complio 0.1.1__py3-none-any.whl

complio/tests_library/security/kms_key_rotation.py

@@ -0,0 +1,314 @@
+"""
+KMS key rotation compliance test.
+
+Checks that all customer-managed KMS keys have automatic rotation enabled.
+
+ISO 27001 Control: A.8.24 - Use of cryptography
+Requirement: Cryptographic keys must be rotated regularly
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.security.kms_key_rotation import KMSKeyRotationTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = KMSKeyRotationTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class KMSKeyRotationTest(ComplianceTest):
+    """Test for KMS key rotation compliance.
+
+    Verifies that all customer-managed KMS keys have automatic rotation enabled.
+    AWS-managed keys are automatically rotated and are skipped.
+
+    Compliance Requirements:
+        - Customer-managed keys must have KeyRotationEnabled=True
+        - AWS-managed keys are automatically rotated (not checked)
+        - Keys without rotation enabled are non-compliant
+
+    Scoring:
+        - 100% if all customer-managed keys have rotation enabled
+        - Proportional score based on compliant/total ratio
+        - 0% if no keys have rotation enabled
+
+    Example:
+        >>> test = KMSKeyRotationTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize KMS key rotation test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="kms_key_rotation",
+            test_name="KMS Key Rotation Check",
+            description="Verify all customer-managed KMS keys have automatic rotation enabled",
+            control_id="A.8.24",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute KMS key rotation compliance test.
+
+        Returns:
+            TestResult with findings for keys without rotation
+
+        Example:
+            >>> test = KMSKeyRotationTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            100.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get KMS client
+            kms_client = self.connector.get_client("kms")
+
+            # List all keys
+            self.logger.info("listing_kms_keys")
+            key_ids = []
+
+            # Handle pagination
+            paginator = kms_client.get_paginator("list_keys")
+            for page in paginator.paginate():
+                for key in page.get("Keys", []):
+                    key_ids.append(key["KeyId"])
+
+            if not key_ids:
+                self.logger.info("no_kms_keys_found")
+                result.metadata["message"] = "No KMS keys found in region"
+                return result
+
+            self.logger.info("kms_keys_found", count=len(key_ids))
+
+            # Filter customer-managed keys and check rotation
+            customer_managed_keys = []
+            rotation_enabled_count = 0
+
+            for key_id in key_ids:
+                try:
+                    # Describe key to get metadata
+                    key_metadata_response = kms_client.describe_key(KeyId=key_id)
+                    key_metadata = key_metadata_response.get("KeyMetadata", {})
+
+                    # Skip AWS-managed keys (they are automatically rotated)
+                    key_manager = key_metadata.get("KeyManager")
+                    if key_manager == "AWS":
+                        self.logger.debug("skipping_aws_managed_key", key_id=key_id)
+                        continue
+
+                    # Skip keys that are not enabled
+                    key_state = key_metadata.get("KeyState")
+                    if key_state not in ["Enabled", "Disabled"]:
+                        # Skip keys in PendingDeletion, PendingImport, etc.
+                        self.logger.debug("skipping_key_in_state", key_id=key_id, state=key_state)
+                        continue
+
+                    # This is a customer-managed key
+                    customer_managed_keys.append(key_id)
+                    result.resources_scanned += 1
+
+                    # Get key alias for better reporting
+                    key_alias = "no-alias"
+                    try:
+                        aliases_response = kms_client.list_aliases(KeyId=key_id)
+                        aliases = aliases_response.get("Aliases", [])
+                        if aliases:
+                            key_alias = aliases[0].get("AliasName", "no-alias")
+                    except Exception:
+                        pass
+
+                    # Check rotation status
+                    try:
+                        rotation_response = kms_client.get_key_rotation_status(KeyId=key_id)
+                        rotation_enabled = rotation_response.get("KeyRotationEnabled", False)
+                    except ClientError as e:
+                        error_code = e.response.get("Error", {}).get("Code")
+                        if error_code == "UnsupportedOperationException":
+                            # Asymmetric keys don't support automatic rotation
+                            self.logger.debug("key_rotation_not_supported", key_id=key_id)
+                            rotation_enabled = False
+                        else:
+                            raise
+
+                    # Get key details
+                    key_arn = key_metadata.get("Arn")
+                    creation_date = key_metadata.get("CreationDate")
+                    description = key_metadata.get("Description", "")
+                    key_usage = key_metadata.get("KeyUsage", "unknown")
+                    key_spec = key_metadata.get("KeySpec", "unknown")
+
+                    # Create evidence
+                    evidence = self.create_evidence(
+                        resource_id=key_id,
+                        resource_type="kms_key",
+                        data={
+                            "key_id": key_id,
+                            "key_arn": key_arn,
+                            "key_alias": key_alias,
+                            "rotation_enabled": rotation_enabled,
+                            "key_state": key_state,
+                            "key_manager": key_manager,
+                            "key_usage": key_usage,
+                            "key_spec": key_spec,
+                            "description": description,
+                            "creation_date": creation_date.isoformat() if creation_date else None,
+                        }
+                    )
+                    result.add_evidence(evidence)
+
+                    if rotation_enabled:
+                        rotation_enabled_count += 1
+                        self.logger.debug(
+                            "kms_key_rotation_enabled",
+                            key_id=key_id,
+                            key_alias=key_alias
+                        )
+                    else:
+                        # Create finding for key without rotation
+                        finding = self.create_finding(
+                            resource_id=key_id,
+                            resource_type="kms_key",
+                            severity=Severity.HIGH,
+                            title="KMS key automatic rotation not enabled",
+                            description=f"Customer-managed KMS key '{key_alias}' ({key_id}) does not have "
+                                        f"automatic rotation enabled. Key is {key_state.lower()} and used for {key_usage}. "
+                                        "Without rotation, compromised keys remain valid indefinitely. "
+                                        "ISO 27001 A.8.24 requires regular key rotation to minimize risk.",
+                            remediation=(
+                                f"Enable automatic key rotation for KMS key '{key_id}':\n\n"
+                                "Using AWS CLI:\n"
+                                f"aws kms enable-key-rotation --key-id {key_id}\n\n"
+                                "Or use AWS Console:\n"
+                                "1. Go to AWS KMS → Customer managed keys\n"
+                                f"2. Select key '{key_alias}' ({key_id})\n"
+                                "3. Go to 'Key rotation' tab\n"
+                                "4. Enable 'Automatic key rotation'\n"
+                                "5. Click 'Save'\n\n"
+                                "Note: KMS automatically rotates the key material every year.\n"
+                                "Existing ciphertext can still be decrypted with old key material.\n"
+                                "Asymmetric keys do not support automatic rotation."
+                            ),
+                            evidence=evidence
+                        )
+                        result.add_finding(finding)
+
+                        self.logger.warning(
+                            "kms_key_rotation_disabled",
+                            key_id=key_id,
+                            key_alias=key_alias,
+                            key_state=key_state
+                        )
+
+                except ClientError as e:
+                    error_code = e.response.get("Error", {}).get("Code")
+                    if error_code in ["AccessDeniedException", "NotFoundException"]:
+                        self.logger.warning("key_access_denied", key_id=key_id, error_code=error_code)
+                        continue
+                    else:
+                        raise
+
+            total_customer_keys = len(customer_managed_keys)
+
+            if total_customer_keys == 0:
+                self.logger.info("no_customer_managed_keys_found")
+                result.metadata["message"] = "No customer-managed KMS keys found in region"
+                return result
+
+            # Calculate compliance score
+            result.score = (rotation_enabled_count / total_customer_keys) * 100
+
+            # Determine pass/fail
+            result.passed = rotation_enabled_count == total_customer_keys
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_keys_scanned": len(key_ids),
+                "customer_managed_keys": total_customer_keys,
+                "rotation_enabled": rotation_enabled_count,
+                "rotation_disabled": total_customer_keys - rotation_enabled_count,
+                "compliance_percentage": result.score,
+                "region": self.connector.region,
+            }
+
+            self.logger.info(
+                "kms_key_rotation_test_completed",
+                total_customer_keys=total_customer_keys,
+                rotation_enabled=rotation_enabled_count,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("kms_key_rotation_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("kms_key_rotation_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_kms_key_rotation_test(connector: AWSConnector) -> TestResult:
+    """Run KMS key rotation compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_kms_key_rotation_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = KMSKeyRotationTest(connector)
+    return test.execute()

complio/tests_library/storage/backup_encryption.py

@@ -0,0 +1,288 @@
+"""
+AWS Backup encryption compliance test.
+
+Checks that all AWS Backup recovery points use encryption.
+
+ISO 27001 Control: A.8.24 - Use of cryptography
+Requirement: Backup data must be encrypted at rest
+
+Example:
+    >>> from complio.connectors.aws.client import AWSConnector
+    >>> from complio.tests_library.storage.backup_encryption import BackupEncryptionTest
+    >>>
+    >>> connector = AWSConnector("production", "us-east-1")
+    >>> connector.connect()
+    >>>
+    >>> test = BackupEncryptionTest(connector)
+    >>> result = test.run()
+    >>> print(f"Passed: {result.passed}, Score: {result.score}")
+"""
+
+from typing import Any, Dict
+
+from botocore.exceptions import ClientError
+
+from complio.connectors.aws.client import AWSConnector
+from complio.tests_library.base import (
+    ComplianceTest,
+    Severity,
+    TestResult,
+    TestStatus,
+)
+
+
+class BackupEncryptionTest(ComplianceTest):
+    """Test for AWS Backup encryption compliance.
+
+    Verifies that all AWS Backup recovery points use encryption to protect
+    backup data at rest.
+
+    Compliance Requirements:
+        - All backup recovery points must be encrypted
+        - Encryption protects backup data from unauthorized access
+        - Applies to all supported AWS resources (EC2, RDS, EBS, EFS, DynamoDB, etc.)
+
+    Scoring:
+        - 100% if all recovery points are encrypted
+        - Proportional score based on compliant/total ratio
+        - 100% if no recovery points exist (no backups configured)
+
+    Example:
+        >>> test = BackupEncryptionTest(connector)
+        >>> result = test.execute()
+        >>> for finding in result.findings:
+        ...     print(f"{finding.resource_id}: {finding.title}")
+    """
+
+    def __init__(self, connector: AWSConnector) -> None:
+        """Initialize AWS Backup encryption test.
+
+        Args:
+            connector: AWS connector instance
+        """
+        super().__init__(
+            test_id="backup_encryption",
+            test_name="AWS Backup Encryption Check",
+            description="Verify all AWS Backup recovery points are encrypted",
+            control_id="A.8.24",
+            connector=connector,
+            scope="regional",
+        )
+
+    def execute(self) -> TestResult:
+        """Execute AWS Backup encryption compliance test.
+
+        Returns:
+            TestResult with findings for unencrypted recovery points
+
+        Example:
+            >>> test = BackupEncryptionTest(connector)
+            >>> result = test.execute()
+            >>> print(result.score)
+            100.0
+        """
+        result = TestResult(
+            test_id=self.test_id,
+            test_name=self.test_name,
+            status=TestStatus.PASSED,
+            passed=True,
+            score=100.0,
+        )
+
+        try:
+            # Get Backup client
+            backup_client = self.connector.get_client("backup")
+
+            # List all backup vaults
+            self.logger.info("listing_backup_vaults")
+            vaults_response = backup_client.list_backup_vaults()
+            vaults = vaults_response.get("BackupVaultList", [])
+
+            if not vaults:
+                self.logger.info("no_backup_vaults_found")
+                result.metadata["message"] = "No AWS Backup vaults found in region"
+                return result
+
+            self.logger.info("backup_vaults_found", count=len(vaults))
+
+            # Track recovery points across all vaults
+            total_recovery_points = 0
+            encrypted_recovery_points = 0
+
+            # Check recovery points in each vault
+            for vault in vaults:
+                vault_name = vault["BackupVaultName"]
+
+                try:
+                    # List recovery points in vault
+                    paginator = backup_client.get_paginator("list_recovery_points_by_backup_vault")
+
+                    for page in paginator.paginate(BackupVaultName=vault_name):
+                        recovery_points = page.get("RecoveryPoints", [])
+
+                        for recovery_point in recovery_points:
+                            recovery_point_arn = recovery_point.get("RecoveryPointArn")
+                            resource_arn = recovery_point.get("ResourceArn")
+                            resource_type = recovery_point.get("ResourceType")
+                            is_encrypted = recovery_point.get("IsEncrypted", False)
+                            creation_date = recovery_point.get("CreationDate")
+                            status = recovery_point.get("Status")
+
+                            # Only check completed recovery points
+                            if status != "COMPLETED":
+                                continue
+
+                            total_recovery_points += 1
+                            result.resources_scanned += 1
+
+                            # Create evidence
+                            evidence = self.create_evidence(
+                                resource_id=recovery_point_arn,
+                                resource_type="backup_recovery_point",
+                                data={
+                                    "recovery_point_arn": recovery_point_arn,
+                                    "resource_arn": resource_arn,
+                                    "resource_type": resource_type,
+                                    "is_encrypted": is_encrypted,
+                                    "backup_vault_name": vault_name,
+                                    "creation_date": creation_date.isoformat() if creation_date else None,
+                                    "status": status,
+                                }
+                            )
+                            result.add_evidence(evidence)
+
+                            if is_encrypted:
+                                encrypted_recovery_points += 1
+                                self.logger.debug(
+                                    "recovery_point_encrypted",
+                                    recovery_point_arn=recovery_point_arn,
+                                    resource_type=resource_type
+                                )
+                            else:
+                                # Create finding for unencrypted recovery point
+                                finding = self.create_finding(
+                                    resource_id=recovery_point_arn,
+                                    resource_type="backup_recovery_point",
+                                    severity=Severity.HIGH,
+                                    title="AWS Backup recovery point not encrypted",
+                                    description=f"Backup recovery point for resource '{resource_arn}' "
+                                                f"(type: {resource_type}) in vault '{vault_name}' is not encrypted. "
+                                                "Unencrypted backups expose sensitive data to unauthorized access. "
+                                                "All backup data must be encrypted at rest to comply with "
+                                                "ISO 27001 A.8.24 cryptographic controls.",
+                                    remediation=(
+                                        "AWS Backup automatically encrypts recovery points based on the source resource encryption:\n\n"
+                                        "1. Enable encryption on source resources BEFORE backing them up:\n"
+                                        "   - EBS volumes: Enable encryption\n"
+                                        "   - RDS instances: Enable storage encryption\n"
+                        "   - EFS file systems: Enable encryption at rest\n"
+                                        "   - DynamoDB tables: Enable encryption\n"
+                                        "   - S3 buckets: Enable default encryption\n\n"
+                                        "2. Delete existing unencrypted recovery points:\n"
+                                        f"   aws backup delete-recovery-point \\\n"
+                                        f"     --backup-vault-name {vault_name} \\\n"
+                                        f"     --recovery-point-arn {recovery_point_arn}\n\n"
+                                        "3. Create new backup after encrypting source resource:\n"
+                                        "   aws backup start-backup-job \\\n"
+                                        f"     --backup-vault-name {vault_name} \\\n"
+                                        f"     --resource-arn {resource_arn} \\\n"
+                                        "     --iam-role-arn <backup-role-arn>\n\n"
+                                        "Note: You cannot encrypt existing recovery points in-place. "
+                                        "You must encrypt the source resource and create new backups."
+                                    ),
+                                    evidence=evidence
+                                )
+                                result.add_finding(finding)
+
+                                self.logger.warning(
+                                    "recovery_point_not_encrypted",
+                                    recovery_point_arn=recovery_point_arn,
+                                    resource_type=resource_type,
+                                    vault=vault_name
+                                )
+
+                except ClientError as e:
+                    error_code = e.response.get("Error", {}).get("Code")
+                    if error_code in ["ResourceNotFoundException", "AccessDeniedException"]:
+                        self.logger.warning(
+                            "backup_vault_access_error",
+                            vault=vault_name,
+                            error_code=error_code
+                        )
+                        continue
+                    else:
+                        raise
+
+            # Handle case where no recovery points exist
+            if total_recovery_points == 0:
+                self.logger.info("no_recovery_points_found")
+                result.metadata["message"] = "No completed recovery points found in any backup vault"
+                return result
+
+            # Calculate compliance score
+            result.score = (encrypted_recovery_points / total_recovery_points) * 100
+
+            # Determine pass/fail
+            result.passed = encrypted_recovery_points == total_recovery_points
+            result.status = TestStatus.PASSED if result.passed else TestStatus.FAILED
+
+            # Add metadata
+            result.metadata = {
+                "total_vaults": len(vaults),
+                "total_recovery_points": total_recovery_points,
+                "encrypted_recovery_points": encrypted_recovery_points,
+                "unencrypted_recovery_points": total_recovery_points - encrypted_recovery_points,
+                "compliance_percentage": result.score,
+            }
+
+            self.logger.info(
+                "backup_encryption_test_completed",
+                total_recovery_points=total_recovery_points,
+                encrypted=encrypted_recovery_points,
+                score=result.score,
+                passed=result.passed
+            )
+
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code")
+            self.logger.error("backup_encryption_test_error", error_code=error_code, error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = f"AWS API Error: {error_code} - {str(e)}"
+
+        except Exception as e:
+            self.logger.error("backup_encryption_test_error", error=str(e))
+            result.status = TestStatus.ERROR
+            result.passed = False
+            result.score = 0.0
+            result.error_message = str(e)
+
+        return result
+
+
+# ============================================================================
+# CONVENIENCE FUNCTION
+# ============================================================================
+
+
+def run_backup_encryption_test(connector: AWSConnector) -> TestResult:
+    """Run AWS Backup encryption compliance test.
+
+    Convenience function for running the test.
+
+    Args:
+        connector: AWS connector
+
+    Returns:
+        TestResult
+
+    Example:
+        >>> from complio.connectors.aws.client import AWSConnector
+        >>> connector = AWSConnector("production", "us-east-1")
+        >>> connector.connect()
+        >>> result = run_backup_encryption_test(connector)
+        >>> print(f"Score: {result.score}%")
+    """
+    test = BackupEncryptionTest(connector)
+    return test.execute()