Skip to content

Latest commit

 

History

History
504 lines (364 loc) · 21.2 KB

CHANGELOG.md

File metadata and controls

504 lines (364 loc) · 21.2 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

2.1.0 (2022-12-03)

Features

  • enable CIS benchmark v1.4.0 standard (#308) (bb724cd)
  • make audit log bucket access logs bucket name customizable (#303) (07dc101)

2.0.0 (2022-06-05)

⚠ BREAKING CHANGES

  • this change disables glacier transition rules by default since transitioning small objects is officially not recommended. it can be enabled by setting var.audit_log_lifecycle_glacier_transition_days to a positive number.

Features

  • add permissions boundaries for IAM entities support (#288) (219f003)
  • make glacier transition rules optional (#293) (f0cdf3e)

1.1.0 (2022-04-16)

Features

Bug Fixes

1.0.1 (2022-03-06)

Bug Fixes

1.0.0 - 2022-02-19

Feat

  • add new S3 bucket configuration resources (#261)
  • allow use of organization trail to be toggled via variable (#259)

Fix

  • require AWS provider v4.2.0 (#270)
  • require AWS provider v4.1.0 (#268)
  • the condition to use the organization trail (#265)
  • use count instead of var.enabled (#262)

Refactor

  • remove destination_options (#267)
  • explicitly define a format for FlowLogs (#264)
  • replace deprecated arguments (#263)

BREAKING CHANGE

resources regarding S3 bucket configurations need manual import after upgrade. See docs/upgrade-1.0.md for guidance.

0.34.0 - 2022-01-22

Feat

  • automatically accepts invite from the master (#256)
  • enforce strong password policy by default (#252)

Fix

  • no findings aggregator for member accounts (#257)
  • set the minimum terraform version to 1.1.4 (#255)
  • upgrade minimum provider requirements (#248)

0.33.0 - 2022-01-10

Refactor

  • add tflint checks (#246)
  • re-organize locals (#243)

0.32.0 - 2022-01-08

Feat

  • enable finding aggregator in the main region (#241)

0.31.0 - 2022-01-08

Feat

  • add inputs to toggle submodules (#240)
  • optionally ignore SSO logins for MFA alarms (#234)
  • apply default subnet changes to existing subnets (#237)

Fix

  • use CIS recommended filter pattern (#239)
  • remove aws_default_vpc dependency (#238)

Refactor

  • use module count instead of having ennabled variable in each submodule. (#195)

0.30.0 - 2021-11-23

Feat

  • add S3 bucket key support (#236)

Fix

  • the minimum required version of the AWS provider (#227)

0.29.2 - 2021-09-18

0.29.1 - 2021-09-18

Fix

  • make sns_topic_kms_master_key_id optional (#219)

0.29.0 - 2021-09-17

Feat

  • add kms_master_key_id to alarm baseline and config-baseline module (#216)

0.28.0 - 2021-09-11

Feat

  • GuardDuty: Enable S3 events sources (#209)
  • add support for logging dynamodb events (#207)
  • add in support to enable 3rd party products (#206)
  • adds lambda function invocation logging (#205)
  • add a flag to toggle Security Hub (#201)

Fix

  • do not manage datasources in member accounts. (#215)
  • adjust passwort policy to match CIS 1.3+ (#214)
  • adjust filter pattern for unauthorized_api_calls alarm (#212)
  • adjust passwort policy to match CIS 1.3+ (#213)
  • typo (#203)

0.27.1 - 2021-07-03

Fix

  • when VPC is disabled, disable vpc logging for it (#197)

0.27.0 - 2021-06-27

Feat

  • add flag for disabling config-baseline (#190)

Fix

  • is_enabled flag with ap-northeast-3 (#192)

Refactor

  • define configuration_aliases (#196)
  • use one instead of join to pick the first element (#194)

0.26.0 - 2021-06-06

Feat

  • disable automatic public ip assignments in default subnets (#189)
  • enable S3 account-level public block (#188)
  • add functionality to manually enable/disable guardduty-baseline module (#183)
  • enable Insights event logging by default (#185)
  • add cloudtrail insight selector type specification (#180)
  • add vpc_enable variable (#170)
  • add/enable ap-northeast-3 (Osaka) region (#177)

Fix

  • allow alarm variables to be set at top level module (#178)

0.24.0 - 2021-04-25

Feat

  • add flag to allow recording global resources in all regions (#168)
  • enable access analyzer for org (#167)
  • allow enabling/disabling individual alarms (#164)

Fix

  • edge case when not logging to cloudwatch (#161)

Refactor

  • define required providers for submodules (#171)

0.23.1 - 2020-12-13

Fix

  • invalid reference when flow logs is disabled (#157)

0.23.0 - 2020-11-23

Feat

  • use the audit log bucket for Flow Logs by default (#152)
  • add option to publish VPC Flow Logs to either S3 or CW (#151)
  • associate members to master in SecurityHub (#147)
  • add a flag to enable/disable VPC Flow Logs (#146)

0.22.0 - 2020-11-14

Feat

  • apply tags to default network resources (#133)

Fix

  • logging policies when using custom prefixes (#141)
  • deprecation warnings (#140)
  • prevent AWS Config to fire alarms (#139)

0.21.0 - 2020-09-24

Feat

  • various updates to comply with CIS Benchmark v1.3.0 (#131)
  • force using HTTPS to access the access log bucket (#129)
  • force using HTTPS to access the audit log bucket (#128)
  • add parameters to make role creations optional (#127)
  • add tags to guardduty (#121)
  • add tags to flow logs (#120)

Fix

  • remove a redundant Config rule (#132)

0.20.0 - 2020-08-10

Feat

  • make all roles to be optional (#115)

Fix

  • add a wildcard suffix to log group ARN (#119)

0.19.0 - 2020-08-10

Feat

  • new SecurityHub standards support (#113)
  • make delivery of CloudTrail to CloudWatch Logs and SNS optional (#117)

Fix

  • support standard options for ap-east-1

0.18.1 - 2020-05-31

Fix

  • do not enable SecurityHub when not enabled (#111)

0.18.0 - 2020-05-17

Feat

  • enable Security Hub in each region (#105)
  • encrypt the sns topic (#103)

Fix

  • use the same CMK for encrypting the SNS topic (#104)
  • ensure to have the audit log bucket before CloudTrail (#102)
  • add in new region (#91)

0.17.0 - 2019-12-14

0.16.2 - 2019-11-16

Refactor

  • remove unused data source

0.16.1 - 2019-10-12

Fix

  • do not read AWS Organization when account_type is set to "individual"

0.16.0 - 2019-09-28

Feat

  • add an argument to specify target regions.
  • add "tags" argument

Fix

  • incorrect references in external-bucket example

0.15.0 - 2019-08-18

Feat

  • allow member accounts access to the audit log bucket
  • do not setup CloudTrail for member accounts
  • add the organizational AWS Config aggregated view
  • support organization trails
  • support GuardDuty master/member accounts
  • only include global resources in the specified region

Fix

  • permissions for organization trail
  • do not override guardduty_master_account_id for simplicity
  • insufficient permission to accept organization trails.

Refactor

  • use aws_iam_policy_document instead of heredocs

0.14.0 - 2019-07-24

Feat

  • allow using an external bucket instead of creating a new one
  • add a flag to enable force_destroy on S3 buckets

0.13.0 - 2019-07-14

Feat

  • take finding_publishing_frequency as an input variable
  • enable GuardDuty in eu-north-1 region

0.12.0 - 2019-07-14

Feat

  • return resources as outputs instead of specific attributes

0.11.0 - 2019-06-06

0.10.0 - 2019-05-25

Feat

  • upgrade to terraform 0.12

0.9.0 - 2019-04-06

Feat

  • enable SecurityHub and CIS standard subscription
  • add eu-north-1 region support

0.8.0 - 2019-04-03

Feat

  • add eu-north-1 region support

Fix

  • remove a default subnet resource

0.7.0 - 2019-02-11

Fix

  • create a log group for VPC Flow Logs in each region

0.6.0 - 2018-11-23

Feat

  • enable managed config rules for benchmark compliance

0.5.0 - 2018-08-05

Feat

  • enable GuardDuty in Paris region.

Fix

  • Change how to workaround the default ACL issue.

0.4.1 - 2018-05-27

Fix

  • create a global rule after recorders.

0.4.0 - 2018-05-27

Feat

  • enable AWS Config rules for monitoring

0.3.0 - 2018-05-19

Feat

  • automatically archive audit logs into Amazon Glacier

0.2.1 - 2018-04-01

Fix

  • temporarily disable mfa_delete on secure buckets

0.2.0 - 2018-04-01

Feat

  • enable versioning with secure buckets

0.1.1 - 2018-03-20

Fix

  • omit GuardDuty config for eu-west-3 region until supported

0.1.0 - 2018-03-11

Feat

  • add various outputs

Fix

  • update var names in the CI script

0.0.5 - 2018-02-17

Feat

  • add IAM baseline module

Refactor

  • use consistent resource namings

0.0.4 - 2018-02-12

Feat

  • enable GuardDuty in all regions

0.0.3 - 2018-02-12

Feat

  • output an ID of the audit log bucket

Fix

  • broken output value

0.0.2 - 2018-02-12

0.0.1 - 2018-02-12