All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
2.1.0 (2022-12-03)
- enable CIS benchmark v1.4.0 standard (#308) (bb724cd)
- make audit log bucket access logs bucket name customizable (#303) (07dc101)
2.0.0 (2022-06-05)
- this change disables glacier transition rules by default since transitioning small objects is officially not recommended. It can be enabled by setting `var.audit_log_lifecycle_glacier_transition_days` to a positive number.
- add permissions boundaries for IAM entities support (#288) (219f003)
- make glacier transition rules optional (#293) (f0cdf3e)
1.1.0 (2022-04-16)
1.0.1 (2022-03-06)
1.0.0 - 2022-02-19
- add new S3 bucket configuration resources (#261)
- allow use of organization trail to be toggled via variable (#259)
- require AWS provider v4.2.0 (#270)
- require AWS provider v4.1.0 (#268)
- the condition to use the organization trail (#265)
- use count instead of `var.enabled` (#262)
- remove `destination_options` (#267)
- explicitly define a format for FlowLogs (#264)
- replace deprecated arguments (#263)
Resources regarding S3 bucket configurations need manual import after upgrade. See docs/upgrade-1.0.md for guidance.
0.34.0 - 2022-01-22
- automatically accepts invite from the master (#256)
- enforce strong password policy by default (#252)
- no findings aggregator for member accounts (#257)
- set the minimum terraform version to 1.1.4 (#255)
- upgrade minimum provider requirements (#248)
0.33.0 - 2022-01-10
0.32.0 - 2022-01-08
- enable finding aggregator in the main region (#241)
0.31.0 - 2022-01-08
- add inputs to toggle submodules (#240)
- optionally ignore SSO logins for MFA alarms (#234)
- apply default subnet changes to existing subnets (#237)
- use module count instead of having an enabled variable in each submodule (#195)
0.30.0 - 2021-11-23
- add S3 bucket key support (#236)
- the minimum required version of the AWS provider (#227)
0.29.2 - 2021-09-18
0.29.1 - 2021-09-18
- make `sns_topic_kms_master_key_id` optional (#219)
0.29.0 - 2021-09-17
- add kms_master_key_id to alarm baseline and config-baseline module (#216)
0.28.0 - 2021-09-11
- GuardDuty: Enable S3 events sources (#209)
- add support for logging dynamodb events (#207)
- add in support to enable 3rd party products (#206)
- adds lambda function invocation logging (#205)
- add a flag to toggle Security Hub (#201)
- do not manage `datasources` in member accounts (#215)
- adjust password policy to match CIS 1.3+ (#214)
- adjust filter pattern for unauthorized_api_calls alarm (#212)
- adjust password policy to match CIS 1.3+ (#213)
- typo (#203)
0.27.1 - 2021-07-03
- when VPC is disabled, disable vpc logging for it (#197)
0.27.0 - 2021-06-27
- add flag for disabling config-baseline (#190)
- is_enabled flag with ap-northeast-3 (#192)
0.26.0 - 2021-06-06
- disable automatic public ip assignments in default subnets (#189)
- enable S3 account-level public block (#188)
- add functionality to manually enable/disable guardduty-baseline module (#183)
- enable Insights event logging by default (#185)
- add cloudtrail insight selector type specification (#180)
- add vpc_enable variable (#170)
- add/enable ap-northeast-3 (Osaka) region (#177)
- allow alarm variables to be set at top level module (#178)
0.24.0 - 2021-04-25
- add flag to allow recording global resources in all regions (#168)
- enable access analyzer for org (#167)
- allow enabling/disabling individual alarms (#164)
- edge case when not logging to cloudwatch (#161)
- define required providers for submodules (#171)
0.23.1 - 2020-12-13
- invalid reference when flow logs is disabled (#157)
0.23.0 - 2020-11-23
- use the audit log bucket for Flow Logs by default (#152)
- add option to publish VPC Flow Logs to either S3 or CW (#151)
- associate members to master in SecurityHub (#147)
- add a flag to enable/disable VPC Flow Logs (#146)
0.22.0 - 2020-11-14
- apply tags to default network resources (#133)
- logging policies when using custom prefixes (#141)
- deprecation warnings (#140)
- prevent AWS Config to fire alarms (#139)
0.21.0 - 2020-09-24
- various updates to comply with CIS Benchmark v1.3.0 (#131)
- force using HTTPS to access the access log bucket (#129)
- force using HTTPS to access the audit log bucket (#128)
- add parameters to make role creations optional (#127)
- add tags to guardduty (#121)
- add tags to flow logs (#120)
- remove a redundant Config rule (#132)
0.20.0 - 2020-08-10
- make all roles to be optional (#115)
- add a wildcard suffix to log group ARN (#119)
0.19.0 - 2020-08-10
- new SecurityHub standards support (#113)
- make delivery of CloudTrail to CloudWatch Logs and SNS optional (#117)
- support standard options for ap-east-1
0.18.1 - 2020-05-31
- do not enable SecurityHub when not enabled (#111)
0.18.0 - 2020-05-17
- use the same CMK for encrypting the SNS topic (#104)
- ensure to have the audit log bucket before CloudTrail (#102)
- add in new region (#91)
0.17.0 - 2019-12-14
0.16.2 - 2019-11-16
- remove unused data source
0.16.1 - 2019-10-12
- do not read AWS Organization when account_type is set to "individual"
0.16.0 - 2019-09-28
- add an argument to specify target regions.
- add "tags" argument
- incorrect references in external-bucket example
0.15.0 - 2019-08-18
- allow member accounts access to the audit log bucket
- do not setup CloudTrail for member accounts
- add the organizational AWS Config aggregated view
- support organization trails
- support GuardDuty master/member accounts
- only include global resources in the specified region
- permissions for organization trail
- do not override guardduty_master_account_id for simplicity
- insufficient permission to accept organization trails.
- use aws_iam_policy_document instead of heredocs
0.14.0 - 2019-07-24
- allow using an external bucket instead of creating a new one
- add a flag to enable force_destroy on S3 buckets
0.13.0 - 2019-07-14
- take finding_publishing_frequency as an input variable
- enable GuardDuty in eu-north-1 region
0.12.0 - 2019-07-14
- return resources as outputs instead of specific attributes
0.11.0 - 2019-06-06
0.10.0 - 2019-05-25
- upgrade to terraform 0.12
0.9.0 - 2019-04-06
- enable SecurityHub and CIS standard subscription
- add eu-north-1 region support
0.8.0 - 2019-04-03
- add eu-north-1 region support
- remove a default subnet resource
0.7.0 - 2019-02-11
- create a log group for VPC Flow Logs in each region
0.6.0 - 2018-11-23
- enable managed config rules for benchmark compliance
0.5.0 - 2018-08-05
- enable GuardDuty in Paris region.
- change how to work around the default ACL issue
0.4.1 - 2018-05-27
- create a global rule after recorders.
0.4.0 - 2018-05-27
- enable AWS Config rules for monitoring
0.3.0 - 2018-05-19
- automatically archive audit logs into Amazon Glacier
0.2.1 - 2018-04-01
- temporarily disable mfa_delete on secure buckets
0.2.0 - 2018-04-01
- enable versioning with secure buckets
0.1.1 - 2018-03-20
- omit GuardDuty config for eu-west-3 region until supported
0.1.0 - 2018-03-11
- add various outputs
- update var names in the CI script
0.0.5 - 2018-02-17
- add IAM baseline module
- use consistent resource naming
0.0.4 - 2018-02-12
- enable GuardDuty in all regions
0.0.3 - 2018-02-12
- output an ID of the audit log bucket
- broken output value