diff --git a/README.md b/README.md index b7b68c52..29dfea04 100644 --- a/README.md +++ b/README.md @@ -625,16 +625,16 @@ Deployment and monitoring (future) ## Extensions -AI-DLC supports an extension system that lets you layer additional rules on top of the core workflow. Extensions are markdown files organized under `aws-aidlc-rule-details/extensions/` and grouped by category (e.g., `security/`, `testing/`). +AI-DLC supports an extension system that lets you layer additional rules on top of the core workflow. Extensions are markdown files organized under `aws-aidlc-rule-details/extensions/` and grouped by category (e.g., `security/`, `compliance/`, `testing/`). ### How Extensions Work Each extension consists of two files placed in the same directory: - A **rules file** (e.g., `security-baseline.md`) containing the extension's rules. -- An **opt-in file** (e.g., `security-baseline.opt-in.md`) containing a structured multiple-choice question presented to the user during Requirements Analysis. +- An **opt-in file** (e.g., `security-baseline.opt-in.md`) containing metadata for the extension selection menu. -At workflow start, AI-DLC scans the `extensions/` directory and loads only `*.opt-in.md` files. During Requirements Analysis, it presents each opt-in prompt to the user. When the user opts in, the corresponding rules file is loaded (derived by naming convention: strip `.opt-in.md`, append `.md`). When the user opts out, the rules file is never loaded. Extensions without a matching `*.opt-in.md` file are always enforced. +At workflow start, AI-DLC scans the `extensions/` directory and loads only `*.opt-in.md` files. During Requirements Analysis, it presents a **consolidated selection menu** listing all available extensions — the user selects which ones to enable in a single answer. When the user opts in, the corresponding rules file is loaded (derived by naming convention: strip `.opt-in.md`, append `.md`). When the user opts out, the rules file is never loaded. Extensions without a matching `*.opt-in.md` file are always enforced. Once enabled, extension rules are blocking constraints — at each stage, the model verifies compliance before allowing the stage to proceed. @@ -645,31 +645,39 @@ The `extensions/` directory ships with the following (new extensions may be adde ```text aws-aidlc-rule-details/ └── extensions/ - ├── security/ # Extension category + ├── security/ # Security rules │ └── baseline/ - │ ├── security-baseline.md # Baseline security rules - │ └── security-baseline.opt-in.md # Opt-in prompt - └── testing/ # Extension category - └── property-based/ - ├── property-based-testing.md # Property-based testing rules - └── property-based-testing.opt-in.md # Opt-in prompt + │ ├── security-baseline.md + │ └── security-baseline.opt-in.md + ├── testing/ # Testing rules + │ └── property-based/ + │ ├── property-based-testing.md + │ └── property-based-testing.opt-in.md + └── compliance/ # Compliance frameworks + └── nist-800-53/ + ├── nist-800-53-controls.md + └── nist-800-53.opt-in.md ``` > [!IMPORTANT] -> The security extension rules are provided as a directional reference for building effective security rules within AI-DLC workflows. Each organization should build, customize, and thoroughly test their own security rules before deploying in production workflows. +> The security and compliance extension rules are provided as a directional reference for building effective rules within AI-DLC workflows. Each organization should build, customize, and thoroughly test their own rules before deploying in production workflows. ### Adding Your Own Extensions You can extend an existing category or create an entirely new one. -1. Create a directory under `extensions/` (e.g., `security/compliance/` or `performance/baseline/`). -2. Add a **rules file** (e.g., `compliance.md`). Follow the same structure as `security-baseline.md`: +1. Create a directory under `extensions/` (e.g., `compliance/pci-dss/` or `performance/baseline/`). +2. Add a **rules file** (e.g., `pci-dss-controls.md`). Follow the same structure as `security-baseline.md`: - Define each rule as a heading in the format `## Rule : ` where the prefix is a short category identifier and NN is a sequential number (e.g., `COMPLIANCE-01`, `COMPLIANCE-02`). These IDs are referenced in audit logs and compliance summaries, so they must be unique across all loaded extensions. - Include a **Rule** section describing the requirement. - Include a **Verification** section with concrete checks the model should evaluate. -3. Add a matching **opt-in file** using the naming convention `<name>.opt-in.md` (e.g., `compliance.opt-in.md`). See `security-baseline.opt-in.md` for the expected format. Omitting this file means the extension is always enforced with no user opt-out. +3. Add a matching **opt-in file** using the naming convention `<name>.opt-in.md` (e.g., `pci-dss.opt-in.md`). See `security-baseline.opt-in.md` for the expected format. Omitting this file means the extension is always enforced with no user opt-out. 4. Rules are blocking by default — if verification criteria are not met, the stage cannot proceed until the finding is resolved. +### Community Extensions + +Community extensions are authored in external repositories and registered in the `community-extensions-index.yaml` at the repository root. To install one, copy its files into the matching `extensions/` subdirectory. See the index file for available community extensions and install instructions. + --- ## Tenets diff --git a/aidlc-rules/aws-aidlc-rule-details/extensions/README.md b/aidlc-rules/aws-aidlc-rule-details/extensions/README.md new file mode 100644 index 00000000..8e16fee4 --- /dev/null +++ b/aidlc-rules/aws-aidlc-rule-details/extensions/README.md @@ -0,0 +1,59 @@ +# Extensions + +This folder is read by the AI-DLC rules loader at workflow start. Place installed extension files here — the AI will automatically detect and load them. + +**This README file is not processed by the extensions loader.** The loader scans subdirectories only. + +--- + +## Available Extensions + +| Extension | Category | Description | +|---|---|---| +| `security/baseline/` | security | OWASP-mapped security rules | +| `testing/property-based/` | testing | Property-based testing rules | +| `compliance/nist-800-53/` | compliance | NIST 800-53 controls mapped to AWS Control Tower, Config Rules, Security Hub, and GuardDuty | + +--- + +## NIST 800-53 Compliance Controls + +**Version**: 0.2.0 + +Maps ~90 NIST 800-53 controls to specific AWS mechanisms. When enabled, the workflow enforces applicable controls at each stage. + +**Coverage:** +- **AC** (Access Control): AC-3, AC-4, AC-6, AC-12, AC-17, AC-22 + enhancements +- **AU** (Audit & Accountability): AU-2, AU-3, AU-5(2), AU-6, AU-12 +- **CA** (Assessment & Monitoring): CA-3, CA-7 + +**Control Types**: Preventive (SCP, Declarative Policy), Proactive (CF Hook), Detective (Config Rule, Security Hub) + +**Files:** +- `compliance/nist-800-53/nist-800-53-controls.md` — Full control mappings +- `compliance/nist-800-53/nist-800-53.opt-in.md` — Opt-in metadata + +--- + +## How the Loader Works + +At workflow start, the AI scans subdirectories under `extensions/`: + +1. A subfolder containing a `*.opt-in.md` file is an **opt-in extension** — during Requirements Analysis, a consolidated selection menu is presented listing all available extensions for the user to choose from +2. A subfolder with rule `.md` files but no `*.opt-in.md` is **always enforced** — its rules are loaded immediately at workflow start +3. The `project-type/` subfolder is **excluded from this scan** — project-type extensions are loaded by Workspace Detection + +--- + +## Installing Community Extensions + +Community extensions are hosted in external repositories and listed in `community-extensions-index.yaml` at the repo root. To install one, copy its rule files into the matching category subdirectory here: + +```bash +mkdir -p extensions/<category>/<extension-name> +cp <source>/*.opt-in.md <source>/*-rules.md extensions/<category>/<extension-name>/ +``` + +Then start a new AI-DLC session to load the extension. + +--- diff --git a/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53-controls.md b/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53-controls.md new file mode 100644 index 00000000..969557bf --- /dev/null +++ b/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53-controls.md @@ -0,0 +1,423 @@ +# NIST 800-53 Controls + +**Extension**: nist-800-53 v0.2.0 | **Type**: compliance | **Framework**: NIST 800-53 + +> This extension provides NIST 800-53 control mappings. When installed and enabled, the AI-DLC workflow embeds these controls directly into each relevant stage (requirements, design, infrastructure, code generation, testing). + +--- + +## AC — Access Control + +### AC-3: Access Enforcement + +Controls that enforce approved authorizations for logical access to information and system resources. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.COGNITO-IDP.DT.1 | Checks if an Amazon Cognito user pool has advanced security enabled | Cognito | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.COGNITO-IDP.DT.2 | Checks if Amazon Cognito Identity Pool allows unauthenticated identities | Cognito | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CT.APIGATEWAY.PR.5 | Checks whether Amazon API Gateway V2 API routes have an authorization type set | ApiGatewayV2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.BACKUP.PV.1 | Limits changes to tags that AWS Control Tower applies to AWS Backup resources | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.BACKUP.PV.2 | Limits changes to the AWS Backup report plan that AWS Control Tower manages | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.BACKUP.PV.3 | Limits creation or modification of AWS Backup resources that AWS Control Tower manages | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.EC2.PV.11 | Prevents the public sharing of your AMIs by configuring block public access for AMIs | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | +| CT.EC2.PV.3 | Disallows sharing of an EBS snapshot with all AWS accounts | EC2 | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.EC2.PV.5 | Disallows use of EC2 VM Import/Export APIs | EC2 | PREVENTIVE | MEDIUM | SCP | Partially Covered | +| CT.EC2.PV.7 | Blocks the public sharing of your Amazon EBS snapshots | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | +| CT.EC2.PV.9 | Prevents access to the EC2 serial console of all EC2 instances | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (SCP, Config Rule, Declarative Policy, CF Hook) +- **Status**: Elective - Not Yet Enabled (CT controls); Available (Config Rules) +- **Priority**: High + +--- + +### AC-4: Information Flow Enforcement + +Controls that enforce approved authorizations for controlling the flow of information within the system and between connected systems. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_RESTRICTED_COMMON_PORTS | Reduces a server's exposure to risk by removing unfettered connectivity to remote console services such as RDP | EC2 | DETECTIVE | CRITICAL | Config Rule | Partially Covered | +| AWS-GR_RESTRICTED_SSH | Reduces a server's exposure to risk by removing unfettered connectivity to SSH | EC2 | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.EC2.DT.11 | Checks if non-default security groups are attached to elastic network interfaces | EC2 | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.EC2.DT.17 | Checks if internet gateways are attached to an authorized VPC | EC2 | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.EC2.DT.18 | Checks if all Elastic IP addresses allocated to an AWS account are attached to EC2 instances | EC2 | DETECTIVE | LOW | Config Rule | Partially Covered | +| CONFIG.EC2.DT.20 | Checks if DNS resolution from accepter/requester VPC to private IP is enabled | EC2 | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.EC2.DT.8 | Checks if the AWS Client VPN authorization rules authorizes connection access for all clients | EC2 | DETECTIVE | CRITICAL | Config Rule | Partially Covered | +| CT.APPSYNC.PR.2 | Checks whether an AWS AppSync GraphQL API has been configured with private visibility | AppSync | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PR.2 | Checks whether an Amazon EC2 launch template has a metadata token hop limit set to 1 | EC2 | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PR.3 | Checks whether the Amazon EC2 security group rule contains 0.0.0.0/0 or ::/0 as a source IP range | EC2 | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PR.4 | Checks whether an Amazon EC2 security group rule with 0.0.0.0/0 allows incoming traffic to high-risk ports | EC2 | PROACTIVE | CRITICAL | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PR.9 | Checks whether your Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces | EC2 | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PV.11 | Prevents the public sharing of your AMIs by configuring block public access for AMIs | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | +| SH.EC2.10 | Checks whether a service endpoint for Amazon EC2 is created for each VPC | EC2 | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | +| SH.EC2.16 | Checks to see if there are any NACLs that are unused | EC2 | DETECTIVE | LOW | Security Hub Control | Partially Covered | +| SH.EC2.18 | Checks whether the security groups allow unrestricted incoming traffic | EC2 | DETECTIVE | HIGH | Security Hub Control | Partially Covered | +| SH.EC2.19 | Checks whether unrestricted incoming traffic is accessible to high-risk ports | EC2 | DETECTIVE | CRITICAL | Security Hub Control | Partially Covered | +| SH.EC2.2 | Checks that the default security group of a VPC does not allow inbound or outbound traffic | EC2 | DETECTIVE | HIGH | Security Hub Control | Partially Covered | +| SH.EC2.21 | Checks whether a NACL allows unrestricted access to SSH/RDP ingress traffic | EC2 | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | +| SH.EC2.22 | Checks that security groups are attached to Amazon EC2 instances or to an elastic network interface | EC2 | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | +| SH.EC2.23 | Checks if EC2 Transit Gateways are automatically accepting shared VPC attachments requests | EC2 | DETECTIVE | HIGH | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Mixed (Root, Workload OU) +- **Mechanism**: Mixed (Config Rule, SCP, Declarative Policy, CF Hook, Security Hub) +- **Status**: Mixed (Mandatory, Elective) +- **Priority**: High + +--- + +### AC-6: Least Privilege + +Controls that employ the principle of least privilege, allowing only authorized accesses necessary to accomplish assigned organizational tasks. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK | Detects whether all AWS accounts have access to restore Amazon EBS snapshots | EC2 | DETECTIVE | CRITICAL | Config Rule | Partially Covered | +| CT.APIGATEWAY.PR.5 | Checks whether Amazon API Gateway V2 API routes have an authorization type set | ApiGatewayV2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APPSYNC.PR.3 | Checks that an AWS AppSync GraphQL API has been configured with an authentication type other than API_KEY | AppSync | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PV.11 | Prevents the public sharing of your AMIs by configuring block public access for AMIs | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | +| CT.EC2.PV.4 | Disallows usage of all EBS direct APIs | EC2 | PREVENTIVE | HIGH | SCP | Partially Covered | +| CT.EC2.PV.5 | Disallows use of EC2 VM Import/Export APIs | EC2 | PREVENTIVE | MEDIUM | SCP | Partially Covered | +| CT.EC2.PV.9 | Prevents access to the EC2 serial console of all EC2 instances | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | + +**Enforcement details:** +- **Scope**: Mixed (Root, Workload OU) +- **Mechanism**: Mixed (Config Rule, SCP, Declarative Policy, CF Hook) +- **Status**: Mixed (Mandatory, Elective) +- **Priority**: High + +--- + +### AC-6(1): Least Privilege | Authorize Access to Security Functions + +Controls that authorize access to security functions and security-relevant information. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_DISALLOW_VPC_INTERNET_ACCESS | Disallow internet access for an Amazon VPC instance managed by a customer | EC2 | PREVENTIVE | MEDIUM | SCP | Partially Covered | +| CT.BACKUP.PV.1 | Limits changes to tags that AWS Control Tower applies to AWS Backup resources | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.BACKUP.PV.2 | Limits changes to the AWS Backup report plan that AWS Control Tower manages | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | +| CT.BACKUP.PV.3 | Limits creation or modification of AWS Backup resources that AWS Control Tower manages | Backup | PREVENTIVE | CRITICAL | SCP | Partially Covered | + +**Enforcement details:** +- **Scope**: Mixed (Root, Workload OU) +- **Mechanism**: CT-Managed SCP +- **Status**: Mixed (Mandatory, Elective) +- **Priority**: High + +--- + +### AC-6(10): Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions + +Controls that prevent non-privileged users from executing privileged functions. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CT.EC2.PV.4 | Disallows usage of all EBS direct APIs | EC2 | PREVENTIVE | HIGH | SCP | Partially Covered | +| CT.EC2.PV.9 | Prevents access to the EC2 serial console of all EC2 instances | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (SCP, Declarative Policy) +- **Status**: Elective - Not Yet Enabled +- **Priority**: High + +--- + +### AC-6(9): Least Privilege | Log Use of Privileged Functions + +Controls that log the execution of privileged functions. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| SH.CloudTrail.1 | Checks that there is at least one multi-region AWS CloudTrail trail | CloudTrail | DETECTIVE | HIGH | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: All OUs (Security Hub) +- **Mechanism**: Security Hub +- **Status**: Available +- **Priority**: High + +--- + +### AC-12: Session Termination + +Controls that automatically terminate a user session after defined conditions or trigger events. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.COGNITO-IDP.DT.1 | Checks if an Amazon Cognito user pool has advanced security enabled | Cognito | DETECTIVE | HIGH | Config Rule | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Config Rule (Conformance Pack) +- **Status**: Available +- **Priority**: High + +--- + +### AC-17: Remote Access + +Controls that establish and manage remote access sessions. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_DISALLOW_VPN_CONNECTIONS | Disallows Virtual Private Network (VPN) connections to an Amazon VPC | EC2 | PREVENTIVE | MEDIUM | SCP | Partially Covered | + +**Enforcement details:** +- **Scope**: Root OU (All Accounts) +- **Mechanism**: CT-Managed SCP +- **Status**: Mandatory - Verify Enabled in CT Console +- **Priority**: Moderate + +--- + +### AC-17(1): Remote Access | Monitoring and Control + +Controls that monitor and control remote access methods. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_RESTRICTED_SSH | Reduces a server's exposure to risk by removing unfettered connectivity to SSH | EC2 | DETECTIVE | HIGH | Config Rule | Partially Covered | +| SH.EC2.21 | Checks whether a NACL allows unrestricted access to SSH/RDP ingress traffic | EC2 | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Mixed (Root, Workload OU) +- **Mechanism**: Mixed (Config Rule, Security Hub) +- **Status**: Mixed (Mandatory, Available) +- **Priority**: High + +--- + +### AC-17(3): Remote Access | Managed Access Control Points + +Controls that route remote accesses through authorized and managed network access control points. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| AWS-GR_RESTRICTED_SSH | Reduces a server's exposure to risk by removing unfettered connectivity to SSH | EC2 | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CT.EC2.PR.5 | Checks whether the Amazon EC2 network ACL inbound entry allows unrestricted incoming traffic for SSH or RDP | EC2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| SH.EC2.21 | Checks whether a NACL allows unrestricted access to SSH/RDP ingress traffic | EC2 | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Mixed (Root, Workload OU) +- **Mechanism**: Mixed (Config Rule, CF Hook, Security Hub) +- **Status**: Mixed (Mandatory, Elective) +- **Priority**: High + +--- + +### AC-22: Publicly Accessible Content + +Controls that designate individuals authorized to make information publicly accessible and ensure procedures are in place to prevent unauthorized disclosure. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CT.EC2.PV.11 | Prevents the public sharing of your AMIs by configuring block public access for AMIs | EC2 | PREVENTIVE | MEDIUM | Declarative Policy | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: CT-Managed Declarative Policy +- **Status**: Elective - Not Yet Enabled +- **Priority**: Moderate + +--- + +## AU — Audit and Accountability + +### AU-2: Event Logging + +Controls that identify events requiring logging in accordance with applicable laws, policies, and organizational guidance. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.APPSYNC.DT.5 | Checks if an AWS AppSync API has logging enabled | AppSync | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.EC2.DT.7 | Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels | EC2 | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CT.APIGATEWAY.PR.1 | Checks whether all methods in Amazon API Gateway stage have execution logging configured | ApiGateway | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APIGATEWAY.PR.2 | Ensures that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs | ApiGateway | PROACTIVE | LOW | CF Hook (Proactive) | Partially Covered | +| CT.APIGATEWAY.PR.4 | Checks whether Amazon API Gateway V2 stages have access logging enabled | ApiGatewayV2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APPSYNC.PR.1 | Checks whether an AWS AppSync GraphQL API sends logs to Amazon CloudWatch Logs | AppSync | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.EC2.PR.10 | Checks whether the Amazon EC2 launch template has detailed monitoring enabled | EC2 | PROACTIVE | LOW | CF Hook (Proactive) | Partially Covered | +| SH.APIGateway.1 | Checks whether all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled | ApiGateway | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (Config Rule, CF Hook, Security Hub) +- **Status**: Mixed (Available, Elective) +- **Priority**: Moderate + +--- + +### AU-3: Content of Audit Records + +Controls that ensure audit records contain sufficient information to establish what events occurred, when and where they occurred, and the sources and outcomes of events. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.APPSYNC.DT.5 | Checks if an AWS AppSync API has logging enabled | AppSync | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.EC2.DT.7 | Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels | EC2 | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CT.APIGATEWAY.PR.1 | Checks whether all methods in Amazon API Gateway stage have execution logging configured | ApiGateway | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APIGATEWAY.PR.4 | Checks whether Amazon API Gateway V2 stages have access logging enabled | ApiGatewayV2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APPSYNC.PR.1 | Checks whether an AWS AppSync GraphQL API sends logs to Amazon CloudWatch Logs | AppSync | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| SH.APIGateway.1 | Checks whether all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled | ApiGateway | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (Config Rule, CF Hook, Security Hub) +- **Status**: Mixed (Available, Elective) +- **Priority**: Moderate + +--- + +### AU-5(2): Response to Audit Logging Process Failures | Real-Time Alerts + +Controls that provide alerts within defined time periods to personnel when audit logging process failures occur. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CT.EC2.PR.10 | Checks whether the Amazon EC2 launch template has detailed monitoring enabled | EC2 | PROACTIVE | LOW | CF Hook (Proactive) | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: CF Hook (Proactive) +- **Status**: Elective - Not Yet Enabled +- **Priority**: Low + +--- + +### AU-6: Audit Record Review, Analysis, and Reporting + +Controls that review and analyze system audit records for indications of inappropriate or unusual activity. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.GUARDDUTY.DT.3 | Checks if Audit Log Monitoring for EKS is enabled for an Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Config Rule (Conformance Pack) +- **Status**: Available +- **Priority**: High + +--- + +### AU-6(1): Audit Record Review, Analysis, and Reporting | Automated Process Integration + +Controls that integrate audit record review, analysis, and reporting using automated mechanisms. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| SH.GuardDuty.1 | Checks whether Amazon GuardDuty is enabled in your AWS account and region | GuardDuty | DETECTIVE | HIGH | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: All OUs (Security Hub) +- **Mechanism**: Security Hub Control +- **Status**: Available +- **Priority**: High + +--- + +### AU-12: Audit Record Generation + +Controls that provide audit record generation capability for defined auditable events. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.APPSYNC.DT.5 | Checks if an AWS AppSync API has logging enabled | AppSync | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.EC2.DT.7 | Checks if AWS Site-to-Site VPN connections have Amazon CloudWatch logging enabled for both tunnels | EC2 | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CT.APIGATEWAY.PR.1 | Checks whether all methods in Amazon API Gateway stage have execution logging configured | ApiGateway | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APIGATEWAY.PR.2 | Ensures that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs | ApiGateway | PROACTIVE | LOW | CF Hook (Proactive) | Partially Covered | +| CT.APIGATEWAY.PR.4 | Checks whether Amazon API Gateway V2 stages have access logging enabled | ApiGatewayV2 | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| CT.APPSYNC.PR.1 | Checks whether an AWS AppSync GraphQL API sends logs to Amazon CloudWatch Logs | AppSync | PROACTIVE | MEDIUM | CF Hook (Proactive) | Partially Covered | +| SH.APIGateway.1 | Checks whether all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled | ApiGateway | DETECTIVE | MEDIUM | Security Hub Control | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (Config Rule, CF Hook, Security Hub) +- **Status**: Mixed (Available, Elective) +- **Priority**: Moderate + +--- + +## CA — Assessment, Authorization, and Monitoring + +### CA-3: Information Exchange + +Controls that approve and manage the exchange of information between systems using defined agreements. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CT.EC2.PR.6 | Checks whether Amazon EC2 transit gateways are configured to accept Amazon VPC attachment requests automatically | EC2 | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: CF Hook (Proactive) +- **Status**: Elective - Not Yet Enabled +- **Priority**: High + +--- + +### CA-7: Continuous Monitoring + +Controls that develop a system-level continuous monitoring strategy and implement continuous monitoring. + +| Control ID | Description | AWS Service | Control Type | Severity | Implementation | Coverage | +|---|---|---|---|---|---|---| +| CONFIG.GUARDDUTY.DT.10 | Checks if Runtime Monitoring is enabled for Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.2 | Checks if Malware Protection is enabled for an Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.3 | Checks if Audit Log Monitoring for EKS is enabled for an Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.4 | Checks if S3 Protection is enabled for an Amazon GuardDuty Detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.5 | Checks if Amazon RDS protection is enabled for an Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.6 | Checks if Lambda Protection is enabled for an Amazon GuardDuty detector | GuardDuty | DETECTIVE | HIGH | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.7 | Checks if Amazon EKS Runtime Monitoring with automated agent management is enabled for GuardDuty | GuardDuty | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CONFIG.GUARDDUTY.DT.8 | Checks if ECS Runtime Monitoring with automated agent management is enabled for Amazon GuardDuty detector | GuardDuty | DETECTIVE | MEDIUM | Config Rule | Partially Covered | +| CT.GUARDDUTY.PR.1 | Checks whether Amazon S3 protection is enabled on an Amazon GuardDuty detector | GuardDuty | PROACTIVE | HIGH | CF Hook (Proactive) | Partially Covered | + +**Enforcement details:** +- **Scope**: Workload OU +- **Mechanism**: Mixed (Config Rule, CF Hook) +- **Status**: Mixed (Available, Elective) +- **Priority**: High + +--- + +## Control Summary + +| NIST 800-53 Control | Control Name | # AWS Controls | Types | +|---|---|---|---| +| AC-3 | Access Enforcement | 11 | Preventive (SCP, Declarative Policy), Proactive (CF Hook), Detective (Config Rule) | +| AC-4 | Information Flow Enforcement | 22 | Preventive (Declarative Policy), Proactive (CF Hook), Detective (Config Rule, Security Hub) | +| AC-6 | Least Privilege | 7 | Preventive (SCP, Declarative Policy), Proactive (CF Hook), Detective (Config Rule) | +| AC-6(1) | Least Privilege - Authorize Access to Security Functions | 4 | Preventive (SCP) | +| AC-6(10) | Least Privilege - Prohibit Non-Privileged Users | 2 | Preventive (SCP, Declarative Policy) | +| AC-6(9) | Least Privilege - Log Use of Privileged Functions | 1 | Detective (Security Hub) | +| AC-12 | Session Termination | 1 | Detective (Config Rule) | +| AC-17 | Remote Access | 1 | Preventive (SCP) | +| AC-17(1) | Remote Access - Monitoring and Control | 2 | Detective (Config Rule, Security Hub) | +| AC-17(3) | Remote Access - Managed Access Control Points | 3 | Proactive (CF Hook), Detective (Config Rule, Security Hub) | +| AC-22 | Publicly Accessible Content | 1 | Preventive (Declarative Policy) | +| AU-2 | Event Logging | 8 | Proactive (CF Hook), Detective (Config Rule, Security Hub) | +| AU-3 | Content of Audit Records | 6 | Proactive (CF Hook), Detective (Config Rule, Security Hub) | +| AU-5(2) | Response to Audit Logging Process Failures | 1 | Proactive (CF Hook) | +| AU-6 | Audit Record Review, Analysis, and Reporting | 1 | Detective (Config Rule) | +| AU-6(1) | Audit Record Review - Automated Process Integration | 1 | Detective (Security Hub) | +| AU-12 | Audit Record Generation | 7 | Proactive (CF Hook), Detective (Config Rule, Security Hub) | +| CA-3 | Information Exchange | 1 | Proactive (CF Hook) | +| CA-7 | Continuous Monitoring | 9 | Proactive (CF Hook), Detective (Config Rule) | + +## Stage Applicability + +When this extension is enabled, the AI-DLC workflow applies these controls to: +- **Requirements**: Access control (AC family), audit/logging (AU family), and continuous monitoring (CA family) requirements +- **Design**: Architecture constraints for SCP enforcement, network segmentation (AC-4), VPC flow controls, and GuardDuty integration +- **Infrastructure**: AWS Control Tower landing zone configuration, SCP policies, Security Hub enablement, GuardDuty protection settings, CloudWatch logging +- **Code Generation**: IAM policy patterns, least-privilege examples, security group rules, API authorization patterns +- **Testing**: Compliance verification for SCP enforcement, network isolation, logging coverage, and GuardDuty detector configuration + +--- + +*v0.2.0 — Expanded AC family controls (AC-3 through AC-22), added AU family (Audit and Accountability), added CA family (Assessment, Authorization, and Monitoring). Future versions will add additional NIST 800-53 families (SC, SI, IA, etc.).* diff --git a/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53.opt-in.md b/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53.opt-in.md new file mode 100644 index 00000000..e132ebcb --- /dev/null +++ b/aidlc-rules/aws-aidlc-rule-details/extensions/compliance/nist-800-53/nist-800-53.opt-in.md @@ -0,0 +1,19 @@ +# NIST 800-53 — Opt-In + +**Extension**: NIST 800-53 Compliance Controls + +## Opt-In Prompt + +The following question is automatically included in the Requirements Analysis clarifying questions when this extension is loaded: + +```markdown +## Question: NIST 800-53 Compliance +Should NIST 800-53 compliance controls be enforced for this project? This extension maps NIST 800-53 controls to AWS Control Tower preventive and detective controls. + +A) Yes — enforce all applicable NIST 800-53 / AWS Control Tower controls as blocking constraints (recommended for regulated AWS workloads) +B) Yes — but only advisory (SHOULD/MAY, non-blocking) +C) No — skip NIST 800-53 / AWS Control Tower controls +X) Other (please describe after [Answer]: tag below) + +[Answer]: +``` diff --git a/aidlc-rules/aws-aidlc-rule-details/inception/requirements-analysis.md b/aidlc-rules/aws-aidlc-rule-details/inception/requirements-analysis.md index bf0ea729..8880cbd3 100644 --- a/aidlc-rules/aws-aidlc-rule-details/inception/requirements-analysis.md +++ b/aidlc-rules/aws-aidlc-rule-details/inception/requirements-analysis.md @@ -90,11 +90,34 @@ Analyze whatever the user has provided: **When in doubt, ask questions** - incomplete requirements lead to poor implementations. -### Step 5.1: Extension Opt-In Prompts +### Step 5.1: Extension Selection -**MANDATORY**: Scan all loaded `*.opt-in.md` files (loaded at workflow start from `extensions/` subdirectories) for an `## Opt-In Prompt` section. For each extension that declares one, include that question in the clarifying questions file created in Step 6. Present each opt-in question in the same language as the user's conversation. +**MANDATORY**: Scan all loaded `*.opt-in.md` files (loaded at workflow start from `extensions/` subdirectories). Present the user with a single consolidated extension selection menu listing ALL available extensions. Present the menu in the same language as the user's conversation. -After receiving answers: +**Selection Menu Format** (include as a question in the clarifying questions file from Step 6): + +```markdown +## Question: Extensions + +The following extensions are available for this project. Select which ones to enable: + +| # | Extension | Category | Description | +|---|---|---|---| +| 1 | [Extension Name] | [category] | [one-line description from opt-in file] | +| 2 | [Extension Name] | [category] | [one-line description from opt-in file] | +| ... | ... | ... | ... | + +Enter the numbers of extensions to enable (comma-separated), "all" to enable all, or "none" to skip. + +[Answer]: +``` + +**Rules**: +- List ALL extensions with `*.opt-in.md` files in a single table — do NOT present them as individual questions +- Populate the description from each extension's `*.opt-in.md` content +- If only one extension is available, still use this format for consistency + +After receiving the answer: 1. Record each extension's enablement status in `aidlc-docs/aidlc-state.md` under `## Extension Configuration`: ```markdown diff --git a/community-extensions-index.yaml b/community-extensions-index.yaml new file mode 100644 index 00000000..ff0e1289 --- /dev/null +++ b/community-extensions-index.yaml @@ -0,0 +1,32 @@ +# Community Extensions Index +# This file provides discovery and integrity verification for community-authored extensions. +# Community extensions are hosted in external repositories (Proposal C model). +# Official extensions ship in aidlc-rules/aws-aidlc-rule-details/extensions/ (Proposal B model). +# +# To add a community extension: submit a PR adding your entry below. +# See CONTRIBUTING.md for the full submission process. + +schema_version: "1.0" + +extensions: [] + +# Example entry (uncomment and fill in to register a community extension): +# +# extensions: +# - name: "my-extension" +# display_name: "My Extension" +# description: "What this extension does" +# category: "compliance" +# version: "1.0.0" +# maturity: "new" # new | incubating | reviewed | adopted +# author: "Your Name" +# repo: "https://github.com/your-org/your-repo" +# path: "path/to/extension" +# ref: "main" +# files: +# - name: "my-extension.opt-in.md" +# sha256: "" # Required for reviewed+ maturity +# - name: "my-extension-rules.md" +# sha256: "" +# tags: ["compliance", "example"] +# install_path: "extensions/compliance/my-extension" diff --git a/docs/WORKING-WITH-AIDLC.md b/docs/WORKING-WITH-AIDLC.md index 136fe9ab..de9ebf6f 100644 --- a/docs/WORKING-WITH-AIDLC.md +++ b/docs/WORKING-WITH-AIDLC.md @@ -257,7 +257,7 @@ See the answering tips in [Section 1](#the-question--doc--approval-flow) for the - **State deliberate "no" decisions clearly.** `D — no caching required at this time` signals intent. An empty answer invites the AI to make a speculative choice. - **Describe phased approaches inline.** `X — simple role-based workflow now; replace with external workflow engine when available` lets AIDLC design the current solution with the right extension points. -> **Advanced tip — Security Extensions**: During Requirements Analysis, AIDLC will ask whether you want to enforce security extension rules. For production-grade applications, choose Yes. For prototypes, No is fine. This decision is recorded and enforced throughout Construction, so choose deliberately. +> **Advanced tip — Extensions**: During Requirements Analysis, AIDLC presents a selection menu listing all available extensions (security, compliance, testing, etc.). Select the ones relevant to your project — for production-grade applications, enable security and compliance extensions. For prototypes, skip them. This decision is recorded and enforced throughout Construction, so choose deliberately. ---