|
| 1 | +# aws-cis-security-benchmark |
| 2 | + |
| 3 | +This script will evaluate your AWS account against CIS Amazon Web Services Foundations Benchmark `v1.2.0 - 05-23-2018`. It automates the entire checklist, instead of manually checking each control manually. |
| 4 | + |
| 5 | +## How to Setup and run |
| 6 | + |
| 7 | +First of all install the dependencies. |
| 8 | + |
| 9 | +> `pip install -r requirements.txt` |
| 10 | +
|
| 11 | +``` |
| 12 | +usage: python3 aws-cis-benchmarker [optional arguments] |
| 13 | +
|
| 14 | +Tool to benchmark your AWS environment against CIS |
| 15 | +
|
| 16 | +optional arguments: |
| 17 | + -h, --help show this help message and exit |
| 18 | + -c, --csv Produces report in CSV format |
| 19 | + -ht, --html Produces report in HTML format |
| 20 | + -j, --json Produces report in JSON format |
| 21 | + -v, --version Display version of the tool |
| 22 | + -f FILE_NAME, --file_name FILE_NAME |
| 23 | + To store output with given file name |
| 24 | + -p PATH, --path PATH To store output in specified file path |
| 25 | +``` |
| 26 | + |
| 27 | +- **FILE_NAME** - it's an optional argument, if no value is given the filename will be `aws_cis_benvhamrk_output.{json|csv|html}`. |
| 28 | +- **PATH** - it's an optional argument, if no value is given the output path will the `current directory` where you run this script. |
| 29 | + |
| 30 | +## Features |
| 31 | + |
| 32 | +This script helps you save the report in three formats, they are: |
| 33 | + |
| 34 | +- JSON |
| 35 | +- CSV |
| 36 | +- HTML |
| 37 | + |
| 38 | +## JSON Structure |
| 39 | + |
| 40 | +``` |
| 41 | +[ |
| 42 | + { |
| 43 | + 'control_id': 'string', |
| 44 | + 'result': bool | null, |
| 45 | + 'scored': bool, |
| 46 | + 'desc', 'string', |
| 47 | + 'fail_reason': ['string',], |
| 48 | + 'offenders': ['string,] |
| 49 | + }, |
| 50 | +] |
| 51 | +``` |
| 52 | + |
| 53 | +- (Array) |
| 54 | + - Object |
| 55 | + - **control_id** (string) - Has the cis control number such as '1.1', etc. |
| 56 | + - **result** (bool | null) - If the `true`, the control has passed, if `false` the control has failed, if `null` the control is not assesed. |
| 57 | + - **scored** (bool) - If `true` the control is scored, if `false` the control is not scored [According to CIS]. |
| 58 | + - **desc** (string) - The description of the control for the AWS CIS Benchmark foundations. |
| 59 | + - **fail_reason** (Array) |
| 60 | + - **string** - The reason why the control failed, if result is `false`, otherwise it will be empty. |
| 61 | + - **offenders** (Array) |
| 62 | + - **string** - The offenders who cause the control to fail, if result is `false`, otherwise it will be empty. |
| 63 | + |
| 64 | +## CSV Format |
| 65 | + |
| 66 | +The CSV document is delimited with `;` (because i had hard time implementing it in `,`). So while opening it use `;` as **only** delimiter without fail, otherwise the report will be in a messy format. |
| 67 | + |
| 68 | +## HTML Report |
| 69 | + |
| 70 | +This report contains the Doughnut chart of each section that are `Passed, Failed, Not Assessed` and table with responsive format. |
| 71 | + |
| 72 | +If the table background color is `green`, then it is a `Passed` control. If `red` then it is `Failed` control, if `yellow` then the control is not assessed and it should be assesed manually, because there no API is available to perform the action. |
| 73 | + |
| 74 | +- Dependencies |
| 75 | + - You need an **active internet** connection in order to view report in better format because it has these dependencies. |
| 76 | + - Chart.js - for the doughnut chart. |
| 77 | + - bootstrap - for the responsive design. |
| 78 | + - Jquery - for the DOM manipulation |
| 79 | + |
| 80 | +## KUDOS |
| 81 | + |
| 82 | +This tool was inspired by these tools: |
| 83 | +* aws-security-benchmark - https://github.com/awslabs/aws-security-benchmark |
| 84 | +* SeBAz - https://github.com/Deepak710/SeBAz |
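Review bot: the "JSON Structure" sample (lines 41-50) is not valid JSON and does not match the field list beneath it: `'desc', 'string'` should be `'desc': 'string'`, `['string,]` is missing its closing quote, and single quotes are not JSON. Suggest replacing the block with one real record as the tool writes it, e.g. `{"control_id": "1.1", "result": false, "scored": true, "desc": "...", "fail_reason": ["..."], "offenders": ["..."]}`, so consumers can validate against it. Line 27 documents the default output name as `aws_cis_benvhamrk_output.{json|csv|html}`; if that string is copied from the code it is a typo in the tool, not just in the README, and `-ht` (line 19) is an unusual two-character short flag next to `-c`/`-j`, so consider `-H` or long-form only. The CSV section (line 66) chooses `;` because `,` was hard to implement; the standard `csv` writer quotes fields that contain the delimiter, so a `,`-delimited file with proper quoting would avoid the "only delimiter" warning for readers. The HTML report (lines 68-78) embeds account findings and is loaded from third-party CDNs for Chart.js, Bootstrap and jQuery; please pin those to exact versions with Subresource Integrity hashes, and confirm that `offenders` and `fail_reason` strings (resource names, ARNs, user names that an account holder can set) are HTML-escaped before they are written into the table, since the report is opened in a browser. Finally, the setup section (lines 5-28) never says how the tool authenticates or which permissions it needs; a sentence on credential sourcing (profile/environment as boto3 resolves it) and a read-only policy such as the AWS-managed `SecurityAudit` policy would let readers run it under least privilege. Also "assesed" on lines 56 and 72 should read "assessed".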