Release v1.5.8

NOTES

• Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

• Customers MUST update their ASEA installer stack with the provided CloudFormation template for this release.

  • This release includes important runtime and bug fix updates that customers should install. This release focuses on stability and preparing for the end of support.
  • It's recommend customers on older versions upgrade to 1.5.7-b first before moving to v1.5.8.
  • Upgrade testing for future releases will only be for upgrades from v1.5.8 or higher
  • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future Release will help customers upgrade from ASEA to LZA.
  • End of support is expected in Q2 2025. Upgrades from ASEA to LZA will occur over the few quarters.

FEATURES

• None

FIXES

• Fix issue with vpcEndpoint az lookup (#1194) (8f590e0)
• Upgrade to Node 18 runtimes (#1189) (d940dfa)

Release v1.5.7-b

NOTES

• Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments
  • Upgrade testing for future releases will only be for upgrades from v1.5.7-b or higher
  • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future Release will help customers upgrade from ASEA to LZA.
  • End of support is expected in Q4 2024. Upgrades from ASEA to LZA will occur over the next year.
• Note that the Organization SCPs (in Reference Artifacts) have multiple changes to address AWS service changes, etc. Customers should review and reconcile differences between these reference artifacts and the SCPs they currently have in place.

FEATURES

• Configuration and docs to enable SSM Quick Setup patch policies (centralized patching) (#1157) (9478471)
• Implement versioning on ASEA Docs site (#1128) (7655c29)

FIXES

• Cloudwatch Logs customer subscription filters being removed (#1172) (10d3790)
• Policy changes rule must only revert SCPs; not backup or tag policies (#1169) (b363bf5)
• Multiple Organizations SCP updates (#1167) (30e9be4)
• Add support for EC2 IMDSv2 (#1161) (4e72dec)
• Fix sfn deployment (#1158) (caee051)
• Support for EC2 Launch templates (#1156) (e571cf2)
• Fix for EventBridge notifications sent to SNS (#1132) (4df28a9)
• Node 16 ASEA update (#1149) (d628fd8)

Release v1.5.6-a

Notes

• v1.5.6-a was released to address an issue with log replication. If you already upgraded to v1.5.6 reach out to your AWS Account Team for instructions on additional steps required while upgrading to v1.5.6-a from v1.5.6

• Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

• Existing customers MUST upgrade to v1.5.6 or higher to avoid impacts by 2023-06-01

  • Upgrade testing for future releases will only be for upgrades from v1.5.6 or higher
  • AWS CDK version 1 will reach its end-of-support, and will no longer receive updates or releases
  • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future Release will help customers upgrade from ASEA to LZA.
  • End of support is expected in Q2 2024. Upgrades from ASEA to LZA will occur over the next year.

• IMPORTANT - In order to implement the VPC flow log fix (#1112) (b5dc19c):

1. Before update: for every VPC of the configuration, change the “flow-logs” option to “CWL”
2. Execute the State Machine in Full Apply mode. Wait for successful completion
3. Change the “flow-logs” option to the original value (“BOTH”) (don’t re-run the state machine)
4. Follow the general instructions to update ASEA to version 1.5.6
5. Update the CloudFormation stack
6. Run the ASEA-InstallerPipeline
7. When the ASEA-InstallerPipeline completes it will trigger the State Machine. Verify that it completes successfully

FIXES

• Fixes logging bucket replication not being applied.
• CDK Rebase (from v1 to v2) (#1117) (6642b61)
• Adjust vpc flow log creation logic (#1112) (b5dc19c)
• AWS Config rule IAM Password Policy boolean values (#1100) (58208ad)
• Update alb ip monitor dns lookup check (#1076) (fe0ed82)
• Switch Log archive bucket policy to Org policy (#1051) (696adb8)
• Lambda timeout in large customer environments (#1020) (bed0a62)

DOCUMENTATION

• Update install.md (#1115) (2a5ed54)

CONFIG FILE CHANGES

• None

Release v1.5.6

Notes

• This release was REPLACED by v1.5.6-a due to an issue, customers should upgrade to v1.5.6-a instead

• Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

• Existing customers MUST upgrade to v1.5.6 or higher to avoid impacts by 2023-06-01

  • Upgrade testing for future releases will only be for upgrades from v1.5.6 or higher
  • AWS CDK version 1 will reach its end-of-support, and will no longer receive updates or releases
  • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future Release will help customers upgrade from ASEA to LZA.
  • End of support is expected in Q2 2024. Upgrades from ASEA to LZA will occur over the next year.

• IMPORTANT - In order to implement the VPC flow log fix (#1112) (b5dc19c):

1. Before update: for every VPC of the configuration, change the “flow-logs” option to “CWL”
2. Execute the State Machine in Full Apply mode. Wait for successful completion
3. Change the “flow-logs” option to the original value (“BOTH”) (don’t re-run the state machine)
4. Follow the general instructions to update ASEA to version 1.5.6
5. Update the CloudFormation stack
6. Run the ASEA-InstallerPipeline
7. When the ASEA-InstallerPipeline completes it will trigger the State Machine. Verify that it completes successfully

FIXES

• CDK Rebase (from v1 to v2) (#1117) (6642b61)
• Adjust vpc flow log creation logic (#1112) (b5dc19c)
• AWS Config rule IAM Password Policy boolean values (#1100) (58208ad)
• Update alb ip monitor dns lookup check (#1076) (fe0ed82)
• Switch Log archive bucket policy to Org policy (#1051) (696adb8)
• Lambda timeout in large customer environments (#1020) (bed0a62)

DOCUMENTATION

• Update install.md (#1115) (2a5ed54)

CONFIG FILE CHANGES

• None

Release v1.5.5

Notes

• All new installations and upgrades MUST use v1.5.5 or higher
• Existing customers MUST upgrade to v1.5.5 or higher to avoid impacts
  • Changes to tagging behavior (#1085) (impacts new and existing accounts now)
    • see ticket #1085 for potential manual workaround
  • Changes to IAM role trust behavior (impacts existing accounts effective Feb 14, 2023, new accounts now)
  • Node.js deprecation (See note by Brian969 on #1033) (impacts all customers effective March 31st, 2023)
• Upgrades are only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Adjust CloudWatch Log role permissions based on changes to tagging behaviour (#1085)
  • current issue resolved, more updates may be required once root cause fully understood
• Rollback delayFirstAttempt setting in back-off/retry code (#1077)

DOCUMENTATION

• Updates to ASEA Sample Sensitive Architecture document (#1070)

CONFIG FILE CHANGES

• Customers who hardcoded their RDGW AMI-id based on the issues we were having with cfn-init need to revert these changes back to the latest variable used in the sample config files. The latest AMI has been fixed. The hardcoded Windows AMI has been deprecated and will cause failures.

Release v1.5.4-a

Notes

• This release is no longer installable based on changes to CloudWatch Log group tagging behavior
• All new installations and upgrades MUST use v1.5.5 or higher
  • Previous releases were also impacted by changes to IAM role trust policy behavior
• All existing customers MUST also update to v1.5.4-a or higher before Feb 14, 2023 Nov 14, 2022 to avoid both the Node.js 12 deprecation impacts and the IAM role trust policy changes
  • See note by Brian969 on Issue #1033 for Node.js specific impacts
  • the IAM role trust policy change may impact new account provisioning effective Sept 21, 2022 (existing accounts have been allow-listed until Feb 15, 2023)
• Please be aware of the security advisory fixed in v1.5.3
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Fix typo in new IAM role trust policy (#1069)

Release v1.5.4

Notes

• This release was REPLACED by v1.5.4-a due to an issue, customers should upgrade to v1.5.4-a instead

ENHANCEMENTS

• Add GuardDuty Kubernetes protection support (#1058)
• Add GuardDuty frequency customization support (#1057)

FIXES

• Address new IAM role trust policy behavior (#1066)
• Upgrade CDK to v1.174.0 to address Node.js 12 deprecation (#1066)
• Update EC2-INSTANCE-PROFILE-PERMISSIONS config rule to reduce CI generation noise (#1065)
• Add jitter to state machine back-off retry code to reduce retry failures (#1050)
• Decrease Lambda concurrency limit to 10 based on new customer limits (#1062)
• Fix issue with ALB forwarder when no HOSTS defined (#1019)

DOCUMENTATION

• Minor documentation tweaks (#1028)(#1067)(#1055)

ADD-ONS

• OpenSearch SIEM enhancements including Node.js 12 deprecation updates (#1056)

CONFIG FILE CHANGES

• Updates for Control Tower v3.0 (MANDATORY for Control Tower customers)
  • only deploy CloudWatch Alarms & Metrics in Management account (#1027)
• GuardDuty enhancements (OPTIONAL)
  • "guardduty-frequency": "FIFTEEN_MINUTES" or "ONE_HOUR" or "SIX_HOURS" (#1057)
  • "guardduty-eks": true and "guardduty-eks-excl-regions": [], (#1058)
• Remove duplicate line from SCP files (#1067)

Release v1.5.3

Notes

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Please be aware of the security advisory impacting older releases
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Fix SCP spelling issue, changing tagging to tag (#1014)
• Fix State Machine failure when account starts with a number and contained a local VPC (#1015)
• Fix Javascript issue (#1016)
  • prevented creation of IAM users defined in workload-account-configs
  • prevented creation of IAM roles with similar names when defined in workload-account-configs
  • fix issue with IAM workload account roles (security advisory)

DOCUMENTATION

• Very minor documentation tweaks (#1018)(#1017)

CONFIG FILE CHANGES

• Change "rsyslog-enforce-imdsv2" back to false (RECOMMENDED)
  • moving rsyslog to IMDSv2 broke rsyslog functionality

Release v1.5.2

Notes

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FEATURES

• Add AWS Outpost, Local Zone, and Wavelength support (#964) (Spec: #963)
  • Enable local subnet creation
  • Enable targeting customer created objects in ASEA managed route tables (required to target LGW)
• Add option to collect ASEA configuration and metadata in a new restricted log archive bucket (#976) (Spec: #1011)
  • Enables providing visibility into ASEA deployed configuration without access to the Org mgmt. account (i.e. SOC)

FIXES

• Enable support for IAM conditions w/role policies (#1003)
• Leverage region STS endpoints, rather than the global endpoint (#997)
• Fix issues w/ASEA removing Control Tower SCP's in certain situations (#998)
• Filter out non-active Organizational accounts from state machine activity (#981)
• Fix Lambda role permissions w/KMS keys which broke SNS alerting in v1.5.1 (#971)
• Fix spelling error in CloudWatch metric (#973)
• Add warn message when TGW route fails to deploy (#979)
• Allow reading tags outside Canada (enables installing OpenShift) (#977)

DOCUMENTATION

• Doc tweaks and enhancements, fix broken links, etc. following upgrade to MKDocs (#1008)(#975)(#970)(#961)(#959)(#958)(#956)(#955)(#948)

ADD-ONS

• DDB-Update - Enabled Versioning on the S3 Bucket (#954)
• opensiem - Move to SNS topics to enable supporting multiple log consumers (#952)
• opensiem - Update packages and cdk (#949)

CONFIG FILE CHANGES

• Add "meta-data-collection": true to global-options (OPTIONAL)
• Add "meta-data-read-only-access": true to any role to enable log archive bucket access (AS NEEDED)
  • similar to "ssm-log-archive-read-access" and "ssm-log-archive-write-access"
• Outposts support (AS NEEDED)
  • Add additional options to subnet "az" field (i.e. "us-east-1-atl-1a", instead of just "a")
  • Add "outpost-arn" field to subnet object
  • Add "lgw-route-table-id" field to VPC object
• Enable route tables to target externally created objects (AS NEEDED)
  • Add "customer" option to route table "target" field
  • Add "type" and "target-id" fields to route table entries (i.e. "localGatewayId" and "lgw-12345678901234567")

Release v1.5.1-a

NOTES

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Upgrades were only supported directly from v1.3.8, v1.3.9, v1.5.0, and v1.5.1

FIXES

• Fix issue with YAML based config files in v1.5.1 (#947)
• Fix error finding log-archive bucket during new installs in v1.5.1 (#947)

Documentation

• Upgrade documentation to Material Theme for MKDocs & moved to GitHub Pages (#955)
  • Improved documentation navigation, improved documentation formatting, new documentation search capabilities
  • Moved config file schema online
  • New location