PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.4__py3-none-any.whl → 1.2.2__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.4py3-none-any.whl → 1.2.2py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

aws_cis_assessment/controls/ig1/__init__.py CHANGED Viewed

@@ -61,13 +61,8 @@ from .control_data_protection import (
 )
 from .control_network_security import (
-    DMSReplicationNotPublicAssessment,
-    ElasticsearchInVPCOnlyAssessment,
-    EC2InstancesInVPCAssessment,
-    EMRMasterNoPublicIPAssessment,
-    LambdaFunctionPublicAccessProhibitedAssessment,
-    SageMakerNotebookNoDirectInternetAccessAssessment,
-    SubnetAutoAssignPublicIPDisabledAssessment
+    NetworkFirewallDeployedAssessment,
+    Route53ResolverFirewallEnabledAssessment
 )
 from .control_iam_governance import (
@@ -143,6 +138,85 @@ from .control_instance_optimization import (
     EBSOptimizedInstanceAssessment
 )
+# Phase 1-4: CIS Controls v8.1 IG1 Expansion
+from .control_guardduty import GuardDutyEnabledAssessment
+from .control_inspector import InspectorEnabledAssessment
+from .control_macie import MacieEnabledAssessment
+from .control_access_analyzer import IAMAccessAnalyzerEnabledAssessment
+from .control_vpc_flow_logs import VPCFlowLogsEnabledAssessment
+from .control_elb_logging import ELBLoggingEnabledAssessment
+from .control_cloudfront_logging import CloudFrontLoggingEnabledAssessment
+from .control_waf_logging import WAFLoggingEnabledAssessment
+from .control_ebs_encryption import EBSEncryptionByDefaultAssessment
+from .control_rds_encryption import RDSStorageEncryptedAssessment
+from .control_efs_encryption import EFSEncryptedCheckAssessment
+from .control_dynamodb_encryption import DynamoDBTableEncryptedKMSAssessment
+from .control_s3_encryption import S3DefaultEncryptionKMSAssessment
+from .control_patch_management import (
+    SSMPatchManagerEnabledAssessment,
+    SSMPatchBaselineConfiguredAssessment,
+    EC2PatchComplianceStatusAssessment
+)
+from .control_access_control import (
+    SSOEnabledCheckAssessment,
+    IdentityCenterConfiguredAssessment
+)
+from .control_mfa import (
+    IAMAdminMFARequiredAssessment,
+    CognitoMFAEnabledAssessment,
+    VPNMFAEnabledAssessment
+)
+from .control_tls_ssl import (
+    ALBHTTPToHTTPSRedirectionAssessment,
+    ELBTLSHTTPSListenersOnlyAssessment,
+    RDSSSLConnectionRequiredAssessment,
+    APIGatewaySSLEnabledAssessment,
+    RedshiftRequireTLSSSLAssessment
+)
+from .control_messaging_encryption import (
+    SNSEncryptedKMSAssessment,
+    SQSQueueEncryptedAssessment,
+    CloudTrailS3DataEventsEnabledAssessment
+)
+from .control_inventory import (
+    SSMInventoryEnabledAssessment,
+    ConfigEnabledAllRegionsAssessment,
+    AMIInventoryTrackingAssessment,
+    LambdaRuntimeInventoryAssessment,
+    IAMUserInventoryCheckAssessment
+)
+from .control_configuration_mgmt import (
+    ConfigConformancePackDeployedAssessment,
+    SecurityHubStandardsEnabledAssessment,
+    AssetTaggingComplianceAssessment,
+    InspectorAssessmentEnabledAssessment
+)
+from .control_version_mgmt import (
+    EC2OSVersionSupportedAssessment,
+    RDSEngineVersionSupportedAssessment,
+    LambdaRuntimeSupportedAssessment
+)
+from .control_access_asset_mgmt import (
+    IAMUserLastAccessCheckAssessment,
+    SSMSessionManagerEnabledAssessment,
+    UnauthorizedAssetDetectionAssessment
+)
+from .control_data_classification import (
+    DataClassificationTaggingAssessment,
+    S3BucketClassificationTagsAssessment
+)
+from .control_network_security import (
+    NetworkFirewallDeployedAssessment,
+    Route53ResolverFirewallEnabledAssessment
+)
+from .control_backup_security import (
+    BackupVaultEncryptionEnabledAssessment,
+    BackupCrossRegionCopyEnabledAssessment,
+    BackupVaultLockEnabledAssessment,
+    Route53QueryLoggingEnabledAssessment,
+    RDSBackupRetentionCheckAssessment
+)
 __all__ = [
     # Control 1.1 - Asset Inventory
     'EIPAttachedAssessment',
@@ -171,13 +245,6 @@ __all__ = [
     'RDSInstancePublicAccessCheckAssessment',
     'RedshiftClusterPublicAccessCheckAssessment',
     'S3BucketLevelPublicAccessProhibitedAssessment',
-    'DMSReplicationNotPublicAssessment',
-    'ElasticsearchInVPCOnlyAssessment',
-    'EC2InstancesInVPCAssessment',
-    'EMRMasterNoPublicIPAssessment',
-    'LambdaFunctionPublicAccessProhibitedAssessment',
-    'SageMakerNotebookNoDirectInternetAccessAssessment',
-    'SubnetAutoAssignPublicIPDisabledAssessment',
     'IAMGroupHasUsersCheckAssessment',
     'IAMPolicyNoStatementsWithFullAccessAssessment',
     'IAMUserNoPoliciesCheckAssessment',
@@ -252,5 +319,67 @@ __all__ = [
     'S3BucketPublicWriteProhibitedAssessment',
     # Instance Optimization
-    'EBSOptimizedInstanceAssessment'
+    'EBSOptimizedInstanceAssessment',
+    # Phase 1-4: CIS Controls v8.1 IG1 Expansion (50 new rules)
+    # Phase 1 - Quick Wins (13 rules)
+    'GuardDutyEnabledAssessment',
+    'InspectorEnabledAssessment',
+    'MacieEnabledAssessment',
+    'IAMAccessAnalyzerEnabledAssessment',
+    'VPCFlowLogsEnabledAssessment',
+    'ELBLoggingEnabledAssessment',
+    'CloudFrontLoggingEnabledAssessment',
+    'WAFLoggingEnabledAssessment',
+    'EBSEncryptionByDefaultAssessment',
+    'RDSStorageEncryptedAssessment',
+    'EFSEncryptedCheckAssessment',
+    'DynamoDBTableEncryptedKMSAssessment',
+    'S3DefaultEncryptionKMSAssessment',
+    # Phase 2 - Core Security (15 rules)
+    'SSMPatchManagerEnabledAssessment',
+    'SSMPatchBaselineConfiguredAssessment',
+    'EC2PatchComplianceStatusAssessment',
+    'SSOEnabledCheckAssessment',
+    'IdentityCenterConfiguredAssessment',
+    'IAMAdminMFARequiredAssessment',
+    'CognitoMFAEnabledAssessment',
+    'VPNMFAEnabledAssessment',
+    'ALBHTTPToHTTPSRedirectionAssessment',
+    'ELBTLSHTTPSListenersOnlyAssessment',
+    'RDSSSLConnectionRequiredAssessment',
+    'APIGatewaySSLEnabledAssessment',
+    'RedshiftRequireTLSSSLAssessment',
+    'SNSEncryptedKMSAssessment',
+    'SQSQueueEncryptedAssessment',
+    'CloudTrailS3DataEventsEnabledAssessment',
+    # Phase 3 - Advanced (15 rules)
+    'SSMInventoryEnabledAssessment',
+    'ConfigEnabledAllRegionsAssessment',
+    'AMIInventoryTrackingAssessment',
+    'LambdaRuntimeInventoryAssessment',
+    'IAMUserInventoryCheckAssessment',
+    'ConfigConformancePackDeployedAssessment',
+    'SecurityHubStandardsEnabledAssessment',
+    'AssetTaggingComplianceAssessment',
+    'InspectorAssessmentEnabledAssessment',
+    'EC2OSVersionSupportedAssessment',
+    'RDSEngineVersionSupportedAssessment',
+    'LambdaRuntimeSupportedAssessment',
+    'IAMUserLastAccessCheckAssessment',
+    'SSMSessionManagerEnabledAssessment',
+    'UnauthorizedAssetDetectionAssessment',
+    # Phase 4 - Enhanced (7 rules)
+    'DataClassificationTaggingAssessment',
+    'S3BucketClassificationTagsAssessment',
+    'NetworkFirewallDeployedAssessment',
+    'Route53ResolverFirewallEnabledAssessment',
+    'BackupVaultEncryptionEnabledAssessment',
+    'BackupCrossRegionCopyEnabledAssessment',
+    'BackupVaultLockEnabledAssessment',
+    'Route53QueryLoggingEnabledAssessment',
+    'RDSBackupRetentionCheckAssessment'
 ]

aws_cis_assessment/controls/ig1/control_4_1.py CHANGED Viewed

@@ -28,8 +28,8 @@ class AccountPartOfOrganizationsAssessment(BaseConfigRuleAssessment):
             return []
         try:
-            # Get account information
-            sts_client = aws_factory.get_client('sts', region)
+            # Get account information (use allow_global_region for account-level resources)
+            sts_client = aws_factory.get_client('sts', region, allow_global_region=True)
             response = aws_factory.aws_api_call_with_retry(
                 lambda: sts_client.get_caller_identity()
@@ -55,8 +55,8 @@ class AccountPartOfOrganizationsAssessment(BaseConfigRuleAssessment):
         account_id = resource.get('AccountId', 'unknown')
         try:
-            # Check if account is part of an organization
-            organizations_client = aws_factory.get_client('organizations', region)
+            # Check if account is part of an organization (use allow_global_region for account-level resources)
+            organizations_client = aws_factory.get_client('organizations', region, allow_global_region=True)
             # Try to describe the organization
             response = aws_factory.aws_api_call_with_retry(

aws_cis_assessment/controls/ig1/control_access_analyzer.py ADDED Viewed

@@ -0,0 +1,198 @@
+"""
+CIS Control 6.1 - IAM Access Analyzer
+Ensures IAM Access Analyzer is enabled for access control validation.
+"""
+import logging
+from typing import List, Dict, Any
+from botocore.exceptions import ClientError
+from aws_cis_assessment.controls.base_control import BaseConfigRuleAssessment
+from aws_cis_assessment.core.models import ComplianceResult, ComplianceStatus
+from aws_cis_assessment.core.aws_client_factory import AWSClientFactory
+logger = logging.getLogger(__name__)
+class IAMAccessAnalyzerEnabledAssessment(BaseConfigRuleAssessment):
+    """
+    CIS Control 6.1 - Establish an Access Granting Process
+    AWS Config Rule: iam-access-analyzer-enabled
+    Ensures IAM Access Analyzer is enabled to identify resources shared with
+    external entities. Access Analyzer helps identify unintended access to
+    resources and data, which is a security risk.
+    """
+    def __init__(self):
+        super().__init__(
+            rule_name="iam-access-analyzer-enabled",
+            control_id="6.1",
+            resource_types=["AWS::AccessAnalyzer::Analyzer"]
+        )
+    def _get_resources(self, aws_factory: AWSClientFactory, resource_type: str, region: str) -> List[Dict[str, Any]]:
+        """Get IAM Access Analyzer configuration for the region."""
+        if resource_type != "AWS::AccessAnalyzer::Analyzer":
+            return []
+        try:
+            access_analyzer_client = aws_factory.get_client('accessanalyzer', region)
+            # List all analyzers in the region
+            try:
+                response = access_analyzer_client.list_analyzers()
+                analyzers = response.get('analyzers', [])
+                if not analyzers:
+                    # No analyzer found
+                    return [{
+                        'AnalyzerArn': 'none',
+                        'AnalyzerName': 'none',
+                        'Status': 'NOT_ENABLED',
+                        'Type': 'UNKNOWN',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                    }]
+                # Return all analyzers
+                analyzer_resources = []
+                for analyzer in analyzers:
+                    analyzer_resources.append({
+                        'AnalyzerArn': analyzer.get('arn', ''),
+                        'AnalyzerName': analyzer.get('name', ''),
+                        'Status': analyzer.get('status', 'UNKNOWN'),
+                        'Type': analyzer.get('type', 'UNKNOWN'),
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown'),
+                        'CreatedAt': analyzer.get('createdAt', ''),
+                        'LastResourceAnalyzed': analyzer.get('lastResourceAnalyzed', ''),
+                        'LastResourceAnalyzedAt': analyzer.get('lastResourceAnalyzedAt', '')
+                    })
+                return analyzer_resources
+            except ClientError as e:
+                error_code = e.response.get('Error', {}).get('Code', '')
+                if error_code in ['ResourceNotFoundException', 'AccessDeniedException']:
+                    # No analyzer or no access
+                    return [{
+                        'AnalyzerArn': 'none',
+                        'AnalyzerName': 'none',
+                        'Status': 'NOT_ENABLED',
+                        'Type': 'UNKNOWN',
+                        'Region': region,
+                        'AccountId': aws_factory.get_account_info().get('account_id', 'unknown')
+                    }]
+                raise
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                logger.warning(f"Access denied to IAM Access Analyzer in {region}")
+            else:
+                logger.error(f"Error checking IAM Access Analyzer status in {region}: {e}")
+            return []
+    def _evaluate_resource_compliance(
+        self,
+        resource: Dict[str, Any],
+        aws_factory: AWSClientFactory,
+        region: str
+    ) -> ComplianceResult:
+        """Evaluate if IAM Access Analyzer is enabled."""
+        analyzer_name = resource.get('AnalyzerName', 'none')
+        analyzer_arn = resource.get('AnalyzerArn', 'none')
+        status = resource.get('Status', 'NOT_ENABLED')
+        analyzer_type = resource.get('Type', 'UNKNOWN')
+        # Check if Access Analyzer is enabled and active
+        is_compliant = status == 'ACTIVE' and analyzer_type in ['ACCOUNT', 'ORGANIZATION']
+        if is_compliant:
+            evaluation_reason = (
+                f"IAM Access Analyzer '{analyzer_name}' is active in {region}. "
+                f"Type: {analyzer_type}"
+            )
+            compliance_status = ComplianceStatus.COMPLIANT
+        else:
+            if analyzer_name == 'none' or status == 'NOT_ENABLED':
+                evaluation_reason = f"IAM Access Analyzer is not enabled in {region}."
+            elif status == 'CREATING':
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' is being created in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            elif status == 'FAILED':
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' failed to create in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            else:
+                evaluation_reason = f"IAM Access Analyzer '{analyzer_name}' status is {status} in {region}."
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+            if not is_compliant:
+                compliance_status = ComplianceStatus.NON_COMPLIANT
+        return ComplianceResult(
+            resource_id=analyzer_arn if analyzer_arn != 'none' else 'none',
+            resource_type="AWS::AccessAnalyzer::Analyzer",
+            compliance_status=compliance_status,
+            evaluation_reason=evaluation_reason,
+            config_rule_name=self.rule_name,
+            region=region
+        )
+    def _get_rule_remediation_steps(self) -> List[str]:
+        """Get remediation steps for enabling IAM Access Analyzer."""
+        return [
+            "1. Enable IAM Access Analyzer in the AWS Console:",
+            "   - Navigate to IAM service",
+            "   - Click 'Access analyzer' in the left menu",
+            "   - Click 'Create analyzer'",
+            "   - Choose analyzer type:",
+            "     * Account: Analyzes resources in current account",
+            "     * Organization: Analyzes resources across AWS Organization",
+            "   - Enter analyzer name",
+            "   - Click 'Create analyzer'",
+            "",
+            "2. Enable Access Analyzer using AWS CLI:",
+            "   # For account-level analyzer",
+            "   aws accessanalyzer create-analyzer \\",
+            "     --analyzer-name MyAccountAnalyzer \\",
+            "     --type ACCOUNT \\",
+            "     --region <region>",
+            "",
+            "   # For organization-level analyzer (requires AWS Organizations)",
+            "   aws accessanalyzer create-analyzer \\",
+            "     --analyzer-name MyOrgAnalyzer \\",
+            "     --type ORGANIZATION \\",
+            "     --region <region>",
+            "",
+            "3. Review findings:",
+            "   - Access Analyzer automatically scans resources",
+            "   - Review findings in IAM console under 'Access analyzer'",
+            "   - Findings show resources accessible from outside your account/org",
+            "",
+            "4. Resolve findings:",
+            "   - Active findings: Resources with external access",
+            "   - Archived findings: Previously resolved or accepted risks",
+            "   - For each finding:",
+            "     * Review the resource and access path",
+            "     * Determine if access is intended",
+            "     * If unintended: Remove the external access",
+            "     * If intended: Archive the finding with justification",
+            "",
+            "5. Set up notifications:",
+            "   - Create EventBridge rules to route findings to SNS/Slack",
+            "   - Configure alerts for new findings",
+            "",
+            "6. Best practices:",
+            "   - Enable in all regions where you have resources",
+            "   - Review findings weekly",
+            "   - Use organization analyzer for centralized visibility",
+            "   - Integrate with Security Hub for consolidated findings",
+            "",
+            "Priority: HIGH - Unintended external access is a critical security risk",
+            "Effort: Low - Can be enabled in minutes",
+            "",
+            "AWS Documentation:",
+            "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html"
+        ]

aws-cis-controls-assessment 1.1.4__py3-none-any.whl → 1.2.2__py3-none-any.whl

aws-cis-controls-assessment 1.1.4py3-none-any.whl → 1.2.2py3-none-any.whl