
Releases: aws-samples/aws-secure-environment-accelerator

Release v1.3.3

01 May 21:00
1c925a1


Enhancements

  • Add a new optional verbose logging level for the state machine (#698)
  • Add the ability to optionally control account level SCPs with the Accelerator (#708)
  • Add support for up to 5 CIDR ranges on VPCs (#705)
  • Minor security enhancements (#704)
    • Tighten permissions on one role
    • Tighten VPC interface endpoint security group permissions and enable customization
  • Accelerator uninstall script improvements (#709)(#719)
  • Add SCP to block ClientVPN Setup/Configuration (#725)

Fixes

  • Fail the state machine if a CloudWatch Metric cannot be deployed due to a missing log group (#697)
  • Extra validation to ensure GuardDuty enabled on all member accounts (#721)
  • Handle SCP attachment events on Accelerator managed OUs and accounts (#720)
  • Stop removal of customer SCPs from accounts when not Accelerator managed (#711)
  • Only attach NAT gateways to subnets as defined in the config file (#705)
  • Remove assumerole block on Accelerator role SCP (#723)

Documentation

  • Update documentation for v1.3.2 and v1.3.3 (#699) (#723)
    • Install guide, FAQ, Sample Snippets, State Machine Inputs

Config file changes

  • Subnet level "cidr2": objects renamed to "cidr": (MANDATORY)(#723)
  • VPC level "cidr2": "a.b.c.d/z" field changed to array "cidr2": ["a.b.c.d/z"] (MANDATORY)(#723)
  • Replaced several CIDR ranges with variables (OPTIONAL)(#723)
    • Enables updating these values in one place rather than many
    • Highlights values that may need to be updated by customers
  • Updated the default organization-admin-role to align with AWS default (NEW INSTALLS ONLY)(#723)
  • Removed duplicate NIST800-53 Config rules which overlapped with deployed Security Hub rules (RECOMMENDED)(#722)
  • In release v1.3.1 we missed adding "security-hub": true to the sample config files (RECOMMENDED) (#690)
  • Add logs and monitoring endpoints to the lite sample config file to resolve session manager issues (RECOMMENDED) (#712)
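The two mandatory CIDR changes above (VPC level "cidr2" string becomes an array, subnet level "cidr2" object is renamed to "cidr") are mechanical, so they can be applied and verified with a small script before the upgrade is run. The script below is an added example, not code from the Accelerator repository; the only facts it relies on are the two rules from these release notes. The sample config it migrates is constructed for illustration, and the nesting around the "cidr2" keys ("vpc", "subnets", "definitions") is an assumption, which is why the walker does not depend on where VPCs and subnets sit in the file: a string-valued "cidr2" is treated as VPC level and an object-valued one as subnet level.

```python
"""Migrate the v1.3.2 CIDR layout of an Accelerator-style JSON config to v1.3.3.

Rules taken from the v1.3.3 release notes:
  * VPC level:    "cidr2": "a.b.c.d/z"   ->  "cidr2": ["a.b.c.d/z"]
  * Subnet level: "cidr2": { ... }       ->  "cidr":  { ... }
Array-valued "cidr2" keys are already in the new layout and are left alone,
so running the migration twice is safe (idempotent).
"""
import json
from typing import Any, List


def migrate_cidr_keys(node: Any) -> Any:
    """Return a migrated deep copy of `node`; the input is never modified."""
    if isinstance(node, list):
        return [migrate_cidr_keys(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "cidr2" and isinstance(value, str):
            out["cidr2"] = [value]                  # VPC level: scalar -> array
        elif key == "cidr2" and isinstance(value, dict):
            out["cidr"] = migrate_cidr_keys(value)  # subnet level: rename key
        else:
            out[key] = migrate_cidr_keys(value)
    return out


def legacy_cidr_paths(node: Any, path: str = "$") -> List[str]:
    """List JSONPath-like locations that still use the pre-v1.3.3 layout.

    An empty result after migration is the check to run before upgrading.
    """
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "cidr2" and isinstance(value, (str, dict)):
                hits.append(here)
            hits.extend(legacy_cidr_paths(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(legacy_cidr_paths(item, f"{path}[{i}]"))
    return hits


# Constructed sample input (not a real Accelerator config): the "cidr2" keys
# follow the release notes; the surrounding nesting is assumed.
SAMPLE_V132 = {
    "mandatory-account-configs": {
        "shared-network": {
            "vpc": [
                {
                    "name": "Endpoint",
                    "cidr2": "10.2.0.0/16",
                    "subnets": [
                        {
                            "name": "App",
                            "definitions": [
                                {"az": "a", "cidr2": {"value": "10.2.1.0/24"}},
                                {"az": "b", "cidr2": {"value": "10.2.2.0/24"}},
                            ],
                        }
                    ],
                }
            ]
        }
    }
}

if __name__ == "__main__":
    print("legacy keys before:", legacy_cidr_paths(SAMPLE_V132))
    migrated = migrate_cidr_keys(SAMPLE_V132)
    print("legacy keys after: ", legacy_cidr_paths(migrated))
    print(json.dumps(migrated, indent=2))
```

To use it on a real file, load the config with `json.load`, pass it to `migrate_cidr_keys`, confirm `legacy_cidr_paths` returns an empty list, and write the result back; the variable-replacement and NIST rule removals listed above are separate edits and are not touched by this script.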

Release v1.3.2

06 Apr 18:43
656cd70


IMPORTANT

  • All new installations and upgrades must use v1.3.2 or higher

Fixes

  • Pin pnpm version (breaking issue for new installs/upgrades)
  • Improve SCP for root user
  • Improve SEA cleanup script

Release v1.3.1

29 Mar 18:55
dbf0d12


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

Enhancements

  • Enable deletion protection on all SEA deployed ELBs
  • Enable central logging for rsyslog NLB
  • Add bucket policies on all SEA buckets to enforce https access
  • Enable guardrail deployment in new ap-northeast-3 region in sample config files
  • Enhance SCPs to block making snapshots public/sharing

Fixes

  • Add pagination to SSM document sharing API call
    • deploying new documents to orgs with more than 20 accounts causes failure
  • CloudWatch log groups created in Phase5 missing subscription and retention settings
  • Improve API error handling (back-off, retry improvements)
  • Add pnpm lock file to pin all nested dependencies
    • this issue breaks all previous releases

Documentation

  • Update installation document for v1.3.1 release

Config file changes UPDATE (missed in original release notes)

  • Added new parameters to allow enabling/disabling Security Hub, to allow guardrail deployment in the ap-northeast-3 region
    • customers must add global-options\central-security-services\security-hub: true, or existing Security Hub deployments will be removed (MANDATORY)

Release v1.3.0

13 Mar 04:08


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

IMPORTANT

  • Please note MAJOR changes to state machine behavior, as documented here.

Features

  • Centralize Accelerator CDK buckets (one bucket per region instead of one per account per region) (#572)
    • move to new CDK default synthesizer from the legacy synthesizer
  • Enable customer control of State Machine execution scope (#606)(#637)
  • Enable deploying customer provided config rules (#654)
    • Detect and remediate EC2 instances without a role (to allow using Systems Manager and Centralized Logging)
    • Detect and remediate EC2 instance profiles without desired permissions (to allow using Systems Manager and Centralized Logging)

Enhancements

  • Convert to Org based permissions to avoid policy size challenges (#622)
  • Update firewalls to v6.4.4, refine configs and add option to provision the 2nd tunnel/connection (#638)
  • Enable changing Accelerator prefix for NEW installs (#632)(#639)
  • Change the default Github and CodeCommit repo branch names to main (#647)(#648)(#643)(#645)

Fixes

  • Fix intermittent issue with ssm-log-archive-write-access feature (#653)
  • Revert SCP change to enable root to suspend accounts

Documentation

  • Update sample config files (#659)
  • Update Docs to reflect v1.2.6 and v1.3.0 releases (#634)(#656)
  • Improve ACM cert import documentation (add "chain" attribute) (#640)

Config file changes

  • Removed "managed-rules" level from aws-config json object (MANDATORY)
  • Renamed master account keys to management account keys (New installs ONLY)
  • Added new VPCFlow log fields (Optional)
  • Replaced all uses of the Accelerator prefix (PBMMAccel) with variables (Optional)
  • Deploy new SSM document Attach-IAM-Instance-Profile (Optional)
  • Deploy new custom config rule EC2-INSTANCE-PROFILE (Optional)
  • Updated firewall AMIs to v6.4.4 (New installs ONLY)

Release v1.2.6-a

25 Feb 02:30
d60f214


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations continue to function

Enhancements

  • Enable automatic KMS key rotation on Accelerator created KMS keys (#619)
  • SCP Policy enhancements (#614)
    • remove references to ALZ solution freeing SCP space
    • fix overly permissive Unclass OU permissions
    • enable KMS key deletion in Sandbox OU
  • Add additional Firewall config replacement variables (for future use) (#625)
  • Add SCP and config file variable replacement capabilities (#623)
    • Enable changing region settings without requiring customers to manually update SCP files
    • add ${HOME_REGION} and ${GBL_REGION} to simplify installing in non ca-central-1 regions
    • add customer provided replacement variable options, defined in the config file to allow all updates in one spot
    • add ${ACCELERATOR_PREFIX}, ${ACCELERATOR_NAME}, ${ACCELERATOR_PREFIX_LND}, ${ACCELERATOR_PREFIX_ND} variables
      • first step to enable installing with a different Accelerator Prefix
      • while the installer prefix is now a CloudFormation parameter, setting the prefix will NOT be supported until v1.3.0
      • changing the prefix on existing deployments will NEVER be supported

Fixes

  • Fix catch exception on ssm GetParam for accelerator/version with new installs (#635)
  • Fix failure when both inbound and outbound resolvers are defined but set to false (#609)
  • Fix enabling new IAM policy creation based on Org config (#610)
  • Fix remove account or leave organization action trigger (#618)

Documentation

  • Improve upgrade instructions incl. clarify v1.2.4 config file requirements (#602)(#628)
  • FAQ Enhancements, incl. ACM and customer provided SCP upgrade handling procedures (#603)(#616)(#617)
  • Updated the "What we do where" document (#625)

Config file changes

  • Added auto-remediating s3 encryption rule in Sandbox OU to reduce Security Hub noise (Optional)
  • Tweaked Access Denied Cloud Watch Alarm to reduce noise (Optional)
  • Renamed Accelerator provided default files containing references to 'PBMM' (Mandatory)
    • Repo provided SCP Files and RDGW policy files need to be updated to reflect new filenames
    • Additionally, updated SCP names and descriptions
  • add new major config file replacements section (Mandatory)
  • replaced references to regions and Accelerator prefix throughout with variables (Optional)
  • Prettier on SCP files

Release v1.2.5

05 Feb 04:20
6d6e0d2


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Existing installations of v1.2.5 continue to function

IMPORTANT

  • Releases prior to v1.2.5 leverage APIs being deprecated on March 31, 2021; please upgrade accordingly
  • A manual pre-upgrade procedure is required before upgrading to v1.2.5, see Upgrade Considerations in the Installation Guide
  • UPDATE: The Organization Account Access Role (default: AWSCloudFormationStackSetExecutionRole) has been moved within the governance structure. This role can continue to be used for troubleshooting/investigative purposes, without the previous associated risk. It can no longer be used to perform corrective actions or make changes to ASEA controlled resources.

Enhancements

  • Pinned all dependencies to exact versions (#563)(#558)(#588)
  • Upgraded CDK from 1.75.0 to 1.85.0 (#587)
  • Removed references to deprecated CDK modules (#585)
  • Migrated off StackSets, enabling customers to define a custom Org account trust role (#568)(#576)(#579)(#583)
  • Added state machine flag to enable rebuilding "storeAllOutputs" (#554)
  • Prevent multiple concurrent Accelerator executions (#575)
  • Add ability to create cross-account role with read-only access to log-archive bucket (#543)(#589)(#596)
    • Used to feed SIEM solutions in Ops account
  • Minor CloudWatch Event and SCP enhancements

Fixes

  • Add missing rsysLog parameter to SSM ParameterStore in perimeter account (#555)
  • Fix new installations with 3 AZs which caused MAD deployments to fail (#565)
  • Resolve S3 'consistency' issues caused by enabling bucket versioning (#564)
  • Fix issue when CloudWatch central logging was only enabled on a single central account (#566)
  • After 100 upgrades, parameter store truncates version history, dropping initial install version (#574)(#577)
  • CreateAccount trigger fails when triggered with IAM user (#573)
  • Fix missing protections for unsupported or risky config file changes (#584)
  • Continue to leverage customer customizations to non-core config files found in customer bucket after upgrades (#591)
  • Bypass SCP change prevention on ignored-ous (#595)

Documentation

  • Add additional sample Accelerator config files (ultra-lite and multi-region) (#562)
  • Add documentation to detail Accelerator config file protections
  • Update documents for v1.2.5 release, clarify upgrade process, remove pre-1.2.0 references
  • Minor tweaks and clarifications
  • Fix PDF document generator

Config file changes

  • renamed ssm-log-archive-access to ssm-log-archive-write-access (both supported interchangeably for several releases)
  • added ssm-log-archive-read-only-access parameter (Optional)
  • Tweaked MFA Cloud Watch Alarm to reduce noise (Optional)
  • Add additional Cloud Watch Alarm (IAM Unapproved IP) (Optional)

Release v1.2.4

05 Jan 21:10
22ed587


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021

IMPORTANT

  • Upgrading to this release (or a newer release) requires mandatory updates to the configuration file as described below

Enhancements

  • Set S3 bucket ownership flag on log-archive buckets (#522) (5bb589a)
  • Script to generate Accelerator config rules based on AWS Conformance packs (#530) (a19cb57)
  • Add an additional 94 config rules based on the NIST800-53 Conformance pack (#540) (4785097)
  • Add a 2nd remediating config rule (S3 bucket KMS encryption) (#536) (cea5fe1)
    • while customers can provide their own SSM documents, this remediation required a minor code change
  • Switch to Amazon ECR Public image for the build image to avoid Docker throttling issues (#544) (4e3d68d)
  • CDK upgrade to v1.75.0 (#520) (372aba4)

Fixes

  • Fix issues related to suspending AWS accounts (#518/#546) (3ad41ad)(a8aec1a)
    • Updated SCPs to allow for account suspension (#542) (11a98ed)
    • Updated FAQ document to reflect suspension process
  • Pin Lambda versions to prevent old Lambda versions from executing during upgrades (#537) (6223d8d)
  • Pin a 3rd party dependency which broke new installs (#553) (22ed587)
  • Move zone configuration to VPC config / add a central-endpoint vpc flag (#528/#535) (47cd70b)(15647d7)
    • fixes issues with an ultra-lite config file (i.e. removal of endpoint VPC)
    • enables defining R53 zones on any VPC, not just the central VPC
  • Update Security Hub automation to enable disabling security standards and controls using Accelerator config file (#526) (e76f581)
  • Fix issue related to not deploying any IAM policies in the Accelerator config file (#529) (71c48fb)
  • Fix issue related to using arrays with multi-part config files (#521) (c364f85)

Documentation

  • Enhance Installation and Operations Guides
    • Add v1.1.4 to v1.2.3 upgrade instructions
  • Finalize Developer guide
  • Move FAQ from Installation Guide to separate document, enhance content
  • Move config file customization info from Installation Guide to Customization Guide
  • Tweak sample configuration files

Config file changes

  • Upgrading to this release requires mandatory updates to the configuration file (see latest sample config files) (PR528)
    • the zones section should be removed from global-options (will simply be ignored if not removed)
    • "central-endpoint": true MUST be added to the endpoint VPC config in the shared-network account
    • any previously deployed zones MUST be added to the endpoint VPC config in the shared-network account, i.e.
      "zones": {
        "public": ["cloud-hosted-publicdomain.example.ca"],
        "private": ["cloud-hosted-privatedomain.example.ca"]
      }
  • Optionally decide to deploy the 94 new config rules (PR540) and the new S3 bucket auto-remediation (PR536)

Release v1.2.3

26 Nov 13:25


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021

Features

  • Enable new GuardDuty S3 protection feature (#509) (ab572db)
  • Deploy and share SSM Documents (ELB sample remediation document) (#469) (b47977f)
  • Deploy Config Rules with SSM remediation (ELB sample rule) (#469) (b47977f)
    • additional rules will be added via a config file update prior to next release

Enhancements

Fixes

  • Lambda Timeout (OU-Validation) when using YAML (#475) (6d366c3)
  • Adding new AZs (subnets) to a TGW attached subnet causes SM failures (#470) (0ba50a2)
  • SCP tweak - fix Neptune/DocDB issue (#468) (b3aa4da)
  • Fix adding local interface endpoints when VPC already using central endpoints (#463) (fcb9f26)
  • Improve limit check logic to handle removals at same time as additions (#460) (0378ab8)
  • Properly manage suspended AWS accounts (#464) (d2946a7)
  • Issue when upgrading from older releases (i.e. v1.1.4) (#513)
  • Fix typo in account move logic (#513)

Documentation

  • Refine and update Installation Guide
    • Add detailed Fortigate configuration document
  • Update, clarify and improve Developer Guide
  • Document what we do where (which services in which regions)
  • Migrate roadmap to GitHub Projects
  • Migrate Issues management to GitHub Issues
  • Minor readme.md modifications

Release v1.2.2

28 Oct 02:14
3651126


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021

Fixes

  • ALBs fail to deploy when Accelerator home region is not ca-central-1
  • Add additional back-off, retry code for ConfigRecorder bucket permission errors (eventual consistency)
  • Fix the security group naming fix

Enhancements

  • Code: Replace TSLint with ESLint
  • Minor SCP improvements to better protect Accelerator integrity
  • Sample config file refinements (optional)

Documentation

  • Update repo files for open sourcing (License, Notice, Changelog, Contributing, etc.)
  • Clarify and improve installation instructions, operating instructions and FAQs
  • Minor tweaks throughout documentation

Release v1.2.1b

13 Oct 15:08
ae631c4


STOP

  • This release is no longer supported for new installations or upgrades, use v1.3.2 or above
  • Given the API deprecations resolved in v1.2.5, we recommend upgrading to v1.2.5 or above before March 31st, 2021

Fixes

  • Fix upgrade failure from v1.2.0 to v1.2.1 (#422) (86647d2)
  • Fix clean installation issue created in v1.2.1 (#423)
  • Minor documentation tweaks

Documentation

  • Added unofficial Secure Environment Accelerator feature Roadmap