aws-cis-controls-assessment 1.1.2__tar.gz → 1.1.3__tar.gz

{aws_cis_controls_assessment-1.1.2/aws_cis_controls_assessment.egg-info → aws_cis_controls_assessment-1.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.1.2
+Version: 1.1.3
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>

{aws_cis_controls_assessment-1.1.2 → aws_cis_controls_assessment-1.1.3}/aws_cis_assessment/__init__.py

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 163 comprehensive
 across all implementation groups for complete security compliance assessment.
 """
 
-__version__ = "1.1.2"
+__version__ = "1.1.3"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"

{aws_cis_controls_assessment-1.1.2 → aws_cis_controls_assessment-1.1.3}/aws_cis_assessment/controls/ig1/control_cloudtrail_logging.py

@@ -39,8 +39,9 @@ class CloudTrailEnabledAssessment(BaseConfigRuleAssessment):
         try:
             cloudtrail_client = aws_factory.get_client('cloudtrail', region)
             
-            # Get all trails in this region
-            response = cloudtrail_client.describe_trails()
+            # Get all trails in this region, excluding shadow trails
+            # Shadow trails are replications from other regions or organization trails
+            response = cloudtrail_client.describe_trails(includeShadowTrails=False)
             trails = response.get('trailList', [])
             
             # Get trail status for each trail
@@ -48,6 +49,13 @@ class CloudTrailEnabledAssessment(BaseConfigRuleAssessment):
             for trail in trails:
                 trail_name = trail.get('Name', '')
                 trail_arn = trail.get('TrailARN', '')
+                home_region = trail.get('HomeRegion', '')
+                
+                # Skip shadow trails (trails from other regions or organization trails)
+                # These are indicated by HomeRegion being different from current region
+                if home_region and home_region != region:
+                    logger.debug(f"Skipping shadow trail {trail_name} (home region: {home_region}, current region: {region})")
+                    continue
                 
                 try:
                     # Get trail status
@@ -66,14 +74,22 @@ class CloudTrailEnabledAssessment(BaseConfigRuleAssessment):
                         'TrailARN': trail_arn,
                         'IsLogging': is_logging,
                         'IsMultiRegionTrail': trail.get('IsMultiRegionTrail', False),
+                        'IsOrganizationTrail': trail.get('IsOrganizationTrail', False),
                         'IncludeGlobalServiceEvents': trail.get('IncludeGlobalServiceEvents', False),
                         'S3BucketName': trail.get('S3BucketName', ''),
+                        'HomeRegion': home_region,
                         'EventSelectors': event_selectors,
                         'Region': region
                     })
                     
                 except ClientError as e:
-                    logger.warning(f"Error getting status for trail {trail_name}: {e}")
+                    error_code = e.response.get('Error', {}).get('Code', '')
+                    
+                    # Only log warning for unexpected errors, not for shadow trails
+                    if error_code == 'TrailNotFoundException':
+                        logger.debug(f"Trail {trail_name} not found in {region} - likely a shadow trail or deleted trail")
+                    else:
+                        logger.warning(f"Error getting status for trail {trail_name}: {e}")
                     continue
             
             # Return account-level resource with trail information
@@ -100,13 +116,33 @@ class CloudTrailEnabledAssessment(BaseConfigRuleAssessment):
         if has_active_trails:
             # Check for at least one properly configured trail
             active_trails = [trail for trail in trails if trail['IsLogging']]
-            trail_names = [trail['TrailName'] for trail in active_trails]
+            
+            # Categorize trails
+            org_trails = [t for t in active_trails if t.get('IsOrganizationTrail', False)]
+            multi_region_trails = [t for t in active_trails if t.get('IsMultiRegionTrail', False)]
+            regional_trails = [t for t in active_trails if not t.get('IsMultiRegionTrail', False)]
+            
+            # Build detailed reason
+            trail_details = []
+            for trail in active_trails:
+                trail_type = []
+                if trail.get('IsOrganizationTrail', False):
+                    trail_type.append("organization")
+                if trail.get('IsMultiRegionTrail', False):
+                    trail_type.append("multi-region")
+                else:
+                    trail_type.append("regional")
+                
+                trail_info = f"{trail['TrailName']} ({', '.join(trail_type)})"
+                trail_details.append(trail_info)
+            
+            reason = f"CloudTrail is enabled with {len(active_trails)} active trail(s): {', '.join(trail_details)}"
             
             return ComplianceResult(
                 resource_id=account_id,
                 resource_type="AWS::::Account",
                 compliance_status=ComplianceStatus.COMPLIANT,
-                evaluation_reason=f"CloudTrail is enabled with {len(active_trails)} active trail(s): {', '.join(trail_names)}",
+                evaluation_reason=reason,
                 config_rule_name=self.rule_name,
                 region=region
             )
@@ -115,7 +151,7 @@ class CloudTrailEnabledAssessment(BaseConfigRuleAssessment):
                 resource_id=account_id,
                 resource_type="AWS::::Account",
                 compliance_status=ComplianceStatus.NON_COMPLIANT,
-                evaluation_reason="CloudTrail is not enabled or no trails are actively logging",
+                evaluation_reason="CloudTrail is not enabled or no trails are actively logging in this region",
                 config_rule_name=self.rule_name,
                 region=region
             )

{aws_cis_controls_assessment-1.1.2 → aws_cis_controls_assessment-1.1.3}/aws_cis_assessment/reporters/html_reporter.py

@@ -1623,7 +1623,8 @@ class HTMLReporter(ReportGenerator):
                 }}
             }});
             
-            const blob = new Blob([csvContent], {{ type: 'text/csv' }});
+            // Add UTF-8 BOM to ensure proper encoding in Excel and other tools
+            const blob = new Blob(['\ufeff' + csvContent], {{ type: 'text/csv;charset=utf-8;' }});
             const url = window.URL.createObjectURL(blob);
             const a = document.createElement('a');
             a.href = url;
@@ -1955,7 +1956,7 @@ class HTMLReporter(ReportGenerator):
                 </div>
             </div>
             <div class="footer-bottom">
-                <p>&copy; 2024 AWS CIS Assessment Tool. Generated with HTML Reporter v{html_data.get('report_version', '1.0')}</p>
+                <p>&copy; {datetime.now().year} AWS CIS Assessment Tool. Generated with HTML Reporter v{html_data.get('report_version', '1.1.2')}</p>
             </div>
         </footer>
         """
@@ -2509,7 +2510,7 @@ class HTMLReporter(ReportGenerator):
         resource_rows = ""
         for resource in all_resources:
             status_class = "compliant" if resource["compliance_status"] == "COMPLIANT" else "non_compliant"
-            status_icon = "✓" if resource["compliance_status"] == "COMPLIANT" else "✗"
+            status_text = "COMPLIANT" if resource["compliance_status"] == "COMPLIANT" else "NON_COMPLIANT"
             
             # Construct pseudo-ARN for CSV export (v1.1.2)
             # Format: arn:aws:service:region:account:resource-type/resource-id
@@ -2523,7 +2524,7 @@ class HTMLReporter(ReportGenerator):
                 <td>{resource['region']}</td>
                 <td>
                     <span class="badge {status_class}">
-                        {status_icon} {resource['compliance_status']}
+                        {status_text}
                     </span>
                 </td>
                 <td>{resource['control_id']}</td>
@@ -2626,12 +2627,12 @@ class HTMLReporter(ReportGenerator):
                 <table class="findings-table resource-table" id="resourceTable">
                     <thead>
                         <tr>
-                            <th onclick="sortResourceTable(0)">Resource ID ↕</th>
-                            <th onclick="sortResourceTable(1)">Resource Type ↕</th>
-                            <th onclick="sortResourceTable(2)">Region ↕</th>
-                            <th onclick="sortResourceTable(3)">Status ↕</th>
-                            <th onclick="sortResourceTable(4)">Control ↕</th>
-                            <th onclick="sortResourceTable(5)">Config Rule ↕</th>
+                            <th onclick="sortResourceTable(0)">Resource ID</th>
+                            <th onclick="sortResourceTable(1)">Resource Type</th>
+                            <th onclick="sortResourceTable(2)">Region</th>
+                            <th onclick="sortResourceTable(3)">Status</th>
+                            <th onclick="sortResourceTable(4)">Control</th>
+                            <th onclick="sortResourceTable(5)">Config Rule</th>
                             <th>Evaluation Details</th>
                         </tr>
                     </thead>

{aws_cis_controls_assessment-1.1.2 → aws_cis_controls_assessment-1.1.3/aws_cis_controls_assessment.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.1.2
+Version: 1.1.3
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>