AWS Secure Environment Accelerator Versions

The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.

v1.5.4

1 year ago

Notes

  • This release was REPLACED by v1.5.4-a due to an issue, customers should upgrade to v1.5.4-a instead

ENHANCEMENTS

  • Add GuardDuty Kubernetes protection support (#1058)
  • Add GuardDuty frequency customization support (#1057)

FIXES

  • Address new IAM role trust policy behavior (#1066)
  • Upgrade CDK to v1.174.0 to address Node.js 12 deprecation (#1066)
  • Update EC2-INSTANCE-PROFILE-PERMISSIONS config rule to reduce CI generation noise (#1065)
  • Add jitter to state machine back-off retry code to reduce retry failures (#1050)
  • Decrease Lambda concurrency limit to 10 based on new customer limits (#1062)
  • Fix issue with ALB forwarder when no HOSTS defined (#1019)
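The "new IAM role trust policy behavior" fix (#1066) above is not explained on this page. The following is an added example, not ASEA code, and it assumes #1066 concerns the 2022 AWS change under which a role can no longer assume itself unless its own ARN (or a principal that covers it, such as the account root) is listed explicitly in its trust policy. It checks a trust policy document for that condition; the role ARN and both sample documents are constructed, and Condition blocks are ignored (a real audit should honour them):

```python
"""Check whether an IAM role's trust policy explicitly lets the role assume itself.

Added example, not ASEA code. Assumes the #1066 fix concerns the AWS change that
removed implicit role self-assumption: the role's own ARN (or a principal covering
it) must now appear in its trust policy. Conditions are ignored for brevity.
"""
import json
import re

# Standard partition only; aws-cn / aws-us-gov ARNs would need a wider pattern.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS principals named in a Statement's Principal element.
    Principal is either "*" or a dict such as {"AWS": "arn:..."} / {"AWS": [...]}."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []  # Service/Federated principals never cover an IAM role


def principal_covers_role(principal, role_arn):
    """True if `principal` names the role itself, its account root, or the wildcard.
    The account root principal delegates to every IAM principal in that account,
    so it covers the role as well."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        raise ValueError(f"not a role ARN: {role_arn}")
    account = m.group(1)
    return principal in {"*", role_arn, account, f"arn:aws:iam::{account}:root"}


def role_can_assume_itself(role_arn, trust_policy):
    """Return True if an Allow sts:AssumeRole statement covers the role itself
    and no Deny statement does (Conditions are not evaluated here)."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    allowed = denied = False
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not (actions & {"sts:assumerole", "sts:*", "*"}):
            continue
        hit = any(principal_covers_role(p, role_arn)
                  for p in _aws_principals(stmt.get("Principal")))
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


# Constructed sample role and documents (not from any real account).
ROLE = "arn:aws:iam::111122223333:role/ASEA-PipelineRole"

IMPLICIT_ONLY = {  # relied on the old implicit self-assume behaviour
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

EXPLICIT_SELF = {  # what the trust policy needs after the change
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ROLE},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("implicit-only", IMPLICIT_ONLY), ("explicit-self", EXPLICIT_SELF)):
        state = "OK" if role_can_assume_itself(ROLE, doc) else "BLOCKED"
        print(f"{name}: self-assume {state}")
```

Run against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for any role that a pipeline or state machine uses to re-assume itself; a BLOCKED result on a role that previously worked is the symptom the fix addresses.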

DOCUMENTATION

  • Minor documentation tweaks (#1028)(#1067)(#1055)

ADD-ONS

  • OpenSearch SIEM enhancements including Node.js 12 deprecation updates (#1056)

CONFIG FILE CHANGES

  • Updates for Control Tower v3.0 (MANDATORY for Control Tower customers)
    • only deploy CloudWatch Alarms & Metrics in Management account (#1027)
  • GuardDuty enhancements (OPTIONAL)
    • "guardduty-frequency": "FIFTEEN_MINUTES" or "ONE_HOUR" or "SIX_HOURS" (#1057)
    • "guardduty-eks": true and "guardduty-eks-excl-regions": [], (#1058)
  • Remove duplicate line from SCP files (#1067)

v1.5.3

1 year ago

Notes

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
  • Please be aware of the security advisory impacting older releases
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

  • Fix SCP spelling issue, changing tagging to tag (#1014)
  • Fix State Machine failure when an account name starts with a number and the account contains a local VPC (#1015)
  • Fix Javascript issue (#1016)
    • prevented creation of IAM users defined in workload-account-configs
    • prevented creation of IAM roles with similar names when defined in workload-account-configs
    • fix issue with IAM workload account roles (security advisory)

DOCUMENTATION

  • Very minor documentation tweaks (#1018)(#1017)

CONFIG FILE CHANGES

  • Change "rsyslog-enforce-imdsv2" back to false (RECOMMENDED)
    • moving rsyslog to IMDSv2 broke rsyslog functionality

v1.5.2

1 year ago

Notes

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FEATURES

  • Add AWS Outpost, Local Zone, and Wavelength support (#964) (Spec: #963)
    • Enable local subnet creation
    • Enable targeting customer created objects in ASEA managed route tables (required to target LGW)
  • Add option to collect ASEA configuration and metadata in a new restricted log archive bucket (#976) (Spec: #1011)
    • Enables providing visibility into ASEA deployed configuration without access to the Org mgmt. account (e.g. for a SOC)

FIXES

  • Enable support for IAM conditions w/role policies (#1003)
  • Leverage region STS endpoints, rather than the global endpoint (#997)
  • Fix issues w/ASEA removing Control Tower SCPs in certain situations (#998)
  • Filter out non-active Organizational accounts from state machine activity (#981)
  • Fix Lambda role permissions w/KMS keys which broke SNS alerting in v1.5.1 (#971)
  • Fix spelling error in CloudWatch metric (#973)
  • Add warn message when TGW route fails to deploy (#979)
  • Allow reading tags outside Canada (enables installing OpenShift) (#977)

DOCUMENTATION

  • Doc tweaks and enhancements, fix broken links, etc. following upgrade to MKDocs (#1008)(#975)(#970)(#961)(#959)(#958)(#956)(#955)(#948)

ADD-ONS

  • DDB-Update - Enabled Versioning on the S3 Bucket (#954)
  • opensiem - Move to SNS topics to enable supporting multiple log consumers (#952)
  • opensiem - Update packages and cdk (#949)

CONFIG FILE CHANGES

  • Add "meta-data-collection": true to global-options (OPTIONAL)
  • Add "meta-data-read-only-access": true to any role to enable log archive bucket access (AS NEEDED)
    • similar to "ssm-log-archive-read-access" and "ssm-log-archive-write-access"
  • Outposts support (AS NEEDED)
    • Add additional options to subnet "az" field (e.g. "us-east-1-atl-1a", instead of just "a")
    • Add "outpost-arn" field to subnet object
    • Add "lgw-route-table-id" field to VPC object
  • Enable route tables to target externally created objects (AS NEEDED)
    • Add "customer" option to route table "target" field
    • Add "type" and "target-id" fields to route table entries (e.g. "localGatewayId" and "lgw-12345678901234567")

v1.5.1-a

2 years ago

NOTES

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
  • Upgrades were only supported directly from v1.3.8, v1.3.9, v1.5.0, and v1.5.1

FIXES

  • Fix issue with YAML based config files in v1.5.1 (#947)
  • Fix error finding log-archive bucket during new installs in v1.5.1 (#947)

Documentation

  • Upgrade documentation to Material Theme for MKDocs & moved to GitHub Pages (#955)
    • Improved documentation navigation, improved documentation formatting, new documentation search capabilities
    • Moved config file schema online
    • New location

v1.5.1

2 years ago

NOTES

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
  • This release was REPLACED by v1.5.1-a due to two issues
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0

FEATURES

  • Enable forwarding Security Hub findings to CloudWatch Logs (#867)
    • which also ensures they land in the central log archive S3 bucket
  • Kinesis Firehose dynamic partitioning (#861)(#910)
    • enables separating customer specified CWL Groups into separate folders in the central S3 bucket
    • enables separating Security Hub logs to their own folder
  • Add ability to enable SSM Inventory Collection by OU and/or accounts (#900)
  • Added Accelerator Immersion days (Workshops) to the ASEA home page

ENHANCEMENTS

  • Add ability to enforce IMDSv2 on all launch types (firewalls, rsyslog, RDGW and autoscaling groups) (#869)(#859)
  • Add ability to specify rsyslog userdata in the config file (#902)
  • Encrypt central logging Kinesis stream w/CMK (#888)
  • Encrypt SNS topics w/CMK (#883)(#932)
  • Set disable-api-termination on firewall and firewall manager instances (#858)
  • Improve state machine config file error handling (#941)(#920)(#898)(#891)
  • Update CDK version and various other dependencies (#933)(#925)(#866)(#865)
  • Enhance GitHub test, release and doc generation scripts (#884)(#852)(#847)
  • Improve ASEA developer script (#928)

FIXES

  • Improve SCP error handling, ignore SCP attach/detach on nested OUs (#942)(#845)(#846)
  • Fix for log archive bucket RO Role resource policies occasionally being overwritten (#921)
  • Fix for read only access role on log archive AES bucket (#913)
  • Multiple SCP and permissions fixes for Control Tower (#886)(#918)(#881)(#885)
  • Various additional SCP enhancements (#914)(#842)(?)
  • Improve NFW deployment error handling when CWL group already exists (#868)
  • Ensure global region is always in supported-regions array (#930)(#934)
  • Tweaks to the uninstall script and the v150 upgrade script (#906)(#872)(#848)(#840)
  • Update issue in firewall-example-A-A-multitunnel.txt causing asymmetric routing (#894)
  • Fix scaling issue with bootstrap state machine (#879)

DOCUMENTATION

  • Add pricing estimates for example config files (#917)
  • Improve central logging documentation / add log flow architecture diagram (#943)
  • Add a list of ASEA leveraged and orchestrated services (#911)
  • Various enhancements across the documentation:
    • FAQ, installation, v1.5.0 upgrade, sm-inputs, architecture, customization guides
  • Enhance main readme page to make the config file schema more visible (#922)

CONFIG FILE CHANGES

  • Renamed GCWide subnet to App2 subnet (NEW INSTALLS ONLY) (#864)
  • Add "ssm-inventory-collection": true on each OU (OPTIONAL)
  • Add "rdgw-enforce-imdsv2": true on rdgw instance(s) (RECOMMENDED)
  • Add "rsyslog-enforce-imdsv2": true on rsyslog auto-scaling group (RECOMMENDED)
  • Add "dynamic-s3-log-partitioning" section to global-options (RECOMMENDED)
  • Add "enforce-imdsv2": true to 3rd party firewall configs (NOT recommended)
    • not supported by the utilized 3rd party vendors
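The IMDSv2 enforcement flags above, and the v1.5.3 note that switching rsyslog to IMDSv2 broke it, come down to one mechanical difference: once an instance is launched with HttpTokens=required, a plain GET to the metadata endpoint (the IMDSv1 style used by older userdata scripts) is refused, and callers must first obtain a session token with a PUT. The following is an added example, not ASEA code or its rsyslog userdata. It runs a loopback stand-in for the metadata service that enforces the token requirement, then issues both a v1-style and a v2-style fetch so the failure mode can be seen offline; the server, port, and metadata values are constructed:

```python
"""IMDSv2 token handshake versus an IMDSv1 GET, against a loopback stand-in
for the instance metadata service with HttpTokens=required semantics.

Added example, not ASEA code. The stand-in server and its metadata values are
constructed; only the paths and header names mirror the real IMDS.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed metadata values served by the stand-in (not from a real instance).
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/local-ipv4": "10.0.1.25",
}


class FakeImds(BaseHTTPRequestHandler):
    """Loopback stand-in for 169.254.169.254 that behaves like HttpTokens=required."""
    tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: PUT /latest/api/token carrying a TTL header.
        if self.path != TOKEN_PATH or TTL_HDR not in self.headers:
            self._reply(400, b"bad token request")
            return
        token = secrets.token_urlsafe(32)
        FakeImds.tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        # With HttpTokens=required a GET without a valid session token gets 401.
        # That is exactly what a v1-style `curl http://169.254.169.254/...` hits.
        if self.headers.get(TOKEN_HDR) not in FakeImds.tokens:
            self._reply(401, b"unauthorized")
            return
        body = FAKE_METADATA.get(self.path)
        if body is None:
            self._reply(404, b"not found")
        else:
            self._reply(200, body.encode())

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_imds():
    """Start the stand-in on a free loopback port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def fetch_metadata(base_url, path, use_v2=True, ttl=21600):
    """Fetch one metadata path. use_v2=False mimics legacy userdata that does a
    plain GET (IMDSv1). Returns (status_code, body_text)."""
    headers = {}
    if use_v2:
        tok_req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                         headers={TTL_HDR: str(ttl)})
        with urllib.request.urlopen(tok_req, timeout=2) as resp:
            headers[TOKEN_HDR] = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run both client styles against the stand-in; return (v1_result, v2_result)."""
    base, server = start_fake_imds()
    try:
        v1 = fetch_metadata(base, "/latest/meta-data/instance-id", use_v2=False)
        v2 = fetch_metadata(base, "/latest/meta-data/instance-id", use_v2=True)
    finally:
        server.shutdown()
        server.server_close()
    return v1, v2


if __name__ == "__main__":
    print(demo())
```

The practical check before flipping any of the enforce-imdsv2 flags is to grep the userdata and any bootstrap scripts for metadata fetches that lack the token header; each one needs the PUT-then-GET sequence shown in `fetch_metadata`, which is the change the rsyslog userdata was missing.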

ADD-ONS

Provide example add-on solutions and code to demonstrate extending ASEA functionality outside the core codebase

  • OpenSearch SIEM for ASEA Add-on (#915)
  • Auto-populate DDB CIDR management tables from S3 (#919)

v1.5.0

2 years ago

IMPORTANT

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
  • This was a major release and includes custom upgrade instructions
  • This release includes all fixes and enhancements up to and including previous v1.3.9

FEATURES

  • Add support to install on top of and leverage AWS Control Tower (CT) features (#492)
    • add ability to create a separate Organization S3 DataPlane trail
    • extend CloudWatch Metrics and Alarms to support "accounts": ["ALL"]
    • when ct-baseline=true
      • existing deployments can NOT upgrade at this time, new installs only
      • changes to support all 4 account creation methods (Orgs, ASEA, Account Factory, AWS API)
      • tweak SCP code to allow inter-operability with Control Tower
      • does not create the Organization control plane CloudTrail (as CT creates account based Trails)
      • only deploys Config Recorders in the root account and non-CT regions in sub-accounts (as CT covers remainder)
      • uses global-options/organizationAdminRole to create Config Recorders (otherwise blocked by CT SCPs)
      • does not create Config Aggregator in root account (as CT creates in Management and Security accounts)
      • reference the new Control Tower example config file
  • Add option to deploy AWS Network Firewall on any VPC (#505)
  • Add option to deploy Gateway Load Balancer (GWLB) with an Auto Scaling Group of appliance instances (#504)
    • Update existing VPN code to move vendor specific hard coded parameters to the config file
  • Add ability to create and remove a Config Aggregator in any central services account (Security, Operations, Log) (#769)
    • includes option to NOT deploy the Aggregator in the Mgmt account for NEW installs
  • Added a new alb-forwarding feature (#505)
  • Add functionality to auto-generate config file schema documentation from the codebase
    • add mandatory friendly field translations and descriptions in src\lib\config-i18n\src\en.ts (fr.ts to follow)
    • these field definitions are DRAFT and have not been fully validated
  • Added the capability to manage CIDR ranges in DynamoDB, rather than within the config file (#494)
    • added ability to perform dynamic CIDR assignments (unlocks spoke VPC architectures at scale)
    • leverages the concept of CIDR pools
    • added new automatic config file variables to enable defining all VPCs in a single nested config file
    • Details in ticket #494 and in the custom upgrade instructions
  • Added the capability to deploy opt-in VPCs (#714)
    • VPCs are defined in the OU, but not created until a flag added to the account level config
    • details in ticket #714 and the custom upgrade instructions
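The CIDR pool feature above (#494) moves address assignment out of the config file and into a table of pools and assignments. The following is an added example, not ASEA's allocator: it shows the allocation logic such a table implies, including importing already-assigned ranges migrated from an older config file and rejecting overlapping records. The pool name, the ranges, and the "first free block in address order" rule are assumptions for illustration:

```python
"""Dynamic CIDR assignment from named pools, the concept behind managing CIDRs in
a table rather than in the config file.

Added example, not ASEA's allocator. Pool and assignment records are constructed;
the allocation rule (first free block of the requested size, in address order)
is an assumption.
"""
import ipaddress


class CidrPool:
    def __init__(self, name, cidrs):
        self.name = name
        self.ranges = [ipaddress.ip_network(c) for c in cidrs]
        self.assigned = {}  # cidr string -> owner (e.g. "account/vpc")

    def _free(self, candidate):
        """True if candidate overlaps no existing assignment."""
        return all(not candidate.overlaps(ipaddress.ip_network(a)) for a in self.assigned)

    def allocate(self, prefix_len, owner):
        """Return the first unassigned /prefix_len across the pool's ranges and
        record it for `owner`. Raises LookupError when nothing fits."""
        for rng in self.ranges:
            if prefix_len < rng.prefixlen or prefix_len > rng.max_prefixlen:
                continue  # requested block is larger than this range (or invalid)
            candidates = [rng] if prefix_len == rng.prefixlen else rng.subnets(new_prefix=prefix_len)
            for cand in candidates:
                if self._free(cand):
                    self.assigned[str(cand)] = owner
                    return cand
        raise LookupError(f"pool {self.name!r} has no free /{prefix_len}")

    def release(self, cidr):
        """Return a block to the pool (no-op if it was not assigned)."""
        self.assigned.pop(str(ipaddress.ip_network(cidr)), None)

    def import_existing(self, records):
        """Load blocks that are already in use (e.g. carried over from a config
        file during an upgrade). Overlaps indicate a corrupted table and are refused."""
        for cidr, owner in records:
            net = ipaddress.ip_network(cidr)
            if not self._free(net):
                raise ValueError(f"{cidr} overlaps an existing assignment")
            self.assigned[str(net)] = owner


if __name__ == "__main__":
    pool = CidrPool("dev", ["10.0.0.0/16"])
    pool.import_existing([("10.0.1.0/24", "acct-b/vpc")])  # constructed legacy record
    for owner, size in (("acct-a/vpc", 24), ("acct-c/vpc", 24), ("acct-d/vpc", 20)):
        print(owner, "->", pool.allocate(size, owner))
```

In a shared table the overlap check and the write must happen atomically (a conditional write keyed on the CIDR string, for example); the in-memory version above skips that because it is single-process.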

ENHANCEMENTS

  • SCP optimizations and restructuring (#501)
  • Change default ‘AcceleratorName’ to ‘ASEA’, ‘AcceleratorPrefix’ to ‘ASEA-‘ and ‘ConfigRepositoryName’ to ‘ASEA-Config-Repo’ for new installs (#752)
  • Add support for installation from CodeCommit in addition to GitHub (#752)
  • Changes to account warming process to improve odds of perimeter firewall deployment not being skipped on first state machine execution (#752)
  • Optionally add new SNS topics in root account/home region which forward to Ops account topics (fix Security Hub alarm validations) (#752)
  • Enable rotation on cdk-assets-key in Operations account (contains all the cdk buckets) (#752)
  • Add “Publish sensitive data findings to” Security Hub option for Macie (#752)
  • Enable Firewall Manager alerting, set SNS topics to chosen alerting topic (#752)
  • Enable Security Hub alerting by forwarding SH events/findings to the existing alerting topics (events of the specified priority AND above) (#498)
    • add central-security-services\security-hub-findings-sns: "None || Low || Medium || High || Critical" (#752)
  • Enable creating "dedicated tenancy" VPCs (#752)
  • Move RDGW image name to config file (enable customers to change Windows versions) (#752)
  • Update state machine to use direct CodeBuild integration (simplifies log access) (#752)
  • Replace Webpack with esbuild (significant performance improvement) (#752)
  • Enhance CloudWatch-CrossAccountSharing policy and central config bucket security permissions (#752)
  • Add copyright and license info to all code files (#752)
  • Cleanup type deviations throughout config file
    • Move Typescript schema to: src\lib\config\src\config.v2.ts
    • Rename global-options\aws-org-master to global-options\aws-org-management in config file
  • Update all dependencies throughout (#676)
    • Nodejs 14, CDK 1.113.0, npm 6.2.3, AWS SDK 2.944.0, Codebuild STANDARD_5_0, etc.
  • Add support to deploy CGWs without deploying appliances for TGW attachment (#739)
  • Enhance EBS KMS key policy to support EKS (#685)
  • Enable CodeBuild image caching for installer pipeline (#658)
  • Add a script to assist with generating outputs for local development (#753)
  • Script to convert v1.3.8 customers config file to v1.5.0 format and populate DynamoDB with assigned CIDRs (#790)
  • aligned OU structure with latest AWS multi-account guidance
  • Other minor enhancements to improve OOB Security Hub scores (DDB PITR, encryption, on-demand scaling, etc.)
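The Security Hub alerting enhancement above (#498, #752), like the v1.5.1 feature that forwards Security Hub findings to CloudWatch Logs, rests on an EventBridge rule over the "Security Hub Findings - Imported" event, with the severity setting meaning "this level and above". The following is an added example, not ASEA code: it turns a setting such as "Medium" into the label list and event pattern such a rule needs, and includes a minimal matcher so the pattern can be exercised offline against a constructed finding. The event shape and severity labels are from AWS documentation; the added Workflow.Status filter is a design choice of this example, not something the page states:

```python
"""Build the EventBridge event pattern that forwards Security Hub findings of a
chosen severity and above.

Added example, not ASEA code. The event shape and severity ladder follow AWS
documentation; the Workflow.Status filter is an added design choice, and the
sample event is constructed.
"""
import json

SEVERITY_LADDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Security Hub also emits INFORMATIONAL; "Low" and above deliberately excludes it.


def severities_at_or_above(threshold):
    """Map a setting such as "Medium" to the labels it should match.
    "None" disables forwarding and returns an empty list."""
    key = threshold.strip().upper()
    if key == "NONE":
        return []
    if key not in SEVERITY_LADDER:
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    return SEVERITY_LADDER[SEVERITY_LADDER.index(key):]


def security_hub_event_pattern(threshold, workflow_status=("NEW", "NOTIFIED")):
    """Return the EventBridge pattern dict, or None when forwarding is disabled."""
    labels = severities_at_or_above(threshold)
    if not labels:
        return None
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {
            "findings": {
                "Severity": {"Label": labels},
                # Suppressed/resolved findings are re-imported too; drop them.
                "Workflow": {"Status": list(workflow_status)},
            }
        },
    }


def pattern_matches(pattern, event):
    """Minimal matcher for the exact-value patterns built above (constructed for
    this example; EventBridge's full matching language is richer)."""
    if pattern is None:
        return False

    def walk(p, e):
        if isinstance(p, list):
            return e in p
        if isinstance(p, dict):
            return isinstance(e, dict) and all(k in e and walk(v, e[k]) for k, v in p.items())
        return p == e

    # "findings" is an array in the real event; the rule fires if any element matches.
    finding_pattern = pattern["detail"]["findings"]
    top_ok = all(walk(pattern[k], event.get(k)) for k in ("source", "detail-type"))
    findings = event.get("detail", {}).get("findings", [])
    return top_ok and any(walk(finding_pattern, f) for f in findings)


# Constructed sample finding event, trimmed to the fields the pattern reads.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"Severity": {"Label": "HIGH"},
                             "Workflow": {"Status": "NEW"},
                             "Title": "S3 bucket allows public read"}]},
}

if __name__ == "__main__":
    print(json.dumps(security_hub_event_pattern("Medium"), indent=2))
    print("forwarded:", pattern_matches(security_hub_event_pattern("Medium"), SAMPLE_EVENT))
```

The dict returned by `security_hub_event_pattern` is what goes into the rule's `EventPattern` (as a JSON string) whether it targets an SNS topic for alerting or a CloudWatch Logs group for archiving; the same pattern with no severity filter is the "forward everything to the log archive" case.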

FIXES

  • Fix IAM password complexity occasionally causing state machine failures (#756)
  • Fixed spelling in state machine auto-start scope parameter used on new accounts creation (#752)
  • Fix creation of 2nd VPC containing identical name prefix (#731)
  • GuardDuty occasionally not enabled in Management account (#754)
  • IAM role creation did not apply the specified trust policy (#824)

DOCUMENTATION

  • Added a v1.3.9 to v1.5.0 custom upgrade instructions
  • Re-write installation guide to include Control Tower, NFW, GWLB, and alb-forwarding functionality
  • General improvements throughout documentation, updated architecture diagrams
  • Update all example config files, add new examples for ControlTower, GWLB, NFW
  • Add DRAFT config file schema documentation (attached to release artifacts)
    • accessed by unzipping, navigating to: src\lib\docs-gen\output-docs\en, and opening index.html in a browser

CONFIG FILE CHANGES (Major mandatory changes throughout)

  • Review the latest example config files
  • Leverage the config file conversion script
  • Review the v1.5.0 upgrade guide

ALPHA/PREVIEW

  • We are releasing a very early GUI mock-up (attached to release artifacts)
  • It is NOT ready for use with customer config files, even in test installations
  • Test by unzipping, navigating to: src\ui\build, and opening index.html in a browser
  • Requires utilization of a v1.5.0 config file found in the reference-artifacts\SAMPLE_CONFIGS folder
  • We are only releasing to get feedback on the gui's direction

v1.3.9

2 years ago

Important

  • Upgrades to the v1.5.x release require customers first upgrade to v1.3.8 or higher
  • This release is no longer installable by customers based on changes to IAM role trust policy behavior, to tagging behavior (#1085), and due to the deprecation of Python 3.6
  • Existing customers will likely no longer be able to upgrade to this release based on changes to tagging behavior (#1085) and the deprecation of Python 3.6
  • Existing customers will no longer be able to upgrade to this release based on changes to tagging behavior (#1085) without manual intervention
  • Existing customers can continue to upgrade to this release until Nov 14, 2022 - As this release is based entirely on Node.js 12, upgrades to this release are NOT possible after Nov 14, 2022 (the original note also carries a superseded date of Feb 14, 2023)
  • All Accelerator releases prior to v1.5.0 will cease to function on Nov 14, 2022, when Node.js 12 is deprecated and role policy allow-listing expires

NOTE: The config file defines several Config rules that deploy using Python 3.6. Before attempting to upgrade to this release, update them in the customer config file to deploy using Python 3.7 (no code changes required); otherwise the upgrade will fail.

Enhancements

  • Enable static IP assignment for private ENIs on Fortinet firewalls (also in fix/v1.3.8-a) (#796)
  • Add s3:ListBucket permission to log archive read only role enabling Athena (#799)

Fixes

  • Adjust R53 zone names for interface endpoint names with periods (e.g. ECR) (#810)
  • Various logging, scaling and retry enhancements (#807, #813, #815, #816, #817, #819, #818)
  • Update SCPs to fix CloudFront console and customer CDK S3 issue (#801, #803)

Config file changes

  • Fix UltraLite config file (us-east-1 is required as a supported-region) (RECOMMENDED) (#808)
  • Update Fortinet AMIs to v6.4.7 (NEW INSTALLS ONLY) (#820)

v1.3.8

2 years ago

Notes

  • This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085)
  • If upgrading, please upgrade directly to v1.3.9

Fixes

Scaling related:

  • DynamoDB throttling storing outputs
  • GuardDuty infinite loop
  • Paginate API calls for MAD sharing, Security Hub activation, and parallel stack deployments
  • Stack verification failure in bootstrap phase

Enhancements

  • Add a developer local development script

Config file changes

  • None

v1.3.7

2 years ago

Fixes

  • State Machine fails on new installs with GuardDuty and/or Macie activation issues (#780)

Documentation

  • Minor tweaks to FAQ and Install Guide (#781)

Config file changes

  • None

v1.3.6

2 years ago

IMPORTANT

  • This release has an outstanding issue during new installations
    • State machine will fail when Org enabling/delegating GuardDuty and/or Macie in Phase 1
    • To finish the installation successfully, simply rerun the state machine
    • This release was pushed out, as more time is needed to fix the issue, so that customers do not need to perform any manual cleanup when this failure occurs (cleanup was required in v1.3.5 due to #777)

Fixes

  • State Machine fails on new installs when Macie already enabled (#766)
  • NATGWs deployed by ASEA are not protected by guardrails - SCP tweak (#774)
  • Access Analyzer Validate Policy API is blocked by guardrails - SCP tweak (#776)
  • Empty "license" parameter passed to BYOL firewall appliances not properly populated (#776)

Documentation

  • Add an object naming document detailing the prefixes, suffixes and tags of Accelerator created objects (#776)
  • Update known issues section of install guide (#776)

Config file changes

  • Tweak perimeter ALB configuration for availability, moving both firewalls to one target group (RECOMMENDED) (#774)
  • Reduce rsyslog and RDGW auto-scaling group max instance age from 30 days to 7 (RECOMMENDED) (#774)