runbooks 1.1.4__py3-none-any.whl → 1.1.6__py3-none-any.whl

runbooks/security/multi_account_security_controls.py

@@ -10,13 +10,13 @@ Framework: Multi-account security orchestration with proven coordination pattern
 Status: Enterprise-ready with systematic delegation and FAANG SDLC compliance
 
 Strategic Alignment:
-- 3 Strategic Objectives: runbooks package + FAANG SDLC + GitHub SSoT  
+- 3 Strategic Objectives: runbooks package + FAANG SDLC + GitHub SSoT
 - Core Principles: "Do one thing and do it well" + "Move Fast, But Not So Fast We Crash"
 - Enterprise Coordination: Multi-agent security validation with systematic delegation
 
 Key Capabilities:
 - 61-account concurrent security control deployment
-- Cross-account role-based security policy enforcement  
+- Cross-account role-based security policy enforcement
 - Organization-wide compliance monitoring and reporting
 - Automated security baseline implementation
 - Executive security posture dashboards
@@ -53,7 +53,7 @@ from runbooks.common.rich_utils import (
 
 class SecurityControlType(Enum):
     """Types of security controls for multi-account deployment."""
-    
+
     IAM_BASELINE = "IAM_BASELINE"
     ENCRYPTION_ENFORCEMENT = "ENCRYPTION_ENFORCEMENT"
     NETWORK_SECURITY = "NETWORK_SECURITY"
@@ -66,16 +66,16 @@ class SecurityControlType(Enum):
 
 class DeploymentStrategy(Enum):
     """Security control deployment strategies."""
-    
-    PARALLEL_ALL = "PARALLEL_ALL"          # Deploy to all accounts simultaneously
-    STAGED_ROLLOUT = "STAGED_ROLLOUT"      # Deploy in waves with validation gates
-    PILOT_FIRST = "PILOT_FIRST"           # Deploy to pilot accounts first
-    CRITICAL_FIRST = "CRITICAL_FIRST"     # Deploy to critical accounts first
+
+    PARALLEL_ALL = "PARALLEL_ALL"  # Deploy to all accounts simultaneously
+    STAGED_ROLLOUT = "STAGED_ROLLOUT"  # Deploy in waves with validation gates
+    PILOT_FIRST = "PILOT_FIRST"  # Deploy to pilot accounts first
+    CRITICAL_FIRST = "CRITICAL_FIRST"  # Deploy to critical accounts first
 
 
 class ControlStatus(Enum):
     """Status of security control deployment."""
-    
+
     PENDING = "PENDING"
     DEPLOYING = "DEPLOYING"
     DEPLOYED = "DEPLOYED"
@@ -88,7 +88,7 @@ class ControlStatus(Enum):
 @dataclass
 class SecurityControl:
     """Represents a security control for multi-account deployment."""
-    
+
     control_id: str
     control_name: str
     control_type: SecurityControlType
@@ -103,7 +103,7 @@ class SecurityControl:
     estimated_deployment_time: int  # minutes
     requires_approval: bool = False
     cross_account_role_required: bool = True
-    
+
     # Deployment tracking
     deployment_status: ControlStatus = ControlStatus.PENDING
     deployed_accounts: List[str] = field(default_factory=list)
@@ -114,7 +114,7 @@ class SecurityControl:
 @dataclass
 class AccountSecurityProfile:
     """Security profile for individual AWS account."""
-    
+
     account_id: str
     account_name: str
     environment_type: str  # prod, staging, dev, sandbox
@@ -130,7 +130,7 @@ class AccountSecurityProfile:
 @dataclass
 class MultiAccountSecurityReport:
     """Comprehensive security report across all accounts."""
-    
+
     report_id: str
     timestamp: datetime
     total_accounts: int
@@ -150,10 +150,10 @@ class MultiAccountSecurityController:
     """
     Multi-Account Security Controls Framework
     ========================================
-    
+
     Orchestrates security control deployment and compliance monitoring across
     enterprise AWS Organizations with up to 61 concurrent account operations.
-    
+
     Enterprise Features:
     - Parallel security control deployment with intelligent batching
     - Cross-account role-based policy enforcement
@@ -163,34 +163,34 @@ class MultiAccountSecurityController:
     """
 
     def __init__(
-        self, 
-        profile: str = "default", 
+        self,
+        profile: str = "default",
         output_dir: str = "./artifacts/multi-account-security",
         max_concurrent_accounts: int = 61,
-        dry_run: bool = True
+        dry_run: bool = True,
     ):
         self.profile = profile
         self.output_dir = Path(output_dir)
         self.output_dir.mkdir(parents=True, exist_ok=True)
         self.max_concurrent_accounts = max_concurrent_accounts
         self.dry_run = dry_run
-        
+
         # Initialize secure management session
         self.session = self._create_secure_session()
-        
+
         # Security control definitions
         self.security_controls = self._initialize_security_controls()
-        
+
         # Account discovery and profiling
         self.account_profiles = {}
         self.organization_structure = {}
-        
+
         # Cross-account role management
         self.cross_account_role_arn = self._get_cross_account_role_arn()
-        
+
         # Deployment tracking
         self.deployment_tracker = MultiAccountDeploymentTracker(self.output_dir)
-        
+
         print_header("Multi-Account Security Controller", "1.0.0")
         print_info(f"Profile: {profile}")
         print_info(f"Max concurrent accounts: {max_concurrent_accounts}")
@@ -200,282 +200,260 @@ class MultiAccountSecurityController:
     def _create_secure_session(self) -> boto3.Session:
         """Create secure AWS session with organization-level permissions."""
         try:
-            session = create_management_session(profile=self.profile)
-            
+            session = create_management_session(profile_name=self.profile)
+
             # Validate organization access
             try:
-                organizations = session.client('organizations')
+                organizations = session.client("organizations")
                 org_info = organizations.describe_organization()
                 print_success(f"Organization access validated: {org_info['Organization']['Id']}")
             except ClientError as e:
                 print_warning(f"Limited organization access: {str(e)}")
-            
+
             # Validate session credentials
             sts_client = session.client("sts")
             identity = sts_client.get_caller_identity()
-            
+
             print_info(f"Management session established for: {identity.get('Arn', 'Unknown')}")
             return session
-            
+
         except (ClientError, NoCredentialsError) as e:
             print_error(f"Failed to establish management session: {str(e)}")
             raise
 
     def _get_cross_account_role_arn(self) -> str:
         """Get cross-account role ARN for security operations."""
-        
+
         # Standard cross-account security role
         return "arn:aws:iam::{account_id}:role/CloudOpsSecurityRole"
 
     def _initialize_security_controls(self) -> List[SecurityControl]:
         """Initialize comprehensive security controls for enterprise deployment."""
-        
+
         controls = []
-        
+
         # IAM Baseline Controls
-        controls.append(SecurityControl(
-            control_id="IAM-001",
-            control_name="IAM Password Policy Enforcement",
-            control_type=SecurityControlType.IAM_BASELINE,
-            description="Enforce strong password policy across all accounts",
-            aws_services=["iam"],
-            compliance_frameworks=["SOC2", "CIS Benchmarks", "AWS Well-Architected"],
-            deployment_template={
-                "MinimumPasswordLength": 14,
-                "RequireUppercaseCharacters": True,
-                "RequireLowercaseCharacters": True,
-                "RequireNumbers": True,
-                "RequireSymbols": True,
-                "MaxPasswordAge": 90,
-                "PasswordReusePrevention": 24,
-                "HardExpiry": False
-            },
-            validation_checks=[
-                "verify_password_policy_applied",
-                "check_minimum_password_length",
-                "validate_complexity_requirements"
-            ],
-            rollback_procedure=[
-                "revert_to_previous_password_policy",
-                "notify_security_team_of_rollback"
-            ],
-            business_justification="Reduces account compromise risk by 80%",
-            risk_if_not_implemented="High risk of credential-based attacks",
-            estimated_deployment_time=5,
-            requires_approval=False
-        ))
-        
-        controls.append(SecurityControl(
-            control_id="IAM-002",
-            control_name="Root Account MFA Enforcement",
-            control_type=SecurityControlType.IAM_BASELINE,
-            description="Ensure MFA is enabled on all root accounts",
-            aws_services=["iam"],
-            compliance_frameworks=["SOC2", "CIS Benchmarks", "PCI-DSS"],
-            deployment_template={
-                "mfa_required": True,
-                "virtual_mfa_preferred": True,
-                "hardware_mfa_fallback": True
-            },
-            validation_checks=[
-                "verify_root_mfa_enabled",
-                "check_mfa_device_type",
-                "validate_mfa_functionality"
-            ],
-            rollback_procedure=[
-                "document_mfa_removal_justification",
-                "notify_compliance_team"
-            ],
-            business_justification="Prevents root account compromise - critical for enterprise security",
-            risk_if_not_implemented="Critical - complete account takeover possible",
-            estimated_deployment_time=10,
-            requires_approval=True  # Root account changes require approval
-        ))
-        
+        controls.append(
+            SecurityControl(
+                control_id="IAM-001",
+                control_name="IAM Password Policy Enforcement",
+                control_type=SecurityControlType.IAM_BASELINE,
+                description="Enforce strong password policy across all accounts",
+                aws_services=["iam"],
+                compliance_frameworks=["SOC2", "CIS Benchmarks", "AWS Well-Architected"],
+                deployment_template={
+                    "MinimumPasswordLength": 14,
+                    "RequireUppercaseCharacters": True,
+                    "RequireLowercaseCharacters": True,
+                    "RequireNumbers": True,
+                    "RequireSymbols": True,
+                    "MaxPasswordAge": 90,
+                    "PasswordReusePrevention": 24,
+                    "HardExpiry": False,
+                },
+                validation_checks=[
+                    "verify_password_policy_applied",
+                    "check_minimum_password_length",
+                    "validate_complexity_requirements",
+                ],
+                rollback_procedure=["revert_to_previous_password_policy", "notify_security_team_of_rollback"],
+                business_justification="Reduces account compromise risk by 80%",
+                risk_if_not_implemented="High risk of credential-based attacks",
+                estimated_deployment_time=5,
+                requires_approval=False,
+            )
+        )
+
+        controls.append(
+            SecurityControl(
+                control_id="IAM-002",
+                control_name="Root Account MFA Enforcement",
+                control_type=SecurityControlType.IAM_BASELINE,
+                description="Ensure MFA is enabled on all root accounts",
+                aws_services=["iam"],
+                compliance_frameworks=["SOC2", "CIS Benchmarks", "PCI-DSS"],
+                deployment_template={
+                    "mfa_required": True,
+                    "virtual_mfa_preferred": True,
+                    "hardware_mfa_fallback": True,
+                },
+                validation_checks=["verify_root_mfa_enabled", "check_mfa_device_type", "validate_mfa_functionality"],
+                rollback_procedure=["document_mfa_removal_justification", "notify_compliance_team"],
+                business_justification="Prevents root account compromise - critical for enterprise security",
+                risk_if_not_implemented="Critical - complete account takeover possible",
+                estimated_deployment_time=10,
+                requires_approval=True,  # Root account changes require approval
+            )
+        )
+
         # Encryption Controls
-        controls.append(SecurityControl(
-            control_id="ENC-001",
-            control_name="S3 Bucket Encryption Enforcement",
-            control_type=SecurityControlType.ENCRYPTION_ENFORCEMENT,
-            description="Enforce encryption at rest for all S3 buckets",
-            aws_services=["s3"],
-            compliance_frameworks=["SOC2", "PCI-DSS", "HIPAA"],
-            deployment_template={
-                "encryption_algorithm": "AES256",
-                "kms_encryption_preferred": True,
-                "bucket_key_enabled": True,
-                "deny_unencrypted_object_uploads": True
-            },
-            validation_checks=[
-                "verify_bucket_encryption_enabled",
-                "check_default_encryption_configuration",
-                "validate_object_encryption_status"
-            ],
-            rollback_procedure=[
-                "disable_encryption_requirement",
-                "restore_previous_bucket_policies"
-            ],
-            business_justification="Protects sensitive data and meets compliance requirements",
-            risk_if_not_implemented="Data breach risk, compliance violations",
-            estimated_deployment_time=15
-        ))
-        
-        controls.append(SecurityControl(
-            control_id="ENC-002",
-            control_name="EBS Volume Encryption",
-            control_type=SecurityControlType.ENCRYPTION_ENFORCEMENT,
-            description="Enforce encryption for all EBS volumes",
-            aws_services=["ec2"],
-            compliance_frameworks=["SOC2", "PCI-DSS", "HIPAA"],
-            deployment_template={
-                "default_encryption_enabled": True,
-                "kms_key_id": "alias/aws/ebs",
-                "delete_on_termination": True
-            },
-            validation_checks=[
-                "verify_ebs_encryption_default",
-                "check_existing_volume_encryption",
-                "validate_kms_key_permissions"
-            ],
-            rollback_procedure=[
-                "disable_default_ebs_encryption",
-                "document_encryption_rollback"
-            ],
-            business_justification="Protects data at rest on compute instances",
-            risk_if_not_implemented="Data exposure from compromised or lost instances",
-            estimated_deployment_time=10
-        ))
-        
+        controls.append(
+            SecurityControl(
+                control_id="ENC-001",
+                control_name="S3 Bucket Encryption Enforcement",
+                control_type=SecurityControlType.ENCRYPTION_ENFORCEMENT,
+                description="Enforce encryption at rest for all S3 buckets",
+                aws_services=["s3"],
+                compliance_frameworks=["SOC2", "PCI-DSS", "HIPAA"],
+                deployment_template={
+                    "encryption_algorithm": "AES256",
+                    "kms_encryption_preferred": True,
+                    "bucket_key_enabled": True,
+                    "deny_unencrypted_object_uploads": True,
+                },
+                validation_checks=[
+                    "verify_bucket_encryption_enabled",
+                    "check_default_encryption_configuration",
+                    "validate_object_encryption_status",
+                ],
+                rollback_procedure=["disable_encryption_requirement", "restore_previous_bucket_policies"],
+                business_justification="Protects sensitive data and meets compliance requirements",
+                risk_if_not_implemented="Data breach risk, compliance violations",
+                estimated_deployment_time=15,
+            )
+        )
+
+        controls.append(
+            SecurityControl(
+                control_id="ENC-002",
+                control_name="EBS Volume Encryption",
+                control_type=SecurityControlType.ENCRYPTION_ENFORCEMENT,
+                description="Enforce encryption for all EBS volumes",
+                aws_services=["ec2"],
+                compliance_frameworks=["SOC2", "PCI-DSS", "HIPAA"],
+                deployment_template={
+                    "default_encryption_enabled": True,
+                    "kms_key_id": "alias/aws/ebs",
+                    "delete_on_termination": True,
+                },
+                validation_checks=[
+                    "verify_ebs_encryption_default",
+                    "check_existing_volume_encryption",
+                    "validate_kms_key_permissions",
+                ],
+                rollback_procedure=["disable_default_ebs_encryption", "document_encryption_rollback"],
+                business_justification="Protects data at rest on compute instances",
+                risk_if_not_implemented="Data exposure from compromised or lost instances",
+                estimated_deployment_time=10,
+            )
+        )
+
         # Network Security Controls
-        controls.append(SecurityControl(
-            control_id="NET-001",
-            control_name="VPC Flow Logs Enablement",
-            control_type=SecurityControlType.NETWORK_SECURITY,
-            description="Enable VPC Flow Logs for all VPCs",
-            aws_services=["ec2", "logs"],
-            compliance_frameworks=["SOC2", "AWS Well-Architected"],
-            deployment_template={
-                "log_destination_type": "cloud-watch-logs",
-                "traffic_type": "ALL",
-                "log_format": "${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${windowstart} ${windowend} ${action}",
-                "max_aggregation_interval": 60
-            },
-            validation_checks=[
-                "verify_flow_logs_enabled",
-                "check_log_destination_access",
-                "validate_log_format_compliance"
-            ],
-            rollback_procedure=[
-                "disable_vpc_flow_logs",
-                "clean_up_log_groups"
-            ],
-            business_justification="Enables network security monitoring and forensics",
-            risk_if_not_implemented="Limited visibility into network traffic and security events",
-            estimated_deployment_time=20
-        ))
-        
+        controls.append(
+            SecurityControl(
+                control_id="NET-001",
+                control_name="VPC Flow Logs Enablement",
+                control_type=SecurityControlType.NETWORK_SECURITY,
+                description="Enable VPC Flow Logs for all VPCs",
+                aws_services=["ec2", "logs"],
+                compliance_frameworks=["SOC2", "AWS Well-Architected"],
+                deployment_template={
+                    "log_destination_type": "cloud-watch-logs",
+                    "traffic_type": "ALL",
+                    "log_format": "${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${windowstart} ${windowend} ${action}",
+                    "max_aggregation_interval": 60,
+                },
+                validation_checks=[
+                    "verify_flow_logs_enabled",
+                    "check_log_destination_access",
+                    "validate_log_format_compliance",
+                ],
+                rollback_procedure=["disable_vpc_flow_logs", "clean_up_log_groups"],
+                business_justification="Enables network security monitoring and forensics",
+                risk_if_not_implemented="Limited visibility into network traffic and security events",
+                estimated_deployment_time=20,
+            )
+        )
+
         # Audit Logging Controls
-        controls.append(SecurityControl(
-            control_id="AUD-001",
-            control_name="CloudTrail Organization-wide Logging",
-            control_type=SecurityControlType.AUDIT_LOGGING,
-            description="Enable comprehensive CloudTrail logging across organization",
-            aws_services=["cloudtrail", "s3"],
-            compliance_frameworks=["SOC2", "PCI-DSS", "AWS Well-Architected"],
-            deployment_template={
-                "include_global_service_events": True,
-                "is_multi_region_trail": True,
-                "enable_log_file_validation": True,
-                "event_selectors": [
-                    {
-                        "read_write_type": "All",
-                        "include_management_events": True,
-                        "data_resources": [
-                            {
-                                "type": "AWS::S3::Object",
-                                "values": ["arn:aws:s3:::*/*"]
-                            }
-                        ]
-                    }
-                ]
-            },
-            validation_checks=[
-                "verify_cloudtrail_enabled",
-                "check_log_file_validation",
-                "validate_s3_bucket_security"
-            ],
-            rollback_procedure=[
-                "disable_organization_cloudtrail",
-                "remove_log_bucket_policies"
-            ],
-            business_justification="Essential for compliance, security monitoring, and forensics",
-            risk_if_not_implemented="No audit trail for security investigations",
-            estimated_deployment_time=30,
-            requires_approval=True  # Organization-wide changes require approval
-        ))
-        
+        controls.append(
+            SecurityControl(
+                control_id="AUD-001",
+                control_name="CloudTrail Organization-wide Logging",
+                control_type=SecurityControlType.AUDIT_LOGGING,
+                description="Enable comprehensive CloudTrail logging across organization",
+                aws_services=["cloudtrail", "s3"],
+                compliance_frameworks=["SOC2", "PCI-DSS", "AWS Well-Architected"],
+                deployment_template={
+                    "include_global_service_events": True,
+                    "is_multi_region_trail": True,
+                    "enable_log_file_validation": True,
+                    "event_selectors": [
+                        {
+                            "read_write_type": "All",
+                            "include_management_events": True,
+                            "data_resources": [{"type": "AWS::S3::Object", "values": ["arn:aws:s3:::*/*"]}],
+                        }
+                    ],
+                },
+                validation_checks=[
+                    "verify_cloudtrail_enabled",
+                    "check_log_file_validation",
+                    "validate_s3_bucket_security",
+                ],
+                rollback_procedure=["disable_organization_cloudtrail", "remove_log_bucket_policies"],
+                business_justification="Essential for compliance, security monitoring, and forensics",
+                risk_if_not_implemented="No audit trail for security investigations",
+                estimated_deployment_time=30,
+                requires_approval=True,  # Organization-wide changes require approval
+            )
+        )
+
         # Compliance Monitoring Controls
-        controls.append(SecurityControl(
-            control_id="CMP-001",
-            control_name="AWS Config Multi-Account Setup",
-            control_type=SecurityControlType.COMPLIANCE_MONITORING,
-            description="Deploy AWS Config for continuous compliance monitoring",
-            aws_services=["config", "s3"],
-            compliance_frameworks=["SOC2", "CIS Benchmarks", "AWS Well-Architected"],
-            deployment_template={
-                "configuration_recorder": {
-                    "record_all_supported": True,
-                    "include_global_resource_types": True,
-                    "recording_group": {
-                        "all_supported": True,
-                        "include_global_resource_types": True
-                    }
+        controls.append(
+            SecurityControl(
+                control_id="CMP-001",
+                control_name="AWS Config Multi-Account Setup",
+                control_type=SecurityControlType.COMPLIANCE_MONITORING,
+                description="Deploy AWS Config for continuous compliance monitoring",
+                aws_services=["config", "s3"],
+                compliance_frameworks=["SOC2", "CIS Benchmarks", "AWS Well-Architected"],
+                deployment_template={
+                    "configuration_recorder": {
+                        "record_all_supported": True,
+                        "include_global_resource_types": True,
+                        "recording_group": {"all_supported": True, "include_global_resource_types": True},
+                    },
+                    "delivery_channel": {
+                        "s3_bucket_name": "organization-config-bucket",
+                        "config_snapshot_delivery_properties": {"delivery_frequency": "TwentyFour_Hours"},
+                    },
                 },
-                "delivery_channel": {
-                    "s3_bucket_name": "organization-config-bucket",
-                    "config_snapshot_delivery_properties": {
-                        "delivery_frequency": "TwentyFour_Hours"
-                    }
-                }
-            },
-            validation_checks=[
-                "verify_config_recorder_status",
-                "check_delivery_channel_status", 
-                "validate_config_rules_deployment"
-            ],
-            rollback_procedure=[
-                "stop_configuration_recorder",
-                "delete_delivery_channel",
-                "clean_up_config_rules"
-            ],
-            business_justification="Automated compliance monitoring reduces manual audit overhead",
-            risk_if_not_implemented="Manual compliance checking, delayed non-compliance detection",
-            estimated_deployment_time=45
-        ))
-        
+                validation_checks=[
+                    "verify_config_recorder_status",
+                    "check_delivery_channel_status",
+                    "validate_config_rules_deployment",
+                ],
+                rollback_procedure=["stop_configuration_recorder", "delete_delivery_channel", "clean_up_config_rules"],
+                business_justification="Automated compliance monitoring reduces manual audit overhead",
+                risk_if_not_implemented="Manual compliance checking, delayed non-compliance detection",
+                estimated_deployment_time=45,
+            )
+        )
+
         return controls
 
     async def deploy_security_controls_organization_wide(
         self,
         control_ids: Optional[List[str]] = None,
         target_accounts: Optional[List[str]] = None,
-        deployment_strategy: DeploymentStrategy = DeploymentStrategy.STAGED_ROLLOUT
+        deployment_strategy: DeploymentStrategy = DeploymentStrategy.STAGED_ROLLOUT,
     ) -> MultiAccountSecurityReport:
         """
         Deploy security controls across the entire AWS Organization.
-        
+
         Args:
             control_ids: Specific controls to deploy (None for all controls)
             target_accounts: Specific accounts to target (None for all accounts)
             deployment_strategy: How to deploy controls across accounts
-            
+
         Returns:
             MultiAccountSecurityReport with comprehensive deployment results
         """
-        
+
         deployment_id = f"deploy-{int(time.time())}"
         start_time = datetime.utcnow()
-        
+
         console.print(
             create_panel(
                 f"[bold cyan]Organization-wide Security Control Deployment[/bold cyan]\n\n"
@@ -486,105 +464,93 @@ class MultiAccountSecurityController:
                 border_style="cyan",
             )
         )
-        
+
         # Discover and profile target accounts
         if not target_accounts:
             target_accounts = await self._discover_organization_accounts()
-        
+
         await self._profile_target_accounts(target_accounts)
-        
+
         # Select controls to deploy
         controls_to_deploy = self._select_controls_for_deployment(control_ids)
-        
+
         print_info(f"Target accounts: {len(target_accounts)}")
         print_info(f"Controls to deploy: {len(controls_to_deploy)}")
-        
+
         # Execute deployment based on strategy
         deployment_results = await self._execute_deployment_strategy(
-            controls_to_deploy,
-            target_accounts,
-            deployment_strategy,
-            deployment_id
+            controls_to_deploy, target_accounts, deployment_strategy, deployment_id
         )
-        
+
         # Validate deployments
-        validation_results = await self._validate_control_deployments(
-            deployment_results,
-            target_accounts
-        )
-        
+        validation_results = await self._validate_control_deployments(deployment_results, target_accounts)
+
         # Generate comprehensive report
         report = await self._generate_deployment_report(
-            deployment_id,
-            start_time,
-            controls_to_deploy,
-            target_accounts,
-            deployment_results,
-            validation_results
+            deployment_id, start_time, controls_to_deploy, target_accounts, deployment_results, validation_results
         )
-        
+
         # Display summary
         self._display_deployment_summary(report)
-        
+
         # Export report
         await self._export_deployment_report(report)
-        
+
         return report
 
     async def _discover_organization_accounts(self) -> List[str]:
         """Discover all active accounts in the AWS Organization."""
-        
+
         accounts = []
-        
+
         try:
-            organizations = self.session.client('organizations')
-            
+            organizations = self.session.client("organizations")
+
             # Get organization details
             org_info = organizations.describe_organization()
             print_info(f"Organization ID: {org_info['Organization']['Id']}")
-            
+
             # List all accounts
-            paginator = organizations.get_paginator('list_accounts')
-            
+            paginator = organizations.get_paginator("list_accounts")
+
             for page in paginator.paginate():
-                for account in page.get('Accounts', []):
-                    if account['Status'] == 'ACTIVE':
-                        accounts.append(account['Id'])
-            
+                for account in page.get("Accounts", []):
+                    if account["Status"] == "ACTIVE":
+                        accounts.append(account["Id"])
+
             print_success(f"Discovered {len(accounts)} active organization accounts")
-            
+
             # Limit to max concurrent if needed
             if len(accounts) > self.max_concurrent_accounts:
                 print_warning(f"Limiting to {self.max_concurrent_accounts} accounts for deployment")
-                accounts = accounts[:self.max_concurrent_accounts]
-            
+                accounts = accounts[: self.max_concurrent_accounts]
+
         except ClientError as e:
             print_warning(f"Could not discover organization accounts: {str(e)}")
             # Fallback to current account
-            sts = self.session.client('sts')
-            current_account = sts.get_caller_identity()['Account']
+            sts = self.session.client("sts")
+            current_account = sts.get_caller_identity()["Account"]
             accounts = [current_account]
             print_info(f"Using current account: {current_account}")
-        
+
         return accounts
 
     async def _profile_target_accounts(self, target_accounts: List[str]):
         """Profile target accounts for deployment planning."""
-        
+
         print_info(f"Profiling {len(target_accounts)} target accounts...")
-        
+
         with create_progress_bar() as progress:
             task = progress.add_task("[cyan]Profiling accounts...", total=len(target_accounts))
-            
+
             # Use ThreadPoolExecutor for concurrent account profiling
             with ThreadPoolExecutor(max_workers=min(10, len(target_accounts))) as executor:
-                
                 # Submit profiling tasks
                 future_to_account = {
-                    executor.submit(self._profile_single_account, account_id): account_id 
+                    executor.submit(self._profile_single_account, account_id): account_id
                     for account_id in target_accounts
                 }
-                
+
                 # Process results as they complete
                 for future in as_completed(future_to_account):
                     account_id = future_to_account[future]
@@ -599,244 +565,232 @@ class MultiAccountSecurityController:
                             account_name=f"Account-{account_id}",
                             environment_type="unknown",
                             business_criticality="medium",
-                            compliance_requirements=["SOC2"]  # Default
+                            compliance_requirements=["SOC2"],  # Default
                         )
-                    
+
                     progress.update(task, advance=1)
-        
+
         print_success(f"Account profiling completed: {len(self.account_profiles)} profiles created")
 
     def _profile_single_account(self, account_id: str) -> AccountSecurityProfile:
         """Profile a single account for security control deployment."""
-        
+
         try:
             # Attempt to assume cross-account role
             account_session = self._assume_cross_account_role(account_id)
-            
+
             if not account_session:
                 # Use management session if cross-account role not available
                 account_session = self.session
-            
+
             # Gather account information
             account_info = self._gather_account_info(account_session, account_id)
-            
+
             # Determine environment type from account name/tags
             environment_type = self._determine_environment_type(account_info)
-            
+
             # Assess business criticality
             business_criticality = self._assess_business_criticality(account_info, environment_type)
-            
+
             # Determine compliance requirements
-            compliance_requirements = self._determine_compliance_requirements(
-                environment_type, business_criticality
-            )
-            
+            compliance_requirements = self._determine_compliance_requirements(environment_type, business_criticality)
+
             # Check existing security controls
             deployed_controls = self._check_existing_security_controls(account_session)
-            
+
             # Calculate current security score
             security_score = self._calculate_security_score(deployed_controls, compliance_requirements)
-            
+
             return AccountSecurityProfile(
                 account_id=account_id,
-                account_name=account_info.get('name', f'Account-{account_id}'),
+                account_name=account_info.get("name", f"Account-{account_id}"),
                 environment_type=environment_type,
                 business_criticality=business_criticality,
                 compliance_requirements=compliance_requirements,
                 deployed_controls=deployed_controls,
                 security_score=security_score,
-                last_assessment=datetime.utcnow()
+                last_assessment=datetime.utcnow(),
             )
-            
+
         except Exception as e:
             print_warning(f"Error profiling account {account_id}: {str(e)}")
-            
+
             # Return minimal profile on error
             return AccountSecurityProfile(
                 account_id=account_id,
-                account_name=f'Account-{account_id}',
+                account_name=f"Account-{account_id}",
                 environment_type="unknown",
                 business_criticality="medium",
-                compliance_requirements=["SOC2"]
+                compliance_requirements=["SOC2"],
             )
 
     def _assume_cross_account_role(self, account_id: str) -> Optional[boto3.Session]:
         """Assume cross-account role for security operations."""
-        
+
         try:
             role_arn = self.cross_account_role_arn.format(account_id=account_id)
-            
-            sts = self.session.client('sts')
+
+            sts = self.session.client("sts")
             response = sts.assume_role(
-                RoleArn=role_arn,
-                RoleSessionName=f'CloudOpsSecurityDeployment-{int(time.time())}'
+                RoleArn=role_arn, RoleSessionName=f"CloudOpsSecurityDeployment-{int(time.time())}"
             )
-            
-            credentials = response['Credentials']
-            
+
+            credentials = response["Credentials"]
+
             return boto3.Session(
-                aws_access_key_id=credentials['AccessKeyId'],
-                aws_secret_access_key=credentials['SecretAccessKey'],
-                aws_session_token=credentials['SessionToken']
+                aws_access_key_id=credentials["AccessKeyId"],
+                aws_secret_access_key=credentials["SecretAccessKey"],
+                aws_session_token=credentials["SessionToken"],
             )
-            
+
         except ClientError as e:
             print_warning(f"Could not assume role in account {account_id}: {str(e)}")
             return None
 
     def _gather_account_info(self, session: boto3.Session, account_id: str) -> Dict[str, Any]:
         """Gather basic account information."""
-        
-        account_info = {'id': account_id}
-        
+
+        account_info = {"id": account_id}
+
         try:
             # Try to get account alias
-            iam = session.client('iam')
-            aliases = iam.list_account_aliases()['AccountAliases']
+            iam = session.client("iam")
+            aliases = iam.list_account_aliases()["AccountAliases"]
             if aliases:
-                account_info['name'] = aliases[0]
-                account_info['alias'] = aliases[0]
+                account_info["name"] = aliases[0]
+                account_info["alias"] = aliases[0]
         except ClientError:
             pass
-        
+
         try:
             # Get account attributes if possible
-            organizations = self.session.client('organizations')
+            organizations = self.session.client("organizations")
             account_details = organizations.describe_account(AccountId=account_id)
-            account_info['name'] = account_details['Account']['Name']
-            account_info['email'] = account_details['Account']['Email']
-            account_info['status'] = account_details['Account']['Status']
+            account_info["name"] = account_details["Account"]["Name"]
+            account_info["email"] = account_details["Account"]["Email"]
+            account_info["status"] = account_details["Account"]["Status"]
         except ClientError:
             pass
-        
+
         return account_info
 
     def _determine_environment_type(self, account_info: Dict[str, Any]) -> str:
         """Determine environment type from account information."""
-        
-        account_name = account_info.get('name', '').lower()
-        
-        if any(keyword in account_name for keyword in ['prod', 'production', 'prd']):
-            return 'production'
-        elif any(keyword in account_name for keyword in ['stg', 'staging', 'stage']):
-            return 'staging'  
-        elif any(keyword in account_name for keyword in ['dev', 'development', 'develop']):
-            return 'development'
-        elif any(keyword in account_name for keyword in ['test', 'testing', 'qa']):
-            return 'testing'
-        elif any(keyword in account_name for keyword in ['sandbox', 'sb', 'demo']):
-            return 'sandbox'
+
+        account_name = account_info.get("name", "").lower()
+
+        if any(keyword in account_name for keyword in ["prod", "production", "prd"]):
+            return "production"
+        elif any(keyword in account_name for keyword in ["stg", "staging", "stage"]):
+            return "staging"
+        elif any(keyword in account_name for keyword in ["dev", "development", "develop"]):
+            return "development"
+        elif any(keyword in account_name for keyword in ["test", "testing", "qa"]):
+            return "testing"
+        elif any(keyword in account_name for keyword in ["sandbox", "sb", "demo"]):
+            return "sandbox"
         else:
-            return 'unknown'
+            return "unknown"
 
     def _assess_business_criticality(self, account_info: Dict[str, Any], environment_type: str) -> str:
         """Assess business criticality of account."""
-        
+
         # Production accounts are typically high/critical
-        if environment_type == 'production':
-            return 'critical'
-        elif environment_type in ['staging', 'testing']:
-            return 'high'
-        elif environment_type == 'development':
-            return 'medium'
+        if environment_type == "production":
+            return "critical"
+        elif environment_type in ["staging", "testing"]:
+            return "high"
+        elif environment_type == "development":
+            return "medium"
         else:
-            return 'low'
+            return "low"
 
-    def _determine_compliance_requirements(
-        self, 
-        environment_type: str, 
-        business_criticality: str
-    ) -> List[str]:
+    def _determine_compliance_requirements(self, environment_type: str, business_criticality: str) -> List[str]:
         """Determine compliance requirements based on account characteristics."""
-        
-        requirements = ['SOC2']  # Base requirement
-        
-        if business_criticality in ['critical', 'high']:
-            requirements.extend(['AWS Well-Architected', 'CIS Benchmarks'])
-        
-        if environment_type == 'production':
-            requirements.extend(['PCI-DSS', 'HIPAA'])  # May be applicable
-        
+
+        requirements = ["SOC2"]  # Base requirement
+
+        if business_criticality in ["critical", "high"]:
+            requirements.extend(["AWS Well-Architected", "CIS Benchmarks"])
+
+        if environment_type == "production":
+            requirements.extend(["PCI-DSS", "HIPAA"])  # May be applicable
+
         return list(set(requirements))  # Remove duplicates
 
     def _check_existing_security_controls(self, session: boto3.Session) -> List[str]:
         """Check what security controls are already deployed in account."""
-        
+
         deployed_controls = []
-        
+
         try:
             # Check IAM password policy
-            iam = session.client('iam')
+            iam = session.client("iam")
             try:
                 iam.get_account_password_policy()
-                deployed_controls.append('IAM-001')
+                deployed_controls.append("IAM-001")
             except ClientError:
                 pass
-            
+
             # Check CloudTrail
-            cloudtrail = session.client('cloudtrail')
-            trails = cloudtrail.describe_trails()['trailList']
+            cloudtrail = session.client("cloudtrail")
+            trails = cloudtrail.describe_trails()["trailList"]
             if trails:
-                deployed_controls.append('AUD-001')
-            
+                deployed_controls.append("AUD-001")
+
             # Check Config
-            config = session.client('config')
+            config = session.client("config")
             try:
                 config.describe_configuration_recorders()
-                deployed_controls.append('CMP-001')
+                deployed_controls.append("CMP-001")
             except ClientError:
                 pass
-            
+
             # Check VPC Flow Logs (simplified check)
-            ec2 = session.client('ec2')
-            vpcs = ec2.describe_vpcs()['Vpcs']
-            flow_logs = ec2.describe_flow_logs()['FlowLogs']
-            
-            vpc_with_flow_logs = {fl['ResourceId'] for fl in flow_logs if fl['ResourceType'] == 'VPC'}
+            ec2 = session.client("ec2")
+            vpcs = ec2.describe_vpcs()["Vpcs"]
+            flow_logs = ec2.describe_flow_logs()["FlowLogs"]
+
+            vpc_with_flow_logs = {fl["ResourceId"] for fl in flow_logs if fl["ResourceType"] == "VPC"}
             if len(vpc_with_flow_logs) > 0:
-                deployed_controls.append('NET-001')
-            
+                deployed_controls.append("NET-001")
+
         except Exception as e:
             print_warning(f"Error checking existing controls: {str(e)}")
-        
+
         return deployed_controls
 
-    def _calculate_security_score(
-        self, 
-        deployed_controls: List[str], 
-        compliance_requirements: List[str]
-    ) -> float:
+    def _calculate_security_score(self, deployed_controls: List[str], compliance_requirements: List[str]) -> float:
         """Calculate security score based on deployed controls."""
-        
+
         total_applicable_controls = len(self.security_controls)
         deployed_count = len(deployed_controls)
-        
+
         base_score = (deployed_count / total_applicable_controls) * 100
-        
+
         # Adjust based on compliance requirements
         compliance_multiplier = 1.0 + (len(compliance_requirements) * 0.1)
-        
+
         return min(100.0, base_score * compliance_multiplier)
 
     def _select_controls_for_deployment(self, control_ids: Optional[List[str]]) -> List[SecurityControl]:
         """Select security controls for deployment."""
-        
+
         if control_ids:
             # Deploy specific controls
-            selected_controls = [
-                control for control in self.security_controls 
-                if control.control_id in control_ids
-            ]
+            selected_controls = [control for control in self.security_controls if control.control_id in control_ids]
         else:
             # Deploy all controls
             selected_controls = self.security_controls.copy()
-        
+
         # Sort by deployment priority (critical controls first)
-        selected_controls.sort(key=lambda c: (
-            c.requires_approval,  # Non-approval controls first
-            c.estimated_deployment_time  # Faster deployments first
-        ))
-        
+        selected_controls.sort(
+            key=lambda c: (
+                c.requires_approval,  # Non-approval controls first
+                c.estimated_deployment_time,  # Faster deployments first
+            )
+        )
+
         return selected_controls
 
     async def _execute_deployment_strategy(
@@ -844,26 +798,22 @@ class MultiAccountSecurityController:
         controls_to_deploy: List[SecurityControl],
         target_accounts: List[str],
         deployment_strategy: DeploymentStrategy,
-        deployment_id: str
+        deployment_id: str,
     ) -> Dict[str, Any]:
         """Execute security control deployment based on strategy."""
-        
+
         deployment_results = {
-            'deployment_id': deployment_id,
-            'strategy': deployment_strategy.value,
-            'total_controls': len(controls_to_deploy),
-            'total_accounts': len(target_accounts),
-            'control_results': {},
-            'account_results': {},
-            'summary': {
-                'successful_deployments': 0,
-                'failed_deployments': 0,
-                'total_deployment_time': 0
-            }
+            "deployment_id": deployment_id,
+            "strategy": deployment_strategy.value,
+            "total_controls": len(controls_to_deploy),
+            "total_accounts": len(target_accounts),
+            "control_results": {},
+            "account_results": {},
+            "summary": {"successful_deployments": 0, "failed_deployments": 0, "total_deployment_time": 0},
         }
-        
+
         start_time = time.time()
-        
+
         if deployment_strategy == DeploymentStrategy.PARALLEL_ALL:
             deployment_results = await self._parallel_deployment(
                 controls_to_deploy, target_accounts, deployment_results
@@ -880,375 +830,317 @@ class MultiAccountSecurityController:
             deployment_results = await self._critical_first_deployment(
                 controls_to_deploy, target_accounts, deployment_results
             )
-        
-        deployment_results['summary']['total_deployment_time'] = time.time() - start_time
-        
+
+        deployment_results["summary"]["total_deployment_time"] = time.time() - start_time
+
         return deployment_results
 
     async def _parallel_deployment(
-        self,
-        controls_to_deploy: List[SecurityControl],
-        target_accounts: List[str],
-        deployment_results: Dict[str, Any]
+        self, controls_to_deploy: List[SecurityControl], target_accounts: List[str], deployment_results: Dict[str, Any]
     ) -> Dict[str, Any]:
         """Deploy all controls to all accounts in parallel."""
-        
+
         print_info("Executing parallel deployment strategy")
-        
+
         # Create deployment tasks for all control-account combinations
         deployment_tasks = []
-        
+
         for control in controls_to_deploy:
             for account_id in target_accounts:
-                task = asyncio.create_task(
-                    self._deploy_control_to_account(control, account_id)
-                )
-                deployment_tasks.append({
-                    'task': task,
-                    'control_id': control.control_id,
-                    'account_id': account_id
-                })
-        
+                task = asyncio.create_task(self._deploy_control_to_account(control, account_id))
+                deployment_tasks.append({"task": task, "control_id": control.control_id, "account_id": account_id})
+
         # Execute all deployments with progress tracking
         with create_progress_bar() as progress:
-            deploy_task = progress.add_task(
-                "[green]Deploying controls...", 
-                total=len(deployment_tasks)
-            )
-            
+            deploy_task = progress.add_task("[green]Deploying controls...", total=len(deployment_tasks))
+
             # Process deployments as they complete
-            for task_info in asyncio.as_completed([t['task'] for t in deployment_tasks]):
+            for task_info in asyncio.as_completed([t["task"] for t in deployment_tasks]):
                 try:
                     result = await task_info
-                    
+
                     # Find the corresponding task info
-                    completed_task = next(
-                        t for t in deployment_tasks 
-                        if t['task'] == task_info
-                    )
-                    
+                    completed_task = next(t for t in deployment_tasks if t["task"] == task_info)
+
                     # Store result
-                    control_id = completed_task['control_id']
-                    account_id = completed_task['account_id']
-                    
-                    if control_id not in deployment_results['control_results']:
-                        deployment_results['control_results'][control_id] = {}
-                    
-                    deployment_results['control_results'][control_id][account_id] = result
-                    
-                    if result['success']:
-                        deployment_results['summary']['successful_deployments'] += 1
+                    control_id = completed_task["control_id"]
+                    account_id = completed_task["account_id"]
+
+                    if control_id not in deployment_results["control_results"]:
+                        deployment_results["control_results"][control_id] = {}
+
+                    deployment_results["control_results"][control_id][account_id] = result
+
+                    if result["success"]:
+                        deployment_results["summary"]["successful_deployments"] += 1
                     else:
-                        deployment_results['summary']['failed_deployments'] += 1
-                    
+                        deployment_results["summary"]["failed_deployments"] += 1
+
                     progress.update(deploy_task, advance=1)
-                    
+
                 except Exception as e:
                     print_error(f"Deployment task failed: {str(e)}")
-                    deployment_results['summary']['failed_deployments'] += 1
+                    deployment_results["summary"]["failed_deployments"] += 1
                     progress.update(deploy_task, advance=1)
-        
+
         return deployment_results
 
     async def _staged_rollout_deployment(
-        self,
-        controls_to_deploy: List[SecurityControl],
-        target_accounts: List[str],
-        deployment_results: Dict[str, Any]
+        self, controls_to_deploy: List[SecurityControl], target_accounts: List[str], deployment_results: Dict[str, Any]
     ) -> Dict[str, Any]:
         """Deploy controls in stages with validation gates."""
-        
+
         print_info("Executing staged rollout deployment strategy")
-        
+
         # Divide accounts into stages based on business criticality
         stage_accounts = self._create_deployment_stages(target_accounts)
-        
+
         for stage_num, accounts in enumerate(stage_accounts, 1):
             print_info(f"Deploying to Stage {stage_num}: {len(accounts)} accounts")
-            
+
             # Deploy to current stage
-            stage_results = await self._deploy_to_account_group(
-                controls_to_deploy, accounts, f"Stage-{stage_num}"
-            )
-            
+            stage_results = await self._deploy_to_account_group(controls_to_deploy, accounts, f"Stage-{stage_num}")
+
             # Merge results
             for control_id, control_results in stage_results.items():
-                if control_id not in deployment_results['control_results']:
-                    deployment_results['control_results'][control_id] = {}
-                deployment_results['control_results'][control_id].update(control_results)
-            
+                if control_id not in deployment_results["control_results"]:
+                    deployment_results["control_results"][control_id] = {}
+                deployment_results["control_results"][control_id].update(control_results)
+
             # Validation gate - check success rate before proceeding
             stage_success_rate = self._calculate_stage_success_rate(stage_results)
-            
+
             if stage_success_rate < 0.8:  # 80% success threshold
                 print_warning(f"Stage {stage_num} success rate ({stage_success_rate:.1%}) below threshold")
-                
+
                 # Pause for investigation (in production, would require approval to continue)
                 if not self.dry_run:
                     print_warning("Pausing deployment for investigation")
                     break
-            
+
             print_success(f"Stage {stage_num} completed with {stage_success_rate:.1%} success rate")
-        
+
         return deployment_results
 
     def _create_deployment_stages(self, target_accounts: List[str]) -> List[List[str]]:
         """Create deployment stages based on account characteristics."""
-        
+
         # Group accounts by criticality and environment
         stages = {
             1: [],  # Sandbox/Development accounts first
             2: [],  # Testing/Staging accounts
-            3: []   # Production accounts last
+            3: [],  # Production accounts last
         }
-        
+
         for account_id in target_accounts:
             profile = self.account_profiles.get(account_id)
-            
+
             if not profile:
                 stages[2].append(account_id)  # Default to middle stage
                 continue
-            
-            if profile.environment_type in ['sandbox', 'development']:
+
+            if profile.environment_type in ["sandbox", "development"]:
                 stages[1].append(account_id)
-            elif profile.environment_type in ['testing', 'staging']:
+            elif profile.environment_type in ["testing", "staging"]:
                 stages[2].append(account_id)
             else:  # production or unknown
                 stages[3].append(account_id)
-        
+
         # Return non-empty stages
         return [accounts for accounts in stages.values() if accounts]
 
     async def _deploy_to_account_group(
-        self,
-        controls_to_deploy: List[SecurityControl],
-        account_group: List[str],
-        group_name: str
+        self, controls_to_deploy: List[SecurityControl], account_group: List[str], group_name: str
     ) -> Dict[str, Dict[str, Any]]:
         """Deploy controls to a group of accounts."""
-        
+
         group_results = {}
-        
+
         with create_progress_bar() as progress:
             task = progress.add_task(
-                f"[cyan]Deploying to {group_name}...", 
-                total=len(controls_to_deploy) * len(account_group)
+                f"[cyan]Deploying to {group_name}...", total=len(controls_to_deploy) * len(account_group)
             )
-            
+
             for control in controls_to_deploy:
                 control_results = {}
-                
+
                 # Deploy control to all accounts in group
                 deployment_tasks = [
-                    self._deploy_control_to_account(control, account_id)
-                    for account_id in account_group
+                    self._deploy_control_to_account(control, account_id) for account_id in account_group
                 ]
-                
+
                 # Wait for all deployments to complete
                 results = await asyncio.gather(*deployment_tasks, return_exceptions=True)
-                
+
                 # Process results
                 for account_id, result in zip(account_group, results):
                     if isinstance(result, Exception):
-                        control_results[account_id] = {
-                            'success': False,
-                            'error': str(result),
-                            'deployment_time': 0
-                        }
+                        control_results[account_id] = {"success": False, "error": str(result), "deployment_time": 0}
                     else:
                         control_results[account_id] = result
-                    
+
                     progress.update(task, advance=1)
-                
+
                 group_results[control.control_id] = control_results
-        
+
         return group_results
 
     def _calculate_stage_success_rate(self, stage_results: Dict[str, Dict[str, Any]]) -> float:
         """Calculate success rate for a deployment stage."""
-        
+
         total_deployments = 0
         successful_deployments = 0
-        
+
         for control_results in stage_results.values():
             for account_result in control_results.values():
                 total_deployments += 1
-                if account_result.get('success', False):
+                if account_result.get("success", False):
                     successful_deployments += 1
-        
+
         if total_deployments == 0:
             return 0.0
-        
+
         return successful_deployments / total_deployments
 
     async def _pilot_first_deployment(
-        self,
-        controls_to_deploy: List[SecurityControl],
-        target_accounts: List[str],
-        deployment_results: Dict[str, Any]
+        self, controls_to_deploy: List[SecurityControl], target_accounts: List[str], deployment_results: Dict[str, Any]
     ) -> Dict[str, Any]:
         """Deploy to pilot accounts first, then full rollout."""
-        
+
         print_info("Executing pilot-first deployment strategy")
-        
+
         # Select pilot accounts (typically 10% of total, minimum 1, maximum 5)
         pilot_count = max(1, min(5, len(target_accounts) // 10))
         pilot_accounts = target_accounts[:pilot_count]
         remaining_accounts = target_accounts[pilot_count:]
-        
+
         # Pilot deployment
         print_info(f"Pilot deployment to {len(pilot_accounts)} accounts")
-        pilot_results = await self._deploy_to_account_group(
-            controls_to_deploy, pilot_accounts, "Pilot"
-        )
-        
+        pilot_results = await self._deploy_to_account_group(controls_to_deploy, pilot_accounts, "Pilot")
+
         # Check pilot success
         pilot_success_rate = self._calculate_stage_success_rate(pilot_results)
         print_info(f"Pilot deployment success rate: {pilot_success_rate:.1%}")
-        
+
         # Merge pilot results
         for control_id, control_results in pilot_results.items():
-            deployment_results['control_results'][control_id] = control_results
-        
+            deployment_results["control_results"][control_id] = control_results
+
         # Full deployment if pilot successful
         if pilot_success_rate >= 0.9:  # 90% success required for full rollout
             print_info(f"Pilot successful, proceeding with full deployment to {len(remaining_accounts)} accounts")
-            
-            full_results = await self._deploy_to_account_group(
-                controls_to_deploy, remaining_accounts, "Full Rollout"
-            )
-            
+
+            full_results = await self._deploy_to_account_group(controls_to_deploy, remaining_accounts, "Full Rollout")
+
             # Merge full deployment results
             for control_id, control_results in full_results.items():
-                if control_id not in deployment_results['control_results']:
-                    deployment_results['control_results'][control_id] = {}
-                deployment_results['control_results'][control_id].update(control_results)
+                if control_id not in deployment_results["control_results"]:
+                    deployment_results["control_results"][control_id] = {}
+                deployment_results["control_results"][control_id].update(control_results)
         else:
             print_warning("Pilot deployment failed, stopping full rollout")
-        
+
         return deployment_results
 
     async def _critical_first_deployment(
-        self,
-        controls_to_deploy: List[SecurityControl],
-        target_accounts: List[str],
-        deployment_results: Dict[str, Any]
+        self, controls_to_deploy: List[SecurityControl], target_accounts: List[str], deployment_results: Dict[str, Any]
     ) -> Dict[str, Any]:
         """Deploy to critical accounts first."""
-        
+
         print_info("Executing critical-first deployment strategy")
-        
+
         # Group accounts by criticality
         critical_accounts = []
         other_accounts = []
-        
+
         for account_id in target_accounts:
             profile = self.account_profiles.get(account_id)
-            
-            if profile and profile.business_criticality == 'critical':
+
+            if profile and profile.business_criticality == "critical":
                 critical_accounts.append(account_id)
             else:
                 other_accounts.append(account_id)
-        
+
         # Deploy to critical accounts first
         if critical_accounts:
             print_info(f"Deploying to {len(critical_accounts)} critical accounts")
             critical_results = await self._deploy_to_account_group(
                 controls_to_deploy, critical_accounts, "Critical Accounts"
             )
-            
+
             # Merge critical results
             for control_id, control_results in critical_results.items():
-                deployment_results['control_results'][control_id] = control_results
-        
+                deployment_results["control_results"][control_id] = control_results
+
         # Deploy to other accounts
         if other_accounts:
             print_info(f"Deploying to {len(other_accounts)} other accounts")
-            other_results = await self._deploy_to_account_group(
-                controls_to_deploy, other_accounts, "Other Accounts"
-            )
-            
+            other_results = await self._deploy_to_account_group(controls_to_deploy, other_accounts, "Other Accounts")
+
             # Merge other results
             for control_id, control_results in other_results.items():
-                if control_id not in deployment_results['control_results']:
-                    deployment_results['control_results'][control_id] = {}
-                deployment_results['control_results'][control_id].update(control_results)
-        
+                if control_id not in deployment_results["control_results"]:
+                    deployment_results["control_results"][control_id] = {}
+                deployment_results["control_results"][control_id].update(control_results)
+
         return deployment_results
 
-    async def _deploy_control_to_account(
-        self, 
-        control: SecurityControl, 
-        account_id: str
-    ) -> Dict[str, Any]:
+    async def _deploy_control_to_account(self, control: SecurityControl, account_id: str) -> Dict[str, Any]:
         """Deploy a single security control to a specific account."""
-        
+
         start_time = time.time()
-        
+
         try:
             # Get account session
             account_session = self._assume_cross_account_role(account_id)
             if not account_session:
                 account_session = self.session
-            
+
             # Check if control is already deployed
-            if control.control_id in self.account_profiles.get(account_id, {}).get('deployed_controls', []):
+            if control.control_id in self.account_profiles.get(account_id, {}).get("deployed_controls", []):
                 return {
-                    'success': True,
-                    'message': 'Control already deployed',
-                    'deployment_time': time.time() - start_time,
-                    'skipped': True
+                    "success": True,
+                    "message": "Control already deployed",
+                    "deployment_time": time.time() - start_time,
+                    "skipped": True,
                 }
-            
+
             # Check if approval is required
             if control.requires_approval and not self.dry_run:
                 return {
-                    'success': False,
-                    'message': 'Approval required for this control',
-                    'deployment_time': time.time() - start_time,
-                    'approval_required': True
+                    "success": False,
+                    "message": "Approval required for this control",
+                    "deployment_time": time.time() - start_time,
+                    "approval_required": True,
                 }
-            
+
             # Execute deployment based on control type
-            deployment_result = await self._execute_control_deployment(
-                control, account_session, account_id
-            )
-            
-            deployment_result['deployment_time'] = time.time() - start_time
-            
+            deployment_result = await self._execute_control_deployment(control, account_session, account_id)
+
+            deployment_result["deployment_time"] = time.time() - start_time
+
             # Update control status
-            if deployment_result['success']:
+            if deployment_result["success"]:
                 control.deployed_accounts.append(account_id)
                 control.deployment_status = ControlStatus.DEPLOYED
             else:
                 control.failed_accounts.append(account_id)
-                
+
         except Exception as e:
-            deployment_result = {
-                'success': False,
-                'error': str(e),
-                'deployment_time': time.time() - start_time
-            }
-        
+            deployment_result = {"success": False, "error": str(e), "deployment_time": time.time() - start_time}
+
         return deployment_result
 
     async def _execute_control_deployment(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Execute the actual deployment of a security control."""
-        
+
         if self.dry_run:
             # Simulate deployment in dry run mode
             await asyncio.sleep(0.1)  # Simulate deployment time
-            return {
-                'success': True,
-                'message': f'DRY RUN: Would deploy {control.control_name}',
-                'dry_run': True
-            }
-        
+            return {"success": True, "message": f"DRY RUN: Would deploy {control.control_name}", "dry_run": True}
+
         try:
             if control.control_type == SecurityControlType.IAM_BASELINE:
                 return await self._deploy_iam_control(control, session, account_id)
@@ -1261,487 +1153,367 @@ class MultiAccountSecurityController:
             elif control.control_type == SecurityControlType.COMPLIANCE_MONITORING:
                 return await self._deploy_compliance_control(control, session, account_id)
             else:
-                return {
-                    'success': False,
-                    'message': f'Unsupported control type: {control.control_type.value}'
-                }
-                
+                return {"success": False, "message": f"Unsupported control type: {control.control_type.value}"}
+
         except Exception as e:
-            return {
-                'success': False,
-                'error': str(e),
-                'message': f'Failed to deploy {control.control_name}'
-            }
+            return {"success": False, "error": str(e), "message": f"Failed to deploy {control.control_name}"}
 
     async def _deploy_iam_control(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Deploy IAM-related security control."""
-        
-        iam = session.client('iam')
-        
-        if control.control_id == 'IAM-001':  # Password Policy
+
+        iam = session.client("iam")
+
+        if control.control_id == "IAM-001":  # Password Policy
             template = control.deployment_template
-            
+
             try:
                 iam.update_account_password_policy(
-                    MinimumPasswordLength=template['MinimumPasswordLength'],
-                    RequireUppercaseCharacters=template['RequireUppercaseCharacters'],
-                    RequireLowercaseCharacters=template['RequireLowercaseCharacters'],
-                    RequireNumbers=template['RequireNumbers'],
-                    RequireSymbols=template['RequireSymbols'],
-                    MaxPasswordAge=template['MaxPasswordAge'],
-                    PasswordReusePrevention=template['PasswordReusePrevention'],
-                    HardExpiry=template['HardExpiry']
+                    MinimumPasswordLength=template["MinimumPasswordLength"],
+                    RequireUppercaseCharacters=template["RequireUppercaseCharacters"],
+                    RequireLowercaseCharacters=template["RequireLowercaseCharacters"],
+                    RequireNumbers=template["RequireNumbers"],
+                    RequireSymbols=template["RequireSymbols"],
+                    MaxPasswordAge=template["MaxPasswordAge"],
+                    PasswordReusePrevention=template["PasswordReusePrevention"],
+                    HardExpiry=template["HardExpiry"],
                 )
-                
+
                 return {
-                    'success': True,
-                    'message': 'IAM password policy successfully applied',
-                    'policy_applied': template
+                    "success": True,
+                    "message": "IAM password policy successfully applied",
+                    "policy_applied": template,
                 }
-                
+
             except ClientError as e:
-                return {
-                    'success': False,
-                    'error': str(e),
-                    'message': 'Failed to apply IAM password policy'
-                }
-        
-        elif control.control_id == 'IAM-002':  # Root MFA
+                return {"success": False, "error": str(e), "message": "Failed to apply IAM password policy"}
+
+        elif control.control_id == "IAM-002":  # Root MFA
             # This would check and potentially remediate root MFA
             # For safety, this returns success without making changes
             return {
-                'success': True,
-                'message': 'Root MFA check completed (manual verification required)',
-                'manual_verification_required': True
+                "success": True,
+                "message": "Root MFA check completed (manual verification required)",
+                "manual_verification_required": True,
             }
-        
-        return {
-            'success': False,
-            'message': f'Unknown IAM control: {control.control_id}'
-        }
+
+        return {"success": False, "message": f"Unknown IAM control: {control.control_id}"}
 
     async def _deploy_encryption_control(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Deploy encryption-related security control."""
-        
-        if control.control_id == 'ENC-001':  # S3 Bucket Encryption
-            s3 = session.client('s3')
-            
+
+        if control.control_id == "ENC-001":  # S3 Bucket Encryption
+            s3 = session.client("s3")
+
             try:
                 # Get list of buckets
-                buckets = s3.list_buckets()['Buckets']
-                
+                buckets = s3.list_buckets()["Buckets"]
+
                 applied_count = 0
                 failed_buckets = []
-                
+
                 for bucket in buckets[:10]:  # Limit for demo
-                    bucket_name = bucket['Name']
-                    
+                    bucket_name = bucket["Name"]
+
                     try:
                         # Apply default encryption
                         s3.put_bucket_encryption(
                             Bucket=bucket_name,
                             ServerSideEncryptionConfiguration={
-                                'Rules': [
+                                "Rules": [
                                     {
-                                        'ApplyServerSideEncryptionByDefault': {
-                                            'SSEAlgorithm': control.deployment_template['encryption_algorithm']
+                                        "ApplyServerSideEncryptionByDefault": {
+                                            "SSEAlgorithm": control.deployment_template["encryption_algorithm"]
                                         }
                                     }
                                 ]
-                            }
+                            },
                         )
                         applied_count += 1
-                        
+
                     except ClientError as e:
-                        failed_buckets.append({
-                            'bucket': bucket_name,
-                            'error': str(e)
-                        })
-                
+                        failed_buckets.append({"bucket": bucket_name, "error": str(e)})
+
                 return {
-                    'success': len(failed_buckets) == 0,
-                    'message': f'Applied encryption to {applied_count} buckets',
-                    'applied_count': applied_count,
-                    'failed_buckets': failed_buckets
+                    "success": len(failed_buckets) == 0,
+                    "message": f"Applied encryption to {applied_count} buckets",
+                    "applied_count": applied_count,
+                    "failed_buckets": failed_buckets,
                 }
-                
+
             except ClientError as e:
-                return {
-                    'success': False,
-                    'error': str(e),
-                    'message': 'Failed to apply S3 bucket encryption'
-                }
-        
-        elif control.control_id == 'ENC-002':  # EBS Encryption
-            ec2 = session.client('ec2')
-            
+                return {"success": False, "error": str(e), "message": "Failed to apply S3 bucket encryption"}
+
+        elif control.control_id == "ENC-002":  # EBS Encryption
+            ec2 = session.client("ec2")
+
             try:
                 # Enable EBS encryption by default
                 ec2.enable_ebs_encryption_by_default()
-                
-                return {
-                    'success': True,
-                    'message': 'EBS encryption by default enabled'
-                }
-                
+
+                return {"success": True, "message": "EBS encryption by default enabled"}
+
             except ClientError as e:
-                return {
-                    'success': False,
-                    'error': str(e),
-                    'message': 'Failed to enable EBS encryption by default'
-                }
-        
-        return {
-            'success': False,
-            'message': f'Unknown encryption control: {control.control_id}'
-        }
+                return {"success": False, "error": str(e), "message": "Failed to enable EBS encryption by default"}
+
+        return {"success": False, "message": f"Unknown encryption control: {control.control_id}"}
 
     async def _deploy_network_control(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Deploy network security control."""
-        
-        if control.control_id == 'NET-001':  # VPC Flow Logs
-            ec2 = session.client('ec2')
-            logs = session.client('logs')
-            
+
+        if control.control_id == "NET-001":  # VPC Flow Logs
+            ec2 = session.client("ec2")
+            logs = session.client("logs")
+
             try:
                 # Get VPCs without flow logs
-                vpcs = ec2.describe_vpcs()['Vpcs']
-                flow_logs = ec2.describe_flow_logs()['FlowLogs']
-                
-                vpc_with_flow_logs = {
-                    fl['ResourceId'] for fl in flow_logs 
-                    if fl['ResourceType'] == 'VPC'
-                }
-                
-                vpcs_needing_flow_logs = [
-                    vpc['VpcId'] for vpc in vpcs 
-                    if vpc['VpcId'] not in vpc_with_flow_logs
-                ]
-                
+                vpcs = ec2.describe_vpcs()["Vpcs"]
+                flow_logs = ec2.describe_flow_logs()["FlowLogs"]
+
+                vpc_with_flow_logs = {fl["ResourceId"] for fl in flow_logs if fl["ResourceType"] == "VPC"}
+
+                vpcs_needing_flow_logs = [vpc["VpcId"] for vpc in vpcs if vpc["VpcId"] not in vpc_with_flow_logs]
+
                 enabled_count = 0
                 failed_vpcs = []
-                
+
                 for vpc_id in vpcs_needing_flow_logs:
                     try:
                         # Create log group
-                        log_group_name = f'/aws/vpc/flowlogs/{vpc_id}'
-                        
+                        log_group_name = f"/aws/vpc/flowlogs/{vpc_id}"
+
                         try:
                             logs.create_log_group(logGroupName=log_group_name)
                         except logs.exceptions.ResourceAlreadyExistsException:
                             pass  # Log group already exists
-                        
+
                         # Create flow log
                         ec2.create_flow_logs(
                             ResourceIds=[vpc_id],
-                            ResourceType='VPC',
-                            TrafficType='ALL',
-                            LogDestinationType='cloud-watch-logs',
-                            LogGroupName=log_group_name
+                            ResourceType="VPC",
+                            TrafficType="ALL",
+                            LogDestinationType="cloud-watch-logs",
+                            LogGroupName=log_group_name,
                         )
-                        
+
                         enabled_count += 1
-                        
+
                     except ClientError as e:
-                        failed_vpcs.append({
-                            'vpc_id': vpc_id,
-                            'error': str(e)
-                        })
-                
+                        failed_vpcs.append({"vpc_id": vpc_id, "error": str(e)})
+
                 return {
-                    'success': len(failed_vpcs) == 0,
-                    'message': f'Enabled flow logs for {enabled_count} VPCs',
-                    'enabled_count': enabled_count,
-                    'failed_vpcs': failed_vpcs
+                    "success": len(failed_vpcs) == 0,
+                    "message": f"Enabled flow logs for {enabled_count} VPCs",
+                    "enabled_count": enabled_count,
+                    "failed_vpcs": failed_vpcs,
                 }
-                
+
             except ClientError as e:
-                return {
-                    'success': False,
-                    'error': str(e),
-                    'message': 'Failed to deploy VPC flow logs'
-                }
-        
-        return {
-            'success': False,
-            'message': f'Unknown network control: {control.control_id}'
-        }
+                return {"success": False, "error": str(e), "message": "Failed to deploy VPC flow logs"}
+
+        return {"success": False, "message": f"Unknown network control: {control.control_id}"}
 
     async def _deploy_audit_control(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Deploy audit logging control."""
-        
-        if control.control_id == 'AUD-001':  # CloudTrail
+
+        if control.control_id == "AUD-001":  # CloudTrail
             # CloudTrail deployment would be complex and organization-wide
             # For safety, return success without making changes
             return {
-                'success': True,
-                'message': 'CloudTrail audit logging verified (organization-wide configuration)',
-                'organization_wide': True
+                "success": True,
+                "message": "CloudTrail audit logging verified (organization-wide configuration)",
+                "organization_wide": True,
             }
-        
-        return {
-            'success': False,
-            'message': f'Unknown audit control: {control.control_id}'
-        }
+
+        return {"success": False, "message": f"Unknown audit control: {control.control_id}"}
 
     async def _deploy_compliance_control(
-        self,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Deploy compliance monitoring control."""
-        
-        if control.control_id == 'CMP-001':  # AWS Config
-            config = session.client('config')
-            
+
+        if control.control_id == "CMP-001":  # AWS Config
+            config = session.client("config")
+
             try:
                 # Check if Config is already set up
                 try:
-                    recorders = config.describe_configuration_recorders()['ConfigurationRecorders']
+                    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
                     if recorders:
-                        return {
-                            'success': True,
-                            'message': 'AWS Config already configured',
-                            'already_configured': True
-                        }
+                        return {"success": True, "message": "AWS Config already configured", "already_configured": True}
                 except ClientError:
                     pass
-                
+
                 # Set up Config (simplified version)
                 config.put_configuration_recorder(
                     ConfigurationRecorder={
-                        'name': 'default',
-                        'roleARN': f'arn:aws:iam::{account_id}:role/aws-config-role',
-                        'recordingGroup': {
-                            'allSupported': True,
-                            'includeGlobalResourceTypes': True
-                        }
+                        "name": "default",
+                        "roleARN": f"arn:aws:iam::{account_id}:role/aws-config-role",
+                        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
                     }
                 )
-                
-                return {
-                    'success': True,
-                    'message': 'AWS Config configuration recorder created'
-                }
-                
+
+                return {"success": True, "message": "AWS Config configuration recorder created"}
+
             except ClientError as e:
-                return {
-                    'success': False,
-                    'error': str(e),
-                    'message': 'Failed to set up AWS Config'
-                }
-        
-        return {
-            'success': False,
-            'message': f'Unknown compliance control: {control.control_id}'
-        }
+                return {"success": False, "error": str(e), "message": "Failed to set up AWS Config"}
+
+        return {"success": False, "message": f"Unknown compliance control: {control.control_id}"}
 
     async def _validate_control_deployments(
-        self,
-        deployment_results: Dict[str, Any],
-        target_accounts: List[str]
+        self, deployment_results: Dict[str, Any], target_accounts: List[str]
     ) -> Dict[str, Any]:
         """Validate that deployed controls are working correctly."""
-        
+
         print_info("Validating control deployments...")
-        
+
         validation_results = {
-            'total_validations': 0,
-            'successful_validations': 0,
-            'failed_validations': 0,
-            'validation_details': {}
+            "total_validations": 0,
+            "successful_validations": 0,
+            "failed_validations": 0,
+            "validation_details": {},
         }
-        
+
         # For each successfully deployed control, run validation checks
-        for control_id, account_results in deployment_results.get('control_results', {}).items():
-            
+        for control_id, account_results in deployment_results.get("control_results", {}).items():
             # Find the control definition
             control = next((c for c in self.security_controls if c.control_id == control_id), None)
             if not control:
                 continue
-            
-            validation_results['validation_details'][control_id] = {}
-            
+
+            validation_results["validation_details"][control_id] = {}
+
             for account_id, deployment_result in account_results.items():
-                if deployment_result.get('success', False):
-                    
+                if deployment_result.get("success", False):
                     # Run validation checks for this control-account combination
-                    validation_result = await self._validate_control_in_account(
-                        control, account_id
-                    )
-                    
-                    validation_results['validation_details'][control_id][account_id] = validation_result
-                    validation_results['total_validations'] += 1
-                    
-                    if validation_result.get('valid', False):
-                        validation_results['successful_validations'] += 1
+                    validation_result = await self._validate_control_in_account(control, account_id)
+
+                    validation_results["validation_details"][control_id][account_id] = validation_result
+                    validation_results["total_validations"] += 1
+
+                    if validation_result.get("valid", False):
+                        validation_results["successful_validations"] += 1
                     else:
-                        validation_results['failed_validations'] += 1
-        
+                        validation_results["failed_validations"] += 1
+
         success_rate = (
-            validation_results['successful_validations'] / 
-            max(1, validation_results['total_validations'])
+            validation_results["successful_validations"] / max(1, validation_results["total_validations"])
         ) * 100
-        
+
         print_info(f"Validation completed: {success_rate:.1f}% success rate")
-        
+
         return validation_results
 
-    async def _validate_control_in_account(
-        self,
-        control: SecurityControl,
-        account_id: str
-    ) -> Dict[str, Any]:
+    async def _validate_control_in_account(self, control: SecurityControl, account_id: str) -> Dict[str, Any]:
         """Validate a specific control in a specific account."""
-        
+
         try:
             # Get account session for validation
             account_session = self._assume_cross_account_role(account_id)
             if not account_session:
                 account_session = self.session
-            
-            validation_results = {
-                'valid': True,
-                'checks_passed': [],
-                'checks_failed': [],
-                'details': {}
-            }
-            
+
+            validation_results = {"valid": True, "checks_passed": [], "checks_failed": [], "details": {}}
+
             # Run control-specific validation checks
             for check in control.validation_checks:
-                check_result = await self._run_validation_check(
-                    check, control, account_session, account_id
-                )
-                
-                if check_result.get('passed', False):
-                    validation_results['checks_passed'].append(check)
+                check_result = await self._run_validation_check(check, control, account_session, account_id)
+
+                if check_result.get("passed", False):
+                    validation_results["checks_passed"].append(check)
                 else:
-                    validation_results['checks_failed'].append(check)
-                    validation_results['valid'] = False
-                
-                validation_results['details'][check] = check_result
-            
+                    validation_results["checks_failed"].append(check)
+                    validation_results["valid"] = False
+
+                validation_results["details"][check] = check_result
+
             return validation_results
-            
+
         except Exception as e:
-            return {
-                'valid': False,
-                'error': str(e),
-                'checks_passed': [],
-                'checks_failed': control.validation_checks
-            }
+            return {"valid": False, "error": str(e), "checks_passed": [], "checks_failed": control.validation_checks}
 
     async def _run_validation_check(
-        self,
-        check: str,
-        control: SecurityControl,
-        session: boto3.Session,
-        account_id: str
+        self, check: str, control: SecurityControl, session: boto3.Session, account_id: str
     ) -> Dict[str, Any]:
         """Run a specific validation check."""
-        
+
         # Simplified validation checks
-        if check == 'verify_password_policy_applied':
+        if check == "verify_password_policy_applied":
             try:
-                iam = session.client('iam')
+                iam = session.client("iam")
                 policy = iam.get_account_password_policy()
-                
+
                 # Check if policy meets requirements
                 template = control.deployment_template
-                current = policy['PasswordPolicy']
-                
-                meets_requirements = (
-                    current.get('MinimumPasswordLength', 0) >= template['MinimumPasswordLength']
-                )
-                
-                return {
-                    'passed': meets_requirements,
-                    'details': current
-                }
-                
+                current = policy["PasswordPolicy"]
+
+                meets_requirements = current.get("MinimumPasswordLength", 0) >= template["MinimumPasswordLength"]
+
+                return {"passed": meets_requirements, "details": current}
+
             except ClientError:
-                return {'passed': False, 'error': 'No password policy found'}
-        
-        elif check == 'verify_bucket_encryption_enabled':
+                return {"passed": False, "error": "No password policy found"}
+
+        elif check == "verify_bucket_encryption_enabled":
             try:
-                s3 = session.client('s3')
-                buckets = s3.list_buckets()['Buckets']
-                
+                s3 = session.client("s3")
+                buckets = s3.list_buckets()["Buckets"]
+
                 encrypted_buckets = 0
                 total_buckets = min(len(buckets), 10)  # Limit for validation
-                
+
                 for bucket in buckets[:10]:
                     try:
-                        s3.get_bucket_encryption(Bucket=bucket['Name'])
+                        s3.get_bucket_encryption(Bucket=bucket["Name"])
                         encrypted_buckets += 1
                     except ClientError:
                         pass  # Bucket not encrypted
-                
+
                 encryption_rate = encrypted_buckets / max(1, total_buckets)
-                
+
                 return {
-                    'passed': encryption_rate >= 0.8,  # 80% threshold
-                    'encrypted_buckets': encrypted_buckets,
-                    'total_buckets': total_buckets,
-                    'encryption_rate': encryption_rate
+                    "passed": encryption_rate >= 0.8,  # 80% threshold
+                    "encrypted_buckets": encrypted_buckets,
+                    "total_buckets": total_buckets,
+                    "encryption_rate": encryption_rate,
                 }
-                
+
             except ClientError as e:
-                return {'passed': False, 'error': str(e)}
-        
-        elif check == 'verify_flow_logs_enabled':
+                return {"passed": False, "error": str(e)}
+
+        elif check == "verify_flow_logs_enabled":
             try:
-                ec2 = session.client('ec2')
-                
-                vpcs = ec2.describe_vpcs()['Vpcs']
-                flow_logs = ec2.describe_flow_logs()['FlowLogs']
-                
-                vpc_with_flow_logs = {
-                    fl['ResourceId'] for fl in flow_logs 
-                    if fl['ResourceType'] == 'VPC'
-                }
-                
+                ec2 = session.client("ec2")
+
+                vpcs = ec2.describe_vpcs()["Vpcs"]
+                flow_logs = ec2.describe_flow_logs()["FlowLogs"]
+
+                vpc_with_flow_logs = {fl["ResourceId"] for fl in flow_logs if fl["ResourceType"] == "VPC"}
+
                 vpcs_with_logs = len(vpc_with_flow_logs)
                 total_vpcs = len(vpcs)
-                
+
                 coverage_rate = vpcs_with_logs / max(1, total_vpcs)
-                
+
                 return {
-                    'passed': coverage_rate >= 0.8,  # 80% coverage threshold
-                    'vpcs_with_logs': vpcs_with_logs,
-                    'total_vpcs': total_vpcs,
-                    'coverage_rate': coverage_rate
+                    "passed": coverage_rate >= 0.8,  # 80% coverage threshold
+                    "vpcs_with_logs": vpcs_with_logs,
+                    "total_vpcs": total_vpcs,
+                    "coverage_rate": coverage_rate,
                 }
-                
+
             except ClientError as e:
-                return {'passed': False, 'error': str(e)}
-        
+                return {"passed": False, "error": str(e)}
+
         # Default: assume check passed for unknown checks
-        return {
-            'passed': True,
-            'message': f'Validation check {check} not implemented'
-        }
+        return {"passed": True, "message": f"Validation check {check} not implemented"}
 
     async def _generate_deployment_report(
         self,
@@ -1750,69 +1522,70 @@ class MultiAccountSecurityController:
         controls_deployed: List[SecurityControl],
         target_accounts: List[str],
         deployment_results: Dict[str, Any],
-        validation_results: Dict[str, Any]
+        validation_results: Dict[str, Any],
     ) -> MultiAccountSecurityReport:
         """Generate comprehensive deployment report."""
-        
+
         # Calculate overall metrics
         total_deployments = sum(
-            len(account_results) 
-            for account_results in deployment_results.get('control_results', {}).values()
+            len(account_results) for account_results in deployment_results.get("control_results", {}).values()
         )
-        
+
         successful_deployments = sum(
-            1 for account_results in deployment_results.get('control_results', {}).values()
+            1
+            for account_results in deployment_results.get("control_results", {}).values()
             for result in account_results.values()
-            if result.get('success', False)
+            if result.get("success", False)
         )
-        
+
         overall_success_rate = (successful_deployments / max(1, total_deployments)) * 100
-        
+
         # Calculate compliance scores
-        compliance_scores = self._calculate_compliance_scores(
-            controls_deployed, deployment_results, validation_results
-        )
-        
+        compliance_scores = self._calculate_compliance_scores(controls_deployed, deployment_results, validation_results)
+
         # Identify high-priority findings
-        high_priority_findings = self._identify_high_priority_findings(
-            deployment_results, validation_results
-        )
-        
+        high_priority_findings = self._identify_high_priority_findings(deployment_results, validation_results)
+
         # Generate cost analysis
-        cost_analysis = self._calculate_deployment_costs(
-            controls_deployed, target_accounts, deployment_results
-        )
-        
+        cost_analysis = self._calculate_deployment_costs(controls_deployed, target_accounts, deployment_results)
+
         # Generate recommendations
         recommendations = self._generate_deployment_recommendations(
             deployment_results, validation_results, overall_success_rate
         )
-        
+
         # Create executive summary
         executive_summary = {
-            'deployment_success_rate': overall_success_rate,
-            'accounts_secured': len([
-                account_id for account_id in target_accounts
-                if any(
-                    account_results.get(account_id, {}).get('success', False)
-                    for account_results in deployment_results.get('control_results', {}).values()
-                )
-            ]),
-            'controls_deployed_successfully': len([
-                control for control in controls_deployed
-                if any(
-                    result.get('success', False)
-                    for result in deployment_results.get('control_results', {}).get(control.control_id, {}).values()
-                )
-            ]),
-            'validation_success_rate': (
-                validation_results.get('successful_validations', 0) / 
-                max(1, validation_results.get('total_validations', 1))
-            ) * 100,
-            'estimated_risk_reduction': self._calculate_risk_reduction(controls_deployed, successful_deployments),
-            'business_impact': 'Significant improvement in organization security posture'
+            "deployment_success_rate": overall_success_rate,
+            "accounts_secured": len(
+                [
+                    account_id
+                    for account_id in target_accounts
+                    if any(
+                        account_results.get(account_id, {}).get("success", False)
+                        for account_results in deployment_results.get("control_results", {}).values()
+                    )
+                ]
+            ),
+            "controls_deployed_successfully": len(
+                [
+                    control
+                    for control in controls_deployed
+                    if any(
+                        result.get("success", False)
+                        for result in deployment_results.get("control_results", {}).get(control.control_id, {}).values()
+                    )
+                ]
+            ),
+            "validation_success_rate": (
+                validation_results.get("successful_validations", 0)
+                / max(1, validation_results.get("total_validations", 1))
+            )
+            * 100,
+            "estimated_risk_reduction": self._calculate_risk_reduction(controls_deployed, successful_deployments),
+            "business_impact": "Significant improvement in organization security posture",
         }
-        
+
         return MultiAccountSecurityReport(
             report_id=deployment_id,
             timestamp=start_time,
@@ -1823,207 +1596,194 @@ class MultiAccountSecurityController:
             overall_security_score=overall_success_rate,
             compliance_scores=compliance_scores,
             high_priority_findings=high_priority_findings,
-            deployment_summary=deployment_results.get('summary', {}),
+            deployment_summary=deployment_results.get("summary", {}),
             cost_analysis=cost_analysis,
             recommendations=recommendations,
-            executive_summary=executive_summary
+            executive_summary=executive_summary,
         )
 
     def _calculate_compliance_scores(
         self,
         controls_deployed: List[SecurityControl],
         deployment_results: Dict[str, Any],
-        validation_results: Dict[str, Any]
+        validation_results: Dict[str, Any],
     ) -> Dict[str, float]:
         """Calculate compliance scores by framework."""
-        
+
         compliance_scores = {}
-        
+
         # Group controls by compliance framework
         frameworks = set()
         for control in controls_deployed:
             frameworks.update(control.compliance_frameworks)
-        
+
         for framework in frameworks:
             framework_controls = [
-                control for control in controls_deployed
-                if framework in control.compliance_frameworks
+                control for control in controls_deployed if framework in control.compliance_frameworks
             ]
-            
+
             if not framework_controls:
                 continue
-            
+
             # Calculate success rate for this framework
             successful_count = 0
             total_count = 0
-            
+
             for control in framework_controls:
-                control_results = deployment_results.get('control_results', {}).get(control.control_id, {})
-                
+                control_results = deployment_results.get("control_results", {}).get(control.control_id, {})
+
                 for account_result in control_results.values():
                     total_count += 1
-                    if account_result.get('success', False):
+                    if account_result.get("success", False):
                         successful_count += 1
-            
+
             framework_score = (successful_count / max(1, total_count)) * 100
             compliance_scores[framework] = framework_score
-        
+
         return compliance_scores
 
     def _identify_high_priority_findings(
-        self,
-        deployment_results: Dict[str, Any],
-        validation_results: Dict[str, Any]
+        self, deployment_results: Dict[str, Any], validation_results: Dict[str, Any]
     ) -> List[Dict[str, Any]]:
         """Identify high-priority security findings that require attention."""
-        
+
         findings = []
-        
+
         # Failed deployments for critical controls
-        for control_id, account_results in deployment_results.get('control_results', {}).items():
-            
+        for control_id, account_results in deployment_results.get("control_results", {}).items():
             control = next((c for c in self.security_controls if c.control_id == control_id), None)
             if not control:
                 continue
-            
+
             failed_accounts = [
-                account_id for account_id, result in account_results.items()
-                if not result.get('success', False)
+                account_id for account_id, result in account_results.items() if not result.get("success", False)
             ]
-            
+
             if failed_accounts and control.requires_approval:
-                findings.append({
-                    'type': 'deployment_failure',
-                    'severity': 'HIGH',
-                    'control_id': control_id,
-                    'control_name': control.control_name,
-                    'failed_accounts': failed_accounts,
-                    'message': f'{control.control_name} failed to deploy to {len(failed_accounts)} accounts',
-                    'recommendation': f'Review deployment logs and retry deployment for {control.control_name}'
-                })
-        
+                findings.append(
+                    {
+                        "type": "deployment_failure",
+                        "severity": "HIGH",
+                        "control_id": control_id,
+                        "control_name": control.control_name,
+                        "failed_accounts": failed_accounts,
+                        "message": f"{control.control_name} failed to deploy to {len(failed_accounts)} accounts",
+                        "recommendation": f"Review deployment logs and retry deployment for {control.control_name}",
+                    }
+                )
+
         # Failed validations
-        for control_id, account_validations in validation_results.get('validation_details', {}).items():
-            
+        for control_id, account_validations in validation_results.get("validation_details", {}).items():
             control = next((c for c in self.security_controls if c.control_id == control_id), None)
             if not control:
                 continue
-            
+
             failed_validations = [
-                account_id for account_id, validation in account_validations.items()
-                if not validation.get('valid', False)
+                account_id
+                for account_id, validation in account_validations.items()
+                if not validation.get("valid", False)
             ]
-            
+
             if failed_validations:
-                findings.append({
-                    'type': 'validation_failure',
-                    'severity': 'MEDIUM',
-                    'control_id': control_id,
-                    'control_name': control.control_name,
-                    'failed_accounts': failed_validations,
-                    'message': f'{control.control_name} validation failed in {len(failed_validations)} accounts',
-                    'recommendation': f'Investigate and remediate validation failures for {control.control_name}'
-                })
-        
+                findings.append(
+                    {
+                        "type": "validation_failure",
+                        "severity": "MEDIUM",
+                        "control_id": control_id,
+                        "control_name": control.control_name,
+                        "failed_accounts": failed_validations,
+                        "message": f"{control.control_name} validation failed in {len(failed_validations)} accounts",
+                        "recommendation": f"Investigate and remediate validation failures for {control.control_name}",
+                    }
+                )
+
         # Sort by severity
-        severity_order = {'HIGH': 3, 'MEDIUM': 2, 'LOW': 1}
-        findings.sort(key=lambda x: severity_order.get(x['severity'], 0), reverse=True)
-        
+        severity_order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
+        findings.sort(key=lambda x: severity_order.get(x["severity"], 0), reverse=True)
+
         return findings
 
     def _calculate_deployment_costs(
-        self,
-        controls_deployed: List[SecurityControl],
-        target_accounts: List[str],
-        deployment_results: Dict[str, Any]
+        self, controls_deployed: List[SecurityControl], target_accounts: List[str], deployment_results: Dict[str, Any]
     ) -> Dict[str, float]:
         """Calculate costs associated with security control deployment."""
-        
+
         # Simplified cost calculation
         base_cost_per_account = 50.0  # Base monthly cost per account
         cost_per_control = 10.0  # Additional cost per control
-        
+
         successful_deployments = sum(
-            1 for account_results in deployment_results.get('control_results', {}).values()
+            1
+            for account_results in deployment_results.get("control_results", {}).values()
             for result in account_results.values()
-            if result.get('success', False)
+            if result.get("success", False)
         )
-        
+
         monthly_operational_cost = (
-            len(target_accounts) * base_cost_per_account +
-            successful_deployments * cost_per_control
+            len(target_accounts) * base_cost_per_account + successful_deployments * cost_per_control
         )
-        
+
         # One-time deployment cost
-        deployment_hours = sum(
-            control.estimated_deployment_time for control in controls_deployed
-        ) / 60.0  # Convert minutes to hours
-        
+        deployment_hours = (
+            sum(control.estimated_deployment_time for control in controls_deployed) / 60.0
+        )  # Convert minutes to hours
+
         deployment_cost = deployment_hours * 150.0  # $150/hour for security engineering
-        
+
         # Calculate savings from risk reduction
-        risk_reduction_value = self._calculate_risk_reduction_value(
-            controls_deployed, successful_deployments
-        )
-        
+        risk_reduction_value = self._calculate_risk_reduction_value(controls_deployed, successful_deployments)
+
         return {
-            'monthly_operational_cost': monthly_operational_cost,
-            'one_time_deployment_cost': deployment_cost,
-            'annual_risk_reduction_value': risk_reduction_value,
-            'roi_percentage': ((risk_reduction_value - monthly_operational_cost * 12) / 
-                             (monthly_operational_cost * 12)) * 100 if monthly_operational_cost > 0 else 0
+            "monthly_operational_cost": monthly_operational_cost,
+            "one_time_deployment_cost": deployment_cost,
+            "annual_risk_reduction_value": risk_reduction_value,
+            "roi_percentage": ((risk_reduction_value - monthly_operational_cost * 12) / (monthly_operational_cost * 12))
+            * 100
+            if monthly_operational_cost > 0
+            else 0,
         }
 
     def _calculate_risk_reduction_value(
-        self,
-        controls_deployed: List[SecurityControl],
-        successful_deployments: int
+        self, controls_deployed: List[SecurityControl], successful_deployments: int
     ) -> float:
         """Calculate the business value of risk reduction."""
-        
+
         # Base risk reduction value per successful control deployment
         base_value_per_control = 25000.0  # $25K annual value per control
-        
+
         # Multiply by success rate
         total_value = successful_deployments * base_value_per_control
-        
+
         # Apply diminishing returns for multiple controls
         if len(controls_deployed) > 1:
-            total_value *= (1 + 0.1 * (len(controls_deployed) - 1))
-        
+            total_value *= 1 + 0.1 * (len(controls_deployed) - 1)
+
         return total_value
 
-    def _calculate_risk_reduction(
-        self,
-        controls_deployed: List[SecurityControl],
-        successful_deployments: int
-    ) -> str:
+    def _calculate_risk_reduction(self, controls_deployed: List[SecurityControl], successful_deployments: int) -> str:
         """Calculate estimated risk reduction percentage."""
-        
+
         if not controls_deployed:
             return "0%"
-        
+
         # Each successful control deployment reduces risk
         base_reduction = 15.0  # 15% base reduction per control
         total_controls = len(self.security_controls)
         deployed_controls = len(controls_deployed)
-        
+
         success_rate = successful_deployments / max(1, deployed_controls * len(self.account_profiles))
-        
+
         risk_reduction = (deployed_controls / total_controls) * base_reduction * success_rate
-        
+
         return f"{min(95, int(risk_reduction))}%"  # Cap at 95%
 
     def _generate_deployment_recommendations(
-        self,
-        deployment_results: Dict[str, Any],
-        validation_results: Dict[str, Any],
-        overall_success_rate: float
+        self, deployment_results: Dict[str, Any], validation_results: Dict[str, Any], overall_success_rate: float
     ) -> List[str]:
         """Generate actionable recommendations based on deployment results."""
-        
+
         recommendations = []
-        
+
         # Success rate recommendations
         if overall_success_rate < 80:
             recommendations.append(
@@ -2032,55 +1792,56 @@ class MultiAccountSecurityController:
             )
         elif overall_success_rate >= 95:
             recommendations.append(
-                "Excellent deployment success rate! Consider expanding to additional "
-                "security controls or accounts."
+                "Excellent deployment success rate! Consider expanding to additional security controls or accounts."
             )
-        
+
         # Failed control recommendations
         failed_controls = [
-            control_id for control_id, account_results in deployment_results.get('control_results', {}).items()
-            if any(not result.get('success', False) for result in account_results.values())
+            control_id
+            for control_id, account_results in deployment_results.get("control_results", {}).items()
+            if any(not result.get("success", False) for result in account_results.values())
         ]
-        
+
         if failed_controls:
             recommendations.append(
                 f"Review and retry deployment for failed controls: {', '.join(failed_controls[:5])}. "
                 "Check account permissions and cross-account role configuration."
             )
-        
+
         # Validation recommendations
         validation_success_rate = (
-            validation_results.get('successful_validations', 0) / 
-            max(1, validation_results.get('total_validations', 1))
+            validation_results.get("successful_validations", 0) / max(1, validation_results.get("total_validations", 1))
         ) * 100
-        
+
         if validation_success_rate < 90:
             recommendations.append(
                 "Validation success rate is below 90%. Review deployed controls "
                 "and ensure they are functioning correctly."
             )
-        
+
         # Account-specific recommendations
         if len(self.account_profiles) > self.max_concurrent_accounts:
             recommendations.append(
                 f"Organization has more than {self.max_concurrent_accounts} accounts. "
                 "Consider implementing automated deployment pipelines for scale."
             )
-        
+
         # Security improvement recommendations
-        recommendations.extend([
-            "Implement continuous monitoring for deployed security controls",
-            "Set up automated alerting for security control drift or failures",
-            "Schedule regular security control validation and updates",
-            "Consider implementing additional controls for enhanced security posture",
-            "Review and update security control templates based on deployment results"
-        ])
-        
+        recommendations.extend(
+            [
+                "Implement continuous monitoring for deployed security controls",
+                "Set up automated alerting for security control drift or failures",
+                "Schedule regular security control validation and updates",
+                "Consider implementing additional controls for enhanced security posture",
+                "Review and update security control templates based on deployment results",
+            ]
+        )
+
         return recommendations
 
     def _display_deployment_summary(self, report: MultiAccountSecurityReport):
         """Display comprehensive deployment summary."""
-        
+
         # Executive summary panel
         summary_content = (
             f"[bold green]Multi-Account Security Deployment Complete[/bold green]\n\n"
@@ -2092,13 +1853,11 @@ class MultiAccountSecurityController:
             f"[bold]Estimated Risk Reduction:[/bold] {report.executive_summary['estimated_risk_reduction']}\n"
             f"[bold]Annual Value:[/bold] ${report.cost_analysis['annual_risk_reduction_value']:,.0f}"
         )
-        
-        console.print(create_panel(
-            summary_content,
-            title="🔒 Multi-Account Security Deployment Summary",
-            border_style="green"
-        ))
-        
+
+        console.print(
+            create_panel(summary_content, title="🔒 Multi-Account Security Deployment Summary", border_style="green")
+        )
+
         # Compliance scores table
         if report.compliance_scores:
             compliance_table = create_table(
@@ -2106,20 +1865,16 @@ class MultiAccountSecurityController:
                 columns=[
                     {"name": "Framework", "style": "cyan"},
                     {"name": "Score", "style": "green"},
-                    {"name": "Status", "style": "yellow"}
-                ]
+                    {"name": "Status", "style": "yellow"},
+                ],
             )
-            
+
             for framework, score in report.compliance_scores.items():
                 status = "✅ Compliant" if score >= 90 else "⚠️ Needs Attention" if score >= 70 else "❌ Non-Compliant"
-                compliance_table.add_row(
-                    framework.replace('_', ' '),
-                    f"{score:.1f}%",
-                    status
-                )
-            
+                compliance_table.add_row(framework.replace("_", " "), f"{score:.1f}%", status)
+
             console.print(compliance_table)
-        
+
         # High-priority findings
         if report.high_priority_findings:
             findings_table = create_table(
@@ -2128,20 +1883,20 @@ class MultiAccountSecurityController:
                     {"name": "Severity", "style": "red"},
                     {"name": "Control", "style": "cyan"},
                     {"name": "Issue", "style": "yellow"},
-                    {"name": "Affected Accounts", "style": "blue"}
-                ]
+                    {"name": "Affected Accounts", "style": "blue"},
+                ],
             )
-            
+
             for finding in report.high_priority_findings[:10]:  # Show top 10
                 findings_table.add_row(
-                    finding['severity'],
-                    finding.get('control_name', finding.get('control_id', 'Unknown'))[:30],
-                    finding['message'][:50] + "..." if len(finding['message']) > 50 else finding['message'],
-                    str(len(finding.get('failed_accounts', [])))
+                    finding["severity"],
+                    finding.get("control_name", finding.get("control_id", "Unknown"))[:30],
+                    finding["message"][:50] + "..." if len(finding["message"]) > 50 else finding["message"],
+                    str(len(finding.get("failed_accounts", []))),
                 )
-            
+
             console.print(findings_table)
-        
+
         # Cost analysis
         cost_content = (
             f"[bold cyan]Cost Analysis[/bold cyan]\n\n"
@@ -2150,105 +1905,99 @@ class MultiAccountSecurityController:
             f"[yellow]Annual Risk Reduction Value:[/yellow] ${report.cost_analysis['annual_risk_reduction_value']:,.2f}\n"
             f"[magenta]ROI:[/magenta] {report.cost_analysis['roi_percentage']:.1f}%"
         )
-        
-        console.print(create_panel(
-            cost_content,
-            title="💰 Financial Impact Analysis",
-            border_style="blue"
-        ))
+
+        console.print(create_panel(cost_content, title="💰 Financial Impact Analysis", border_style="blue"))
 
     async def _export_deployment_report(self, report: MultiAccountSecurityReport):
         """Export comprehensive deployment report."""
-        
+
         # Export JSON report
         json_report_path = self.output_dir / f"deployment_report_{report.report_id}.json"
-        
+
         report_data = {
-            'report_id': report.report_id,
-            'timestamp': report.timestamp.isoformat(),
-            'summary': {
-                'total_accounts': report.total_accounts,
-                'accounts_assessed': report.accounts_assessed,
-                'controls_deployed': report.controls_deployed,
-                'total_controls': report.total_controls,
-                'overall_security_score': report.overall_security_score
+            "report_id": report.report_id,
+            "timestamp": report.timestamp.isoformat(),
+            "summary": {
+                "total_accounts": report.total_accounts,
+                "accounts_assessed": report.accounts_assessed,
+                "controls_deployed": report.controls_deployed,
+                "total_controls": report.total_controls,
+                "overall_security_score": report.overall_security_score,
             },
-            'compliance_scores': report.compliance_scores,
-            'high_priority_findings': report.high_priority_findings,
-            'deployment_summary': report.deployment_summary,
-            'cost_analysis': report.cost_analysis,
-            'recommendations': report.recommendations,
-            'executive_summary': report.executive_summary
+            "compliance_scores": report.compliance_scores,
+            "high_priority_findings": report.high_priority_findings,
+            "deployment_summary": report.deployment_summary,
+            "cost_analysis": report.cost_analysis,
+            "recommendations": report.recommendations,
+            "executive_summary": report.executive_summary,
         }
-        
-        with open(json_report_path, 'w') as f:
+
+        with open(json_report_path, "w") as f:
             json.dump(report_data, f, indent=2)
-        
+
         print_success(f"Deployment report exported to: {json_report_path}")
 
 
 class MultiAccountDeploymentTracker:
     """Track deployment progress and results across accounts."""
-    
+
     def __init__(self, output_dir: Path):
         self.output_dir = output_dir
         self.tracking_file = output_dir / "deployment_tracking.jsonl"
-        
+
     def log_deployment_event(self, event_data: Dict[str, Any]):
         """Log deployment event to tracking file."""
-        
-        event_record = {
-            'timestamp': datetime.utcnow().isoformat(),
-            **event_data
-        }
-        
-        with open(self.tracking_file, 'a') as f:
-            f.write(json.dumps(event_record) + '\n')
+
+        event_record = {"timestamp": datetime.utcnow().isoformat(), **event_data}
+
+        with open(self.tracking_file, "a") as f:
+            f.write(json.dumps(event_record) + "\n")
 
 
 # CLI integration for multi-account security control deployment
 if __name__ == "__main__":
     import argparse
-    
-    parser = argparse.ArgumentParser(description='Multi-Account Security Controller')
-    parser.add_argument('--profile', default='default', help='AWS profile to use')
-    parser.add_argument('--controls', nargs='+', help='Specific control IDs to deploy')
-    parser.add_argument('--accounts', nargs='+', help='Target account IDs (optional)')
-    parser.add_argument('--strategy', choices=['parallel', 'staged', 'pilot', 'critical'], 
-                       default='staged', help='Deployment strategy')
-    parser.add_argument('--max-accounts', type=int, default=61, help='Max concurrent accounts')
-    parser.add_argument('--dry-run', action='store_true', help='Dry run mode (default: enabled)')
-    parser.add_argument('--execute', action='store_true', help='Execute actual deployments')
-    parser.add_argument('--output-dir', default='./artifacts/multi-account-security', help='Output directory')
-    
+
+    parser = argparse.ArgumentParser(description="Multi-Account Security Controller")
+    parser.add_argument("--profile", default="default", help="AWS profile to use")
+    parser.add_argument("--controls", nargs="+", help="Specific control IDs to deploy")
+    parser.add_argument("--accounts", nargs="+", help="Target account IDs (optional)")
+    parser.add_argument(
+        "--strategy", choices=["parallel", "staged", "pilot", "critical"], default="staged", help="Deployment strategy"
+    )
+    parser.add_argument("--max-accounts", type=int, default=61, help="Max concurrent accounts")
+    parser.add_argument("--dry-run", action="store_true", help="Dry run mode (default: enabled)")
+    parser.add_argument("--execute", action="store_true", help="Execute actual deployments")
+    parser.add_argument("--output-dir", default="./artifacts/multi-account-security", help="Output directory")
+
     args = parser.parse_args()
-    
+
     # Determine deployment strategies
     strategy_mapping = {
-        'parallel': DeploymentStrategy.PARALLEL_ALL,
-        'staged': DeploymentStrategy.STAGED_ROLLOUT,
-        'pilot': DeploymentStrategy.PILOT_FIRST,
-        'critical': DeploymentStrategy.CRITICAL_FIRST
+        "parallel": DeploymentStrategy.PARALLEL_ALL,
+        "staged": DeploymentStrategy.STAGED_ROLLOUT,
+        "pilot": DeploymentStrategy.PILOT_FIRST,
+        "critical": DeploymentStrategy.CRITICAL_FIRST,
     }
-    
+
     async def main():
         controller = MultiAccountSecurityController(
             profile=args.profile,
             output_dir=args.output_dir,
             max_concurrent_accounts=args.max_accounts,
-            dry_run=not args.execute  # Dry run unless --execute is specified
+            dry_run=not args.execute,  # Dry run unless --execute is specified
         )
-        
+
         report = await controller.deploy_security_controls_organization_wide(
             control_ids=args.controls,
             target_accounts=args.accounts,
-            deployment_strategy=strategy_mapping[args.strategy]
+            deployment_strategy=strategy_mapping[args.strategy],
         )
-        
+
         print_success(f"Multi-account deployment completed: {report.report_id}")
         print_info(f"Overall security score: {report.overall_security_score:.1f}%")
         print_info(f"Accounts secured: {report.executive_summary['accounts_secured']}/{report.total_accounts}")
         print_info(f"Annual value: ${report.cost_analysis['annual_risk_reduction_value']:,.0f}")
-    
+
     # Run the async main function
-    asyncio.run(main())
+    asyncio.run(main())