Releases: aws-solutions/automated-security-response-on-aws
v2.1.4
[2.1.4] - 2024-11-18
Changed
- Upgraded python runtimes in all control runbooks from python3.8 to python3.11.
  - The upgrade is applied at build time as a temporary measure until the cdklabs/cdk-ssm-documents package adds support for newer Python runtimes.
Security
- Upgraded cross-spawn to mitigate CVE-2024-21538
v2.1.3
[2.1.3] - 2024-09-18
Fixed
- Resolved an issue in the remediation scripts for EC2.18 and EC2.19 where security group rules with IpProtocol set to "-1" were being incorrectly ignored.
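The failure mode behind this fix is worth seeing in code: in the EC2 IpPermissions shape, a rule with IpProtocol "-1" means every protocol and every port and carries no FromPort/ToPort, so a check that compares port numbers first silently skips exactly the most permissive rule. The following is an added, illustrative classifier for EC2.18/EC2.19-style exposure checks, not the ASR remediation script; the rule list is a constructed sample in the DescribeSecurityGroups format.

```python
"""Classify security-group ingress rules the way an exposure check must,
treating IpProtocol "-1" as "all protocols, all ports".  Added example
for this changelog entry, not the solution's own remediation code."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_is_open_to_world(rule):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def rule_covers_port(rule, port, protocol="tcp"):
    """True if the rule allows `protocol`/`port`.

    IpProtocol "-1" means all protocols; such rules have no FromPort/ToPort
    (or carry -1), so they must be treated as unbounded instead of being
    compared numerically -- the case the fixed scripts had been ignoring.
    """
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    lo = rule.get("FromPort", -1)
    hi = rule.get("ToPort", -1)
    if lo == -1 or hi == -1:  # whole range for that protocol
        return True
    return lo <= port <= hi


def offending_rules(ip_permissions, port, protocol="tcp"):
    """Return the ingress rules that expose `protocol`/`port` to the world."""
    return [
        rule for rule in ip_permissions
        if rule_is_open_to_world(rule) and rule_covers_port(rule, port, protocol)
    ]


# Constructed sample shaped like EC2 DescribeSecurityGroups IpPermissions.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1",  # all traffic; note the absent port fields
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    for r in offending_rules(SAMPLE_RULES, 22):
        print("exposes tcp/22 to the world:", r)
```

Against the sample, only the "-1" rule exposes port 22, while port 443 is exposed by both the explicit tcp/443 rule and the "-1" rule; a check that skipped rules without FromPort would report nothing for port 22.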
Changed
- Upgraded all Python runtimes in remediation SSM documents from Python 3.8 to Python 3.11.
V2.1.2
Fixed
- Disabled AppRegistry for certain playbooks to avoid errors when updating the solution
- Created list of playbooks instead of creating stacks dynamically to avoid this in the future
Security
- Updated braces package version for CVE-2024-4068 - https://avd.aquasec.com/nvd/cve-2024-4068
V2.1.1
Changed
- Changed order of CloudFormation parameters to emphasize the Security Control playbook
- Changed default for all playbooks other than SC to 'no'
- Updated descriptions of playbook parameters
- Updated architecture diagram
v2.1.0
Added
- CloudWatch Dashboard for monitoring solution metrics
- Remediations are now scheduled rather than run immediately, to prevent API throttling when many remediations are triggered in a short period of time
- New support for NIST 800-53 standard
- New remediations for CloudFront.1, CloudFront.12, Codebuild.5, EC2.4, EC2.8, EC2.18, EC2.19, EC2.23, ECR.1, GuardDuty.1, IAM.3, S3.9, S3.11, S3.13, SecretsManager.1, SecretsManager.3, SecretsManager.4, SSM.4
- Support for customizable input parameters to remediations
Changed
- Updated AFSBP to FSBP in docs
- Added the HttpEndpoint parameter (enabled) to the EC2.8 remediation
- Updated imports for moto 5.0.0
Fixed
- Disabled AppRegistry functionality in China regions. AppRegistry is not available in those regions.
- Added missing EventBridge rules for CloudFormation.1, EC2.15, SNS.1, SNS.2, and SQS.1
- Fixed SC_SNS.2 not executing due to wrong automation document
- Fixed RDS.4 remediation failing to remediate due to incorrect regex
- RDS.4 regex now includes snapshots created by Backup
- Enable CloudTrail encryption remediation is now a regional remediation
- Fixed SC_SQS.2 incorrect parameter
- Fixed SC_EC2.6 message on finding note
- Added AddTagsToResource to EncryptRDSSnapshot remediation role
- SNS.2 now works in regions other than where the roles are deployed
- Updated SNS.1 parameter to TopicArn instead of SNSTopicArn
- SC_RDS.1 regex now includes snapshots
- Fixed certain remediations failing in opt-in regions due to STS token endpoint
- Rules for CIS 1.4.0 no longer match on CIS 1.2.0 generator ID
- Fixed S3.6 creating malformed policy when all principals are "*"
Security
- Upgraded urllib3
v2.0.2 - 2023-10-24
Security
- Upgraded @babel/traverse to mitigate CVE-2023-45133
- Upgraded urllib3 to mitigate CVE-2023-45803
- Upgraded aws-cdk-lib to mitigate CVE-2023-35165
- Upgraded @cdklabs/cdk-ssm-documents to mitigate CVE-2023-26115
v2.0.1
Fixed
- Set bucket ownership property explicitly when creating logging buckets with ACLs
v2.0.0
[2.0.0] - 2023-03-23
Added
- New remediations contributed by 6Pillars: CIS v1.2.0 1.20
- New AFSBP remediations for CloudFormation.1, EC2.15, SNS.1, SNS.2, SQS.1
- Service Catalog AppRegistry integration
- New support for Security Controls, finding deduplication
- New support for CIS v1.4.0 standard
Changed
- Added protections to avoid deployment failure due to SSM document throttling
Release v1.5.1
[1.5.1] - 2022-12-22
Changed
- Changed SSM document name prefixes from SHARR to ASR to support stack update
- Upgraded Lambda Python runtimes to 3.9
Fixed
- Reverted SSM document custom resource provider to resolve intermittent deployment errors
- Fixed bug in AFSBP AutoScaling.1 and PCI.AutoScaling.1 remediation regexes
v1.5.0
[1.5.0] - 2022-05-31
Added
- New remediations - see Implementation Guide
Changed
- Improved cross-region remediation using resource region from Resources[0].Id
- Added custom resource provider for SSM documents to allow in-place stack upgrades
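The cross-region item above depends on one parsing decision: the region of the resource to remediate is read from the ARN in the finding's Resources[0].Id, not from the region in which the finding was received, and regionless ARNs (S3 buckets, IAM) have to fall back to the finding's own Region. The block below is an added illustration of that logic, not the solution's code; the two findings are constructed samples trimmed to the fields used, and the account number is the AWS documentation placeholder.

```python
"""Derive the remediation region from a Security Hub finding's
Resources[0].Id ARN, falling back to the finding's Region for global or
regionless resources.  Added example, not the solution's own code."""

import re

# arn:partition:service:region:account-id:resource
# region and account-id may be empty (S3 buckets, IAM resources).
_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its fields; raise on anything that is not an ARN."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()


def remediation_region(finding):
    """Prefer the resource's own region over the region the finding was
    consumed in; use the finding's Region only when the ARN has none."""
    resources = finding.get("Resources") or []
    if resources:
        parsed = parse_arn(resources[0]["Id"])
        if parsed["region"]:
            return parsed["region"]
    return finding["Region"]


# Constructed samples: an aggregated finding for a security group in
# eu-west-1 seen in us-east-1, and one for a regionless S3 bucket ARN.
SAMPLE_SG_FINDING = {
    "Region": "us-east-1",
    "Resources": [{
        "Type": "AwsEc2SecurityGroup",
        "Id": "arn:aws:ec2:eu-west-1:123456789012:security-group/sg-0123456789abcdef0",
    }],
}
SAMPLE_S3_FINDING = {
    "Region": "us-east-1",
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
}

if __name__ == "__main__":
    for f in (SAMPLE_SG_FINDING, SAMPLE_S3_FINDING):
        print(f["Resources"][0]["Id"], "->", remediation_region(f))
```

Remediating the security group in us-east-1 because that is where the finding arrived would fail or, worse, touch the wrong account-region pair; reading eu-west-1 from the ARN is what makes the remediation cross-region.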
Refer to changelog for more information
Full Changelog: v1.4.2...v1.5.0