
Releases: digitc1/AWSLandingZone

Updates to installation scripts

12 Oct 07:53
50d808c
  • removed execution of EC-Enable-SecurityHub-Controls-All-Regions.sh from Setup and Update LZ installation scripts
  • reactivated put-permission --action events:PutEvents on setup and update LZ for client

Updates to remove stackset changes from update scripts

06 Oct 19:58
ee4c584
  • minor fix ec-update-seclog.sh script - removal of embedded securityhub controls on all regions
  • Updated timeout to 600 sec on lambdas, removed stackset execution from update scripts.
  • New update strategy

Throttling, log muting and handling describe logstream response limit

06 Oct 09:13
  • implemented throttling for put_log_events (5 issues/sec)

  • Added extra checks on config lambda to prevent non json files to be
    processed

  • Reduced logging on INFO (no log entry per log push on log group)

  • Describe logstream call limited to the loggroup to be processed (to prevent
    reaching the response limit)

Fixes for lambda limitations, EventBus policy and enabling securityhub on all regions for seclog and linked accounts

30 Sep 19:46
ccf6d73

Release Notes:

  • enable securityhub controls for both seclog and linked accounts on all regions
  • added condition to SecLogEventBusPolicy to allow only accounts under the organisation account to send put events (#60)
  • fix to handle putlogevents limitation of 256kb by handling each event from the S3 object independently (#61)

Fixes for parameter and batch processing, and performance improvements

29 Sep 12:59

Release notes:

  • removed all read -p for batch processing
  • improvement for speeding up the stack instance creation
  • fixed issue for read -p on EC-Connect-Account.sh
  • fixed issue with parameters and with root email address on EC-Invite-from-seclog.sh (#55)

Enhancement of the Landing Zone functionality and implementation of the SECLOG update script.

25 Sep 14:18

Release note:

  • added batch flag to script parameters to disable prompting the user for continuing the execution of the script (#47)
  • fixed issue with ec2 describe-regions failing when Default profile is not available (#46)
  • added eu-north-1 to the list of all regions except ireland on the seclog create and update scripts (#45)
  • updated CFT s3 buckets to include lambda functions for cloudwatch log shipping (#44)
  • updated scripts to remove dependency on AWS organisation profile - made organisation parameter optional (#48)
  • updated CFT S3 buckets, minor fix on source ARN for lambda permissions. Minor fixes to EC-Update-Seclog.sh script
  • fixed issue with cloudwatch event target mapping to log groups on guardduty and securityhub events. Added logs:CreateLogGroup action to LogShipperLambdaExecutionRole so lambdas can create their own loggroup
  • shifted the next token retrieval closer to the log push function and set the concurrency to 1 on both lambdas
  • fix for the access denied lambda function problem. Modified LogShipperLambdaExecutionRole
  • updated readme.md file

Update script fix to include missing CFT

03 Sep 08:04
549b6f7
Fix on update seclog account script to include update to SECLZ-Notifications-Cloudtrail stack (#17)

Hotfix/client script typo

31 Aug 10:29
8803529
Hotfix/client script typo (#15)

* Fixed typo on script that prevented execution: oganisation -> o"r"ganisation

* Updated CFN/EC-lz-config-cloudtrail-logging.yml and CFN/EC-lz-config-securityhub-logging.yml to cater for SOC integration disabling on Client account.

* Updated CFN/EC-lz-guardDuty-detector.yml to cater for LZ installation on client account

v1.1.2: Hotfix/documentation update (#14)

28 Aug 13:58
89b16a9
* Correction on master account id and typo in the list of regions

* Release/1.1.1 (#9)

* Correction on master account id and typo in the list of regions

* Fixed issue with retrieval account email in script ./SH/EC-Invite-from-SecLog-Account.sh

* added NOSOC integration CFT files

* Update CFT and script for optional SECLOG integration with splunk.

* Script fixes.

* Updated parameter management on EC-Setup-Client.sh

Added Disable-Seclog-Splunk.sh script to remove Splunk-SecLog integration.
Updated Update-Seclog-splunk.sh script to new parameter scheme.

* Minor fix on CFT param.

* Added policy for denying non ssl-requests for s3 buckets

* Fixed parameter check on EC-Update-Seclog-Splunk and EC-Disable-Seclog-Splunk

* chmod 755  EC-Disable-SecLog-Splunk.sh and EC-Update-SecLog-Splunk.sh

* Fixed params for CFT (firehose ARN) and default values set for KMS CFT

* Set default parameter to null on all CFT that require firehose_arn
Updated policies for s3 bucket fix

* Fixes for guardduty cft - integration with splunk selector

* Update status check on update scripts for lz 1.1.1

* Minor fixes on update scripts
update parameter check on guardduty detect to cft

* Update to put parameter on update scripts

* Review of conditional resources on guardduty-detector CFT

* Fixed issue with yaml on s3 bucket CFT

* Conditionality fix for full install of LZ 1.1.1

Co-authored-by: leonalt <laurent.leonard@ext.ec.europa.eu>

* Updated comments and documentation.
Fix for update script on CFT S3 bucket CLI execution

Co-authored-by: leonalt <laurent.leonard@ext.ec.europa.eu>

Release 1.1.1

27 Aug 19:26
66d0251

Incorporates optional integration with Splunk, and scripts to update LZ from 1.0.0 to 1.1.1 and rollback if required.