aws-cis-controls-assessment 1.2.0__tar.gz → 1.2.2__tar.gz

{aws_cis_controls_assessment-1.2.0/aws_cis_controls_assessment.egg-info → aws_cis_controls_assessment-1.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aws-cis-controls-assessment
-Version: 1.2.0
+Version: 1.2.2
 Summary: Production-ready AWS CIS Controls compliance assessment framework with 175 comprehensive rules and 75%+ IG1 coverage
 Author-email: AWS CIS Assessment Team <security@example.com>
 Maintainer-email: AWS CIS Assessment Team <security@example.com>

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/__init__.py

@@ -6,6 +6,6 @@ CIS Controls Implementation Groups (IG1, IG2, IG3). Implements 175 comprehensive
 across all implementation groups with 75%+ coverage of CIS Controls v8.1 IG1 safeguards.
 """
 
-__version__ = "1.2.0"
+__version__ = "1.2.2"
 __author__ = "AWS CIS Assessment Team"
 __description__ = "Production-ready AWS CIS Controls Compliance Assessment Framework with Enhanced IG1 Coverage"

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/config/rules/cis_controls_ig1.yaml

@@ -917,12 +917,12 @@ controls:
     title: Encrypt Sensitive Data in Transit
     weight: 1.0
     config_rules:
-    - name: alb-http-to-https-redirection
+    - name: alb-http-to-https-redirection-check
       resource_types:
       - AWS::ElasticLoadBalancingV2::LoadBalancer
       parameters: {}
-      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: alb-http-to-https-redirection\n    \n    Ensures Application Load Balancers redirect HTTP traffic to HTTPS."
-      remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection
+      description: "CIS Control 3.10 - Encrypt Sensitive Data in Transit\n    AWS Config Rule: alb-http-to-https-redirection-check\n    \n    Ensures Application Load Balancers redirect HTTP traffic to HTTPS."
+      remediation_guidance: Follow AWS Config rule guidance for alb-http-to-https-redirection-check
     - name: elb-tls-https-listeners-only
       resource_types:
       - AWS::ElasticLoadBalancingV2::LoadBalancer

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/base_control.py

@@ -56,25 +56,37 @@ class BaseConfigRuleAssessment(ABC):
         results = []
         
         try:
-            # Validate that we can access required services
-            if not self._validate_service_access(aws_factory, region):
-                return [self._create_error_result(
-                    "SERVICE_UNAVAILABLE",
-                    f"Required AWS services not accessible in region {region}",
-                    region
-                )]
-            
             # Evaluate each resource type
             for resource_type in self.resource_types:
                 try:
+                    # Determine evaluation region (us-east-1 for account-level resources)
+                    eval_region = self._get_evaluation_region(resource_type, region)
+                    is_account_level = self._is_account_level_resource(resource_type)
+                    
+                    # Skip account-level resources in non-primary regions to prevent duplication
+                    # Account-level resources are only evaluated once in us-east-1
+                    if is_account_level and region != 'us-east-1':
+                        logger.debug(f"Skipping {resource_type} in {region} (account-level resource, evaluated in us-east-1 only)")
+                        continue
+                    
+                    # Validate that we can access required services in the evaluation region
+                    if not self._validate_service_access(aws_factory, eval_region):
+                        results.append(self._create_error_result(
+                            "SERVICE_UNAVAILABLE",
+                            f"Required AWS services not accessible in region {eval_region}",
+                            eval_region,
+                            resource_type
+                        ))
+                        continue
+                    
                     # Use error handler for resource discovery if available
                     def get_resources():
-                        return self._get_resources(aws_factory, resource_type, region)
+                        return self._get_resources(aws_factory, resource_type, eval_region)
                     
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="get_resources",
                             control_id=self.control_id,
@@ -90,18 +102,18 @@ class BaseConfigRuleAssessment(ABC):
                     else:
                         resources = get_resources()
                     
-                    logger.debug(f"Found {len(resources)} resources of type {resource_type} in {region}")
+                    logger.debug(f"Found {len(resources)} resources of type {resource_type} in {eval_region}")
                     
                     for resource in resources:
                         try:
                             # Use error handler for resource evaluation if available
                             def evaluate_resource():
-                                return self._evaluate_resource_compliance(resource, aws_factory, region)
+                                return self._evaluate_resource_compliance(resource, aws_factory, eval_region)
                             
                             if self.error_handler:
                                 context = ErrorContext(
                                     service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                                    region=region,
+                                    region=eval_region,
                                     resource_type=resource_type,
                                     resource_id=resource.get('id', 'unknown'),
                                     operation="evaluate_compliance",
@@ -121,13 +133,20 @@ class BaseConfigRuleAssessment(ABC):
                             results.append(compliance)
                             
                         except Exception as e:
-                            logger.error(f"Error evaluating resource {resource.get('id', 'unknown')}: {e}")
+                            error_str = str(e)
+                            # Log expected errors at DEBUG level
+                            if ("Parameter validation failed" in error_str or 
+                                "Missing required parameter" in error_str or
+                                "Could not connect to the endpoint URL" in error_str):
+                                logger.debug(f"Expected error for resource {resource.get('id', 'unknown')}: {e}")
+                            else:
+                                logger.error(f"Error evaluating resource {resource.get('id', 'unknown')}: {e}")
                             
                             # Handle error with error handler if available
                             if self.error_handler:
                                 context = ErrorContext(
                                     service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                                    region=region,
+                                    region=eval_region,
                                     resource_type=resource_type,
                                     resource_id=resource.get('id', 'unknown'),
                                     operation="evaluate_compliance",
@@ -139,19 +158,27 @@ class BaseConfigRuleAssessment(ABC):
                             results.append(self._create_error_result(
                                 resource.get('id', 'unknown'),
                                 f"Evaluation error: {str(e)}",
-                                region,
+                                eval_region,
                                 resource_type
                             ))
                 
                 except ClientError as e:
                     error_code = e.response.get('Error', {}).get('Code', '')
-                    error_message = f"AWS API error: {str(e)}"
+                    error_message = str(e)
+                    
+                    # Log parameter validation errors at DEBUG level (expected for some resources)
+                    if 'Parameter' in error_code or 'parameter' in error_message.lower():
+                        logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
+                    elif error_code in ['AccessDenied', 'UnauthorizedOperation']:
+                        logger.debug(f"Access denied for {resource_type} in {eval_region}")
+                    else:
+                        logger.error(f"AWS API error for {resource_type} in {eval_region}: {e}")
                     
                     # Handle error with error handler if available
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="get_resources",
                             control_id=self.control_id,
@@ -163,25 +190,29 @@ class BaseConfigRuleAssessment(ABC):
                         results.append(self._create_error_result(
                             f"{resource_type}_PERMISSION_ERROR",
                             f"Insufficient permissions to evaluate {resource_type}",
-                            region,
+                            eval_region,
                             resource_type
                         ))
                     else:
                         results.append(self._create_error_result(
                             f"{resource_type}_API_ERROR",
-                            error_message,
-                            region,
+                            f"AWS API error: {error_message}",
+                            eval_region,
                             resource_type
                         ))
                 
                 except Exception as e:
-                    logger.error(f"Unexpected error evaluating {resource_type}: {e}")
+                    # Log parameter validation errors at DEBUG level (expected for some resources)
+                    if "Parameter validation failed" in str(e) or "Missing required parameter" in str(e):
+                        logger.debug(f"Parameter validation error for {resource_type} in {eval_region}: {e}")
+                    else:
+                        logger.error(f"Unexpected error evaluating {resource_type}: {e}")
                     
                     # Handle error with error handler if available
                     if self.error_handler:
                         context = ErrorContext(
                             service_name=self._get_required_services()[0] if self._get_required_services() else "",
-                            region=region,
+                            region=eval_region,
                             resource_type=resource_type,
                             operation="evaluate_resource_type",
                             control_id=self.control_id,
@@ -192,7 +223,7 @@ class BaseConfigRuleAssessment(ABC):
                     results.append(self._create_error_result(
                         f"{resource_type}_UNKNOWN_ERROR",
                         f"Unexpected error: {str(e)}",
-                        region,
+                        eval_region,
                         resource_type
                     ))
         
@@ -298,6 +329,57 @@ class BaseConfigRuleAssessment(ABC):
         
         return list(services)
     
+    def _is_account_level_resource(self, resource_type: str) -> bool:
+        """Check if resource type is account-level (global).
+        
+        Account-level resources should be evaluated in us-east-1 only once,
+        not per region. This prevents duplicate evaluations and region validation errors.
+        
+        Args:
+            resource_type: AWS resource type (e.g., "AWS::::Account", "AWS::IAM::User")
+            
+        Returns:
+            True if resource is account-level/global
+        """
+        # Explicit account-level marker
+        if resource_type == 'AWS::::Account':
+            return True
+        
+        # Global services that should only be evaluated in us-east-1
+        global_service_prefixes = [
+            'AWS::IAM::',           # IAM is global
+            'AWS::CloudFront::',    # CloudFront is global
+            'AWS::Route53::',       # Route53 is global
+            'AWS::Organizations::', # Organizations is global
+        ]
+        
+        for prefix in global_service_prefixes:
+            if resource_type.startswith(prefix):
+                return True
+        
+        # S3 buckets are special - they're global but region-specific
+        # We handle them in controls by checking region == 'us-east-1'
+        
+        return False
+    
+    def _get_evaluation_region(self, resource_type: str, requested_region: str) -> str:
+        """Determine which region to use for resource evaluation.
+        
+        Account-level and global resources must be evaluated in us-east-1
+        to avoid region validation errors and ensure proper API access.
+        
+        Args:
+            resource_type: AWS resource type
+            requested_region: Region requested for evaluation
+            
+        Returns:
+            Region to use (us-east-1 for account-level, requested_region otherwise)
+        """
+        if self._is_account_level_resource(resource_type):
+            return 'us-east-1'
+        return requested_region
+    
+    
     def _create_error_result(self, resource_id: str, error_message: str, region: str, resource_type: str = "Unknown") -> ComplianceResult:
         """Create a ComplianceResult for error conditions.
         

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/__init__.py

@@ -61,13 +61,8 @@ from .control_data_protection import (
 )
 
 from .control_network_security import (
-    DMSReplicationNotPublicAssessment,
-    ElasticsearchInVPCOnlyAssessment,
-    EC2InstancesInVPCAssessment,
-    EMRMasterNoPublicIPAssessment,
-    LambdaFunctionPublicAccessProhibitedAssessment,
-    SageMakerNotebookNoDirectInternetAccessAssessment,
-    SubnetAutoAssignPublicIPDisabledAssessment
+    NetworkFirewallDeployedAssessment,
+    Route53ResolverFirewallEnabledAssessment
 )
 
 from .control_iam_governance import (
@@ -143,6 +138,85 @@ from .control_instance_optimization import (
     EBSOptimizedInstanceAssessment
 )
 
+# Phase 1-4: CIS Controls v8.1 IG1 Expansion
+from .control_guardduty import GuardDutyEnabledAssessment
+from .control_inspector import InspectorEnabledAssessment
+from .control_macie import MacieEnabledAssessment
+from .control_access_analyzer import IAMAccessAnalyzerEnabledAssessment
+from .control_vpc_flow_logs import VPCFlowLogsEnabledAssessment
+from .control_elb_logging import ELBLoggingEnabledAssessment
+from .control_cloudfront_logging import CloudFrontLoggingEnabledAssessment
+from .control_waf_logging import WAFLoggingEnabledAssessment
+from .control_ebs_encryption import EBSEncryptionByDefaultAssessment
+from .control_rds_encryption import RDSStorageEncryptedAssessment
+from .control_efs_encryption import EFSEncryptedCheckAssessment
+from .control_dynamodb_encryption import DynamoDBTableEncryptedKMSAssessment
+from .control_s3_encryption import S3DefaultEncryptionKMSAssessment
+from .control_patch_management import (
+    SSMPatchManagerEnabledAssessment,
+    SSMPatchBaselineConfiguredAssessment,
+    EC2PatchComplianceStatusAssessment
+)
+from .control_access_control import (
+    SSOEnabledCheckAssessment,
+    IdentityCenterConfiguredAssessment
+)
+from .control_mfa import (
+    IAMAdminMFARequiredAssessment,
+    CognitoMFAEnabledAssessment,
+    VPNMFAEnabledAssessment
+)
+from .control_tls_ssl import (
+    ALBHTTPToHTTPSRedirectionAssessment,
+    ELBTLSHTTPSListenersOnlyAssessment,
+    RDSSSLConnectionRequiredAssessment,
+    APIGatewaySSLEnabledAssessment,
+    RedshiftRequireTLSSSLAssessment
+)
+from .control_messaging_encryption import (
+    SNSEncryptedKMSAssessment,
+    SQSQueueEncryptedAssessment,
+    CloudTrailS3DataEventsEnabledAssessment
+)
+from .control_inventory import (
+    SSMInventoryEnabledAssessment,
+    ConfigEnabledAllRegionsAssessment,
+    AMIInventoryTrackingAssessment,
+    LambdaRuntimeInventoryAssessment,
+    IAMUserInventoryCheckAssessment
+)
+from .control_configuration_mgmt import (
+    ConfigConformancePackDeployedAssessment,
+    SecurityHubStandardsEnabledAssessment,
+    AssetTaggingComplianceAssessment,
+    InspectorAssessmentEnabledAssessment
+)
+from .control_version_mgmt import (
+    EC2OSVersionSupportedAssessment,
+    RDSEngineVersionSupportedAssessment,
+    LambdaRuntimeSupportedAssessment
+)
+from .control_access_asset_mgmt import (
+    IAMUserLastAccessCheckAssessment,
+    SSMSessionManagerEnabledAssessment,
+    UnauthorizedAssetDetectionAssessment
+)
+from .control_data_classification import (
+    DataClassificationTaggingAssessment,
+    S3BucketClassificationTagsAssessment
+)
+from .control_network_security import (
+    NetworkFirewallDeployedAssessment,
+    Route53ResolverFirewallEnabledAssessment
+)
+from .control_backup_security import (
+    BackupVaultEncryptionEnabledAssessment,
+    BackupCrossRegionCopyEnabledAssessment,
+    BackupVaultLockEnabledAssessment,
+    Route53QueryLoggingEnabledAssessment,
+    RDSBackupRetentionCheckAssessment
+)
+
 __all__ = [
     # Control 1.1 - Asset Inventory
     'EIPAttachedAssessment',
@@ -171,13 +245,6 @@ __all__ = [
     'RDSInstancePublicAccessCheckAssessment',
     'RedshiftClusterPublicAccessCheckAssessment',
     'S3BucketLevelPublicAccessProhibitedAssessment',
-    'DMSReplicationNotPublicAssessment',
-    'ElasticsearchInVPCOnlyAssessment',
-    'EC2InstancesInVPCAssessment',
-    'EMRMasterNoPublicIPAssessment',
-    'LambdaFunctionPublicAccessProhibitedAssessment',
-    'SageMakerNotebookNoDirectInternetAccessAssessment',
-    'SubnetAutoAssignPublicIPDisabledAssessment',
     'IAMGroupHasUsersCheckAssessment',
     'IAMPolicyNoStatementsWithFullAccessAssessment',
     'IAMUserNoPoliciesCheckAssessment',
@@ -252,5 +319,67 @@ __all__ = [
     'S3BucketPublicWriteProhibitedAssessment',
     
     # Instance Optimization
-    'EBSOptimizedInstanceAssessment'
+    'EBSOptimizedInstanceAssessment',
+    
+    # Phase 1-4: CIS Controls v8.1 IG1 Expansion (50 new rules)
+    # Phase 1 - Quick Wins (13 rules)
+    'GuardDutyEnabledAssessment',
+    'InspectorEnabledAssessment',
+    'MacieEnabledAssessment',
+    'IAMAccessAnalyzerEnabledAssessment',
+    'VPCFlowLogsEnabledAssessment',
+    'ELBLoggingEnabledAssessment',
+    'CloudFrontLoggingEnabledAssessment',
+    'WAFLoggingEnabledAssessment',
+    'EBSEncryptionByDefaultAssessment',
+    'RDSStorageEncryptedAssessment',
+    'EFSEncryptedCheckAssessment',
+    'DynamoDBTableEncryptedKMSAssessment',
+    'S3DefaultEncryptionKMSAssessment',
+    
+    # Phase 2 - Core Security (15 rules)
+    'SSMPatchManagerEnabledAssessment',
+    'SSMPatchBaselineConfiguredAssessment',
+    'EC2PatchComplianceStatusAssessment',
+    'SSOEnabledCheckAssessment',
+    'IdentityCenterConfiguredAssessment',
+    'IAMAdminMFARequiredAssessment',
+    'CognitoMFAEnabledAssessment',
+    'VPNMFAEnabledAssessment',
+    'ALBHTTPToHTTPSRedirectionAssessment',
+    'ELBTLSHTTPSListenersOnlyAssessment',
+    'RDSSSLConnectionRequiredAssessment',
+    'APIGatewaySSLEnabledAssessment',
+    'RedshiftRequireTLSSSLAssessment',
+    'SNSEncryptedKMSAssessment',
+    'SQSQueueEncryptedAssessment',
+    'CloudTrailS3DataEventsEnabledAssessment',
+    
+    # Phase 3 - Advanced (15 rules)
+    'SSMInventoryEnabledAssessment',
+    'ConfigEnabledAllRegionsAssessment',
+    'AMIInventoryTrackingAssessment',
+    'LambdaRuntimeInventoryAssessment',
+    'IAMUserInventoryCheckAssessment',
+    'ConfigConformancePackDeployedAssessment',
+    'SecurityHubStandardsEnabledAssessment',
+    'AssetTaggingComplianceAssessment',
+    'InspectorAssessmentEnabledAssessment',
+    'EC2OSVersionSupportedAssessment',
+    'RDSEngineVersionSupportedAssessment',
+    'LambdaRuntimeSupportedAssessment',
+    'IAMUserLastAccessCheckAssessment',
+    'SSMSessionManagerEnabledAssessment',
+    'UnauthorizedAssetDetectionAssessment',
+    
+    # Phase 4 - Enhanced (7 rules)
+    'DataClassificationTaggingAssessment',
+    'S3BucketClassificationTagsAssessment',
+    'NetworkFirewallDeployedAssessment',
+    'Route53ResolverFirewallEnabledAssessment',
+    'BackupVaultEncryptionEnabledAssessment',
+    'BackupCrossRegionCopyEnabledAssessment',
+    'BackupVaultLockEnabledAssessment',
+    'Route53QueryLoggingEnabledAssessment',
+    'RDSBackupRetentionCheckAssessment'
 ]

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/control_4_1.py

@@ -28,8 +28,8 @@ class AccountPartOfOrganizationsAssessment(BaseConfigRuleAssessment):
             return []
         
         try:
-            # Get account information
-            sts_client = aws_factory.get_client('sts', region)
+            # Get account information (use allow_global_region for account-level resources)
+            sts_client = aws_factory.get_client('sts', region, allow_global_region=True)
             
             response = aws_factory.aws_api_call_with_retry(
                 lambda: sts_client.get_caller_identity()
@@ -55,8 +55,8 @@ class AccountPartOfOrganizationsAssessment(BaseConfigRuleAssessment):
         account_id = resource.get('AccountId', 'unknown')
         
         try:
-            # Check if account is part of an organization
-            organizations_client = aws_factory.get_client('organizations', region)
+            # Check if account is part of an organization (use allow_global_region for account-level resources)
+            organizations_client = aws_factory.get_client('organizations', region, allow_global_region=True)
             
             # Try to describe the organization
             response = aws_factory.aws_api_call_with_retry(

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/control_guardduty.py

@@ -16,8 +16,8 @@ logger = logging.getLogger(__name__)
 
 class GuardDutyEnabledAssessment(BaseConfigRuleAssessment):
     """
-    CIS Control 10.1 - Deploy and Maintain Anti-Malware Software
-    AWS Config Rule: guardduty-enabled
+    CIS Control 6.2 - Establish and Maintain a Secure Network Architecture
+    AWS Config Rule: guardduty-enabled-centralized
     
     Ensures GuardDuty is enabled for threat detection and malware defense.
     GuardDuty provides intelligent threat detection by analyzing VPC Flow Logs,
@@ -26,8 +26,8 @@ class GuardDutyEnabledAssessment(BaseConfigRuleAssessment):
     
     def __init__(self):
         super().__init__(
-            rule_name="guardduty-enabled",
-            control_id="10.1",
+            rule_name="guardduty-enabled-centralized",
+            control_id="6.2",
             resource_types=["AWS::GuardDuty::Detector"]
         )
     

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/control_s3_encryption.py

@@ -304,7 +304,7 @@ class S3DefaultEncryptionKMSAssessment(BaseConfigRuleAssessment):
             '         "Rules": [{',
             '           "ApplyServerSideEncryptionByDefault": {',
             '             "SSEAlgorithm": "aws:kms",',
-            '             "KMSMasterKeyID": "'\"$KMS_KEY_ID\"'"',
+            '             "KMSMasterKeyID": "'"$KMS_KEY_ID"'"',
             "           },",
             '           "BucketKeyEnabled": true',
             "         }]",

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/control_tls_ssl.py

@@ -16,16 +16,16 @@ logger = logging.getLogger(__name__)
 
 class ALBHTTPToHTTPSRedirectionAssessment(BaseConfigRuleAssessment):
     """
-    CIS Control 2.8 - Encrypt Sensitive Data in Transit
-    AWS Config Rule: alb-http-to-https-redirection
+    CIS Control 3.10 - Encrypt Sensitive Data in Transit
+    AWS Config Rule: alb-http-to-https-redirection-check
     
     Ensures Application Load Balancers redirect HTTP traffic to HTTPS.
     """
     
     def __init__(self):
         super().__init__(
-            rule_name="alb-http-to-https-redirection",
-            control_id="2.8",
+            rule_name="alb-http-to-https-redirection-check",
+            control_id="3.10",
             resource_types=["AWS::ElasticLoadBalancingV2::LoadBalancer"]
         )
     

{aws_cis_controls_assessment-1.2.0 → aws_cis_controls_assessment-1.2.2}/aws_cis_assessment/controls/ig1/control_version_mgmt.py

@@ -58,7 +58,15 @@ class EC2OSVersionSupportedAssessment(BaseConfigRuleAssessment):
             return instances
             
         except ClientError as e:
-            logger.error(f"Error retrieving instance information in {region}: {e}")
+            error_code = e.response.get('Error', {}).get('Code', '')
+            # Log parameter validation errors at DEBUG level (expected for some resources)
+            if 'Parameter' in error_code or 'parameter' in str(e).lower():
+                logger.debug(f"Parameter validation issue retrieving instance information in {region}: {e}")
+            else:
+                logger.error(f"Error retrieving instance information in {region}: {e}")
+            return []
+        except Exception as e:
+            logger.error(f"Unexpected error retrieving instance information in {region}: {e}")
             return []
     
     def _check_version_support(self, platform_name: str, platform_version: str) -> bool: