aws-cis-controls-assessment 1.1.4__py3-none-any.whl → 1.2.2__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- aws_cis_assessment/__init__.py +4 -4
- aws_cis_assessment/config/rules/cis_controls_ig1.yaml +365 -2
- aws_cis_assessment/controls/base_control.py +106 -24
- aws_cis_assessment/controls/ig1/__init__.py +144 -15
- aws_cis_assessment/controls/ig1/control_4_1.py +4 -4
- aws_cis_assessment/controls/ig1/control_access_analyzer.py +198 -0
- aws_cis_assessment/controls/ig1/control_access_asset_mgmt.py +360 -0
- aws_cis_assessment/controls/ig1/control_access_control.py +323 -0
- aws_cis_assessment/controls/ig1/control_backup_security.py +579 -0
- aws_cis_assessment/controls/ig1/control_cloudfront_logging.py +215 -0
- aws_cis_assessment/controls/ig1/control_configuration_mgmt.py +407 -0
- aws_cis_assessment/controls/ig1/control_data_classification.py +255 -0
- aws_cis_assessment/controls/ig1/control_dynamodb_encryption.py +279 -0
- aws_cis_assessment/controls/ig1/control_ebs_encryption.py +177 -0
- aws_cis_assessment/controls/ig1/control_efs_encryption.py +243 -0
- aws_cis_assessment/controls/ig1/control_elb_logging.py +195 -0
- aws_cis_assessment/controls/ig1/control_guardduty.py +156 -0
- aws_cis_assessment/controls/ig1/control_inspector.py +184 -0
- aws_cis_assessment/controls/ig1/control_inventory.py +511 -0
- aws_cis_assessment/controls/ig1/control_macie.py +165 -0
- aws_cis_assessment/controls/ig1/control_messaging_encryption.py +419 -0
- aws_cis_assessment/controls/ig1/control_mfa.py +485 -0
- aws_cis_assessment/controls/ig1/control_network_security.py +194 -619
- aws_cis_assessment/controls/ig1/control_patch_management.py +626 -0
- aws_cis_assessment/controls/ig1/control_rds_encryption.py +228 -0
- aws_cis_assessment/controls/ig1/control_s3_encryption.py +383 -0
- aws_cis_assessment/controls/ig1/control_tls_ssl.py +556 -0
- aws_cis_assessment/controls/ig1/control_version_mgmt.py +337 -0
- aws_cis_assessment/controls/ig1/control_vpc_flow_logs.py +205 -0
- aws_cis_assessment/controls/ig1/control_waf_logging.py +226 -0
- aws_cis_assessment/core/assessment_engine.py +160 -11
- aws_cis_assessment/core/aws_client_factory.py +17 -5
- aws_cis_assessment/core/models.py +20 -1
- aws_cis_assessment/core/scoring_engine.py +102 -1
- aws_cis_assessment/reporters/base_reporter.py +58 -13
- aws_cis_assessment/reporters/html_reporter.py +186 -9
- aws_cis_controls_assessment-1.2.2.dist-info/METADATA +320 -0
- {aws_cis_controls_assessment-1.1.4.dist-info → aws_cis_controls_assessment-1.2.2.dist-info}/RECORD +44 -20
- docs/developer-guide.md +204 -5
- docs/user-guide.md +137 -4
- aws_cis_controls_assessment-1.1.4.dist-info/METADATA +0 -404
- {aws_cis_controls_assessment-1.1.4.dist-info → aws_cis_controls_assessment-1.2.2.dist-info}/WHEEL +0 -0
- {aws_cis_controls_assessment-1.1.4.dist-info → aws_cis_controls_assessment-1.2.2.dist-info}/entry_points.txt +0 -0
- {aws_cis_controls_assessment-1.1.4.dist-info → aws_cis_controls_assessment-1.2.2.dist-info}/licenses/LICENSE +0 -0
- {aws_cis_controls_assessment-1.1.4.dist-info → aws_cis_controls_assessment-1.2.2.dist-info}/top_level.txt +0 -0
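--- a/aws_cis_assessment/__init__.py
+++ b/aws_cis_assessment/__init__.py
@@ -2,10 +2,10 @@
 AWS CIS Controls Compliance Assessment Framework
 
 A production-ready, enterprise-grade framework for evaluating AWS account configurations against
-CIS Controls Implementation Groups (IG1, IG2, IG3). Implements
-across all implementation groups
+CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 175 comprehensive AWS Config rules
+across all implementation groups with 75%+ coverage of CIS Controls v8.1 IG1 safeguards.
 """
 
-__version__ = "1.
+__version__ = "1.2.2"
 __author__ = "AWS CIS Assessment Team"
-__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"
+__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework with Enhanced IG1 Coverage"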
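--- a/aws_cis_assessment/config/rules/cis_controls_ig1.yaml
+++ b/aws_cis_assessment/config/rules/cis_controls_ig1.yaml
@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules:
+total_rules: 125
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
 '1.1':
@@ -39,6 +39,48 @@ controls:
 parameters: {}
 description: Assessment for ec2-security-group-attached-to-eni Config rule.
 remediation_guidance: Follow AWS Config rule guidance for ec2-security-group-attached-to-eni
+- name: ssm-inventory-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: ssm-inventory-enabled\n \n Ensures AWS Systems Manager Inventory is enabled for comprehensive asset tracking."
+remediation_guidance: Follow AWS Config rule guidance for ssm-inventory-enabled
+- name: config-enabled-all-regions
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: config-enabled-all-regions\n \n Ensures AWS Config is enabled in all regions for complete resource tracking."
+remediation_guidance: Follow AWS Config rule guidance for config-enabled-all-regions
+- name: ami-inventory-tracking
+resource_types:
+- AWS::EC2::Image
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: ami-inventory-tracking\n \n Ensures AMIs are properly tagged for inventory management."
+remediation_guidance: Follow AWS Config rule guidance for ami-inventory-tracking
+- name: lambda-runtime-inventory
+resource_types:
+- AWS::Lambda::Function
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: lambda-runtime-inventory\n \n Tracks Lambda function runtimes for inventory purposes."
+remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-inventory
+- name: iam-user-inventory-check
+resource_types:
+- AWS::IAM::User
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: iam-user-inventory-check\n \n Ensures IAM users have proper inventory tags for asset management."
+remediation_guidance: Follow AWS Config rule guidance for iam-user-inventory-check
+- name: asset-tagging-compliance
+resource_types:
+- AWS::EC2::Instance
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: asset-tagging-compliance\n \n Ensures resources have required tags for asset management."
+remediation_guidance: Follow AWS Config rule guidance for asset-tagging-compliance
+- name: unauthorized-asset-detection
+resource_types:
+- AWS::EC2::Instance
+parameters: {}
+description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n AWS Config Rule: unauthorized-asset-detection\n \n Detects resources without proper authorization tags."
+remediation_guidance: Follow AWS Config rule guidance for unauthorized-asset-detection
 '1.5':
 title: Control 1.5
 weight: 1.0
@@ -201,6 +243,18 @@ controls:
 "ConditionValue": "true"
 }]
 }'
+- name: rds-backup-retention-check
+resource_types:
+- AWS::RDS::DBInstance
+parameters: {}
+description: "CIS Control 11.2 - Perform Automated Backups\n AWS Config Rule: rds-backup-retention-check\n \n Ensures RDS instances have adequate backup retention periods (minimum 7 days)."
+remediation_guidance: Follow AWS Config rule guidance for rds-backup-retention-check
+- name: route53-query-logging-enabled
+resource_types:
+- AWS::Route53::HostedZone
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: route53-query-logging-enabled\n \n Ensures Route 53 hosted zones have query logging enabled."
+remediation_guidance: Follow AWS Config rule guidance for route53-query-logging-enabled
 '12.2':
 title: Control 12.2
 weight: 1.0
@@ -238,6 +292,24 @@ controls:
 parameters: {}
 description: Assessment for ecs-fargate-latest-platform-version Config rule.
 remediation_guidance: Follow AWS Config rule guidance for ecs-fargate-latest-platform-version
+- name: ec2-os-version-supported
+resource_types:
+- AWS::EC2::Instance
+parameters: {}
+description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n AWS Config Rule: ec2-os-version-supported\n \n Ensures EC2 instances run supported operating system versions."
+remediation_guidance: Follow AWS Config rule guidance for ec2-os-version-supported
+- name: rds-engine-version-supported
+resource_types:
+- AWS::RDS::DBInstance
+parameters: {}
+description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n AWS Config Rule: rds-engine-version-supported\n \n Ensures RDS instances run supported database engine versions."
+remediation_guidance: Follow AWS Config rule guidance for rds-engine-version-supported
+- name: lambda-runtime-supported
+resource_types:
+- AWS::Lambda::Function
+parameters: {}
+description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n AWS Config Rule: lambda-runtime-supported\n \n Ensures Lambda functions use supported runtimes."
+remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-supported
 2.2.1:
 title: Control 2.2.1
 weight: 1.0
@@ -271,6 +343,36 @@ controls:
 \ Rule: cloudwatch-log-group-encrypted\n \n Ensures CloudWatch Log Groups\
 \ are encrypted with KMS keys."
 remediation_guidance: Follow AWS Config rule guidance for cloudwatch-log-group-encrypted
+- name: ebs-encryption-by-default
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: ebs-encryption-by-default\n \n Ensures EBS encryption by default is enabled at the account level for automatic volume encryption."
+remediation_guidance: Follow AWS Config rule guidance for ebs-encryption-by-default
+- name: rds-storage-encrypted
+resource_types:
+- AWS::RDS::DBInstance
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: rds-storage-encrypted\n \n Ensures RDS database instances have storage encryption enabled."
+remediation_guidance: Follow AWS Config rule guidance for rds-storage-encrypted
+- name: efs-encrypted-check
+resource_types:
+- AWS::EFS::FileSystem
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: efs-encrypted-check\n \n Ensures EFS file systems have encryption at rest enabled."
+remediation_guidance: Follow AWS Config rule guidance for efs-encrypted-check
+- name: dynamodb-table-encrypted-kms
+resource_types:
+- AWS::DynamoDB::Table
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: dynamodb-table-encrypted-kms\n \n Ensures DynamoDB tables are encrypted with customer-managed KMS keys."
+remediation_guidance: Follow AWS Config rule guidance for dynamodb-table-encrypted-kms
+- name: s3-default-encryption-kms
+resource_types:
+- AWS::S3::Bucket
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: s3-default-encryption-kms\n \n Ensures S3 buckets have default encryption enabled with customer-managed KMS keys."
+remediation_guidance: Follow AWS Config rule guidance for s3-default-encryption-kms
 '3.3':
 title: Configure Data Access Control Lists
 weight: 1.0
@@ -648,6 +750,18 @@ controls:
 parameters: {}
 description: Assessment for access-keys-rotated Config rule.
 remediation_guidance: Follow AWS Config rule guidance for access-keys-rotated
+- name: config-conformance-pack-deployed
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n AWS Config Rule: config-conformance-pack-deployed\n \n Ensures AWS Config conformance packs are deployed for configuration management."
+remediation_guidance: Follow AWS Config rule guidance for config-conformance-pack-deployed
+- name: securityhub-standards-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n AWS Config Rule: securityhub-standards-enabled\n \n Ensures Security Hub standards are enabled for security configuration management."
+remediation_guidance: Follow AWS Config rule guidance for securityhub-standards-enabled
 '5.2':
 title: Use Unique Passwords
 weight: 1.0
@@ -659,8 +773,36 @@ controls:
 description: Assessment for iam-password-policy Config rule - ensures strong
 password policy.
 remediation_guidance: Follow AWS Config rule guidance for iam-password-policy
+'6.2':
+title: Establish and Maintain a Secure Network Architecture
+weight: 1.0
+config_rules:
+- name: guardduty-enabled-centralized
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n AWS Config Rule: guardduty-enabled-centralized\n \n Ensures GuardDuty is enabled for threat detection and continuous monitoring."
+remediation_guidance: Follow AWS Config rule guidance for guardduty-enabled-centralized
+- name: inspector-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n AWS Config Rule: inspector-enabled\n \n Ensures Amazon Inspector is enabled for vulnerability scanning and security assessments."
+remediation_guidance: Follow AWS Config rule guidance for inspector-enabled
+- name: macie-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n AWS Config Rule: macie-enabled\n \n Ensures Amazon Macie is enabled for sensitive data discovery and protection."
+remediation_guidance: Follow AWS Config rule guidance for macie-enabled
+- name: iam-access-analyzer-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n AWS Config Rule: iam-access-analyzer-enabled\n \n Ensures IAM Access Analyzer is enabled to detect external access to resources."
+remediation_guidance: Follow AWS Config rule guidance for iam-access-analyzer-enabled
 '8.2':
-title:
+title: Collect Audit Logs
 weight: 1.0
 config_rules:
 - name: cloudtrail-enabled
@@ -671,6 +813,30 @@ controls:
 \ \n Ensures CloudTrail is enabled to record AWS Management Console\
 \ actions and API calls."
 remediation_guidance: Follow AWS Config rule guidance for cloudtrail-enabled
+- name: vpc-flow-logs-enabled
+resource_types:
+- AWS::EC2::VPC
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: vpc-flow-logs-enabled\n \n Ensures VPC Flow Logs are enabled for network traffic monitoring and analysis."
+remediation_guidance: Follow AWS Config rule guidance for vpc-flow-logs-enabled
+- name: elb-logging-enabled
+resource_types:
+- AWS::ElasticLoadBalancingV2::LoadBalancer
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: elb-logging-enabled\n \n Ensures Elastic Load Balancer access logs are enabled for request tracking."
+remediation_guidance: Follow AWS Config rule guidance for elb-logging-enabled
+- name: cloudfront-accesslogs-enabled
+resource_types:
+- AWS::CloudFront::Distribution
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: cloudfront-accesslogs-enabled\n \n Ensures CloudFront distributions have access logging enabled."
+remediation_guidance: Follow AWS Config rule guidance for cloudfront-accesslogs-enabled
+- name: wafv2-logging-enabled
+resource_types:
+- AWS::WAFv2::WebACL
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: wafv2-logging-enabled\n \n Ensures WAF web ACLs have logging enabled for security monitoring."
+remediation_guidance: Follow AWS Config rule guidance for wafv2-logging-enabled
 '8.8':
 title: Control 8.8
 weight: 1.0
@@ -681,3 +847,200 @@ controls:
 parameters: {}
 description: Assessment for securityhub-enabled AWS Config rule.
 remediation_guidance: Follow AWS Config rule guidance for securityhub-enabled
+'7.1':
+title: Establish and Maintain a Vulnerability Management Process
+weight: 1.0
+config_rules:
+- name: ssm-patch-manager-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n AWS Config Rule: ssm-patch-manager-enabled\n \n Ensures AWS Systems Manager Patch Manager is configured with patch baselines."
+remediation_guidance: Follow AWS Config rule guidance for ssm-patch-manager-enabled
+- name: ssm-patch-baseline-configured
+resource_types:
+- AWS::SSM::PatchBaseline
+parameters: {}
+description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n AWS Config Rule: ssm-patch-baseline-configured\n \n Ensures SSM patch baselines have proper approval rules and patch filters configured."
+remediation_guidance: Follow AWS Config rule guidance for ssm-patch-baseline-configured
+- name: ec2-patch-compliance-status
+resource_types:
+- AWS::EC2::Instance
+parameters: {}
+description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n AWS Config Rule: ec2-patch-compliance-status\n \n Ensures EC2 instances are compliant with patch baselines and have no missing patches."
+remediation_guidance: Follow AWS Config rule guidance for ec2-patch-compliance-status
+'5.3':
+title: Disable Dormant Accounts
+weight: 1.0
+config_rules:
+- name: sso-enabled-check
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 5.3 - Disable Dormant Accounts\n AWS Config Rule: sso-enabled-check\n \n Ensures AWS SSO (Identity Center) is enabled for centralized identity management."
+remediation_guidance: Follow AWS Config rule guidance for sso-enabled-check
+- name: identity-center-configured
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 5.3 - Disable Dormant Accounts\n AWS Config Rule: identity-center-configured\n \n Ensures AWS Identity Center has permission sets and proper configuration."
+remediation_guidance: Follow AWS Config rule guidance for identity-center-configured
+- name: iam-user-last-access-check
+resource_types:
+- AWS::IAM::User
+parameters: {}
+description: "CIS Control 5.3 - Disable Dormant Accounts\n AWS Config Rule: iam-user-last-access-check\n \n Ensures IAM users have been accessed recently (within 90 days)."
+remediation_guidance: Follow AWS Config rule guidance for iam-user-last-access-check
+'6.5':
+title: Require MFA for Administrative Access
+weight: 1.0
+config_rules:
+- name: iam-admin-mfa-required
+resource_types:
+- AWS::IAM::User
+parameters: {}
+description: "CIS Control 6.5 - Require MFA for Administrative Access\n AWS Config Rule: iam-admin-mfa-required\n \n Ensures IAM users with administrative privileges have MFA enabled."
+remediation_guidance: Follow AWS Config rule guidance for iam-admin-mfa-required
+- name: cognito-mfa-enabled
+resource_types:
+- AWS::Cognito::UserPool
+parameters: {}
+description: "CIS Control 6.5 - Require MFA for Administrative Access\n AWS Config Rule: cognito-mfa-enabled\n \n Ensures Cognito user pools require MFA for user authentication."
+remediation_guidance: Follow AWS Config rule guidance for cognito-mfa-enabled
+- name: vpn-mfa-enabled
+resource_types:
+- AWS::EC2::ClientVpnEndpoint
+parameters: {}
+description: "CIS Control 6.5 - Require MFA for Administrative Access\n AWS Config Rule: vpn-mfa-enabled\n \n Ensures Client VPN endpoints require MFA for authentication."
+remediation_guidance: Follow AWS Config rule guidance for vpn-mfa-enabled
+'3.10':
+title: Encrypt Sensitive Data in Transit
+weight: 1.0
+config_rules:
+- name: alb-http-to-https-redirection-check
+resource_types:
+- AWS::ElasticLoadBalancingV2::LoadBalancer
+parameters: {}
+description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n AWS Config Rule: alb-http-to-https-redirection-check\n \n Ensures Application Load Balancers redirect HTTP traffic to HTTPS."
+remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection-check
+- name: elb-tls-https-listeners-only
+resource_types:
+- AWS::ElasticLoadBalancingV2::LoadBalancer
+parameters: {}
+description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n AWS Config Rule: elb-tls-https-listeners-only\n \n Ensures Elastic Load Balancers use only HTTPS/TLS listeners."
+remediation_guidance: Follow AWS Config rule guidance for elb-tls-https-listeners-only
+- name: rds-ssl-connection-required
+resource_types:
+- AWS::RDS::DBInstance
+parameters: {}
+description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n AWS Config Rule: rds-ssl-connection-required\n \n Ensures RDS database instances require SSL/TLS connections."
+remediation_guidance: Follow AWS Config rule guidance for rds-ssl-connection-required
+- name: api-gateway-ssl-enabled
+resource_types:
+- AWS::ApiGateway::RestApi
+parameters: {}
+description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n AWS Config Rule: api-gateway-ssl-enabled\n \n Ensures API Gateway REST APIs use SSL/TLS certificates."
+remediation_guidance: Follow AWS Config rule guidance for api-gateway-ssl-enabled
+- name: redshift-require-tls-ssl
+resource_types:
+- AWS::Redshift::Cluster
+parameters: {}
+description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n AWS Config Rule: redshift-require-tls-ssl\n \n Ensures Redshift clusters require TLS/SSL for connections."
+remediation_guidance: Follow AWS Config rule guidance for redshift-require-tls-ssl
+- name: sns-encrypted-kms
+resource_types:
+- AWS::SNS::Topic
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: sns-encrypted-kms\n \n Ensures SNS topics are encrypted with customer-managed KMS keys."
+remediation_guidance: Follow AWS Config rule guidance for sns-encrypted-kms
+- name: sqs-queue-encrypted
+resource_types:
+- AWS::SQS::Queue
+parameters: {}
+description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n AWS Config Rule: sqs-queue-encrypted\n \n Ensures SQS queues are encrypted at rest."
+remediation_guidance: Follow AWS Config rule guidance for sqs-queue-encrypted
+- name: cloudtrail-s3-dataevents-enabled
+resource_types:
+- AWS::CloudTrail::Trail
+parameters: {}
+description: "CIS Control 8.2 - Collect Audit Logs\n AWS Config Rule: cloudtrail-s3-dataevents-enabled\n \n Ensures CloudTrail logs S3 data events for object-level operations monitoring."
+remediation_guidance: Follow AWS Config rule guidance for cloudtrail-s3-dataevents-enabled
+'7.5':
+title: Perform Automated Vulnerability Scans
+weight: 1.0
+config_rules:
+- name: inspector-assessment-enabled
+resource_types:
+- AWS::::Account
+parameters: {}
+description: "CIS Control 7.5 - Perform Automated Vulnerability Scans\n AWS Config Rule: inspector-assessment-enabled\n \n Ensures Amazon Inspector assessments are actively running for vulnerability detection."
+remediation_guidance: Follow AWS Config rule guidance for inspector-assessment-enabled
+'12.4':
+title: Establish and Maintain Architecture Diagram(s)
+weight: 1.0
+config_rules:
+- name: ssm-session-manager-enabled
+resource_types:
+- AWS::EC2::Instance
+parameters: {}
+description: "CIS Control 12.4 - Establish and Maintain Architecture Diagram(s)\n AWS Config Rule: ssm-session-manager-enabled\n \n Ensures Systems Manager Session Manager is available for secure instance access."
+remediation_guidance: Follow AWS Config rule guidance for ssm-session-manager-enabled
+'3.12':
+title: Segment Data Processing and Storage Based on Sensitivity
+weight: 1.0
+config_rules:
+- name: data-classification-tagging
+resource_types:
+- AWS::RDS::DBInstance
+- AWS::DynamoDB::Table
+parameters: {}
+description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n AWS Config Rule: data-classification-tagging\n \n Ensures data resources have proper classification tags (DataClassification, Sensitivity, or Compliance)."
+remediation_guidance: Follow AWS Config rule guidance for data-classification-tagging
+- name: s3-bucket-classification-tags
+resource_types:
+- AWS::S3::Bucket
+parameters: {}
+description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n AWS Config Rule: s3-bucket-classification-tags\n \n Ensures S3 buckets have proper data classification tags."
+remediation_guidance: Follow AWS Config rule guidance for s3-bucket-classification-tags
+'13.6':
+title: Deny Communications with Known Malicious IP Addresses
+weight: 1.0
+config_rules:
+- name: network-firewall-deployed
+resource_types:
+- AWS::EC2::VPC
+parameters: {}
+description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n AWS Config Rule: network-firewall-deployed\n \n Ensures AWS Network Firewall is deployed for advanced network protection."
+remediation_guidance: Follow AWS Config rule guidance for network-firewall-deployed
+- name: route53-resolver-firewall-enabled
+resource_types:
+- AWS::EC2::VPC
+parameters: {}
+description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n AWS Config Rule: route53-resolver-firewall-enabled\n \n Ensures Route 53 Resolver DNS Firewall is enabled for DNS-level protection."
+remediation_guidance: Follow AWS Config rule guidance for route53-resolver-firewall-enabled
+'11.3':
+title: Protect Recovery Data
+weight: 1.0
+config_rules:
+- name: backup-vault-encryption-enabled
+resource_types:
+- AWS::Backup::BackupVault
+parameters: {}
+description: "CIS Control 11.3 - Protect Recovery Data\n AWS Config Rule: backup-vault-encryption-enabled\n \n Ensures AWS Backup vaults are encrypted with KMS."
+remediation_guidance: Follow AWS Config rule guidance for backup-vault-encryption-enabled
+- name: backup-vault-lock-enabled
+resource_types:
+- AWS::Backup::BackupVault
+parameters: {}
+description: "CIS Control 11.3 - Protect Recovery Data\n AWS Config Rule: backup-vault-lock-enabled\n \n Ensures backup vaults have vault lock enabled to prevent deletion."
+remediation_guidance: Follow AWS Config rule guidance for backup-vault-lock-enabled
+'11.4':
+title: Establish and Maintain an Isolated Instance of Recovery Data
+weight: 1.0
+config_rules:
+- name: backup-cross-region-copy-enabled
+resource_types:
+- AWS::Backup::BackupPlan
+parameters: {}
+description: "CIS Control 11.4 - Establish and Maintain an Isolated Instance of Recovery Data\n AWS Config Rule: backup-cross-region-copy-enabled\n \n Ensures backup plans include cross-region copy for disaster recovery."
+remediation_guidance: Follow AWS Config rule guidance for backup-cross-region-copy-enabled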
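Review bot: Several new rules carry a control ID in their description that differs from the control key they are nested under, so per-control scoring will credit them to the wrong safeguard: `route53-query-logging-enabled` describes itself as 8.2 but is appended to the 11.2 rule list just before `'12.2':`, and `sns-encrypted-kms`, `sqs-queue-encrypted` (both 3.11) and `cloudtrail-s3-dataevents-enabled` (8.2) are appended to the `'3.10':` list. The 3.11 rules belong with the five added after `cloudwatch-log-group-encrypted`, and the 8.2 rules with the four added after `cloudtrail-enabled`. The title given to the new `'6.2':` entry, `Establish and Maintain a Secure Network Architecture`, reads like the v8 wording of Control 12.2 (which this file already defines under a generic title), and its four rules cover GuardDuty, Inspector, Macie and Access Analyzer rather than network architecture, so the safeguard mapping is worth confirming before it feeds the coverage figure quoted in `__init__.py`. Since each control's `weight` is 1.0, a misplaced rule also shifts the weighted score of the control it lands in.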
@@ -56,25 +56,37 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
56
56
|
results = []
|
|
57
57
|
|
|
58
58
|
try:
|
|
59
|
-
# Validate that we can access required services
|
|
60
|
-
if not self._validate_service_access(aws_factory, region):
|
|
61
|
-
return [self._create_error_result(
|
|
62
|
-
"SERVICE_UNAVAILABLE",
|
|
63
|
-
f"Required AWS services not accessible in region {region}",
|
|
64
|
-
region
|
|
65
|
-
)]
|
|
66
|
-
|
|
67
59
|
# Evaluate each resource type
|
|
68
60
|
for resource_type in self.resource_types:
|
|
69
61
|
try:
|
|
62
|
+
# Determine evaluation region (us-east-1 for account-level resources)
|
|
63
|
+
eval_region = self._get_evaluation_region(resource_type, region)
|
|
64
|
+
is_account_level = self._is_account_level_resource(resource_type)
|
|
65
|
+
|
|
66
|
+
# Skip account-level resources in non-primary regions to prevent duplication
|
|
67
|
+
# Account-level resources are only evaluated once in us-east-1
|
|
68
|
+
if is_account_level and region != 'us-east-1':
|
|
69
|
+
logger.debug(f"Skipping {resource_type} in {region} (account-level resource, evaluated in us-east-1 only)")
|
|
70
|
+
continue
|
|
71
|
+
|
|
72
|
+
# Validate that we can access required services in the evaluation region
|
|
73
|
+
if not self._validate_service_access(aws_factory, eval_region):
|
|
74
|
+
results.append(self._create_error_result(
|
|
75
|
+
"SERVICE_UNAVAILABLE",
|
|
76
|
+
f"Required AWS services not accessible in region {eval_region}",
|
|
77
|
+
eval_region,
|
|
78
|
+
resource_type
|
|
79
|
+
))
|
|
80
|
+
continue
|
|
81
|
+
|
|
70
82
|
# Use error handler for resource discovery if available
|
|
71
83
|
def get_resources():
|
|
72
|
-
return self._get_resources(aws_factory, resource_type,
|
|
84
|
+
return self._get_resources(aws_factory, resource_type, eval_region)
|
|
73
85
|
|
|
74
86
|
if self.error_handler:
|
|
75
87
|
context = ErrorContext(
|
|
76
88
|
service_name=self._get_required_services()[0] if self._get_required_services() else "",
|
|
77
|
-
region=
|
|
89
|
+
region=eval_region,
|
|
78
90
|
resource_type=resource_type,
|
|
79
91
|
operation="get_resources",
|
|
80
92
|
control_id=self.control_id,
|
|
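Review bot: The skip at new line 68 means every resource type that `_is_account_level_resource` classifies as global (IAM, CloudFront, Route 53, Organizations, `AWS::::Account`) yields no result at all when the requested region set does not include us-east-1, and the only trace is a DEBUG message — a compliance report would silently omit those controls; the caller that chooses regions is outside this hunk, so I cannot confirm us-east-1 is always requested. Logging the skip at WARNING, or appending an explicit skipped result via `_create_error_result` so the gap is visible in the output, would be safer for an assessment tool. Once the skip has run, `eval_region` from `_get_evaluation_region` at line 63 always equals `region` (the mapping only rewrites global types, which are either skipped or already in us-east-1), so one of the two mechanisms is redundant and the double call to `_is_account_level_resource` per iteration can go. Note also that `_validate_service_access` moved from a single pre-loop check to one call per resource type, so a control with several resource types now repeats the same service probe and can emit several SERVICE_UNAVAILABLE results where it used to return one. The enclosing method begins before this hunk.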
@@ -90,18 +102,18 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
90
102
|
else:
|
|
91
103
|
resources = get_resources()
|
|
92
104
|
|
|
93
|
-
logger.debug(f"Found {len(resources)} resources of type {resource_type} in {
|
|
105
|
+
logger.debug(f"Found {len(resources)} resources of type {resource_type} in {eval_region}")
|
|
94
106
|
|
|
95
107
|
for resource in resources:
|
|
96
108
|
try:
|
|
97
109
|
# Use error handler for resource evaluation if available
|
|
98
110
|
def evaluate_resource():
|
|
99
|
-
return self._evaluate_resource_compliance(resource, aws_factory,
|
|
111
|
+
return self._evaluate_resource_compliance(resource, aws_factory, eval_region)
|
|
100
112
|
|
|
101
113
|
if self.error_handler:
|
|
102
114
|
context = ErrorContext(
|
|
103
115
|
service_name=self._get_required_services()[0] if self._get_required_services() else "",
|
|
104
|
-
region=
|
|
116
|
+
region=eval_region,
|
|
105
117
|
resource_type=resource_type,
|
|
106
118
|
resource_id=resource.get('id', 'unknown'),
|
|
107
119
|
operation="evaluate_compliance",
|
|
@@ -121,13 +133,20 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
121
133
|
results.append(compliance)
|
|
122
134
|
|
|
123
135
|
except Exception as e:
|
|
124
|
-
|
|
136
|
+
error_str = str(e)
|
|
137
|
+
# Log expected errors at DEBUG level
|
|
138
|
+
if ("Parameter validation failed" in error_str or
|
|
139
|
+
"Missing required parameter" in error_str or
|
|
140
|
+
"Could not connect to the endpoint URL" in error_str):
|
|
141
|
+
logger.debug(f"Expected error for resource {resource.get('id', 'unknown')}: {e}")
|
|
142
|
+
else:
|
|
143
|
+
logger.error(f"Error evaluating resource {resource.get('id', 'unknown')}: {e}")
|
|
125
144
|
|
|
126
145
|
# Handle error with error handler if available
|
|
127
146
|
if self.error_handler:
|
|
128
147
|
context = ErrorContext(
|
|
129
148
|
service_name=self._get_required_services()[0] if self._get_required_services() else "",
|
|
130
|
-
region=
|
|
149
|
+
region=eval_region,
|
|
131
150
|
resource_type=resource_type,
|
|
132
151
|
resource_id=resource.get('id', 'unknown'),
|
|
133
152
|
operation="evaluate_compliance",
|
|
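Review bot: The classification at new lines 138–140 keys on substrings of `str(e)`, which ties log levels to botocore's current message wording; the cases it targets are distinct exception types, so `if isinstance(e, (ParamValidationError, EndpointConnectionError)):` (both from `botocore.exceptions`, next to the `ClientError` this file already uses) is precise and cannot be triggered by a resource whose own error text happens to contain those words. Demoting "Could not connect to the endpoint URL" to DEBUG also hides in the log that a whole service endpoint was unreachable — the per-resource error result is still appended at new line 158, but an operator watching INFO output sees nothing, so WARNING fits the endpoint case better. The same substring test is repeated at new line 206 (the resource-type `except Exception` in a later hunk) without the endpoint case, so the two branches classify the same failure differently; factoring it into one helper would keep them aligned. The enclosing loop starts before this hunk.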
@@ -139,19 +158,27 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
139
158
|
results.append(self._create_error_result(
|
|
140
159
|
resource.get('id', 'unknown'),
|
|
141
160
|
f"Evaluation error: {str(e)}",
|
|
142
|
-
|
|
161
|
+
eval_region,
|
|
143
162
|
resource_type
|
|
144
163
|
))
|
|
145
164
|
|
|
146
165
|
except ClientError as e:
|
|
147
166
|
error_code = e.response.get('Error', {}).get('Code', '')
|
|
148
|
-
error_message =
|
|
167
|
+
error_message = str(e)
|
|
168
|
+
|
|
169
|
+
# Log parameter validation errors at DEBUG level (expected for some resources)
|
|
170
|
+
if 'Parameter' in error_code or 'parameter' in error_message.lower():
|
|
171
|
+
logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
|
|
172
|
+
elif error_code in ['AccessDenied', 'UnauthorizedOperation']:
|
|
173
|
+
logger.debug(f"Access denied for {resource_type} in {eval_region}")
|
|
174
|
+
else:
|
|
175
|
+
logger.error(f"AWS API error for {resource_type} in {eval_region}: {e}")
|
|
149
176
|
|
|
150
177
|
# Handle error with error handler if available
|
|
151
178
|
if self.error_handler:
|
|
152
179
|
context = ErrorContext(
|
|
153
180
|
service_name=self._get_required_services()[0] if self._get_required_services() else "",
|
|
154
|
-
region=
|
|
181
|
+
region=eval_region,
|
|
155
182
|
resource_type=resource_type,
|
|
156
183
|
operation="get_resources",
|
|
157
184
|
control_id=self.control_id,
|
|
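Review bot: `'parameter' in error_message.lower()` at new line 170 demotes to DEBUG any ClientError whose text mentions a parameter, which with botocore's `An error occurred (Code) when calling ... : message` format includes service-side rejections an operator would want to see; matching `error_code` against the specific codes these controls actually encounter would be tighter than a substring of the whole message. `AccessDenied`/`UnauthorizedOperation` at line 173 is likewise DEBUG-only, yet the next hunk records a `_PERMISSION_ERROR` result for it (new line 191) — a control that could not be assessed because the assessment principal lacks permissions is a finding about the assessment itself and deserves `logger.warning(f"Access denied for {resource_type} in {eval_region}: {error_code}")`. The enclosing loop starts before this hunk.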
@@ -163,25 +190,29 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
163
190
|
results.append(self._create_error_result(
|
|
164
191
|
f"{resource_type}_PERMISSION_ERROR",
|
|
165
192
|
f"Insufficient permissions to evaluate {resource_type}",
|
|
166
|
-
|
|
193
|
+
eval_region,
|
|
167
194
|
resource_type
|
|
168
195
|
))
|
|
169
196
|
else:
|
|
170
197
|
results.append(self._create_error_result(
|
|
171
198
|
f"{resource_type}_API_ERROR",
|
|
172
|
-
error_message,
|
|
173
|
-
|
|
199
|
+
f"AWS API error: {error_message}",
|
|
200
|
+
eval_region,
|
|
174
201
|
resource_type
|
|
175
202
|
))
|
|
176
203
|
|
|
177
204
|
except Exception as e:
|
|
178
|
-
|
|
205
|
+
# Log parameter validation errors at DEBUG level (expected for some resources)
|
|
206
|
+
if "Parameter validation failed" in str(e) or "Missing required parameter" in str(e):
|
|
207
|
+
logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
|
|
208
|
+
else:
|
|
209
|
+
logger.error(f"Unexpected error evaluating {resource_type}: {e}")
|
|
179
210
|
|
|
180
211
|
# Handle error with error handler if available
|
|
181
212
|
if self.error_handler:
|
|
182
213
|
context = ErrorContext(
|
|
183
214
|
service_name=self._get_required_services()[0] if self._get_required_services() else "",
|
|
184
|
-
region=
|
|
215
|
+
region=eval_region,
|
|
185
216
|
resource_type=resource_type,
|
|
186
217
|
operation="evaluate_resource_type",
|
|
187
218
|
control_id=self.control_id,
|
|
@@ -192,7 +223,7 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
192
223
|
results.append(self._create_error_result(
|
|
193
224
|
f"{resource_type}_UNKNOWN_ERROR",
|
|
194
225
|
f"Unexpected error: {str(e)}",
|
|
195
|
-
|
|
226
|
+
eval_region,
|
|
196
227
|
resource_type
|
|
197
228
|
))
|
|
198
229
|
|
|
@@ -298,6 +329,57 @@ class BaseConfigRuleAssessment(ABC):
|
|
|
298
329
|
|
|
299
330
|
return list(services)
|
|
300
331
|
|
|
332
|
+
def _is_account_level_resource(self, resource_type: str) -> bool:
|
|
333
|
+
"""Check if resource type is account-level (global).
|
|
334
|
+
|
|
335
|
+
Account-level resources should be evaluated in us-east-1 only once,
|
|
336
|
+
not per region. This prevents duplicate evaluations and region validation errors.
|
|
337
|
+
|
|
338
|
+
Args:
|
|
339
|
+
resource_type: AWS resource type (e.g., "AWS::::Account", "AWS::IAM::User")
|
|
340
|
+
|
|
341
|
+
Returns:
|
|
342
|
+
True if resource is account-level/global
|
|
343
|
+
"""
|
|
344
|
+
# Explicit account-level marker
|
|
345
|
+
if resource_type == 'AWS::::Account':
|
|
346
|
+
return True
|
|
347
|
+
|
|
348
|
+
# Global services that should only be evaluated in us-east-1
|
|
349
|
+
global_service_prefixes = [
|
|
350
|
+
'AWS::IAM::', # IAM is global
|
|
351
|
+
'AWS::CloudFront::', # CloudFront is global
|
|
352
|
+
'AWS::Route53::', # Route53 is global
|
|
353
|
+
'AWS::Organizations::', # Organizations is global
|
|
354
|
+
]
|
|
355
|
+
|
|
356
|
+
for prefix in global_service_prefixes:
|
|
357
|
+
if resource_type.startswith(prefix):
|
|
358
|
+
return True
|
|
359
|
+
|
|
360
|
+
# S3 buckets are special - they're global but region-specific
|
|
361
|
+
# We handle them in controls by checking region == 'us-east-1'
|
|
362
|
+
|
|
363
|
+
return False
|
|
364
|
+
|
|
365
|
+
def _get_evaluation_region(self, resource_type: str, requested_region: str) -> str:
|
|
366
|
+
"""Determine which region to use for resource evaluation.
|
|
367
|
+
|
|
368
|
+
Account-level and global resources must be evaluated in us-east-1
|
|
369
|
+
to avoid region validation errors and ensure proper API access.
|
|
370
|
+
|
|
371
|
+
Args:
|
|
372
|
+
resource_type: AWS resource type
|
|
373
|
+
requested_region: Region requested for evaluation
|
|
374
|
+
|
|
375
|
+
Returns:
|
|
376
|
+
Region to use (us-east-1 for account-level, requested_region otherwise)
|
|
377
|
+
"""
|
|
378
|
+
if self._is_account_level_resource(resource_type):
|
|
379
|
+
return 'us-east-1'
|
|
380
|
+
return requested_region
|
|
381
|
+
|
|
382
|
+
|
|
301
383
|
def _create_error_result(self, resource_id: str, error_message: str, region: str, resource_type: str = "Unknown") -> ComplianceResult:
|
|
302
384
|
"""Create a ComplianceResult for error conditions.
|
|
303
385
|
|
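Review bot: The region literal `'us-east-1'` now lives in three places — new line 379 here, the skip at line 68 in the first hunk, and both docstrings — and the prefix list at lines 349–354 is rebuilt on every call from inside the per-resource-type loop; hoisting both to class attributes such as `GLOBAL_RESOURCE_REGION = 'us-east-1'` and `GLOBAL_SERVICE_PREFIXES = ('AWS::IAM::', 'AWS::CloudFront::', 'AWS::Route53::', 'AWS::Organizations::')` lets the body collapse to `return resource_type == 'AWS::::Account' or resource_type.startswith(self.GLOBAL_SERVICE_PREFIXES)` (tuple form of `str.startswith`). A comment would also spare the next reader a check: `# 'AWS::Route53::' deliberately does not match 'AWS::Route53Resolver::' — Resolver (DNS Firewall) is regional`, which matters now that this release adds the route53-resolver-firewall-enabled rule. The S3 remark at lines 360–361 describes control code not in this diff, so I could not confirm the controls perform that region check.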