Release v1.5.1

@github-actions github-actions released this 17 Mar 05:15
61fb150

NOTES

  • This release is no longer installable because of changes to IAM role trust policy behavior and to tagging behavior (#1085); use v1.5.5 or above
  • This release was REPLACED by v1.5.1-a due to two issues
  • Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0

FEATURES

  • Enable forwarding Security Hub findings to CloudWatch Logs (#867)
    • which also ensures they land in the central log archive S3 bucket
  • Kinesis Firehose dynamic partitioning (#861)(#910)
    • enables separating customer-specified CWL Groups into separate folders in the central S3 bucket
    • enables separating Security Hub logs into their own folder
  • Add ability to enable SSM Inventory Collection by OU and/or accounts (#900)
  • Added Accelerator Immersion days (Workshops) to the ASEA home page

ENHANCEMENTS

  • Add ability to enforce IMDSv2 on all launch types (firewalls, rsyslog, RDGW and autoscaling groups) (#869)(#859)
  • Add ability to specify rsyslog userdata in the config file (#902)
  • Encrypt central logging Kinesis stream w/CMK (#888)
  • Encrypt SNS topics w/CMK (#883)(#932)
  • Set disable-api-termination on firewall and firewall manager instances (#858)
  • Improve state machine config file error handling (#941)(#920)(#898)(#891)
  • Update CDK version and various other dependencies (#933)(#925)(#866)(#865)
  • Enhance GitHub test, release and doc generation scripts (#884)(#852)(#847)
  • Improve ASEA developer script (#928)

FIXES

  • Improve SCP error handling, ignore SCP attach/detach on nested OUs (#942)(#845)(#846)
  • Fix for log archive bucket RO Role resource policies occasionally being overwritten (#921)
  • Fix for read only access role on log archive AES bucket (#913)
  • Multiple SCP and permissions fixes for Control Tower (#886)(#918)(#881)(#885)
  • Various additional SCP enhancements (#914)(#842)(?)
  • Improve NFW deployment error handling when CWL group already exists (#868)
  • Ensure global region is always in supported-regions array (#930)(#934)
  • Tweaks to the uninstall script and the v150 upgrade script (#906)(#872)(#848)(#840)
  • Update issue in firewall-example-A-A-multitunnel.txt causing asymmetric routing (#894)
  • Fix scaling issue with bootstrap state machine (#879)

DOCUMENTATION

  • Add pricing estimates for example config files (#917)
  • Improve central logging documentation / add log flow architecture diagram (#943)
  • Add a list of ASEA leveraged and orchestrated services (#911)
  • Various enhancements across the documentation:
    • FAQ, installation, v1.5.0 upgrade, sm-inputs, architecture, customization guides
  • Enhance main readme page to make the config file schema more visible (#922)

CONFIG FILE CHANGES

  • Renamed GCWide subnet to App2 subnet (NEW INSTALLS ONLY) (#864)
  • Add "ssm-inventory-collection": true on each OU (OPTIONAL)
  • Add "rdgw-enforce-imdsv2": true on rdgw instance(s) (RECOMMENDED)
  • Add "rsyslog-enforce-imdsv2": true on rsyslog auto-scaling group (RECOMMENDED)
  • Add "dynamic-s3-log-partitioning" section to global-options (RECOMMENDED)
  • Add "enforce-imdsv2": true to 3rd party firewall configs (NOT recommended)
    • not supported by the utilized 3rd party vendors

ADD-ONS

Provide example add-on solutions and code to demonstrate extending ASEA functionality outside the core codebase

  • OpenSearch SIEM for ASEA Add-on (#915)
  • Auto-populate DDB CIDR management tables from S3 (#919)