PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.4__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.4py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

aws_cis_assessment/controls/ig1/control_version_mgmt.py ADDED Viewed

@@ -0,0 +1,329 @@
+"""
+CIS Control 2.2 - Version Management
+Ensures software versions are current and supported.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class EC2OSVersionSupportedAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 2.2 - Ensure Authorized Software is Currently Supported
+    AWS Config Rule: ec2-os-version-supported
+    Ensures EC2 instances run supported operating system versions.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="ec2-os-version-supported",
+            control_id="2.2",
+            resource_types=["AWS::EC2::Instance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get EC2 instances with OS information."""
+        if resource_type != "AWS::EC2::Instance":
+            return []
+        try:
+            ssm_client = aws_factory.get_client('ssm', region)
+            # Get instance information from SSM
+            response = ssm_client.describe_instance_information()
+            instances = []
+            for instance in response.get('InstanceInformationList', []):
+                platform_name = instance.get('PlatformName', 'Unknown')
+                platform_version = instance.get('PlatformVersion', 'Unknown')
+                # Simple heuristic for supported versions
+                is_supported = self._check_version_support(platform_name, platform_version)
+                instances.append({
+                    'InstanceId': instance.get('InstanceId'),
+                    'PlatformName': platform_name,
+                    'PlatformVersion': platform_version,
+                    'IsSupported': is_supported
+                })
+            return instances
+        except ClientError as e:
+            logger.error(f"Error retrieving instance information in {region}: {e}")
+            return []
+    def _check_version_support(self, platform_name: str, platform_version: str) -> bool:
+        """Check if OS version is supported (simplified logic)."""
+        # This is a simplified check - in production, maintain a list of EOL versions
+        deprecated_keywords = ['2008', '2012', 'centos 6', 'ubuntu 14', 'ubuntu 16']
+        platform_lower = f"{platform_name} {platform_version}".lower()
+        return not any(keyword in platform_lower for keyword in deprecated_keywords)
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if EC2 instance runs supported OS version."""
+        instance_id = resource.get('InstanceId', 'unknown')
+        platform_name = resource.get('PlatformName', 'Unknown')
+        platform_version = resource.get('PlatformVersion', 'Unknown')
+        is_supported = resource.get('IsSupported', True)
+        if is_supported:
+            evaluation_reason = f"Instance {instance_id} runs supported OS: {platform_name} {platform_version}"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"Instance {instance_id} runs unsupported OS: {platform_name} {platform_version}"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=instance_id,
+            resource_type="AWS::EC2::Instance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for OS version support."""
+        return [
+            "1. Identify instances with unsupported OS:",
+            "   aws ssm describe-instance-information \\",
+            "     --query 'InstanceInformationList[].{ID:InstanceId,OS:PlatformName,Version:PlatformVersion}'",
+            "",
+            "2. Plan migration to supported OS versions",
+            "3. Create new instances with supported OS",
+            "4. Migrate workloads to new instances",
+            "5. Decommission old instances",
+            "",
+            "Priority: HIGH - Security risk with unsupported OS",
+            "Effort: High - Requires migration planning",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html"
+        ]
+class RDSEngineVersionSupportedAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 2.2 - Ensure Authorized Software is Currently Supported
+    AWS Config Rule: rds-engine-version-supported
+    Ensures RDS instances run supported database engine versions.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="rds-engine-version-supported",
+            control_id="2.2",
+            resource_types=["AWS::RDS::DBInstance"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get RDS instances with engine version information."""
+        if resource_type != "AWS::RDS::DBInstance":
+            return []
+        try:
+            rds_client = aws_factory.get_client('rds', region)
+            response = rds_client.describe_db_instances()
+            instances = []
+            for db in response.get('DBInstances', []):
+                engine = db.get('Engine')
+                engine_version = db.get('EngineVersion')
+                # Check if version is deprecated
+                try:
+                    versions_response = rds_client.describe_db_engine_versions(
+                        Engine=engine,
+                        EngineVersion=engine_version
+                    )
+                    if versions_response.get('DBEngineVersions'):
+                        version_info = versions_response['DBEngineVersions'][0]
+                        is_deprecated = version_info.get('Status') == 'deprecated'
+                    else:
+                        is_deprecated = False
+                except ClientError:
+                    is_deprecated = False
+                instances.append({
+                    'DBInstanceIdentifier': db.get('DBInstanceIdentifier'),
+                    'Engine': engine,
+                    'EngineVersion': engine_version,
+                    'IsDeprecated': is_deprecated
+                })
+            return instances
+        except ClientError as e:
+            logger.error(f"Error retrieving RDS instances in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if RDS instance runs supported engine version."""
+        db_id = resource.get('DBInstanceIdentifier', 'unknown')
+        engine = resource.get('Engine', 'unknown')
+        engine_version = resource.get('EngineVersion', 'unknown')
+        is_deprecated = resource.get('IsDeprecated', False)
+        if not is_deprecated:
+            evaluation_reason = f"RDS instance {db_id} runs supported {engine} version {engine_version}"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"RDS instance {db_id} runs deprecated {engine} version {engine_version}"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=db_id,
+            resource_type="AWS::RDS::DBInstance",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for RDS version support."""
+        return [
+            "1. Check for available engine versions:",
+            "   aws rds describe-db-engine-versions \\",
+            "     --engine <engine-name> \\",
+            "     --query 'DBEngineVersions[?Status!=`deprecated`]'",
+            "",
+            "2. Upgrade RDS instance:",
+            "   aws rds modify-db-instance \\",
+            "     --db-instance-identifier <db-id> \\",
+            "     --engine-version <new-version> \\",
+            "     --apply-immediately",
+            "",
+            "3. Test application compatibility before upgrading",
+            "",
+            "Priority: HIGH - Deprecated versions lack security updates",
+            "Effort: Medium - Requires testing and maintenance window",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html"
+        ]
+class LambdaRuntimeSupportedAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 2.2 - Ensure Authorized Software is Currently Supported
+    AWS Config Rule: lambda-runtime-supported
+    Ensures Lambda functions use supported runtimes.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="lambda-runtime-supported",
+            control_id="2.2",
+            resource_types=["AWS::Lambda::Function"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get Lambda functions with runtime information."""
+        if resource_type != "AWS::Lambda::Function":
+            return []
+        try:
+            lambda_client = aws_factory.get_client('lambda', region)
+            functions = []
+            # Deprecated runtimes as of 2026
+            deprecated_runtimes = [
+                'python2.7', 'python3.6', 'python3.7',
+                'nodejs10.x', 'nodejs12.x', 'nodejs14.x',
+                'ruby2.5', 'ruby2.7',
+                'dotnetcore2.1', 'dotnetcore3.1',
+                'go1.x'
+            ]
+            paginator = lambda_client.get_paginator('list_functions')
+            for page in paginator.paginate():
+                for func in page.get('Functions', []):
+                    runtime = func.get('Runtime', 'unknown')
+                    is_deprecated = runtime in deprecated_runtimes
+                    functions.append({
+                        'FunctionName': func.get('FunctionName'),
+                        'FunctionArn': func.get('FunctionArn'),
+                        'Runtime': runtime,
+                        'IsDeprecated': is_deprecated
+                    })
+            return functions
+        except ClientError as e:
+            logger.error(f"Error retrieving Lambda functions in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if Lambda function uses supported runtime."""
+        function_name = resource.get('FunctionName', 'unknown')
+        runtime = resource.get('Runtime', 'unknown')
+        is_deprecated = resource.get('IsDeprecated', False)
+        if not is_deprecated:
+            evaluation_reason = f"Lambda function {function_name} uses supported runtime: {runtime}"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"Lambda function {function_name} uses deprecated runtime: {runtime}"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=resource.get('FunctionArn', function_name),
+            resource_type="AWS::Lambda::Function",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for Lambda runtime support."""
+        return [
+            "1. List functions with deprecated runtimes:",
+            "   aws lambda list-functions \\",
+            "     --query 'Functions[?Runtime==`python3.7`].FunctionName'",
+            "",
+            "2. Update function runtime:",
+            "   aws lambda update-function-configuration \\",
+            "     --function-name <function-name> \\",
+            "     --runtime python3.11",
+            "",
+            "3. Test function after runtime update",
+            "4. Update deployment packages if needed",
+            "",
+            "Priority: HIGH - Deprecated runtimes lose security support",
+            "Effort: Medium - Requires testing and code updates",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html"
+        ]

aws_cis_assessment/controls/ig1/control_vpc_flow_logs.py ADDED Viewed

@@ -0,0 +1,205 @@
+"""
+CIS Control 8.2 - VPC Flow Logs
+Ensures VPC Flow Logs are enabled for network traffic visibility.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class VPCFlowLogsEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 8.2 - Collect Audit Logs
+    AWS Config Rule: vpc-flow-logs-enabled
+    Ensures VPC Flow Logs are enabled for network traffic monitoring.
+    Flow Logs capture information about IP traffic going to and from
+    network interfaces in VPCs, essential for security analysis and troubleshooting.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="vpc-flow-logs-enabled",
+            control_id="8.2",
+            resource_types=["AWS::EC2::VPC"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get VPCs and their Flow Logs configuration."""
+        if resource_type != "AWS::EC2::VPC":
+            return []
+        try:
+            ec2_client = aws_factory.get_client('ec2', region)
+            # Get all VPCs
+            vpcs_response = ec2_client.describe_vpcs()
+            vpcs = vpcs_response.get('Vpcs', [])
+            if not vpcs:
+                return []
+            # Get all Flow Logs
+            flow_logs_response = ec2_client.describe_flow_logs()
+            flow_logs = flow_logs_response.get('FlowLogs', [])
+            # Create a mapping of VPC ID to Flow Logs
+            vpc_flow_logs = {}
+            for flow_log in flow_logs:
+                resource_id = flow_log.get('ResourceId', '')
+                if resource_id.startswith('vpc-'):
+                    if resource_id not in vpc_flow_logs:
+                        vpc_flow_logs[resource_id] = []
+                    vpc_flow_logs[resource_id].append(flow_log)
+            # Build resource list with Flow Log status
+            vpc_resources = []
+            for vpc in vpcs:
+                vpc_id = vpc.get('VpcId', '')
+                vpc_flow_log_list = vpc_flow_logs.get(vpc_id, [])
+                # Check if any active Flow Logs exist
+                active_flow_logs = [
+                    fl for fl in vpc_flow_log_list
+                    if fl.get('FlowLogStatus') == 'ACTIVE'
+                ]
+                vpc_resources.append({
+                    'VpcId': vpc_id,
+                    'IsDefault': vpc.get('IsDefault', False),
+                    'CidrBlock': vpc.get('CidrBlock', ''),
+                    'State': vpc.get('State', ''),
+                    'Region': region,
+                    'FlowLogs': active_flow_logs,
+                    'HasActiveFlowLogs': len(active_flow_logs) > 0,
+                    'Tags': vpc.get('Tags', [])
+                })
+            return vpc_resources
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'UnauthorizedOperation':
+                logger.warning(f"Access denied to describe VPCs/Flow Logs in {region}")
+            else:
+                logger.error(f"Error describing VPCs/Flow Logs in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if VPC has Flow Logs enabled."""
+        vpc_id = resource.get('VpcId', '')
+        has_flow_logs = resource.get('HasActiveFlowLogs', False)
+        flow_logs = resource.get('FlowLogs', [])
+        is_default = resource.get('IsDefault', False)
+        # Check if VPC has active Flow Logs
+        is_compliant = has_flow_logs
+        if is_compliant:
+            # Provide details about the Flow Logs
+            flow_log_details = []
+            for fl in flow_logs:
+                destination = fl.get('LogDestinationType', 'unknown')
+                traffic_type = fl.get('TrafficType', 'unknown')
+                flow_log_details.append(f"{traffic_type} to {destination}")
+            evaluation_reason = (
+                f"VPC {vpc_id} has {len(flow_logs)} active Flow Log(s) enabled: "
+                f"{', '.join(flow_log_details)}"
+            )
+            if is_default:
+                evaluation_reason += " (Default VPC)"
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            evaluation_reason = f"VPC {vpc_id} does not have Flow Logs enabled."
+            if is_default:
+                evaluation_reason += " (Default VPC - should be monitored)"
+            compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=vpc_id,
+            resource_type="AWS::EC2::VPC",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling VPC Flow Logs."""
+        return [
+            "1. Enable VPC Flow Logs in the AWS Console:",
+            "   - Navigate to VPC service",
+            "   - Select the VPC",
+            "   - Click 'Actions' > 'Create flow log'",
+            "   - Configure:",
+            "     * Filter: ALL (captures accepted and rejected traffic)",
+            "     * Destination: CloudWatch Logs or S3",
+            "     * IAM role: Create or select role with permissions",
+            "   - Click 'Create flow log'",
+            "",
+            "2. Enable Flow Logs using AWS CLI (CloudWatch Logs):",
+            "   # Create IAM role first (one-time setup)",
+            "   aws iam create-role \\",
+            "     --role-name VPCFlowLogsRole \\",
+            "     --assume-role-policy-document file://trust-policy.json",
+            "",
+            "   # Create Flow Log",
+            "   aws ec2 create-flow-logs \\",
+            "     --resource-type VPC \\",
+            "     --resource-ids <vpc-id> \\",
+            "     --traffic-type ALL \\",
+            "     --log-destination-type cloud-watch-logs \\",
+            "     --log-group-name /aws/vpc/flowlogs \\",
+            "     --deliver-logs-permission-arn <role-arn> \\",
+            "     --region <region>",
+            "",
+            "3. Enable Flow Logs using AWS CLI (S3):",
+            "   aws ec2 create-flow-logs \\",
+            "     --resource-type VPC \\",
+            "     --resource-ids <vpc-id> \\",
+            "     --traffic-type ALL \\",
+            "     --log-destination-type s3 \\",
+            "     --log-destination arn:aws:s3:::<bucket-name> \\",
+            "     --region <region>",
+            "",
+            "4. Best practices:",
+            "   - Enable for ALL traffic (not just ACCEPT or REJECT)",
+            "   - Use S3 for cost-effective long-term storage",
+            "   - Use CloudWatch Logs for real-time analysis and alerting",
+            "   - Set appropriate log retention (30-90 days minimum)",
+            "   - Enable for all VPCs, including default VPC",
+            "",
+            "5. Analyze Flow Logs:",
+            "   - Use CloudWatch Insights for queries",
+            "   - Use Athena for S3-based logs",
+            "   - Look for:",
+            "     * Rejected traffic (potential attacks)",
+            "     * Unusual traffic patterns",
+            "     * Data exfiltration attempts",
+            "     * Unauthorized access attempts",
+            "",
+            "6. Cost optimization:",
+            "   - Flow Logs incur charges for data ingestion and storage",
+            "   - Use sampling if full capture is too expensive",
+            "   - Archive old logs to S3 Glacier",
+            "",
+            "Priority: HIGH - Network visibility is essential for security",
+            "Effort: Low - Can be enabled in minutes per VPC",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html"
+        ]

aws-cis-controls-assessment 1.1.4__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws-cis-controls-assessment 1.1.4py3-none-any.whl → 1.2.0py3-none-any.whl