AWS Secure Environment Accelerator Versions

The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is its configuration file, which enables completely automated deployment of customizable architectures within AWS without changing a single line of code.

v1.5.9-b

2 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

    • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
    • It's recommended that customers on older versions upgrade to v1.5.8-d first before moving to v1.5.9-b.
    • Upgrade testing for future releases will only be for upgrades from v1.5.9-b or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the next few quarters.

FEATURES

  • None

FIXES

  • Fix for cross-account Security Group rules using dynamic cidr ranges (#1220) (b31529a4)
  • Add ca-west-1 (#1218) (63ca3b37)
  • Added latest proxy-agent version (#1215) (76b4e8fb)
  • Removed strict flag (#1216) (e0eb93eb)
  • Removed proxy-agent dependency (#1209) (32ee10c5)
  • Update retry logic to match error (#1208) (8a62515f)
  • Increase memory size for ALB IP forwarding lambdas (#1204) (9c171656)
  • Fix cannot find module 'aws-sdk' on custom config rule lambdas (#1207) (1660d5cb)

v1.5.8-d

5 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

    • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
    • It's recommended that customers on older versions upgrade to 1.5.7-b first before moving to v1.5.8-d.
    • Upgrade testing for future releases will only be for upgrades from v1.5.8-d or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the next few quarters.

FEATURES

  • None

FIXES

  • Fix issue with vpcEndpoint az lookup (#1194) (8f590e03)
  • Upgrade to Node 18 runtimes (#1189) (d940dfa4)
  • Fix wrong argument passed to updateTerminationProtection function (#1197) (f93a1324)
  • increase lambda memory (#1201) (c09266c2)
  • added memory (#1202) (5e33f473)

v1.5.8-c

5 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

    • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
    • It's recommended that customers on older versions upgrade to 1.5.7-b first before moving to v1.5.8-c.
    • Upgrade testing for future releases will only be for upgrades from v1.5.8-c or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the next few quarters.

FEATURES

  • None

FIXES

  • Fix issue with vpcEndpoint az lookup (#1194) (8f590e03)
  • Upgrade to Node 18 runtimes (#1189) (d940dfa4)
  • Fix wrong argument passed to updateTerminationProtection function (#1197) (f93a1324)
  • increase lambda memory (#1201) (c09266c2)

v1.5.8-b

5 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

    • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
    • It's recommended that customers on older versions upgrade to 1.5.7-b first before moving to v1.5.8-b.
    • Upgrade testing for future releases will only be for upgrades from v1.5.8-b or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the next few quarters.

FEATURES

  • None

FIXES

  • Fix issue with vpcEndpoint az lookup (#1194) (8f590e03)
  • Upgrade to Node 18 runtimes (#1189) (d940dfa4)
  • Fix wrong argument passed to updateTerminationProtection function (#1197) (f93a1324)

v1.5.8

6 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

    • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
    • It's recommended that customers on older versions upgrade to 1.5.7-b first before moving to v1.5.8.
    • Upgrade testing for future releases will only be for upgrades from v1.5.8 or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the next few quarters.

FEATURES

  • None

FIXES

  • Fix issue with vpcEndpoint az lookup (#1194) (8f590e03)
  • Upgrade to Node 18 runtimes (#1189) (d940dfa4)

v1.5.7-b

10 months ago

NOTES

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments
    • Upgrade testing for future releases will only be for upgrades from v1.5.7-b or higher
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q4 2024. Upgrades from ASEA to LZA will occur over the next year.
  • Note that the Organization SCPs (in Reference Artifacts) have multiple changes to address AWS service changes, etc. Customers should review and reconcile differences between these reference artifacts and the SCPs they currently have in place.

FEATURES

  • Configuration and docs to enable SSM Quick Setup patch policies (centralized patching) (#1157) (9478471d)
  • Implement versioning on ASEA Docs site (#1128) (7655c292)

FIXES

  • Cloudwatch Logs customer subscription filters being removed (#1172) (10d37906)
  • Policy changes rule must only revert SCPs; not backup or tag policies (#1169) (b363bf55)
  • Multiple Organizations SCP updates (#1167) (30e9be44)
  • Add support for EC2 IMDSv2 (#1161) (4e72decc)
  • Fix sfn deployment (#1158) (caee0513)
  • Support for EC2 Launch templates (#1156) (e571cf2f)
  • Fix for EventBridge notifications sent to SNS (#1132) (4df28a9d)
  • Node 16 ASEA update (#1149) (d628fd81)

v1.5.6-a

1 year ago

Notes

  • v1.5.6-a was released to address an issue with log replication. If you already upgraded to v1.5.6, reach out to your AWS Account Team for instructions on the additional steps required when upgrading from v1.5.6 to v1.5.6-a.

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Existing customers MUST upgrade to v1.5.6 or higher to avoid impacts by 2023-06-01

    • Upgrade testing for future releases will only be for upgrades from v1.5.6 or higher
    • AWS CDK version 1 will reach its end-of-support, and will no longer receive updates or releases
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2024. Upgrades from ASEA to LZA will occur over the next year.
  • IMPORTANT - In order to implement the VPC flow log fix (#1112) (b5dc19cf):

  1. Before update: for every VPC of the configuration, change the “flow-logs” option to “CWL”
  2. Execute the State Machine in Full Apply mode. Wait for successful completion
  3. Change the “flow-logs” option to the original value (“BOTH”) (don’t re-run the state machine)
  4. Follow the general instructions to update ASEA to version 1.5.6
  5. Update the CloudFormation stack
  6. Run the ASEA-InstallerPipeline
  7. When the ASEA-InstallerPipeline completes it will trigger the State Machine. Verify that it completes successfully

FIXES

  • Fixes logging bucket replication not being applied.
  • CDK Rebase (from v1 to v2) (#1117) (6642b619)
  • Adjust vpc flow log creation logic (#1112) (b5dc19cf)
  • AWS Config rule IAM Password Policy boolean values (#1100) (58208ad7)
  • Update alb ip monitor dns lookup check (#1076) (fe0ed829)
  • Switch Log archive bucket policy to Org policy (#1051) (696adb8a)
  • Lambda timeout in large customer environments (#1020) (bed0a628)

DOCUMENTATION

  • Update install.md (#1115) (2a5ed547)

CONFIG FILE CHANGES

  • None

v1.5.6

1 year ago

Notes

  • This release was REPLACED by v1.5.6-a due to an issue; customers should upgrade to v1.5.6-a instead.

  • Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

  • Existing customers MUST upgrade to v1.5.6 or higher to avoid impacts by 2023-06-01

    • Upgrade testing for future releases will only be for upgrades from v1.5.6 or higher
    • AWS CDK version 1 will reach its end-of-support, and will no longer receive updates or releases
    • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future release will help customers upgrade from ASEA to LZA.
    • End of support is expected in Q2 2024. Upgrades from ASEA to LZA will occur over the next year.
  • IMPORTANT - In order to implement the VPC flow log fix (#1112) (b5dc19cf):

  1. Before update: for every VPC of the configuration, change the “flow-logs” option to “CWL”
  2. Execute the State Machine in Full Apply mode. Wait for successful completion
  3. Change the “flow-logs” option to the original value (“BOTH”) (don’t re-run the state machine)
  4. Follow the general instructions to update ASEA to version 1.5.6
  5. Update the CloudFormation stack
  6. Run the ASEA-InstallerPipeline
  7. When the ASEA-InstallerPipeline completes it will trigger the State Machine. Verify that it completes successfully

FIXES

  • CDK Rebase (from v1 to v2) (#1117) (6642b619)
  • Adjust vpc flow log creation logic (#1112) (b5dc19cf)
  • AWS Config rule IAM Password Policy boolean values (#1100) (58208ad7)
  • Update alb ip monitor dns lookup check (#1076) (fe0ed829)
  • Switch Log archive bucket policy to Org policy (#1051) (696adb8a)
  • Lambda timeout in large customer environments (#1020) (bed0a628)

DOCUMENTATION

  • Update install.md (#1115) (2a5ed547)

CONFIG FILE CHANGES

  • None

v1.5.5

1 year ago

Notes

  • All new installations and upgrades MUST use v1.5.5 or higher
  • Existing customers MUST upgrade to v1.5.5 or higher to avoid impacts
    • Changes to tagging behavior (#1085) (impacts new and existing accounts now)
      • see ticket #1085 for potential manual workaround
    • Changes to IAM role trust behavior (impacts existing accounts effective Feb 14, 2023, new accounts now)
    • Node.js deprecation (See note by Brian969 on #1033) (impacts all customers effective March 31st, 2023)
  • Upgrades are only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

  • Adjust CloudWatch Log role permissions based on changes to tagging behaviour (#1085)
    • current issue resolved, more updates may be required once root cause fully understood
  • Rollback delayFirstAttempt setting in back-off/retry code (#1077)

DOCUMENTATION

  • Updates to ASEA Sample Sensitive Architecture document (#1070)

CONFIG FILE CHANGES

  • Customers who hardcoded their RDGW AMI-id based on the issues we were having with cfn-init need to revert these changes back to the latest variable used in the sample config files. The latest AMI has been fixed. The hardcoded Windows AMI has been deprecated and will cause failures.

v1.5.4-a

1 year ago

Notes

  • This release is no longer installable based on changes to CloudWatch Log group tagging behavior
  • All new installations and upgrades MUST use v1.5.5 or higher
    • Previous releases were also impacted by changes to IAM role trust policy behavior
  • All existing customers MUST also update to v1.5.4-a or higher before Feb 14, 2023 Nov 14, 2022 to avoid both the Node.js 12 deprecation impacts and the IAM role trust policy changes
    • See note by Brian969 on Issue #1033 for Node.js specific impacts
    • the IAM role trust policy change may impact new account provisioning effective Sept 21, 2022 (existing accounts have been allow-listed until Feb 15, 2023)
  • Please be aware of the security advisory fixed in v1.5.3
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

  • Fix typo in new IAM role trust policy (#1069)