Releases: aws-samples/aws-secure-environment-accelerator
Release v1.3.9
Important
- Upgrades to the v1.5.x release require customers first upgrade to v1.3.8 or higher
- This release is no longer installable by customers based on changes to IAM role trust policy behavior, to tagging behavior (#1085), and due to the deprecation of Python 3.6
- Existing customers will likely no longer be able to upgrade to this release based on changes to tagging behavior (#1085) and the deprecation of Python 3.6
- Existing customers will no longer be able to upgrade to this release based on changes to tagging behavior (#1085) without manual intervention
- Existing customers can continue to upgrade to this release until Feb 14, 2023 (revised to Nov 14, 2022)
- As this release is based entirely on Node.js 12, upgrades to this release are NOT possible after Nov 14, 2022
- All Accelerator releases prior to v1.5.0 will cease to function on Feb 14, 2023 (revised to Nov 14, 2022) when Node.js 12 is deprecated and role policy allow-listing expires
NOTE: Before attempting to upgrade to this release, be aware that the config file has several Python 3.6 config rules defined. The upgrade will fail if these are not FIRST updated in the customer config file to deploy using Python 3.7 (no code changes required).
Enhancements
- Enable static IP assignment for private ENIs on Fortinet firewalls (also in fix/v1.3.8-a) (#796)
- Add s3:ListBucket permission to log archive read only role enabling Athena (#799)
Fixes
- Adjust R53 zone names for interface endpoint names containing periods (e.g. ECR) (#810)
- Various logging, scaling and retry enhancements (#807, #813, #815, #816, #817, #819, #818)
- Update SCPs to fix CloudFront console and customer CDK S3 issue (#801, #803)
Config file changes
Release v1.3.8
Notes
- This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085)
- If upgrading, please upgrade directly to v1.3.9
Fixes
Scaling related:
- DynamoDB throttling storing outputs
- GuardDuty infinite loop
- Paginate API calls for MAD sharing, Security Hub activation, and parallel stack deployments
- Stack verification failure in bootstrap phase
Enhancements
- Add a developer local development script
Config file changes
- None
Release v1.3.7
Release v1.3.6
IMPORTANT
- This release has an outstanding issue during new installations
  - State machine will fail when Org enabling/delegating GuardDuty and/or Macie in Phase 1
  - To finish the installation successfully, simply rerun the state machine
  - This release was pushed out so customers do not need to perform any manual cleanup when this failure occurs (required in v1.3.5 due to #777) as we need more time to fix the issue
Fixes
- State Machine fails on new installs when Macie already enabled (#766)
- NATGWs deployed by ASEA are not protected by guardrails - SCP tweak (#774)
- Access Analyzer Validate Policy API is blocked by guardrails - SCP tweak (#776)
- Empty "license" parameter passed to BYOL firewall appliances not properly populated (#776)
Documentation
- Add an object naming document detailing prefixes, suffixes and tags for Accelerator created objects (#776)
- Update known issues section of install guide (#776)
Config file changes
Release v1.3.5
IMPORTANT
- All new installations and upgrades must use v1.3.5 or higher
- Fix #763 resolves an issue where all installs or state machine executions that include a new TGW deployment fail
Fixes
- New TGW deployments cause SM failure due to tagging issue (caused by AWS platform behavior change) (#763)
- Fix VPN Tunnel options for static CGW routing (#751)
Enhancements
- Update Fortinet AMIs to v6.4.6 (v6.4.5 went EOL) (#764)
Documentation
- Document describing steps to move an ALZ linked account "as is" to an ASEA Org (#750)
- Minor FAQ tweaks (#747)
Config file changes
- None
Release v1.3.4
Enhancements
- Update Fortinet AMIs to v6.4.5 (v6.4.4 went EOL) (#745)
- Update to latest CodeBuild build image (previous went EOL) (#732)
- Tweak SCPs (#734)
  - block services without 3rd party assessments (Lightsail, Sumerian, Cloud9, GameLift, AppFlow)
  - block Amazon IQ (Freelancer Marketplace)
  - remove services from global services exception list (Import/Export, Mobile Analytics, Well-Architected)
  - remove deletion prevention for cf-template-* S3 buckets (no longer required)
- Add a new lower cost PBMM config file for PoC/test purposes (#5 in customization-index.md)(#734)
Fixes
- Fix TGW cross account VPC attachments issue (#732)
- Enable TGW static routes on non-peered TGWs (#735)
- Enable static routing on VPN Attachments (#741)(#743)
- Fix issue when multiple VPC peering connections created in same account (#743)
- Enable multiple routes in VPC route tables pointing to same PCX, TGW or NATGW connection (#743)
Documentation
Config file changes
- Tweak Security Hub disabled rules (OPTIONAL)(#734)
  - Enable PCI.KMS.1 and CIS 2.8
Release v1.3.3
Enhancements
- Add a new optional verbose logging level for the state machine (#698)
- Add the ability to optionally control account level SCPs with the Accelerator (#708)
- Add support for up to 5 CIDR ranges on VPCs (#705)
- Minor security enhancements (#704)
  - Tighten permissions on one role
  - Tighten VPC interface endpoint security group permissions and enable customization
- Accelerator uninstall script improvements (#709)(#719)
- Add SCP to block ClientVPN Setup/Configuration (#725)
Fixes
- Fail the state machine if a CloudWatch Metric cannot be deployed due to a missing log group (#697)
- Extra validation to ensure GuardDuty enabled on all member accounts (#721)
- Handle SCP attachment events on Accelerator managed OUs and accounts (#720)
- Stop removal of customer SCPs from accounts when not Accelerator managed (#711)
- Only attach NATGWs to subnets as defined in the config file (#705)
- Remove assumerole block on Accelerator role SCP (#723)
Documentation
- Update documentation for v1.3.2 and v1.3.3 (#699) (#723)
  - Install guide, FAQ, Sample Snippets, State Machine Inputs
Config file changes
- Subnet level `"cidr2":` objects renamed to `"cidr":` (MANDATORY)(#723)
- VPC level `"cidr2": "a.b.c.d/z"` field changed to array `"cidr2": ["a.b.c.d/z"]` (MANDATORY)(#723)
- Replaced several CIDR ranges with variables (OPTIONAL)(#723)
  - Enables updating these values in one place rather than many
  - Highlights values that may need to be updated by customers
- Updated the default `organization-admin-role` to align with AWS default (NEW INSTALLS ONLY)(#723)
- Removed duplicate NIST800-53 Config rules which overlapped with deployed Security Hub rules (RECOMMENDED)(#722)
- In release v1.3.1 we missed adding `"security-hub": true` to the sample config files (RECOMMENDED) (#690)
- Add `logs` and `monitoring` endpoints to the `lite` sample config file to resolve session manager issues (RECOMMENDED) (#712)
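The two MANDATORY `cidr2` changes above are mechanical enough to script. The helper below is an added example, not code from the ASEA project: the sample config and its nesting (`organizational-units` / `vpc` / `subnets` / `definitions`) are constructed and assumed, and the rewrite is driven only by the value-type rule the notes describe (a string at VPC level, an object at subnet level).

```python
import json
from typing import Any

# Constructed sample of a pre-v1.3.3 config. Only the pieces the release
# notes mention are modelled; the surrounding key names are assumptions.
SAMPLE_V132 = {
    "organizational-units": {
        "core": {
            "vpc": [
                {
                    "name": "Endpoint",
                    "cidr2": "10.2.0.0/16",
                    "subnets": [
                        {"name": "Web", "definitions": [
                            {"az": "a", "cidr2": {"value": "10.2.0.0/24"}}
                        ]}
                    ],
                }
            ]
        }
    }
}


def migrate_cidr2(node: Any) -> Any:
    """Apply the v1.3.3 cidr2 changes in place and return the node.

    VPC level: a "cidr2" string becomes a one-element array.
    Subnet level: a "cidr2" object is renamed to "cidr".
    Already-migrated input (array at VPC level, "cidr" at subnet level)
    is left untouched, so running the migration twice is safe.
    """
    if isinstance(node, dict):
        value = node.get("cidr2")
        if isinstance(value, str):
            node["cidr2"] = [value]
        elif isinstance(value, dict):
            node["cidr"] = node.pop("cidr2")
        for child in list(node.values()):
            migrate_cidr2(child)
    elif isinstance(node, list):
        for child in node:
            migrate_cidr2(child)
    return node


def migrate_sample() -> dict:
    """Migrate a fresh copy of the constructed sample (keeps SAMPLE_V132 intact)."""
    return migrate_cidr2(json.loads(json.dumps(SAMPLE_V132)))


def migrate_config_text(text: str) -> str:
    """Migrate a raw config.json string and return the rewritten JSON."""
    return json.dumps(migrate_cidr2(json.loads(text)), indent=2)
```

Diff the output against the original file before committing it, since the walker rewrites any `cidr2` key it finds, wherever it sits in the document.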
Release v1.3.2
IMPORTANT
- All new installations and upgrades must use v1.3.2 or higher
Fixes
- Pin pnpm version (breaking issue for new installs/upgrades)
- Improve SCP for root user
- Improve SEA cleanup script
Release v1.3.1
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Existing installations continue to function
Enhancements
- Enable deletion protection on all SEA deployed ELBs
- Enable central logging for rsyslog NLB
- Add bucket policies on all SEA buckets to enforce https access
- Enable guardrail deployment in new ap-northeast-3 region in sample config files
- Enhance SCPs to block making snapshots public/sharing
Fixes
- Add pagination to SSM document sharing API call
  - deploying new documents to orgs with more than 20 accounts causes failure
- CloudWatch log groups created in Phase5 missing subscription and retention settings
- Improve API error handling (back-off, retry improvements)
- Add pnpm lock file to pin all nested dependencies
  - this issue breaks all previous releases
Documentation
- Update installation document for v1.3.1 release
Config file changes UPDATE (missed in original release notes)
- Added new parameters to allow enable/disable of Security Hub to allow guardrail deployment in the ap-northeast-3 region
  - customers must add `global-options\central-security-services\security-hub: true`, or existing Security Hub deployments will be removed (MANDATORY)
  - customers must add
Release v1.3.0
STOP
- This release is no longer supported for new installations or upgrades, use v1.3.2 or above
- Existing installations continue to function
IMPORTANT
- Please note MAJOR changes to state machine behavior, as documented here.
Features
- Centralize Accelerator CDK buckets (one bucket per region instead of one per account per region) (#572)
  - move to new CDK `default` synthesizer from the `legacy` synthesizer
- Enable customer control of State Machine execution scope (#606)(#637)
- Enable deploying customer provided config rules (#654)
- Detect and remediate EC2 instances without a role (to allow using Systems Manager and Centralized Logging)
- Detect and remediate EC2 instance profiles without desired permissions (to allow using Systems Manager and Centralized Logging)
Enhancements
- Convert to Org based permissions to avoid policy size challenges (#622)
- Update firewalls to v6.4.4, refine configs and add option to provision the 2nd tunnel/connection (#638)
- Enable changing Accelerator prefix for NEW installs (#632)(#639)
- Change the default GitHub and CodeCommit repo branch names to `main` (#647)(#648)(#643)(#645)
Fixes
- Fix intermittent issue with `ssm-log-archive-write-access` feature (#653)
- Revert SCP change to enable root to suspend accounts
Documentation
- Update sample config files (#659)
- Update Docs to reflect v1.2.6 and v1.3.0 releases (#634)(#656)
- Improve ACM cert import documentation (add "chain" attribute) (#640)
Config file changes
- Removed "managed-rules" level from `aws-config` json object (MANDATORY)
- Renamed `master` account keys to `management` account keys (New installs ONLY)
- Added new VPC Flow log fields (Optional)
- Replaced all uses of the Accelerator prefix (`PBMMAccel`) with variables (Optional)
- Deploy new SSM document `Attach-IAM-Instance-Profile` (Optional)
- Deploy new custom config rule `EC2-INSTANCE-PROFILE` (Optional)
- Updated firewall AMIs to v6.4.4 (New installs ONLY)