complio 0.1.1__py3-none-any.whl

complio/tests_library/logging/cloudwatch_alarms.py

@@ -0,0 +1,354 @@
+"""
+CloudWatch Alarms compliance test.
+
+Checks that critical CloudWatch alarms are configured for monitoring.
+
+ISO 27001 Control: A.8.16 - Monitoring activities
+Requirement: Critical resources should have monitoring alarms configured
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.logging.cloudwatch_alarms import CloudWatchAlarmsTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = CloudWatchAlarmsTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict, List
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class CloudWatchAlarmsTest(ComplianceTest):
+    """Test for CloudWatch Alarms compliance.
+
+    Verifies that critical CloudWatch alarms are configured:
+    - Alarms should be in OK or ALARM state (not INSUFFICIENT_DATA for long)
+    - Alarms should have actions configured (SNS notifications)
+    - Critical metrics should have alarms (EC2, RDS, Lambda, etc.)
+
+    Compliance Requirements:
+        - Alarms configured for critical resources
+        - Actions configured (SNS topics for notifications)
+        - Alarms in actionable states (not stuck in INSUFFICIENT_DATA)
+
+    Scoring:
+        - Based on alarm configuration and health
+        - Checks for presence of critical alarms
+        - Validates alarm actions are configured
+
+    Example:
+        >>> test = CloudWatchAlarmsTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize CloudWatch Alarms test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="cloudwatch_alarms",
+            test_name="CloudWatch Alarms Check",
+            description="Verify critical CloudWatch alarms are configured for monitoring",
+            control_id="A.8.16",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute CloudWatch Alarms compliance test.
+
+        Returns:
+            TestResult with findings for missing or misconfigured alarms
+
+        Example:
+            >>> test = CloudWatchAlarmsTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            85.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get CloudWatch client
+            cloudwatch_client = self.connector.get_client("cloudwatch")
+
+            # List all metric alarms
+            self.logger.info("listing_cloudwatch_alarms")
+            alarms = []
+
+            paginator = cloudwatch_client.get_paginator("describe_alarms")
+            for page in paginator.paginate():
+                metric_alarms = page.get("MetricAlarms", [])
+                alarms.extend(metric_alarms)
+
+            if not alarms:
+                self.logger.info("no_cloudwatch_alarms_found")
+                result.metadata["message"] = "No CloudWatch alarms found (consider creating alarms for critical resources)"
+                result.metadata["recommendation"] = "Create alarms for EC2, RDS, Lambda, and other critical resources"
+                # Not a hard failure, but should be monitored
+                result.score = 50.0  # Partial score for having no alarms
+                result.passed = False
+                result.status = TestStatus.FAILED
+                return result
+
+            self.logger.info("cloudwatch_alarms_found", count=len(alarms))
+
+            # Analyze alarm configurations
+            properly_configured_count = 0
+            alarms_without_actions = 0
+            alarms_insufficient_data = 0
+
+            for alarm in alarms:
+                alarm_name = alarm.get("AlarmName", "")
+                alarm_arn = alarm.get("AlarmArn", "")
+                state_value = alarm.get("StateValue", "")
+                actions_enabled = alarm.get("ActionsEnabled", False)
+                alarm_actions = alarm.get("AlarmActions", [])
+                metric_name = alarm.get("MetricName", "")
+                namespace = alarm.get("Namespace", "")
+
+                result.resources_scanned += 1
+
+                # Determine issues
+                issues = []
+                severity = Severity.MEDIUM
+
+                # Check if alarm has actions configured
+                if actions_enabled and len(alarm_actions) == 0:
+                    issues.append("Alarm has actions enabled but no actions configured")
+                    alarms_without_actions += 1
+                    severity = Severity.MEDIUM
+
+                if not actions_enabled:
+                    issues.append("Alarm actions are disabled")
+                    alarms_without_actions += 1
+                    severity = Severity.MEDIUM
+
+                # Check alarm state
+                if state_value == "INSUFFICIENT_DATA":
+                    issues.append("Alarm in INSUFFICIENT_DATA state (may indicate misconfiguration)")
+                    alarms_insufficient_data += 1
+                    severity = Severity.LOW
+
+                # Create evidence
+                evidence = self.create_evidence(
+                    resource_id=alarm_arn,
+                    resource_type="cloudwatch_alarm",
+                    data={
+                        "alarm_name": alarm_name,
+                        "alarm_arn": alarm_arn,
+                        "state_value": state_value,
+                        "actions_enabled": actions_enabled,
+                        "alarm_actions_count": len(alarm_actions),
+                        "metric_name": metric_name,
+                        "namespace": namespace,
+                        "has_issues": len(issues) > 0,
+                        "issues": issues,
+                    }
+                )
+                result.add_evidence(evidence)
+
+                if len(issues) == 0:
+                    properly_configured_count += 1
+                    self.logger.debug(
+                        "alarm_properly_configured",
+                        alarm_name=alarm_name
+                    )
+                else:
+                    # Create finding for misconfigured alarm
+                    finding = self.create_finding(
+                        resource_id=alarm_arn,
+                        resource_type="cloudwatch_alarm",
+                        severity=severity,
+                        title="CloudWatch alarm has configuration issues",
+                        description=f"CloudWatch alarm '{alarm_name}' (monitoring {namespace}/{metric_name}) has "
+                                    f"configuration issues: {'; '.join(issues)}. Alarms should have actions "
+                                    "configured (SNS notifications) and be in actionable states to effectively "
+                                    "monitor resources. ISO 27001 A.8.16 requires monitoring of system activities.",
+                        remediation=(
+                            f"Improve CloudWatch alarm '{alarm_name}' configuration:\n\n"
+                            "1. Enable alarm actions:\n"
+                            f"aws cloudwatch enable-alarm-actions \\\n"
+                            f"  --alarm-names {alarm_name}\n\n"
+                            "2. Configure SNS topic for notifications:\n"
+                            "# Create SNS topic if needed\n"
+                            "aws sns create-topic --name alarm-notifications\n\n"
+                            "# Subscribe email to topic\n"
+                            "aws sns subscribe \\\n"
+                            "  --topic-arn <SNS-TOPIC-ARN> \\\n"
+                            "  --protocol email \\\n"
+                            "  --notification-endpoint your-email@example.com\n\n"
+                            "# Add SNS topic to alarm\n"
+                            f"aws cloudwatch put-metric-alarm \\\n"
+                            f"  --alarm-name {alarm_name} \\\n"
+                            f"  --metric-name {metric_name} \\\n"
+                            f"  --namespace {namespace} \\\n"
+                            "  --statistic Average \\\n"
+                            "  --period 300 \\\n"
+                            "  --evaluation-periods 2 \\\n"
+                            "  --threshold 80 \\\n"
+                            "  --comparison-operator GreaterThanThreshold \\\n"
+                            "  --alarm-actions <SNS-TOPIC-ARN> \\\n"
+                            "  --ok-actions <SNS-TOPIC-ARN> \\\n"
+                            "  --insufficient-data-actions <SNS-TOPIC-ARN>\n\n"
+                            "3. Fix INSUFFICIENT_DATA state:\n"
+                            "# Check if metric is publishing data\n"
+                            f"aws cloudwatch get-metric-statistics \\\n"
+                            f"  --namespace {namespace} \\\n"
+                            f"  --metric-name {metric_name} \\\n"
+                            "  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \\\n"
+                            "  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \\\n"
+                            "  --period 300 \\\n"
+                            "  --statistics Average\n\n"
+                            "# Adjust alarm configuration if needed:\n"
+                            "- Increase evaluation periods\n"
+                            "- Adjust metric dimensions\n"
+                            "- Verify resource is active and publishing metrics\n\n"
+                            "Or use AWS Console:\n"
+                            "1. Go to CloudWatch console → Alarms\n"
+                            f"2. Select alarm '{alarm_name}'\n"
+                            "3. Click 'Actions' → 'Edit'\n"
+                            "4. Configure notification:\n"
+                            "   - Send notification to: Select or create SNS topic\n"
+                            "   - Add email/SMS endpoints to SNS topic\n"
+                            "5. Verify 'Enable actions' is checked\n"
+                            "6. Configure actions for:\n"
+                            "   - In alarm\n"
+                            "   - OK\n"
+                            "   - Insufficient data\n"
+                            "7. Save changes\n\n"
+                            "Critical alarms to configure:\n"
+                            "EC2 Instances:\n"
+                            "- CPUUtilization > 80%\n"
+                            "- StatusCheckFailed (system + instance)\n"
+                            "- DiskReadOps/WriteOps (high I/O)\n\n"
+                            "RDS Databases:\n"
+                            "- CPUUtilization > 80%\n"
+                            "- FreeableMemory < 1GB\n"
+                            "- DatabaseConnections > 80% of max\n"
+                            "- ReadLatency/WriteLatency\n\n"
+                            "Lambda Functions:\n"
+                            "- Errors > 0\n"
+                            "- Duration > threshold\n"
+                            "- Throttles > 0\n"
+                            "- ConcurrentExecutions near limit\n\n"
+                            "ELB/ALB:\n"
+                            "- UnHealthyHostCount > 0\n"
+                            "- TargetResponseTime\n"
+                            "- HTTPCode_Target_5XX_Count\n\n"
+                            "S3 Buckets:\n"
+                            "- 4xxErrors\n"
+                            "- 5xxErrors\n\n"
+                            "Best practices:\n"
+                            "- Use composite alarms for complex conditions\n"
+                            "- Configure multiple notification channels\n"
+                            "- Set appropriate thresholds based on baselines\n"
+                            "- Use alarm descriptions for runbook links\n"
+                            "- Test alarm notifications regularly\n"
+                            "- Use anomaly detection for dynamic thresholds\n"
+                            "- Create alarms using Infrastructure as Code (Terraform, CloudFormation)\n"
+                            "- Monitor alarm state changes in EventBridge\n"
+                            "- Use alarm actions for auto-remediation (Lambda, Auto Scaling)\n"
+                            "- Tag alarms for organization and cost allocation"
+                        ),
+                        evidence=evidence
+                    )
+                    result.add_finding(finding)
+
+                    self.logger.warning(
+                        "alarm_misconfigured",
+                        alarm_name=alarm_name,
+                        issues=issues
+                    )
+
+            # Calculate compliance score
+            result.score = (properly_configured_count / len(alarms)) * 100
+
+            # Determine pass/fail
+            result.passed = properly_configured_count == len(alarms)
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_alarms": len(alarms),
+                "properly_configured": properly_configured_count,
+                "alarms_without_actions": alarms_without_actions,
+                "alarms_insufficient_data": alarms_insufficient_data,
+                "misconfigured": len(alarms) - properly_configured_count,
+                "compliance_percentage": result.score,
+            }
+
+            self.logger.info(
+                "cloudwatch_alarms_test_completed",
+                total_alarms=len(alarms),
+                properly_configured=properly_configured_count,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("cloudwatch_alarms_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("cloudwatch_alarms_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_cloudwatch_alarms_test(connector: AWSConnector) -> TestResult:
+    """Run CloudWatch Alarms compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_cloudwatch_alarms_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = CloudWatchAlarmsTest(connector)
+    return test.execute()

complio/tests_library/logging/cloudwatch_logs_encryption.py

@@ -0,0 +1,281 @@
+"""
+CloudWatch Logs encryption compliance test.
+
+Checks that all CloudWatch log groups use encryption at rest with KMS.
+
+ISO 27001 Control: A.8.24 - Use of cryptography
+Requirement: Log groups must be encrypted with KMS keys
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.logging.cloudwatch_logs_encryption import CloudWatchLogsEncryptionTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = CloudWatchLogsEncryptionTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class CloudWatchLogsEncryptionTest(ComplianceTest):
+    """Test for CloudWatch Logs encryption compliance.
+
+    Verifies that all CloudWatch log groups use server-side encryption
+    with AWS KMS keys to protect log data at rest.
+
+    Compliance Requirements:
+        - All log groups must have kmsKeyId configured
+        - Encryption protects sensitive log data
+        - Customer-managed KMS keys recommended for audit trail
+
+    Scoring:
+        - 100% if all log groups are encrypted
+        - Proportional score based on compliant/total ratio
+        - 100% if no log groups exist
+
+    Example:
+        >>> test = CloudWatchLogsEncryptionTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize CloudWatch Logs encryption test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="cloudwatch_logs_encryption",
+            test_name="CloudWatch Logs Encryption Check",
+            description="Verify all CloudWatch log groups use encryption at rest with KMS",
+            control_id="A.8.24",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute CloudWatch Logs encryption compliance test.
+
+        Returns:
+            TestResult with findings for unencrypted log groups
+
+        Example:
+            >>> test = CloudWatchLogsEncryptionTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            100.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get CloudWatch Logs client
+            logs_client = self.connector.get_client("logs")
+
+            # List all log groups
+            self.logger.info("listing_log_groups")
+            log_groups = []
+
+            paginator = logs_client.get_paginator("describe_log_groups")
+            for page in paginator.paginate():
+                log_groups.extend(page.get("logGroups", []))
+
+            if not log_groups:
+                self.logger.info("no_log_groups_found")
+                result.metadata["message"] = "No CloudWatch log groups found in region"
+                return result
+
+            self.logger.info("log_groups_found", count=len(log_groups))
+
+            # Check encryption for each log group
+            encrypted_count = 0
+
+            for log_group in log_groups:
+                log_group_name = log_group["logGroupName"]
+                result.resources_scanned += 1
+
+                # Check if KMS key is configured
+                kms_key_id = log_group.get("kmsKeyId")
+                is_encrypted = kms_key_id is not None and kms_key_id != ""
+
+                # Create evidence
+                evidence = self.create_evidence(
+                    resource_id=log_group_name,
+                    resource_type="cloudwatch_log_group",
+                    data={
+                        "log_group_name": log_group_name,
+                        "kms_key_id": kms_key_id,
+                        "is_encrypted": is_encrypted,
+                        "creation_time": log_group.get("creationTime"),
+                        "stored_bytes": log_group.get("storedBytes", 0),
+                        "retention_in_days": log_group.get("retentionInDays"),
+                    }
+                )
+                result.add_evidence(evidence)
+
+                if is_encrypted:
+                    encrypted_count += 1
+                    self.logger.debug(
+                        "log_group_encrypted",
+                        log_group=log_group_name,
+                        kms_key_id=kms_key_id
+                    )
+                else:
+                    # Create finding for unencrypted log group
+                    finding = self.create_finding(
+                        resource_id=log_group_name,
+                        resource_type="cloudwatch_log_group",
+                        severity=Severity.HIGH,
+                        title="CloudWatch log group encryption not enabled",
+                        description=f"CloudWatch log group '{log_group_name}' does not have encryption enabled. "
+                                    "Without encryption, log data is stored unencrypted at rest, potentially "
+                                    "exposing sensitive information such as application logs, system events, "
+                                    "security events, and operational data. CloudWatch Logs encryption with "
+                                    "AWS KMS provides an additional layer of security for sensitive log data. "
+                                    "ISO 27001 A.8.24 requires cryptographic controls for protecting "
+                                    "sensitive information.",
+                        remediation=(
+                            f"Enable encryption for CloudWatch log group:\n\n"
+                            "Note: You cannot add encryption to existing log groups. "
+                            "You must create a new encrypted log group and migrate.\n\n"
+                            "Step 1: Create new encrypted log group:\n"
+                            f"aws logs create-log-group \\\n"
+                            f"  --log-group-name {log_group_name}-encrypted \\\n"
+                            "  --kms-key-id arn:aws:kms:REGION:ACCOUNT:key/KEY-ID\n\n"
+                            "Step 2: Update applications to use new log group\n\n"
+                            "Step 3: Copy retention settings if needed:\n"
+                            f"aws logs put-retention-policy \\\n"
+                            f"  --log-group-name {log_group_name}-encrypted \\\n"
+                            "  --retention-in-days <RETENTION-DAYS>\n\n"
+                            "Step 4: Verify logs are flowing to new group\n\n"
+                            "Step 5: Delete old unencrypted log group:\n"
+                            f"aws logs delete-log-group \\\n"
+                            f"  --log-group-name {log_group_name}\n\n"
+                            "Or use AWS Console:\n"
+                            "1. Go to CloudWatch Logs console\n"
+                            "2. Click 'Create log group'\n"
+                            "3. Enter new log group name\n"
+                            "4. Under 'KMS key', select a customer-managed key\n"
+                            "5. Click 'Create'\n"
+                            "6. Update applications to use new log group\n"
+                            "7. Delete old log group after migration\n\n"
+                            "KMS Key Policy Requirements:\n"
+                            "Ensure the KMS key policy allows CloudWatch Logs:\n"
+                            "{\n"
+                            '  "Sid": "Allow CloudWatch Logs",\n'
+                            '  "Effect": "Allow",\n'
+                            '  "Principal": {\n'
+                            '    "Service": "logs.REGION.amazonaws.com"\n'
+                            '  },\n'
+                            '  "Action": [\n'
+                            '    "kms:Encrypt",\n'
+                            '    "kms:Decrypt",\n'
+                            '    "kms:ReEncrypt*",\n'
+                            '    "kms:GenerateDataKey*",\n'
+                            '    "kms:CreateGrant",\n'
+                            '    "kms:DescribeKey"\n'
+                            '  ],\n'
+                            '  "Resource": "*",\n'
+                            '  "Condition": {\n'
+                            '    "ArnLike": {\n'
+                            f'      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:ACCOUNT:log-group:{log_group_name}*"\n'
+                            '    }\n'
+                            '  }\n'
+                            '}'
+                        ),
+                        evidence=evidence
+                    )
+                    result.add_finding(finding)
+
+                    self.logger.warning(
+                        "log_group_not_encrypted",
+                        log_group=log_group_name
+                    )
+
+            # Calculate compliance score
+            result.score = (encrypted_count / len(log_groups)) * 100
+
+            # Determine pass/fail
+            result.passed = encrypted_count == len(log_groups)
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_log_groups": len(log_groups),
+                "encrypted_log_groups": encrypted_count,
+                "unencrypted_log_groups": len(log_groups) - encrypted_count,
+                "compliance_percentage": result.score,
+            }
+
+            self.logger.info(
+                "cloudwatch_logs_encryption_test_completed",
+                total_log_groups=len(log_groups),
+                encrypted=encrypted_count,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("cloudwatch_logs_encryption_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("cloudwatch_logs_encryption_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_cloudwatch_logs_encryption_test(connector: AWSConnector) -> TestResult:
+    """Run CloudWatch Logs encryption compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_cloudwatch_logs_encryption_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = CloudWatchLogsEncryptionTest(connector)
+    return test.execute()