sraverify 0.1.0__py3-none-any.whl

sraverify/services/securitylake/checks/sra_securitylake_08.py

@@ -0,0 +1,107 @@
+"""Check if Security Hub findings are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_08(SecurityLakeCheck):
+    """Check if Security Hub findings are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-08"
+        self.check_name = "Security Lake Security Hub findings enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "SecurityHub findings log and event source version 2.0 for all active accounts in the organization. "
+            "Security Hub findings help you understand your security posture in AWS and let you check your "
+            "environment against security industry standards and best practices. "
+            "Security Lake collects findings directly from Security Hub through "
+            "an independent and duplicated stream of events. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the Security Hub findings log source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the SH_FINDINGS log source version 2.0 is enabled. "
+            "The check fails if the SH_FINDINGS log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if Security Hub findings are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/SH_FINDINGS"
+
+                # Check Security Hub findings configuration
+                sh_findings_v2_enabled = self.check_log_source_configured(region, "SH_FINDINGS", account_id, "2.0")
+                
+                if not sh_findings_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    sh_findings_v1_enabled = self.check_log_source_configured(region, "SH_FINDINGS", account_id, "1.0")
+                    
+                    if sh_findings_v1_enabled:
+                        actual_value = f"Security Hub findings are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update Security Hub findings to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the Security Hub findings source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"SH_FINDINGS\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"Security Hub findings are not configured for account {account_id}"
+                        remediation = (
+                            "Enable Security Hub findings in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable Security Hub findings. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"SH_FINDINGS\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Security Hub findings enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Security Hub findings enabled with version 2.0",
+                            actual_value=f"Security Hub findings are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_09.py

@@ -0,0 +1,107 @@
+"""Check if EKS Audit logs are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_09(SecurityLakeCheck):
+    """Check if EKS Audit logs are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-09"
+        self.check_name = "Security Lake EKS audit logs enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "EKS Audit log and event source version 2.0 for all active accounts in the organization. "
+            "EKS Audit Logs help you detect potentially suspicious activities in your EKS clusters within the "
+            "Amazon Elastic Kubernetes Service. Security Lake consumes EKS Audit "
+            "Log events directly from the Amazon EKS control plane logging feature "
+            "through an independent and duplicative stream of audit logs. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the EKS Audit logs source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the EKS_AUDIT log source version 2.0 is enabled. "
+            "The check fails if the EKS_AUDIT log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if EKS Audit logs are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/EKS_AUDIT"
+
+                # Check EKS Audit logs configuration
+                eks_audit_v2_enabled = self.check_log_source_configured(region, "EKS_AUDIT", account_id, "2.0")
+                
+                if not eks_audit_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    eks_audit_v1_enabled = self.check_log_source_configured(region, "EKS_AUDIT", account_id, "1.0")
+                    
+                    if eks_audit_v1_enabled:
+                        actual_value = f"EKS Audit logs are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update EKS Audit logs to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the EKS Audit logs source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"EKS_AUDIT\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"EKS Audit logs are not configured for account {account_id}"
+                        remediation = (
+                            "Enable EKS Audit logs in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable EKS Audit logs. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"EKS_AUDIT\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="EKS Audit logs enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="EKS Audit logs enabled with version 2.0",
+                            actual_value=f"EKS Audit logs are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_10.py

@@ -0,0 +1,106 @@
+"""Check if Lambda execution logs are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_10(SecurityLakeCheck):
+    """Check if Lambda execution logs are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-10"
+        self.check_name = "Security Lake Lambda execution logs enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "Lambda execution log and event source version 2.0 for all active accounts in the organization. "
+            "These operations are often high-volume activities and should be enabled as per your requirement. "
+            "Security Lake pulls data directly from Lambda through an independent "
+            "and duplicated stream of events. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the Lambda execution logs source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the LAMBDA_EXECUTION log source version 2.0 is enabled. "
+            "The check fails if the LAMBDA_EXECUTION log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if Lambda execution logs are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/LAMBDA_EXECUTION"
+
+                # Check Lambda execution logs configuration
+                lambda_v2_enabled = self.check_log_source_configured(region, "LAMBDA_EXECUTION", account_id, "2.0")
+                
+                if not lambda_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    lambda_v1_enabled = self.check_log_source_configured(region, "LAMBDA_EXECUTION", account_id, "1.0")
+                    
+                    if lambda_v1_enabled:
+                        actual_value = f"Lambda execution logs are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update Lambda execution logs to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the Lambda execution logs source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"LAMBDA_EXECUTION\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"Lambda execution logs are not configured for account {account_id}"
+                        remediation = (
+                            "Enable Lambda execution logs in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable Lambda execution logs. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"LAMBDA_EXECUTION\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Lambda execution logs enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="Lambda execution logs enabled with version 2.0",
+                            actual_value=f"Lambda execution logs are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_11.py

@@ -0,0 +1,109 @@
+"""Check if CloudTrail management logs are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_11(SecurityLakeCheck):
+    """Check if CloudTrail management logs are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-11"
+        self.check_name = "Security Lake CloudTrail management logs enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "CloudTrail management log and event source version 2.0 for all active accounts in the organization. "
+            "CloudTrail management events, also known as control plane events, provide insight into management "
+            "operations that are performed on CloudTrail in your AWS account. To "
+            "collect CloudTrail management events in Security Lake, there must be at "
+            "least one CloudTrail multi-Region organization trail that collects read "
+            "and write CloudTrail management events. Logging must be enabled for the trail. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the CloudTrail management logs source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the CLOUD_TRAIL_MGMT log source version 2.0 is enabled. "
+            "The check fails if the CLOUD_TRAIL_MGMT log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if CloudTrail management logs are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/CLOUD_TRAIL_MGMT"
+
+                # Check CloudTrail management logs configuration
+                cloudtrail_v2_enabled = self.check_log_source_configured(region, "CLOUD_TRAIL_MGMT", account_id, "2.0")
+                
+                if not cloudtrail_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    cloudtrail_v1_enabled = self.check_log_source_configured(region, "CLOUD_TRAIL_MGMT", account_id, "1.0")
+                    
+                    if cloudtrail_v1_enabled:
+                        actual_value = f"CloudTrail management logs are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update CloudTrail management logs to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the CloudTrail management logs source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"CLOUD_TRAIL_MGMT\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"CloudTrail management logs are not configured for account {account_id}"
+                        remediation = (
+                            "Enable CloudTrail management logs in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable CloudTrail management logs. "
+                            "Ensure you have at least one CloudTrail multi-Region organization trail that collects "
+                            "read and write management events. Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"CLOUD_TRAIL_MGMT\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="CloudTrail management logs enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="CloudTrail management logs enabled with version 2.0",
+                            actual_value=f"CloudTrail management logs are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_12.py

@@ -0,0 +1,108 @@
+"""Check if WAF logs are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_12(SecurityLakeCheck):
+    """Check if WAF logs are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-12"
+        self.check_name = "Security Lake WAF logs enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "WAF log and event source version 2.0 for all active accounts in the organization. "
+            "AWS WAF is a web application firewall that "
+            "helps protect your web applications or APIs against common web exploits "
+            "and bots that may affect availability, compromise security, or consume "
+            "excessive resources. Security Lake collects WAF logs directly from "
+            "AWS WAF through an independent and duplicated stream of events. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the WAF logs source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the WAF log source version 2.0 is enabled. "
+            "The check fails if the WAF log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if WAF logs are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/WAF"
+
+                # Check WAF logs configuration
+                waf_v2_enabled = self.check_log_source_configured(region, "WAF", account_id, "2.0")
+                
+                if not waf_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    waf_v1_enabled = self.check_log_source_configured(region, "WAF", account_id, "1.0")
+                    
+                    if waf_v1_enabled:
+                        actual_value = f"WAF logs are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update WAF logs to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the WAF logs source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"WAF\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"WAF logs are not configured for account {account_id}"
+                        remediation = (
+                            "Enable WAF logs in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable WAF logs. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"WAF\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="WAF logs enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="WAF logs enabled with version 2.0",
+                            actual_value=f"WAF logs are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings

sraverify/services/securitylake/checks/sra_securitylake_13.py

@@ -0,0 +1,108 @@
+"""Check if VPC Flow logs are enabled for Security Lake."""
+
+from typing import List, Dict, Any
+from sraverify.services.securitylake.base import SecurityLakeCheck
+from sraverify.core.logging import logger
+
+
+class SRA_SECURITYLAKE_13(SecurityLakeCheck):
+    """Check if VPC Flow logs are enabled for Security Lake."""
+
+    def __init__(self):
+        """Initialize check."""
+        super().__init__()
+        self.account_type = "log-archive"  # Check all org accounts from delegated admin
+        self.check_id = "SRA-SECURITYLAKE-13"
+        self.check_name = "Security Lake VPC flow logs enabled with version 2.0 for all organization accounts"
+        self.severity = "HIGH"
+        self.description = (
+            "This check verifies whether Amazon Security Lake is configured with "
+            "VPC Flow log and event source version 2.0 for all active accounts in the organization. "
+            "VPC Flow Logs is a feature that enables "
+            "you to capture information about the IP traffic going to and from "
+            "network interfaces in your VPC. Security Lake collects VPC Flow Logs "
+            "directly from Amazon VPC through an independent and duplicated stream "
+            "of events. "
+            "This check runs from the delegated administrator account "
+            "and validates configuration across all organization member accounts."
+        )
+        self.check_logic = (
+            "Checks if the VPC Flow logs source version 2.0 is enabled in Security Lake "
+            "for all active organization accounts. The check passes if the VPC_FLOW log source version 2.0 is enabled. "
+            "The check fails if the VPC_FLOW log source is not enabled or configured with version 1.0."
+        )
+
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+
+        Returns:
+            List of findings
+        """
+
+        for region in self.regions:
+            logger.debug(f"Checking if VPC Flow logs are enabled in {region}")
+
+            # Get all organization accounts
+            org_accounts = self.get_organization_accounts(region)
+            if not org_accounts:
+                logger.debug("No organization accounts found, checking current account only")
+                org_accounts = [{'Id': self.account_id, 'Status': 'ACTIVE'}]
+
+            # Create sets of active account IDs
+            active_org_account_ids = set()
+            for account in org_accounts:
+                if account.get('Status') == 'ACTIVE':
+                    active_org_account_ids.add(account.get('Id'))
+
+            # Check each account in the organization
+            for account_id in active_org_account_ids:
+                resource_id = f"arn:aws:securitylake:{region}:{account_id}:log-source/VPC_FLOW"
+
+                # Check VPC Flow logs configuration
+                vpc_flow_v2_enabled = self.check_log_source_configured(region, "VPC_FLOW", account_id, "2.0")
+                
+                if not vpc_flow_v2_enabled:
+                    # Only check v1.0 if v2.0 is not enabled (uses cached data)
+                    vpc_flow_v1_enabled = self.check_log_source_configured(region, "VPC_FLOW", account_id, "1.0")
+                    
+                    if vpc_flow_v1_enabled:
+                        actual_value = f"VPC Flow logs are configured with version 1.0 instead of 2.0 for account {account_id}"
+                        remediation = (
+                            f"Update VPC Flow logs to version 2.0 for account {account_id}. "
+                            "In the Security Lake console, navigate to Sources and update the VPC Flow logs source version. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake update-data-lake --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"VPC_FLOW\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    else:
+                        actual_value = f"VPC Flow logs are not configured for account {account_id}"
+                        remediation = (
+                            "Enable VPC Flow logs in Security Lake. In the Security Lake console, "
+                            "navigate to Settings > Log Sources and enable VPC Flow logs. "
+                            "Alternatively, use the AWS CLI command: "
+                            f"aws securitylake create-aws-log-source --sources '[{{\"regions\":[\"{region}\"],\"sourceName\":\"VPC_FLOW\",\"sourceVersion\":\"2.0\"}}]' --region {region}"
+                        )
+                    
+                    self.findings.append(
+                        self.create_finding(
+                            status="FAIL",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="VPC Flow logs enabled with version 2.0",
+                            actual_value=actual_value,
+                            remediation=remediation
+                        )
+                    )
+                else:
+                    self.findings.append(
+                        self.create_finding(
+                            status="PASS",
+                            region=region,
+                            resource_id=resource_id,
+                            checked_value="VPC Flow logs enabled with version 2.0",
+                            actual_value=f"VPC Flow logs are enabled with version 2.0 in {region} for account {account_id}",
+                            remediation="No remediation needed"
+                        )
+                    )
+
+        return self.findings