Components Changelog
1.216.2
1.216.1
Enhancements
Preserve custom roles when vendoring in updates
What
- Add `additional-policy-map.tf` as glue meant to be replaced by customers with a map of their custom policies.
Why
- Currently, custom policies have to be manually added to the map in `main.tf`, but that gets overwritten with every vendor update. Putting that map in a separate, optional file allows the custom code to survive vendoring.
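The pattern described above, as an added illustration that is not the component's own code: the vendored `main.tf` side owns a default map and merges in whatever the customer-owned `additional-policy-map.tf` defines, so a vendor update overwrites only the vendored file. All names here (`default_custom_policy_map`, `overridable_additional_custom_policy_map`, the sample policies) are assumptions, not the component's identifiers.

```hcl
# --- additional-policy-map.tf (customer-owned; never overwritten by vendoring) ---
# Hypothetical file contents. The customer replaces this map with their own policies.
locals {
  overridable_additional_custom_policy_map = {
    # Constructed sample policy: read-only access to an artifacts bucket
    "ci-artifacts-read" = {
      effect    = "Allow"
      actions   = ["s3:GetObject", "s3:ListBucket"]
      resources = ["arn:aws:s3:::example-artifacts", "arn:aws:s3:::example-artifacts/*"]
    }
  }
}

# --- main.tf (vendored; overwritten on every update) ---
# Terraform merges `locals` blocks from all files in the module, so the
# customer map above is visible here without any edit to this file.
locals {
  # Constructed sample of the defaults the vendored component would ship
  default_custom_policy_map = {
    "eks-describe" = {
      effect    = "Allow"
      actions   = ["eks:DescribeCluster", "eks:ListClusters"]
      resources = ["*"]
    }
  }

  # Customer entries win on key collision; an empty customer map is a no-op.
  custom_policy_map = merge(
    local.default_custom_policy_map,
    local.overridable_additional_custom_policy_map,
  )
}

data "aws_iam_policy_document" "custom" {
  for_each = local.custom_policy_map

  statement {
    effect    = each.value.effect
    actions   = each.value.actions
    resources = each.value.resources
  }
}

resource "aws_iam_policy" "custom" {
  for_each = local.custom_policy_map

  name   = each.key
  policy = data.aws_iam_policy_document.custom[each.key].json
}
```

Keeping the customer map in its own file means the only diff after re-vendoring is in `main.tf`, which is exactly the file the customer is not expected to edit.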
1.216.0
1.215.0
`.editorconfig` Typo
What
fixed intent typo
Why
should be spelled "indent"
References
https://cloudposse.slack.com/archives/C01EY65H1PA/p1685638634845009
1.214.0
Transit Gateway `var.connections` Redesign
What
- Updated how the connection variables for `tgw/hub` and `tgw/spoke` are defined
- Moved the old versions of `tgw` to `deprecated/tgw`
Why
- We want to be able to define multiple or alternately named `vpc` or `eks/cluster` components for both hub and spoke
- The cross-region components are not updated yet with this new design, since the current customers requesting these updates do not need cross-region access at this time. But we still want to support the old design, so that customers using cross-region components can access the old components. We will need to update the cross-region components in a follow-up effort.
References
1.213.0
Introducing Security Hub
What
- Introducing Security Hub component
Why
Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and integrated partner solutions.
Here are the key features and capabilities of Amazon Security Hub:
Centralized security management: Security Hub provides a centralized dashboard where users can view and manage security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture across the entire AWS environment.
Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS CIS Foundations Benchmark, to identify potential security issues.
Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party security products and solutions. This integration enables the ingestion and analysis of security findings from diverse sources, offering a comprehensive security view.
Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on remediation actions to ensure adherence to security best practices.
Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security alerts, allowing for efficient threat response and remediation.
Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation capabilities to identify related security findings and potential attack patterns.
Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced visibility, automated remediation, and streamlined security operations.
Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to receive real-time notifications of security findings. It also facilitates automation and response through integration with AWS Lambda, allowing for automated remediation actions.
By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, and effectively manage security compliance across their AWS accounts and resources.
References
1.212.0
Introducing GuardDuty
What
- Introducing GuardDuty component
Why
AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security threats.
Key features and components of AWS GuardDuty include:
Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event logs and network traffic data to detect patterns, anomalies, and known attack techniques.
Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, domains, and other indicators of compromise.
Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS Lambda for immediate action or custom response workflows.
Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security policies and practices.
Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of security incidents and reduces the need for manual intervention.
Security findings and reports: GuardDuty provides detailed security findings and reports that include information about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed through the AWS Management Console or retrieved via APIs for further analysis and reporting.
GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations with an additional layer of security to proactively identify and respond to potential security risks.
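For both the Security Hub entry (1.213.0) and the GuardDuty entry (1.212.0) above, here is an added Terraform illustration of what enabling the two services and wiring them together looks like with plain `aws` provider resources. This is not the Cloud Posse component code: the resource names, the SNS topic name and the choice of standards are assumptions. It enables a GuardDuty detector, enables Security Hub with two standards, subscribes Security Hub to GuardDuty findings, and forwards HIGH and CRITICAL findings to SNS via EventBridge, which is the notification path the text describes.

```hcl
data "aws_region" "current" {}

# GuardDuty: continuous threat detection over CloudTrail, VPC Flow and DNS logs
resource "aws_guardduty_detector" "this" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Security Hub: central aggregation of findings for this account/region
resource "aws_securityhub_account" "this" {}

# Standards to run automated checks against (CIS 1.2.0 and AWS FSBP 1.0.0)
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.this]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

resource "aws_securityhub_standards_subscription" "fsbp" {
  depends_on    = [aws_securityhub_account.this]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

# Pull GuardDuty findings into Security Hub so they show up in one dashboard
resource "aws_securityhub_product_subscription" "guardduty" {
  depends_on  = [aws_securityhub_account.this, aws_guardduty_detector.this]
  product_arn = "arn:aws:securityhub:${data.aws_region.current.name}::product/aws/guardduty"
}

# Notification path: Security Hub -> EventBridge -> SNS (topic name is an assumption)
resource "aws_sns_topic" "security_alerts" {
  name = "security-hub-high-findings"
}

# Allow EventBridge to publish to the topic
data "aws_iam_policy_document" "sns_from_events" {
  statement {
    effect  = "Allow"
    actions = ["sns:Publish"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [aws_sns_topic.security_alerts.arn]
  }
}

resource "aws_sns_topic_policy" "security_alerts" {
  arn    = aws_sns_topic.security_alerts.arn
  policy = data.aws_iam_policy_document.sns_from_events.json
}

# Only HIGH and CRITICAL imported findings are forwarded, to keep the alert channel actionable
resource "aws_cloudwatch_event_rule" "high_findings" {
  name        = "securityhub-high-critical-findings"
  description = "Forward HIGH and CRITICAL Security Hub findings to SNS"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Security Hub Findings - Imported"]
    detail = {
      findings = {
        Severity = { Label = ["HIGH", "CRITICAL"] }
      }
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule = aws_cloudwatch_event_rule.high_findings.name
  arn  = aws_sns_topic.security_alerts.arn
}
```

In an organization setup the detector and Security Hub account would additionally be delegated to an administrator account so that member findings aggregate centrally; that wiring is omitted here.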
References
1.211.0
Upstream `aws-inspector`
What
Upstream `aws-inspector` from past engagement
Why
This component was never upstreamed and now we want to use it again.
AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security vulnerabilities and deviations from security best practices. Here are some key features and functionalities of AWS Inspector:
Security Assessments: AWS Inspector performs security assessments by analyzing the behavior of your resources and identifying potential security vulnerabilities. It examines the network configuration, operating system settings, and installed software to detect common security issues.
Vulnerability Detection: AWS Inspector uses a predefined set of rules to identify common vulnerabilities, misconfigurations, and security exposures. It leverages industry-standard security best practices and continuously updates its knowledge base to stay current with emerging threats.
Agent-Based Architecture: AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on your EC2 instances. The agent collects data about the system and its configuration, securely sends it to AWS Inspector, and allows for more accurate and detailed assessments.
Security Findings: After performing an assessment, AWS Inspector generates detailed findings that highlight security vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you prioritize and address security issues within your AWS environment.
Integration with AWS Services: AWS Inspector seamlessly integrates with other AWS services, such as AWS CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage findings, and centralize security information across your AWS infrastructure.
References
DEV-942
1.210.1
1.210.0
1.209.0
Update ALB controller IAM policy
What
- Update `eks/alb-controller` IAM policy
Why
- Email from AWS:
On June 1, 2023, we will be adding an additional layer of security to ELB 'Create' API calls where API callers must have explicit access to add tags in their Identity and Access Management (IAM) policy. Currently, access to attach tags was implicitly granted with access to 'Create' APIs.
References
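To show what the change in the email means for the controller's policy, here is an added `aws_iam_policy_document` illustration (not the component's own policy file). It grants `elasticloadbalancing:AddTags` explicitly, but only when the tagging happens as part of a `CreateLoadBalancer` or `CreateTargetGroup` call (the `elasticloadbalancing:CreateAction` condition key) and only for resources the controller marks with its own `elbv2.k8s.aws/cluster` tag. The statement IDs and the tag-based scoping follow the shape of the upstream controller policy as commonly published, but treat them as assumptions.

```hcl
data "aws_iam_policy_document" "alb_controller_create_and_tag" {
  # Creation itself: still required, unchanged by the June 2023 change
  statement {
    sid    = "AllowCreate"
    effect = "Allow"
    actions = [
      "elasticloadbalancing:CreateLoadBalancer",
      "elasticloadbalancing:CreateTargetGroup",
    ]
    resources = ["*"]
    # Only resources the controller tags as belonging to a cluster
    condition {
      test     = "Null"
      variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
      values   = ["false"]
    }
  }

  # The new explicit grant: tagging was implicit before, now it must be listed.
  # Scoped to tags applied during creation so the controller cannot retag
  # arbitrary existing load balancers.
  statement {
    sid     = "AllowTagsOnCreate"
    effect  = "Allow"
    actions = ["elasticloadbalancing:AddTags"]
    resources = [
      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "elasticloadbalancing:CreateAction"
      values   = ["CreateTargetGroup", "CreateLoadBalancer"]
    }
    condition {
      test     = "Null"
      variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "alb_controller_create_and_tag" {
  name   = "alb-controller-create-and-tag" # constructed name
  policy = data.aws_iam_policy_document.alb_controller_create_and_tag.json
}
```

After the change, a policy that grants only the `Create*` actions will fail with an access-denied error on the tagging step, which surfaces in CloudTrail as a denied `AddTags` call; that is the quickest way to confirm whether a cluster's controller role still needs this update.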
1.208.0
1.207.0
1.206.0
1.205.0
1.204.1
1.204.0
`datadog-agent` bugfixes
What
- update datadog agent to latest
- remove variable in datadog configuration
1.203.0
Update `vpc` and `eks/cluster` components
What
- Update `vpc` and `eks/cluster` components
Why
- Use latest module versions
- Take into account `var.availability_zones` for the EKS cluster itself. Previously only the `node-group` module used `var.availability_zones` to select the subnets from the provided AZs; the EKS cluster (control plane) used all the subnets provisioned in a VPC. This caused issues because EKS is not available in all AZs in a region, e.g. it's not available in `us-east-1e` because of limited capacity, so when using all AZs from `us-east-1` the deployment fails.
- The latest version of the `vpc` component (which was updated in this PR as well) has the outputs to get a map of AZs to the subnet IDs in each AZ:

```hcl
# Get only the public subnets that correspond to the AZs provided in `var.availability_zones`
# `az_public_subnets_map` is a map of AZ names to list of public subnet IDs in the AZs
public_subnet_ids = flatten([for k, v in local.vpc_outputs.az_public_subnets_map : v if contains(var.availability_zones, k)])

# Get only the private subnets that correspond to the AZs provided in `var.availability_zones`
# `az_private_subnets_map` is a map of AZ names to list of private subnet IDs in the AZs
private_subnet_ids = flatten([for k, v in local.vpc_outputs.az_private_subnets_map : v if contains(var.availability_zones, k)])
```
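One caveat with the `contains`-based filter above: a misspelled or non-provisioned AZ in `var.availability_zones` silently contributes no subnets, so the cluster can end up with fewer subnets than intended, or with an empty list. The following added example (not the component's code) reproduces the filter against a constructed stand-in for the `vpc` component's outputs and adds a plan-time guard that fails with a clear message when a requested AZ is missing from the map. The `terraform_data` resource name and the sample subnet IDs are assumptions.

```hcl
variable "availability_zones" {
  type = list(string)
  # Constructed sample: one valid AZ and one that the VPC never provisioned
  default = ["us-east-1a", "us-east-1z"]
}

locals {
  # Constructed stand-in for `local.vpc_outputs` (normally read from the
  # `vpc` component's remote state). Note that us-east-1e is present in the
  # VPC but deliberately not requested, since EKS is not available there.
  vpc_outputs = {
    az_public_subnets_map = {
      "us-east-1a" = ["subnet-0aaa0001"]
      "us-east-1b" = ["subnet-0bbb0001"]
      "us-east-1e" = ["subnet-0eee0001"]
    }
    az_private_subnets_map = {
      "us-east-1a" = ["subnet-0aaa0002", "subnet-0aaa0003"]
      "us-east-1b" = ["subnet-0bbb0002"]
      "us-east-1e" = ["subnet-0eee0002"]
    }
  }

  # Same filter as the component: keep only subnets in the requested AZs
  public_subnet_ids  = flatten([for k, v in local.vpc_outputs.az_public_subnets_map : v if contains(var.availability_zones, k)])
  private_subnet_ids = flatten([for k, v in local.vpc_outputs.az_private_subnets_map : v if contains(var.availability_zones, k)])

  # AZs that were requested but have no subnets in the VPC
  missing_azs = setsubtract(
    toset(var.availability_zones),
    toset(keys(local.vpc_outputs.az_private_subnets_map)),
  )
}

# Fail at plan time instead of handing EKS a partial subnet list.
# With the sample default above this precondition fails on "us-east-1z".
resource "terraform_data" "availability_zone_guard" {
  lifecycle {
    precondition {
      condition     = length(local.missing_azs) == 0
      error_message = "Requested AZs have no subnets in the VPC: ${join(", ", local.missing_azs)}"
    }
    precondition {
      condition     = length(local.private_subnet_ids) >= 2
      error_message = "EKS needs subnets in at least two AZs; got ${length(local.private_subnet_ids)} private subnets."
    }
  }
}

output "private_subnet_ids" {
  value = local.private_subnet_ids
}
```

Change the default to `["us-east-1a", "us-east-1b"]` and the plan succeeds with three private subnet IDs; the guard costs nothing at apply time because `terraform_data` creates no cloud resource.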
1.202.0
feat: adds ability to list principals of Lambdas allowed to access ECR
What
- This change allows listing IDs of the accounts allowed to consume ECR.
Why
- This is supported by terraform-aws-ecr, but not the component.
References
- N/A
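As an added illustration of what a list of Lambda principals translates to on the repository, here is a standalone ECR repository policy (not the component's or terraform-aws-ecr's code) that lets Lambda functions in the listed accounts pull container images. It follows the cross-account pattern AWS documents for Lambda container images: the `lambda.amazonaws.com` service principal is allowed only when `aws:sourceArn` matches a function in one of the listed accounts, and the accounts' own principals get the same read actions so function creation can validate the image. The variable name, repository name and account ID are constructed.

```hcl
variable "principals_lambda" {
  type        = list(string)
  description = "Account IDs whose Lambda functions may pull images from this repository"
  default     = ["111111111111"] # constructed sample account ID
}

resource "aws_ecr_repository" "this" {
  name                 = "example-lambda-images" # constructed name
  image_tag_mutability = "IMMUTABLE"             # tags cannot be re-pointed after push

  image_scanning_configuration {
    scan_on_push = true
  }
}

data "aws_iam_policy_document" "lambda_pull" {
  # Lambda service pulls on behalf of functions in the listed accounts only
  statement {
    sid    = "LambdaECRImageCrossAccountRetrievalPolicy"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    actions = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
    condition {
      test     = "StringLike"
      variable = "aws:sourceArn"
      values   = [for id in var.principals_lambda : "arn:aws:lambda:*:${id}:function:*"]
    }
  }

  # The listed accounts' IAM principals need read access too, because
  # creating a function from an image validates it in the caller's context
  statement {
    sid    = "CrossAccountPermission"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [for id in var.principals_lambda : "arn:aws:iam::${id}:root"]
    }
    actions = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
  }
}

resource "aws_ecr_repository_policy" "lambda_pull" {
  repository = aws_ecr_repository.this.name
  policy     = data.aws_iam_policy_document.lambda_pull.json
}
```

Scoping the service principal with `aws:sourceArn` is what keeps this from becoming a grant to every Lambda function in every account; without the condition, any function anywhere could pull the images.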