All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Updated dependencies to address cross-spawn CVE-2024-21538
- Support for China regions.
- Support for GovCloud regions.
- Support for Opt-in regions.
- Policies will now update automatically when a new version of the policy_manifest.json file is uploaded to the solution's `PolicyManifest` S3 bucket.
- Automations for AWS Shield Advanced subscribers to set up health-based detection and proactive engagement. This includes three new CloudFormation templates: `aws-fms-shield-automations-prereq`, `aws-fms-shield-automations`, and `aws-fms-proactive-event-response`.
- Option to subscribe to SNS topic for error notifications.
- Integration with Amazon X-Ray.
- Lambda layer for utilities shared by solution's lambda functions.
- Snapshots for CDK stacks in `source/resources/__tests__`.
- upload-s3-dist.sh script in the `/deployment` directory to upload solution artifacts directly to S3.
- Updated default policy_manifest.json to enable AWS Shield Advanced automatic application-layer DDoS protection in "count" mode for Shield Advanced policies deployed by the solution via Firewall Manager. Currently, AWS Shield supports this feature for CloudFront distributions and Application Load Balancers only.
- General refactor to increase code and unit test clarity.
- `policyUpdateToken` is no longer stored in DynamoDB; instead it is retrieved using the FMS GetPolicy API.
- Removed anonymized metrics publishing from PreReqManager Lambda function.
- Removed UUID from the Prerequisite stack.
- Updated wording from "anonymous" to "anonymized" for metric publishing.
- Removed `MetricsQueue` resource & `MetricsManager` Lambda function and consolidated metrics publishing to the `utilsLayer`.
- Enhanced log statements to use Lambda Powertools Logger.
- Enhanced SSM Parameter retrieval to use Lambda Powertools.
- Upgraded dependencies with `npm upgrade`.
- Fixed bug in Prerequisite stack which prevented AWS Organizations trusted access with CloudFormation StackSets from being activated.
- Upgrade dependencies to mitigate CVE-2024-45296
- Upgrade `fast-xml-parser` to mitigate CVE-2024-41818
- Extended PolicyManager's Log Group retention period to ten years.
- Upgraded `braces` package to mitigate CVE-2024-4068
- Fixed intermittent deployment failure caused by "CopyManifest" custom resource installing latest SDK version.
- Update NodeJS runtimes to Nodejs18.x for all the lambda functions in the solution.
- Update lambda timeout for custom resource PreReqManagerCR.
- Update node dependencies for security vulnerabilities.
- Update aws-cdk-lib to force CustomResourceProvider and Provider to update lambda runtime to Nodejs18.x.
- Fixed dependabot issues for fast-xml-parser, CVE-2023-34104.
- Fixed deployment issue which limited the solution to being deployed only in us-east-1.
- Update parameter names for consistency
- Refactor to reduce code complexity
- Update client configs to latest sdk version
- Fix broken URLs in README
- Fix npm json5 vulnerabilities CVE-2022-46175
- Upgrade AWS CDK dependencies to version 2
- Changed the Object Ownership for logging bucket from 'Object writer' to 'Bucket owner enforced' to mitigate the impact caused by new S3 default settings.
- Updated S3 bucket policy to support access logging.
- Fix npm got vulnerabilities
- Upgrade to node16
- Update solution name
- Fix: Enforce encrypted access to config S3 buckets
- Security patching of dependencies
- Upgrade CDK version
- Support Amazon Route 53 Resolver DNS Firewall security policies
- Support for AWS Firewall Manager compliance reports
- Support for multiple policy stack deployments to manage custom policies
- Solution re-branding from AWS Centralized WAF & VPC SG Management
- Migrated source code to AWS SDK for JavaScript v3
- Policy manifest file is now sourced from an S3 bucket instead of being packaged with the Lambda binary, making it easier to customize policy configurations at any time
- Initial version of AWS Centralized WAF & VPC SG Management