This script will evaluate your AWS account against CIS Amazon Web Services Foundations Benchmark v1.2.0 - 05-23-2018. It automates the entire checklist, instead of manually checking each control. The policy script aws_script_policy.json is minimum permission that this script need to execute in AWS environment.
- Need to install
awscliin to your machine python3must be installed.Now follow these steps- Type
aws configurein CLI. - Now enter the Access Key, secret key and choose you region
First of all install the dependencies.
pip install -r requirements.txt
usage: python3 aws_cis_benchmark.py [optional arguments]
Tool to benchmark your AWS environment against CIS
optional arguments:
-h, --help show this help message and exit
-c, --csv Produces report in CSV format
-ht, --html Produces report in HTML format
-j, --json Produces report in JSON format
-v, --version Display version of the tool
-f FILE_NAME, --file_name FILE_NAME
To store output with given file name
-p PATH, --path PATH To store output in specified file path
- FILE_NAME - it's an optional argument, if no value is given the filename will be
aws_cis_benchmark_output.{json|csv|html}. - PATH - it's an optional argument, if no value is given the output path will the
current directorywhere you run this script.
This script helps you save the report in three formats, they are:
- JSON
- CSV
- HTML
[
{
'control_id': 'string',
'result': bool | null,
'scored': bool,
'desc', 'string',
'fail_reason': ['string',],
'offenders': ['string,]
},
]
- (Array)
- Object
- control_id (string) - Has the cis control number such as '1.1', etc.
- result (bool | null) - If the
true, the control has passed, iffalsethe control has failed, ifnullthe control is not assesed. - scored (bool) - If
truethe control is scored, iffalsethe control is not scored [According to CIS]. - desc (string) - The description of the control for the AWS CIS Benchmark foundations.
- fail_reason (Array)
- string - The reason why the control failed, if result is
false, otherwise it will be empty.
- string - The reason why the control failed, if result is
- offenders (Array)
- string - The offenders who cause the control to fail, if result is
false, otherwise it will be empty.
- string - The offenders who cause the control to fail, if result is
- Object
The CSV document is delimited with ; (because i had hard time implementing it in ,). So while opening it use ; as only delimiter without fail, otherwise the report will be in a messy format.
This report contains the Doughnut chart of each section that are Passed, Failed, Not Assessed and table with responsive format.
If the table background color is green, then it is a Passed control. If red then it is Failed control, if yellow then the control is not assessed and it should be assesed manually, because there no API is available to perform the action.
- Dependencies
- You need an active internet connection in order to view report in better format because it has these dependencies.
- Chart.js - for the doughnut chart.
- bootstrap - for the responsive design.
- Jquery - for the DOM manipulation
- You need an active internet connection in order to view report in better format because it has these dependencies.
This tool was inspired by these tools:
- aws-security-benchmark - https://github.com/awslabs/aws-security-benchmark
- SeBAz - https://github.com/Deepak710/SeBAz