Releases: aws-solutions/automated-security-response-on-aws
v2.3.2
v2.3.1
[2.3.1] - 2025-08-06
Added
- AWS Lambda Powertools Logger & Tracer support for all services
- Added the SNS topic name to the logs
- Added missing ECR.1 remediation in SC list
Fixed
- Remove tag for EventSourceMapping
- Added missing condition on log group in Admin stack to skip creation on solution re-deployment
v2.3.0
[2.3.0] - 2025-07-16
Added
- Remediations for additional control ids, see source/playbooks/SC/lib/sc_remediations.ts for details
- Filtering by Account ID for automated remediation executions
- AssumeRoleFailure step to the Orchestrator Step Function for error handling
- Enhanced failure metric states
- Anonymized metrics for CloudFormation parameter selections
- SSM parameters security validation
Removed
- ServiceCatalog Application Registry integration
- Deprecated zlib package from CloudTrail Event Processor lambda requirements_dev.txt from version control
- Redundant anonymized metric publishing from check_ssm_execution lambda
Changed
- Upgraded NodeJS runtime for CloudTrail Event Processor lambda from 20 to 22
- Refactored member roles & remediation runbook stacks into separate files
- Replaced resource names and references to old solution name ("SHARR") with current solution name ("ASR")
  - Some logical IDs with references to "SHARR" were not changed to avoid breaking the update path
  - Any KMS key names/aliases/logical IDs were left unchanged to avoid disrupting encryption.
- Renamed error strings published by Orchestrator steps as "States" and consumed in cloudwatch_metrics.ts
- Removed AwsSolutionsChecks from CDK build
- Updated grouping of CloudWatch metrics parameters for clarity
- Updated dependencies: Jinja2, Cryptography, babel, aws-cdk-lib, aws-cdk, urllib3, moto, @cdklabs/cdk-ssm-documents, jest libs
- Support for Poetry v2
- Refactored lambdas and runbooks for code quality
- 'Estimated Hours Saved' dashboard widget
- Renamed CloudFormation templates to align with current solution name: Automated Security Response on AWS (ASR)
- Appended account ID to action log ManagementEvents S3 bucket to avoid bucket name clashing among member stack deployments with the same namespace
Fixed
- Python handler referenced in RevokeUnusedIAMUserCredentials.yaml to match RevokeUnusedIAMUserCredentials.py
- Remediation runbooks that rely on unstable Resources.Details finding field
- Regular expression patterns used in runbooks to match KMS Key ARNs
- Race condition in applogger.py when two instances of SendNotifications lambda are running in parallel
  - Caused by lack of exception handling when log group does not yet exist
v2.2.1
[2.2.1] - 2025-01-27
Changed
- Modified the org-id-lookup custom resource to avoid throwing an error when the Admin stack is deployed in a non-Organization account.
Security
- Upgrade jinja2 to mitigate CVE-2024-56201
v2.2.0
[2.2.0] - 2024-12-16
Added
- Option to integrate an external ticket system by providing a lambda function name at deployment time
- Integration stacks for Jira and ServiceNow as external ticketing systems
- Widget "Total successful remediations" on the CloudWatch Dashboard
- Detailed success/failure metrics on the CloudWatch Dashboard grouped by control id
- Detailed log of account management actions taken by ASR on the CloudWatch Dashboard
- Remediations for additional control ids
- Playbook for CIS 3.0 standard
- Integrated Poetry for python dependency management
- Integration with AWS Lambda Powertools Logger & Tracer
- Deletion protection and autoscaling to scheduling table
Changed
- More detailed notifications
- Added namespace to member roles to avoid name conflicts when reinstalling the solution
- Removed CloudFormation retention policies for member IAM roles where unnecessary
Fixed
- Config.1 remediation script to allow non-"default" Config recorder name
- parse_non_string_types.py script to allow boolean values
v2.1.4
[2.1.4] - 2024-11-18
Changed
- Upgraded python runtimes in all control runbooks from python3.8 to python3.11.
  - Upgrade is done at build-time temporarily, until the cdklabs/cdk-ssm-documents package adds support for newer python runtimes.
Security
- Upgraded cross-spawn to mitigate CVE-2024-21538
v2.1.3
[2.1.3] - 2024-09-18
Fixed
- Resolved an issue in the remediation scripts for EC2.18 and EC2.19 where security group rules with IpProtocol set to "-1" were being incorrectly ignored.
Changed
- Upgraded all Python runtimes in remediation SSM documents from Python 3.8 to Python 3.11.
V2.1.2
Fixed
- Disabled AppRegistry for certain playbooks to avoid errors when updating solution
- Created list of playbooks instead of creating stacks dynamically to avoid this in the future
Security
- Updated braces package version for CVE-2024-4068 - https://avd.aquasec.com/nvd/cve-2024-4068
V2.1.1
Changed
- Changed order of CloudFormation parameters to emphasize the Security Control playbook
- Changed default for all playbooks other than SC to 'no'
- Updated descriptions of playbook parameters
- Updated architecture diagram
v2.1.0
Added
- CloudWatch Dashboard for monitoring solution metrics
- Remediations will be scheduled in the future to prevent throttling if many remediations are triggered in a short period of time
- New support for NIST 800-53 standard
- New remediations for CloudFront.1, CloudFront.12, Codebuild.5, EC2.4, EC2.8, EC2.18, EC2.19, EC2.23, ECR.1, GuardDuty.1, IAM.3, S3.9, S3.11, S3.13, SecretsManager.1, SecretsManager.3, SecretsManager.4, SSM.4
- Support for customizable input parameters to remediations
Changed
- Updated AFBSP to FBSP in docs
- Add HttpEndpoint parameter as enabled for EC2.8 remediation
- Updated imports for moto 5.0.0
Fixed
- Disabled AppRegistry functionality in China regions. AppRegistry is not available in those regions.
- Added missing EventBridge rules for CloudFormation.1, EC2.15, SNS.1, SNS.2, and SQS.1
- Fixed SC_SNS.2 not executing due to wrong automation document
- Fixed RDS.4 remediation failing to remediate due to incorrect regex
  - RDS.4 regex now includes snapshots created by Backup
- Enable CloudTrail encryption remediation is now a regional remediation
- Fixed SC_SQS.2 incorrect parameter
- Fixed SC_EC2.6 message on finding note
- Added AddTagsToResource to EncryptRDSSnapshot remediation role
- SNS.2 now works in regions other than where the roles are deployed
- Updated SNS.1 parameter to TopicArn instead of SNSTopicArn
- SC_RDS.1 regex now includes snapshots
- Fixed certain remediations failing in opt-in regions due to STS token endpoint
- Rules for CIS 1.4.0 no longer match on CIS 1.2.0 generator ID
- Fixed S3.6 creating malformed policy when all principals are "*"
Security
- Upgraded urllib3