sraverify 0.1.0__py3-none-any.whl

sraverify/services/securitylake/checks/sra_securitylake_02.py

@@ -0,0 +1,133 @@
+"""Check if Security Lake SQS queues are encrypted with CMK."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_02(SecurityLakeCheck):
+    """Check if Security Lake SQS queues are encrypted with CMK."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYLAKE-02"
+        self.check_name = "Security Lake SQS queues encrypted with CMK"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Lake manager SQS Queues within "
+            "delegated admin account is encrypted with a customer managed key from "
+            "AWS KMS. These SQS queues are used by AWS Lambda function for ETL job "
+            "and also by subscribers looking for new logs deposited into the data lake. "
+            "You must use a customer managed KMS key for the encryption as you have "
+            "greater control on the key usage and permission."
+        )
+        self.check_logic = (
+            "Gets all subscribers for Security Lake in the region. "
+            "For each subscriber with an SQS endpoint, checks if the queue is encrypted with a customer managed KMS key. "
+            "The check passes if all SQS queues are encrypted with customer managed keys (not AWS managed keys). "
+            "The check fails if any SQS queue is not encrypted or uses an AWS managed key (alias/aws/*)."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if Security Lake SQS queues are encrypted with CMK in {region}")
+
+            # Get subscribers for the region using the base class method
+            subscribers = self.get_subscribers(region)
+
+            # Find SQS queues
+            sqs_queues = []
+            for subscriber in subscribers:
+                endpoint = subscriber.get("subscriberEndpoint", "")
+                if endpoint and "sqs" in endpoint.lower():
+                    # Convert ARN to queue URL if needed
+                    if endpoint.startswith("arn:aws:sqs:"):
+                        # Extract components from ARN: arn:aws:sqs:region:account:queue-name
+                        arn_parts = endpoint.split(":")
+                        if len(arn_parts) >= 6:
+                            queue_region = arn_parts[3]
+                            account_id = arn_parts[4]
+                            queue_name = arn_parts[5]
+                            queue_url = f"https://sqs.{queue_region}.amazonaws.com/{account_id}/{queue_name}"
+                        else:
+                            continue
+                    else:
+                        queue_url = endpoint
+                        queue_name = queue_url.split("/")[-1]
+
+                    sqs_queues.append((queue_name, queue_url))
+
+            if not subscribers or not sqs_queues:
+                resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:subscriber/none"
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="SQS queues present and encrypted with CMK",
+                        actual_value=f"No SQS queues found in {region}",
+                        remediation=(
+                            "Configure subscribers with SQS queues. In the Security Lake console, "
+                            "navigate to Subscribers and add subscribers with SQS queue endpoints."
+                        )
+                    )
+                )
+                continue
+
+            # Check encryption for each queue
+            unencrypted_queues = []
+            for queue_name, queue_url in sqs_queues:
+                resource_id = f"arn:aws:sqs:{region}:{self.account_id}:{queue_name}"
+
+                # Check encryption using base class method
+                kms_key = self.get_sqs_queue_encryption(region, queue_url)
+
+                if not kms_key or kms_key.startswith("alias/aws/"):
+                    unencrypted_queues.append((queue_name, queue_url))
+
+            if unencrypted_queues:
+                # Use the first unencrypted queue for the resource ID
+                queue_name = unencrypted_queues[0][0]
+                resource_id = f"arn:aws:sqs:{region}:{self.account_id}:{queue_name}"
+
+                logger.debug(f"Found {len(unencrypted_queues)} unencrypted SQS queues in {region}")
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All SQS queues encrypted with CMK",
+                        actual_value=f"The following SQS queues are not encrypted with CMK: {', '.join([name for name, _ in unencrypted_queues])}",
+                        remediation=(
+                            "Configure SQS queue encryption with a customer managed KMS key. In the SQS console, "
+                            "select each queue and under Server-side encryption, choose 'Enable server-side encryption' "
+                            "and select a customer managed KMS key."
+                        )
+                    )
+                )
+            else:
+                # Use the first queue for the resource ID in the PASS case
+                queue_name = sqs_queues[0][0]
+                resource_id = f"arn:aws:sqs:{region}:{self.account_id}:{queue_name}"
+
+                logger.debug(f"All Security Lake SQS queues are encrypted with CMK in {region}")
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All SQS queues encrypted with CMK",
+                        actual_value=f"All Security Lake SQS queues are encrypted with CMK in {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_03.py

@@ -0,0 +1,116 @@
+"""Check if Security Lake SQS DLQ is encrypted with CMK."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_03(SecurityLakeCheck):
+    """Check if Security Lake SQS DLQ is encrypted with CMK."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYLAKE-03"
+        self.check_name = "Security Lake DLQ encrypted with CMK"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Security Lake SQS DLQ is encrypted in this "
+            "region with a customer managed key from AWS KMS. You must use a customer "
+            "managed KMS key for the encryption as you have greater control on the key "
+            "usage and permission."
+        )
+        self.check_logic = (
+            "Gets all subscribers for Security Lake in the region. "
+            "For each subscriber with a DLQ endpoint, checks if the queue is encrypted with a customer managed KMS key. "
+            "The check passes if all DLQ queues are encrypted with customer managed keys (not AWS managed keys). "
+            "The check fails if any DLQ queue is not encrypted or uses an AWS managed key (alias/aws/*)."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if Security Lake SQS DLQ is encrypted with CMK in {region}")
+
+            # Get subscribers for the region using the base class method
+            subscribers = self.get_subscribers(region)
+
+            # Find DLQ queues
+            dlq_queues = []
+            for subscriber in subscribers:
+                endpoint = subscriber.get("subscriberEndpoint", "")
+                if endpoint and "sqs" in endpoint.lower() and "dlq" in endpoint.lower():
+                    queue_url = endpoint
+                    queue_name = queue_url.split("/")[-1]
+                    dlq_queues.append((queue_name, queue_url))
+
+            if not subscribers or not dlq_queues:
+                resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:dlq/none"
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="DLQ queues present and encrypted with CMK",
+                        actual_value=f"No DLQ queues found - Security Lake may not be enabled in {region}",
+                        remediation=(
+                            "Enable Security Lake and configure subscribers with DLQ queues. In the Security Lake console, "
+                            "navigate to Subscribers and add subscribers with DLQ queue endpoints."
+                        )
+                    )
+                )
+                continue
+
+            # Check encryption for each queue
+            unencrypted_dlqs = []
+            for queue_name, queue_url in dlq_queues:
+                # Check encryption using base class method
+                kms_key = self.get_sqs_queue_encryption(region, queue_url)
+
+                if not kms_key or kms_key.startswith("alias/aws/"):
+                    unencrypted_dlqs.append((queue_name, queue_url))
+
+            if unencrypted_dlqs:
+                # Use the first unencrypted queue for the resource ID
+                queue_name = unencrypted_dlqs[0][0]
+                resource_id = f"arn:aws:sqs:{region}:{self.account_id}:{queue_name}"
+
+                logger.debug(f"Found {len(unencrypted_dlqs)} unencrypted DLQ queues in {region}")
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All DLQ queues encrypted with CMK",
+                        actual_value=f"The following DLQ queues are not encrypted with CMK: {', '.join([name for name, _ in unencrypted_dlqs])}",
+                        remediation=(
+                            "Configure DLQ queue encryption with a customer managed KMS key. In the SQS console, "
+                            "select each DLQ queue and under Server-side encryption, choose 'Enable server-side encryption' "
+                            "and select a customer managed KMS key."
+                        )
+                    )
+                )
+            else:
+                # Use the first queue for the resource ID in the PASS case
+                queue_name = dlq_queues[0][0]
+                resource_id = f"arn:aws:sqs:{region}:{self.account_id}:{queue_name}"
+
+                logger.debug(f"All Security Lake DLQ queues are encrypted with CMK in {region}")
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="All DLQ queues encrypted with CMK",
+                        actual_value=f"All Security Lake DLQ queues are encrypted with CMK in {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_04.py

@@ -0,0 +1,72 @@
+"""Check if Security Lake organization configuration is enabled."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_04(SecurityLakeCheck):
+    """Check if Security Lake organization configuration is enabled."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.check_id = "SRA-SECURITYLAKE-04"
+        self.check_name = "Security Lake organization configuration enabled"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake has configuration that "
+            "will automatically enable new organization accounts as member accounts "
+            "from an Amazon Security Lake administrator account."
+        )
+        self.check_logic = (
+            "Gets the organization configuration for Security Lake in the region. "
+            "The check passes if organization configuration exists, indicating that "
+            "Security Lake is configured to automatically enable new organization accounts. "
+            "The check fails if no organization configuration is found."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if Security Lake organization configuration is enabled in {region}")
+            resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:organization-configuration/default"
+
+            # Get organization configuration using the base class method
+            config = self.get_organization_configuration(region)
+
+            if not config:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Organization configuration enabled",
+                        actual_value=f"Security Lake organization configuration is not enabled in {region}",
+                        remediation=(
+                            "Enable Security Lake organization configuration. In the Security Lake console, "
+                            "navigate to Settings > Organization Configuration and enable organization configuration. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake enable-organization-configuration --region {region}"
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value="Organization configuration enabled",
+                        actual_value=f"Security Lake organization configuration is enabled in {region}",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_05.py

@@ -0,0 +1,116 @@
+"""Check if Security Lake organization auto-enable configuration matches AWS defaults."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_05(SecurityLakeCheck):
+    """Check if Security Lake organization auto-enable configuration matches AWS defaults."""
+
+    # AWS default/recommended log sources for new accounts
+    AWS_DEFAULT_LOG_SOURCES = {
+        "CLOUD_TRAIL_MGMT",
+        "LAMBDA_EXECUTION", 
+        "EKS_AUDIT",
+        "ROUTE53",
+        "SH_FINDINGS",
+        "VPC_FLOW"
+    }
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Organization config managed by delegated admin
+        self.check_id = "SRA-SECURITYLAKE-05"
+        self.check_name = "Security Lake organization auto-enable matches AWS defaults"
+        self.severity = "MEDIUM"
+        self.description = (
+            "This check verifies whether Amazon Security Lake organization auto-enable "
+            "configuration matches AWS default/recommended log sources for new accounts "
+            "(CLOUD_TRAIL_MGMT, LAMBDA_EXECUTION, EKS_AUDIT, ROUTE53, SH_FINDINGS, VPC_FLOW). "
+            "S3_DATA and WAF are excluded as they are optional due to high volume."
+        )
+        self.check_logic = (
+            "Gets the organization configuration for Security Lake auto-enable settings. "
+            "The check passes if all AWS default log sources are configured for auto-enable. "
+            "The check fails if any default log sources are missing from auto-enable configuration."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking Security Lake organization auto-enable configuration in {region}")
+            resource_id = f"arn:aws:securitylake:{region}:{self.account_id}:organization-configuration/auto-enable"
+
+            # Get organization configuration using the base class method
+            config = self.get_organization_configuration(region)
+
+            if not config:
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Auto-enable configured with AWS defaults: {', '.join(sorted(self.AWS_DEFAULT_LOG_SOURCES))}",
+                        actual_value=f"No organization configuration found in {region}",
+                        remediation=(
+                            "Configure Security Lake organization auto-enable settings. In the Security Lake console, "
+                            "navigate to Settings > Organization Configuration and enable auto-enable for new accounts "
+                            "with the AWS default log sources."
+                        )
+                    )
+                )
+                continue
+
+            # Extract auto-enable sources from configuration
+            auto_enable_sources = set()
+            auto_enable_config = config.get("autoEnableNewAccount", [])
+            
+            # Find the configuration for this region
+            for region_config in auto_enable_config:
+                if region_config.get("region") == region:
+                    sources = region_config.get("sources", [])
+                    for source in sources:
+                        source_name = source.get("sourceName")
+                        if source_name:
+                            auto_enable_sources.add(source_name)
+                    break
+
+            missing_sources = self.AWS_DEFAULT_LOG_SOURCES - auto_enable_sources
+
+            if missing_sources:
+                actual_configured = ', '.join(sorted(auto_enable_sources)) if auto_enable_sources else "None"
+                self.findings.append(
+                    self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Auto-enable configured with AWS defaults: {', '.join(sorted(self.AWS_DEFAULT_LOG_SOURCES))}",
+                        actual_value=f"Currently configured: {actual_configured}. Missing: {', '.join(sorted(missing_sources))}",
+                        remediation=(
+                            "Update Security Lake organization auto-enable configuration to include missing sources. "
+                            "In the Security Lake console, navigate to Settings > Organization Configuration and "
+                            f"add the missing sources: {', '.join(sorted(missing_sources))}."
+                        )
+                    )
+                )
+            else:
+                self.findings.append(
+                    self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_id,
+                        checked_value=f"Auto-enable configured with AWS defaults: {', '.join(sorted(self.AWS_DEFAULT_LOG_SOURCES))}",
+                        actual_value=f"Currently configured: {', '.join(sorted(auto_enable_sources))}",
+                        remediation="No remediation needed"
+                    )
+                )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_06.py

@@ -0,0 +1,104 @@
+"""Check if Route 53 log source is enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_06(SecurityLakeCheck):
+    """Check if Route 53 log source is enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check from log archive account
+        self.check_id = "SRA-SECURITYLAKE-06"
+        self.check_name = "Security Lake Route 53 log source enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "Route 53 log and event source version 2.0 for all active accounts in the organization. "
+            "Route 53 resolver query logs track DNS queries made by resources within Amazon VPC. "
+            "Security Lake collects resolver query logs directly from Route 53 through an independent "
+            "and duplicated stream of events. This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the Route 53 log source is enabled in Security Lake with version 2.0. "
+            "The check passes if the ROUTE53 log source is configured. "
+            "The check fails if the ROUTE53 log source is not configured."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+        for region in self.regions:
+            logger.debug(f"Checking if Route 53 log source is enabled in {region}")
+
+            # Get all organization accounts to check
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.warning("No organization accounts found")
+                org_accounts = [self.account_id]  # Fall back to current account
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/ROUTE53"
+
+                # Check Route 53 log source configuration (call API once, check both versions)
+                route53_v2_enabled = self.check_log_source_configured(region, "ROUTE53", account_id, "2.0")
+
+                if not route53_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    route53_v1_enabled = self.check_log_source_configured(region, "ROUTE53", account_id, "1.0")
+
+                    if route53_v1_enabled:
+                        actual_value = f"Route 53 log source is configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update Route 53 log source to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the Route 53 source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"ROUTE53\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"Route 53 log source is not configured for account {account_id}"
+                        remediation = (
+                            "Enable Route 53 log source in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable Route 53 logs. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"ROUTE53\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Route 53 log source enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Route 53 log source enabled with version 2.0",
+                            actual_value=f"Route 53 log source is configured in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_07.py

@@ -0,0 +1,108 @@
+"""Check if CloudTrail S3 data events are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_07(SecurityLakeCheck):
+    """Check if CloudTrail S3 data events are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-07"
+        self.check_name = "Security Lake CloudTrail S3 data events enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "CloudTrail data event for S3 log and event source version 2.0 for all active accounts in the organization. "
+            "CloudTrail data events, also known as data plane operations, show "
+            "the resource operations performed on or within resources in your AWS "
+            "account. These operations are often high-volume activities and should "
+            "be enabled as per your requirement. Security Lake pulls data directly "
+            "from S3 through an independent and duplicated stream of events. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the CloudTrail S3 data events log source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the S3_DATA log source version 2.0 is enabled. "
+            "The check fails if the S3_DATA log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if CloudTrail S3 data events are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/S3_DATA"
+
+                # Check CloudTrail S3 data events configuration
+                s3_data_v2_enabled = self.check_log_source_configured(region, "S3_DATA", account_id, "2.0")
+                
+                if not s3_data_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    s3_data_v1_enabled = self.check_log_source_configured(region, "S3_DATA", account_id, "1.0")
+                    
+                    if s3_data_v1_enabled:
+                        actual_value = f"CloudTrail S3 data events are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update CloudTrail S3 data events to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the S3 data events source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"S3_DATA\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"CloudTrail S3 data events are not configured for account {account_id}"
+                        remediation = (
+                            "Enable CloudTrail S3 data events in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable CloudTrail S3 data events. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"S3_DATA\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="CloudTrail S3 data events enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="CloudTrail S3 data events enabled with version 2.0",
+                            actual_value=f"CloudTrail S3 data events are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings