Releases: aws-samples/aws-security-reference-architecture-examples

v3.1.0

16 Feb 19:52
55557a4

What's Changed

Here are the major updates in Version 3:

  1. Terraform Support: Introducing Terraform support, an additional deployment option for the AWS SRA code library. Environments that already use Terraform to deploy cloud infrastructure can now deploy the code library using the new SRA Terraform edition.
  2. Install Option for AWS Organization Environments: Tailored for AWS Organization account environments without AWS Control Tower, our new installation option ensures compatibility and flexibility across various organizational structures, empowering you to secure your environments effectively.
  3. AWS Config Deployment for Organization Environments: Ensure compliance and governance across your AWS Organization environments without AWS Control Tower by deploying AWS Config. Easily track changes to your AWS resources and maintain a history of configurations for audit purposes.
  4. Easy Setup with CloudFormation: Say goodbye to complexity with the new Easy Setup option! Utilizing a single AWS CloudFormation template, you can now simplify the deployment process for the SRA code library CloudFormation edition, streamlining your setup and configuration.
  5. Amazon Inspector Solution: Seamlessly enable vulnerability assessments and security compliance checks with the deployment of Amazon Inspector solution into your AWS environment.
  6. Amazon Detective Solution: Effortlessly deploy the Amazon Detective solution to investigate and identify the root cause of security findings within your AWS environment.
  7. AWS Shield Advanced Solution: Enhance DDoS protection for your AWS applications seamlessly by deploying the AWS Shield Advanced solution into your environment.
  8. AMI Bakery Feature: Say hello to the AMI bakery feature! This automated process for building and managing standard hardened Amazon Machine Image (AMI) images ensures consistency and security across your AWS instances, simplifying deployment and maintenance tasks.

There were many more minor updates not listed here.
Full Changelog: https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/CHANGELOG.md

New Contributors

We're excited to highlight that some major updates were made possible by the contributions from the internal community at AWS. These contributions showcase their dedication and expertise in enhancing the AWS SRA code library to better meet your security needs:

  • AMI Bakery solution from Kinyasi Monyi @knmaws and David Bailey - #203
  • Terraform Support from Thanh Nguyen @tnguye001 - #204

SRA v2.1.4

29 Jul 17:24
efdc2ed

Contributions

  • Thank you to @tekdj7 for his contributions with getting the Quick Setup completed

What was added?

  • Added Quick Setup which provides the ability to deploy all the SRA solutions from a single centralized CloudFormation template either directly within the CloudFormation console or via the Customizations for AWS Control Tower (CFCT) solution.
    • Since the solutions are deployed in parallel, in our testing the Quick Setup completed the deployment of all solutions in under 20 minutes (environment: 3 accounts, 1 region).
    • SRA Example Solutions included in the Quick Setup are:
      • Account Alternate Contacts
      • CloudTrail
      • Config Management Account
      • Config Organization Conformance Pack
      • EC2 Default EBS Encryption
      • Firewall Manager
      • GuardDuty
      • IAM Access Analyzer
      • IAM Account Password Policy
      • Macie
      • S3 Block Account Public Access
      • Security Hub

What was changed?

  • Updated all the solution main templates to use a consistent naming convention for solution parameter labels.
  • Added pSourceStackName parameter to the AWS Config Conformance Pack and Security Hub Organization solutions to handle the DependsOn requirement for the Config Management Account solution within the Quick Setup solution.
  • Updated the Firewall Manager, Macie, GuardDuty, and IAM Password Policy solutions to remove default parameters from the CFCT configuration and main templates.
  • Updated the CFCT-DEPLOYMENT-INSTRUCTIONS.md to include instructions for disabling solutions within all accounts before deletion.
  • Updated the Common Prerequisites solution to fix a spelling error.
  • Updated all StackSet resources to use the Managed Execution setting, which allows queuing of operations.
  • Updated all Stack resources in the main templates to include the DeletionPolicy and UpdateReplacePolicy with a value of Delete to resolve cfn-lint findings.
  • Updated all the Python boto3 clients to include a retry configuration that sets max_attempts to 10 (up from the default of 5). This prevents the retry errors we had started to see from some of the API calls.

SRA v2.1.0

25 Apr 16:26
e11d584

Contributions

What was added?

  • Account Alternate Contacts solution to configure billing, operations, and security contacts within all accounts in the organization. Notable patterns included in this solution are:
    • Ability to exclude accounts via Account tags.
    • A scheduled event rule to capture Account status changes (e.g. suspended to active).
      • Also, we included the ability to trigger the Lambda Function ad hoc before the next scheduled run.
    • Global Organization events are forwarded to the Home region default EventBus for triggering the Lambda function.
    • The AWS Organizations Event Rule triggers the AWS Lambda Function when updates are made to accounts within the organization.
      • When AWS Accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory (e.g. an account created via the AWS Organizations console, or an account invited from another AWS Organization).
      • When tags are added or updated on AWS Accounts.
  • GitHub Actions were added to perform quality and security checks on pull requests and pushes to the main branch.
  • An Example Solution Table was added to the main README providing additional information about each solution like what Control Tower provides and dependencies.
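The event-driven pieces of the Account Alternate Contacts solution listed above (an Organizations event rule in the home region, plus tag-based account exclusion) are easiest to reason about with a concrete filter in hand. The following is an added example and not code from the SRA project: a minimal EventBridge-style pattern matcher run over constructed events. The event pattern, the event names it lists and the exclusion tag key `sra-exclude-alternate-contacts` are assumptions about what such a rule and Lambda would use, not the project's actual values.

```python
"""Added example (not SRA project code): which AWS Organizations events should
reach an account-maintenance Lambda, and which accounts are excluded by tag."""

# Assumed rule pattern: Organizations API calls as recorded by CloudTrail.
# Organizations is a global service, so these events are emitted in us-east-1
# and must be forwarded to the home region's default event bus before a rule
# deployed there can match them (the forwarding the release notes describe).
ORG_ACCOUNT_EVENT_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": [
            "CreateAccountResult",          # account created via Organizations console/API
            "InviteAccountToOrganization",  # account invited from another organization
            "AcceptHandshake",              # invited account joined
            "TagResource",                  # tags added or updated on an account
            "UntagResource",
        ],
    },
}

# Assumed tag key; the project's own exclusion tag name is not given on this page.
EXCLUDE_TAG_KEY = "sra-exclude-alternate-contacts"


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Subset of EventBridge matching semantics: every key in the pattern must be
    present in the event; a list means the event value must be one of the listed
    values; a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def is_excluded(account_tags: dict) -> bool:
    """Tag-based exclusion: an account tagged <EXCLUDE_TAG_KEY>=true is skipped."""
    return account_tags.get(EXCLUDE_TAG_KEY, "").strip().lower() == "true"


def should_handle(event: dict, account_tags: dict) -> bool:
    """True when the event is one the rule forwards AND the account is not excluded."""
    return matches_pattern(event, ORG_ACCOUNT_EVENT_PATTERN) and not is_excluded(account_tags)


# Constructed sample events; the shape follows CloudTrail-delivered EventBridge events.
TAG_EVENT = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "TagResource",
        "requestParameters": {
            "resourceId": "111111111111",  # placeholder account ID
            "tags": [{"key": "owner", "value": "security"}],
        },
    },
}
READ_ONLY_EVENT = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"},
}

if __name__ == "__main__":
    print("TagResource handled:", should_handle(TAG_EVENT, {}))
    print("DescribeOrganization handled:", should_handle(READ_ONLY_EVENT, {}))
    print("Excluded account handled:", should_handle(TAG_EVENT, {EXCLUDE_TAG_KEY: "true"}))
```

Checking the exclusion tag inside the Lambda rather than in the rule pattern is deliberate: the pattern only sees the event, while tag state has to be looked up per account at run time, which is also what makes the scheduled and ad hoc runs behave the same way as the event-triggered ones.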

What was changed?

  • Security Hub solution was updated to enable the management account before adding it as a member to the delegated admin account.
  • Security Hub and Common Prerequisites solution updates to handle Control Tower environments with a single governed region.
  • Updated solutions to include a condition for Graviton supported regions.
  • Updated the Common Prerequisites solution README to remove deploying the Staging S3 Bucket within the Solution Deployment steps.
  • Updated the DOWNLOAD-AND-STAGE-SOLUTIONS.md document to include the step for deploying the Staging S3 Bucket template, and added an AWS CLI command for deploying the template via the command line.
  • Updated the Solution Deployment instructions in all solution README files to include AWS CLI commands for deploying the main templates. The AWS CLI command can be used to deploy the template via the command line within tools like CloudShell.
  • Updated all main template parameters that allow a blank string to include a default empty string allowing the AWS CLI command to work without passing the optional parameters.

SRA v2.0.0

14 Mar 13:35
6ccf1c9

Contributions

  • Thank you to @tekdj7 for his collaboration in this release

Summary

  • All solutions modified to use the new staging script and nested stacks to simplify deployments.
  • All documentation, diagrams, templates, and python scripts updated for consistency across all solutions.
  • Secrets Manager used for sharing CloudFormation output values with the management account for other StackSet input parameters.
  • SNS fanout used for scaling service configurations across all accounts and regions.
  • A new Security Hub Organization solution was added with features including adding existing accounts as members, syncing enabled standards across all accounts and regions, and a region aggregator within the Control Tower home region.

What was added?

  • Added new document DOWNLOAD-AND-STAGE-SOLUTIONS.md to explain the steps for downloading the SRA example code and staging the solutions within the S3 staging bucket.
  • Added Security Hub Organization solution to configure Security Hub using AWS Organizations. All existing accounts are added to the central admin account, standards are enabled/disabled per the provided parameters, a region aggregator is created per the provided parameter, and a parameter is provided for disabling Security Hub within all accounts and regions via SNS fanout.

What was changed?

  • Updated the CFCT-DEPLOYMENT-INSTRUCTIONS.md document to remove references to the common_cfct_setup solution.
  • CloudTrail solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the bucket policy to use aws:SourceArn to align with the updated Organization Trail Bucket Policy documentation.
    • Updated the CFCT configuration to use the main templates and parameters.
  • Common CFCT Setup solution
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Removed the Lambda function that created a new OU and moved the management account. This is no longer required due to the latest version of the CFCT solution supporting deployments to the management account within the root OU.
  • Common Prerequisites solution
    • Added a template to create a KMS key for sharing CloudFormation outputs via Secrets Manager secrets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the staging bucket policy to fix the reference to the AWSControlTowerExecution role ARN.
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Added logic within the descriptions to reference the rControlTowerExecutionRoleStack resource if the cCreateAWSControlTowerExecutionRole condition is met. This logic avoids creating an empty stack when the condition is false.
  • Common Register Delegated Administrator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added integration with Secrets Manager to share CloudFormation output values with the management account.
    • Updated the Lambda function to align with latest coding standards.
  • AWS Config Aggregator solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account. This allows the ability to register the delegated admin accounts outside of this solution.
  • AWS Config Conformance Pack solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Updated the CFCT configuration to use the main templates and parameters.
    • Added pRegisterDelegatedAdminAccount parameter to determine whether or not to register the delegated administrator account.
    • Moved the list_config_recorder_status.py script from the utils/aws_control_tower/helper_scripts to the solution scripts folder.
    • Updated and moved the Operational-Best-Practices-for-Encryption-and-Keys.yaml conformance pack template to the templates/aws_config_conformance_packs folder.
  • AWS Config Management Account solution
    • Added SRA version parameter to main templates for triggering updates to StackSets.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • EC2 Default EBS Encryption solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Firewall Manager solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • GuardDuty solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable GuardDuty within all accounts and regions using SNS fanout.
  • IAM Access Analyzer solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • IAM Password Policy solution
    • Renamed the solution and its files to remove the _acct suffix.
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
  • Macie solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
    • Added a parameter and logic to disable Macie within all accounts and regions using SNS fanout.
  • S3 Block Account Public Access solution
    • Added main templates to simplify deployments via nested stacks.
    • Updated documentation, diagram, and templates to be consistent with the rest of the solutions.
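The CloudTrail bucket policy change above (adding aws:SourceArn) closes a confused-deputy gap: a bucket policy that allows cloudtrail.amazonaws.com to PutObject with no source condition accepts log delivery from a trail in any AWS account, not just the organization trail. The following is an added example, not the SRA project's own code: a small audit that flags Allow statements granting an AWS service principal access without an aws:SourceArn or aws:SourceAccount condition, run against a constructed organization-trail bucket policy in its hardened and weak forms. The bucket ARN, trail ARN, account ID and organization ID are placeholders. The check is written generically, so it also covers other log-delivery principals (e.g. config.amazonaws.com), which goes beyond the CloudTrail case the release notes mention.

```python
"""Added example (not SRA project code): audit an S3 bucket policy for service
principal grants that are not scoped to a source ARN or source account."""
import copy

# Condition keys that tie a service-principal grant to a specific caller.
# IAM condition keys are case-insensitive, so compare in lower case.
SOURCE_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Placeholders for the example; substitute the real values in an actual policy.
BUCKET_ARN = "arn:aws:s3:::example-org-trail-bucket"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-org-trail"
MANAGEMENT_ACCOUNT_ID = "111111111111"
ORG_ID = "o-exampleorgid"


def _as_list(value):
    """IAM JSON allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement: dict) -> set:
    keys = set()
    for operator_block in statement.get("Condition", {}).values():  # e.g. {"StringEquals": {...}}
        keys.update(k.lower() for k in operator_block)
    return keys


def _service_principals(statement: dict) -> list:
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):  # "*" (public) is a separate, worse finding; out of scope here
        return []
    return _as_list(principal.get("Service", []))


def unscoped_service_grants(policy: dict) -> list:
    """Return (Sid, service) pairs for Allow statements that let a service principal
    act on the bucket without an aws:SourceArn / aws:SourceAccount condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _condition_keys(stmt) & SOURCE_CONDITION_KEYS:
            continue
        for service in _service_principals(stmt):
            findings.append((stmt.get("Sid", "<no Sid>"), service))
    return findings


def org_trail_bucket_policy(source_arn: str = TRAIL_ARN) -> dict:
    """Constructed organization-trail bucket policy in its hardened form: every
    CloudTrail grant carries aws:SourceArn, and writes require bucket-owner-full-control."""
    write_condition = {"StringEquals": {"aws:SourceArn": source_arn,
                                        "s3:x-amz-acl": "bucket-owner-full-control"}}
    cloudtrail = {"Service": "cloudtrail.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": cloudtrail,
             "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN,
             "Condition": {"StringEquals": {"aws:SourceArn": source_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": cloudtrail,
             "Action": "s3:PutObject",
             "Resource": f"{BUCKET_ARN}/AWSLogs/{MANAGEMENT_ACCOUNT_ID}/*",
             "Condition": copy.deepcopy(write_condition)},
            {"Sid": "AWSCloudTrailOrganizationWrite", "Effect": "Allow", "Principal": cloudtrail,
             "Action": "s3:PutObject",
             "Resource": f"{BUCKET_ARN}/AWSLogs/{ORG_ID}/*",
             "Condition": copy.deepcopy(write_condition)},
        ],
    }


def without_source_arn(policy: dict) -> dict:
    """The 'before' form: same grants with the aws:SourceArn condition removed."""
    weak = copy.deepcopy(policy)
    for stmt in _as_list(weak.get("Statement", [])):
        for operator_block in stmt.get("Condition", {}).values():
            operator_block.pop("aws:SourceArn", None)
    return weak


if __name__ == "__main__":
    print("hardened:", unscoped_service_grants(org_trail_bucket_policy()))
    print("weak:", unscoped_service_grants(without_source_arn(org_trail_bucket_policy())))
```

The audit intentionally treats a grant as scoped whenever either key is present: aws:SourceAccount limits delivery to trails in one account, while aws:SourceArn pins it to a single trail, which is the tighter choice the updated policy uses.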

What was removed?

  • The Account Security Hub Enabler solution was replaced with the Security Hub Organization solution.
  • The package-lambda.sh script was replaced by the stage_solution.sh script.
  • The Prerequisites for AWS Control Tower solutions files were replaced with the Common Prerequisites solution.

What was fixed?



SRA v1.5.0

08 Jan 01:58
71e46f5

Contributions

  • Thank you to @tekdj7 for his contributions in this release - #78

What was added?

What was changed?

  • Updated the main README.md to include a Getting Started with SRA section to provide guidance on how to use the solutions.
  • Updates to the stage_solution.sh packaging script to support better error logging and include packaging of common solutions for reuse by other SRA solutions.
  • In Common Prerequisites and AWS Config Management Account solutions:
    • Updates to logging to include tracebacks for when exceptions are raised.
  • In Common Prerequisites solution:
    • Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain for the IAM Role AWSControlTowerExecution, so the role is kept when the stack is deleted or the resource is replaced.
  • Renamed DEPLOYMENT-METHODS.md to CFCT-DEPLOYMENT-INSTRUCTIONS.md to provide manual and automated steps for deployment of Customizations for Control Tower (CFCT), including prerequisites.

What was removed?

  • Removed the CFCT deployment option for the Common Prerequisites solution to simplify the setup process.

SRA v1.4.0

16 Dec 23:39
76dea19

Contributions

  • Thank you to @tekdj7 for his contributions in this release - #77

What was changed?

SRA 1.3.0

10 Dec 19:44
c6520d7

What was added?

SRA 1.2.1

22 Nov 19:47
0eba951

What was added?

Bug fixes

  • #69 Fixed minor issues with the S3 block account public access solution
  • #70 Removed the space between README headers and the table of contents comment to allow the links within a page to work correctly

SRA 1.1.0

22 Nov 18:24
23406b9

What was added?

  • Added .flake8, poetry.lock, pyproject.toml, and .markdownlint.json to define coding standards that we will require and use when building future solutions
  • Contributors should use the standards defined within these files before submitting pull requests
  • Existing solutions will get refactored to these standards in future updates
  • Added S3 BucketKeyEnabled to the solutions that create S3 objects (e.g. CloudTrail, GuardDuty, and Macie)

What was changed?

  • Modified the directory structure to support multiple internal packages (e.g. 1 for each solution)
  • The folder structure also allows for tests (integration, unit, etc.). See Real Python Application with Internal Packages.
  • Renamed folders and files with snake_case to align with PEP8 Package and Module Names
  • Modified links within README.md files to align with the updated folders and file names
  • Updated the README.md files to provide consistency and improved formatting
  • Renamed parameter and template files to sra-<solution_name>...
  • Updated the default values of resource-name parameters to use an sra- prefix to help with protecting the deployed resources

What was removed?

  • Removed the AWS Config Aggregator account solution since AWS Control Tower deploys an account aggregator within the Audit account

New Contributors

  • @tekdj7 made his first contribution with #66, which will make a big impact on the overall code consistency and quality