complio 0.1.1__py3-none-any.whl

complio/tests_library/infrastructure/secrets_manager_encryption.py

@@ -0,0 +1,248 @@
+"""
+Secrets Manager encryption compliance test.
+
+Checks that all secrets use customer-managed KMS keys for encryption.
+
+ISO 27001 Control: A.8.24 - Use of cryptography
+Requirement: Sensitive data must be encrypted with customer-controlled keys
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.infrastructure.secrets_manager_encryption import SecretsManagerEncryptionTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = SecretsManagerEncryptionTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class SecretsManagerEncryptionTest(ComplianceTest):
+    """Test for Secrets Manager encryption compliance.
+
+    Verifies that all secrets use customer-managed KMS keys for encryption
+    rather than the default AWS-managed key.
+
+    Compliance Requirements:
+        - All secrets should use customer-managed KMS keys
+        - AWS-managed keys provide less control over rotation and access
+        - Secrets without custom KMS keys are flagged as medium severity
+
+    Scoring:
+        - 100% if all secrets use customer-managed keys
+        - Proportional score based on compliant/total ratio
+        - 0% if no secrets use customer-managed keys
+
+    Example:
+        >>> test = SecretsManagerEncryptionTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize Secrets Manager encryption test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="secrets_manager_encryption",
+            test_name="Secrets Manager KMS Encryption Check",
+            description="Verify all secrets use customer-managed KMS keys for encryption",
+            control_id="A.8.24",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute Secrets Manager encryption compliance test.
+
+        Returns:
+            TestResult with findings for secrets using AWS-managed keys
+
+        Example:
+            >>> test = SecretsManagerEncryptionTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            85.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get Secrets Manager client
+            sm_client = self.connector.get_client("secretsmanager")
+
+            # List all secrets
+            self.logger.info("listing_secrets")
+            secrets = []
+            paginator = sm_client.get_paginator("list_secrets")
+
+            for page in paginator.paginate():
+                secrets.extend(page.get("SecretList", []))
+
+            if not secrets:
+                self.logger.info("no_secrets_found")
+                result.metadata["message"] = "No secrets found in region"
+                return result
+
+            self.logger.info("secrets_found", count=len(secrets))
+
+            # Check each secret for customer-managed KMS key
+            compliant_count = 0
+            total_count = len(secrets)
+
+            for secret in secrets:
+                secret_name = secret["Name"]
+                secret_arn = secret["ARN"]
+                kms_key_id = secret.get("KmsKeyId")
+                result.resources_scanned += 1
+
+                # Check if using customer-managed key
+                # If KmsKeyId is not present or is alias/aws/secretsmanager, it's using AWS-managed key
+                using_customer_key = (
+                    kms_key_id is not None and
+                    "alias/aws/secretsmanager" not in str(kms_key_id) and
+                    kms_key_id != ""
+                )
+
+                # Create evidence
+                evidence = self.create_evidence(
+                    resource_id=secret_name,
+                    resource_type="secrets_manager_secret",
+                    data={
+                        "secret_name": secret_name,
+                        "secret_arn": secret_arn,
+                        "kms_key_id": kms_key_id,
+                        "using_customer_managed_key": using_customer_key,
+                        "last_changed_date": secret.get("LastChangedDate").isoformat() if secret.get("LastChangedDate") else None,
+                        "last_accessed_date": secret.get("LastAccessedDate").isoformat() if secret.get("LastAccessedDate") else None,
+                    }
+                )
+                result.add_evidence(evidence)
+
+                if using_customer_key:
+                    compliant_count += 1
+                    self.logger.debug(
+                        "secret_using_customer_key",
+                        secret_name=secret_name,
+                        kms_key_id=kms_key_id
+                    )
+                else:
+                    # Create finding for secret using AWS-managed key
+                    finding = self.create_finding(
+                        resource_id=secret_name,
+                        resource_type="secrets_manager_secret",
+                        severity=Severity.MEDIUM,
+                        title="Secret using AWS-managed KMS key",
+                        description=f"Secret '{secret_name}' is using the default AWS-managed KMS key instead of a "
+                                    "customer-managed key. This reduces control over key rotation, access policies, "
+                                    "and audit trails. ISO 27001 A.8.24 recommends customer-controlled encryption keys.",
+                        remediation=(
+                            "Update the secret to use a customer-managed KMS key:\n"
+                            "1. Create a customer-managed KMS key (if not already created):\n"
+                            "   aws kms create-key --description 'Secrets Manager encryption key'\n"
+                            "2. Update the secret to use the customer-managed key:\n"
+                            f"   aws secretsmanager update-secret --secret-id {secret_name} "
+                            "--kms-key-id <your-kms-key-id>\n\n"
+                            "Note: Ensure your IAM roles/users have permission to use the KMS key.\n"
+                            "Add a key policy that allows the Secrets Manager service to use the key."
+                        ),
+                        evidence=evidence
+                    )
+                    result.add_finding(finding)
+
+                    self.logger.warning(
+                        "secret_using_aws_managed_key",
+                        secret_name=secret_name,
+                        kms_key_id=kms_key_id
+                    )
+
+            # Calculate compliance score
+            if total_count > 0:
+                result.score = (compliant_count / total_count) * 100
+
+            # Determine pass/fail
+            result.passed = compliant_count == total_count
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_secrets": total_count,
+                "secrets_with_customer_keys": compliant_count,
+                "secrets_with_aws_managed_keys": total_count - compliant_count,
+                "compliance_percentage": result.score,
+                "region": self.connector.region,
+            }
+
+            self.logger.info(
+                "secrets_manager_encryption_test_completed",
+                total=total_count,
+                compliant=compliant_count,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("secrets_manager_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("secrets_manager_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_secrets_manager_encryption_test(connector: AWSConnector) -> TestResult:
+    """Run Secrets Manager encryption compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_secrets_manager_encryption_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = SecretsManagerEncryptionTest(connector)
+    return test.execute()

complio/tests_library/infrastructure/vpc_flow_logs.py

@@ -0,0 +1,287 @@
+"""
+VPC Flow Logs compliance test.
+
+Checks that all VPCs have flow logs enabled for network traffic monitoring.
+
+ISO 27001 Control: A.8.16 - Monitoring of network traffic
+Requirement: Network traffic must be logged for security monitoring
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.infrastructure.vpc_flow_logs import VPCFlowLogsTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = VPCFlowLogsTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict, List
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class VPCFlowLogsTest(ComplianceTest):
+    """Test for VPC Flow Logs compliance.
+
+    Verifies that all VPCs have flow logs enabled to capture network
+    traffic information for security monitoring and troubleshooting.
+
+    Compliance Requirements:
+        - Each VPC must have at least one flow log configured
+        - Flow logs should capture accepted, rejected, or all traffic
+        - VPCs without flow logs are non-compliant
+
+    Scoring:
+        - 100% if all VPCs have flow logs
+        - Proportional score based on compliant/total ratio
+        - 0% if no VPCs have flow logs
+
+    Example:
+        >>> test = VPCFlowLogsTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize VPC Flow Logs test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="vpc_flow_logs",
+            test_name="VPC Flow Logs Check",
+            description="Verify all VPCs have flow logs enabled for network traffic monitoring",
+            control_id="A.8.16",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute VPC Flow Logs compliance test.
+
+        Returns:
+            TestResult with findings for VPCs without flow logs
+
+        Example:
+            >>> test = VPCFlowLogsTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            80.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get EC2 client
+            ec2_client = self.connector.get_client("ec2")
+
+            # List all VPCs
+            self.logger.info("listing_vpcs")
+            vpcs_response = ec2_client.describe_vpcs()
+            vpcs = vpcs_response.get("Vpcs", [])
+
+            if not vpcs:
+                self.logger.info("no_vpcs_found")
+                result.metadata["message"] = "No VPCs found in region"
+                return result
+
+            self.logger.info("vpcs_found", count=len(vpcs))
+
+            # Get all flow logs in the region
+            self.logger.info("listing_flow_logs")
+            flow_logs_response = ec2_client.describe_flow_logs()
+            flow_logs = flow_logs_response.get("FlowLogs", [])
+
+            # Create a map of VPC ID -> flow logs
+            vpc_flow_logs_map: Dict[str, List[Dict[str, Any]]] = {}
+            for flow_log in flow_logs:
+                resource_id = flow_log.get("ResourceId")
+                if resource_id and resource_id.startswith("vpc-"):
+                    if resource_id not in vpc_flow_logs_map:
+                        vpc_flow_logs_map[resource_id] = []
+                    vpc_flow_logs_map[resource_id].append(flow_log)
+
+            # Check each VPC for flow logs
+            compliant_count = 0
+            total_count = len(vpcs)
+
+            for vpc in vpcs:
+                vpc_id = vpc["VpcId"]
+                is_default = vpc.get("IsDefault", False)
+                cidr_block = vpc.get("CidrBlock", "unknown")
+                result.resources_scanned += 1
+
+                # Get VPC name from tags
+                vpc_name = "unnamed"
+                for tag in vpc.get("Tags", []):
+                    if tag.get("Key") == "Name":
+                        vpc_name = tag.get("Value", "unnamed")
+                        break
+
+                # Check if VPC has flow logs
+                vpc_flow_logs = vpc_flow_logs_map.get(vpc_id, [])
+                has_flow_logs = len(vpc_flow_logs) > 0
+
+                # Create evidence
+                evidence = self.create_evidence(
+                    resource_id=vpc_id,
+                    resource_type="vpc",
+                    data={
+                        "vpc_id": vpc_id,
+                        "vpc_name": vpc_name,
+                        "is_default": is_default,
+                        "cidr_block": cidr_block,
+                        "has_flow_logs": has_flow_logs,
+                        "flow_logs_count": len(vpc_flow_logs),
+                        "flow_logs": [
+                            {
+                                "flow_log_id": fl.get("FlowLogId"),
+                                "traffic_type": fl.get("TrafficType"),
+                                "log_destination_type": fl.get("LogDestinationType"),
+                                "log_destination": fl.get("LogDestination"),
+                                "log_group_name": fl.get("LogGroupName"),
+                            }
+                            for fl in vpc_flow_logs
+                        ] if vpc_flow_logs else [],
+                    }
+                )
+                result.add_evidence(evidence)
+
+                if has_flow_logs:
+                    compliant_count += 1
+                    self.logger.debug(
+                        "vpc_has_flow_logs",
+                        vpc_id=vpc_id,
+                        vpc_name=vpc_name,
+                        flow_logs_count=len(vpc_flow_logs)
+                    )
+                else:
+                    # Create finding for VPC without flow logs
+                    finding = self.create_finding(
+                        resource_id=vpc_id,
+                        resource_type="vpc",
+                        severity=Severity.HIGH,
+                        title="VPC Flow Logs not enabled",
+                        description=f"VPC '{vpc_name}' ({vpc_id}, {cidr_block}) does not have flow logs enabled. "
+                                    "Flow logs capture information about IP traffic going to and from network interfaces. "
+                                    "Without flow logs, network security monitoring and troubleshooting are severely limited. "
+                                    "This violates ISO 27001 A.8.16 requirement for network traffic monitoring.",
+                        remediation=(
+                            f"Enable VPC Flow Logs for VPC '{vpc_id}':\n"
+                            "1. Create a CloudWatch log group (if using CloudWatch Logs):\n"
+                            f"   aws logs create-log-group --log-group-name /aws/vpc/flowlogs/{vpc_id}\n"
+                            "2. Create an IAM role for flow logs:\n"
+                            "   (See AWS documentation for required trust policy and permissions)\n"
+                            "3. Create the flow log:\n"
+                            f"   aws ec2 create-flow-logs --resource-type VPC \\\n"
+                            f"     --resource-ids {vpc_id} \\\n"
+                            "     --traffic-type ALL \\\n"
+                            "     --log-destination-type cloud-watch-logs \\\n"
+                            f"     --log-group-name /aws/vpc/flowlogs/{vpc_id} \\\n"
+                            "     --deliver-logs-permission-arn <iam-role-arn>\n\n"
+                            "Or use AWS Console:\n"
+                            "1. Go to VPC → Your VPCs\n"
+                            f"2. Select VPC '{vpc_id}'\n"
+                            "3. Actions → Create flow log\n"
+                            "4. Configure destination (CloudWatch Logs or S3)\n"
+                            "5. Set traffic type to 'All'\n"
+                            "6. Click Create flow log"
+                        ),
+                        evidence=evidence
+                    )
+                    result.add_finding(finding)
+
+                    self.logger.warning(
+                        "vpc_without_flow_logs",
+                        vpc_id=vpc_id,
+                        vpc_name=vpc_name,
+                        is_default=is_default
+                    )
+
+            # Calculate compliance score
+            if total_count > 0:
+                result.score = (compliant_count / total_count) * 100
+
+            # Determine pass/fail
+            result.passed = compliant_count == total_count
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_vpcs": total_count,
+                "vpcs_with_flow_logs": compliant_count,
+                "vpcs_without_flow_logs": total_count - compliant_count,
+                "total_flow_logs": len(flow_logs),
+                "compliance_percentage": result.score,
+                "region": self.connector.region,
+            }
+
+            self.logger.info(
+                "vpc_flow_logs_test_completed",
+                total=total_count,
+                compliant=compliant_count,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("vpc_flow_logs_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("vpc_flow_logs_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_vpc_flow_logs_test(connector: AWSConnector) -> TestResult:
+    """Run VPC Flow Logs compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_vpc_flow_logs_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = VPCFlowLogsTest(connector)
+    return test.execute()