Merge pull request #46 from aws-solutions/release/v2.1.2

release v2.1.2
aws-solutions · Feb 5, 2025 · 3a38c85 · 3a38c85
2 parents e06791e + d5407a5
commit 3a38c85
Show file tree

Hide file tree

Showing 36 changed files with 197 additions and 159 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.1.2] - 2025-02-05
+
+### Changed
+
+- Updated all SQS Queue policies to specify a Resource in order to meet new SQS Queue policy validation.
+
 ## [2.1.1] - 2024-11-27
 
 ### Changed

diff --git a/README.md b/README.md
@@ -1,6 +1,5 @@
 # Automations for AWS Firewall Manager
 
-:grey_exclamation: Notice: This solution supersedes AWS Centralized WAF & VPC SG Management solution.
 |-----------------------------------------|
 
 **[🚀Solution Landing Page](https://aws.amazon.com/solutions/implementations/aws-firewall-mgr-automations-for-aws-orgs)** | **[🚧Feature request](https://github.com/aws-solutions/automations-for-aws-firewall-manager/issues/new?assignees=&labels=feature-request%2C+enhancement&template=feature_request.md&title=)** | **[🐛Bug Report](https://github.com/aws-solutions/automations-for-aws-firewall-manager/issues/new?assignees=&labels=bug%2C+triage&template=bug_report.md&title=)** | **[📜Documentation Improvement](https://github.com/aws-solutions/automations-for-aws-firewall-manager/issues/new?assignees=&labels=document-update&template=documentation_improvements.md&title=)**

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,8 +1,9 @@
-Reporting Security Issues
--------------------------------------------------------------------------------------------------------------------------------------------------
-We take all security reports seriously. When we receive such reports, we will investigate and
-subsequently address any potential vulnerabilities as quickly as possible. If you discover a potential
-security issue in this project, please notify AWS/Amazon Security via
-our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or
-directly via email to [AWS Security](mailto:[email protected]). Please do not create a public GitHub issue in this
-project.
+## Reporting Security Issues
+
+We take all security reports seriously. When we receive such reports,
+we will investigate and subsequently address any potential vulnerabilities as
+quickly as possible. If you discover a potential security issue in this project,
+please notify AWS/Amazon Security via our [vulnerability reporting page]
+(http://aws.amazon.com/security/vulnerability-reporting/) or directly via email
+to [AWS Security](mailto:[email protected]).
+Please do *not* create a public GitHub issue in this project.
diff --git a/deployment/aws-fms-automations.template b/deployment/aws-fms-automations.template
@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager. Version v2.1.1",
+  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager. Version v2.1.2",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -58,7 +58,7 @@
       "Solution": {
         "SolutionId": "SO0134",
         "SolutionName": "automations-for-aws-firewall-manager",
-        "SolutionVersion": "v2.1.1",
+        "SolutionVersion": "v2.1.2",
         "UserAgentPrefix": "AwsSolution"
       }
     }
@@ -84,13 +84,13 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/assetc965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip"
         },
         "LayerName": "AFM-UtilsLayer"
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/AFM-UtilsLayer/AFM-UtilsLayer-Layer/Resource",
-        "aws:asset:path": "asset.c965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip",
+        "aws:asset:path": "asset.39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip",
         "aws:asset:is-bundled": false,
         "aws:asset:property": "Content"
       }
@@ -136,7 +136,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/assete7cb5e2dea0686ba3f722f727f4b423ddd2bfac37dabf17c6c04f94a970a9553.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset03f60342f65167cb6c1835c2700931f0b56e37fce2cd4a3c1c144c19c21c3123.zip"
         },
         "Description": {
           "Fn::Join": [
@@ -330,7 +330,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/asset3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset3542be390685e0c8353d92ccb5796d343cd93ca946b6b0de798004206a199adc.zip"
         },
         "Description": "AWS CDK resource provider framework - onEvent (CommonResourceStack/HelperProvider)",
         "Environment": {
@@ -500,7 +500,7 @@
             ]
           }
         },
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/automations-for-aws-firewall-manager/v2.1.1/aws-fms-compliance.template"
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/automations-for-aws-firewall-manager/v2.1.2/aws-fms-compliance.template"
       },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",
@@ -529,7 +529,7 @@
             "Ref": "EmailAddress"
           }
         },
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/automations-for-aws-firewall-manager/v2.1.1/aws-fms-policy.template"
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/automations-for-aws-firewall-manager/v2.1.2/aws-fms-policy.template"
       },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",

diff --git a/deployment/aws-fms-compliance.template b/deployment/aws-fms-compliance.template
@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager compliance reporter resources. Version v2.1.1",
+  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager compliance reporter resources. Version v2.1.2",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -34,7 +34,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.1.1",
+        "SolutionVersion": "v2.1.2",
         "UserAgentPrefix": "AwsSolution"
       },
       "Compliance": {
@@ -53,13 +53,13 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/assetc965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip"
         },
         "LayerName": "AFM-UtilsLayer"
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/AFM-UtilsLayer/AFM-UtilsLayer-Layer/Resource",
-        "aws:asset:path": "asset.c965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip",
+        "aws:asset:path": "asset.39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip",
         "aws:asset:is-bundled": false,
         "aws:asset:property": "Content"
       }
@@ -375,10 +375,10 @@
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",
       "Metadata": {
-        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/DLQ/Resource"
+        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/DLQConstruct/DLQ/Resource"
       }
     },
-    "QueuePolicyBEFD7452": {
+    "DLQConstructQueuePolicyD24D92D7": {
       "Type": "AWS::SQS::QueuePolicy",
       "Properties": {
         "PolicyDocument": {
@@ -394,6 +394,12 @@
               "Principal": {
                 "AWS": "*"
               },
+              "Resource": {
+                "Fn::GetAtt": [
+                  "DLQ581697C4",
+                  "Arn"
+                ]
+              },
               "Sid": "AllowPublishThroughSSLOnly"
             }
           ],
@@ -406,7 +412,7 @@
         ]
       },
       "Metadata": {
-        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/QueuePolicy/Resource"
+        "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/DLQConstruct/QueuePolicy/Resource"
       }
     },
     "ComplianceGeneratorServiceRoleA6DF4428": {
@@ -494,7 +500,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/asset7e132bb3e75b685b9582edb61790c7e0e5f6c82d1e1c6d7d57fad08d0f0f7843.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset7416b022d5d3f823c18e63506d7823b6534e42aabd68aadc084c2ad916d7bf59.zip"
         },
         "DeadLetterConfig": {
           "TargetArn": {
@@ -778,7 +784,7 @@
     "CDKMetadata": {
       "Type": "AWS::CDK::Metadata",
       "Properties": {
-        "Analytics": "v2:deflate64:H4sIAAAAAAAA/1VQTW/CMAz9LdyDB3SHXQfSTvvoyrQrclMPhbZJFycgFPW/T0lA7S5+7/k9R3Y2sH5cwWqBF17Kpl12qobwTuyo2TuUrdj96BIt9uTIRvGGw6D0UeCFD6HDvm4QwiteyX6TZWV0DP3TL15LdzPmvCTbK46RUXBxQGZyDM8RBBcQtl625LbIJDKNQzeWoTSdktepnfUoWDOELzMoGb1MUp0G5nLva5ZWDffF5noU/MsQPj15il4mqU6PzeQoFPYQKtOleMIpeM/QmbRjCJW/xXxH4yjS7XuHx/jBFbHxVib/w7vBp/vn3Z3RjcpLatMQnPjhvH6CzQqKxYmVWlqvneoJqox/MBCYFuwBAAA="
+        "Analytics": "v2:deflate64:H4sIAAAAAAAA/1VQy27CMBD8Fu5my6Oqei1IPfWRhqpXtHEWZJLYqdcGISv/XtkGJb3szOzMWrtewfJxAYsZXngu62beqgrCB7GjeudQNmJ70AVa7MiRjeId+17po8AL70OLXVUjhDe8kv0hy8roGPqnX72W7mZMeUG2Uxwjg+D1HpnJMbxEELyGsPGyIbdBJpFpHLqxDIVplbyO7awHwZohfJteyehlkuo4MJU7X7G0qr8vNtWD4F+G8OXJU/QySXV8bCIHobCDUJo2xROOwXuGzqQdQyj9LeZbGgaRbt85PMYPLomNtzL5n971Pt0/7W6NrlVeUpua4MQP5+UzrBbwNDuxUnPrtVMdQZnxD/DnEV3sAQAA"
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/ComplianceGeneratorStack/CDKMetadata/Default"

diff --git a/deployment/aws-fms-demo.template b/deployment/aws-fms-demo.template
@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134D) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager demo resources. Version v2.1.1",
+  "Description": "(SO0134D) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager demo resources. Version v2.1.2",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
     "testcloudfronts3S3LoggingBucket90D239DD": {
@@ -966,7 +966,7 @@
     "CDKMetadata": {
       "Type": "AWS::CDK::Metadata",
       "Properties": {
-        "Analytics": "v2:deflate64:H4sIAAAAAAAA/3VRwW7CMAz9Fu5pKHSH7TbWDcRlqyjiOqWu2QwlQbEDQlX/fWrLKBdO7/nZenmxp7qePMU6HpkzR1Duo4oKXediYK/Mmb9rTnT9FmCPotKtvbIeMlcRXAa5rxsFlQvl1jsrup4HC0LOtlM3/k4snorQFV+efsjOAJB5WaIVks4zbV3mrcujiXubRiFMdb05QtvZZKnKQlER5KGwffSBrVwQXJuiwkEftBmzAzL/obtGSz6WWQufRhZG8GwuKvN0MoKD8dIKeou3gT7JtZqJGPg9oBWVIwRPcll4F45dhnuhadQK2QUP3bv3PHW2pP67yYuOR6/t1dhV3Qo4AmdZfADhcXfO2x0iTvSwz7XLk0ZZV6Le8fg0edbTWCejHRNFPlihA+pVj38pTINfHwIAAA=="
+        "Analytics": "v2:deflate64:H4sIAAAAAAAA/3VRwW7CMAz9Fu5pKHSatttYNxCXraKI65S6ZjOUBMUOCFX996kto1x2es/P1suLPdX15CHW8cicOYJyH1VU6DoXA3tlzvxVc6Lr1wB7FJVu7ZX1kLmK4DLIfd0oqFwot95Z0fU8WBBytp268Tdi8VSErvj09E12BoDMyxKtkHSeaesyb13+m7i3aRTCVNebI7SdTZaqLBQVQR4K20cf2MoFwbUpKhz0QZsxOyDzF7prtOR9mbXwYWRhBM/mojJPJyM4GC+toLd4G+iTXKuZiIGfA1pROULwJJeFd+HYZbgXmkatkF3w0L17z1NnS+q/mzzrePTSXo1d1a2AI3CWxQcQHnfnvN0h4kQP+1y7PGmUdSXqHY9Pkyc9jfXjaMdEkQ9W6IB61eMv6bsKFB8CAAA="
       },
       "Metadata": {
         "aws:cdk:path": "DemoStack/CDKMetadata/Default"

diff --git a/deployment/aws-fms-policy.template b/deployment/aws-fms-policy.template
@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134-po) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager. Version v2.1.1",
+  "Description": "(SO0134-po) - The AWS CloudFormation template for deployment of the automations-for-aws-firewall-manager. Version v2.1.2",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -65,7 +65,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.1.1",
+        "SolutionVersion": "v2.1.2",
         "UserAgentPrefix": "AwsSolution"
       },
       "PolicyManager": {
@@ -307,13 +307,13 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/assetc965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip"
         },
         "LayerName": "AFM-UtilsLayer"
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/AFM-UtilsLayer/AFM-UtilsLayer-Layer/Resource",
-        "aws:asset:path": "asset.c965a81477226dc8ad191791e3f5719ab4fea400b7f1197de8016f0765c68b4f.zip",
+        "aws:asset:path": "asset.39e0fe65b28834a78b2a04686eb425d8da953f46e15d3c72e6183b0239da32b3.zip",
         "aws:asset:is-bundled": false,
         "aws:asset:property": "Content"
       }
@@ -760,7 +760,7 @@
               {
                 "Ref": "AWS::Region"
               },
-              "/automations-for-aws-firewall-manager/v2.1.1/policy_manifest.json\",\"Key\":\"policy_manifest.json\"},\"physicalResourceId\":{\"id\":\"1732588519861\"},\"logApiResponseData\":true}"
+              "/automations-for-aws-firewall-manager/v2.1.2/policy_manifest.json\",\"Key\":\"policy_manifest.json\"},\"physicalResourceId\":{\"id\":\"1738685405510\"},\"logApiResponseData\":true}"
             ]
           ]
         },
@@ -875,7 +875,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/asset97f30e67419a1676a2215492723e5add1aa491caf0cbe2dd878fc4fab0468cd4.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset97f30e67419a1676a2215492723e5add1aa491caf0cbe2dd878fc4fab0468cd4.zip"
         },
         "Handler": "index.handler",
         "Role": {
@@ -905,10 +905,10 @@
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",
       "Metadata": {
-        "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/DLQ/Resource"
+        "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/DLQConstruct/DLQ/Resource"
       }
     },
-    "QueuePolicyBEFD7452": {
+    "DLQConstructQueuePolicyD24D92D7": {
       "Type": "AWS::SQS::QueuePolicy",
       "Properties": {
         "PolicyDocument": {
@@ -924,6 +924,12 @@
               "Principal": {
                 "AWS": "*"
               },
+              "Resource": {
+                "Fn::GetAtt": [
+                  "DLQ581697C4",
+                  "Arn"
+                ]
+              },
               "Sid": "AllowPublishThroughSSLOnly"
             }
           ],
@@ -936,7 +942,7 @@
         ]
       },
       "Metadata": {
-        "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/QueuePolicy/Resource"
+        "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/DLQConstruct/QueuePolicy/Resource"
       }
     },
     "PolicyManagerTopicF9775E18": {
@@ -1070,7 +1076,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "automations-for-aws-firewall-manager/v2.1.1/assetf91af2212d14e3f9d6376511d6c31f975d421193831cd9fd25e75990590c8cbb.zip"
+          "S3Key": "automations-for-aws-firewall-manager/v2.1.2/asset5d6ba088a94867c6b54457ea07a8b74f50ebbff66ed97686d9b6ae5489bac81c.zip"
         },
         "DeadLetterConfig": {
           "TargetArn": {
@@ -1834,7 +1840,7 @@
     "CDKMetadata": {
       "Type": "AWS::CDK::Metadata",
       "Properties": {
-        "Analytics": "v2:deflate64:H4sIAAAAAAAA/21SwW7bMAz9ltxlNW122G5rvW4YkG1pXOwaKDJtsLEpT5QSBIL+fZCc2G3Ri/ne4xMp0byT4fbTUi4X6sSFrg9Fh3sZfgM7qCun9EGUDW2UVT04sIn8UsOA1CZYGqrRoSGhTrwLner3tZJhrc5g/4LllCkbesMrpLYDZ+i7J53PTqBsZvHxCOR+0tEcoDTUYO73obgB2yOn2lHwaqeYwbG8T0HwSoYHrw/gHhSDGGE6dEFj2JgO9XmWRx4Fcy9D5SxSu0Z2b6Ywk9Ew8ShQ9TJsTQfJl+PcYCr9j2V48uCzaQT5O1tf0SiYWIZnM6BOqRFUfs/a4nCd3WseBaRZsQxbf7mI7yCKzrQsw9q0P6zxQ/45V/zkwZ6/QYOE14rvpBhFHmvlVHvZgC2w8VaDmID27Ey/sxfO8v7EZdYmy3va0B/vBu+iWH2Ry8XXtIpsOp96cqENsbNeO75JifyuvcW6heKycI+z9GzWWYuCTA3yhW+Ot5/l3VKuFi+MWFhPDnuQ2zH+B1bFFR/+AgAA"
+        "Analytics": "v2:deflate64:H4sIAAAAAAAA/21SwW7bMAz9ltxlNm2GYbut9bphQLalSbFroMi0wcaWPFFKEAj690GyY7fFLuZ7j0+kRPMOwu2HJSwX8syFqo5FSwcIv5AdVjsn1VGUtd5IKzt0aBP5KfuedJNgaXRFjowW8sz70MruUEkIa3lB+wctp0xZ6zd8R7pp0Rn9zWuVz06grGfx8YTa/dAnc8TS6Jpyv/+KG7QdcaodBa/2khkdw30KglcQHrw6onuQjGKA6dCIhrAxLanLLA88CuYOws5Z0s2a2L2ZwkwGw8SjINlB2JoWky/HucFU+i9DePLos2kA+TtbX9EoWDOEZ9OTSqkB7PyBlaX+OrvXPApMs2IIWz9exLcYRWsahrA2zXdrfJ9/zhU/ebSXr1iTpmvFd1KMIo9152QzbsAW2XirUExAeXam29uRM9yfuczaZHlPa/3bu967KFafYbn4klaRTetTTy6U0eysV45vUiK/62CparAYF+5xlp7NOmtRaFMhvPDN6fYT3C3h4+KFiQrrtaMOYTvEf5YynFT+AgAA"
       },
       "Metadata": {
         "aws:cdk:path": "CommonResourceStack/PolicyStack-DefaultPolicy/CDKMetadata/Default"