0.9 → aws_cis_controls_assessment-1.0.10}/aws_cis_assessment/config/rules/cis_controls_ig2.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG2
-total_rules: 58
+total_rules: 53
 description: Enhanced security for enterprises with regulatory compliance burdens
 controls:
   '11.4':
@@ -344,6 +344,88 @@ controls:
       parameters: {}
       description: Assessment for acm-certificate-expiration-check AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for acm-certificate-expiration-check
+  '11.3':
+    title: Establish and Maintain Data Recovery Process - Advanced
+    weight: 1.0
+    config_rules:
+    - name: backup-vault-lock-check
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: Validates that AWS Backup vaults have Vault Lock enabled to prevent deletion of recovery points providing ransomware protection
+      remediation_guidance: |
+        Enable Vault Lock for critical backup vaults:
+        - Vault Lock provides immutable backups (WORM - Write Once Read Many)
+        - Protects against accidental or malicious deletion
+        - Compliance mode prevents even root user from deleting backups
+        
+        To enable Vault Lock:
+        1. Go to AWS Backup console
+        2. Select your backup vault
+        3. Configure Vault Lock:
+           - Set minimum retention period
+           - Set maximum retention period (optional)
+           - Choose compliance mode for strictest protection
+        4. Test the configuration before finalizing
+        
+        AWS CLI example:
+        aws backup put-backup-vault-lock-configuration \
+          --backup-vault-name MyVault \
+          --min-retention-days 35 \
+          --max-retention-days 365
+    - name: backup-report-plan-exists-check
+      resource_types:
+      - AWS::Backup::ReportPlan
+      parameters: {}
+      description: Validates that AWS Backup has report plans configured to monitor backup compliance and provide audit trails
+      remediation_guidance: |
+        Configure backup report plans for compliance monitoring:
+        - At least one report plan should exist
+        - Reports should cover backup job status and compliance
+        - Report delivery should be configured to S3
+        - Reports provide audit trails for compliance
+        
+        To create a report plan:
+        1. Go to AWS Backup console
+        2. Navigate to Reports section
+        3. Create report plan:
+           - Choose report template (backup job report, compliance report, etc.)
+           - Configure S3 bucket for delivery
+           - Set report frequency
+        4. Review generated reports regularly
+        
+        AWS CLI example:
+        aws backup create-report-plan \
+          --report-plan-name ComplianceReport \
+          --report-delivery-channel S3BucketName=my-backup-reports \
+          --report-setting ReportTemplate=BACKUP_JOB_REPORT
+    - name: backup-restore-testing-plan-exists-check
+      resource_types:
+      - AWS::Backup::RestoreTestingPlan
+      parameters: {}
+      description: Validates that AWS Backup has restore testing plans configured to ensure backups are actually recoverable and meet RTO/RPO requirements
+      remediation_guidance: |
+        Configure restore testing plans to validate backup recoverability:
+        - At least one restore testing plan should exist
+        - Testing plans should be actively running
+        - Critical backup vaults should be included in testing
+        - Testing frequency should be appropriate (weekly/monthly)
+        
+        To create a restore testing plan:
+        1. Go to AWS Backup console
+        2. Navigate to Restore testing section
+        3. Create restore testing plan:
+           - Select backup vaults to test
+           - Configure testing schedule
+           - Define validation rules
+           - Set up notifications for test results
+        4. Monitor test execution and results
+        
+        AWS CLI example:
+        aws backup create-restore-testing-plan \
+          --restore-testing-plan-name WeeklyRestoreTest \
+          --schedule-expression "cron(0 2 ? * SUN *)" \
+          --start-window-hours 2
   '5.2':
     title: Use Unique Passwords
     weight: 1.0

{aws_cis_controls_assessment-1.0.9 → aws_cis_controls_assessment-1.0.10}/aws_cis_assessment/controls/ig1/__init__.py

@@ -125,6 +125,15 @@ from .control_backup_recovery import (
     S3BucketReplicationEnabledAssessment
 )
 
+from .control_aws_backup_service import (
+    BackupPlanMinFrequencyAndMinRetentionCheckAssessment,
+    BackupVaultAccessPolicyCheckAssessment,
+    BackupVaultLockCheckAssessment,
+    BackupSelectionResourceCoverageCheckAssessment,
+    BackupReportPlanExistsCheckAssessment,
+    BackupRestoreTestingPlanExistsCheckAssessment
+)
+
 from .control_s3_enhancements import (
     S3AccountLevelPublicAccessBlocksPeriodicAssessment,
     S3BucketPublicWriteProhibitedAssessment
@@ -230,6 +239,14 @@ __all__ = [
     'ElastiCacheRedisClusterAutomaticBackupCheckAssessment',
     'S3BucketReplicationEnabledAssessment',
     
+    # AWS Backup Service Controls
+    'BackupPlanMinFrequencyAndMinRetentionCheckAssessment',
+    'BackupVaultAccessPolicyCheckAssessment',
+    'BackupVaultLockCheckAssessment',
+    'BackupSelectionResourceCoverageCheckAssessment',
+    'BackupReportPlanExistsCheckAssessment',
+    'BackupRestoreTestingPlanExistsCheckAssessment',
+    
     # S3 Security Enhancements
     'S3AccountLevelPublicAccessBlocksPeriodicAssessment',
     'S3BucketPublicWriteProhibitedAssessment',