aws-cis-controls-assessment 1.1.4__py3-none-any.whl → 1.2.2__py3-none-any.whl

aws_cis_assessment/__init__.py

@@ -2,10 +2,10 @@
 AWS CIS Controls Compliance Assessment Framework
 
 A production-ready, enterprise-grade framework for evaluating AWS account configurations against 
-CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 163 comprehensive AWS Config rules 
-across all implementation groups for complete security compliance assessment.
+CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 175 comprehensive AWS Config rules 
+across all implementation groups with 75%+ coverage of CIS Controls v8.1 IG1 safeguards.
 """
 
-__version__ = "1.1.4"
+__version__ = "1.2.2"
 __author__ = "AWS CIS Assessment Team"
-__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework"
+__description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework with Enhanced IG1 Coverage"

aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -1,5 +1,5 @@
 implementation_group: IG1
-total_rules: 77
+total_rules: 125
 description: Essential cyber hygiene - foundational safeguards for all enterprises
 controls:
   '1.1':
@@ -39,6 +39,48 @@ controls:
       parameters: {}
       description: Assessment for ec2-security-group-attached-to-eni Config rule.
       remediation_guidance: Follow AWS Config rule guidance for ec2-security-group-attached-to-eni
+    - name: ssm-inventory-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: ssm-inventory-enabled\n    \n    Ensures AWS Systems Manager Inventory is enabled for comprehensive asset tracking."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-inventory-enabled
+    - name: config-enabled-all-regions
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: config-enabled-all-regions\n    \n    Ensures AWS Config is enabled in all regions for complete resource tracking."
+      remediation_guidance: Follow AWS Config rule guidance for config-enabled-all-regions
+    - name: ami-inventory-tracking
+      resource_types:
+      - AWS::EC2::Image
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: ami-inventory-tracking\n    \n    Ensures AMIs are properly tagged for inventory management."
+      remediation_guidance: Follow AWS Config rule guidance for ami-inventory-tracking
+    - name: lambda-runtime-inventory
+      resource_types:
+      - AWS::Lambda::Function
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: lambda-runtime-inventory\n    \n    Tracks Lambda function runtimes for inventory purposes."
+      remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-inventory
+    - name: iam-user-inventory-check
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: iam-user-inventory-check\n    \n    Ensures IAM users have proper inventory tags for asset management."
+      remediation_guidance: Follow AWS Config rule guidance for iam-user-inventory-check
+    - name: asset-tagging-compliance
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: asset-tagging-compliance\n    \n    Ensures resources have required tags for asset management."
+      remediation_guidance: Follow AWS Config rule guidance for asset-tagging-compliance
+    - name: unauthorized-asset-detection
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory\n    AWS Config Rule: unauthorized-asset-detection\n    \n    Detects resources without proper authorization tags."
+      remediation_guidance: Follow AWS Config rule guidance for unauthorized-asset-detection
   '1.5':
     title: Control 1.5
     weight: 1.0
@@ -201,6 +243,18 @@ controls:
             "ConditionValue": "true"
           }]
         }'
+    - name: rds-backup-retention-check
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 11.2 - Perform Automated Backups\n    AWS Config Rule: rds-backup-retention-check\n    \n    Ensures RDS instances have adequate backup retention periods (minimum 7 days)."
+      remediation_guidance: Follow AWS Config rule guidance for rds-backup-retention-check
+    - name: route53-query-logging-enabled
+      resource_types:
+      - AWS::Route53::HostedZone
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: route53-query-logging-enabled\n    \n    Ensures Route 53 hosted zones have query logging enabled."
+      remediation_guidance: Follow AWS Config rule guidance for route53-query-logging-enabled
   '12.2':
     title: Control 12.2
     weight: 1.0
@@ -238,6 +292,24 @@ controls:
       parameters: {}
       description: Assessment for ecs-fargate-latest-platform-version Config rule.
       remediation_guidance: Follow AWS Config rule guidance for ecs-fargate-latest-platform-version
+    - name: ec2-os-version-supported
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: ec2-os-version-supported\n    \n    Ensures EC2 instances run supported operating system versions."
+      remediation_guidance: Follow AWS Config rule guidance for ec2-os-version-supported
+    - name: rds-engine-version-supported
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: rds-engine-version-supported\n    \n    Ensures RDS instances run supported database engine versions."
+      remediation_guidance: Follow AWS Config rule guidance for rds-engine-version-supported
+    - name: lambda-runtime-supported
+      resource_types:
+      - AWS::Lambda::Function
+      parameters: {}
+      description: "CIS Control 2.2 - Ensure Authorized Software is Currently Supported\n    AWS Config Rule: lambda-runtime-supported\n    \n    Ensures Lambda functions use supported runtimes."
+      remediation_guidance: Follow AWS Config rule guidance for lambda-runtime-supported
   2.2.1:
     title: Control 2.2.1
     weight: 1.0
@@ -271,6 +343,36 @@ controls:
         \ Rule: cloudwatch-log-group-encrypted\n    \n    Ensures CloudWatch Log Groups\
         \ are encrypted with KMS keys."
       remediation_guidance: Follow AWS Config rule guidance for cloudwatch-log-group-encrypted
+    - name: ebs-encryption-by-default
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: ebs-encryption-by-default\n    \n    Ensures EBS encryption by default is enabled at the account level for automatic volume encryption."
+      remediation_guidance: Follow AWS Config rule guidance for ebs-encryption-by-default
+    - name: rds-storage-encrypted
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: rds-storage-encrypted\n    \n    Ensures RDS database instances have storage encryption enabled."
+      remediation_guidance: Follow AWS Config rule guidance for rds-storage-encrypted
+    - name: efs-encrypted-check
+      resource_types:
+      - AWS::EFS::FileSystem
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: efs-encrypted-check\n    \n    Ensures EFS file systems have encryption at rest enabled."
+      remediation_guidance: Follow AWS Config rule guidance for efs-encrypted-check
+    - name: dynamodb-table-encrypted-kms
+      resource_types:
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: dynamodb-table-encrypted-kms\n    \n    Ensures DynamoDB tables are encrypted with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for dynamodb-table-encrypted-kms
+    - name: s3-default-encryption-kms
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: s3-default-encryption-kms\n    \n    Ensures S3 buckets have default encryption enabled with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for s3-default-encryption-kms
   '3.3':
     title: Configure Data Access Control Lists
     weight: 1.0
@@ -648,6 +750,18 @@ controls:
       parameters: {}
       description: Assessment for access-keys-rotated Config rule.
       remediation_guidance: Follow AWS Config rule guidance for access-keys-rotated
+    - name: config-conformance-pack-deployed
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n    AWS Config Rule: config-conformance-pack-deployed\n    \n    Ensures AWS Config conformance packs are deployed for configuration management."
+      remediation_guidance: Follow AWS Config rule guidance for config-conformance-pack-deployed
+    - name: securityhub-standards-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 4.1 - Establish and Maintain a Secure Configuration Process\n    AWS Config Rule: securityhub-standards-enabled\n    \n    Ensures Security Hub standards are enabled for security configuration management."
+      remediation_guidance: Follow AWS Config rule guidance for securityhub-standards-enabled
   '5.2':
     title: Use Unique Passwords
     weight: 1.0
@@ -659,8 +773,36 @@ controls:
       description: Assessment for iam-password-policy Config rule - ensures strong
         password policy.
       remediation_guidance: Follow AWS Config rule guidance for iam-password-policy
+  '6.2':
+    title: Establish and Maintain a Secure Network Architecture
+    weight: 1.0
+    config_rules:
+    - name: guardduty-enabled-centralized
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: guardduty-enabled-centralized\n    \n    Ensures GuardDuty is enabled for threat detection and continuous monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for guardduty-enabled-centralized
+    - name: inspector-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: inspector-enabled\n    \n    Ensures Amazon Inspector is enabled for vulnerability scanning and security assessments."
+      remediation_guidance: Follow AWS Config rule guidance for inspector-enabled
+    - name: macie-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: macie-enabled\n    \n    Ensures Amazon Macie is enabled for sensitive data discovery and protection."
+      remediation_guidance: Follow AWS Config rule guidance for macie-enabled
+    - name: iam-access-analyzer-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 6.2 - Establish and Maintain a Secure Network Architecture\n    AWS Config Rule: iam-access-analyzer-enabled\n    \n    Ensures IAM Access Analyzer is enabled to detect external access to resources."
+      remediation_guidance: Follow AWS Config rule guidance for iam-access-analyzer-enabled
   '8.2':
-    title: Control 8.2
+    title: Collect Audit Logs
     weight: 1.0
     config_rules:
     - name: cloudtrail-enabled
@@ -671,6 +813,30 @@ controls:
         \    \n    Ensures CloudTrail is enabled to record AWS Management Console\
         \ actions and API calls."
       remediation_guidance: Follow AWS Config rule guidance for cloudtrail-enabled
+    - name: vpc-flow-logs-enabled
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: vpc-flow-logs-enabled\n    \n    Ensures VPC Flow Logs are enabled for network traffic monitoring and analysis."
+      remediation_guidance: Follow AWS Config rule guidance for vpc-flow-logs-enabled
+    - name: elb-logging-enabled
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: elb-logging-enabled\n    \n    Ensures Elastic Load Balancer access logs are enabled for request tracking."
+      remediation_guidance: Follow AWS Config rule guidance for elb-logging-enabled
+    - name: cloudfront-accesslogs-enabled
+      resource_types:
+      - AWS::CloudFront::Distribution
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: cloudfront-accesslogs-enabled\n    \n    Ensures CloudFront distributions have access logging enabled."
+      remediation_guidance: Follow AWS Config rule guidance for cloudfront-accesslogs-enabled
+    - name: wafv2-logging-enabled
+      resource_types:
+      - AWS::WAFv2::WebACL
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: wafv2-logging-enabled\n    \n    Ensures WAF web ACLs have logging enabled for security monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for wafv2-logging-enabled
   '8.8':
     title: Control 8.8
     weight: 1.0
@@ -681,3 +847,200 @@ controls:
       parameters: {}
       description: Assessment for securityhub-enabled AWS Config rule.
       remediation_guidance: Follow AWS Config rule guidance for securityhub-enabled
+  '7.1':
+    title: Establish and Maintain a Vulnerability Management Process
+    weight: 1.0
+    config_rules:
+    - name: ssm-patch-manager-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ssm-patch-manager-enabled\n    \n    Ensures AWS Systems Manager Patch Manager is configured with patch baselines."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-patch-manager-enabled
+    - name: ssm-patch-baseline-configured
+      resource_types:
+      - AWS::SSM::PatchBaseline
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ssm-patch-baseline-configured\n    \n    Ensures SSM patch baselines have proper approval rules and patch filters configured."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-patch-baseline-configured
+    - name: ec2-patch-compliance-status
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 7.1 - Establish and Maintain a Vulnerability Management Process\n    AWS Config Rule: ec2-patch-compliance-status\n    \n    Ensures EC2 instances are compliant with patch baselines and have no missing patches."
+      remediation_guidance: Follow AWS Config rule guidance for ec2-patch-compliance-status
+  '5.3':
+    title: Disable Dormant Accounts
+    weight: 1.0
+    config_rules:
+    - name: sso-enabled-check
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: sso-enabled-check\n    \n    Ensures AWS SSO (Identity Center) is enabled for centralized identity management."
+      remediation_guidance: Follow AWS Config rule guidance for sso-enabled-check
+    - name: identity-center-configured
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: identity-center-configured\n    \n    Ensures AWS Identity Center has permission sets and proper configuration."
+      remediation_guidance: Follow AWS Config rule guidance for identity-center-configured
+    - name: iam-user-last-access-check
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 5.3 - Disable Dormant Accounts\n    AWS Config Rule: iam-user-last-access-check\n    \n    Ensures IAM users have been accessed recently (within 90 days)."
+      remediation_guidance: Follow AWS Config rule guidance for iam-user-last-access-check
+  '6.5':
+    title: Require MFA for Administrative Access
+    weight: 1.0
+    config_rules:
+    - name: iam-admin-mfa-required
+      resource_types:
+      - AWS::IAM::User
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: iam-admin-mfa-required\n    \n    Ensures IAM users with administrative privileges have MFA enabled."
+      remediation_guidance: Follow AWS Config rule guidance for iam-admin-mfa-required
+    - name: cognito-mfa-enabled
+      resource_types:
+      - AWS::Cognito::UserPool
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: cognito-mfa-enabled\n    \n    Ensures Cognito user pools require MFA for user authentication."
+      remediation_guidance: Follow AWS Config rule guidance for cognito-mfa-enabled
+    - name: vpn-mfa-enabled
+      resource_types:
+      - AWS::EC2::ClientVpnEndpoint
+      parameters: {}
+      description: "CIS Control 6.5 - Require MFA for Administrative Access\n    AWS Config Rule: vpn-mfa-enabled\n    \n    Ensures Client VPN endpoints require MFA for authentication."
+      remediation_guidance: Follow AWS Config rule guidance for vpn-mfa-enabled
+  '3.10':
+    title: Encrypt Sensitive Data in Transit
+    weight: 1.0
+    config_rules:
+    - name: alb-http-to-https-redirection-check
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: alb-http-to-https-redirection-check\n    \n    Ensures Application Load Balancers redirect HTTP traffic to HTTPS."
+      remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection-check
+    - name: elb-tls-https-listeners-only
+      resource_types:
+      - AWS::ElasticLoadBalancingV2::LoadBalancer
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: elb-tls-https-listeners-only\n    \n    Ensures Elastic Load Balancers use only HTTPS/TLS listeners."
+      remediation_guidance: Follow AWS Config rule guidance for elb-tls-https-listeners-only
+    - name: rds-ssl-connection-required
+      resource_types:
+      - AWS::RDS::DBInstance
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: rds-ssl-connection-required\n    \n    Ensures RDS database instances require SSL/TLS connections."
+      remediation_guidance: Follow AWS Config rule guidance for rds-ssl-connection-required
+    - name: api-gateway-ssl-enabled
+      resource_types:
+      - AWS::ApiGateway::RestApi
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: api-gateway-ssl-enabled\n    \n    Ensures API Gateway REST APIs use SSL/TLS certificates."
+      remediation_guidance: Follow AWS Config rule guidance for api-gateway-ssl-enabled
+    - name: redshift-require-tls-ssl
+      resource_types:
+      - AWS::Redshift::Cluster
+      parameters: {}
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: redshift-require-tls-ssl\n    \n    Ensures Redshift clusters require TLS/SSL for connections."
+      remediation_guidance: Follow AWS Config rule guidance for redshift-require-tls-ssl
+    - name: sns-encrypted-kms
+      resource_types:
+      - AWS::SNS::Topic
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: sns-encrypted-kms\n    \n    Ensures SNS topics are encrypted with customer-managed KMS keys."
+      remediation_guidance: Follow AWS Config rule guidance for sns-encrypted-kms
+    - name: sqs-queue-encrypted
+      resource_types:
+      - AWS::SQS::Queue
+      parameters: {}
+      description: "CIS Control 3.11 - Encrypt Sensitive Data at Rest\n    AWS Config Rule: sqs-queue-encrypted\n    \n    Ensures SQS queues are encrypted at rest."
+      remediation_guidance: Follow AWS Config rule guidance for sqs-queue-encrypted
+    - name: cloudtrail-s3-dataevents-enabled
+      resource_types:
+      - AWS::CloudTrail::Trail
+      parameters: {}
+      description: "CIS Control 8.2 - Collect Audit Logs\n    AWS Config Rule: cloudtrail-s3-dataevents-enabled\n    \n    Ensures CloudTrail logs S3 data events for object-level operations monitoring."
+      remediation_guidance: Follow AWS Config rule guidance for cloudtrail-s3-dataevents-enabled
+  '7.5':
+    title: Perform Automated Vulnerability Scans
+    weight: 1.0
+    config_rules:
+    - name: inspector-assessment-enabled
+      resource_types:
+      - AWS::::Account
+      parameters: {}
+      description: "CIS Control 7.5 - Perform Automated Vulnerability Scans\n    AWS Config Rule: inspector-assessment-enabled\n    \n    Ensures Amazon Inspector assessments are actively running for vulnerability detection."
+      remediation_guidance: Follow AWS Config rule guidance for inspector-assessment-enabled
+  '12.4':
+    title: Establish and Maintain Architecture Diagram(s)
+    weight: 1.0
+    config_rules:
+    - name: ssm-session-manager-enabled
+      resource_types:
+      - AWS::EC2::Instance
+      parameters: {}
+      description: "CIS Control 12.4 - Establish and Maintain Architecture Diagram(s)\n    AWS Config Rule: ssm-session-manager-enabled\n    \n    Ensures Systems Manager Session Manager is available for secure instance access."
+      remediation_guidance: Follow AWS Config rule guidance for ssm-session-manager-enabled
+  '3.12':
+    title: Segment Data Processing and Storage Based on Sensitivity
+    weight: 1.0
+    config_rules:
+    - name: data-classification-tagging
+      resource_types:
+      - AWS::RDS::DBInstance
+      - AWS::DynamoDB::Table
+      parameters: {}
+      description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n    AWS Config Rule: data-classification-tagging\n    \n    Ensures data resources have proper classification tags (DataClassification, Sensitivity, or Compliance)."
+      remediation_guidance: Follow AWS Config rule guidance for data-classification-tagging
+    - name: s3-bucket-classification-tags
+      resource_types:
+      - AWS::S3::Bucket
+      parameters: {}
+      description: "CIS Control 3.12 - Segment Data Processing and Storage Based on Sensitivity\n    AWS Config Rule: s3-bucket-classification-tags\n    \n    Ensures S3 buckets have proper data classification tags."
+      remediation_guidance: Follow AWS Config rule guidance for s3-bucket-classification-tags
+  '13.6':
+    title: Deny Communications with Known Malicious IP Addresses
+    weight: 1.0
+    config_rules:
+    - name: network-firewall-deployed
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n    AWS Config Rule: network-firewall-deployed\n    \n    Ensures AWS Network Firewall is deployed for advanced network protection."
+      remediation_guidance: Follow AWS Config rule guidance for network-firewall-deployed
+    - name: route53-resolver-firewall-enabled
+      resource_types:
+      - AWS::EC2::VPC
+      parameters: {}
+      description: "CIS Control 13.6 - Deny Communications with Known Malicious IP Addresses\n    AWS Config Rule: route53-resolver-firewall-enabled\n    \n    Ensures Route 53 Resolver DNS Firewall is enabled for DNS-level protection."
+      remediation_guidance: Follow AWS Config rule guidance for route53-resolver-firewall-enabled
+  '11.3':
+    title: Protect Recovery Data
+    weight: 1.0
+    config_rules:
+    - name: backup-vault-encryption-enabled
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: "CIS Control 11.3 - Protect Recovery Data\n    AWS Config Rule: backup-vault-encryption-enabled\n    \n    Ensures AWS Backup vaults are encrypted with KMS."
+      remediation_guidance: Follow AWS Config rule guidance for backup-vault-encryption-enabled
+    - name: backup-vault-lock-enabled
+      resource_types:
+      - AWS::Backup::BackupVault
+      parameters: {}
+      description: "CIS Control 11.3 - Protect Recovery Data\n    AWS Config Rule: backup-vault-lock-enabled\n    \n    Ensures backup vaults have vault lock enabled to prevent deletion."
+      remediation_guidance: Follow AWS Config rule guidance for backup-vault-lock-enabled
+  '11.4':
+    title: Establish and Maintain an Isolated Instance of Recovery Data
+    weight: 1.0
+    config_rules:
+    - name: backup-cross-region-copy-enabled
+      resource_types:
+      - AWS::Backup::BackupPlan
+      parameters: {}
+      description: "CIS Control 11.4 - Establish and Maintain an Isolated Instance of Recovery Data\n    AWS Config Rule: backup-cross-region-copy-enabled\n    \n    Ensures backup plans include cross-region copy for disaster recovery."
+      remediation_guidance: Follow AWS Config rule guidance for backup-cross-region-copy-enabled

aws_cis_assessment/controls/base_control.py

@@ -56,25 +56,37 @@ class BaseConfigRuleAssessment(ABC):
         results = []
         
         try:
-            # Validate that we can access required services
-            if not self._validate_service_access(aws_factory, region):
-                return [self._create_error_result(
-                    "SERVICE_UNAVAILABLE",
-                    f"Required AWS services not accessible in region {region}",
-                    region
-                )]
-            
             # Evaluate each resource type
             for resource_type in self.resource_types:
                 try:
+                    # Determine evaluation region (us-east-1 for account-level resources)
+                    eval_region = self._get_evaluation_region(resource_type, region)
+                    is_account_level = self._is_account_level_resource(resource_type)
+                    
+                    # Skip account-level resources in non-primary regions to prevent duplication
+                    # Account-level resources are only evaluated once in us-east-1
+                    if is_account_level and region != 'us-east-1':
+                        logger.debug(f"Skipping {resource_type} in {region} (account-level resource, evaluated in us-east-1 only)")
+                        continue
+                    
+                    # Validate that we can access required services in the evaluation region
+                    if not self._validate_service_access(aws_factory, eval_region):
+                        results.append(self._create_error_result(
+                            "SERVICE_UNAVAILABLE",
+                            f"Required AWS services not accessible in region {eval_region}",
+                            eval_region,
+                            resource_type
+                        ))
+                        continue
+                    
                     # Use error handler for resource discovery if available
                     def get_resources():
-                        return self._get_resources(aws_factory, resource_type, region)
+                        return self._get_resources(aws_factory, resource_type, eval_region)
                     
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="get_resources",
                             control_id=self.control_id,
@@ -90,18 +102,18 @@ class BaseConfigRuleAssessment(ABC):
                     else:
                         resources = get_resources()
                     
-                    logger.debug(f"Found {len(resources)} resources of type {resource_type} in {region}")
+                    logger.debug(f"Found {len(resources)} resources of type {resource_type} in {eval_region}")
                     
                     for resource in resources:
                         try:
                             # Use error handler for resource evaluation if available
                             def evaluate_resource():
-                                return self._evaluate_resource_compliance(resource, aws_factory, region)
+                                return self._evaluate_resource_compliance(resource, aws_factory, eval_region)
                             
                             if self.error_handler:
                                 context = ErrorContext(
                                     service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                                    region=region,
+                                    region=eval_region,
                                     resource_type=resource_type,
                                     resource_id=resource.get('id', 'unknown'),
                                     operation="evaluate_compliance",
@@ -121,13 +133,20 @@ class BaseConfigRuleAssessment(ABC):
                             results.append(compliance)
                             
                         except Exception as e:
-                            logger.error(f"Error evaluating resource {resource.get('id', 'unknown')}: {e}")
+                            error_str = str(e)
+                            # Log expected errors at DEBUG level
+                            if ("Parameter validation failed" in error_str or 
+                                "Missing required parameter" in error_str or
+                                "Could not connect to the endpoint URL" in error_str):
+                                logger.debug(f"Expected error for resource {resource.get('id', 'unknown')}: {e}")
+                            else:
+                                logger.error(f"Error evaluating resource {resource.get('id', 'unknown')}: {e}")
                             
                             # Handle error with error handler if available
                             if self.error_handler:
                                 context = ErrorContext(
                                     service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                                    region=region,
+                                    region=eval_region,
                                     resource_type=resource_type,
                                     resource_id=resource.get('id', 'unknown'),
                                     operation="evaluate_compliance",
@@ -139,19 +158,27 @@ class BaseConfigRuleAssessment(ABC):
                             results.append(self._create_error_result(
                                 resource.get('id', 'unknown'),
                                 f"Evaluation error: {str(e)}",
-                                region,
+                                eval_region,
                                 resource_type
                             ))
                 
                 except ClientError as e:
                     error_code = e.response.get('Error', {}).get('Code', '')
-                    error_message = f"AWS API error: {str(e)}"
+                    error_message = str(e)
+                    
+                    # Log parameter validation errors at DEBUG level (expected for some resources)
+                    if 'Parameter' in error_code or 'parameter' in error_message.lower():
+                        logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
+                    elif error_code in ['AccessDenied', 'UnauthorizedOperation']:
+                        logger.debug(f"Access denied for {resource_type} in {eval_region}")
+                    else:
+                        logger.error(f"AWS API error for {resource_type} in {eval_region}: {e}")
                     
                     # Handle error with error handler if available
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="get_resources",
                             control_id=self.control_id,
@@ -163,25 +190,29 @@ class BaseConfigRuleAssessment(ABC):
                         results.append(self._create_error_result(
                             f"{resource_type}_PERMISSION_ERROR",
                             f"Insufficient permissions to evaluate {resource_type}",
-                            region,
+                            eval_region,
                             resource_type
                         ))
                     else:
                         results.append(self._create_error_result(
                             f"{resource_type}_API_ERROR",
-                            error_message,
-                            region,
+                            f"AWS API error: {error_message}",
+                            eval_region,
                             resource_type
                         ))
                 
                 except Exception as e:
-                    logger.error(f"Unexpected error evaluating {resource_type}: {e}")
+                    # Log parameter validation errors at DEBUG level (expected for some resources)
+                    if "Parameter validation failed" in str(e) or "Missing required parameter" in str(e):
+                        logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
+                    else:
+                        logger.error(f"Unexpected error evaluating {resource_type}: {e}")
                     
                     # Handle error with error handler if available
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="evaluate_resource_type",
                             control_id=self.control_id,
@@ -192,7 +223,7 @@ class BaseConfigRuleAssessment(ABC):
                     results.append(self._create_error_result(
                         f"{resource_type}_UNKNOWN_ERROR",
                         f"Unexpected error: {str(e)}",
-                        region,
+                        eval_region,
                         resource_type
                     ))
         
@@ -298,6 +329,57 @@ class BaseConfigRuleAssessment(ABC):
         
         return list(services)
     
+    def _is_account_level_resource(self, resource_type: str) -> bool:
+        """Check if resource type is account-level (global).
+        
+        Account-level resources should be evaluated in us-east-1 only once,
+        not per region. This prevents duplicate evaluations and region validation errors.
+        
+        Args:
+            resource_type: AWS resource type (e.g., "AWS::::Account", "AWS::IAM::User")
+            
+        Returns:
+            True if resource is account-level/global
+        """
+        # Explicit account-level marker
+        if resource_type == 'AWS::::Account':
+            return True
+        
+        # Global services that should only be evaluated in us-east-1
+        global_service_prefixes = [
+            'AWS::IAM::',           # IAM is global
+            'AWS::CloudFront::',    # CloudFront is global
+            'AWS::Route53::',       # Route53 is global
+            'AWS::Organizations::', # Organizations is global
+        ]
+        
+        for prefix in global_service_prefixes:
+            if resource_type.startswith(prefix):
+                return True
+        
+        # S3 buckets are special - they're global but region-specific
+        # We handle them in controls by checking region == 'us-east-1'
+        
+        return False
+    
+    def _get_evaluation_region(self, resource_type: str, requested_region: str) -> str:
+        """Determine which region to use for resource evaluation.
+        
+        Account-level and global resources must be evaluated in us-east-1
+        to avoid region validation errors and ensure proper API access.
+        
+        Args:
+            resource_type: AWS resource type
+            requested_region: Region requested for evaluation
+            
+        Returns:
+            Region to use (us-east-1 for account-level, requested_region otherwise)
+        """
+        if self._is_account_level_resource(resource_type):
+            return 'us-east-1'
+        return requested_region
+    
+    
     def _create_error_result(self, resource_id: str, error_message: str, region: str, resource_type: str = "Unknown") -> ComplianceResult:
         """Create a ComplianceResult for error conditions.