PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

aws_cis_assessment/controls/ig1/control_ebs_encryption.py ADDED Viewed

@@ -0,0 +1,177 @@
+"""
+CIS Control 3.11 - EBS Encryption by Default
+Ensures EBS encryption by default is enabled for data at rest protection.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class EBSEncryptionByDefaultAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.11 - Encrypt Sensitive Data at Rest
+    AWS Config Rule: ebs-encryption-by-default
+    Ensures EBS encryption by default is enabled at the account level.
+    When enabled, all new EBS volumes and snapshots are automatically encrypted,
+    protecting data at rest without requiring manual configuration.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="ebs-encryption-by-default",
+            control_id="3.11",
+            resource_types=["AWS::::Account"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get EBS encryption by default status for the account in this region."""
+        if resource_type != "AWS::::Account":
+            return []
+        try:
+            ec2_client = aws_factory.get_client('ec2', region)
+            # Get EBS encryption by default status
+            response = ec2_client.get_ebs_encryption_by_default()
+            encryption_enabled = response.get('EbsEncryptionByDefault', False)
+            # Get default KMS key if encryption is enabled
+            default_kms_key = None
+            if encryption_enabled:
+                try:
+                    key_response = ec2_client.get_ebs_default_kms_key_id()
+                    default_kms_key = key_response.get('KmsKeyId', '')
+                except ClientError:
+                    pass
+            return [{
+                'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                'Region': region,
+                'EbsEncryptionByDefault': encryption_enabled,
+                'DefaultKmsKeyId': default_kms_key
+            }]
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'UnauthorizedOperation':
+                logger.warning(f"Access denied to check EBS encryption by default in {region}")
+            else:
+                logger.error(f"Error checking EBS encryption by default in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if EBS encryption by default is enabled."""
+        account_id = resource.get('AccountId', 'unknown')
+        encryption_enabled = resource.get('EbsEncryptionByDefault', False)
+        kms_key = resource.get('DefaultKmsKeyId', '')
+        # Check if encryption by default is enabled
+        is_compliant = encryption_enabled
+        if is_compliant:
+            if kms_key:
+                evaluation_reason = (
+                    f"EBS encryption by default is enabled in {region}. "
+                    f"Default KMS key: {kms_key}"
+                )
+            else:
+                evaluation_reason = (
+                    f"EBS encryption by default is enabled in {region} "
+                    f"using AWS managed key (aws/ebs)."
+                )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"EBS encryption by default is not enabled in {region}."
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=f"{account_id}-{region}",
+            resource_type="AWS::::Account",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling EBS encryption by default."""
+        return [
+            "1. Enable EBS encryption by default in the AWS Console:",
+            "   - Navigate to EC2 service",
+            "   - Click 'Account Attributes' in the left menu",
+            "   - Click 'EBS encryption'",
+            "   - Click 'Manage'",
+            "   - Check 'Enable' for 'Always encrypt new EBS volumes'",
+            "   - Optionally select a custom KMS key (recommended)",
+            "   - Click 'Update EBS encryption'",
+            "",
+            "2. Enable using AWS CLI (with AWS managed key):",
+            "   aws ec2 enable-ebs-encryption-by-default \\",
+            "     --region <region>",
+            "",
+            "3. Enable using AWS CLI (with custom KMS key):",
+            "   # First, enable encryption by default",
+            "   aws ec2 enable-ebs-encryption-by-default \\",
+            "     --region <region>",
+            "",
+            "   # Then, set the default KMS key",
+            "   aws ec2 modify-ebs-default-kms-key-id \\",
+            "     --kms-key-id <kms-key-id> \\",
+            "     --region <region>",
+            "",
+            "4. Enable in all regions (recommended):",
+            "   # Script to enable in all regions",
+            "   for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do",
+            "     echo \"Enabling EBS encryption in $region\"",
+            "     aws ec2 enable-ebs-encryption-by-default --region $region",
+            "   done",
+            "",
+            "5. Best practices:",
+            "   - Enable in ALL regions where you use EC2",
+            "   - Use customer-managed KMS keys for better control",
+            "   - Set up KMS key rotation",
+            "   - Grant appropriate IAM permissions for KMS key usage",
+            "   - Document the KMS key used in each region",
+            "",
+            "6. Important notes:",
+            "   - Only affects NEW volumes created after enabling",
+            "   - Existing unencrypted volumes remain unencrypted",
+            "   - To encrypt existing volumes:",
+            "     * Create encrypted snapshot from unencrypted volume",
+            "     * Create new encrypted volume from encrypted snapshot",
+            "     * Replace the unencrypted volume",
+            "   - No performance impact from encryption",
+            "   - No additional cost for encryption (KMS key costs apply)",
+            "",
+            "7. Verify encryption is working:",
+            "   # Create a test volume",
+            "   aws ec2 create-volume \\",
+            "     --availability-zone <az> \\",
+            "     --size 1 \\",
+            "     --region <region>",
+            "",
+            "   # Check if it's encrypted",
+            "   aws ec2 describe-volumes \\",
+            "     --volume-ids <volume-id> \\",
+            "     --query 'Volumes[0].Encrypted' \\",
+            "     --region <region>",
+            "",
+            "Priority: HIGH - Data at rest encryption is critical for compliance",
+            "Effort: Very Low - Can be enabled in seconds per region",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html"
+        ]

aws_cis_assessment/controls/ig1/control_efs_encryption.py ADDED Viewed

@@ -0,0 +1,243 @@
+"""
+CIS Control 3.11 - EFS Encryption
+Ensures EFS file systems have encryption enabled for data at rest protection.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class EFSEncryptedCheckAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 3.11 - Encrypt Sensitive Data at Rest
+    AWS Config Rule: efs-encrypted-check
+    Ensures EFS file systems have encryption at rest enabled.
+    Encrypted file systems protect data stored in EFS, including all files,
+    directories, and metadata.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="efs-encrypted-check",
+            control_id="3.11",
+            resource_types=["AWS::EFS::FileSystem"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get all EFS file systems in the region."""
+        if resource_type != "AWS::EFS::FileSystem":
+            return []
+        try:
+            efs_client = aws_factory.get_client('efs', region)
+            file_systems = []
+            paginator = efs_client.get_paginator('describe_file_systems')
+            for page in paginator.paginate():
+                for fs in page.get('FileSystems', []):
+                    file_system_id = fs.get('FileSystemId', '')
+                    encrypted = fs.get('Encrypted', False)
+                    kms_key_id = fs.get('KmsKeyId', '')
+                    name = fs.get('Name', '')
+                    lifecycle_state = fs.get('LifeCycleState', '')
+                    # Get tags to find Name tag
+                    tags = fs.get('Tags', [])
+                    name_tag = next((tag['Value'] for tag in tags if tag['Key'] == 'Name'), '')
+                    file_systems.append({
+                        'FileSystemId': file_system_id,
+                        'Encrypted': encrypted,
+                        'KmsKeyId': kms_key_id,
+                        'Name': name_tag or name,
+                        'LifeCycleState': lifecycle_state,
+                        'FileSystemArn': fs.get('FileSystemArn', ''),
+                        'SizeInBytes': fs.get('SizeInBytes', {}).get('Value', 0),
+                        'NumberOfMountTargets': fs.get('NumberOfMountTargets', 0)
+                    })
+            logger.debug(f"Found {len(file_systems)} EFS file systems in {region}")
+            return file_systems
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to list EFS file systems in {region}")
+            else:
+                logger.error(f"Error retrieving EFS file systems from {region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving EFS file systems from {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if EFS file system has encryption enabled."""
+        file_system_id = resource.get('FileSystemId', 'unknown')
+        encrypted = resource.get('Encrypted', False)
+        kms_key_id = resource.get('KmsKeyId', '')
+        name = resource.get('Name', '')
+        lifecycle_state = resource.get('LifeCycleState', '')
+        # Check if file system is encrypted
+        is_compliant = encrypted
+        if is_compliant:
+            if kms_key_id:
+                evaluation_reason = (
+                    f"EFS file system '{file_system_id}' "
+                    f"{f'({name}) ' if name else ''}"
+                    f"has encryption enabled with KMS key: {kms_key_id}"
+                )
+            else:
+                evaluation_reason = (
+                    f"EFS file system '{file_system_id}' "
+                    f"{f'({name}) ' if name else ''}"
+                    f"has encryption enabled with AWS managed key"
+                )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = (
+                f"EFS file system '{file_system_id}' "
+                f"{f'({name}) ' if name else ''}"
+                f"does not have encryption enabled. "
+                f"State: {lifecycle_state}"
+            )
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=file_system_id,
+            resource_type="AWS::EFS::FileSystem",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling EFS encryption."""
+        return [
+            "1. IMPORTANT: You CANNOT enable encryption on an existing unencrypted EFS file system.",
+            "   You must create a new encrypted file system and migrate data.",
+            "",
+            "2. Create a new encrypted EFS file system:",
+            "   aws efs create-file-system \\",
+            "     --encrypted \\",
+            "     --kms-key-id <kms-key-id> \\",  # Optional, uses default aws/elasticfilesystem if omitted",
+            "     --performance-mode <generalPurpose|maxIO> \\",
+            "     --throughput-mode <bursting|provisioned> \\",
+            "     --tags Key=Name,Value=<name> \\",
+            "     --region <region>",
+            "",
+            "3. Create mount targets in the same subnets as the old file system:",
+            "   # Get the new file system ID from the previous command",
+            "   NEW_FS_ID=<new-file-system-id>",
+            "",
+            "   # Create mount target for each subnet",
+            "   aws efs create-mount-target \\",
+            "     --file-system-id $NEW_FS_ID \\",
+            "     --subnet-id <subnet-id> \\",
+            "     --security-groups <security-group-id> \\",
+            "     --region <region>",
+            "",
+            "4. Wait for the new file system to become available:",
+            "   aws efs describe-file-systems \\",
+            "     --file-system-id $NEW_FS_ID \\",
+            "     --query 'FileSystems[0].LifeCycleState' \\",
+            "     --output text \\",
+            "     --region <region>",
+            "",
+            "5. Migrate data from old file system to new encrypted file system:",
+            "   # Option A: Using rsync from an EC2 instance with both file systems mounted",
+            "   # Mount old file system",
+            "   sudo mount -t nfs4 -o nfsvers=4.1 <old-fs-id>.efs.<region>.amazonaws.com:/ /mnt/old-efs",
+            "",
+            "   # Mount new file system",
+            "   sudo mount -t nfs4 -o nfsvers=4.1 <new-fs-id>.efs.<region>.amazonaws.com:/ /mnt/new-efs",
+            "",
+            "   # Copy data preserving permissions and timestamps",
+            "   sudo rsync -avh --progress /mnt/old-efs/ /mnt/new-efs/",
+            "",
+            "   # Option B: Using AWS DataSync for large datasets",
+            "   # Create DataSync task to migrate data",
+            "   # See: https://docs.aws.amazon.com/datasync/latest/userguide/create-efs-location.html",
+            "",
+            "6. Verify data integrity after migration:",
+            "   # Compare file counts",
+            "   find /mnt/old-efs -type f | wc -l",
+            "   find /mnt/new-efs -type f | wc -l",
+            "",
+            "   # Compare total size",
+            "   du -sh /mnt/old-efs",
+            "   du -sh /mnt/new-efs",
+            "",
+            "7. Update application mount points to use the new file system:",
+            "   # Update /etc/fstab or application configuration",
+            "   # Old: <old-fs-id>.efs.<region>.amazonaws.com:/",
+            "   # New: <new-fs-id>.efs.<region>.amazonaws.com:/",
+            "",
+            "8. Test applications thoroughly with the new encrypted file system:",
+            "   - Verify read/write operations",
+            "   - Verify application functionality",
+            "   - Verify performance is acceptable",
+            "   - Test backup and restore procedures",
+            "",
+            "9. After successful testing, delete the old unencrypted file system:",
+            "   # First, delete all mount targets",
+            "   aws efs describe-mount-targets \\",
+            "     --file-system-id <old-fs-id> \\",
+            "     --region <region> \\",
+            "     --query 'MountTargets[].MountTargetId' \\",
+            "     --output text | xargs -n1 aws efs delete-mount-target --mount-target-id",
+            "",
+            "   # Wait for mount targets to be deleted",
+            "   # Then delete the file system",
+            "   aws efs delete-file-system \\",
+            "     --file-system-id <old-fs-id> \\",
+            "     --region <region>",
+            "",
+            "10. For NEW file systems, always enable encryption at creation:",
+            "    # Console method:",
+            "    - Navigate to EFS service",
+            "    - Click 'Create file system'",
+            "    - Click 'Customize'",
+            "    - Under 'Encryption', check 'Enable encryption of data at rest'",
+            "    - Select KMS key (or use default aws/elasticfilesystem)",
+            "    - Complete the configuration",
+            "",
+            "11. Best practices:",
+            "    - Use customer-managed KMS keys for better control",
+            "    - Enable automatic key rotation for KMS keys",
+            "    - Grant appropriate IAM permissions for KMS key usage",
+            "    - Enable encryption in transit (TLS) in addition to at-rest encryption",
+            "    - Document the KMS key used for each file system",
+            "    - Use EFS Access Points for application-specific access control",
+            "    - Enable EFS Backup for encrypted file systems",
+            "",
+            "12. Important notes:",
+            "    - Encryption cannot be removed once enabled",
+            "    - Encrypted file systems can only be restored to encrypted file systems",
+            "    - Backups inherit encryption from source file system",
+            "    - Performance impact is negligible",
+            "    - No additional cost for encryption (KMS key costs apply)",
+            "    - Encryption in transit (TLS) is separate and should also be enabled",
+            "",
+            "Priority: HIGH - File system encryption is critical for compliance and data protection",
+            "Effort: High - Requires creating new file system and migrating data",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/efs/latest/ug/encryption.html"
+        ]

aws_cis_assessment/controls/ig1/control_elb_logging.py ADDED Viewed

@@ -0,0 +1,195 @@
+"""
+CIS Control 8.2 - ELB Access Logging
+Ensures ELB access logs are enabled for load balancer traffic visibility.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class ELBLoggingEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 8.2 - Collect Audit Logs
+    AWS Config Rule: elb-logging-enabled
+    Ensures Elastic Load Balancer access logs are enabled.
+    Access logs capture detailed information about requests sent to the load balancer,
+    essential for security analysis, troubleshooting, and compliance.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="elb-logging-enabled",
+            control_id="8.2",
+            resource_types=["AWS::ElasticLoadBalancingV2::LoadBalancer"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get load balancers and their logging configuration."""
+        if resource_type != "AWS::ElasticLoadBalancingV2::LoadBalancer":
+            return []
+        try:
+            elbv2_client = aws_factory.get_client('elbv2', region)
+            # Get all load balancers
+            response = elbv2_client.describe_load_balancers()
+            load_balancers = response.get('LoadBalancers', [])
+            if not load_balancers:
+                return []
+            # Get attributes for each load balancer
+            lb_resources = []
+            for lb in load_balancers:
+                lb_arn = lb.get('LoadBalancerArn', '')
+                try:
+                    # Get load balancer attributes
+                    attrs_response = elbv2_client.describe_load_balancer_attributes(
+                        LoadBalancerArn=lb_arn
+                    )
+                    attributes = attrs_response.get('Attributes', [])
+                    # Check if access logs are enabled
+                    logging_enabled = False
+                    s3_bucket = ''
+                    s3_prefix = ''
+                    for attr in attributes:
+                        if attr.get('Key') == 'access_logs.s3.enabled':
+                            logging_enabled = attr.get('Value', 'false').lower() == 'true'
+                        elif attr.get('Key') == 'access_logs.s3.bucket':
+                            s3_bucket = attr.get('Value', '')
+                        elif attr.get('Key') == 'access_logs.s3.prefix':
+                            s3_prefix = attr.get('Value', '')
+                    lb_resources.append({
+                        'LoadBalancerArn': lb_arn,
+                        'LoadBalancerName': lb.get('LoadBalancerName', ''),
+                        'Type': lb.get('Type', ''),
+                        'Scheme': lb.get('Scheme', ''),
+                        'State': lb.get('State', {}).get('Code', ''),
+                        'Region': region,
+                        'LoggingEnabled': logging_enabled,
+                        'S3Bucket': s3_bucket,
+                        'S3Prefix': s3_prefix
+                    })
+                except ClientError as e:
+                    logger.warning(f"Error getting attributes for load balancer {lb_arn}: {e}")
+                    continue
+            return lb_resources
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDenied':
+                logger.warning(f"Access denied to describe load balancers in {region}")
+            else:
+                logger.error(f"Error describing load balancers in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if load balancer has access logging enabled."""
+        lb_arn = resource.get('LoadBalancerArn', '')
+        lb_name = resource.get('LoadBalancerName', '')
+        logging_enabled = resource.get('LoggingEnabled', False)
+        s3_bucket = resource.get('S3Bucket', '')
+        lb_type = resource.get('Type', '')
+        # Check if logging is enabled
+        is_compliant = logging_enabled and s3_bucket
+        if is_compliant:
+            evaluation_reason = (
+                f"Load balancer '{lb_name}' ({lb_type}) has access logging enabled. "
+                f"Logs are stored in S3 bucket: {s3_bucket}"
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if not logging_enabled:
+                evaluation_reason = f"Load balancer '{lb_name}' ({lb_type}) does not have access logging enabled."
+            else:
+                evaluation_reason = f"Load balancer '{lb_name}' ({lb_type}) has logging enabled but no S3 bucket configured."
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=lb_arn,
+            resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling ELB access logging."""
+        return [
+            "1. Enable ELB access logging in the AWS Console:",
+            "   - Navigate to EC2 > Load Balancers",
+            "   - Select the load balancer",
+            "   - Click 'Actions' > 'Edit attributes'",
+            "   - Under 'Access logs', click 'Enable'",
+            "   - Specify S3 bucket name (bucket must exist)",
+            "   - Optionally specify S3 prefix",
+            "   - Click 'Save'",
+            "",
+            "2. Create S3 bucket for logs (if needed):",
+            "   aws s3 mb s3://<bucket-name> --region <region>",
+            "",
+            "3. Add bucket policy to allow ELB to write logs:",
+            "   # Get ELB service account ID for your region from AWS docs",
+            "   # Apply this policy to your S3 bucket:",
+            "   {",
+            '     "Version": "2012-10-17",',
+            '     "Statement": [{',
+            '       "Effect": "Allow",',
+            '       "Principal": {"AWS": "arn:aws:iam::<elb-account-id>:root"},',
+            '       "Action": "s3:PutObject",',
+            '       "Resource": "arn:aws:s3:::<bucket-name>/*"',
+            "     }]",
+            "   }",
+            "",
+            "4. Enable access logging using AWS CLI:",
+            "   aws elbv2 modify-load-balancer-attributes \\",
+            "     --load-balancer-arn <lb-arn> \\",
+            "     --attributes \\",
+            "       Key=access_logs.s3.enabled,Value=true \\",
+            "       Key=access_logs.s3.bucket,Value=<bucket-name> \\",
+            "       Key=access_logs.s3.prefix,Value=<prefix> \\",
+            "     --region <region>",
+            "",
+            "5. Best practices:",
+            "   - Use a dedicated S3 bucket for logs",
+            "   - Enable S3 bucket encryption",
+            "   - Set appropriate lifecycle policies (30-90 days retention)",
+            "   - Use S3 Intelligent-Tiering or Glacier for cost optimization",
+            "   - Enable for all load balancers (ALB, NLB, CLB)",
+            "",
+            "6. Analyze access logs:",
+            "   - Use Athena to query logs",
+            "   - Look for:",
+            "     * Unusual traffic patterns",
+            "     * Failed requests (4xx, 5xx errors)",
+            "     * Potential attacks (SQL injection, XSS)",
+            "     * Performance issues",
+            "",
+            "Priority: HIGH - Load balancer logs are essential for security and troubleshooting",
+            "Effort: Low - Can be enabled in minutes per load balancer",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html"
+        ]

aws-cis-controls-assessment 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl