CHANGELOG.md

0.28.0 - 2021-09-11

Feat

  • GuardDuty: Enable S3 events sources (#209)
  • add support for logging dynamodb events (#207)
  • add in support to enable 3rd party products (#206)
  • adds lambda function invocation logging (#205)
  • add a flag to toggle Security Hub (#201)

Fix

  • do not manage datasources in member accounts. (#215)
  • adjust password policy to match CIS 1.3+ (#214)
  • adjust filter pattern for unauthorized_api_calls alarm (#212)
  • adjust password policy to match CIS 1.3+ (#213)
  • typo (#203)

0.27.1 - 2021-07-03

Fix

  • when VPC is disabled, disable vpc logging for it (#197)

0.27.0 - 2021-06-27

Feat

  • add flag for disabling config-baseline (#190)

Fix

  • is_enabled flag with ap-northeast-3 (#192)

Refactor

  • define configuration_aliases (#196)
  • use one instead of join to pick the first element (#194)

0.26.0 - 2021-06-06

Feat

  • disable automatic public ip assignments in default subnets (#189)
  • enable S3 account-level public block (#188)
  • add functionality to manually enable/disable guardduty-baseline module (#183)
  • enable Insights event logging by default (#185)
  • add cloudtrail insight selector type specification (#180)
  • add vpc_enable variable (#170)
  • add/enable ap-northeast-3 (Osaka) region (#177)

Fix

  • allow alarm variables to be set at top level module (#178)

0.24.0 - 2021-04-25

Feat

  • add flag to allow recording global resources in all regions (#168)
  • enable access analyzer for org (#167)
  • allow enabling/disabling individual alarms (#164)

Fix

  • edge case when not logging to cloudwatch (#161)

Refactor

  • define required providers for submodules (#171)

0.23.1 - 2020-12-13

Fix

  • invalid reference when flow logs is disabled (#157)

0.23.0 - 2020-11-23

Feat

  • use the audit log bucket for Flow Logs by default (#152)
  • add option to publish VPC Flow Logs to either S3 or CW (#151)
  • associate members to master in SecurityHub (#147)
  • add a flag to enable/disable VPC Flow Logs (#146)

0.22.0 - 2020-11-14

Feat

  • apply tags to default network resources (#133)

Fix

  • logging policies when using custom prefixes (#141)
  • deprecation warnings (#140)
  • prevent AWS Config from firing alarms (#139)

0.21.0 - 2020-09-24

Feat

  • various updates to comply with CIS Benchmark v1.3.0 (#131)
  • force using HTTPS to access the access log bucket (#129)
  • force using HTTPS to access the audit log bucket (#128)
  • add parameters to make role creations optional (#127)
  • add tags to guardduty (#121)
  • add tags to flow logs (#120)

Fix

  • remove a redundant Config rule (#132)

0.20.0 - 2020-08-10

Feat

  • make all roles optional (#115)

Fix

  • add a wildcard suffix to log group ARN (#119)

0.19.0 - 2020-08-10

Feat

  • new SecurityHub standards support (#113)
  • make delivery of CloudTrail to CloudWatch Logs and SNS optional (#117)

Fix

  • support standard options for ap-east-1

0.18.1 - 2020-05-31

Fix

  • do not enable SecurityHub when not enabled (#111)

0.18.0 - 2020-05-17

Feat

  • enable Security Hub in each region (#105)
  • encrypt the sns topic (#103)

Fix

  • use the same CMK for encrypting the SNS topic (#104)
  • ensure to have the audit log bucket before CloudTrail (#102)
  • add in new region (#91)

0.17.0 - 2019-12-14

0.16.2 - 2019-11-16

Refactor

  • remove unused data source

0.16.1 - 2019-10-12

Fix

  • do not read AWS Organization when account_type is set to "individual"

0.16.0 - 2019-09-28

Feat

  • add an argument to specify target regions.
  • add "tags" argument

Fix

  • incorrect references in external-bucket example

0.15.0 - 2019-08-18

Feat

  • allow member accounts access to the audit log bucket
  • do not set up CloudTrail for member accounts
  • add the organizational AWS Config aggregated view
  • support organization trails
  • support GuardDuty master/member accounts
  • only include global resources in the specified region

Fix

  • permissions for organization trail
  • do not override guardduty_master_account_id for simplicity
  • insufficient permission to accept organization trails.

Refactor

  • use aws_iam_policy_document instead of heredocs

0.14.0 - 2019-07-24

Feat

  • allow using an external bucket instead of creating a new one
  • add a flag to enable force_destroy on S3 buckets

0.13.0 - 2019-07-14

Feat

  • take finding_publishing_frequency as an input variable
  • enable GuardDuty in eu-north-1 region

0.12.0 - 2019-07-14

Feat

  • return resources as outputs instead of specific attributes

0.11.0 - 2019-06-06

0.10.0 - 2019-05-25

Feat

  • upgrade to terraform 0.12

0.9.0 - 2019-04-06

Feat

  • enable SecurityHub and CIS standard subscription
  • add eu-north-1 region support

0.8.0 - 2019-04-03

Feat

  • add eu-north-1 region support

Fix

  • remove a default subnet resource

0.7.0 - 2019-02-11

Fix

  • create a log group for VPC Flow Logs in each region

0.6.0 - 2018-11-23

Feat

  • enable managed config rules for benchmark compliance

0.5.0 - 2018-08-05

Feat

  • enable GuardDuty in Paris region.

Fix

  • Change how to work around the default ACL issue.

0.4.1 - 2018-05-27

Fix

  • create a global rule after recorders.

0.4.0 - 2018-05-27

Feat

  • enable AWS Config rules for monitoring

0.3.0 - 2018-05-19

Feat

  • automatically archive audit logs into Amazon Glacier

0.2.1 - 2018-04-01

Fix

  • temporarily disable mfa_delete on secure buckets

0.2.0 - 2018-04-01

Feat

  • enable versioning with secure buckets

0.1.1 - 2018-03-20

Fix

  • omit GuardDuty config for eu-west-3 region until supported

0.1.0 - 2018-03-11

Feat

  • add various outputs

Fix

  • update var names in the CI script

0.0.5 - 2018-02-17

Feat

  • add IAM baseline module

Refactor

  • use consistent resource namings

0.0.4 - 2018-02-12

Feat

  • enable GuardDuty in all regions

0.0.3 - 2018-02-12

Feat

  • output an ID of the audit log bucket

Fix

  • broken output value

0.0.2 - 2018-02-12

0.0.1 - 2018-02-12