regscale-cli 6.27.2.0__py3-none-any.whl → 6.28.0.0__py3-none-any.whl

regscale/integrations/commercial/aws/conformance_pack_mappings.py

@@ -0,0 +1,198 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""AWS Config Conformance Pack to Control Mappings."""
+
+import logging
+import re
+from typing import Dict, List, Optional
+
+logger = logging.getLogger("regscale")
+
+# Control ID constants
+CONTROL_IA_2_1 = "IA-2(1)"
+
+# NIST 800-53 R5 Conformance Pack Control Mappings
+# Maps AWS Config rule names to NIST 800-53 R5 control IDs
+NIST_80053_R5_MAPPINGS = {
+    # Access Control (AC) Family
+    "iam-password-policy": ["AC-2", "IA-5"],
+    "iam-user-mfa-enabled": ["AC-2", CONTROL_IA_2_1],
+    "iam-root-access-key-check": ["AC-2", "AC-6"],
+    "iam-user-unused-credentials-check": ["AC-2"],
+    "iam-user-group-membership-check": ["AC-2"],
+    "iam-policy-no-statements-with-admin-access": ["AC-6"],
+    "iam-policy-no-statements-with-full-access": ["AC-6"],
+    "s3-bucket-public-read-prohibited": ["AC-3", "AC-4"],
+    "s3-bucket-public-write-prohibited": ["AC-3", "AC-4"],
+    "ec2-security-group-attached-to-eni": ["AC-4"],
+    "restricted-ssh": ["AC-4", "AC-17"],
+    "restricted-common-ports": ["AC-4"],
+    # Audit and Accountability (AU) Family
+    "cloudtrail-enabled": ["AU-2", "AU-3", "AU-6", "AU-12"],
+    "cloud-trail-cloud-watch-logs-enabled": ["AU-6"],
+    "cloudtrail-log-file-validation-enabled": ["AU-9"],
+    "cloudtrail-encryption-enabled": ["AU-9"],
+    "cloudtrail-s3-dataevents-enabled": ["AU-2"],
+    "multi-region-cloudtrail-enabled": ["AU-2"],
+    "s3-bucket-logging-enabled": ["AU-2"],
+    "rds-logging-enabled": ["AU-2"],
+    "elb-logging-enabled": ["AU-2"],
+    "cloudwatch-alarm-action-check": ["AU-6"],
+    # Configuration Management (CM) Family
+    "ec2-instance-managed-by-systems-manager": ["CM-2", "CM-6"],
+    "ec2-managedinstance-patch-compliance-status-check": ["CM-6", "SI-2"],  # Maps to both CM and SI families
+    "approved-amis-by-tag": ["CM-2"],
+    # Identification and Authentication (IA) Family
+    "mfa-enabled-for-iam-console-access": [CONTROL_IA_2_1],
+    "root-account-mfa-enabled": [CONTROL_IA_2_1],
+    # System and Communications Protection (SC) Family
+    "s3-bucket-ssl-requests-only": ["SC-8", "SC-13"],
+    "alb-http-to-https-redirection-check": ["SC-8"],
+    "elb-tls-https-listeners-only": ["SC-8"],
+    "rds-snapshot-encrypted": ["SC-13"],
+    "encrypted-volumes": ["SC-13"],
+    "s3-bucket-server-side-encryption-enabled": ["SC-13"],
+    "ec2-ebs-encryption-by-default": ["SC-13"],
+    "rds-storage-encrypted": ["SC-13"],
+    "dynamodb-table-encrypted-kms": ["SC-13"],
+    # System and Information Integrity (SI) Family
+    "guardduty-enabled-centralized": ["SI-4"],
+    "securityhub-enabled": ["SI-4"],
+    "access-keys-rotated": ["SI-4"],
+    "vpc-flow-logs-enabled": ["SI-4"],
+    # Risk Assessment (RA) Family
+    "security-account-information-provided": ["RA-5"],
+}
+
+
+def extract_control_ids_from_rule_name(rule_name: str) -> List[str]:
+    """
+    Extract control IDs from AWS Config rule name using pattern matching.
+
+    Supports patterns like:
+    - "ac-2-iam-user-mfa-enabled"
+    - "nist-800-53-r5-ac-2"
+    - "iam-password-policy-ac-2-ia-5"
+
+    :param str rule_name: Config rule name
+    :return: List of extracted control IDs
+    :rtype: List[str]
+    """
+    control_ids = []
+
+    # Pattern for NIST control IDs: AC-2, SI-3(1), etc.
+    pattern = r"\b([A-Z]{2}-\d+(?:\(\d+\))?)\b"
+
+    matches = re.findall(pattern, rule_name.upper())
+    control_ids.extend(matches)
+
+    return list(set(control_ids))  # Remove duplicates
+
+
+def extract_control_ids_from_tags(tags: Dict[str, str]) -> List[str]:
+    """
+    Extract control IDs from AWS Config rule tags.
+
+    Expected tag format:
+    - ControlID=AC-2
+    - ControlID=AC-2,AU-3,SI-2
+    - ControlIDs=AC-2,AU-3
+
+    :param Dict[str, str] tags: Dictionary of tag key-value pairs
+    :return: List of extracted control IDs
+    :rtype: List[str]
+    """
+    control_ids = []
+
+    # Check for ControlID or ControlIDs tags
+    for tag_key in ["ControlID", "ControlIDs", "Control-ID", "Control-IDs"]:
+        if tag_key in tags:
+            tag_value = tags[tag_key]
+            # Split by comma and clean up
+            ids = [cid.strip().upper() for cid in tag_value.split(",") if cid.strip()]
+            control_ids.extend(ids)
+
+    return list(set(control_ids))  # Remove duplicates
+
+
+def get_control_mappings_for_framework(framework: str) -> Dict[str, List[str]]:
+    """
+    Get control mappings for a specific framework.
+
+    :param str framework: Framework name (e.g., "NIST800-53R5")
+    :return: Dictionary mapping rule names to control IDs
+    :rtype: Dict[str, List[str]]
+    """
+    framework_upper = framework.upper().replace("-", "").replace("_", "")
+
+    if "NIST80053" in framework_upper or "NIST800" in framework_upper:
+        return NIST_80053_R5_MAPPINGS
+
+    # Add more framework mappings as needed
+    # elif "PCI" in framework_upper:
+    #     return PCI_DSS_MAPPINGS
+    # elif "CIS" in framework_upper:
+    #     return CIS_MAPPINGS
+
+    logger.warning(f"No built-in control mappings available for framework: {framework}")
+    return {}
+
+
+def map_rule_to_controls(
+    rule_name: str,
+    rule_description: Optional[str] = None,
+    rule_tags: Optional[Dict[str, str]] = None,
+    framework: str = "NIST800-53R5",
+) -> List[str]:
+    """
+    Map an AWS Config rule to control IDs using multiple strategies.
+
+    Priority order:
+    1. Framework-specific mappings (conformance pack)
+    2. Rule tags (ControlID tag)
+    3. Pattern matching in rule name
+    4. Pattern matching in rule description
+
+    :param str rule_name: Config rule name
+    :param Optional[str] rule_description: Config rule description
+    :param Optional[Dict[str, str]] rule_tags: Config rule tags
+    :param str framework: Target framework
+    :return: List of mapped control IDs
+    :rtype: List[str]
+    """
+    control_ids = []
+
+    # Strategy 1: Check framework-specific mappings
+    framework_mappings = get_control_mappings_for_framework(framework)
+    if rule_name in framework_mappings:
+        control_ids.extend(framework_mappings[rule_name])
+        logger.debug(f"Rule '{rule_name}' mapped to controls via framework mappings: {control_ids}")
+
+    # Strategy 2: Check rule tags
+    if rule_tags:
+        tag_control_ids = extract_control_ids_from_tags(rule_tags)
+        if tag_control_ids:
+            control_ids.extend(tag_control_ids)
+            logger.debug(f"Rule '{rule_name}' mapped to controls via tags: {tag_control_ids}")
+
+    # Strategy 3: Pattern matching in rule name
+    if not control_ids:
+        name_control_ids = extract_control_ids_from_rule_name(rule_name)
+        if name_control_ids:
+            control_ids.extend(name_control_ids)
+            logger.debug(f"Rule '{rule_name}' mapped to controls via name pattern: {name_control_ids}")
+
+    # Strategy 4: Pattern matching in rule description
+    if not control_ids and rule_description:
+        desc_control_ids = extract_control_ids_from_rule_name(rule_description)
+        if desc_control_ids:
+            control_ids.extend(desc_control_ids)
+            logger.debug(f"Rule '{rule_name}' mapped to controls via description pattern: {desc_control_ids}")
+
+    # Remove duplicates and sort
+    control_ids = sorted(set(control_ids))
+
+    if not control_ids:
+        logger.debug(f"Rule '{rule_name}' could not be mapped to any controls")
+
+    return control_ids

regscale/integrations/commercial/aws/evidence_generator.py

@@ -0,0 +1,283 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""AWS Evidence Generator for SSP compliance documentation"""
+
+import gzip
+import json
+import logging
+from datetime import datetime, timedelta
+from io import BytesIO
+from typing import List, Optional
+
+from regscale.core.app.api import Api
+from regscale.models.regscale_models.evidence import Evidence
+from regscale.models.regscale_models.evidence_mapping import EvidenceMapping
+from regscale.models.regscale_models.file import File
+
+logger = logging.getLogger("regscale")
+
+
+class AWSEvidenceGenerator:
+    """Generate compliance evidence from AWS security findings"""
+
+    def __init__(self, api: Api, ssp_id: Optional[int] = None):
+        """
+        Initialize evidence generator
+
+        :param Api api: RegScale API instance
+        :param Optional[int] ssp_id: Security Plan ID to link evidence
+        """
+        self.api = api
+        self.ssp_id = ssp_id
+
+    def create_evidence_from_scan(
+        self,
+        service_name: str,
+        findings: List[dict],
+        ocsf_data: Optional[List[dict]] = None,
+        update_frequency: int = 30,
+        control_ids: Optional[List[int]] = None,
+    ) -> Optional[Evidence]:
+        """
+        Create evidence record from AWS service scan
+
+        :param str service_name: AWS service name (GuardDuty, SecurityHub, etc.)
+        :param List[dict] findings: List of AWS findings (native format)
+        :param Optional[List[dict]] ocsf_data: OCSF-formatted findings
+        :param int update_frequency: Evidence update frequency in days (default: 30)
+        :param Optional[List[int]] control_ids: Control IDs to link evidence
+        :return: Created Evidence object or None
+        :rtype: Optional[Evidence]
+        """
+        if not findings:
+            logger.warning("No findings provided, skipping evidence creation")
+            return None
+
+        # Generate evidence title with timestamp
+        scan_date = datetime.now().strftime("%Y-%m-%d")
+        title = f"{service_name} Findings Scan - {scan_date}"
+
+        # Create description with finding summary
+        total_findings = len(findings)
+        severity_counts = self._count_severities(findings, service_name)
+        description = self._build_evidence_description(service_name, total_findings, severity_counts, ocsf_data)
+
+        # Calculate due date based on update frequency
+        due_date = (datetime.now() + timedelta(days=update_frequency)).isoformat()
+
+        try:
+            # Create evidence record
+            evidence = Evidence(
+                title=title,
+                description=description,
+                status="Collected",
+                updateFrequency=update_frequency,
+                dueDate=due_date,
+            )
+
+            # Create evidence in RegScale
+            created_evidence = evidence.create()
+            if not created_evidence or not created_evidence.id:
+                logger.error("Failed to create evidence record")
+                return None
+
+            logger.info("Created evidence record %s: %s", created_evidence.id, title)
+
+            # Upload findings as file attachments
+            self._attach_findings_files(
+                created_evidence.id,
+                findings,
+                ocsf_data,
+                service_name,
+            )
+
+            # Link evidence to SSP if provided
+            if self.ssp_id:
+                self._link_to_ssp(created_evidence.id)
+
+            # Link evidence to specific controls if provided
+            if control_ids:
+                self._link_to_controls(created_evidence.id, control_ids)
+
+            return created_evidence
+
+        except Exception as ex:
+            logger.error("Failed to create evidence: %s", ex)
+            return None
+
+    def _count_severities(self, findings: List[dict], service_name: str) -> dict:
+        """
+        Count findings by severity level
+
+        :param List[dict] findings: AWS findings
+        :param str service_name: AWS service name for severity field mapping
+        :return: Dictionary with severity counts
+        :rtype: dict
+        """
+        severity_counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0, "INFO": 0}
+
+        for finding in findings:
+            # Map service-specific severity fields
+            if service_name == "GuardDuty":
+                severity = finding.get("Severity", 0)
+                # GuardDuty uses numeric severity (1.0-8.9)
+                if severity >= 7.0:
+                    severity_counts["HIGH"] += 1
+                elif severity >= 4.0:
+                    severity_counts["MEDIUM"] += 1
+                else:
+                    severity_counts["LOW"] += 1
+
+            elif service_name == "SecurityHub":
+                # Security Hub uses normalized severity
+                severity_label = finding.get("Severity", {}).get("Label", "INFO")
+                severity_counts[severity_label] = severity_counts.get(severity_label, 0) + 1
+
+            elif service_name == "CloudTrail":
+                # CloudTrail events don't have severity, count as INFO
+                severity_counts["INFO"] += 1
+
+        return severity_counts
+
+    def _build_evidence_description(
+        self,
+        service_name: str,
+        total_findings: int,
+        severity_counts: dict,
+        ocsf_data: Optional[List[dict]],
+    ) -> str:
+        """
+        Build evidence description with finding summary
+
+        :param str service_name: AWS service name
+        :param int total_findings: Total number of findings
+        :param dict severity_counts: Severity breakdown
+        :param Optional[List[dict]] ocsf_data: OCSF-formatted findings
+        :return: Evidence description text
+        :rtype: str
+        """
+        description_parts = [
+            f"Automated evidence collection from AWS {service_name}.",
+            f"Total findings: {total_findings}",
+            "",
+            "Severity Breakdown:",
+        ]
+
+        for severity, count in severity_counts.items():
+            if count > 0:
+                description_parts.append(f"  - {severity}: {count}")
+
+        description_parts.extend(["", "Files attached:"])
+        description_parts.append(f"  - {service_name.lower()}_findings_native.jsonl.gz (AWS native format, compressed)")
+
+        if ocsf_data:
+            description_parts.append(
+                f"  - {service_name.lower()}_findings_ocsf.jsonl.gz (OCSF normalized format, compressed)"
+            )
+
+        return "\n".join(description_parts)
+
+    def _attach_findings_files(
+        self,
+        evidence_id: int,
+        findings: List[dict],
+        ocsf_data: Optional[List[dict]],
+        service_name: str,
+    ) -> None:
+        """
+        Upload findings as file attachments to evidence
+
+        :param int evidence_id: Evidence record ID
+        :param List[dict] findings: Native AWS findings
+        :param Optional[List[dict]] ocsf_data: OCSF-formatted findings
+        :param str service_name: AWS service name
+        """
+        # Upload native findings as compressed JSONL
+        native_jsonl = "\n".join([json.dumps(f) for f in findings])
+
+        # Compress the JSONL data
+        compressed_buffer = BytesIO()
+        with gzip.open(compressed_buffer, "wt", encoding="utf-8", compresslevel=9) as gz_file:
+            gz_file.write(native_jsonl)
+
+        compressed_data = compressed_buffer.getvalue()
+
+        success = File.upload_file_to_regscale(
+            file_name=f"{service_name.lower()}_findings_native.jsonl.gz",
+            parent_id=evidence_id,
+            parent_module="evidence",
+            api=self.api,
+            file_data=compressed_data,
+            tags=f"aws,{service_name.lower()},native,compressed",
+        )
+
+        if success:
+            logger.info("Uploaded compressed native findings file for evidence %s", evidence_id)
+        else:
+            logger.warning("Failed to upload compressed native findings file for evidence %s", evidence_id)
+
+        # Upload OCSF findings if available
+        if ocsf_data:
+            ocsf_jsonl = "\n".join([json.dumps(f) for f in ocsf_data])
+
+            # Compress the OCSF JSONL data
+            compressed_buffer = BytesIO()
+            with gzip.open(compressed_buffer, "wt", encoding="utf-8", compresslevel=9) as gz_file:
+                gz_file.write(ocsf_jsonl)
+
+            compressed_data = compressed_buffer.getvalue()
+
+            success = File.upload_file_to_regscale(
+                file_name=f"{service_name.lower()}_findings_ocsf.jsonl.gz",
+                parent_id=evidence_id,
+                parent_module="evidence",
+                api=self.api,
+                file_data=compressed_data,
+                tags=f"aws,{service_name.lower()},ocsf,compressed",
+            )
+
+            if success:
+                logger.info("Uploaded compressed OCSF findings file for evidence %s", evidence_id)
+            else:
+                logger.warning("Failed to upload compressed OCSF findings file for evidence %s", evidence_id)
+
+    def _link_to_ssp(self, evidence_id: int) -> None:
+        """
+        Link evidence to Security Plan
+
+        :param int evidence_id: Evidence record ID
+        """
+        if not self.ssp_id:
+            return
+
+        mapping = EvidenceMapping(
+            evidenceID=evidence_id,
+            mappedID=self.ssp_id,
+            mappingType="securityplans",
+        )
+
+        try:
+            mapping.create()
+            logger.info("Linked evidence %s to SSP %s", evidence_id, self.ssp_id)
+        except Exception as ex:
+            logger.warning("Failed to link evidence to SSP: %s", ex)
+
+    def _link_to_controls(self, evidence_id: int, control_ids: List[int]) -> None:
+        """
+        Link evidence to specific security controls
+
+        :param int evidence_id: Evidence record ID
+        :param List[int] control_ids: List of control IDs
+        """
+        for control_id in control_ids:
+            mapping = EvidenceMapping(
+                evidenceID=evidence_id,
+                mappedID=control_id,
+                mappingType="securityControlAssessments",
+            )
+
+            try:
+                mapping.create()
+                logger.info("Linked evidence %s to control %s", evidence_id, control_id)
+            except Exception as ex:
+                logger.warning("Failed to link evidence to control %s: %s", control_id, ex)