aws-cis-controls-assessment 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws_cis_assessment/__init__.py

@@ -2,10 +2,10 @@
 AWS CIS Controls Compliance Assessment Framework
 
 A production-ready, enterprise-grade framework for evaluating AWS account configurations against 
-CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 163 comprehensive AWS Config rules 
-across all implementation groups for complete security compliance assessment.
+CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 175 comprehensive AWS Config rules 
+across all implementation groups with 75%+ coverage of CIS Controls v8.1 IG1 safeguards.
 """
 
-__version__ = "1.1.3"
+__version__ = "1.2.0"
 __author__ = "AWS CIS Assessment Team"
-__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"
+__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework with Enhanced IG1 Coverage"

aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules: 77
+total_rules: 125
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
   '1.1':
@@ -39,6 +39,48 @@ controls:
       parameters: {}
       description: Assessment for ec2-security-group-attached-to-eni Config rule.
       remediation_guidance: Follow AWS Config rule guidance for ec2-security-group-attached-to-eni
+    - name: ssm-inventory-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: ssm-inventory-enabled\n    \n    Ensures AWS Systems Manager Inventory is enabled for comprehensive asset tracking."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-inventory-enabled
+    - name: config-enabled-all-regions
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: config-enabled-all-regions\n    \n    Ensures AWS Config is enabled in all regions for complete resource tracking."
+      remediation_guidance: Follow AWS Config rule guidance for config-enabled-all-regions
+    - name: ami-inventory-tracking
+      resource_types:
+      - AWS::EC2::Image
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: ami-inventory-tracking\n    \n    Ensures AMIs are properly tagged for inventory management."
+      remediation_guidance: Follow AWS Config rule guidance for ami-inventory-tracking
+    - name: lambda-runtime-inventory
+      resource_types:
+      - AWS::Lambda::Function
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: lambda-runtime-inventory\n    \n    Tracks Lambda function runtimes for inventory purposes."
+      remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-inventory
+    - name: iam-user-inventory-check
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: iam-user-inventory-check\n    \n    Ensures IAM users have proper inventory tags for asset management."
+      remediation_guidance: Follow AWS Config rule guidance for iam-user-inventory-check
+    - name: asset-tagging-compliance
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: asset-tagging-compliance\n    \n    Ensures resources have required tags for asset management."
+      remediation_guidance: Follow AWS Config rule guidance for asset-tagging-compliance
+    - name: unauthorized-asset-detection
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: unauthorized-asset-detection\n    \n    Detects resources without proper authorization tags."
+      remediation_guidance: Follow AWS Config rule guidance for unauthorized-asset-detection
   '1.5':
     title: Control 1.5
     weight: 1.0
@@ -201,6 +243,18 @@ controls:
             "ConditionValue": "true"
           }]
         }'
+    - name: rds-backup-retention-check
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 11.2 - Perform Automated Backups\n    AWS Config Rule: rds-backup-retention-check\n    \n    Ensures RDS instances have adequate backup retention periods (minimum 7 days)."
+      remediation_guidance: Follow AWS Config rule guidance for rds-backup-retention-check
+    - name: route53-query-logging-enabled
+      resource_types:
+      - AWS::Route53::HostedZone
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: route53-query-logging-enabled\n    \n    Ensures Route 53 hosted zones have query logging enabled."
+      remediation_guidance: Follow AWS Config rule guidance for route53-query-logging-enabled
   '12.2':
     title: Control 12.2
     weight: 1.0
@@ -238,6 +292,24 @@ controls:
       parameters: {}
       description: Assessment for ecs-fargate-latest-platform-version Config rule.
       remediation_guidance: Follow AWS Config rule guidance for ecs-fargate-latest-platform-version
+    - name: ec2-os-version-supported
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: ec2-os-version-supported\n    \n    Ensures EC2 instances run supported operating system versions."
+      remediation_guidance: Follow AWS Config rule guidance for ec2-os-version-supported
+    - name: rds-engine-version-supported
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: rds-engine-version-supported\n    \n    Ensures RDS instances run supported database engine versions."
+      remediation_guidance: Follow AWS Config rule guidance for rds-engine-version-supported
+    - name: lambda-runtime-supported
+      resource_types:
+      - AWS::Lambda::Function
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: lambda-runtime-supported\n    \n    Ensures Lambda functions use supported runtimes."
+      remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-supported
   2.2.1:
     title: Control 2.2.1
     weight: 1.0
@@ -271,6 +343,36 @@ controls:
         \ Rule: cloudwatch-log-group-encrypted\n    \n    Ensures CloudWatch Log Groups\
         \ are encrypted with KMS keys."
       remediation_guidance: Follow AWS Config rule guidance for cloudwatch-log-group-encrypted
+    - name: ebs-encryption-by-default
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: ebs-encryption-by-default\n    \n    Ensures EBS encryption by default is enabled at the account level for automatic volume encryption."
+      remediation_guidance: Follow AWS Config rule guidance for ebs-encryption-by-default
+    - name: rds-storage-encrypted
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: rds-storage-encrypted\n    \n    Ensures RDS database instances have storage encryption enabled."
+      remediation_guidance: Follow AWS Config rule guidance for rds-storage-encrypted
+    - name: efs-encrypted-check
+      resource_types:
+      - AWS::EFS::FileSystem
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: efs-encrypted-check\n    \n    Ensures EFS file systems have encryption at rest enabled."
+      remediation_guidance: Follow AWS Config rule guidance for efs-encrypted-check
+    - name: dynamodb-table-encrypted-kms
+      resource_types:
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: dynamodb-table-encrypted-kms\n    \n    Ensures DynamoDB tables are encrypted with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for dynamodb-table-encrypted-kms
+    - name: s3-default-encryption-kms
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: s3-default-encryption-kms\n    \n    Ensures S3 buckets have default encryption enabled with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for s3-default-encryption-kms
   '3.3':
     title: Configure Data Access Control Lists
     weight: 1.0
@@ -648,6 +750,18 @@ controls:
       parameters: {}
       description: Assessment for access-keys-rotated Config rule.
       remediation_guidance: Follow AWS Config rule guidance for access-keys-rotated
+    - name: config-conformance-pack-deployed
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n    AWS Config Rule: config-conformance-pack-deployed\n    \n    Ensures AWS Config conformance packs are deployed for configuration management."
+      remediation_guidance: Follow AWS Config rule guidance for config-conformance-pack-deployed
+    - name: securityhub-standards-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n    AWS Config Rule: securityhub-standards-enabled\n    \n    Ensures Security Hub standards are enabled for security configuration management."
+      remediation_guidance: Follow AWS Config rule guidance for securityhub-standards-enabled
   '5.2':
     title: Use Unique Passwords
     weight: 1.0
@@ -659,8 +773,36 @@ controls:
       description: Assessment for iam-password-policy Config rule - ensures strong
         password policy.
       remediation_guidance: Follow AWS Config rule guidance for iam-password-policy
+  '6.2':
+    title: Establish and Maintain a Secure Network Architecture
+    weight: 1.0
+    config_rules:
+    - name: guardduty-enabled-centralized
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: guardduty-enabled-centralized\n    \n    Ensures GuardDuty is enabled for threat detection and continuous monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for guardduty-enabled-centralized
+    - name: inspector-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: inspector-enabled\n    \n    Ensures Amazon Inspector is enabled for vulnerability scanning and security assessments."
+      remediation_guidance: Follow AWS Config rule guidance for inspector-enabled
+    - name: macie-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: macie-enabled\n    \n    Ensures Amazon Macie is enabled for sensitive data discovery and protection."
+      remediation_guidance: Follow AWS Config rule guidance for macie-enabled
+    - name: iam-access-analyzer-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: iam-access-analyzer-enabled\n    \n    Ensures IAM Access Analyzer is enabled to detect external access to resources."
+      remediation_guidance: Follow AWS Config rule guidance for iam-access-analyzer-enabled
   '8.2':
-    title: Control 8.2
+    title: Collect Audit Logs
     weight: 1.0
     config_rules:
     - name: cloudtrail-enabled
@@ -671,6 +813,30 @@ controls:
         \    \n    Ensures CloudTrail is enabled to record AWS Management Console\
         \ actions and API calls."
       remediation_guidance: Follow AWS Config rule guidance for cloudtrail-enabled
+    - name: vpc-flow-logs-enabled
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: vpc-flow-logs-enabled\n    \n    Ensures VPC Flow Logs are enabled for network traffic monitoring and analysis."
+      remediation_guidance: Follow AWS Config rule guidance for vpc-flow-logs-enabled
+    - name: elb-logging-enabled
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: elb-logging-enabled\n    \n    Ensures Elastic Load Balancer access logs are enabled for request tracking."
+      remediation_guidance: Follow AWS Config rule guidance for elb-logging-enabled
+    - name: cloudfront-accesslogs-enabled
+      resource_types:
+      - AWS::CloudFront::Distribution
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: cloudfront-accesslogs-enabled\n    \n    Ensures CloudFront distributions have access logging enabled."
+      remediation_guidance: Follow AWS Config rule guidance for cloudfront-accesslogs-enabled
+    - name: wafv2-logging-enabled
+      resource_types:
+      - AWS::WAFv2::WebACL
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: wafv2-logging-enabled\n    \n    Ensures WAF web ACLs have logging enabled for security monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for wafv2-logging-enabled
   '8.8':
     title: Control 8.8
     weight: 1.0
@@ -681,3 +847,200 @@ controls:
       parameters: {}
       description: Assessment for securityhub-enabled AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for securityhub-enabled
+  '7.1':
+    title: Establish and Maintain a Vulnerability Management Process
+    weight: 1.0
+    config_rules:
+    - name: ssm-patch-manager-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ssm-patch-manager-enabled\n    \n    Ensures AWS Systems Manager Patch Manager is configured with patch baselines."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-patch-manager-enabled
+    - name: ssm-patch-baseline-configured
+      resource_types:
+      - AWS::SSM::PatchBaseline
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ssm-patch-baseline-configured\n    \n    Ensures SSM patch baselines have proper approval rules and patch filters configured."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-patch-baseline-configured
+    - name: ec2-patch-compliance-status
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ec2-patch-compliance-status\n    \n    Ensures EC2 instances are compliant with patch baselines and have no missing patches."
+      remediation_guidance: Follow AWS Config rule guidance for ec2-patch-compliance-status
+  '5.3':
+    title: Disable Dormant Accounts
+    weight: 1.0
+    config_rules:
+    - name: sso-enabled-check
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: sso-enabled-check\n    \n    Ensures AWS SSO (Identity Center) is enabled for centralized identity management."
+      remediation_guidance: Follow AWS Config rule guidance for sso-enabled-check
+    - name: identity-center-configured
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: identity-center-configured\n    \n    Ensures AWS Identity Center has permission sets and proper configuration."
+      remediation_guidance: Follow AWS Config rule guidance for identity-center-configured
+    - name: iam-user-last-access-check
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: iam-user-last-access-check\n    \n    Ensures IAM users have been accessed recently (within 90 days)."
+      remediation_guidance: Follow AWS Config rule guidance for iam-user-last-access-check
+  '6.5':
+    title: Require MFA for Administrative Access
+    weight: 1.0
+    config_rules:
+    - name: iam-admin-mfa-required
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: iam-admin-mfa-required\n    \n    Ensures IAM users with administrative privileges have MFA enabled."
+      remediation_guidance: Follow AWS Config rule guidance for iam-admin-mfa-required
+    - name: cognito-mfa-enabled
+      resource_types:
+      - AWS::Cognito::UserPool
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: cognito-mfa-enabled\n    \n    Ensures Cognito user pools require MFA for user authentication."
+      remediation_guidance: Follow AWS Config rule guidance for cognito-mfa-enabled
+    - name: vpn-mfa-enabled
+      resource_types:
+      - AWS::EC2::ClientVpnEndpoint
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: vpn-mfa-enabled\n    \n    Ensures Client VPN endpoints require MFA for authentication."
+      remediation_guidance: Follow AWS Config rule guidance for vpn-mfa-enabled
+  '3.10':
+    title: Encrypt Sensitive Data in Transit
+    weight: 1.0
+    config_rules:
+    - name: alb-http-to-https-redirection
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: alb-http-to-https-redirection\n    \n    Ensures Application Load Balancers redirect HTTP traffic to HTTPS."
+      remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection
+    - name: elb-tls-https-listeners-only
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: elb-tls-https-listeners-only\n    \n    Ensures Elastic Load Balancers use only HTTPS/TLS listeners."
+      remediation_guidance: Follow AWS Config rule guidance for elb-tls-https-listeners-only
+    - name: rds-ssl-connection-required
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: rds-ssl-connection-required\n    \n    Ensures RDS database instances require SSL/TLS connections."
+      remediation_guidance: Follow AWS Config rule guidance for rds-ssl-connection-required
+    - name: api-gateway-ssl-enabled
+      resource_types:
+      - AWS::ApiGateway::RestApi
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: api-gateway-ssl-enabled\n    \n    Ensures API Gateway REST APIs use SSL/TLS certificates."
+      remediation_guidance: Follow AWS Config rule guidance for api-gateway-ssl-enabled
+    - name: redshift-require-tls-ssl
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: redshift-require-tls-ssl\n    \n    Ensures Redshift clusters require TLS/SSL for connections."
+      remediation_guidance: Follow AWS Config rule guidance for redshift-require-tls-ssl
+    - name: sns-encrypted-kms
+      resource_types:
+      - AWS::SNS::Topic
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: sns-encrypted-kms\n    \n    Ensures SNS topics are encrypted with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for sns-encrypted-kms
+    - name: sqs-queue-encrypted
+      resource_types:
+      - AWS::SQS::Queue
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: sqs-queue-encrypted\n    \n    Ensures SQS queues are encrypted at rest."
+      remediation_guidance: Follow AWS Config rule guidance for sqs-queue-encrypted
+    - name: cloudtrail-s3-dataevents-enabled
+      resource_types:
+      - AWS::CloudTrail::Trail
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: cloudtrail-s3-dataevents-enabled\n    \n    Ensures CloudTrail logs S3 data events for object-level operations monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for cloudtrail-s3-dataevents-enabled
+  '7.5':
+    title: Perform Automated Vulnerability Scans
+    weight: 1.0
+    config_rules:
+    - name: inspector-assessment-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 7.5 - Perform Automated Vulnerability Scans\n    AWS Config Rule: inspector-assessment-enabled\n    \n    Ensures Amazon Inspector assessments are actively running for vulnerability detection."
+      remediation_guidance: Follow AWS Config rule guidance for inspector-assessment-enabled
+  '12.4':
+    title: Establish and Maintain Architecture Diagram(s)
+    weight: 1.0
+    config_rules:
+    - name: ssm-session-manager-enabled
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 12.4 - Establish and Maintain Architecture Diagram(s)\n    AWS Config Rule: ssm-session-manager-enabled\n    \n    Ensures Systems Manager Session Manager is available for secure instance access."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-session-manager-enabled
+  '3.12':
+    title: Segment Data Processing and Storage Based on Sensitivity
+    weight: 1.0
+    config_rules:
+    - name: data-classification-tagging
+      resource_types:
+      - AWS::RDS::DBInstance
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n    AWS Config Rule: data-classification-tagging\n    \n    Ensures data resources have proper classification tags (DataClassification, Sensitivity, or Compliance)."
+      remediation_guidance: Follow AWS Config rule guidance for data-classification-tagging
+    - name: s3-bucket-classification-tags
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n    AWS Config Rule: s3-bucket-classification-tags\n    \n    Ensures S3 buckets have proper data classification tags."
+      remediation_guidance: Follow AWS Config rule guidance for s3-bucket-classification-tags
+  '13.6':
+    title: Deny Communications with Known Malicious IP Addresses
+    weight: 1.0
+    config_rules:
+    - name: network-firewall-deployed
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n    AWS Config Rule: network-firewall-deployed\n    \n    Ensures AWS Network Firewall is deployed for advanced network protection."
+      remediation_guidance: Follow AWS Config rule guidance for network-firewall-deployed
+    - name: route53-resolver-firewall-enabled
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n    AWS Config Rule: route53-resolver-firewall-enabled\n    \n    Ensures Route 53 Resolver DNS Firewall is enabled for DNS-level protection."
+      remediation_guidance: Follow AWS Config rule guidance for route53-resolver-firewall-enabled
+  '11.3':
+    title: Protect Recovery Data
+    weight: 1.0
+    config_rules:
+    - name: backup-vault-encryption-enabled
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: "CIS Control 11.3 - Protect Recovery Data\n    AWS Config Rule: backup-vault-encryption-enabled\n    \n    Ensures AWS Backup vaults are encrypted with KMS."
+      remediation_guidance: Follow AWS Config rule guidance for backup-vault-encryption-enabled
+    - name: backup-vault-lock-enabled
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: "CIS Control 11.3 - Protect Recovery Data\n    AWS Config Rule: backup-vault-lock-enabled\n    \n    Ensures backup vaults have vault lock enabled to prevent deletion."
+      remediation_guidance: Follow AWS Config rule guidance for backup-vault-lock-enabled
+  '11.4':
+    title: Establish and Maintain an Isolated Instance of Recovery Data
+    weight: 1.0
+    config_rules:
+    - name: backup-cross-region-copy-enabled
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: "CIS Control 11.4 - Establish and Maintain an Isolated Instance of Recovery Data\n    AWS Config Rule: backup-cross-region-copy-enabled\n    \n    Ensures backup plans include cross-region copy for disaster recovery."
+      remediation_guidance: Follow AWS Config rule guidance for backup-cross-region-copy-enabled

aws_cis_assessment/controls/ig1/control_access_analyzer.py

@@ -0,0 +1,198 @@
+"""
+CIS Control 6.1 - IAM Access Analyzer
+Ensures IAM Access Analyzer is enabled for access control validation.
+"""
+
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+
+logger = logging.getLogger(__name__)
+
+
+class IAMAccessAnalyzerEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 6.1 - Establish an Access Granting Process
+    AWS Config Rule: iam-access-analyzer-enabled
+    
+    Ensures IAM Access Analyzer is enabled to identify resources shared with
+    external entities. Access Analyzer helps identify unintended access to
+    resources and data, which is a security risk.
+    """
+    
+    def __init__(self):
+        super().__init__(
+            rule_name="iam-access-analyzer-enabled",
+            control_id="6.1",
+            resource_types=["AWS::AccessAnalyzer::Analyzer"]
+        )
+    
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get IAM Access Analyzer configuration for the region."""
+        if resource_type != "AWS::AccessAnalyzer::Analyzer":
+            return []
+        
+        try:
+            access_analyzer_client = aws_factory.get_client('accessanalyzer', region)
+            
+            # List all analyzers in the region
+            try:
+                response = access_analyzer_client.list_analyzers()
+                analyzers = response.get('analyzers', [])
+                
+                if not analyzers:
+                    # No analyzer found
+                    return [{
+                        'AnalyzerArn': 'none',
+                        'AnalyzerName': 'none',
+                        'Status': 'NOT_ENABLED',
+                        'Type': 'UNKNOWN',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                    }]
+                
+                # Return all analyzers
+                analyzer_resources = []
+                for analyzer in analyzers:
+                    analyzer_resources.append({
+                        'AnalyzerArn': analyzer.get('arn', ''),
+                        'AnalyzerName': analyzer.get('name', ''),
+                        'Status': analyzer.get('status', 'UNKNOWN'),
+                        'Type': analyzer.get('type', 'UNKNOWN'),
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                        'CreatedAt': analyzer.get('createdAt', ''),
+                        'LastResourceAnalyzed': analyzer.get('lastResourceAnalyzed', ''),
+                        'LastResourceAnalyzedAt': analyzer.get('lastResourceAnalyzedAt', '')
+                    })
+                
+                return analyzer_resources
+                
+            except ClientError as e:
+                error_code = e.response.get('Error', {}).get('Code', '')
+                if error_code in ['ResourceNotFoundException', 'AccessDeniedException']:
+                    # No analyzer or no access
+                    return [{
+                        'AnalyzerArn': 'none',
+                        'AnalyzerName': 'none',
+                        'Status': 'NOT_ENABLED',
+                        'Type': 'UNKNOWN',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                    }]
+                raise
+            
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to IAM Access Analyzer in {region}")
+            else:
+                logger.error(f"Error checking IAM Access Analyzer status in {region}: {e}")
+            return []
+    
+    def _evaluate_resource_compliance(
+        self, 
+        resource: Dict[str, Any], 
+        aws_factory: AWSClientFactory, 
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if IAM Access Analyzer is enabled."""
+        analyzer_name = resource.get('AnalyzerName', 'none')
+        analyzer_arn = resource.get('AnalyzerArn', 'none')
+        status = resource.get('Status', 'NOT_ENABLED')
+        analyzer_type = resource.get('Type', 'UNKNOWN')
+        
+        # Check if Access Analyzer is enabled and active
+        is_compliant = status == 'ACTIVE' and analyzer_type in ['ACCOUNT', 'ORGANIZATION']
+        
+        if is_compliant:
+            evaluation_reason = (
+                f"IAM Access Analyzer '{analyzer_name}' is active in {region}. "
+                f"Type: {analyzer_type}"
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if analyzer_name == 'none' or status == 'NOT_ENABLED':
+                evaluation_reason = f"IAM Access Analyzer is not enabled in {region}."
+            elif status == 'CREATING':
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' is being created in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            elif status == 'FAILED':
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' failed to create in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            else:
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' status is {status} in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            
+            if not is_compliant:
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+        
+        return ComplianceResult(
+            resource_id=analyzer_arn if analyzer_arn != 'none' else 'none',
+            resource_type="AWS::AccessAnalyzer::Analyzer",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling IAM Access Analyzer."""
+        return [
+            "1. Enable IAM Access Analyzer in the AWS Console:",
+            "   - Navigate to IAM service",
+            "   - Click 'Access analyzer' in the left menu",
+            "   - Click 'Create analyzer'",
+            "   - Choose analyzer type:",
+            "     * Account: Analyzes resources in current account",
+            "     * Organization: Analyzes resources across AWS Organization",
+            "   - Enter analyzer name",
+            "   - Click 'Create analyzer'",
+            "",
+            "2. Enable Access Analyzer using AWS CLI:",
+            "   # For account-level analyzer",
+            "   aws accessanalyzer create-analyzer \\",
+            "     --analyzer-name MyAccountAnalyzer \\",
+            "     --type ACCOUNT \\",
+            "     --region <region>",
+            "",
+            "   # For organization-level analyzer (requires AWS Organizations)",
+            "   aws accessanalyzer create-analyzer \\",
+            "     --analyzer-name MyOrgAnalyzer \\",
+            "     --type ORGANIZATION \\",
+            "     --region <region>",
+            "",
+            "3. Review findings:",
+            "   - Access Analyzer automatically scans resources",
+            "   - Review findings in IAM console under 'Access analyzer'",
+            "   - Findings show resources accessible from outside your account/org",
+            "",
+            "4. Resolve findings:",
+            "   - Active findings: Resources with external access",
+            "   - Archived findings: Previously resolved or accepted risks",
+            "   - For each finding:",
+            "     * Review the resource and access path",
+            "     * Determine if access is intended",
+            "     * If unintended: Remove the external access",
+            "     * If intended: Archive the finding with justification",
+            "",
+            "5. Set up notifications:",
+            "   - Create EventBridge rules to route findings to SNS/Slack",
+            "   - Configure alerts for new findings",
+            "",
+            "6. Best practices:",
+            "   - Enable in all regions where you have resources",
+            "   - Review findings weekly",
+            "   - Use organization analyzer for centralized visibility",
+            "   - Integrate with Security Hub for consolidated findings",
+            "",
+            "Priority: HIGH - Unintended external access is a critical security risk",
+            "Effort: Low - Can be enabled in minutes",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+        ]