Releases: aws-samples/aws-secure-environment-accelerator
Release v1.2.5
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Existing installations of v1.2.5 continue to function
IMPORTANT
- Releases prior to v1.2.5 leverage APIs being deprecated on March 31, 2021, please upgrade accordingly
- A manual pre-upgrade procedure is required before upgrading to v1.2.5, see Upgrade Considerations in the Installation Guide
- UPDATE: The Organization Account Access Role (default: AWSCloudFormationStackSetExecutionRole) has been moved within the governance structure. This role can continue to be used for troubleshooting/investigative purposes, without the previous associated risk. It can no longer be used to perform corrective actions or make changes to ASEA controlled resources.
Enhancements
- Pinned all dependencies to exact versions (#563)(#558)(#588)
- Upgraded CDK from 1.75.0 to 1.85.0 (#587)
- Removed references to deprecated CDK modules (#585)
- Migrated off StackSets, enabling customers to define a custom Org account trust role (#568)(#576)(#579)(#583)
- Added state machine flag to enable rebuilding "storeAllOutputs" (#554)
- Prevent multiple concurrent Accelerator executions (#575)
- Add ability to create cross-account role with read-only access to log-archive bucket (#543)(#589)(#596)
  - Used to feed SIEM solutions in Ops account
- Minor CloudWatch Event and SCP enhancements
Fixes
- Add missing rsysLog parameter to SSM ParameterStore in perimeter account (#555)
- Fix new installations with 3 AZs which caused MAD deployments to fail (#565)
- Resolve S3 'consistency' issues caused by enabling bucket versioning (#564)
- Fix issue when CloudWatch central logging was only enabled on a single central account (#566)
- After 100 upgrades, parameter store truncates version history, dropping initial install version (#574)(#577)
- CreateAccount trigger fails when triggered with IAM user (#573)
- Fix missing protections for unsupported or risky config file changes (#584)
- Continue to leverage customer customizations to non-core config files found in customer bucket after upgrades (#591)
- Bypass SCP change prevention on ignored-ous (#595)
Documentation
- Add additional sample Accelerator config files (ultra-lite and multi-region) (#562)
- Add documentation to detail Accelerator config file protections
- Update documents for v1.2.5 release, clarify upgrade process, remove pre-1.2.0 references
- Minor tweaks and clarifications
- Fix PDF document generator
Config file changes
- Renamed ssm-log-archive-access to ssm-log-archive-write-access (both supported interchangeably for several releases)
- Added ssm-log-archive-read-only-access parameter (Optional)
- Tweaked MFA CloudWatch Alarm to reduce noise (Optional)
- Add additional CloudWatch Alarm (IAM Unapproved IP) (Optional)
Release v1.2.4
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021
IMPORTANT
- Upgrading to this release (or a newer release) requires mandatory updates to the configuration file as described below
Enhancements
- Set S3 bucket ownership flag on log-archive buckets (#522) (5bb589a)
- Script to generate Accelerator config rules based on AWS Conformance packs (#530) (a19cb57)
- Add an additional 94 config rules based on the NIST800-53 Conformance pack (#540) (4785097)
- Add a 2nd remediating config rule (S3 bucket KMS encryption) (#536) (cea5fe1)
  - while customers can provide their own SSM documents, this remediation required a minor code change
- Switch to Amazon ECR Public image for the build image to avoid Docker throttling issues (#544) (4e3d68d)
- CDK upgrade to v1.75.0 (#520) (372aba4)
Fixes
- Fix issues related to suspending AWS accounts (#518/#546) (3ad41ad)(a8aec1a)
- Pin Lambda versions to prevent old Lambda versions from executing during upgrades (#537) (6223d8d)
- Pin a 3rd party dependency which broke new installs (#553) (22ed587)
- Move zone configuration to VPC config / add a central-endpoint vpc flag (#528/#535) (47cd70b)(15647d7)
  - fixes issues with an ultra-lite config file (i.e. removal of endpoint VPC)
  - enables defining R53 zones on any VPC, not just the central VPC
- Update Security Hub automation to enable disabling security standards and controls using Accelerator config file (#526) (e76f581)
- Fix issue related to not deploying any IAM policies in the Accelerator config file (#529) (71c48fb)
- Fix issue related to using arrays with multi-part config files (#521) (c364f85)
Documentation
- Enhance Installation and Operations Guides
- Add v1.1.4 to v1.2.3 upgrade instructions
- Finalize Developer guide
- Move FAQ from Installation Guide to separate document, enhance content
- Move config file customization info from Installation Guide to Customization Guide
- Tweak sample configuration files
Config file changes
- Upgrading to this release requires mandatory updates to the configuration file (see latest sample config files) (PR528)
  - the zones section should be removed from global-options (will simply be ignored if not removed)
  - "central-endpoint": true MUST be added to the endpoint VPC config in the shared-network account
  - any previously deployed zones MUST be added to the endpoint VPC config in the shared-network account, i.e.
      "zones": {
        "public": ["cloud-hosted-publicdomain.example.ca"],
        "private": ["cloud-hosted-privatedomain.example.ca"]
      }
- Optionally decide to deploy the 94 new config rules (PR540) and the new S3 bucket auto-remediation (PR536)
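The zones migration above is the one mandatory edit in this release, and it is easy to get half-done (zones removed from global-options but never re-added to the endpoint VPC). The following script is an added example, not code from the Accelerator project: it applies the described move to a config loaded as a Python dict and then verifies that every zone that was previously deployed under global-options is now carried by a VPC flagged "central-endpoint": true. The keys global-options, zones, central-endpoint and the shared-network account name come from the release notes; the path mandatory-account-configs -> shared-network -> vpc (a list of objects with a "name") and the sample config itself are assumptions constructed for the example.

```python
"""Helper for the v1.2.4 'zones' config migration described in the release notes.

Added example, not part of the Accelerator project. It assumes the config file
is JSON with the top-level keys "global-options" and "mandatory-account-configs",
and that the shared-network account's VPCs live under
mandatory-account-configs -> shared-network -> vpc (a list of objects with a
"name"). Those paths are assumptions; only the "zones", "global-options" and
"central-endpoint" keys and the shared-network account come from the notes.
"""
import copy
import json

SHARED_NETWORK_ACCOUNT = "shared-network"  # account named in the release notes


def shared_network_vpcs(config):
    """Return the list of VPC objects in the shared-network account (assumed path)."""
    return (
        config.get("mandatory-account-configs", {})
        .get(SHARED_NETWORK_ACCOUNT, {})
        .get("vpc", [])
    )


def migrate_zones(config, endpoint_vpc_name):
    """Apply the v1.2.4 change: remove global-options.zones, mark the endpoint VPC
    with "central-endpoint": true and carry the zones over to it. Returns a new config."""
    new = copy.deepcopy(config)
    zones = new.get("global-options", {}).pop("zones", None)
    target = next(
        (v for v in shared_network_vpcs(new) if v.get("name") == endpoint_vpc_name), None
    )
    if target is None:
        raise ValueError(f"no VPC named {endpoint_vpc_name!r} in {SHARED_NETWORK_ACCOUNT}")
    target["central-endpoint"] = True
    if zones:
        merged = target.setdefault("zones", {})
        for kind in ("public", "private"):
            existing = merged.setdefault(kind, [])
            for zone in zones.get(kind, []):
                if zone not in existing:
                    existing.append(zone)
    return new


def check_migration(old_config, new_config):
    """Compare a pre-1.2.4 config with its migrated form. Returns a list of
    findings; an empty list means the mandatory changes are all present."""
    findings = []
    if "zones" in new_config.get("global-options", {}):
        findings.append("global-options.zones is still present (ignored, should be removed)")
    central = [v for v in shared_network_vpcs(new_config) if v.get("central-endpoint") is True]
    if not central:
        findings.append('no shared-network VPC has "central-endpoint": true')
        return findings
    # Every zone that was deployed from global-options must now live on a central-endpoint VPC.
    old_zones = old_config.get("global-options", {}).get("zones", {})
    for kind in ("public", "private"):
        for zone in old_zones.get(kind, []):
            carried = any(zone in v.get("zones", {}).get(kind, []) for v in central)
            if not carried:
                findings.append(f"previously deployed {kind} zone {zone!r} missing from endpoint VPC zones")
    return findings


# Constructed sample: a minimal pre-1.2.4 config using the domains from the release notes.
OLD_CONFIG = {
    "global-options": {
        "zones": {
            "public": ["cloud-hosted-publicdomain.example.ca"],
            "private": ["cloud-hosted-privatedomain.example.ca"],
        }
    },
    "mandatory-account-configs": {
        "shared-network": {
            "vpc": [
                {"name": "Endpoint", "region": "ca-central-1"},
                {"name": "Central", "region": "ca-central-1"},
            ]
        }
    },
}

if __name__ == "__main__":
    migrated = migrate_zones(OLD_CONFIG, "Endpoint")
    print(json.dumps(migrated, indent=2))
    print("findings:", check_migration(OLD_CONFIG, migrated))
```

Run check_migration against your real pre- and post-upgrade files (after json.load) before starting the state machine; a non-empty findings list means the upgrade would either ignore or silently drop zones that are already deployed.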
Release v1.2.3
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021
Features
- Enable new GuardDuty S3 protection feature (#509) (ab572db)
- Deploy and share SSM Documents (ELB sample remediation document) (#469) (b47977f)
- Deploy Config Rules with SSM remediation (ELB sample rule) (#469) (b47977f)
  - additional rules will be added via a config file update prior to next release
Enhancements
Fixes
- Lambda Timeout (OU-Validation) when using YAML (#475) (6d366c3)
- Adding new AZs (subnets) to a TGW attached subnet causes SM failures (#470) (0ba50a2)
- SCP tweak - fix Neptune/DocDB issue (#468) (b3aa4da)
- Fix adding local interface endpoints when VPC already using central endpoints (#463) (fcb9f26)
- Improve limit check logic to handle removals at same time as additions (#460) (0378ab8)
- Properly manage suspended AWS accounts (#464) (d2946a7)
- Issue when upgrading from older releases (i.e. v1.1.4) (#513)
- Fix typo in account move logic (#513)
Documentation
- Refine and update Installation Guide
- Add detailed Fortigate configuration document
- Update, clarify and improve Developer Guide
- Document what we do where (which services in which regions)
- Migrate roadmap to GitHub Projects
- Migrate Issues management to GitHub Issues
- Minor readme.md modifications
Release v1.2.2
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021
Fixes
- ALBs fail to deploy when Accelerator home region is not ca-central-1
- Add additional back-off, retry code for ConfigRecorder bucket permission errors (eventual consistency)
- Fix the security group naming fix
Enhancements
- Code: Replace TSLint with ESLint
- Minor SCP improvements to better protect Accelerator integrity
- Sample config file refinements (optional)
Documentation
- Update repo files for open sourcing (License, Notice, Changelog, Contributing, etc.)
- Clarify and improve installation instructions, operating instructions and FAQs
- Minor tweaks throughout documentation
Release v1.2.1b
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021
Fixes
- Fix upgrade failure from v1.2.0 from v1.2.1 (#422) (86647d2)
- Fix clean installation issue created in v1.2.1 (#423)
- Minor documentation tweaks
Documentation
- Added unofficial Secure Environment Accelerator feature Roadmap
Release v1.2.1 (Pre-Release)
This is a pre-release and not officially supported
Features:
- Store outputs in SSM Parameter Store for customer consumption (z121) (#404) (400f2a0)
- Add VPC DNS query logging (7.70) (#414) (6a1e796)
- Add an Accelerator uninstall-script - developers ONLY - non-production (#408) (ecf724b)
- Add option to exclude alb deployment on a specific workload account (z129) (#380) (771beaa)
- Add option to exclude specific regions from delete default vpcs in a specific account (z130) (#383) (887a550)
- Add sleep before SM execution on move account to allow multiple account creation (z132) (#391) (1f5e8df)
- Moved SSM inline policy to managed policy (z128) (#378) (31c9761)
- Updated CDK version from 1.46 to 1.66
- SCP Updates (EFS Encryption, Better protect: KMS, IAM Policies, CWL) (#419)
- Automated generation of PDF format of all documentation during release (#417) (2029e9a)
- Add support for multi-region central endpoints, PHZs (z136/z137) (#410) (816a0b9)
Fixes:
- Updated to new IAM policy for AWS Config (old policy flagged for deprecation) (z138) (#407) (03d509d)
- Fix log group creation issue for Public Hosted Zone logging (z117) (#406) (5845d28)
- Fix multi-region PHZ Resolver rules (z127) (#395) (c50c0fe)
- Fix Macie stabilization issue (z133) (#394) (48de21b)
- Added check for file exists in the account bucket (firewall configs) (z135) (#392) (a04aa26)
- Improved hash for launch config properties (z112) (#388) (ff03bae)
- Fix retention on local account S3 buckets (z113) (#385) (f8625d1)
- Email IgnoreCaseCheck in store outputs and create config recorder (#376) (5769f16)
- Fixed remote region tagger for shared resources (z124) (#377) (dbfab38)
- Reduce SM input (z123) (#374) (af64545)
- Upgrades break CWL to S3 functionality (z126) (#375) (0a7712d)
- Security group description tweaks for new installs (z111) (#373) (f2596fc)
Documentation:
Release v1.2.0
Release v1.1.9
Features:
- 6.25 - Enable TGW inter-region peering & route table mgmt (#364) (1219237)
- 7.50 - Deploy global SNS topics (#360) (49fff99)
- 7.55 - Create Metrics and Alarms (#363) (dc2164f)
Fixes:
- Added region to resolver cleanup script (#369) (903143c)
- Check proper accountkey while creating role for SSM Document (#368) (88d03fb)
Documentation:
- Document multi-file config file and YAML config file options
- Document Firewall variables
- Cleanup config file sample snippets
- Add Table of Contents to each document
- Remove unused config file parameters
- Add optional config file values for SNS, CW Metrics and CW Alarms
Release v1.1.8
Features
- 6.30 - Regionalize CWL to S3 functionality (#346) (15e5779)
- 7.40 - Update SCPs for Standalone Version (#353) (ed0e715)
Fixes
- Code base review and stabilization, ensure error handling coverage (#351) (2f965c3)
- Fix creation of LogGroup for Route53 hosted zone Logging (#356) (4ff03a8)
- Move Security Hub control settings to next phase
- Turn on "Include Global Resources" for Config in all regions (Security Hub requirement)(#355)
- Tweak AWS Config role permissions (#359) (015d122)
- Remove extra resolver rule for private hosted zones (#345) (4e23b86)
- Move master account to core OU, email address validation case insensitive (#344) (cca2f2f)
- Updating reference SCPs to exclude NetworkManager from Region Restriction (#352) (7cd51d8)