Releases: digitc1/AWSLandingZone
Updates to installation scripts
- removed execution of EC-Enable-SecurityHub-Controls-All-Regions.sh from Setup and Update LZ installation scripts
- reactivated put-permission --action events:PutEvents on setup and update LZ for client
Updates to remove stackset changes from update scripts
- minor fix ec-update-seclog.sh script - removal of embedded securityhub controls on all regions
- Updated timeout to 600 sec for lambdas, removed stackset execution from update scripts.
- New update strategy
Throttling, log muting and handling describe logstream response limit
- implemented throttling for put_log_events (5 issues/sec)
- Added extra checks on config lambda to prevent non json files to be processed
- Reduced logging on INFO (no log entry per log push on log group)
- Describe logstream call limited to the loggroup to be processed (to prevent reaching the response limit)
Fixes for lambda limitations, EventBus policy and enabling securityhub on all regions for seclog and linked accounts
Release Notes:
- enable securityhub controls for both seclog and linked accounts on all regions
- added condition to SecLogEventBusPolicy to allow only accounts under the organisation account to send put events (#60)
- fix to handle putlogevents limitation of 256kb by handling each event from the S3 object independently (#61)
Fixes for parameter and batch processing, and performance improvements
Release notes:
- removed all read -p for batch processing
- improvement for speeding up the stack instance creation
- fixed issue for read -p on EC-Connect-Account.sh
- fixed issue with parameters and with root email address on EC-Invite-from-seclog.sh (#55)
Enhancement of the Landing Zone functionality and implementation of the SECLOG update script.
Release note:
- added batch flag to script parameters to disable prompting the user for continuing the execution of the script (#47)
- fixed issue with ec2 describe-regions failing when Default profile is not available (#46)
- added eu-north-1 to the list of all regions except ireland on the seclog create and update scripts (#45)
- updated CFT s3 buckets to include lambda functions for cloudwatch log shipping (#44)
- updated scripts to remove dependency on AWS organisation profile - made organisation parameter optional (#48)
- updated CFT S3 buckets, minor fix on source ARN for lambda permissions. Minor fixes to EC-Update-Seclog.sh script
- fixed issue with cloudwatch event target mapping to log groups on guardduty and securityhub events. Added logs:CreateLogGroup action to LogShipperLambdaExecutionRole so lambdas can create their own loggroup
- shifted the next token retrieval closer to the log push function and set the concurrency to 1 on both lambdas
- fix for the access denied lambda function problem. Modified LogShipperLambdaExecutionRole
- updated readme.md file
Update script fix to include missing CFT
Fix on update seclog account script to include update to (#17) SECLZ-Notifications-Cloudtrail stack
Hotfix/client script typo
Hotfix/client script typo (#15)
- Fixed typo on script that prevented execution: oganisation -> o"r"ganisation
- Updated CFN/EC-lz-config-cloudtrail-logging.yml CFN/EC-lz-config-securityhub-logging.yml To cater for SOC integration disabling on Client account.
- Updated CFN/EC-lz-guardDuty-detector.yml to cater for LZ installation on client account
v1.1.2: Hotfix/documentation update (#14)
- Correction on master account id and typo in the list of regions
- Release/1.1.1 (#9)
- Correction on master account id and typo in the list of regions
- Fixed issue with retrieval account email in script ./SH/EC-Invite-from-SecLog-Account.sh
- added NOSOC integration CFT files
- Update CFT and script for optional SECLOG integration with splunk.
- Script fixes.
- Updated parameter management on EC-Setup-Client.sh Added Disable-Seclog-Splunk.sh script to remove Splunk-SecLog integration. Update Update-Seclog-splunk.sh script to new parameter scheme.
- Minor fix on CFT param.
- Added policy for denying non ssl-requests for s3 buckets
- Fixed parameter check on EC-Update-Seclog-Splunk and EC-Disable-Seclog-Splunk
- chmod 755 EC-Disable-SecLog-Splunk.sh and EC-Update-SecLog-Splunk.sh
- Fixed params for CFT (firehose ARN) and default values set for KMS CFT
- Set default parameter to null on all CFT that require firehose_arn Updated policies for s3 bucket fix
- Fixes for guardduty cft - integration with splunk selector
- Update status check on update scripts for lz 1.1.1
- Minor fixes on update scripts update parameter check on guardduty detect to cft
- Update to put parameter on update scripts
- Review of conditional resources on guardduty-detector CFT
- Fixed issue with yaml on s3 bucket CFT
- Conditionality fix for full install of LZ 1.1.1

  Co-authored-by: leonalt <laurent.leonard@ext.ec.europa.eu>
- Updated comments and documentation. Fix for update script on CFT S3 bucket CLI execution

  Co-authored-by: leonalt <laurent.leonard@ext.ec.europa.eu>
Release 1.1.1
Incorporates optional integration with Splunk, and scripts to update LZ from 1.0.0 to 1.1.1 and rollback if required.