
Releases: aws-samples/aws-secure-environment-accelerator

Release v1.5.1

17 Mar 05:15
61fb150

NOTES

  • This release is no longer installable due to changes in IAM role trust policy behavior and in tagging behavior (#1085); use v1.5.5 or above
  • This release was REPLACED by v1.5.1-a due to two issues
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0

FEATURES

  • Enable forwarding Security Hub findings to CloudWatch Logs (#867)
    • which also ensures they land in the central log archive S3 bucket
  • Kinesis Firehose dynamic partitioning (#861)(#910)
    • enables separating customer specified CWL Groups into separate folders in the central S3 bucket
    • enables separating Security Hub logs into their own folder
  • Add ability to enable SSM Inventory Collection by OU and/or accounts (#900)
  • Added Accelerator Immersion days (Workshops) to the ASEA home page

ENHANCEMENTS

  • Add ability to enforce IMDSv2 on all launch types (firewalls, rsyslog, RDGW and autoscaling groups) (#869)(#859)
  • Add ability to specify rsyslog userdata in the config file (#902)
  • Encrypt central logging Kinesis stream w/CMK (#888)
  • Encrypt SNS topics w/CMK (#883)(#932)
  • Set disable-api-termination on firewall and firewall manager instances (#858)
  • Improve state machine config file error handling (#941)(#920)(#898)(#891)
  • Update CDK version and various other dependencies (#933)(#925)(#866)(#865)
  • Enhance GitHub test, release and doc generation scripts (#884)(#852)(#847)
  • Improve ASEA developer script (#928)

FIXES

  • Improve SCP error handling, ignore SCP attach/detach on nested OUs (#942)(#845)(#846)
  • Fix for log archive bucket RO Role resource policies occasionally being overwritten (#921)
  • Fix for read only access role on log archive AES bucket (#913)
  • Multiple SCP and permissions fixes for Control Tower (#886)(#918)(#881)(#885)
  • Various additional SCP enhancements (#914)(#842)(?)
  • Improve NFW deployment error handling when CWL group already exists (#868)
  • Ensure global region is always in supported-regions array (#930)(#934)
  • Tweaks to the uninstall script and the v150 upgrade script (#906)(#872)(#848)(#840)
  • Update issue in firewall-example-A-A-multitunnel.txt causing asymmetric routing (#894)
  • Fix scaling issue with bootstrap state machine (#879)

DOCUMENTATION

  • Add pricing estimates for example config files (#917)
  • Improve central logging documentation / add log flow architecture diagram (#943)
  • Add a list of ASEA leveraged and orchestrated services (#911)
  • Various enhancements across the documentation:
    • FAQ, installation, v1.5.0 upgrade, sm-inputs, architecture, customization guides
  • Enhance main readme page to make the config file schema more visible (#922)

CONFIG FILE CHANGES

  • Renamed GCWide subnet to App2 subnet (NEW INSTALLS ONLY) (#864)
  • Add "ssm-inventory-collection": true on each OU (OPTIONAL)
  • Add "rdgw-enforce-imdsv2": true on rdgw instance(s) (RECOMMENDED)
  • Add "rsyslog-enforce-imdsv2": true on rsyslog auto-scaling group (RECOMMENDED)
  • Add "dynamic-s3-log-partitioning" section to global-options (RECOMMENDED)
  • Add "enforce-imdsv2": true to 3rd party firewall configs (NOT recommended)
    • not supported by the utilized 3rd party vendors

ADD-ONS

Provide example add-on solutions and code to demonstrate extending ASEA functionality outside the core codebase

  • OpenSearch SIEM for ASEA Add-on (#915)
  • Auto-populate DDB CIDR management tables from S3 (#919)

Release v1.5.0

26 Oct 21:44
db86cdd

IMPORTANT

  • This release is no longer installable due to changes in IAM role trust policy behavior and in tagging behavior (#1085); use v1.5.5 or above
  • This was a major release and includes custom upgrade instructions
  • This release includes all fixes and enhancements up to and including previous v1.3.9

FEATURES

  • Add support to install on top of and leverage AWS Control Tower (CT) features (#492)
    • add ability to create a separate Organization S3 DataPlane trail
    • extend CloudWatch Metrics and Alarms to support "accounts": ["ALL"]
    • when ct-baseline=true
      • existing deployments can NOT upgrade at this time, new installs only
      • changes to support all 4 account creation methods (Orgs, ASEA, Account Factory, AWS API)
      • tweak SCP code to allow inter-operability with Control Tower
      • does not create the Organization control plane CloudTrail (as CT creates account based Trails)
      • only deploys Config Recorders in the root account and non-CT regions in sub-accounts (as CT covers remainder)
      • uses global-options/organizationAdminRole to createConfigRecorders (or blocked by CT SCPs)
      • does not create Config Aggregator in root account (as CT creates in Management and Security accounts)
      • reference the new Control Tower example config file
  • Add option to deploy AWS Network Firewall on any VPC (#505)
  • Add option to deploy Gateway Load Balancer (GWLB) with an Auto Scaling Group of appliance instances (#504)
    • Update existing VPN code to move vendor specific hard coded parameters to the config file
  • Add ability to create and remove a Config Aggregator in any central services account (Security, Operations, Log) (#769)
    • includes option to NOT deploy the Aggregator in the Mgmt account for NEW installs
  • Added a new alb-forwarding feature (#505)
  • Add functionality to auto-generate config file schema documentation from the codebase
    • add mandatory friendly field translations and descriptions in src\lib\config-i18n\src\en.ts (fr.ts to follow)
    • these field definitions are DRAFT and have not been fully validated
  • Added the capability to manage CIDR ranges in DynamoDB, rather than within the config file (#494)
    • added ability to perform dynamic CIDR assignments (unlocks spoke VPC architectures at scale)
    • leverages the concept of CIDR pools
    • added new automatic config file variables to enable defining all VPCs in a single nested config file
    • Details in ticket #494 and in the custom upgrade instructions
  • Added the capability to deploy opt-in VPCs (#714)

ENHANCEMENTS

  • SCP optimizations and restructuring (#501)
  • Change default 'AcceleratorName' to 'ASEA', 'AcceleratorPrefix' to 'ASEA-' and 'ConfigRepositoryName' to 'ASEA-Config-Repo' for new installs (#752)
  • Add support for installation from CodeCommit in addition to GitHub (#752)
  • Changes to account warming process to improve odds of perimeter firewall deployment not being skipped on first state machine execution (#752)
  • Optionally add new SNS topics in root account/home region which forward to Ops account topics (fix Security Hub alarm validations) (#752)
  • Enable rotation on cdk-assets-key in Operations account (contains all the cdk buckets) (#752)
  • Add “Publish sensitive data findings to” Security Hub option for Macie (#752)
  • Enable Firewall Manager alerting, set SNS topics to chosen alerting topic (#752)
  • Enable Security Hub alerting by forwarding SH events/findings to the existing alerting topics (events of the specified priority AND above) (#498)
    • add central-security-services\security-hub-findings-sns: "None || Low || Medium || High || Critical" (#752)
  • Enable creating "dedicated tenancy" VPCs (#752)
  • Move RDGW image name to config file (enable customers to change Windows versions) (#752)
  • Update state machine to use direct CodeBuild integration (simplifies log access) (#752)
  • Replace Webpack with esbuild (significant performance improvement) (#752)
  • Enhance CloudWatch-CrossAccountSharing policy and central config bucket security permissions (#752)
  • Add copyright and license info to all code files (#752)
  • Cleanup type deviations throughout config file
    • Move Typescript schema to: src\lib\config\src\config.v2.ts
    • Rename global-options\aws-org-master to global-options\aws-org-management in config file
  • Update all dependencies throughout (#676)
    • Nodejs 14, CDK 1.113.0, npm 6.2.3, AWS SDK 2.944.0, Codebuild STANDARD_5_0, etc.
  • Add support to deploy CGWs without deploying appliances for TGW attachment (#739)
  • Enhance EBS KMS key policy to support EKS (#685)
  • Enable CodeBuild image caching for installer pipeline (#658)
  • Add a script to assist with generating outputs for local development (#753)
  • Script to convert v1.3.8 customers config file to v1.5.0 format and populate DynamoDB with assigned CIDRs (#790)
  • Aligned OU structure with latest AWS multi-account guidance
  • Other minor enhancements to improve OOB Security Hub scores (DDB PITR, encryption, on-demand scaling, etc.)

FIXES

  • Fix IAM password complexity occasionally causing state machine failures (#756)
  • Fixed spelling in state machine auto-start scope parameter used on new accounts creation (#752)
  • Fix creation of 2nd VPC containing identical name prefix (#731)
  • GuardDuty occasionally not enabled in Management account (#754)
  • IAM role creation did not apply the specified trust policy (#824)

DOCUMENTATION

  • Added v1.3.9 to v1.5.0 custom upgrade instructions
  • Re-write installation guide to include Control Tower, NFW, GWLB, and alb-forwarding functionality
  • General improvements throughout documentation, updated architecture diagrams
  • Update all example config files, add new examples for ControlTower, GWLB, NFW
  • Add DRAFT config file schema documentation (attached to release artifacts)
    • accessed by unzipping, navigating to: src\lib\docs-gen\output-docs\en, and opening index.html in a browser

CONFIG FILE CHANGES (Major mandatory changes throughout)

  • Review the latest example config files
  • Leverage the config file conversion script
  • Review the v1.5.0 upgrade guide

ALPHA/PREVIEW

  • We are releasing a very early GUI mock-up (attached to release artifacts)
  • It is NOT ready for use with customer config files, even in test installations
  • Test by unzipping, navigating to: src\ui\build, and opening index.html in a browser
  • Requires utilization of a v1.5.0 config file found in the reference-artifacts\SAMPLE_CONFIGS folder
  • We are only releasing this to get feedback on the GUI's direction

Release v1.3.9

18 Oct 13:16
c6d97cc

Important

  • Upgrades to the v1.5.x release require that customers first upgrade to v1.3.8 or higher
  • This release is no longer installable by customers due to changes in IAM role trust policy behavior and in tagging behavior (#1085), and due to the deprecation of Python 3.6
  • Existing customers will likely no longer be able to upgrade to this release based on changes to tagging behavior (#1085) and the deprecation of Python 3.6
  • Existing customers will no longer be able to upgrade to this release based on changes to tagging behavior (#1085) without manual intervention
  • Existing customers can continue to upgrade to this release until Feb 14, 2023 Nov 14, 2022
    • As this release is based entirely on Node.js 12, upgrades to this release are NOT possible after Nov 14, 2022
  • All Accelerator releases prior to v1.5.0 will cease to function on Feb 14, 2023 Nov 14, 2022 when Node.js 12 is deprecated and role policy allow-listing expires

NOTE: The config file defines several Config rules that deploy using Python 3.6. The upgrade to this release will fail if these are not FIRST updated in the customer config file to deploy using Python 3.7 (no code changes required).

Enhancements

  • Enable static IP assignment for private ENIs on Fortinet firewalls (also in fix/v1.3.8-a) (#796)
  • Add s3:ListBucket permission to log archive read only role enabling Athena (#799)

Fixes

  • Adjust R53 zone names for interface endpoint names containing periods (e.g. ECR) (#810)
  • Various logging, scaling and retry enhancements (#807, #813, #815, #816, #817, #819, #818)
  • Update SCPs to fix CloudFront console and customer CDK S3 issue (#801, #803)

Config file changes

  • Fix UltraLite config file (us-east-1 is required as a supported-region) (RECOMMENDED)(#808)
  • Update Fortinet AMIs to v6.4.7 (NEW INSTALLS ONLY)(#820)

Release v1.3.8

02 Sep 16:46
2b9cc24

Notes

  • This release is no longer installable due to changes in IAM role trust policy behavior and in tagging behavior (#1085)
  • If upgrading, please upgrade directly to v1.3.9

Fixes

Scaling related:

  • DynamoDB throttling storing outputs
  • GuardDuty infinite loop
  • Paginate API calls for MAD sharing, Security Hub activation, and parallel stack deployments
  • Stack verification failure in bootstrap phase

Enhancements

  • Add a developer local development script

Config file changes

  • None

Release v1.3.7

13 Aug 01:58
94e53ff

Fixes

  • State Machine fails on new installs with GuardDuty and/or Macie activation issues (#780)

Documentation

  • Minor tweaks to FAQ and Install Guide (#781)

Config file changes

  • None

Release v1.3.6

05 Aug 22:17
ec995fe

IMPORTANT

  • This release has an outstanding issue during new installations
    • State machine will fail when Org enabling/delegating GuardDuty and/or Macie in Phase 1
    • To finish the installation successfully, simply rerun the state machine
    • This release was pushed out so customers do not need to perform any manual cleanup when this failure occurs (required in v1.3.5 due to #777) as we need more time to fix the issue

Fixes

  • State Machine fails on new installs when Macie already enabled (#766)
  • NATGWs deployed by ASEA are not protected by guardrails - SCP tweak (#774)
  • Access Analyzer Validate Policy API is blocked by guardrails - SCP tweak (#776)
  • Empty "license" parameter passed to BYOL firewall appliances not properly populated (#776)

Documentation

  • Add an object naming document detailing prefixes, suffixes and tags for Accelerator created objects (#776)
  • Update known issues section of install guide (#776)

Config file changes

  • Tweak perimeter ALB configuration for availability, moving both firewalls to one target group (RECOMMENDED) (#774)
  • Reduce rsyslog and RDGW auto-scaling group max instance age from 30 days to 7 (RECOMMENDED) (#774)

Release v1.3.5

23 Jul 06:23
a014c5c

IMPORTANT

  • All new installations and upgrades must use v1.3.5 or higher
    • Fix #763 resolves an issue where all installs or state machine executions that include a new TGW deployment fail

Fixes

  • New TGW deployments cause SM failure due to tagging issue (caused by AWS platform behavior change) (#763)
  • Fix VPN tunnel options for static CGW routing (#751)

Enhancements

  • Update Fortinet AMIs to v6.4.6 (v6.4.5 went EOL) (#764)

Documentation

  • Document describing steps to move an ALZ linked account "as is" to an ASEA Org (#750)
  • Minor FAQ tweaks (#747)

Config file changes

  • None

Release v1.3.4

31 May 23:24
7c0885f

Enhancements

  • Update Fortinet AMIs to v6.4.5 (v6.4.4 went EOL)(#745)
  • Update to latest CodeBuild build image (previous went EOL)(#732)
  • Tweak SCPs (#734)
    • block services without 3rd party assessments (Lightsail, Sumerian, Cloud9, Gamelift, Appflow)
    • block Amazon IQ (Freelancer Marketplace)
    • remove services from global services exception list (Import/Export, Mobile Analytics, Well Architected)
    • remove deletion prevention for cf-template-* S3 buckets (no longer required)
  • Add a new lower cost PBMM config file for PoC/test purposes (#5 in customization-index.md)(#734)

Fixes

  • Fix TGW cross account VPC attachments issue (#732)
  • Enable TGW static routes on non-peered TGWs (#735)
  • Enable static routing on VPN Attachments (#741)(#743)
  • Fix issue when multiple VPC peering connections created in same account (#743)
  • Enable multiple routes in VPC route tables pointing to same PCX, TGW or NATGW connection (#743)

Documentation

  • Minor FAQ and Installation document enhancements (#730)(#734)

Config file changes

  • Tweak Security Hub disabled rules (OPTIONAL)(#734)
    • Enable PCI.KMS.1 and CIS2.8

Release v1.3.3

01 May 21:00
1c925a1

Enhancements

  • Add a new optional verbose logging level for the state machine (#698)
  • Add the ability to optionally control account level SCPs with the Accelerator (#708)
  • Add support for up to 5 CIDR ranges on VPCs (#705)
  • Minor security enhancements (#704)
    • Tighten permissions on one role
    • Tighten VPC interface endpoint security group permissions and enable customization
  • Accelerator uninstall script improvements (#709)(#719)
  • Add SCP to block ClientVPN Setup/Configuration (#725)

Fixes

  • Fail the state machine if a CloudWatch Metric cannot be deployed due to a missing log group (#697)
  • Extra validation to ensure GuardDuty enabled on all member accounts (#721)
  • Handle SCP attachment events on Accelerator managed OUs and accounts (#720)
  • Stop removal of customer SCPs from accounts when not Accelerator managed (#711)
  • Only attach NATGWs to subnets as defined in the config file (#705)
  • Remove assumerole block on Accelerator role SCP (#723)

Documentation

  • Update documentation for v1.3.2 and v1.3.3 (#699) (#723)
    • Install guide, FAQ, Sample Snippets, State Machine Inputs

Config file changes

  • Subnet level "cidr2": objects renamed to "cidr": (MANDATORY)(#723)
  • VPC level "cidr2": "a.b.c.d/z" field changed to array "cidr2": ["a.b.c.d/z"] (MANDATORY)(#723)
  • Replaced several CIDR ranges with variables (OPTIONAL)(#723)
    • Enables updating these values in one place rather than many
    • Highlights values that may need to be updated by customers
  • Updated the default organization-admin-role to align with AWS default (NEW INSTALLS ONLY)(#723)
  • Removed duplicate NIST800-53 Config rules which overlapped with deployed Security Hub rules (RECOMMENDED)(#722)
  • In release v1.3.1 we missed adding "security-hub": true to the sample config files (RECOMMENDED) (#690)
  • Add logs and monitoring endpoints to the lite sample config file to resolve session manager issues (RECOMMENDED) (#712)

Release v1.3.2

06 Apr 18:43
656cd70

IMPORTANT

  • All new installations and upgrades must use v1.3.2 or higher

Fixes

  • Pin pnpm version (breaking issue for new installs/upgrades)
  • Improve SCP for root user
  • Improve SEA cleanup script