All notable changes to this project will automatically be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- breaking: Central Security Hub configuration (#216) @sbkg0002
- docs: improve upgrade guide to v5 (#217) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v4.0.1...v5.0.0
- fix: add the option to control the SecurityHub auto enabling behaviour for newly created AWS accounts (#213) @kapas2004
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v4.0.0...v4.0.1
- breaking: update GuardDuty to support runtime monitoring (#210) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.5.2...v4.0.0
- fix: Remove unused SES forwarder alias (#212) @shoekstra
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.5.1...v3.5.2
- fix: bump Datadog module to one with fixed dependencies (#211) @stefanwb
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.5.0...v3.5.1
- feature: update dependencies for security findings (#209) @Plork
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.4.0...v3.5.0
- bug: encrypt the audit manager reports bucket using KMS (#208) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.3.0...v3.4.0
- feature: upgrade the datadog integration module, exposing the latest settings (#207) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.5...v3.3.0
- fix: add create timeout config for aws_inspector2_enabler resource (#206) @skesarkar-schubergphilis
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.4...v3.2.5
- fix: for passing Control.1 Security Hub control on the core-mgmt account (#205) @marceldevroed
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.3...v3.2.4
- bug: add servicequotas to allowed regions deny since global quotas need to be managed from us-east-1 (#204) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.2...v3.2.3
- fix: global allowed region permissions for quicksight (#202) @svashisht03
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.1...v3.2.2
- fix: add logs:* to the allowed regions exclusion since this is needed for global services (#201) @angautam
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.2.0...v3.2.1
- feature: Add Amazon Inspector support (#200) @wvanheerde
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.1.2...v3.2.0
- fix: add default principal to region deny SCP (#199) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.1.1...v3.1.2
- fix: global allowed region permissions for s3 logging & quicksight (#198) @Plork
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.1.0...v3.1.1
- enhancement: Enable AWS Audit Manager (#197) @stefanwb
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v3.0.0...v3.1.0
- breaking: Control Tower 3.0 support (#196) @stefanwb
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v2.0.1...v3.0.0
- fix: add provider to guardduty features (#195) @marcoschreurs
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v2.0.0...v2.0.1
- breaking: Add AWS Guardduty detector features & bump AWS provider to next major v5 (#194) @marcoschreurs
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.4.0...v2.0.0
- feat: Add option to provide event_selector for CloudTrail (#193) @sbkg0002
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.3.0...v1.4.0
- enhancement: Update mcaf datadog to v0.3.12 (#191) @marcoschreurs
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.2.0...v1.3.0
- feat: update allowed_regions SCP to include latest services (#190) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.1.1...v1.2.0
- bug: tag policy documentation is not in line with actual enforcement options enforced by the tag policies service (#188) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.1.0...v1.1.1
- feat: update the tag policy services and resource types list that support enforcement (#187) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.0.1...v1.1.0
- bug: aws security hub in management settings needs to be removed to prevent overriding of values (#186) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v1.0.0...v1.0.1
- feature: Refactor AWS Security Hub configuration (#185) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.28.1...v1.0.0
- fix: Remove unused `files/okta/app_settings.json.tpl` file (#183) @shoekstra
- bug: cis metrics filters get removed when upgrading to v0.26.0 or higher but not upgrading to security hub cis 1.4 (#184) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.28.0...v0.28.1
- enhancement: Adds log collection option for DD integration (#182) @stefanwb
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.27.0...v0.28.0
- enhancement: Enable SecurityHub for management and logging account (#176) @stimmerman
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.26.1...v0.27.0
- bug: ses-root-accounts-mail-forward s3 bucket solve ACL error (#180) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.26.0...v0.26.1
- enhancement: Update cis-aws-foundations-benchmark from v1.2.0 to v1.4.0 (#177) @stimmerman
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.25.1...v0.26.0
- bug: when creating the AWS Config bucket the ACL is not supported (#179) @marwinbaumannsbp
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.25.0...v0.25.1
- Remove workflows (#172) @shoekstra
- TF docs needs to write content (#170) @stimmerman
- Be more explicit about which files to keep in sync (#169) @stefanwb
- Bumps checkov in Actions (#168) @stefanwb
- enhancement: add kms encryption to the CloudTrail `additional_auditing_trail` (#171) @japm94
Full Changelog: https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/compare/v0.24.1...v0.25.0
ENHANCEMENTS
- Add KMS permissions to the KMS key to allow encryption/decryption by the CloudWatch log group of the `ses-root-accounts-mail-forward` lambda (#167).
- Encrypt the CloudWatch log group of the `ses-root-accounts-mail-forward` lambda (#166).
ENHANCEMENTS
- Change nested provider to provider alias (#165).
ENHANCEMENTS
- Use a separate bucket to store AWS Config Configuration History, enable KMS on the delivery channel objects, and add the option to set an optional path for all supported IAM resources. (#164).
- Restructure module - create a file per provided functionality instead of per account (#163).
ENHANCEMENTS
- Make GuardDuty more configurable, adds ability to set publishing frequency and data sources (#161).
ENHANCEMENTS
- Adding CheckOV to the workflow and solving all CheckOV findings (#160).
ENHANCEMENTS
- Adding the `supportplans:*` global service as an exception to the `DenyAllRegionsOutsideAllowedList` SCP (#159).
ENHANCEMENTS
- Fixed CheckOV finding because `aws_guardduty_detector` was not explicitly enabled (#158).
ENHANCEMENTS
- Update minimum AWS provider version to fix deprecation message in `aws_identitystore_group` data resource (#157).
ENHANCEMENTS
- Add DMARC support for the SES root accounts mail forward feature; this makes it possible to configure a RUA or RUF email address to send DMARC reports to (#156).
BUG FIXES
- Allow IAM entity exceptions on the `aws_deny_disabling_security_hub` and `aws_deny_leaving_org` organizations policies. Move SCP variables into `aws_service_control_policies` (#153).
ENHANCEMENTS
- Move AWS IAM Identity Center permission set resources to a sub-module. (#150)
ENHANCEMENTS
- Generate unique names for tag policies and remove services that are not supported from the enforcement list. (#155)
ENHANCEMENTS
- Create tag policies per tag key, this will recreate any existing policies, and allow policy enforcement per service. (#152)
ENHANCEMENTS
- Allow Tag Policies on nested Organizational units and allow optional `values` for Tag policies. Therefore the Terraform version requirement is now `>= 1.3` (#151)
ENHANCEMENTS
- Bump terraform-aws-mcaf-ses-forwarder to 0.2.2, which removes template provider dependency. (#149)
BUG FIXES
- Update allowed regions list to include latest services. (#148)
BUG FIXES
- Update AWS ConfigRole to match the updated policy name. (#147)
BUG FIXES
- Only use `aws_cloudwatch_log_group` data sources when the variable `monitor_iam_activity` is set to true. (#145)
BUG FIXES
- Fix error: Null values are not allowed for this attribute value. (#144)
- Fix Security Hub finding SNS.2 on the core-audit account by configuring delivery status logging. (#142)
ENHANCEMENTS
- Update the terraform-aws-mcaf-ses module to v0.1.1 to support DMARC record creation. (#141)
BUG FIXES
- Modify audit kms key policy to grant GenerateDataKey permissions to the pipeline. (#140)
BUG FIXES
- Allow sns.amazonaws.com access to the audit kms key and remove an unneeded statement in the master key. (#138)
- Modify master account KMS key policy allowing override. (#139)
ENHANCEMENTS
- Add support for providing a custom KMS key policy for the audit KMS key and move KMS to a separate file. (#137)
ENHANCEMENTS
- Add support for AWS Provider version 4. (#136)
BUG FIXES
- Modify KMS key input of the internal `ses-root-accounts-mail-forward` module to use the ARN instead of the ID. (#135)
ENHANCEMENTS
- Whitelist Sustainability as an approved global service in the Allowed Regions Service Control Policy. (#134)
BUG FIXES
- Datadog site url is now also passed to datadog forwarder module for audit and logging accounts. (#133)
BUG FIXES
- When `var.monitor_iam_activity` is set to `false` we shouldn't create any `iam_activity` related resources. (#131)
ENHANCEMENTS
- Updated the KMS key policy for the logging KMS key to have more default Get permissions. (#130)
ENHANCEMENTS
- Added a KMS key for logging account with support for KMS key policy. (#129)
ENHANCEMENTS
- Add an optional mail forwarder using Amazon SES: adding the `ses_root_accounts_mail_forward` variable creates the necessary SES resources to accept mail sent to an AWS hosted domain and forward it to an external recipient or recipients. (#128)
ENHANCEMENTS
- Add an account level S3 public access policy to block public access to all S3 buckets within the landing zone core accounts. (#125)
ENHANCEMENTS
- Add support for assigning managed policies in SSO permission sets. (#124)
BUG FIXES
- Fixed malfunctioning policy issue. The allowed regions policy template wasn't using the appropriate allowed_region property. (#123)
BUG FIXES
- Conditionally merges the DenyAllRegionsOutsideAllowedList, DenyDeletingCloudTrailLogStream, DenyDisablingSecurityHub, RequireAllEc2RolesToUseV2, RequireImdsV2, MaxImdsHopLimit, and DenyLeavingOrg policies into one `LandinZone-RootPolicies` policy to avoid exceeding the SCP limit (5 policies per org) in the AWS Organizations quotas. (#120)
ENHANCEMENTS
- Set the audit account as security hub administrator account for the organization and automatically enable Security Hub for new accounts in the organization. (#121)
ENHANCEMENTS
- Add additional IAM activity monitors. (#119)
ENHANCEMENTS
- Upgrade Datadog MCAF module used in core accounts to latest version. (#118)
ENHANCEMENTS
- Update IAM Activity Monitor for root usage to match CIS AWS rule 1.1. (#117)
ENHANCEMENTS
- Add a `DenyDisablingSecurityHub` SCP that is attached to all AWS Organisation OUs. (#110)
ENHANCEMENTS
- Enable by default AWS GuardDuty S3 protection. (#111)
ENHANCEMENTS
- Update KMS module. (#109)
ENHANCEMENTS
- Make list of SecurityHub Standards configurable (#108)
ENHANCEMENTS
- Add support for multiple SSO Permission Set assignments. (#106)
ENHANCEMENTS
- Added support for KMS Key policy. (#104)
ENHANCEMENTS
- Removal of the local AVM module. The AVM module has been split up into 2 modules to allow for more flexibility: AVM core functionality has been moved to the MCAF Account Vending Machine (AVM) module and all other functionality has been moved to the MCAF Account Baseline module. (#102)
BUG FIXES
- Adds `is_multi_region_trail = true` & `enable_log_file_validation = true` for the cloudtrail resource regarding TFSEC #AWS063 & #AWS064 (#101)
- Allows access-analyzer to be used outside the region since it's a global service + adds ignores for tfsec (#100)
ENHANCEMENTS
- Add support to use a TFC agent pool (#98)
ENHANCEMENTS
- Add support to manage AWS SSO resources (#95)
ENHANCEMENTS
- Add SCP to protect CloudTrail LogStream (#94)
BUG FIXES
ENHANCEMENTS
- Adding tag compliance capability using tag policies (#84)
ENHANCEMENTS
- Add capability to disable SSO activity monitoring in the AVM module (#89)
BUG FIXES
- Update SCP to support AWS ChatBot (#88)
ENHANCEMENTS
- Update IAM activity monitoring in the AVM module (#86)
- Update IAM activity monitoring in the core accounts (#85)
BUG FIXES
- Add missing provider to the `aws_iam_account_password_policy` and `aws_ebs_encryption_by_default` resources (#82)
BUG FIXES
- Fix error when trying to read SNS topic policy from data source (#78)
ENHANCEMENTS
- Enable AWS EBS encryption by default (#79)
- Refactored Securityhub to use organizations and removed unused Guardduty resources (#80)
BUG FIXES
- Fix `workspace_id` output in AVM module when the module does not create a workspace (#76)
ENHANCEMENTS
- Add ability to opt out of workspace create when you want to create the workspace and workspace user outside of the AVM module (#74)
BUG FIXES
- Fix bug in output `monitor_iam_access_sns_topic_arn`, this needs to be the event bus arn. Changed the value and the output to match the event bus in the audit account (#72)
BUG FIXES
- Fix bug in `monitor_iam_access` pattern in the AVM module, `userName` must be an array (#70)
BUG FIXES
- Enable key rotation for the kms resources (#68)
ENHANCEMENTS
- Add notifications for Security Hub findings via SNS topic LandingZone-SecurityHubFindings (#56)
BUG FIXES
- Add `endpoint_auto_confirms` variable to the AWS Config SNS topic (#62) (#64)
- Modify accountID of the AWS Config SNS topic (#65)
BUG FIXES
- Resolve issue where an empty `sns_security_subscription` variable causes a failure and restructured the variable to a map as `for_each` in Terraform 0.14 cannot be used with an object that has sensitive values (#60)
ENHANCEMENTS
- Set default password policy parameters for the audit, logging, master accounts (#57)
ENHANCEMENTS
- Forward SecurityHub findings to AggregateSecurityNotifications SNS topic (#56)
ENHANCEMENTS
- Add support for subscribing to aggregated security SNS topic (#41)
ENHANCEMENTS
- Add support for exemptions to the AWS region restriction (#31)
- Set default password policy parameters for the AWS accounts (#51) (#43)
BUG FIXES
- Loosen provider version constraints to allow more flexibility for module users (#53)
ENHANCEMENTS
- Add a `DenyLeavingOrg` SCP that is attached to all AWS Organisation OUs (#39)
- Add a `RequireUseOfIMDSv2` SCP that is attached to all AWS Organisation OUs by default (#38)
- Add a `DenyRootUser` SCP that can be attached to AWS Organisation OUs (#37)
BUG FIXES
- Fix support for Datadog region (#36)
ENHANCEMENTS
- Add support for an additional CloudTrail Trail configuration (#28)
BUG FIXES
- Fix recreation of the aws_securityhub_member resource (#25)
- Remove MCAF provider version pin in AVM module (#26)
ENHANCEMENTS
- Add support for AWS GuardDuty (#12)
- Modify terraform-aws-mcaf-workspace version to 0.3.0 in the avm module, in order to prevent github error (#22)
- Add KMS Key in the Audit account (#18)
- Add support for monitoring IAM access (#15)
- Add support for multiple AWS Config Aggregators (#14)
- Add support for defining specific account name for AWS Service Catalog (#13)
- Make account and email names more flexible. (#17)
BUG FIXES
- Fix multiple bugs in unreleased features (#23)
- Add filter to create rules only for the right identities (#21)
- Fix errors when monitor_iam_access is null (#19)
- Add condition to audit AWS Config Aggregate Auth (#20)
- Adds optional SCP to restrict allowed regions (#11)
- Adds support for optional AWS Config Aggregate Authorization (#10)
- Enables AWS Config in the master account (#9)
- Adds support for custom tags to AVM module (#8)
- Adds support for passing SSH Key Id to TFE workspace (#7)
- Adds output to AVM module (#6)
- Adds support for AWS-Datadog integration (#5)
- Adds support for AWS Config Rules (#4)
- Enables security hub for all AWS Organization accounts (#3)
- Removes embedded Okta Groups (#2)
- First version (#1)