Components Changelog

[eks/external-secrets-operator] Normalize variables, update dependencies

What

For eks/external-secrets-operator:

  • Normalize variables, update dependencies
  • Exclude Kubernetes provider v2.21.0

Why

  • Bring in line with other Helm-based modules
  • Take advantage of improvements in dependencies

References

🚀 Enhancements

Preserve custom roles when vendoring in updates

What

  • Add additional-policy-map.tf as glue meant to be replaced by customers with a map of their custom policies.

Why

  • Currently, custom policies have to be manually added to the map in main.tf, but that gets overwritten with every vendor update. Putting that map in a separate, optional file allows the custom code to survive vendoring.
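The shape of that glue, as an added illustration rather than the component's own code: the vendored main.tf merges its shipped map with a map defined in additional-policy-map.tf, and customers overwrite only the latter file. The local names, the policy names and the managed-policy ARN are assumptions chosen for the example.

```hcl
# --- additional-policy-map.tf (customer-owned; constructed example) ---
# Vendored updates never touch this file, so policies defined here survive
# re-vendoring. Replace the map below with your own custom policies.
locals {
  overridable_additional_custom_policy_map = {
    # Hypothetical customer policy defined in this same file.
    "eks-read-only" = aws_iam_policy.eks_read_only.arn
  }
}

data "aws_iam_policy_document" "eks_read_only" {
  statement {
    effect    = "Allow"
    actions   = ["eks:Describe*", "eks:List*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "eks_read_only" {
  name   = "eks-read-only"
  policy = data.aws_iam_policy_document.eks_read_only.json
}

# --- main.tf (vendored; the part customers must not edit) ---
locals {
  # Policies shipped with the component (constructed entry).
  custom_policy_map = {
    "billing-read-only" = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
  }

  # merge() lets later arguments win, so a customer's entry takes precedence
  # over a shipped entry with the same name rather than being silently replaced
  # by a vendored update.
  merged_policy_map = merge(
    local.custom_policy_map,
    local.overridable_additional_custom_policy_map,
  )
}
```

Because Terraform allows several `locals` blocks in one module, the two files compose without the vendored main.tf referencing the customer file by name; only the local `overridable_additional_custom_policy_map` has to keep its name across updates.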

ssm-parameters: support tiers

What

  • Added support for SSM parameter tiers
  • Updated the minimum Terraform version to >= 1.3.0 to support optional object attributes

Why

  • Standard tier only supports 4096 characters. This allows Advanced and Intelligent-Tiering support.
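An added example (not the component's own code) of why the 1.3.0 minimum matters: each parameter in a map can set its tier through `optional()`, with validation that catches a Standard-tier value over the 4096-character limit at plan time instead of at the API call. The variable name, the default type and the 8192-character ceiling assumed for the larger tiers are choices made for this example.

```hcl
terraform {
  required_version = ">= 1.3.0" # optional() with defaults needs 1.3
}

variable "params" {
  description = "SSM parameters keyed by name; `tier` is optional and defaults to Standard"
  type = map(object({
    value       = string
    type        = optional(string, "SecureString")
    tier        = optional(string, "Standard")
    description = optional(string, "")
  }))
  default = {}

  validation {
    condition = alltrue([
      for p in var.params : contains(["Standard", "Advanced", "Intelligent-Tiering"], p.tier)
    ])
    error_message = "tier must be one of Standard, Advanced or Intelligent-Tiering."
  }

  validation {
    # Standard rejects values longer than 4096 characters; Advanced and
    # Intelligent-Tiering accept up to 8 KB (assumed 8192 characters here).
    condition = alltrue([
      for p in var.params : length(p.value) <= (p.tier == "Standard" ? 4096 : 8192)
    ])
    error_message = "A parameter value exceeds the size limit of its tier; set tier = \"Advanced\" for values over 4096 characters."
  }
}

resource "aws_ssm_parameter" "this" {
  for_each = var.params

  name        = each.key
  type        = each.value.type
  value       = each.value.value
  tier        = each.value.tier
  description = each.value.description
}
```

Intelligent-Tiering lets AWS pick Standard or Advanced per parameter based on size and policies, so it is the safe default when values of mixed size are managed from one map; Advanced parameters incur a charge, which is the reason not to default every parameter to it.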

References

Transit Gateway `var.connections` Redesign

What

  • Updated how the connection variables for tgw/hub and tgw/spoke are defined
  • Moved the old versions of tgw to deprecated/tgw

Why

  • We want to be able to define multiple or alternately named vpc or eks/cluster components for both hub and spoke
  • The cross-region components have not been updated to this new design yet, since the customers currently requesting these updates do not need cross-region access at this time. We still want to support the old design so that customers using the cross-region components can access the old components. The cross-region components will need to be updated in a follow-up effort

References

Introducing Security Hub

What

  • Introducing Security Hub component

Why

Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and integrated partner solutions.

Here are the key features and capabilities of Amazon Security Hub:

  • Centralized security management: Security Hub provides a centralized dashboard where users can view and manage security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture across the entire AWS environment.

  • Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS CIS Foundations Benchmark, to identify potential security issues.

  • Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party security products and solutions. This integration enables the ingestion and analysis of security findings from diverse sources, offering a comprehensive security view.

  • Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on remediation actions to ensure adherence to security best practices.

  • Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security alerts, allowing for efficient threat response and remediation.

  • Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation capabilities to identify related security findings and potential attack patterns.

  • Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced visibility, automated remediation, and streamlined security operations.

  • Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to receive real-time notifications of security findings. It also facilitates automation and response through integration with AWS Lambda, allowing for automated remediation actions.

By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, and effectively manage security compliance across their AWS accounts and resources.

References

Introducing GuardDuty

What

  • Introducing GuardDuty component

Why

AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security threats.

Key features and components of AWS GuardDuty include:

  • Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event logs and network traffic data to detect patterns, anomalies, and known attack techniques.

  • Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, domains, and other indicators of compromise.

  • Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS Lambda for immediate action or custom response workflows.

  • Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security policies and practices.

  • Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of security incidents and reduces the need for manual intervention.

  • Security findings and reports: GuardDuty provides detailed security findings and reports that include information about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed through the AWS Management Console or retrieved via APIs for further analysis and reporting.

GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations with an additional layer of security to proactively identify and respond to potential security risks.

References

Upstream `aws-inspector`

What

Upstream aws-inspector from past engagement

Why

  • This component was never upstreamed and now we want to use it again

  • AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security vulnerabilities and deviations from security best practices. Here are some key features and functionalities of AWS Inspector:

    • Security Assessments: AWS Inspector performs security assessments by analyzing the behavior of your resources and identifying potential security vulnerabilities. It examines the network configuration, operating system settings, and installed software to detect common security issues.

    • Vulnerability Detection: AWS Inspector uses a predefined set of rules to identify common vulnerabilities, misconfigurations, and security exposures. It leverages industry-standard security best practices and continuously updates its knowledge base to stay current with emerging threats.

    • Agent-Based Architecture: AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on your EC2 instances. The agent collects data about the system and its configuration, securely sends it to AWS Inspector, and allows for more accurate and detailed assessments.

    • Security Findings: After performing an assessment, AWS Inspector generates detailed findings that highlight security vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you prioritize and address security issues within your AWS environment.

    • Integration with AWS Services: AWS Inspector seamlessly integrates with other AWS services, such as AWS CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage findings, and centralize security information across your AWS infrastructure.

References

DEV-942

EKS FAQ for Addons

What

Added docs for EKS Cluster Addons

Why

FAQ, requested for documentation

References

DEV-846

Update ALB controller IAM policy

What

  • Update eks/alb-controller controller IAM policy

Why

  • Email from AWS:

    On June 1, 2023, we will be adding an additional layer of security to ELB 'Create' API calls where API callers must have explicit access to add tags in their Identity and Access Management (IAM) policy. Currently, access to attach tags was implicitly granted with access to 'Create' APIs.
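What the notice asks for, as an added example and not the component's actual policy document: a statement that grants `elasticloadbalancing:AddTags` explicitly, but only while an ELB Create call is in flight, using the `elasticloadbalancing:CreateAction` condition key. The data-source name, the resource ARN patterns and the cluster tag key are assumptions for this example; the condition keys are AWS's.

```hcl
# Added example: explicit, create-scoped tagging permission for the controller.
# This supplements the existing CreateLoadBalancer/CreateTargetGroup allows;
# it does not replace them.
data "aws_iam_policy_document" "alb_controller_add_tags_on_create" {
  statement {
    sid     = "AddTagsOnlyDuringCreate"
    effect  = "Allow"
    actions = ["elasticloadbalancing:AddTags"]

    # Assumed ARN patterns for the resource types the controller creates.
    resources = [
      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
    ]

    # Only honour AddTags when it is part of one of these create calls, so the
    # controller cannot retag load balancers it did not create.
    condition {
      test     = "StringEquals"
      variable = "elasticloadbalancing:CreateAction"
      values   = ["CreateTargetGroup", "CreateLoadBalancer"]
    }

    # Additionally require the request to carry the cluster tag the controller
    # sets, so untagged create requests are denied. Assumed tag key.
    condition {
      test     = "Null"
      variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
      values   = ["false"]
    }
  }
}
```

Without a statement like this, the controller's `Create` calls fail after the cut-over date even though the `Create` actions themselves are still allowed, because the tag attachment is now a separately authorised step. Scoping it with `CreateAction` keeps the grant narrower than a bare `AddTags` on `*`.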

References

Corrections to `dms` components

What

  • Corrections to dms components

Why

  • outputs were incorrect
  • set password and username with SSM

References

  • n/a

feat: add lambda monitors to datadog-monitor

What

  • add lambda error monitor
  • add datadog lambda log forwarder config monitor

Why

  • Observability

🚀 Enhancements

Update `module "datadog_configuration"` modules

What

  • Update module "datadog_configuration" modules

Why

  • The module does not accept the region variable
  • The module must always be enabled to be able to read the Datadog API keys even if the component is disabled

`datadog-agent` bugfixes

What

  • update datadog agent to latest
  • remove variable in datadog configuration

Update `vpc` and `eks/cluster` components

What

  • Update vpc and eks/cluster components

Why

  • Use latest module versions

  • Take into account var.availability_zones for the EKS cluster itself. Only the node-group module was using var.availability_zones to select the subnets from the provided AZs; the EKS cluster (control plane) was using all the subnets provisioned in the VPC. This caused issues because EKS is not available in all AZs of a region (for example, it is not available in us-east-1e because of limited capacity), so deploying with all AZs from us-east-1 fails

  • The latest version of the vpc component (which was updated in this PR as well) has outputs that provide a map of AZs to the subnet IDs in each AZ

```hcl
# Get only the public subnets that correspond to the AZs provided in `var.availability_zones`
# `az_public_subnets_map` is a map of AZ names to list of public subnet IDs in the AZs
public_subnet_ids = flatten([for k, v in local.vpc_outputs.az_public_subnets_map : v if contains(var.availability_zones, k)])

# Get only the private subnets that correspond to the AZs provided in `var.availability_zones`
# `az_private_subnets_map` is a map of AZ names to list of private subnet IDs in the AZs
private_subnet_ids = flatten([for k, v in local.vpc_outputs.az_private_subnets_map : v if contains(var.availability_zones, k)])
```
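An added, self-contained version of that filter (not the component's own code) with constructed `vpc` outputs in place of remote state. It goes one step beyond the snippet above: a precondition fails the plan when a requested AZ has no subnets in the VPC, rather than letting the EKS API reject the deployment later. The `terraform_data` guard needs Terraform 1.4 or newer; the subnet IDs and AZ names are constructed sample values.

```hcl
terraform {
  required_version = ">= 1.4.0" # terraform_data
}

variable "availability_zones" {
  description = "AZs the EKS control plane and node groups may use"
  type        = list(string)
  default     = ["us-east-1a", "us-east-1b"]
}

locals {
  # Constructed stand-in for the vpc component's remote-state outputs.
  vpc_outputs = {
    az_public_subnets_map = {
      "us-east-1a" = ["subnet-pub-1a"]
      "us-east-1b" = ["subnet-pub-1b"]
      "us-east-1e" = ["subnet-pub-1e"] # not in var.availability_zones: filtered out
    }
    az_private_subnets_map = {
      "us-east-1a" = ["subnet-priv-1a-1", "subnet-priv-1a-2"]
      "us-east-1b" = ["subnet-priv-1b-1"]
      "us-east-1e" = ["subnet-priv-1e-1"]
    }
  }

  # Same filter as the component: keep only subnets whose AZ was requested.
  public_subnet_ids  = flatten([for az, ids in local.vpc_outputs.az_public_subnets_map : ids if contains(var.availability_zones, az)])
  private_subnet_ids = flatten([for az, ids in local.vpc_outputs.az_private_subnets_map : ids if contains(var.availability_zones, az)])

  # Requested AZs for which the VPC provisioned no private subnets at all.
  azs_without_private_subnets = setsubtract(
    toset(var.availability_zones),
    toset(keys(local.vpc_outputs.az_private_subnets_map)),
  )
}

# Fail at plan time with a readable message instead of handing EKS an empty
# or partial subnet list.
resource "terraform_data" "az_subnet_guard" {
  lifecycle {
    precondition {
      condition     = length(local.azs_without_private_subnets) == 0
      error_message = "No private subnets in the VPC for requested AZs: ${join(", ", local.azs_without_private_subnets)}"
    }
  }
}

output "private_subnet_ids" {
  value = local.private_subnet_ids
}

output "public_subnet_ids" {
  value = local.public_subnet_ids
}
```

With the defaults above, `terraform plan` keeps the three private and two public subnets in us-east-1a and us-east-1b and drops the us-east-1e ones; setting `availability_zones = ["us-east-1a", "us-east-1c"]` trips the precondition, which is the failure a misconfigured AZ list should produce before any cluster is touched.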

feat: adds ability to list principals of Lambdas allowed to access ECR

What

  • This change allows listing IDs of the accounts allowed to consume ECR.

Why

References

  • N/A