PyPI - complio - Versions diffs - 0.1.1__py3-none-any.whl - Mend

complio 0.1.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

CHANGELOG.md +208 -0
README.md +343 -0
complio/__init__.py +48 -0
complio/cli/__init__.py +0 -0
complio/cli/banner.py +87 -0
complio/cli/commands/__init__.py +0 -0
complio/cli/commands/history.py +439 -0
complio/cli/commands/scan.py +700 -0
complio/cli/main.py +115 -0
complio/cli/output.py +338 -0
complio/config/__init__.py +17 -0
complio/config/settings.py +333 -0
complio/connectors/__init__.py +9 -0
complio/connectors/aws/__init__.py +0 -0
complio/connectors/aws/client.py +342 -0
complio/connectors/base.py +135 -0
complio/core/__init__.py +10 -0
complio/core/registry.py +228 -0
complio/core/runner.py +351 -0
complio/py.typed +0 -0
complio/reporters/__init__.py +7 -0
complio/reporters/generator.py +417 -0
complio/tests_library/__init__.py +0 -0
complio/tests_library/base.py +492 -0
complio/tests_library/identity/__init__.py +0 -0
complio/tests_library/identity/access_key_rotation.py +302 -0
complio/tests_library/identity/mfa_enforcement.py +327 -0
complio/tests_library/identity/root_account_protection.py +470 -0
complio/tests_library/infrastructure/__init__.py +0 -0
complio/tests_library/infrastructure/cloudtrail_encryption.py +286 -0
complio/tests_library/infrastructure/cloudtrail_log_validation.py +274 -0
complio/tests_library/infrastructure/cloudtrail_logging.py +400 -0
complio/tests_library/infrastructure/ebs_encryption.py +244 -0
complio/tests_library/infrastructure/ec2_security_groups.py +321 -0
complio/tests_library/infrastructure/iam_password_policy.py +460 -0
complio/tests_library/infrastructure/nacl_security.py +356 -0
complio/tests_library/infrastructure/rds_encryption.py +252 -0
complio/tests_library/infrastructure/s3_encryption.py +301 -0
complio/tests_library/infrastructure/s3_public_access.py +369 -0
complio/tests_library/infrastructure/secrets_manager_encryption.py +248 -0
complio/tests_library/infrastructure/vpc_flow_logs.py +287 -0
complio/tests_library/logging/__init__.py +0 -0
complio/tests_library/logging/cloudwatch_alarms.py +354 -0
complio/tests_library/logging/cloudwatch_logs_encryption.py +281 -0
complio/tests_library/logging/cloudwatch_retention.py +252 -0
complio/tests_library/logging/config_enabled.py +393 -0
complio/tests_library/logging/eventbridge_rules.py +460 -0
complio/tests_library/logging/guardduty_enabled.py +436 -0
complio/tests_library/logging/security_hub_enabled.py +416 -0
complio/tests_library/logging/sns_encryption.py +273 -0
complio/tests_library/network/__init__.py +0 -0
complio/tests_library/network/alb_nlb_security.py +421 -0
complio/tests_library/network/api_gateway_security.py +452 -0
complio/tests_library/network/cloudfront_https.py +332 -0
complio/tests_library/network/direct_connect_security.py +343 -0
complio/tests_library/network/nacl_configuration.py +367 -0
complio/tests_library/network/network_firewall.py +355 -0
complio/tests_library/network/transit_gateway_security.py +318 -0
complio/tests_library/network/vpc_endpoints_security.py +339 -0
complio/tests_library/network/vpn_security.py +333 -0
complio/tests_library/network/waf_configuration.py +428 -0
complio/tests_library/security/__init__.py +0 -0
complio/tests_library/security/kms_key_rotation.py +314 -0
complio/tests_library/storage/__init__.py +0 -0
complio/tests_library/storage/backup_encryption.py +288 -0
complio/tests_library/storage/dynamodb_encryption.py +280 -0
complio/tests_library/storage/efs_encryption.py +257 -0
complio/tests_library/storage/elasticache_encryption.py +370 -0
complio/tests_library/storage/redshift_encryption.py +252 -0
complio/tests_library/storage/s3_versioning.py +264 -0
complio/utils/__init__.py +26 -0
complio/utils/errors.py +179 -0
complio/utils/exceptions.py +151 -0
complio/utils/history.py +243 -0
complio/utils/logger.py +391 -0
complio-0.1.1.dist-info/METADATA +385 -0
complio-0.1.1.dist-info/RECORD +79 -0
complio-0.1.1.dist-info/WHEEL +4 -0
complio-0.1.1.dist-info/entry_points.txt +3 -0

complio/tests_library/identity/access_key_rotation.py ADDED Viewed

@@ -0,0 +1,302 @@
+"""
+IAM access key rotation compliance test.
+Checks that all IAM access keys are rotated regularly (< 90 days).
+ISO 27001 Control: A.8.5 - Access control
+Requirement: Access credentials must be rotated regularly
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.identity.access_key_rotation import AccessKeyRotationTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = AccessKeyRotationTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+from datetime import datetime, timezone
+from typing import Any, Dict
+from botocore.exceptions import ClientError
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+class AccessKeyRotationTest(ComplianceTest):
+    """Test for IAM access key rotation compliance.
+    Verifies that all IAM access keys are rotated regularly.
+    Keys older than 90 days are flagged.
+    Compliance Requirements:
+        - Access keys should be < 90 days old (COMPLIANT)
+        - Access keys 90-180 days old (MEDIUM severity)
+        - Access keys > 180 days old (HIGH severity)
+    Scoring:
+        - 100% if all keys are < 90 days old
+        - Proportional score based on compliant/total ratio
+        - 0% if no keys are compliant
+    Example:
+        >>> test = AccessKeyRotationTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize access key rotation test.
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="access_key_rotation",
+            test_name="IAM Access Key Rotation Check",
+            description="Verify all IAM access keys are rotated regularly (< 90 days)",
+            control_id="A.8.5",
+            connector=connector,
+            scope="global",
+        )
+    def execute(self) -> TestResult:
+        """Execute access key rotation compliance test.
+        Returns:
+            TestResult with findings for old access keys
+        Example:
+            >>> test = AccessKeyRotationTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            85.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+        try:
+            # Get IAM client
+            iam_client = self.connector.get_client("iam")
+            # List all users
+            self.logger.info("listing_iam_users")
+            users = []
+            paginator = iam_client.get_paginator("list_users")
+            for page in paginator.paginate():
+                users.extend(page.get("Users", []))
+            if not users:
+                self.logger.info("no_iam_users_found")
+                result.metadata["message"] = "No IAM users found in account"
+                return result
+            self.logger.info("iam_users_found", count=len(users))
+            # Check access keys for each user
+            total_keys = 0
+            compliant_keys = 0
+            now = datetime.now(timezone.utc)
+            for user in users:
+                user_name = user["UserName"]
+                # List access keys for user
+                try:
+                    keys_response = iam_client.list_access_keys(UserName=user_name)
+                    access_keys = keys_response.get("AccessKeyMetadata", [])
+                    for access_key in access_keys:
+                        access_key_id = access_key["AccessKeyId"]
+                        create_date = access_key["CreateDate"]
+                        status = access_key["Status"]
+                        # Skip inactive keys
+                        if status != "Active":
+                            self.logger.debug("skipping_inactive_key", access_key_id=access_key_id, user=user_name)
+                            continue
+                        total_keys += 1
+                        result.resources_scanned += 1
+                        # Calculate age
+                        age_delta = now - create_date
+                        age_days = age_delta.days
+                        # Determine severity based on age
+                        if age_days <= 90:
+                            compliant = True
+                            severity = None
+                        elif age_days <= 180:
+                            compliant = False
+                            severity = Severity.MEDIUM
+                        else:
+                            compliant = False
+                            severity = Severity.HIGH
+                        # Create evidence
+                        evidence = self.create_evidence(
+                            resource_id=access_key_id,
+                            resource_type="iam_access_key",
+                            data={
+                                "access_key_id": access_key_id,
+                                "user_name": user_name,
+                                "create_date": create_date.isoformat(),
+                                "age_days": age_days,
+                                "status": status,
+                                "compliant": compliant,
+                            }
+                        )
+                        result.add_evidence(evidence)
+                        if compliant:
+                            compliant_keys += 1
+                            self.logger.debug(
+                                "access_key_compliant",
+                                access_key_id=access_key_id,
+                                user=user_name,
+                                age_days=age_days
+                            )
+                        else:
+                            # Create finding for old access key
+                            finding = self.create_finding(
+                                resource_id=access_key_id,
+                                resource_type="iam_access_key",
+                                severity=severity,
+                                title=f"IAM access key not rotated ({age_days} days old)",
+                                description=f"Access key '{access_key_id}' for user '{user_name}' is {age_days} days old. "
+                                            f"Keys should be rotated every 90 days. This key has not been rotated in "
+                                            f"{age_days // 30} months. Old credentials increase the risk of unauthorized access. "
+                                            "ISO 27001 A.8.5 requires regular rotation of access credentials.",
+                                remediation=(
+                                    f"Rotate access key for user '{user_name}':\n\n"
+                                    "1. Create a new access key:\n"
+                                    f"   aws iam create-access-key --user-name {user_name}\n\n"
+                                    "2. Update all applications/services using the old key\n"
+                                    "   with the new access key ID and secret access key\n\n"
+                                    "3. Test that applications work with the new key\n\n"
+                                    "4. Deactivate the old key (don't delete yet):\n"
+                                    f"   aws iam update-access-key --user-name {user_name} \\\n"
+                                    f"     --access-key-id {access_key_id} --status Inactive\n\n"
+                                    "5. Monitor for a few days to ensure no errors\n\n"
+                                    "6. Delete the old key:\n"
+                                    f"   aws iam delete-access-key --user-name {user_name} \\\n"
+                                    f"     --access-key-id {access_key_id}\n\n"
+                                    "Or use AWS Console:\n"
+                                    "1. Go to IAM → Users\n"
+                                    f"2. Select user '{user_name}'\n"
+                                    "3. Go to 'Security credentials' tab\n"
+                                    "4. Click 'Create access key'\n"
+                                    "5. Update applications with new key\n"
+                                    f"6. Deactivate and delete old key '{access_key_id}'\n\n"
+                                    "Best practice: Rotate keys every 90 days."
+                                ),
+                                evidence=evidence
+                            )
+                            result.add_finding(finding)
+                            self.logger.warning(
+                                "access_key_rotation_overdue",
+                                access_key_id=access_key_id,
+                                user=user_name,
+                                age_days=age_days,
+                                severity=severity.value
+                            )
+                except ClientError as e:
+                    error_code = e.response.get("Error", {}).get("Code")
+                    self.logger.warning(
+                        "user_access_keys_list_error",
+                        user=user_name,
+                        error_code=error_code
+                    )
+                    continue
+            if total_keys == 0:
+                self.logger.info("no_active_access_keys_found")
+                result.metadata["message"] = "No active IAM access keys found in account"
+                return result
+            # Calculate compliance score
+            result.score = (compliant_keys / total_keys) * 100
+            # Determine pass/fail
+            result.passed = compliant_keys == total_keys
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+            # Add metadata
+            result.metadata = {
+                "total_users": len(users),
+                "total_active_keys": total_keys,
+                "compliant_keys": compliant_keys,
+                "non_compliant_keys": total_keys - compliant_keys,
+                "compliance_percentage": result.score,
+            }
+            self.logger.info(
+                "access_key_rotation_test_completed",
+                total_keys=total_keys,
+                compliant=compliant_keys,
+                score=result.score,
+                passed=result.passed
+            )
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("access_key_rotation_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+        except Exception as e:
+            self.logger.error("access_key_rotation_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+        return result
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+def run_access_key_rotation_test(connector: AWSConnector) -> TestResult:
+    """Run IAM access key rotation compliance test.
+    Convenience function for running the test.
+    Args:
+        connector: AWS connector
+    Returns:
+        TestResult
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_access_key_rotation_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = AccessKeyRotationTest(connector)
+    return test.execute()

complio/tests_library/identity/mfa_enforcement.py ADDED Viewed

@@ -0,0 +1,327 @@
+"""
+MFA enforcement compliance test.
+Checks that all IAM users have MFA (Multi-Factor Authentication) enabled.
+ISO 27001 Control: A.8.5 - Access control
+Requirement: Multi-factor authentication for user access
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.identity.mfa_enforcement import MFAEnforcementTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = MFAEnforcementTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+import csv
+import io
+import time
+from typing import Any, Dict
+from botocore.exceptions import ClientError
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+class MFAEnforcementTest(ComplianceTest):
+    """Test for MFA enforcement compliance.
+    Verifies that all IAM users have MFA enabled by parsing the
+    IAM credential report.
+    Compliance Requirements:
+        - All IAM users must have MFA enabled
+        - Users without MFA are vulnerable to credential compromise
+        - Password-based access requires MFA protection
+    Scoring:
+        - 100% if all users have MFA enabled
+        - Proportional score based on MFA-enabled/total ratio
+        - 0% if no users have MFA enabled
+    Example:
+        >>> test = MFAEnforcementTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize MFA enforcement test.
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="mfa_enforcement",
+            test_name="IAM MFA Enforcement Check",
+            description="Verify all IAM users have MFA (Multi-Factor Authentication) enabled",
+            control_id="A.8.5",
+            connector=connector,
+            scope="global",
+        )
+    def execute(self) -> TestResult:
+        """Execute MFA enforcement compliance test.
+        Returns:
+            TestResult with findings for users without MFA
+        Example:
+            >>> test = MFAEnforcementTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            92.5
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+        try:
+            # Get IAM client
+            iam_client = self.connector.get_client("iam")
+            # Generate credential report (may need to wait)
+            self.logger.info("generating_credential_report")
+            report_ready = self._generate_credential_report(iam_client)
+            if not report_ready:
+                self.logger.error("credential_report_generation_failed")
+                result.status = TestStatus.ERROR
+                result.passed = False
+                result.score = 0.0
+                result.error_message = "Failed to generate IAM credential report after retries"
+                return result
+            # Get credential report
+            self.logger.info("retrieving_credential_report")
+            report_response = iam_client.get_credential_report()
+            report_content = report_response["Content"]
+            # Parse CSV report
+            report_csv = report_content.decode("utf-8")
+            csv_reader = csv.DictReader(io.StringIO(report_csv))
+            users_with_mfa = 0
+            total_users = 0
+            root_user_checked = False
+            for row in csv_reader:
+                user_name = row.get("user", "")
+                # Skip root account (checked in separate test)
+                if user_name == "<root_account>":
+                    root_user_checked = True
+                    continue
+                # Check if user has console access (password enabled)
+                password_enabled = row.get("password_enabled", "false") == "true"
+                # If no console password, MFA is not required
+                if not password_enabled:
+                    self.logger.debug("user_no_console_access", user=user_name)
+                    continue
+                total_users += 1
+                result.resources_scanned += 1
+                # Check MFA status
+                mfa_active = row.get("mfa_active", "false") == "true"
+                # Get user creation date and last login
+                user_creation_time = row.get("user_creation_time", "")
+                password_last_used = row.get("password_last_used", "no_information")
+                # Create evidence
+                evidence = self.create_evidence(
+                    resource_id=user_name,
+                    resource_type="iam_user",
+                    data={
+                        "user_name": user_name,
+                        "mfa_active": mfa_active,
+                        "password_enabled": password_enabled,
+                        "user_creation_time": user_creation_time,
+                        "password_last_used": password_last_used,
+                        "access_key_1_active": row.get("access_key_1_active", "false") == "true",
+                        "access_key_2_active": row.get("access_key_2_active", "false") == "true",
+                    }
+                )
+                result.add_evidence(evidence)
+                if mfa_active:
+                    users_with_mfa += 1
+                    self.logger.debug(
+                        "user_has_mfa",
+                        user=user_name
+                    )
+                else:
+                    # Create finding for user without MFA
+                    finding = self.create_finding(
+                        resource_id=user_name,
+                        resource_type="iam_user",
+                        severity=Severity.HIGH,
+                        title="IAM user does not have MFA enabled",
+                        description=f"IAM user '{user_name}' has console access (password enabled) but does not have "
+                                    "Multi-Factor Authentication (MFA) enabled. This leaves the account vulnerable to "
+                                    "credential compromise through phishing, password leaks, or brute force attacks. "
+                                    f"User was created on {user_creation_time} and last used password on {password_last_used}. "
+                                    "ISO 27001 A.8.5 requires multi-factor authentication for privileged access.",
+                        remediation=(
+                            f"Enable MFA for IAM user '{user_name}':\n\n"
+                            "User must enable MFA themselves:\n"
+                            "1. Sign in to AWS Console as the user\n"
+                            "2. Go to IAM → Users → Your username → Security credentials\n"
+                            "3. Under 'Multi-factor authentication (MFA)', click 'Assign MFA device'\n"
+                            "4. Choose virtual MFA device (Google Authenticator, Authy, etc.)\n"
+                            "5. Scan QR code with authenticator app\n"
+                            "6. Enter two consecutive MFA codes to verify\n\n"
+                            "Administrator can enforce MFA:\n"
+                            "1. Create IAM policy requiring MFA for API calls\n"
+                            "2. Attach policy to users or groups\n"
+                            "3. Set up console login with MFA requirement\n\n"
+                            f"Or use AWS CLI to check MFA devices:\n"
+                            f"aws iam list-mfa-devices --user-name {user_name}\n\n"
+                            "Best practice: Enforce MFA for all users with console access."
+                        ),
+                        evidence=evidence
+                    )
+                    result.add_finding(finding)
+                    self.logger.warning(
+                        "user_without_mfa",
+                        user=user_name,
+                        password_last_used=password_last_used
+                    )
+            if total_users == 0:
+                self.logger.info("no_users_with_console_access")
+                result.metadata["message"] = "No IAM users with console access found"
+                return result
+            # Calculate compliance score
+            result.score = (users_with_mfa / total_users) * 100
+            # Determine pass/fail
+            result.passed = users_with_mfa == total_users
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+            # Add metadata
+            result.metadata = {
+                "total_users_with_console_access": total_users,
+                "users_with_mfa": users_with_mfa,
+                "users_without_mfa": total_users - users_with_mfa,
+                "compliance_percentage": result.score,
+                "root_user_checked": root_user_checked,
+            }
+            self.logger.info(
+                "mfa_enforcement_test_completed",
+                total_users=total_users,
+                with_mfa=users_with_mfa,
+                score=result.score,
+                passed=result.passed
+            )
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("mfa_enforcement_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+        except Exception as e:
+            self.logger.error("mfa_enforcement_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+        return result
+    def _generate_credential_report(self, iam_client: Any, max_retries: int = 3, retry_delay: int = 5) -> bool:
+        """Generate IAM credential report with retry logic.
+        Args:
+            iam_client: Boto3 IAM client
+            max_retries: Maximum number of retries
+            retry_delay: Delay between retries in seconds
+        Returns:
+            True if report is ready, False otherwise
+        """
+        for attempt in range(max_retries):
+            try:
+                response = iam_client.generate_credential_report()
+                state = response.get("State")
+                if state == "COMPLETE":
+                    self.logger.info("credential_report_ready")
+                    return True
+                elif state == "INPROGRESS":
+                    self.logger.info(
+                        "credential_report_generating",
+                        attempt=attempt + 1,
+                        max_retries=max_retries
+                    )
+                    time.sleep(retry_delay)
+                else:
+                    self.logger.warning("credential_report_unexpected_state", state=state)
+                    time.sleep(retry_delay)
+            except ClientError as e:
+                error_code = e.response.get("Error", {}).get("Code")
+                if error_code == "LimitExceededException":
+                    self.logger.warning("credential_report_rate_limited", attempt=attempt + 1)
+                    time.sleep(retry_delay)
+                else:
+                    raise
+        # Final check
+        try:
+            response = iam_client.generate_credential_report()
+            return response.get("State") == "COMPLETE"
+        except Exception:
+            return False
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+def run_mfa_enforcement_test(connector: AWSConnector) -> TestResult:
+    """Run MFA enforcement compliance test.
+    Convenience function for running the test.
+    Args:
+        connector: AWS connector
+    Returns:
+        TestResult
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_mfa_enforcement_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = MFAEnforcementTest(connector)
+    return test.execute()