
v1.11.0-a

@rjjaegeraws rjjaegeraws released this 27 Dec 17:31

This release of the configuration files has been tested with v1.11.0 of the Landing Zone Accelerator on AWS

Added

  • feat(global-config): Added tagging on all LZA-provisioned resources that support tagging. The tag key is Accelerator and the tag value is set to the value provided for AcceleratorPrefix in replacements-config.yaml.
  • feat(config rule): Created a new AWS Config rule that detects EC2 instances still accepting IMDSv1 and auto-remediates them to require IMDSv2. IMPORTANT: before enabling this rule, ensure that software running on existing instances is compatible with IMDSv2 (token-based requests); enforcing IMDSv2 breaks any agent or application that still calls the metadata service without a token. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
  • feat(security): Added Accelerator tags to all AWS Config rules. Modified the RUL SCP to deny AWS Config actions on Accelerator-tagged rules only. This allows individual workload account administrators to create and manage their own AWS Config rules while the accelerator-deployed rules remain protected from modification or deletion.
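The IMDSv1 detection and the "check compatibility before enforcing" caveat above, as an added example; this is not code from the LZA configuration or from the solution itself. The instance records and per-instance IMDSv1 call counts are constructed inline, in the shape of EC2 DescribeInstances output and of the EC2 CloudWatch metric MetadataNoToken. The treatment of instances with the IMDS endpoint disabled as NOT_APPLICABLE is this example's choice, not a statement about how the LZA rule evaluates them. The boto3 calls are only reached when `dry_run` is off and assume installed credentials.

```python
"""Detect EC2 instances that still accept IMDSv1, gate remediation on observed
IMDSv1 traffic, and build the ModifyInstanceMetadataOptions call that enforces
IMDSv2. Added example, not part of the LZA sample configuration."""
from typing import Dict, List, Tuple

# Constructed sample: trimmed EC2 DescribeInstances records (not a live call).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    {"InstanceId": "i-0ddd444", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
]

# Constructed sample: Sum of the AWS/EC2 metric MetadataNoToken per instance over
# the lookback window. A non-zero value means something on the host still calls
# IMDS without a token and would break the moment IMDSv2 is enforced.
SAMPLE_IMDSV1_CALLS = {"i-0bbb222": 0, "i-0ccc333": 0, "i-0ddd444": 137}


def evaluate(instance: Dict) -> str:
    """Compliance verdict for one instance, in AWS Config's vocabulary.

    NON_COMPLIANT means the metadata endpoint is reachable and still accepts
    token-less (IMDSv1) requests, i.e. HttpTokens is not 'required'.
    NOT_APPLICABLE for a disabled endpoint is this example's choice."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "NOT_APPLICABLE"
    return "COMPLIANT" if opts.get("HttpTokens") == "required" else "NON_COMPLIANT"


def plan_remediation(instances: List[Dict], imdsv1_calls: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Split NON_COMPLIANT instances into those safe to enforce now (zero IMDSv1
    calls observed in the lookback window) and those needing a software review."""
    ready, hold = [], []
    for inst in instances:
        if evaluate(inst) != "NON_COMPLIANT":
            continue
        iid = inst["InstanceId"]
        (ready if imdsv1_calls.get(iid, 0) == 0 else hold).append(iid)
    return ready, hold


def remediation_params(instance_id: str) -> Dict[str, str]:
    """Keyword arguments for ec2.modify_instance_metadata_options that require
    a session token (IMDSv2) while keeping the endpoint reachable."""
    return {"InstanceId": instance_id, "HttpTokens": "required", "HttpEndpoint": "enabled"}


def fetch_imdsv1_calls(instance_ids: List[str], region: str, lookback_days: int = 14) -> Dict[str, int]:
    """Live lookup of MetadataNoToken sums via CloudWatch (assumes boto3 and
    credentials; not exercised by the constructed sample above)."""
    import datetime as dt
    import boto3

    cw = boto3.client("cloudwatch", region_name=region)
    end = dt.datetime.now(dt.timezone.utc)
    start = end - dt.timedelta(days=lookback_days)
    totals = {}
    for iid in instance_ids:
        resp = cw.get_metric_statistics(
            Namespace="AWS/EC2", MetricName="MetadataNoToken",
            Dimensions=[{"Name": "InstanceId", "Value": iid}],
            StartTime=start, EndTime=end, Period=86400, Statistics=["Sum"],
        )
        totals[iid] = int(sum(p["Sum"] for p in resp["Datapoints"]))
    return totals


def enforce(instance_ids: List[str], region: str, dry_run: bool = True) -> List[Dict[str, str]]:
    """Apply (or, with dry_run, only return) the IMDSv2 enforcement calls."""
    calls = [remediation_params(iid) for iid in instance_ids]
    if dry_run:
        return calls
    import boto3  # assumption: boto3 installed and credentials configured
    ec2 = boto3.client("ec2", region_name=region)
    for params in calls:
        ec2.modify_instance_metadata_options(**params)
    return calls


if __name__ == "__main__":
    ready, hold = plan_remediation(SAMPLE_INSTANCES, SAMPLE_IMDSV1_CALLS)
    print("enforce now:", ready)
    print("review first (IMDSv1 traffic seen):", hold)
    for call in enforce(ready, region="us-east-1", dry_run=True):
        print("would call modify_instance_metadata_options", call)
```

Run with `dry_run=True` first and review the `hold` list: those are the instances where auto-remediation by the Config rule would cause an outage, and they are the ones to fix (update the SDK or agent, or raise `HttpPutResponseHopLimit` where containers need IMDS) before the rule is enabled.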

Changed

  • feat(security): Removed noisy CloudWatch alarms and their supporting metric filters to align with the AWS Security Hub recommendations on controls to disable. See https://docs.aws.amazon.com/securityhub/latest/userguide/controls-to-disable.html#controls-to-disable-cloudwatch-alarms
  • fix(security-config): Updated the "{{ AcceleratorPrefix }}-ec2-instance-profile-permission" AWS Config rule to attach the additional policies required for encrypted logging of AWS Systems Manager Session Manager sessions. Users with custom EC2 roles can now use Session Manager without manually adding these policies.
  • fix(security-config): Updated the Sensitive SCP to allow viewing CloudTrail entries in the global region.