sraverify 0.1.0__py3-none-any.whl

sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py

@@ -0,0 +1,103 @@
+"""
+Check if IAM Access Analyzer delegated admin is the Audit account.
+"""
+from typing import Dict, List, Any
+from sraverify.services.accessanalyzer.base import AccessAnalyzerCheck
+from sraverify.core.logging import logger
+
+
+class SRA_ACCESSANALYZER_03(AccessAnalyzerCheck):
+    """Check if IAM Access Analyzer delegated admin is the Audit account."""
+    
+    def __init__(self):
+        """Initialize IAM Access Analyzer check."""
+        super().__init__()
+        self.check_id = "SRA-ACCESSANALYZER-03"
+        self.check_name = "IAM Access Analyzer Delegated Admin is the Audit Account"
+        self.description = ("This check verifies whether IAA delegated admin account is the "
+                          "audit account of your AWS organization. Audit account is "
+                          "dedicated to operating security services, monitoring AWS accounts, and "
+                          "automating security alerting and response. IAA helps monitor resources "
+                          "shared outside zone of trust.")
+        self.severity = "HIGH"
+        self.account_type = "management"
+        self.check_logic = ("Check if the delegated administrator account matches any of the specified Audit account IDs")
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """Execute the check."""
+        findings = []        
+        
+        delegated_admin = self.get_delegated_admin()
+        
+        if not delegated_admin:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",                    
+                    resource_id=f"organization/{self.account_id}",
+                    actual_value="No delegated administrator configured for IAM Access Analyzer",
+                    remediation="Configure a delegated administrator for IAM Access Analyzer first"
+                )
+            )
+            return findings
+
+        try:
+            # Get the delegated admin account ID
+            delegated_admin_id = delegated_admin.get('Id')
+            
+            # Check if audit_accounts is provided via _audit_accounts (new attribute name)
+            audit_accounts = []
+            if hasattr(self, '_audit_accounts') and self._audit_accounts:
+                audit_accounts = self._audit_accounts
+            # For backward compatibility, also check the old attribute name
+            elif hasattr(self, 'audit_accounts') and self.audit_accounts:
+                audit_accounts = self.audit_accounts
+                
+            if not audit_accounts:
+                findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region="global",                        
+                        resource_id=delegated_admin_id,
+                        actual_value="Audit Account ID not provided",
+                        remediation="Provide the Audit account IDs using --audit-account flag"
+                    )
+                )
+                return findings
+            
+            # Check if delegated admin matches any of the specified Audit accounts
+            if delegated_admin_id in audit_accounts:
+                findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region="global",                        
+                        resource_id=delegated_admin_id,
+                        actual_value=f"IAM Access Analyzer delegated administrator (Account: {delegated_admin_id}) "
+                                   f"matches one of the specified Audit accounts {', '.join(audit_accounts)}",
+                        remediation="No remediation needed"
+                    )
+                )
+            else:
+                findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region="global",                        
+                        resource_id=delegated_admin_id,
+                        actual_value=f"IAM Access Analyzer delegated administrator (Account: {delegated_admin_id}) "
+                                   f"does not match any of the specified Audit accounts ({', '.join(audit_accounts)})",
+                        remediation=f"Update the delegated administrator to be one of the Audit accounts ({', '.join(audit_accounts)})"
+                    )
+                )
+                
+        except Exception as e:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",                    
+                    resource_id=delegated_admin_id if 'delegated_admin_id' in locals() else f"organization/{self.account_id}",
+                    actual_value=f"Error checking delegated administrator: {str(e)}",
+                    remediation="Ensure proper permissions to check Organizations structure"
+                )
+            )
+
+        return findings

sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py

@@ -0,0 +1,139 @@
+"""
+Check if IAM Access Analyzer external access analyzer is configured with Organization zone of trust in every region.
+"""
+from typing import Dict, List, Any
+from sraverify.services.accessanalyzer.base import AccessAnalyzerCheck
+from sraverify.core.logging import logger
+
+
+class SRA_ACCESSANALYZER_04(AccessAnalyzerCheck):
+    """Check if IAM Access Analyzer has an analyzer with Organization zone of trust in every region."""
+    
+    def __init__(self):
+        """Initialize IAM Access Analyzer check."""
+        super().__init__()
+        self.check_id = "SRA-ACCESSANALYZER-04"
+        self.check_name = "IAM Access Analyzer external access analyzer is configured with Organization zone of trust in every region"
+        self.description = ("This check verifies whether IAA external access analyzer is configured with a zone of trust "
+                          "of your AWS organization in every available region. IAM Access Analyzer generates a finding for each instance of a "
+                          "resource-based policy that grants access to a resource within your zone of trust to a "
+                          "principal that is not within your zone of trust. When you configure an organization as the "
+                          "zone of trust for an analyzer- IAA generates findings or each instance of a resource-based "
+                          "policy that grants access to a resource within your AWS organization to a principal that is "
+                          "not within your AWS organization.")
+        self.severity = "HIGH"
+        self.account_type = "audit"
+        self.check_logic = ("Check if an IAM Access Analyzer with Organization zone of trust exists in each region, created by the audit account")
+        self._analyzer_details_cache = {}
+        self._audit_accounts = []
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """Execute the check for each region."""
+        findings = []        
+        # First, verify this check is running from an audit account - silently add to findings without logging warnings
+        if hasattr(self, '_audit_accounts') and self._audit_accounts:
+            if self.account_id not in self._audit_accounts:
+                # Don't log a warning, just add to findings
+                findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region="global",                        
+                        resource_id="accessanalyzer:account-validation",
+                        actual_value=f"Invalid account for IAM Access Analyzer check: Account {self.account_id} is not an audit account",
+                        remediation=f"This check must be run from an audit account ({', '.join(self._audit_accounts)}). Either run this check from one of the designated audit accounts or update your configuration to specify the correct audit account(s) using the --account-type parameter."
+                    )
+                )
+                return findings
+        
+        # If no regions have Access Analyzer available, return a single error
+        if not self._clients:
+            findings.append(
+                self.create_finding(
+                    status="ERROR",
+                    region="global",                    
+                    resource_id=f"accessanalyzer:global",
+                    actual_value="IAM Access Analyzer not available in any specified region",
+                    remediation="Ensure IAM Access Analyzer service is available in at least one region and you have proper permissions"
+                )
+            )
+            return findings
+        
+        # Check if any analyzers exist across all regions
+        total_analyzers = 0
+        for region, client in self._clients.items():
+            analyzers = self.get_analyzers(region)
+            total_analyzers += len(analyzers)
+        
+        # If no analyzers exist at all, return a single global finding
+        if total_analyzers == 0:
+            findings.append(
+                self.create_finding(
+                    status="FAIL",
+                    region="global",                    
+                    resource_id="accessanalyzer:global",
+                    actual_value="No IAM Access Analyzers found in any region",
+                    remediation=(
+                        "Create IAM Access Analyzers with Organization zone of trust in each region using the AWS CLI command: "
+                        "aws accessanalyzer create-analyzer --analyzer-name org-analyzer --type ORGANIZATION --region <region>"
+                    )
+                )
+            )
+            return findings
+        
+        # Track if we found organization analyzers in any region
+        found_org_analyzers = False
+        all_regions_checked = True
+        
+        # Check each region where Access Analyzer is available
+        for region, client in self._clients.items():
+            try:
+                # Get analyzers for this region using the base class method that handles caching
+                analyzers = self.get_analyzers(region)
+                
+                # Look for analyzers with organization zone of trust in this specific region
+                # that are created by this account
+                org_analyzers = [
+                    a for a in analyzers 
+                    if a.get('type') == 'ORGANIZATION' 
+                    and a.get('status') == 'ACTIVE'
+                    and a.get('arn', '').split(':')[4] == self.account_id
+                ]
+                
+                if org_analyzers:
+                    # If we found organization analyzers in this region created by this account, report a PASS
+                    found_org_analyzers = True
+                    analyzer_names = [a.get('name', 'Unknown') for a in org_analyzers]
+                    analyzer_arn = org_analyzers[0].get('arn', f"arn:aws:access-analyzer:{region}:{self.account_id}:analyzer/{region}")
+                    
+                    findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,                            
+                            resource_id=analyzer_arn,
+                            actual_value=f"Found IAM Access Analyzer with Organization zone of trust in {region}: {', '.join(analyzer_names)}",
+                            remediation="No remediation needed"
+                        )
+                    )
+                else:
+                    # If no organization analyzers in this region created by this account
+                    findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,                            
+                            resource_id="No Organization analyzer found in this region",
+                            actual_value=f"No IAM Access Analyzer with Organization zone of trust found in {region}",
+                            remediation=f"Create an IAM Access Analyzer with Organization zone of trust in {region} using the AWS CLI command: aws accessanalyzer create-analyzer --analyzer-name org-analyzer --type ORGANIZATION --region {region}"
+                        )
+                    )
+            except Exception as e:
+                all_regions_checked = False
+                findings.append(
+                    self.create_finding(
+                        status="ERROR",
+                        region=region,                        resource_id="error",
+                        actual_value=f"Error checking IAM Access Analyzer in {region}: {str(e)}",
+                        remediation="Ensure you have proper permissions to list IAM Access Analyzers and that the service is available in this region"
+                    )
+                )
+        
+        return findings

sraverify/services/accessanalyzer/client.py

@@ -0,0 +1,123 @@
+"""
+IAM Access Analyzer client for interacting with AWS IAM Access Analyzer service.
+"""
+from typing import Dict, List, Optional, Any
+import boto3
+from botocore.exceptions import ClientError, EndpointConnectionError
+from sraverify.core.logging import logger
+
+
+class AccessAnalyzerClient:
+    """Client for interacting with AWS IAM Access Analyzer service."""
+    
+    def __init__(self, region: str, session: Optional[boto3.Session] = None):
+        """
+        Initialize IAM Access Analyzer client for a specific region.
+        
+        Args:
+            region: AWS region name
+            session: AWS session to use (if None, a new session will be created)
+        """
+        self.region = region
+        self.session = session or boto3.Session()
+        self.client = self.session.client('accessanalyzer', region_name=region)
+        self.org_client = self.session.client('organizations', region_name=region)
+        logger.debug(f"Initialized AccessAnalyzerClient for region {region}")
+    
+    def is_access_analyzer_available(self) -> bool:
+        """Check if Access Analyzer is available in the region."""
+        try:
+            logger.debug(f"Checking if Access Analyzer is available in {self.region}")
+            self.client.list_analyzers(maxResults=1)
+            logger.debug(f"Access Analyzer is available in {self.region}")
+            return True
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AccessDeniedException':
+                # If we get an access denied, the service exists but we don't have permissions
+                logger.debug(f"Access Analyzer exists in {self.region} but access is denied")
+                return True
+            logger.debug(f"Access Analyzer not available in {self.region}: {error_code}")
+            return False
+        except EndpointConnectionError:
+            # Service not available in this region
+            logger.debug(f"Access Analyzer endpoint not available in {self.region}")
+            return False
+        except Exception as e:
+            # Any other error, assume service is not available
+            logger.debug(f"Error checking Access Analyzer availability in {self.region}: {str(e)}")
+            return False
+    
+    def list_analyzers(self) -> List[Dict[str, Any]]:
+        """
+        List all analyzers in the region.
+        
+        Returns:
+            List of analyzer details
+        """
+        try:
+            analyzers = []
+            paginator = self.client.get_paginator('list_analyzers')
+            
+            logger.debug(f"Listing analyzers in {self.region}")
+            for page in paginator.paginate():
+                analyzers.extend(page.get('analyzers', []))
+            
+            logger.debug(f"Found {len(analyzers)} analyzers in {self.region}")
+            return analyzers
+        except ClientError as e:
+            logger.warning(f"Error listing analyzers in {self.region}: {e}")
+            return []
+        except Exception as e:
+            logger.warning(f"Unexpected error listing analyzers in {self.region}: {e}")
+            return []
+    
+    def get_analyzer_details(self, analyzer_arn: str) -> Dict[str, Any]:
+        """
+        Get details for a specific analyzer.
+        
+        Args:
+            analyzer_arn: ARN of the analyzer
+            
+        Returns:
+            Analyzer details
+        """
+        try:
+            logger.debug(f"Getting details for analyzer {analyzer_arn}")
+            response = self.client.get_analyzer(analyzerArn=analyzer_arn)
+            return response
+        except ClientError as e:
+            logger.warning(f"Error getting analyzer details for {analyzer_arn}: {e}")
+            return {}
+        except Exception as e:
+            logger.warning(f"Unexpected error getting analyzer details for {analyzer_arn}: {e}")
+            return {}
+    
+    def get_delegated_admin(self) -> Dict[str, Any]:
+        """
+        Get the delegated administrator for IAM Access Analyzer.
+        
+        Returns:
+            Dictionary containing delegated administrator details or empty dict if none
+        """
+        try:
+            logger.debug("Getting delegated administrator for IAM Access Analyzer")
+            response = self.org_client.list_delegated_administrators(ServicePrincipal='access-analyzer.amazonaws.com')
+            delegated_admins = response.get('DelegatedAdministrators', [])
+            
+            if delegated_admins:
+                logger.debug(f"Found delegated administrator for IAM Access Analyzer: {delegated_admins[0].get('Id')}")
+                return delegated_admins[0]
+            else:
+                logger.debug("No delegated administrator found for IAM Access Analyzer")
+                return {}
+        except ClientError as e:
+            error_code = e.response.get('Error', {}).get('Code', '')
+            if error_code == 'AWSOrganizationsNotInUseException':
+                logger.debug("AWS Organizations not in use")
+            else:
+                logger.warning(f"Error getting delegated administrator: {e}")
+            return {}
+        except Exception as e:
+            logger.warning(f"Unexpected error getting delegated administrator: {e}")
+            return {}

sraverify/services/account/__init__.py

@@ -0,0 +1,9 @@
+from sraverify.services.account.checks.sra_account_01 import SRA_ACCOUNT_01
+from sraverify.services.account.checks.sra_account_02 import SRA_ACCOUNT_02
+from sraverify.services.account.checks.sra_account_03 import SRA_ACCOUNT_03
+
+CHECKS = {
+    "SRA-ACCOUNT-01": SRA_ACCOUNT_01,
+    "SRA-ACCOUNT-02": SRA_ACCOUNT_02,
+    "SRA-ACCOUNT-03": SRA_ACCOUNT_03,
+}

sraverify/services/account/base.py

@@ -0,0 +1,56 @@
+"""
+Base class for Account security checks.
+"""
+from typing import Dict, Any
+from sraverify.core.check import SecurityCheck
+from sraverify.services.account.client import AccountClient
+from sraverify.core.logging import logger
+
+
+class AccountCheck(SecurityCheck):
+    """Base class for all Account security checks."""
+    
+    # Class-level cache shared across all instances
+    _contact_cache = {}
+    
+    def __init__(self):
+        """Initialize Account base check."""
+        super().__init__(
+            account_type="application",
+            service="Account",
+            resource_type="AWS::Account::AlternateContact"
+        )
+    
+    def _setup_clients(self):
+        """Set up Account clients for each region."""
+        self._clients.clear()
+        if hasattr(self, 'regions') and self.regions:
+            for region in self.regions:
+                self._clients[region] = AccountClient(region, session=self.session)
+    
+    def get_alternate_contact(self, region: str, contact_type: str, account_id: str = None) -> Dict[str, Any]:
+        """
+        Get alternate contact information with caching.
+        
+        Args:
+            region: AWS region name
+            contact_type: Type of contact (BILLING, OPERATIONS, or SECURITY)
+            account_id: Optional account ID
+            
+        Returns:
+            Dictionary containing contact details or empty dict if not available
+        """
+        cache_key = f"{self.account_id}:{region}:{contact_type}"
+        if cache_key in AccountCheck._contact_cache:
+            logger.debug(f"Account: Using cached {contact_type} contact for {region}")
+            return AccountCheck._contact_cache[cache_key]
+        
+        client = self.get_client(region)
+        if not client:
+            logger.warning(f"Account: No Account client available for region {region}")
+            return {}
+        
+        contact_info = client.get_alternate_contact(contact_type, account_id)
+        AccountCheck._contact_cache[cache_key] = contact_info
+        
+        return contact_info

sraverify/services/account/checks/__init__.py

@@ -0,0 +1 @@
+# Account checks module

sraverify/services/account/checks/sra_account_01.py

@@ -0,0 +1,65 @@
+"""
+SRA-ACCOUNT-01: Verify security alternate contact is configured
+"""
+from typing import Dict, List, Any
+from sraverify.services.account.base import AccountCheck
+
+
+class SRA_ACCOUNT_01(AccountCheck):
+    """Check if security alternate contact is configured for the AWS account."""
+    
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-ACCOUNT-01"
+        self.check_name = "Security alternate contact configured"
+        self.description = "Verifies that a security alternate contact is configured for the AWS account"
+        self.severity = "MEDIUM"
+        self.check_logic = "Uses GetAlternateContact API to verify security contact exists and has required fields"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """Execute the security alternate contact check."""
+        account_id = self.account_id
+        
+        # Account-level check only needs to run once, use first region
+        region = self.regions[0] if self.regions else "us-east-1"
+        
+        contact_info = self.get_alternate_contact(region, "SECURITY")
+        
+        if "Error" in contact_info:
+            error_code = contact_info["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="No security alternate contact configured",
+                    remediation="Configure a security alternate contact using AWS Console > Account Settings > Alternate contacts or AWS CLI: aws account put-alternate-contact --alternate-contact-type SECURITY --email-address <email> --name <name> --phone-number <phone> --title <title>"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=contact_info["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Account Management API access"
+                ))
+        else:
+            contact = contact_info.get("AlternateContact", {})
+            if contact and contact.get("EmailAddress") and contact.get("Name"):
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=f"Security contact configured: {contact.get('Name')} ({contact.get('EmailAddress')})",
+                    remediation="No remediation needed"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="Security alternate contact exists but missing required fields",
+                    remediation="Update security alternate contact to include name and email address using AWS Console > Account Settings > Alternate contacts"
+                ))
+        
+        return self.findings

sraverify/services/account/checks/sra_account_02.py

@@ -0,0 +1,63 @@
+"""
+SRA-ACCOUNT-02: Verify billing alternate contact is configured
+"""
+from typing import Dict, List, Any
+from sraverify.services.account.base import AccountCheck
+
+
+class SRA_ACCOUNT_02(AccountCheck):
+    """Check if billing alternate contact is configured for the AWS account."""
+    
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-ACCOUNT-02"
+        self.check_name = "Billing alternate contact configured"
+        self.description = "Verifies that a billing alternate contact is configured for the AWS account"
+        self.severity = "MEDIUM"
+        self.check_logic = "Uses GetAlternateContact API to verify billing contact exists and has required fields"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """Execute the billing alternate contact check."""
+        account_id = self.account_id
+        region = self.regions[0] if self.regions else "us-east-1"
+        
+        contact_info = self.get_alternate_contact(region, "BILLING")
+        
+        if "Error" in contact_info:
+            error_code = contact_info["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="No billing alternate contact configured",
+                    remediation="Configure a billing alternate contact using AWS Console > Account Settings > Alternate contacts or AWS CLI: aws account put-alternate-contact --alternate-contact-type BILLING --email-address <email> --name <name> --phone-number <phone> --title <title>"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=contact_info["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Account Management API access"
+                ))
+        else:
+            contact = contact_info.get("AlternateContact", {})
+            if contact and contact.get("EmailAddress") and contact.get("Name"):
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=f"Billing contact configured: {contact.get('Name')} ({contact.get('EmailAddress')})",
+                    remediation="No remediation needed"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="Billing alternate contact exists but missing required fields",
+                    remediation="Update billing alternate contact to include name and email address using AWS Console > Account Settings > Alternate contacts"
+                ))
+        
+        return self.findings

sraverify/services/account/checks/sra_account_03.py

@@ -0,0 +1,63 @@
+"""
+SRA-ACCOUNT-03: Verify operations alternate contact is configured
+"""
+from typing import Dict, List, Any
+from sraverify.services.account.base import AccountCheck
+
+
+class SRA_ACCOUNT_03(AccountCheck):
+    """Check if operations alternate contact is configured for the AWS account."""
+    
+    def __init__(self):
+        super().__init__()
+        self.check_id = "SRA-ACCOUNT-03"
+        self.check_name = "Operations alternate contact configured"
+        self.description = "Verifies that an operations alternate contact is configured for the AWS account"
+        self.severity = "MEDIUM"
+        self.check_logic = "Uses GetAlternateContact API to verify operations contact exists and has required fields"
+    
+    def execute(self) -> List[Dict[str, Any]]:
+        """Execute the operations alternate contact check."""
+        account_id = self.account_id
+        region = self.regions[0] if self.regions else "us-east-1"
+        
+        contact_info = self.get_alternate_contact(region, "OPERATIONS")
+        
+        if "Error" in contact_info:
+            error_code = contact_info["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="No operations alternate contact configured",
+                    remediation="Configure an operations alternate contact using AWS Console > Account Settings > Alternate contacts or AWS CLI: aws account put-alternate-contact --alternate-contact-type OPERATIONS --email-address <email> --name <name> --phone-number <phone> --title <title>"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=contact_info["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Account Management API access"
+                ))
+        else:
+            contact = contact_info.get("AlternateContact", {})
+            if contact and contact.get("EmailAddress") and contact.get("Name"):
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value=f"Operations contact configured: {contact.get('Name')} ({contact.get('EmailAddress')})",
+                    remediation="No remediation needed"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=f"account-{account_id}",
+                    actual_value="Operations alternate contact exists but missing required fields",
+                    remediation="Update operations alternate contact to include name and email address using AWS Console > Account Settings > Alternate contacts"
+                ))
+        
+        return self.findings