PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

aws_cis_assessment/controls/ig1/control_guardduty.py ADDED Viewed

@@ -0,0 +1,156 @@
+"""
+CIS Control 10.1 - GuardDuty Malware Defense
+Ensures GuardDuty is enabled for threat detection and malware defense.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class GuardDutyEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 10.1 - Deploy and Maintain Anti-Malware Software
+    AWS Config Rule: guardduty-enabled
+    Ensures GuardDuty is enabled for threat detection and malware defense.
+    GuardDuty provides intelligent threat detection by analyzing VPC Flow Logs,
+    CloudTrail events, and DNS logs to identify malicious activity.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="guardduty-enabled",
+            control_id="10.1",
+            resource_types=["AWS::GuardDuty::Detector"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get GuardDuty detector configuration for the region."""
+        if resource_type != "AWS::GuardDuty::Detector":
+            return []
+        try:
+            guardduty_client = aws_factory.get_client('guardduty', region)
+            # List all detectors in the region
+            response = guardduty_client.list_detectors()
+            detector_ids = response.get('DetectorIds', [])
+            if not detector_ids:
+                # No detector found - return a placeholder resource for non-compliance
+                return [{
+                    'DetectorId': 'none',
+                    'Status': 'DISABLED',
+                    'Region': region,
+                    'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                }]
+            # Get details for each detector
+            detectors = []
+            for detector_id in detector_ids:
+                try:
+                    detector_response = guardduty_client.get_detector(DetectorId=detector_id)
+                    detectors.append({
+                        'DetectorId': detector_id,
+                        'Status': detector_response.get('Status', 'UNKNOWN'),
+                        'FindingPublishingFrequency': detector_response.get('FindingPublishingFrequency', 'UNKNOWN'),
+                        'DataSources': detector_response.get('DataSources', {}),
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                    })
+                except ClientError as e:
+                    logger.warning(f"Error getting detector {detector_id} details: {e}")
+                    continue
+            return detectors if detectors else [{
+                'DetectorId': 'none',
+                'Status': 'DISABLED',
+                'Region': region,
+                'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+            }]
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to GuardDuty in {region}")
+            else:
+                logger.error(f"Error listing GuardDuty detectors in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if GuardDuty is enabled."""
+        detector_id = resource.get('DetectorId', 'none')
+        status = resource.get('Status', 'DISABLED')
+        # Check if GuardDuty is enabled
+        is_compliant = status == 'ENABLED'
+        if is_compliant:
+            evaluation_reason = (
+                f"GuardDuty detector {detector_id} is enabled in {region}. "
+                f"Finding publishing frequency: {resource.get('FindingPublishingFrequency', 'UNKNOWN')}"
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if detector_id == 'none':
+                evaluation_reason = f"GuardDuty is not enabled in {region}. No detector found."
+            else:
+                evaluation_reason = f"GuardDuty detector {detector_id} is disabled in {region}."
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=detector_id,
+            resource_type="AWS::GuardDuty::Detector",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling GuardDuty."""
+        return [
+            "1. Enable GuardDuty in the AWS Console:",
+            "   - Navigate to GuardDuty service",
+            "   - Click 'Get Started' or 'Enable GuardDuty'",
+            "   - Review and accept the service terms",
+            "   - Click 'Enable GuardDuty'",
+            "",
+            "2. Enable GuardDuty using AWS CLI:",
+            "   aws guardduty create-detector --enable --region <region>",
+            "",
+            "3. Configure finding publishing frequency (optional):",
+            "   aws guardduty update-detector \\",
+            "     --detector-id <detector-id> \\",
+            "     --finding-publishing-frequency FIFTEEN_MINUTES \\",
+            "     --region <region>",
+            "",
+            "4. Enable additional data sources (recommended):",
+            "   - S3 Protection: Monitors S3 data events",
+            "   - EKS Protection: Monitors Kubernetes audit logs",
+            "   - Malware Protection: Scans EBS volumes",
+            "",
+            "5. Set up notifications:",
+            "   - Create an SNS topic for GuardDuty findings",
+            "   - Configure EventBridge rules to route findings",
+            "",
+            "Priority: HIGH - GuardDuty provides critical threat detection",
+            "Effort: Low - Can be enabled in minutes",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html"
+        ]

aws_cis_assessment/controls/ig1/control_inspector.py ADDED Viewed

@@ -0,0 +1,184 @@
+"""
+CIS Control 7.1 - Amazon Inspector Vulnerability Management
+Ensures Amazon Inspector is enabled for vulnerability scanning.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class InspectorEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process
+    AWS Config Rule: inspector-enabled
+    Ensures Amazon Inspector v2 is enabled for automated vulnerability scanning.
+    Inspector scans EC2 instances, container images, and Lambda functions for
+    software vulnerabilities and network exposure.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="inspector-enabled",
+            control_id="7.1",
+            resource_types=["AWS::Inspector::AssessmentTarget"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get Amazon Inspector configuration for the region."""
+        if resource_type != "AWS::Inspector::AssessmentTarget":
+            return []
+        try:
+            inspector_client = aws_factory.get_client('inspector2', region)
+            # Check if Inspector is enabled by getting account status
+            try:
+                status_response = inspector_client.batch_get_account_status(
+                    accountIds=[aws_factory.get_account_info().get('account_id', '')]
+                )
+                accounts = status_response.get('accounts', [])
+                if not accounts:
+                    # Inspector not enabled
+                    return [{
+                        'InspectorId': 'none',
+                        'Status': 'DISABLED',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                        'ResourceTypes': []
+                    }]
+                account_status = accounts[0]
+                state = account_status.get('state', {}).get('status', 'DISABLED')
+                # Get coverage statistics
+                coverage_response = inspector_client.list_coverage(
+                    maxResults=1  # Just checking if any resources are covered
+                )
+                covered_resources = coverage_response.get('coveredResources', [])
+                has_coverage = len(covered_resources) > 0
+                # Get resource types being scanned
+                resource_state = account_status.get('resourceState', {})
+                enabled_resource_types = [
+                    rt for rt, status in resource_state.items()
+                    if status.get('status') == 'ENABLED'
+                ]
+                return [{
+                    'InspectorId': f"inspector-{region}",
+                    'Status': state,
+                    'Region': region,
+                    'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                    'ResourceTypes': enabled_resource_types,
+                    'HasCoverage': has_coverage
+                }]
+            except ClientError as e:
+                error_code = e.response.get('Error', {}).get('Code', '')
+                if error_code == 'ResourceNotFoundException':
+                    # Inspector not enabled
+                    return [{
+                        'InspectorId': 'none',
+                        'Status': 'DISABLED',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                        'ResourceTypes': []
+                    }]
+                raise
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to Inspector in {region}")
+            else:
+                logger.error(f"Error checking Inspector status in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if Amazon Inspector is enabled."""
+        inspector_id = resource.get('InspectorId', 'none')
+        status = resource.get('Status', 'DISABLED')
+        resource_types = resource.get('ResourceTypes', [])
+        # Check if Inspector is enabled
+        is_compliant = status == 'ENABLED' and len(resource_types) > 0
+        if is_compliant:
+            evaluation_reason = (
+                f"Amazon Inspector is enabled in {region}. "
+                f"Scanning resource types: {', '.join(resource_types)}"
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if inspector_id == 'none' or status == 'DISABLED':
+                evaluation_reason = f"Amazon Inspector is not enabled in {region}."
+            elif len(resource_types) == 0:
+                evaluation_reason = f"Amazon Inspector is enabled but no resource types are being scanned in {region}."
+            else:
+                evaluation_reason = f"Amazon Inspector status is {status} in {region}."
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=inspector_id,
+            resource_type="AWS::Inspector::AssessmentTarget",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling Amazon Inspector."""
+        return [
+            "1. Enable Amazon Inspector v2 in the AWS Console:",
+            "   - Navigate to Amazon Inspector service",
+            "   - Click 'Get Started' or 'Enable Inspector'",
+            "   - Select resource types to scan:",
+            "     * EC2 instances (for OS vulnerabilities)",
+            "     * ECR container images (for container vulnerabilities)",
+            "     * Lambda functions (for code vulnerabilities)",
+            "   - Click 'Enable'",
+            "",
+            "2. Enable Inspector using AWS CLI:",
+            "   aws inspector2 enable \\",
+            "     --resource-types EC2 ECR LAMBDA \\",
+            "     --region <region>",
+            "",
+            "3. Verify Inspector is scanning resources:",
+            "   aws inspector2 list-coverage \\",
+            "     --region <region>",
+            "",
+            "4. Configure finding aggregation (optional):",
+            "   - Set up cross-region aggregation for centralized findings",
+            "   - Configure finding suppression rules for false positives",
+            "",
+            "5. Set up notifications:",
+            "   - Create EventBridge rules to route findings to SNS/Slack",
+            "   - Configure Security Hub integration for centralized findings",
+            "",
+            "6. Review findings regularly:",
+            "   - Critical and High severity findings should be addressed immediately",
+            "   - Medium findings within 30 days",
+            "   - Low findings within 90 days",
+            "",
+            "Priority: HIGH - Vulnerability scanning is critical for security",
+            "Effort: Low - Can be enabled in minutes, ongoing effort for remediation",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html"
+        ]

aws-cis-controls-assessment 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl