Release v1.5.6

Notes

• This release was REPLACED by v1.5.6-a due to an issue, customers should upgrade to v1.5.6-a instead

• Customers MUST use Landing Zone Accelerator on AWS (LZA) for new deployments

• Existing customers MUST upgrade to v1.5.6 or higher to avoid impacts by 2023-06-01

  • Upgrade testing for future releases will only be for upgrades from v1.5.6 or higher
  • AWS CDK version 1 will reach its end-of-support, and will no longer receive updates or releases
  • ASEA is currently in maintenance with no new features or enhancements planned. It's expected that a future Release will help customers upgrade from ASEA to LZA.
  • End of support is expected in Q2 2024. Upgrades from ASEA to LZA will occur over the next year.

• IMPORTANT - In order to implement the VPC flow log fix (#1112) (b5dc19c):

1. Before update: for every VPC of the configuration, change the “flow-logs” option to “CWL”
2. Execute the State Machine in Full Apply mode. Wait for successful completion
3. Change the “flow-logs” option to the original value (“BOTH”) (don’t re-run the state machine)
4. Follow the general instructions to update ASEA to version 1.5.6
5. Update the CloudFormation stack
6. Run the ASEA-InstallerPipeline
7. When the ASEA-InstallerPipeline completes it will trigger the State Machine. Verify that it completes successfully

FIXES

• CDK Rebase (from v1 to v2) (#1117) (6642b61)
• Adjust vpc flow log creation logic (#1112) (b5dc19c)
• AWS Config rule IAM Password Policy boolean values (#1100) (58208ad)
• Update alb ip monitor dns lookup check (#1076) (fe0ed82)
• Switch Log archive bucket policy to Org policy (#1051) (696adb8)
• Lambda timeout in large customer environments (#1020) (bed0a62)

DOCUMENTATION

• Update install.md (#1115) (2a5ed54)

CONFIG FILE CHANGES

• None

Release v1.5.5

Notes

• All new installations and upgrades MUST use v1.5.5 or higher
• Existing customers MUST upgrade to v1.5.5 or higher to avoid impacts
  • Changes to tagging behavior (#1085) (impacts new and existing accounts now)
    • see ticket #1085 for potential manual workaround
  • Changes to IAM role trust behavior (impacts existing accounts effective Feb 14, 2023, new accounts now)
  • Node.js deprecation (See note by Brian969 on #1033) (impacts all customers effective March 31st, 2023)
• Upgrades are only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Adjust CloudWatch Log role permissions based on changes to tagging behaviour (#1085)
  • current issue resolved, more updates may be required once root cause fully understood
• Rollback delayFirstAttempt setting in back-off/retry code (#1077)

DOCUMENTATION

• Updates to ASEA Sample Sensitive Architecture document (#1070)

CONFIG FILE CHANGES

• Customers who hardcoded their RDGW AMI-id based on the issues we were having with cfn-init need to revert these changes back to the latest variable used in the sample config files. The latest AMI has been fixed. The hardcoded Windows AMI has been deprecated and will cause failures.

Release v1.5.4-a

Notes

• This release is no longer installable based on changes to CloudWatch Log group tagging behavior
• All new installations and upgrades MUST use v1.5.5 or higher
  • Previous releases were also impacted by changes to IAM role trust policy behavior
• All existing customers MUST also update to v1.5.4-a or higher before Feb 14, 2023 Nov 14, 2022 to avoid both the Node.js 12 deprecation impacts and the IAM role trust policy changes
  • See note by Brian969 on Issue #1033 for Node.js specific impacts
  • the IAM role trust policy change may impact new account provisioning effective Sept 21, 2022 (existing accounts have been allow-listed until Feb 15, 2023)
• Please be aware of the security advisory fixed in v1.5.3
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Fix typo in new IAM role trust policy (#1069)

Release v1.5.4

Notes

• This release was REPLACED by v1.5.4-a due to an issue, customers should upgrade to v1.5.4-a instead

ENHANCEMENTS

• Add GuardDuty Kubernetes protection support (#1058)
• Add GuardDuty frequency customization support (#1057)

FIXES

• Address new IAM role trust policy behavior (#1066)
• Upgrade CDK to v1.174.0 to address Node.js 12 deprecation (#1066)
• Update EC2-INSTANCE-PROFILE-PERMISSIONS config rule to reduce CI generation noise (#1065)
• Add jitter to state machine back-off retry code to reduce retry failures (#1050)
• Decrease Lambda concurrency limit to 10 based on new customer limits (#1062)
• Fix issue with ALB forwarder when no HOSTS defined (#1019)

DOCUMENTATION

• Minor documentation tweaks (#1028)(#1067)(#1055)

ADD-ONS

• OpenSearch SIEM enhancements including Node.js 12 deprecation updates (#1056)

CONFIG FILE CHANGES

• Updates for Control Tower v3.0 (MANDATORY for Control Tower customers)
  • only deploy CloudWatch Alarms & Metrics in Management account (#1027)
• GuardDuty enhancements (OPTIONAL)
  • "guardduty-frequency": "FIFTEEN_MINUTES" or "ONE_HOUR" or "SIX_HOURS" (#1057)
  • "guardduty-eks": true and "guardduty-eks-excl-regions": [], (#1058)
• Remove duplicate line from SCP files (#1067)

Release v1.5.3

Notes

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Please be aware of the security advisory impacting older releases
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FIXES

• Fix SCP spelling issue, changing tagging to tag (#1014)
• Fix State Machine failure when account starts with a number and contained a local VPC (#1015)
• Fix Javascript issue (#1016)
  • prevented creation of IAM users defined in workload-account-configs
  • prevented creation of IAM roles with similar names when defined in workload-account-configs
  • fix issue with IAM workload account roles (security advisory)

DOCUMENTATION

• Very minor documentation tweaks (#1018)(#1017)

CONFIG FILE CHANGES

• Change "rsyslog-enforce-imdsv2" back to false (RECOMMENDED)
  • moving rsyslog to IMDSv2 broke rsyslog functionality

Release v1.5.2

Notes

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0+

FEATURES

• Add AWS Outpost, Local Zone, and Wavelength support (#964) (Spec: #963)
  • Enable local subnet creation
  • Enable targeting customer created objects in ASEA managed route tables (required to target LGW)
• Add option to collect ASEA configuration and metadata in a new restricted log archive bucket (#976) (Spec: #1011)
  • Enables providing visibility into ASEA deployed configuration without access to the Org mgmt. account (i.e. SOC)

FIXES

• Enable support for IAM conditions w/role policies (#1003)
• Leverage region STS endpoints, rather than the global endpoint (#997)
• Fix issues w/ASEA removing Control Tower SCP's in certain situations (#998)
• Filter out non-active Organizational accounts from state machine activity (#981)
• Fix Lambda role permissions w/KMS keys which broke SNS alerting in v1.5.1 (#971)
• Fix spelling error in CloudWatch metric (#973)
• Add warn message when TGW route fails to deploy (#979)
• Allow reading tags outside Canada (enables installing OpenShift) (#977)

DOCUMENTATION

• Doc tweaks and enhancements, fix broken links, etc. following upgrade to MKDocs (#1008)(#975)(#970)(#961)(#959)(#958)(#956)(#955)(#948)

ADD-ONS

• DDB-Update - Enabled Versioning on the S3 Bucket (#954)
• opensiem - Move to SNS topics to enable supporting multiple log consumers (#952)
• opensiem - Update packages and cdk (#949)

CONFIG FILE CHANGES

• Add "meta-data-collection": true to global-options (OPTIONAL)
• Add "meta-data-read-only-access": true to any role to enable log archive bucket access (AS NEEDED)
  • similar to "ssm-log-archive-read-access" and "ssm-log-archive-write-access"
• Outposts support (AS NEEDED)
  • Add additional options to subnet "az" field (i.e. "us-east-1-atl-1a", instead of just "a")
  • Add "outpost-arn" field to subnet object
  • Add "lgw-route-table-id" field to VPC object
• Enable route tables to target externally created objects (AS NEEDED)
  • Add "customer" option to route table "target" field
  • Add "type" and "target-id" fields to route table entries (i.e. "localGatewayId" and "lgw-12345678901234567")

Release v1.5.1-a

NOTES

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• Upgrades were only supported directly from v1.3.8, v1.3.9, v1.5.0, and v1.5.1

FIXES

• Fix issue with YAML based config files in v1.5.1 (#947)
• Fix error finding log-archive bucket during new installs in v1.5.1 (#947)

Documentation

• Upgrade documentation to Material Theme for MKDocs & moved to GitHub Pages (#955)
  • Improved documentation navigation, improved documentation formatting, new documentation search capabilities
  • Moved config file schema online
  • New location

Release v1.5.1

NOTES

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• This release was REPLACED by v1.5.1-a due to two issues
• Upgrades were only supported directly from v1.3.8, v1.3.9, and v1.5.0

FEATURES

• Enable forwarding Security Hub findings to CloudWatch Logs (#867)
  • which also ensures they land in the central log archive S3 bucket
• Kinesis Firehose dynamic partitioning (#861)(#910)
  • enables separating customer specified CWL Groups into seperate folders in the central S3 bucket
  • enables seperating Security Hub logs to their own folder
• Add ability to enable SSM Inventory Collection by OU and/or accounts (#900)
• Added Accelerator Immersion days (Workshops) to the ASEA home page

ENHANCEMENTS

• Add ability to enforce IDMSv2 on all launch types (firewalls, rsyslog, RDGW and autoscaling groups) (#869)(#859)
• Add ability to specify rsyslog userdata in the config file (#902)
• Encrypt central logging Kinesis stream w/CMK (#888)
• Encrypt SNS topics w/CMK (#883)(#932)
• Set disable-api-termination on firewall and firewall manager instances (#858)
• Improve state machine config file error handling (#941)(#920)(#898)(#891)
• Update CDK version and various other dependencies (#933)(#925)(#866)(#865)
• Enhance GitHub test, release and doc generation scripts (#884)(#852)(#847)
• Improve ASEA developer script (#928)

FIXES

• Improve SCP error handling, ignore SCP attach/detach on nested OU's (#942)(#845)(#846)
• Fix for log archive bucket RO Role resource policies occasionally being overwritten (#921)
• Fix for read only access role on log archive AES bucket (#913)
• Multiple SCP and permissions fixes for Control Tower (#886)(#918)(#881)(#885)
• Various additional SCP enhancements (#914)(#842)(?)
• Improve NFW deployment error handling when CWL group already exists (#868)
• Ensure global region is always in supported-regions array (#930)(#934)
• Tweaks to the uninstall script and the v150 upgrade script (#906)(#872)(#848)(#840)
• Update issue in firewall-example-A-A-multitunnel.txt causing asymmetric routing (#894)
• Fix scaling issue with bootstrap state machine (#879)

DOCUMENTATION

• Add pricing estimates for example config files (#917)
• Improve central logging documentation / add log flow architecture diagram (#943)
• Add a list of ASEA leveraged and orchestrated services (#911)
• Various enhancements across the documentation:
  • FAQ, installation, v1.5.0 upgrade, sm-inputs, architecture, customization guides
• Enhance main readme page to make the config file schema more visible (#922)

CONFIG FILE CHANGES

• Renamed GCWide subnet to App2 subnet (NEW INSTALLS ONLY) (#864)
• Add "ssm-inventory-collection": true on each OU (OPTIONAL)
• Add "rdgw-enforce-imdsv2": true on rdgw instance(s) (RECOMMENDED)
• Add "rsyslog-enforce-imdsv2": true on rsyslog auto-scaling group (RECOMMENDED)
• Add "dynamic-s3-log-partitioning" section to global-options (RECOMMENDED)
• Add "enforce-imdsv2": true to 3rd party firewall configs (NOT recommended)
  • not supported by the utilized 3rd party vendors

ADD-ONS

Provide example add-on solutions and code to demonstrate extending ASEA functionality outside the core codebase

• OpenSearch SIEM for ASEA Add-on (#915)
• Auto-populate DDB CIDR management tables from S3 (#919)

Release v1.5.0

IMPORTANT

• This release is no longer installable based on changes to IAM role trust policy behavior and to tagging behavior (#1085), use v1.5.5 or above
• This was a major release and includes custom upgrade instructions
• This release includes all fixes and enhancements up to and including previous v1.3.9

FEATURES

• Add support to install on top of and leverage AWS Control Tower (CT) features (#492)
  • add ability to create a separate Organization S3 DataPlane trail
  • extend CloudWatch Metrics and Alarms to support "accounts": ["ALL"]
  • when ct-baseline=true
    • existing deployments can NOT upgrade at this time, new installs only
    • changes to support all 4 account creation methods (Orgs, ASEA, Account Factory, AWS API)
    • tweak SCP code to allow inter-operability with Control Tower
    • does not create the Organization control plane CloudTrail (as CT creates account based Trails)
    • only deploys Config Recorders in the root account and non-CT regions in sub-accounts (as CT covers remainder)
    • uses global-options/organizationAdminRole to createConfigRecorders (or blocked by CT SCPs)
    • does not create Config Aggregator in root account (as CT creates in Management and Security accounts)
    • reference the new Control Tower example config file
• Add option to deploy AWS Network Firewall on any VPC (#505)
• Add option to deploy Gateway Load Balancer (GWLB) with an Auto Scaling Group of appliance instances (#504)
  • Update existing VPN code to move vendor specific hard coded parameters to the config file
• Add ability to create and remove a Config Aggregator in any central services account (Security, Operations, Log) (#769)
  • includes option to NOT deploy the Aggregator in the Mgmt account for NEW installs
• Added a new alb-forwarding feature (#505)
  • See bullet 2. in section 1.7. Post-Installation steps of the Accelerator Install Guide
• Add functionality to auto-generate config file schema documentation from the codebase
  • add mandatory friendly field translations and descriptions in src\lib\config-i18n\src\en.ts (fr.ts to follow)
  • these field definitions are DRAFT and have not been fully validated
• Added the capability to manage CIDR ranges in DynamoDB, rather than within the config file (#494)
  • added ability to perform dynamic CIDR assignments (unlocks spoke VPC architectures at scale)
  • leverages the concept of CIDR pools
  • added new automatic config file variables to enable defining all VPCs in a single nested config file
  • Details in ticket #494 and in the custom upgrade instructions
• Added the capability to deploy opt-in VPC's (#714)
  • VPCs are defined in the OU, but not created until a flag added to the account level config
  • details in ticket #714 and the custom upgrade instructions

ENHANCEMENTS

• SCP optimizations and restructuring (#501)
• Change default ‘AcceleratorName’ to ‘ASEA’, ‘AcceleratorPrefix’ to ‘ASEA-‘ and ‘ConfigRepositoryName’ to ‘ASEA-Config-Repo’ for new installs (#752)
• Add support for installation from CodeCommit in addition to GitHub (#752)
• Changes to account warming process to improve odds of perimeter firewall deployment not being skipped on first state machine execution (#752)
• Optionally add new SNS topics in root account/home region which forward to Ops account topics (fix Security Hub alarm validations) (#752)
• Enable rotation on cdk-assets-key in Operations account (contains all the cdk buckets) (#752)
• Add “Publish sensitive data findings to” Security Hub option for Macie (#752)
• Enable Firewall Manager alerting, set SNS topics to chosen alerting topic (#752)
• Enable Security Hub alerting by forwarding SH events/findings to the existing alerting topics (events of the specified priority AND above) (#498)
  • add central-security-services\security-hub-findings-sns: "None || Low || Medium || High || Critical" (#752)
• Enable creating "dedicated tenancy" VPCs (#752)
• Move RDGW image name to config file (enable customers to change Windows versions) (#752)
• Update state machine to use direct CodeBuild integration (simplifies log access) (#752)
• Replace Webpack with esbuild (significant performance improvement) (#752)
• Enhance CloudWatch-CrossAccountSharing policy and central config bucket security permissions (#752)
• Add copyright and license info to all code files (#752)
• Cleanup type deviations throughout config file
  • Move Typescript schema to: src\lib\config\src\config.v2.ts
  • Rename global-options\aws-org-master to global-options\aws-org-management in config file
• Update all dependencies throughout (#676)
  • Nodejs 14, CDK 1.113.0, npm 6.2.3, AWS SDK 2.944.0, Codebuild STANDARD_5_0, etc.
• Add support to deploy CGWs without deploying appliances for TGW attachment (#739)
• Enhance EBS KMS key policy to support EKS (#685)
• Enable CodeBuild image caching for installer pipeline (#658)
• Add a script to assist with generating outputs for local development (#753)
• Script to convert v1.3.8 customers config file to v1.5.0 format and populate DynamoDB with assigned CIDRs (#790)
  • See v1.5.0 custom upgrade instructions
• aligned OU structure with latest AWS multi-account guidance
• Other minor enhancements to improve OOB Security Hub scores (DDB PITR, encryption, on-demand scaling, etc.)

FIXES

• Fix IAM password complexity occasionally causing state machine failures (#756)
• Fixed spelling in state machine auto-start scope parameter used on new accounts creation (#752)
• Fix creation of 2nd VPC containing identical name prefix (#731)
• GuardDuty occasionally not enabled in Management account (#754)
• IAM role creation did not apply the specified trust policy (#824)

DOCUMENTATION

• Added a v1.3.9 to v1.5.0 custom upgrade instructions
• Re-write installation guide to include Control Tower, NFW, GWLB, and alb-forwarding functionality
• General improvements throughout documentation, updated architecture diagrams
• Update all example config files, add new examples for ControlTower, GWLB, NFW
• Add DRAFT config file schema documentation (attached to release artifacts)
  • accessed by unzipping, navigating to: src\lib\docs-gen\output-docs\en, and opening index.html in a browser

CONFIG FILE CHANGES (Major mandatory changes throughout)

• Review the latest example config files
• Leverage the config file conversion script
• Review the v1.5.0 upgrade guide

ALPHA/PREVIEW

• We are releasing a very early GUI mock-up (attached to release artifacts)
• It is NOT ready for use with customer config files, even in test installations
• Test by unzipping, navigating to: src\ui\build, and opening index.html in a browser
• Requires utilization of a v1.5.0 config file found in the reference-artifacts\SAMPLE_CONFIGS folder
• We are only releasing to get feedback on the gui's direction

Release v1.3.9

Important

• Upgrades to the v1.5.x release require customers first upgrade to v1.3.8 or higher
• This release is no longer installable by customers based on changes to IAM role trust policy behavior, to tagging behavior (#1085), and due to the deprecation of Python 3.6
• Existing customers will likely no longer be able to upgrade to this release based on changes to tagging behavior (#1085) and the deprecation of Python 3.6
• Existing customers will no longer be able to upgrade to this release based on changes to tagging behavior (#1085) without manual intervention
• Existing customers can continue to upgrade to this release until Feb 14, 2023 Nov 14, 2022
  - As this release is based entirely on Node.js 12, upgrades to this release are NOT possible after Nov 14, 2022
• All Accelerator releases prior to v1.5.0 will cease to function on Feb 14, 2023 Nov 14, 2022 when Node.js 12 is deprecated and role policy allow-listing expires

NOTE: Before attempting to upgrade to this release, the config file has several Python 3.6 config rules defined. The upgrade will fail, if these are not FIRST updated to deploy using Python 3.7 in the customer config file (no code changes required).

Enhancements

• Enable static IP assignment for private ENIs on Fortinet firewalls (also in fix/v1.3.8-a) (#796)
• Add s3:ListBucket permission to log archive read only role enabling Athena (#799)

Fixes

• Adjust R53 zone names for interface endpoint names with periods (i.e. ECR)(#810)
• Various logging, scaling and retry enhancements (#807, #813, #815, #816, #817, #819, #818)
• Update SCP's to fix CloudFront console and customer CDK S3 issue (#801, #803)

Config file changes

• Fix UltraLite config file (us-east-1 is reqyuired as a supported-region (RECOMMENDED)(#808)
• Update Fortinet AMI's to v6.4.7 (NEW INSTALLS ONLY)(#820)