PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

aws_cis_assessment/controls/ig1/control_access_asset_mgmt.py ADDED Viewed

@@ -0,0 +1,360 @@
+"""
+CIS Control 5.3, 4.1 - Access and Asset Management
+Ensures proper access tracking and asset authorization.
+"""
+import logging
+from typing import List, Dict, Any
+from datetime import datetime, timedelta
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class IAMUserLastAccessCheckAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 5.3 - Disable Dormant Accounts
+    AWS Config Rule: iam-user-last-access-check
+    Ensures IAM users have been accessed recently (within 90 days).
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="iam-user-last-access-check",
+            control_id="5.3",
+            resource_types=["AWS::IAM::User"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get IAM users with last access information."""
+        if resource_type != "AWS::IAM::User":
+            return []
+        # IAM is global, only process in us-east-1
+        if region != 'us-east-1':
+            return []
+        try:
+            iam_client = aws_factory.get_client('iam', region)
+            users = []
+            paginator = iam_client.get_paginator('list_users')
+            for page in paginator.paginate():
+                for user in page.get('Users', []):
+                    user_name = user.get('UserName')
+                    try:
+                        # Get user details with last access info
+                        user_detail = iam_client.get_user(UserName=user_name)
+                        user_info = user_detail.get('User', {})
+                        password_last_used = user_info.get('PasswordLastUsed')
+                        # Get access key last used
+                        access_keys = iam_client.list_access_keys(UserName=user_name)
+                        last_key_used = None
+                        for key in access_keys.get('AccessKeyMetadata', []):
+                            key_id = key.get('AccessKeyId')
+                            try:
+                                key_last_used = iam_client.get_access_key_last_used(AccessKeyId=key_id)
+                                key_used_date = key_last_used.get('AccessKeyLastUsed', {}).get('LastUsedDate')
+                                if key_used_date:
+                                    if not last_key_used or key_used_date > last_key_used:
+                                        last_key_used = key_used_date
+                            except ClientError:
+                                pass
+                        # Determine most recent access
+                        last_access = None
+                        if password_last_used and last_key_used:
+                            last_access = max(password_last_used, last_key_used)
+                        elif password_last_used:
+                            last_access = password_last_used
+                        elif last_key_used:
+                            last_access = last_key_used
+                        # Check if accessed within 90 days
+                        days_since_access = None
+                        is_dormant = False
+                        if last_access:
+                            days_since_access = (datetime.now(last_access.tzinfo) - last_access).days
+                            is_dormant = days_since_access > 90
+                        else:
+                            # Never accessed
+                            is_dormant = True
+                            days_since_access = -1
+                        users.append({
+                            'UserName': user_name,
+                            'Arn': user.get('Arn'),
+                            'LastAccess': last_access,
+                            'DaysSinceAccess': days_since_access,
+                            'IsDormant': is_dormant
+                        })
+                    except ClientError as e:
+                        logger.warning(f"Error getting details for user {user_name}: {e}")
+                        continue
+            return users
+        except ClientError as e:
+            logger.error(f"Error retrieving IAM users: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if IAM user has been accessed recently."""
+        user_name = resource.get('UserName', 'unknown')
+        is_dormant = resource.get('IsDormant', False)
+        days_since_access = resource.get('DaysSinceAccess', -1)
+        if not is_dormant:
+            if days_since_access >= 0:
+                evaluation_reason = f"IAM user '{user_name}' accessed {days_since_access} days ago"
+            else:
+                evaluation_reason = f"IAM user '{user_name}' has recent access"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if days_since_access == -1:
+                evaluation_reason = f"IAM user '{user_name}' has never been accessed"
+            else:
+                evaluation_reason = f"IAM user '{user_name}' not accessed in {days_since_access} days (>90 days)"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=resource.get('Arn', user_name),
+            resource_type="AWS::IAM::User",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for dormant user accounts."""
+        return [
+            "1. List users with last access time:",
+            "   aws iam get-credential-report",
+            "   aws iam generate-credential-report",
+            "",
+            "2. Disable dormant user:",
+            "   aws iam delete-login-profile --user-name <user-name>",
+            "   aws iam update-access-key --user-name <user-name> --access-key-id <key-id> --status Inactive",
+            "",
+            "3. Delete dormant user (after verification):",
+            "   aws iam delete-user --user-name <user-name>",
+            "",
+            "Priority: MEDIUM - Reduces attack surface",
+            "Effort: Low - Simple deactivation",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html"
+        ]
+class SSMSessionManagerEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 12.4 - Establish and Maintain Architecture Diagram(s)
+    AWS Config Rule: ssm-session-manager-enabled
+    Ensures Systems Manager Session Manager is available for secure instance access.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="ssm-session-manager-enabled",
+            control_id="12.4",
+            resource_types=["AWS::EC2::Instance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get EC2 instances and check Session Manager availability."""
+        if resource_type != "AWS::EC2::Instance":
+            return []
+        try:
+            ssm_client = aws_factory.get_client('ssm', region)
+            # Get managed instances
+            response = ssm_client.describe_instance_information()
+            managed_instances = {
+                inst.get('InstanceId'): inst
+                for inst in response.get('InstanceInformationList', [])
+            }
+            # Get all EC2 instances
+            ec2_client = aws_factory.get_client('ec2', region)
+            ec2_response = ec2_client.describe_instances()
+            instances = []
+            for reservation in ec2_response.get('Reservations', []):
+                for instance in reservation.get('Instances', []):
+                    instance_id = instance.get('InstanceId')
+                    state = instance.get('State', {}).get('Name')
+                    # Only check running instances
+                    if state == 'running':
+                        is_managed = instance_id in managed_instances
+                        instances.append({
+                            'InstanceId': instance_id,
+                            'State': state,
+                            'IsManaged': is_managed
+                        })
+            return instances
+        except ClientError as e:
+            logger.error(f"Error checking Session Manager in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if instance has Session Manager enabled."""
+        instance_id = resource.get('InstanceId', 'unknown')
+        is_managed = resource.get('IsManaged', False)
+        if is_managed:
+            evaluation_reason = f"Instance {instance_id} is managed by Systems Manager"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"Instance {instance_id} is not managed by Systems Manager"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=instance_id,
+            resource_type="AWS::EC2::Instance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling Session Manager."""
+        return [
+            "1. Attach IAM role to EC2 instance:",
+            "   aws ec2 associate-iam-instance-profile \\",
+            "     --instance-id <instance-id> \\",
+            "     --iam-instance-profile Name=SSMInstanceProfile",
+            "",
+            "2. Ensure SSM agent is installed and running",
+            "3. Verify instance appears in Systems Manager:",
+            "   aws ssm describe-instance-information",
+            "",
+            "Priority: MEDIUM - Improves secure access",
+            "Effort: Low - Attach IAM role",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html"
+        ]
+class UnauthorizedAssetDetectionAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory
+    AWS Config Rule: unauthorized-asset-detection
+    Detects resources without proper authorization tags.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="unauthorized-asset-detection",
+            control_id="1.1",
+            resource_types=["AWS::EC2::Instance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get EC2 instances and check for authorization tags."""
+        if resource_type != "AWS::EC2::Instance":
+            return []
+        try:
+            ec2_client = aws_factory.get_client('ec2', region)
+            response = ec2_client.describe_instances()
+            instances = []
+            for reservation in response.get('Reservations', []):
+                for instance in reservation.get('Instances', []):
+                    tags = {tag['Key']: tag['Value'] for tag in instance.get('Tags', [])}
+                    # Check for authorization tags
+                    has_authorization = bool(
+                        tags.get('Authorized') == 'true' or
+                        tags.get('Approved') == 'true' or
+                        tags.get('Owner')
+                    )
+                    instances.append({
+                        'InstanceId': instance.get('InstanceId'),
+                        'Tags': tags,
+                        'HasAuthorization': has_authorization
+                    })
+            return instances
+        except ClientError as e:
+            logger.error(f"Error retrieving EC2 instances in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if instance has authorization tags."""
+        instance_id = resource.get('InstanceId', 'unknown')
+        has_authorization = resource.get('HasAuthorization', False)
+        if has_authorization:
+            evaluation_reason = f"Instance {instance_id} has authorization tags"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"Instance {instance_id} missing authorization tags (Authorized, Approved, or Owner)"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=instance_id,
+            resource_type="AWS::EC2::Instance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for unauthorized asset detection."""
+        return [
+            "1. Tag authorized resources:",
+            "   aws ec2 create-tags \\",
+            "     --resources <instance-id> \\",
+            "     --tags Key=Authorized,Value=true Key=Owner,Value=team-name",
+            "",
+            "2. Investigate unauthorized resources",
+            "3. Terminate or tag unauthorized instances",
+            "",
+            "Priority: HIGH - Security risk from unauthorized assets",
+            "Effort: Low - Tagging or termination",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html"
+        ]

aws_cis_assessment/controls/ig1/control_access_control.py ADDED Viewed

@@ -0,0 +1,323 @@
+"""
+CIS Control 2.4-2.7, 2.15 - Access Control and MFA Controls
+Ensures proper access control mechanisms and multi-factor authentication.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class SSOEnabledCheckAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 2.4 - Centralize Account Management
+    AWS Config Rule: sso-enabled-check
+    Ensures AWS Single Sign-On (SSO) / Identity Center is enabled
+    for centralized identity management.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="sso-enabled-check",
+            control_id="2.4",
+            resource_types=["AWS::::Account"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get SSO/Identity Center configuration for the account."""
+        if resource_type != "AWS::::Account":
+            return []
+        # SSO is a global service, only check in us-east-1
+        if region != 'us-east-1':
+            return []
+        try:
+            sso_admin_client = aws_factory.get_client('sso-admin', region)
+            # List SSO instances
+            response = sso_admin_client.list_instances()
+            instances = response.get('Instances', [])
+            has_sso = len(instances) > 0
+            instance_info = []
+            for instance in instances:
+                instance_arn = instance.get('InstanceArn', '')
+                identity_store_id = instance.get('IdentityStoreId', '')
+                instance_info.append({
+                    'InstanceArn': instance_arn,
+                    'IdentityStoreId': identity_store_id
+                })
+            return [{
+                'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                'Region': region,
+                'HasSSO': has_sso,
+                'InstanceCount': len(instances),
+                'Instances': instance_info
+            }]
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to check SSO in {region}")
+            else:
+                logger.error(f"Error checking SSO in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if SSO/Identity Center is enabled."""
+        account_id = resource.get('AccountId', 'unknown')
+        has_sso = resource.get('HasSSO', False)
+        instance_count = resource.get('InstanceCount', 0)
+        is_compliant = has_sso
+        if is_compliant:
+            evaluation_reason = (
+                f"AWS SSO (Identity Center) is enabled with {instance_count} instance(s). "
+                f"Centralized identity management is configured."
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = (
+                "AWS SSO (Identity Center) is not enabled. "
+                "Consider enabling SSO for centralized identity management and single sign-on."
+            )
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=account_id,
+            resource_type="AWS::::Account",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling SSO."""
+        return [
+            "1. Enable AWS SSO (Identity Center) via Console:",
+            "   - Navigate to AWS IAM Identity Center (successor to AWS SSO)",
+            "   - Click 'Enable'",
+            "   - Choose identity source:",
+            "     * Identity Center directory (default)",
+            "     * Active Directory",
+            "     * External identity provider (SAML 2.0)",
+            "   - Complete the setup wizard",
+            "",
+            "2. Note: AWS SSO cannot be enabled via CLI directly",
+            "   You must use the AWS Console or AWS Organizations",
+            "",
+            "3. Configure identity source:",
+            "   - For Identity Center directory:",
+            "     * Add users and groups directly",
+            "     * Manage within Identity Center",
+            "   ",
+            "   - For Active Directory:",
+            "     * Connect AWS Managed Microsoft AD",
+            "     * Or connect self-managed AD via AD Connector",
+            "   ",
+            "   - For external IdP:",
+            "     * Configure SAML 2.0 integration",
+            "     * Upload IdP metadata",
+            "",
+            "4. Create permission sets:",
+            "   - Navigate to 'Permission sets'",
+            "   - Click 'Create permission set'",
+            "   - Choose predefined or custom policies",
+            "   - Define session duration",
+            "   - Add tags (optional)",
+            "",
+            "5. Assign users/groups to AWS accounts:",
+            "   - Navigate to 'AWS accounts'",
+            "   - Select account(s)",
+            "   - Click 'Assign users or groups'",
+            "   - Select users/groups",
+            "   - Select permission sets",
+            "   - Click 'Submit'",
+            "",
+            "6. Configure MFA (recommended):",
+            "   - Navigate to 'Settings'",
+            "   - Under 'Authentication', configure MFA",
+            "   - Options:",
+            "     * Authenticator apps",
+            "     * Security keys and built-in authenticators",
+            "   - Set MFA requirement level",
+            "",
+            "7. Set up user portal:",
+            "   - Users access: https://<your-subdomain>.awsapps.com/start",
+            "   - Customize portal URL (optional)",
+            "   - Configure portal settings",
+            "",
+            "8. Best practices:",
+            "   - Enable MFA for all users",
+            "   - Use permission sets instead of inline policies",
+            "   - Implement least privilege access",
+            "   - Use groups for permission assignment",
+            "   - Enable CloudTrail logging for SSO events",
+            "   - Regularly review access assignments",
+            "   - Set appropriate session durations",
+            "",
+            "9. Integrate with external identity providers:",
+            "   # For SAML 2.0 IdPs (Okta, Azure AD, etc.)",
+            "   - Download AWS SSO SAML metadata",
+            "   - Configure in your IdP",
+            "   - Upload IdP SAML metadata to AWS SSO",
+            "   - Test SSO login",
+            "",
+            "10. Verify SSO configuration:",
+            "    aws sso-admin list-instances --region us-east-1",
+            "",
+            "Priority: HIGH - Centralized identity management improves security",
+            "Effort: Medium - Requires initial setup and user migration",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html"
+        ]
+class IdentityCenterConfiguredAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 2.5 - Centralize Account Management
+    AWS Config Rule: identity-center-configured
+    Ensures Identity Center is properly configured with users and permission sets.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="identity-center-configured",
+            control_id="2.5",
+            resource_types=["AWS::::Account"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get Identity Center configuration details."""
+        if resource_type != "AWS::::Account":
+            return []
+        if region != 'us-east-1':
+            return []
+        try:
+            sso_admin_client = aws_factory.get_client('sso-admin', region)
+            # Get SSO instances
+            instances_response = sso_admin_client.list_instances()
+            instances = instances_response.get('Instances', [])
+            if not instances:
+                return [{
+                    'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                    'Region': region,
+                    'HasInstances': False,
+                    'PermissionSetCount': 0,
+                    'IsConfigured': False
+                }]
+            instance_arn = instances[0].get('InstanceArn', '')
+            # Count permission sets
+            permission_sets = []
+            paginator = sso_admin_client.get_paginator('list_permission_sets')
+            for page in paginator.paginate(InstanceArn=instance_arn):
+                permission_sets.extend(page.get('PermissionSets', []))
+            is_configured = len(permission_sets) > 0
+            return [{
+                'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                'Region': region,
+                'HasInstances': True,
+                'InstanceArn': instance_arn,
+                'PermissionSetCount': len(permission_sets),
+                'IsConfigured': is_configured
+            }]
+        except ClientError as e:
+            logger.warning(f"Error checking Identity Center configuration: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if Identity Center is properly configured."""
+        account_id = resource.get('AccountId', 'unknown')
+        is_configured = resource.get('IsConfigured', False)
+        permission_set_count = resource.get('PermissionSetCount', 0)
+        has_instances = resource.get('HasInstances', False)
+        if is_configured:
+            evaluation_reason = (
+                f"Identity Center is properly configured with {permission_set_count} permission set(s)."
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if not has_instances:
+                evaluation_reason = "Identity Center is not enabled."
+            else:
+                evaluation_reason = "Identity Center is enabled but has no permission sets configured."
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=account_id,
+            resource_type="AWS::::Account",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for configuring Identity Center."""
+        return [
+            "1. Create permission sets in Identity Center:",
+            "   - Navigate to IAM Identity Center",
+            "   - Click 'Permission sets'",
+            "   - Click 'Create permission set'",
+            "   - Choose type: Predefined or Custom",
+            "   - Configure policies and session duration",
+            "",
+            "2. Add users to Identity Center:",
+            "   - Navigate to 'Users'",
+            "   - Click 'Add user'",
+            "   - Enter user details",
+            "   - Send invitation email",
+            "",
+            "3. Create groups and assign users:",
+            "   - Navigate to 'Groups'",
+            "   - Click 'Create group'",
+            "   - Add users to group",
+            "",
+            "4. Assign access to AWS accounts:",
+            "   - Navigate to 'AWS accounts'",
+            "   - Select account(s)",
+            "   - Click 'Assign users or groups'",
+            "   - Select users/groups and permission sets",
+            "",
+            "Priority: HIGH - Proper configuration is essential for SSO",
+            "Effort: Medium - Requires permission set and user setup",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsets.html"
+        ]

aws-cis-controls-assessment 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl