Releases: aws-samples/aws-secure-environment-accelerator

Release v1.3.7

13 Aug 01:58
94e53ff

Fixes

  • State Machine fails on new installs with GuardDuty and/or Macie activation issues (#780)

Documentation

  • Minor tweaks to FAQ and Install Guide (#781)

Config file changes

  • None

Release v1.3.6

05 Aug 22:17
ec995fe

IMPORTANT

  • This release has an outstanding issue during new installations
    • The state machine fails when Org-enabling/delegating GuardDuty and/or Macie in Phase 1
    • To finish the installation successfully, simply rerun the state machine
    • This release was pushed out so customers do not need to perform any manual cleanup when this failure occurs (cleanup was required in v1.3.5 due to #777), as more time is needed to fix the issue

Fixes

  • State Machine fails on new installs when Macie is already enabled (#766)
  • NATGWs deployed by ASEA are not protected by guardrails - SCP tweak (#774)
  • Access Analyzer ValidatePolicy API is blocked by guardrails - SCP tweak (#776)
  • Empty "license" parameter passed to BYOL firewall appliances is not properly populated (#776)

Documentation

  • Add an object naming document detailing the prefixes, suffixes and tags of Accelerator-created objects (#776)
  • Update the known issues section of the install guide (#776)

Config file changes

  • Tweak perimeter ALB configuration for availability, moving both firewalls into one target group (RECOMMENDED) (#774)
  • Reduce rsyslog and RDGW auto-scaling group max instance age from 30 days to 7 days (RECOMMENDED) (#774)

Release v1.3.5

23 Jul 06:23
a014c5c

IMPORTANT

  • All new installations and upgrades must use v1.3.5 or higher
    • Fix #763 resolves an issue where every install or state machine execution that includes a new TGW deployment fails

Fixes

  • New TGW deployments cause SM failure due to a tagging issue (caused by an AWS platform behavior change) (#763)
  • Fix VPN tunnel options for static CGW routing (#751)

Enhancements

  • Update Fortinet AMIs to v6.4.6 (v6.4.5 went EOL) (#764)

Documentation

  • Document describing steps to move an ALZ linked account "as is" to an ASEA Org (#750)
  • Minor FAQ tweaks (#747)

Config file changes

  • None

Release v1.3.4

31 May 23:24
7c0885f

Enhancements

  • Update Fortinet AMIs to v6.4.5 (v6.4.4 went EOL) (#745)
  • Update to the latest CodeBuild build image (previous image went EOL) (#732)
  • Tweak SCPs (#734)
    • block services without 3rd party assessments (Lightsail, Sumerian, Cloud9, GameLift, AppFlow)
    • block Amazon IQ (Freelancer Marketplace)
    • remove services from the global services exception list (Import/Export, Mobile Analytics, Well-Architected)
    • remove deletion prevention for cf-template-* S3 buckets (no longer required)
  • Add a new lower-cost PBMM config file for PoC/test purposes (#5 in customization-index.md) (#734)

Fixes

  • Fix TGW cross-account VPC attachment issue (#732)
  • Enable TGW static routes on non-peered TGWs (#735)
  • Enable static routing on VPN attachments (#741) (#743)
  • Fix issue when multiple VPC peering connections are created in the same account (#743)
  • Enable multiple routes in VPC route tables pointing to the same PCX, TGW or NATGW connection (#743)

Documentation

  • Minor FAQ and Installation document enhancements (#730) (#734)

Config file changes

  • Tweak Security Hub disabled rules (OPTIONAL) (#734)
    • Enable PCI.KMS.1 and CIS 2.8

Release v1.3.3

01 May 21:00
1c925a1

Enhancements

  • Add a new optional verbose logging level for the state machine (#698)
  • Add the ability to optionally control account-level SCPs with the Accelerator (#708)
  • Add support for up to 5 CIDR ranges per VPC (#705)
  • Minor security enhancements (#704)
    • Tighten permissions on one role
    • Tighten VPC interface endpoint security group permissions and enable customization
  • Accelerator uninstall script improvements (#709) (#719)
  • Add SCP to block Client VPN setup/configuration (#725)

Fixes

  • Fail the state machine if a CloudWatch metric cannot be deployed due to a missing log group (#697)
  • Extra validation to ensure GuardDuty is enabled on all member accounts (#721)
  • Handle SCP attachment events on Accelerator-managed OUs and accounts (#720)
  • Stop removal of customer SCPs from accounts that are not Accelerator-managed (#711)
  • Only attach NATGWs to subnets as defined in the config file (#705)
  • Remove the AssumeRole block from the Accelerator role SCP (#723)

Documentation

  • Update documentation for v1.3.2 and v1.3.3 (#699) (#723)
    • Install guide, FAQ, sample snippets, state machine inputs

Config file changes

  • Subnet-level "cidr2": objects renamed to "cidr": (MANDATORY) (#723)
  • VPC-level "cidr2": "a.b.c.d/z" field changed to the array "cidr2": ["a.b.c.d/z"] (MANDATORY) (#723)
  • Replaced several CIDR ranges with variables (OPTIONAL) (#723)
    • Enables updating these values in one place rather than many
    • Highlights values that may need to be updated by customers
  • Updated the default organization-admin-role to align with the AWS default (NEW INSTALLS ONLY) (#723)
  • Removed duplicate NIST800-53 Config rules which overlapped with deployed Security Hub rules (RECOMMENDED) (#722)
  • In release v1.3.1 we missed adding "security-hub": true to the sample config files (RECOMMENDED) (#690)
  • Add logs and monitoring endpoints to the lite sample config file to resolve Session Manager issues (RECOMMENDED) (#712)

Release v1.3.2

06 Apr 18:43
656cd70

IMPORTANT

  • All new installations and upgrades must use v1.3.2 or higher

Fixes

  • Pin pnpm version (breaking issue for new installs/upgrades)
  • Improve SCP for the root user
  • Improve SEA cleanup script

Release v1.3.1

29 Mar 18:55
dbf0d12

STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

Enhancements

  • Enable deletion protection on all SEA-deployed ELBs
  • Enable central logging for the rsyslog NLB
  • Add bucket policies on all SEA buckets to enforce HTTPS access
  • Enable guardrail deployment in the new ap-northeast-3 region in the sample config files
  • Enhance SCPs to block making snapshots public or sharing them

Fixes

  • Add pagination to the SSM document sharing API call
    • deploying new documents to Orgs with more than 20 accounts causes a failure
  • CloudWatch log groups created in Phase 5 were missing subscription and retention settings
  • Improve API error handling (back-off and retry improvements)
  • Add pnpm lock file to pin all nested dependencies
    • this issue breaks all previous releases

Documentation

  • Update the installation document for the v1.3.1 release

Config file changes UPDATE (missed in original release notes)

  • Added new parameters to enable/disable Security Hub, allowing guardrail deployment in the ap-northeast-3 region
    • customers must add global-options\central-security-services\security-hub: true, or existing Security Hub deployments will be removed (MANDATORY)

Release v1.3.0

13 Mar 04:08

STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

IMPORTANT

  • Please note MAJOR changes to state machine behavior, as documented here.

Features

  • Centralize Accelerator CDK buckets (one bucket per region instead of one per account per region) (#572)
    • move to the new CDK default synthesizer from the legacy synthesizer
  • Enable customer control of State Machine execution scope (#606) (#637)
  • Enable deploying customer-provided Config rules (#654)
    • Detect and remediate EC2 instances without a role (to allow using Systems Manager and centralized logging)
    • Detect and remediate EC2 instance profiles without the desired permissions (to allow using Systems Manager and centralized logging)

Enhancements

  • Convert to Org-based permissions to avoid policy size challenges (#622)
  • Update firewalls to v6.4.4, refine configs and add an option to provision the 2nd tunnel/connection (#638)
  • Enable changing the Accelerator prefix for NEW installs (#632) (#639)
  • Change the default GitHub and CodeCommit repo branch names to main (#647) (#648) (#643) (#645)

Fixes

  • Fix intermittent issue with the ssm-log-archive-write-access feature (#653)
  • Revert SCP change that enabled root to suspend accounts

Documentation

  • Update sample config files (#659)
  • Update docs to reflect the v1.2.6 and v1.3.0 releases (#634) (#656)
  • Improve ACM cert import documentation (add "chain" attribute) (#640)

Config file changes

  • Removed "managed-rules" level from the aws-config JSON object (MANDATORY)
  • Renamed master account keys to management account keys (New installs ONLY)
  • Added new VPC Flow Log fields (Optional)
  • Replaced all uses of the Accelerator prefix (PBMMAccel) with variables (Optional)
  • Deploy new SSM document Attach-IAM-Instance-Profile (Optional)
  • Deploy new custom Config rule EC2-INSTANCE-PROFILE (Optional)
  • Updated firewall AMIs to v6.4.4 (New installs ONLY)

Release v1.2.6-a

25 Feb 02:30
d60f214

STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

Enhancements

  • Enable automatic KMS key rotation on Accelerator-created KMS keys (#619)
  • SCP policy enhancements (#614)
    • remove references to the ALZ solution, freeing SCP space
    • fix overly permissive Unclass OU permissions
    • enable KMS key deletion in the Sandbox OU
  • Add additional firewall config replacement variables (for future use) (#625)
  • Add SCP and config file variable replacement capabilities (#623)
    • Enable changing region settings without requiring customers to manually update SCP files
    • add ${HOME_REGION} and ${GBL_REGION} to simplify installing in non-ca-central-1 regions
    • add customer-provided replacement variable options, defined in the config file, to allow all updates in one spot
    • add ${ACCELERATOR_PREFIX}, ${ACCELERATOR_NAME}, ${ACCELERATOR_PREFIX_LND} and ${ACCELERATOR_PREFIX_ND} variables
      • first step towards enabling installation with a different Accelerator prefix
      • while the installer prefix is now a CloudFormation parameter, setting the prefix will NOT be supported until v1.3.0
      • changing the prefix on existing deployments will NEVER be supported

Fixes

  • Fix catch exception on SSM GetParameter for accelerator/version with new installs (#635)
  • Fix failure when both inbound and outbound resolvers are defined but set to false (#609)
  • Fix enabling new IAM policy creation based on Org config (#610)
  • Fix the remove-account or leave-organization action trigger (#618)

Documentation

  • Improve upgrade instructions, incl. clarifying v1.2.4 config file requirements (#602) (#628)
  • FAQ enhancements, incl. ACM and customer-provided SCP upgrade handling procedures (#603) (#616) (#617)
  • Updated the "What we do where" document (#625)

Config file changes

  • Added auto-remediating S3 encryption rule in the Sandbox OU to reduce Security Hub noise (Optional)
  • Tweaked Access Denied CloudWatch alarm to reduce noise (Optional)
  • Renamed Accelerator-provided default files containing references to 'PBMM' (Mandatory)
    • Repo-provided SCP files and RDGW policy files need to be updated to reflect the new filenames
    • Additionally, updated SCP names and descriptions
  • Added new major config file replacements section (Mandatory)
  • Replaced references to regions and the Accelerator prefix throughout with variables (Optional)
  • Ran Prettier on SCP files

Release v1.2.5

05 Feb 04:20
6d6e0d2

STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations of v1.2.5 continue to function

IMPORTANT

  • Releases prior to v1.2.5 leverage APIs being deprecated on March 31, 2021; please upgrade accordingly
  • A manual pre-upgrade procedure is required before upgrading to v1.2.5, see Upgrade Considerations in the Installation Guide
  • UPDATE: The Organization Account Access Role (default: AWSCloudFormationStackSetExecutionRole) has been moved within the governance structure. This role can continue to be used for troubleshooting/investigative purposes, without the previously associated risk. It can no longer be used to perform corrective actions or make changes to ASEA-controlled resources.

Enhancements

  • Pinned all dependencies to exact versions (#563) (#558) (#588)
  • Upgraded CDK from 1.75.0 to 1.85.0 (#587)
  • Removed references to deprecated CDK modules (#585)
  • Migrated off StackSets, enabling customers to define a custom Org account trust role (#568) (#576) (#579) (#583)
  • Added state machine flag to enable rebuilding "storeAllOutputs" (#554)
  • Prevent multiple concurrent Accelerator executions (#575)
  • Add ability to create a cross-account role with read-only access to the log-archive bucket (#543) (#589) (#596)
    • Used to feed SIEM solutions in the Ops account
  • Minor CloudWatch Event and SCP enhancements

Fixes

  • Add missing rsyslog parameter to SSM Parameter Store in the perimeter account (#555)
  • Fix new installations with 3 AZs, which caused MAD deployments to fail (#565)
  • Resolve S3 'consistency' issues caused by enabling bucket versioning (#564)
  • Fix issue when CloudWatch central logging was only enabled on a single central account (#566)
  • After 100 upgrades, Parameter Store truncates the version history, dropping the initial install version (#574) (#577)
  • CreateAccount trigger fails when triggered by an IAM user (#573)
  • Fix missing protections for unsupported or risky config file changes (#584)
  • Continue to apply customer customizations to non-core config files found in the customer bucket after upgrades (#591)
  • Bypass SCP change prevention on ignored-ous (#595)

Documentation

  • Add additional sample Accelerator config files (ultra-lite and multi-region) (#562)
  • Add documentation detailing Accelerator config file protections
  • Update documents for the v1.2.5 release, clarify the upgrade process, remove pre-1.2.0 references
  • Minor tweaks and clarifications
  • Fix PDF document generator

Config file changes

  • Renamed ssm-log-archive-access to ssm-log-archive-write-access (both supported interchangeably for several releases)
  • Added ssm-log-archive-read-only-access parameter (Optional)
  • Tweaked MFA CloudWatch alarm to reduce noise (Optional)
  • Added additional CloudWatch alarm (IAM Unapproved IP) (Optional)