Skip to content

Latest commit

 

History

History
377 lines (262 loc) · 21.4 KB

CHANGELOG.md

File metadata and controls

377 lines (262 loc) · 21.4 KB
Raw

Change Log

Table of Contents

Introduction

All notable changes to this project will be documented in this file.

2022-12-02

Changed

2022-09-15

Changed

2022-07-29

Added

  • Added Quick Setup which provides the ability to deploy all the solutions from a single centralized CloudFormation template.

Changed

  • Updated all the solution main templates to use a consistent naming convention for solution parameter labels.
  • Added pSourceStackName parameter to the AWS Config Conformance Pack and Security Hub Organization solutions to handle the DependsOn requirement for the Config Management Account solution within the Quick Setup solution.
  • Updated the Firewall Manager, Macie, GuardDuty, and IAM Password Policy solutions to remove default parameters from the CFCT configuration and main templates.
  • Updated the CFCT-DEPLOYMENT-INSTRUCTIONS.md to include instructions for disabling solutions within all accounts before deletion.
  • Updated the Common Prerequisites solution to fix a spelling error.
  • Updated all StackSet resources to use the Managed Execution setting, which allows queuing of operations.
  • Updated all Stack resources in the main templates to include the DeletionPolicy and UpdateReplacePolicy with a value of Delete to resolve cfn-lint findings.
  • Updated all the python boto3 clients to include configuration setting the max_attempts to 10 increasing from the default of 5. This prevents retry errors that we have started to see from some of the API calls.

2022-07-15

Changed

  • Added Checkov Lambda Function suppressions for CKV_AWS_115 (Reserved Concurrent Executions) and CKV_AWS_117 (Run within a VPC) to all solution templates with Lambda Function configurations.
  • Updated Lambda python files to fix mypy finding for log_level to always be a string value.
  • Updated the customizations-for-aws-control-tower.template to the latest version v2.4.0 and added Checkov suppressions.
  • Updated pyproject.toml dependencies to the latest versions.
  • Updated Macie solution to increase retries and handle API errors when creating existing members.
  • Updated EC2 Default EBS Encryption to include default string value for the pExcludeEC2DefaultEBSEncryptionTags parameter.
  • Updated Account Alternate Contacts to include default string value for the pExcludeAlternateContactAccountTags parameter.

2022-05-23

Changed

2022-05-15

Added

  • Added customizations-for-aws-control-tower.template to align with the latest user guide instructions.

Changed

  • Common CFCT Setup solution updates:
    • Replaced the S3 template link with the latest template from the GitHub repository.
  • EC2 Default EBS Encryption solution updates:
    • Added account and organization event support.
    • Added SNS fanout for configuring accounts to replace multi-threading.
    • Added Lambda environment variables to replace SSM parameter for configuration.
  • S3 Block Account Public Access solution updates:
    • Added account and organization event support.
    • Added SNS fanout for configuring accounts to replace multi-threading.
    • Added Lambda environment variables to replace SSM parameter for configuration.
  • Security Hub Organization updates:
    • Added account and organization event support.
  • Updated the staging script to include *.template files.

2022-04-25

Added

  • Added Account Alternate Contacts solution to set alternate contacts (Billing, Security, Operations) for all existing and future AWS Organization accounts.

2022-04-14

Changed

  • Security Hub Organization updates:
    • Use environment variables instead of an SSM parameter for configuration parameters.
    • Batch SNS messages in groups of 10 instead of individual messages for each account.
    • Removed boto3 from the requirements.txt to use the recently updated Lambda runtime default boto3.
  • Updated the .flake8 configuration to exclude E203 (whitespace before ':') and TYP001 (guard import by if False: # TYPE_CHECKING)

Fixed

  • Security Hub Organization fix for enabling the management account before adding it as a member in the delegated admin account configuration.

2022-04-10

Added

  • Added GitHub action workflow templates to run code quality and security checks.

Changed

  • Updated Lambda python files to fix and suppress flake8 findings.
  • Updated dependencies within the pyproject.toml file to the latest version.

2022-04-04

Changed

  • Updated the DOWNLOAD-AND-STAGE-SOLUTIONS.md document to change the order of the steps to have the authenticate step before deploying the staging S3 bucket.

Fixed

  • Fixed all solution templates that deploy Lambda functions to include a condition that determines if the region supports Graviton (arm64) architecture.

2022-03-29

Changed

  • Updated the Common Prerequisites solution README to remove deploying the Staging S3 Bucket within the Solution Deployment steps. The DOWNLOAD-AND-STAGE-SOLUTIONS.md document now includes this step.
  • Updated the DOWNLOAD-AND-STAGE-SOLUTIONS.md document to include deploying the Staging S3 Bucket template. Also, added an AWS CLI command for deploying the template via the command line.
  • Updated the Solution Deployment instructions in all solution README files to include AWS CLI commands for deploying the main templates. The AWS CLI command can be used to deploy the template via the command line within tools like CloudShell.
  • Updated all main template parameters that allow a blank string to include a default empty string allowing the AWS CLI command to work without passing the optional parameters.
  • Added an allowed pattern for email address parameters.
  • All solution template description were updated.

Removed

  • Removed the sra-common-cfct-setup-main-ssm.yaml template as it was the same as the other main template.

2022-03-16

Fixed

  • Fixed the Common Prerequisites solution to support Control Tower configurations with a single governed region.

2022-03-14

Added

  • Added new document DOWNLOAD-AND-STAGE-SOLUTIONS.md to explain the steps for downloading the SRA example code and staging the solutions within the S3 staging bucket.
  • Added Security Hub Organization solution to configure Security Hub using AWS Organizations. All existing accounts are added to the central admin account, standards are enabled/disabled per provided parameters, a region aggregator is created per the provided paramenter, and a parameter is provided for disabling Security Hub within all accounts and regions via SNS fanout.

Changed

  • Updated the CFCT-DEPLOYMENT-INSTRUCTIONS.md document to remove references to the common_cfct_setup solution.
  • CloudTrail solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the bucket policy to use aws:SourceArn to align with the updated documentation Organization Trail Bucket Policy.
    • Updated the CFCT configuration to use the main templates and parameters.
  • Common CFCT Setup solution
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Removed the Lambda function that created a new OU and moved the management account. This is no longer required due to the latest version of the CFCT solution supporting deployments to the management account within the root OU.
  • Common Prerequisites solution
    • Added a template to create a KMS key for sharing CloudFormation outputs via Secrets Manager secrets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the staging bucket policy to fix the reference to the AWSControlTowerExecution role ARN.
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Added logic within the descriptions to reference the rControlTowerExecutionRoleStack resource if the cCreateAWSControlTowerExecutionRole condition is met. This logic avoids creating an empty stack when the condition is false.
  • Common Register Delegated Administrator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the Lambda function to align with latest coding standards.
  • AWS Config Aggregator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account. This allows the ability to register the delegated admin accounts outside of this solution.
  • AWS Config Conformance Pack solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account.
    • Moved the list_config_recorder_status.py script from the utils/aws_control_tower/helper_scripts to the solution scripts folder.
    • Updated and moved the Operational-Best-Practices-for-Encryption-and-Keys.yaml conformance pack template to the templates/aws_config_conformance_packs folder.
  • AWS Config Management Account solution
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • EC2 Default EBS Encryption solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Firewall Manager solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • GuardDuty solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable GuardDuty within all accounts and regions using SNS fanout.
  • IAM Access Analyzer solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • IAM Password Policy solution
    • Renamed solution and files to remove _acct suffix
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Macie solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable Macie within all accounts and regions using SNS fanout.
  • S3 Block Account Public Access solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.

Removed

  • The Account Security Hub Enabler solution was replaced with the Security Hub Organization solution.
  • The package-lambda.sh script was replaced by the stage_solution.sh script.
  • The Prerequisites for AWS Control Tower solutions files were replaced with the Common Prerequisites solution.

Fixed

2022-01-07

Added

Changed

  • Updates to the stage_solution.sh packaging script to support better error logging and include packaging of common solutions.
  • In Common Prerequisites and AWS Config Management Account solutions:
    • Updates to logging to include tracebacks for when exceptions are raised.
  • In Common Prerequisites solution:
    • Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain for the IAM Role: AWSControlTowerExecution
  • Renamed DEPLOYMENT-METHODS.md to CFCT-DEPLOYMENT-INSTRUCTIONS.md to provide manual and automated steps for deployment of Customizations for Control Tower (CFCT), including prerequisites.

Removed

2021-12-16

Added

Changed

  • In Common Prerequisites solution:
    • Removed TAG_KEY/TAG_VALUE as environment variables and only kept them as Custom Resource Properties, since CloudWatch event is no longer needed in this solution.
    • Removed pManagementAccountId from multiple templates, and instead used as needed AWS::AccountId.

Fixed

  • Nothing Fixed

2021-12-10

Added

Changed

  • Nothing Changed

Fixed

  • Nothing Fixed

2021-11-22

Added

Changed

  • Nothing Changed

2021-11-20

Added

Changed

  • Nothing Changed

2021-11-19

Added

  • Added .flake8, poetry.lock, pyproject.toml, and .markdownlint.json to define coding standards that we will require and use when building future solutions. Contributors should use the standards defined within these files before submitting pull requests. Existing solutions will get refactored to these standards in future updates.
  • Added S3 BucketKeyEnabled to the solutions that create S3 objects (e.g. CloudTrail, GuardDuty, and Macie)

Changed

  • Removed the AWS Config Aggregator account solution since AWS Control Tower deploys an account aggregator within the Audit account.
  • Modified the directory structure to support multiple internal packages (e.g. 1 for each solution). The folder structure also allows for tests (integration, unit, etc.). See Real Python Application with Internal Packages
  • Renamed folders and files with snake_case to align with PEP8 Package and Module Names
  • Modified links within README.md files to align with the updated folders and file names
  • Updated the README.md files to provide consistency and improved formatting.
  • Renamed parameter and template files to sra-<solution_name>...
  • Updated default values for parameters for resource names with sra- prefix to help with protecting resources deployed

2021-09-02

Added

  • Nothing Added

Changed

  • Removed all code and references to AWS Landing Zone as it is currently in Long-term Support and will not receive any additional features.

Fixed

  • Nothing Fixed

2021-09-01

Added

Changed

  • Nothing Changed

Fixed

  • Nothing Fixed