Release v1.5.0

@github-actions github-actions released this 26 Oct 21:44
db86cdd

IMPORTANT

  • This release is no longer installable due to changes in IAM role trust policy behavior and tagging behavior (#1085); use v1.5.5 or above
  • This was a major release and includes custom upgrade instructions
  • This release includes all fixes and enhancements up to and including previous v1.3.9

FEATURES

  • Add support to install on top of and leverage AWS Control Tower (CT) features (#492)
    • add ability to create a separate Organization S3 DataPlane trail
    • extend CloudWatch Metrics and Alarms to support "accounts": ["ALL"]
    • when ct-baseline=true
      • existing deployments can NOT upgrade at this time; new installs only
      • changes to support all 4 account creation methods (Orgs, ASEA, Account Factory, AWS API)
      • tweak SCP code to allow interoperability with Control Tower
      • does not create the Organization control plane CloudTrail (as CT creates account-based Trails)
      • only deploys Config Recorders in the root account and non-CT regions in sub-accounts (as CT covers remainder)
      • uses global-options/organizationAdminRole to create Config Recorders (otherwise blocked by CT SCPs)
      • does not create Config Aggregator in root account (as CT creates in Management and Security accounts)
      • reference the new Control Tower example config file
  • Add option to deploy AWS Network Firewall on any VPC (#505)
  • Add option to deploy Gateway Load Balancer (GWLB) with an Auto Scaling Group of appliance instances (#504)
    • Update existing VPN code to move vendor specific hard coded parameters to the config file
  • Add ability to create and remove a Config Aggregator in any central services account (Security, Operations, Log) (#769)
    • includes option to NOT deploy the Aggregator in the Mgmt account for NEW installs
  • Added a new alb-forwarding feature (#505)
  • Add functionality to auto-generate config file schema documentation from the codebase
    • add mandatory friendly field translations and descriptions in src\lib\config-i18n\src\en.ts (fr.ts to follow)
    • these field definitions are DRAFT and have not been fully validated
  • Added the capability to manage CIDR ranges in DynamoDB, rather than within the config file (#494)
    • added ability to perform dynamic CIDR assignments (unlocks spoke VPC architectures at scale)
    • leverages the concept of CIDR pools
    • added new automatic config file variables to enable defining all VPCs in a single nested config file
    • Details in ticket #494 and in the custom upgrade instructions
  • Added the capability to deploy opt-in VPCs (#714)

ENHANCEMENTS

  • SCP optimizations and restructuring (#501)
  • Change default 'AcceleratorName' to 'ASEA', 'AcceleratorPrefix' to 'ASEA-' and 'ConfigRepositoryName' to 'ASEA-Config-Repo' for new installs (#752)
  • Add support for installation from CodeCommit in addition to GitHub (#752)
  • Changes to account warming process to improve odds of perimeter firewall deployment not being skipped on first state machine execution (#752)
  • Optionally add new SNS topics in root account/home region which forward to Ops account topics (fix Security Hub alarm validations) (#752)
  • Enable rotation on cdk-assets-key in Operations account (contains all the cdk buckets) (#752)
  • Add “Publish sensitive data findings to” Security Hub option for Macie (#752)
  • Enable Firewall Manager alerting, set SNS topics to chosen alerting topic (#752)
  • Enable Security Hub alerting by forwarding SH events/findings to the existing alerting topics (events of the specified priority AND above) (#498)
    • add central-security-services\security-hub-findings-sns: "None || Low || Medium || High || Critical" (#752)
  • Enable creating "dedicated tenancy" VPCs (#752)
  • Move RDGW image name to config file (enable customers to change Windows versions) (#752)
  • Update state machine to use direct CodeBuild integration (simplifies log access) (#752)
  • Replace Webpack with esbuild (significant performance improvement) (#752)
  • Enhance CloudWatch-CrossAccountSharing policy and central config bucket security permissions (#752)
  • Add copyright and license info to all code files (#752)
  • Cleanup type deviations throughout config file
    • Move TypeScript schema to: src\lib\config\src\config.v2.ts
    • Rename global-options\aws-org-master to global-options\aws-org-management in config file
  • Update all dependencies throughout (#676)
    • Node.js 14, CDK 1.113.0, npm 6.2.3, AWS SDK 2.944.0, CodeBuild STANDARD_5_0, etc.
  • Add support to deploy CGWs without deploying appliances for TGW attachment (#739)
  • Enhance EBS KMS key policy to support EKS (#685)
  • Enable CodeBuild image caching for installer pipeline (#658)
  • Add a script to assist with generating outputs for local development (#753)
  • Script to convert v1.3.8 customer config files to v1.5.0 format and populate DynamoDB with assigned CIDRs (#790)
  • Aligned OU structure with latest AWS multi-account guidance
  • Other minor enhancements to improve OOB Security Hub scores (DDB PITR, encryption, on-demand scaling, etc.)

FIXES

  • Fix IAM password complexity occasionally causing state machine failures (#756)
  • Fixed spelling in the state machine auto-start scope parameter used on new account creation (#752)
  • Fix creation of 2nd VPC containing identical name prefix (#731)
  • Fixed GuardDuty occasionally not being enabled in the Management account (#754)
  • Fixed IAM role creation not applying the specified trust policy (#824)

DOCUMENTATION

  • Added custom upgrade instructions for v1.3.9 to v1.5.0
  • Re-write installation guide to include Control Tower, NFW, GWLB, and alb-forwarding functionality
  • General improvements throughout documentation, updated architecture diagrams
  • Update all example config files, add new examples for ControlTower, GWLB, NFW
  • Add DRAFT config file schema documentation (attached to release artifacts)
    • accessed by unzipping, navigating to: src\lib\docs-gen\output-docs\en, and opening index.html in a browser

CONFIG FILE CHANGES (Major mandatory changes throughout)

  • Review the latest example config files
  • Leverage the config file conversion script
  • Review the v1.5.0 upgrade guide

ALPHA/PREVIEW

  • We are releasing a very early GUI mock-up (attached to release artifacts)
  • It is NOT ready for use with customer config files, even in test installations
  • Test by unzipping, navigating to: src\ui\build, and opening index.html in a browser
  • Requires a v1.5.0 config file, found in the reference-artifacts\SAMPLE_CONFIGS folder
  • We are only releasing it to get feedback on the GUI's direction