
Releases: ssc-spc-ccoe-cei/aws-guardrails-cac-solution

V2.0.5

26 Jun 19:41
0d65c5b

AWS CaC v2.0.5

This release introduces several enhancements, control updates, and compliance logic improvements across multiple Guardrails.

GR1

  • Removed: gc01_check_attestation_letter control and all related Lambda/config resources.
  • Added: Validation for gc01_check_alerts_flag_misuse to verify EventBridge targets (SNS or log group).

GR4

  • New Check: gc04_check_alerts_flag_misuse now validates CloudWatch metrics for specific AssumeRole/AccessDenied patterns.

GR5

  • Region Update: ca-west-1 added to allowed regions for gc05_check_data_location.

GR7

  • Validation 1 (ELB v1 & v2): Compliance now considers the presence of the GR07_lb_attestation file.
  • Validation 2 (ELB v2 only): Redirects from non-HTTPS to HTTPS now mark gc07_check_encryption_in_transit as compliant.
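The Validation 2 rule above, written out as an added example (not the project's gc07_check_encryption_in_transit Lambda): an HTTPS or TLS listener is compliant outright, and an HTTP listener is compliant only when its default action redirects to HTTPS. The listener dictionaries follow the shape of the elbv2 DescribeListeners response; the sample data and the per-load-balancer roll-up are constructed assumptions.

```python
"""GR07 Validation 2 style check over ELBv2 listeners.

Added example, not the project's Lambda. Listener dicts are modelled on the
elbv2 DescribeListeners response (ListenerArn, Protocol, Port, DefaultActions);
the sample data below is constructed.
"""

SECURE_PROTOCOLS = {"HTTPS", "TLS"}


def is_https_redirect(action: dict) -> bool:
    """A default action counts as an HTTPS upgrade only if it is a redirect
    whose RedirectConfig forces HTTPS (a '#{protocol}' passthrough does not)."""
    if action.get("Type") != "redirect":
        return False
    return action.get("RedirectConfig", {}).get("Protocol") == "HTTPS"


def listener_is_compliant(listener: dict) -> bool:
    """HTTPS/TLS listeners pass; HTTP listeners pass only via an HTTPS redirect."""
    protocol = listener.get("Protocol", "")
    if protocol in SECURE_PROTOCOLS:
        return True
    if protocol == "HTTP":
        return any(is_https_redirect(a) for a in listener.get("DefaultActions", []))
    # TCP/UDP/TCP_UDP listeners terminate no TLS, so they do not satisfy the check.
    return False


def evaluate_load_balancer(listeners: list) -> dict:
    """Roll listener results up to one verdict per load balancer (assumed
    reporting shape: ComplianceType plus the offending listener ARNs)."""
    non_compliant = [l["ListenerArn"] for l in listeners if not listener_is_compliant(l)]
    return {
        "ComplianceType": "COMPLIANT" if not non_compliant else "NON_COMPLIANT",
        "NonCompliantListeners": non_compliant,
    }


# Constructed sample: an HTTPS listener, an HTTP listener that upgrades to
# HTTPS, and a plain HTTP listener that forwards in clear text.
_ARN_BASE = "arn:aws:elasticloadbalancing:ca-central-1:111122223333:listener/app/web/abc123"
_TG = "arn:aws:elasticloadbalancing:ca-central-1:111122223333:targetgroup/web/def456"
SAMPLE_LISTENERS = [
    {"ListenerArn": f"{_ARN_BASE}/443", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}]},
    {"ListenerArn": f"{_ARN_BASE}/80", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": f"{_ARN_BASE}/8080", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}]},
]

if __name__ == "__main__":
    print(evaluate_load_balancer(SAMPLE_LISTENERS))
```

Only the 8080 listener is reported: the port 80 listener is accepted because its redirect pins the protocol to HTTPS rather than echoing the incoming one.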

GR11

  • Removed: AWS managed config rule from ConformancePack.yaml for gc11_check_trail_logging.
  • Enhanced: Lambda now checks for:
    • Multi-region trail
    • LogFileValidation enabled
    • KMS key presence
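The three trail requirements listed above, as an added example rather than the project's gc11_check_trail_logging Lambda. Trail dictionaries follow the shape of the cloudtrail DescribeTrails response (IsMultiRegionTrail, LogFileValidationEnabled, KmsKeyId); the sample trails are constructed, and the rule that an account is compliant when at least one trail meets every requirement is an assumption of this example.

```python
"""GR11 trail-logging style check over CloudTrail trail descriptions.

Added example, not the project's Lambda. Trail dicts are modelled on the
cloudtrail DescribeTrails response; sample data is constructed. Assumption:
the account is compliant if at least one trail satisfies all requirements.
"""

# Each requirement maps to a predicate over one trail description.
REQUIREMENTS = {
    "multi_region": lambda t: t.get("IsMultiRegionTrail") is True,
    "log_file_validation": lambda t: t.get("LogFileValidationEnabled") is True,
    "kms_encryption": lambda t: bool(t.get("KmsKeyId")),
}


def missing_requirements(trail: dict) -> list:
    """Names of the requirements this trail fails, in a stable order."""
    return [name for name, check in REQUIREMENTS.items() if not check(trail)]


def evaluate_trails(trails: list) -> dict:
    """Per-trail findings plus an account-level verdict. An account with no
    trails at all is NON_COMPLIANT, since nothing satisfies the requirements."""
    findings = {t["Name"]: missing_requirements(t) for t in trails}
    compliant = any(not missing for missing in findings.values())
    return {
        "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "Findings": findings,
    }


# Constructed sample: one fully configured organization trail, one regional
# trail with nothing enabled, and one multi-region trail without validation.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "ca-central-1", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:ca-central-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "regional-trail", "HomeRegion": "ca-west-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
    {"Name": "partial-trail", "HomeRegion": "ca-central-1", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": False,
     "KmsKeyId": "arn:aws:kms:ca-central-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    print(evaluate_trails(SAMPLE_TRAILS))
```

Keeping the per-trail list of missing requirements in the result is what makes the finding actionable: a NON_COMPLIANT verdict alone does not tell an account owner whether to enable validation, attach a key, or recreate the trail as multi-region.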

Audit Manager fixes

  • Validation 1: Removed AWS-owned config rule checks from audit_manager_custom_framework.py.
  • Validation 2: Added custom Lambda gc11_check_policy_event_logging for aws_audit_manager_resources_config_setup.

General Improvements

  • Lambda Permissions: Statement ID naming convention updated to p1...pn (based on AWS Organization account count).
  • OrgRoleGenerator.yaml: Added identitystore:ListGroupMembership permission to GCLambdaExecutionRole.

V2.0.4

01 Apr 19:31
a24191f

CaC v2.0.4 - March 27, 2025

New Features/Changes

Multi-Cloud Usage Profile Integration

  • Added new feature for multi-cloud usage profile integration.
  • Users will see a profile tag in the CSV report.
  • Users must send tenant profiles to the Cloud Security Compliance Division (CSCD) for onboarding.
  • Once installed, users can tag each account with the appropriate profile.

Guardrail 1 (GR1)

  • Validation 1: Added control for 'All Cloud User Accounts MFA Check (M)'.
    • Control Names: gc01_check_root_mfa, gc01_check_iam_users_mfa, gc01_check_federated_users_mfa.
  • Validation 2: Added control for 'All Cloud User Accounts MFA Conditional Access Policy (M)'.
    • Control Name: gc01_check_mfa_digital_policy.
  • Validation 4: Added control for 'User Account GC Event Logging Check (M)'.
    • Control Names: gc01_check_alerts_flag_misuse, gc01_check_monitoring_and_logging.
  • Validation 5: Added control for 'Alerts to Flag Misuse and Suspicious Activities (M)'.
    • Control Name: gc01_check_alerts_flag_misuse.
  • Validation 6: Added control for 'Dedicated User Accounts for Administration (M)'.
    • Control Name: gc01_check_dedicated_admin_account.

Guardrail 2 (GR2)

  • Validation 1: Added control for 'Account Management: User Groups (M)'.
    • Control Name: gc02_check_group_access_configuration.
  • Validation 2: Updated control for 'Privileged Account Management Plan (Lifecycle of Account Management) (M)'.
    • Control Name: gc02_check_account_mgmt_plan.
  • Validation 3: Added control for 'Automated Role Reviews: Role Assignments for Users and Global Administrators (M)'.
    • Control Name: gc02_check_privileged_roles_review.
  • Validation 4: Added control for 'Privileged Account Management Plan (Least Privilege Role Assignment) (M)'.
    • Control Name: gc02_check_account_mgmt_plan.
  • Validation 6: Added control for 'Measures to Counter Online Attacks Check: Lockouts and Banned Password Lists (M)'.
    • Control Name: gc02_check_iam_password_policy.
  • Validation 7: Added control for 'Authentication Mechanisms: Risk Based Conditional Access Policies (M)'.
    • Control Name: gc02_check_password_protection_mechanisms.

Guardrail 3 (GR3)

  • Validation 1: Added control for 'Administrator Access Restrictions Applied - device management/trusted locations (M)'.
    • Control Name: gc03_check_trusted_devices_admin_access.
  • Validation 2: Added control for 'Access Configurations and Policies are implemented for devices (M)'.
    • Control Name: gc03_check_endpoint_access_config.

Guardrail 4 (GR4)

  • Validation 1: Added control for 'Verify that roles required to enable visibility in the GC have been provisioned or assigned (M)'.
    • Control Name: gc04_check_enterprise_monitoring.
  • Validation 2: Added control for 'Confirm that alerts to authorized personnel have been implemented to flag misuse (M)'.
    • Control Name: gc04_check_alerts_flag_misuse.

Guardrail 5 (GR5)

  • Validation 1: Added control for 'Allowed Locations Policy (M)'.
    • Control Name: gc05_check_data_location.

Guardrail 6 (GR6)

  • Validation 1: Added control for 'Confirm that storage service encryption is enabled for data at rest (M)'.
    • Control Names: gc06_check_encryption_at_rest_part1, gc06_check_encryption_at_rest_part2.

Guardrail 7 (GR7)

  • Validation 1: Added control for 'TLS 1.2 or above encryption is implemented (M)'.
    • Control Name: gc07_check_encryption_in_transit.
  • Validation 2: Added control for 'Leverage cryptographic algorithms and protocols configurable by the user in accordance with ITSP.40.111 and ITSP.40 (M)'.
    • Control Name: gc07_check_cryptographic_algorithms.
  • Validation 3: Added control for 'Confirm that non-person entity certificates are issued from certificate authorities that align with GC recommendations for TLS server certificates (M)'.
    • Control Name: gc07_check_certificate_authorities.

Guardrail 8 (GR8)

  • Validation 1: Added control for 'Confirm that the department has a target network architecture with a high-level design or a diagram with appropriate segmentation between network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38 (M)'.
    • Control Name: gc08_check_target_network_architecture.
  • Validation 2: Added control for 'Cloud Infrastructure Deployment Guide or Applicable Landing Zone Details (M)'.
    • Control Name: gc08_check_cloud_deployment_guide.
  • Validation 3: Added control for 'Confirm that the cloud service provider’s segmentation features are leveraged to provide segmentation of management, production, user acceptance testing (UAT), development (DEV) and testing (M)'.
    • Control Name: gc08_check_cloud_segmentation_design.

Guardrail 9 (GR9)

  • Validation 2: Added control for 'Attestation that the network boundary protection policy is adhered to (M)'.
    • Control Name: gc09_check_netsec_architecture.
  • Validation 4: Added control for 'Confirm that storage accounts are not exposed to the public (M)'.
    • Control Name: gc09_check_non_public_storage_account.

Guardrail 10 (GR10)

  • Validation 2: Added control for 'Confirm that the Cyber Centre’s sensors or other cyber defence services are implemented where available (M)'.
    • Control Name: gc10_check_cyber_center_sensors.

Guardrail 11 (GR11)

  • Validation 1: Added control for 'Confirm policy for event logging is implemented (M)'.
    • Control Name: gc11_check_policy_event_logging.
  • Validation 2: Added control for 'Confirm that the following logs are included (M)':
    • Sign-in (interactive and non-interactive sign-ins, API sign-ins)
    • Access privilege and group changes (including group membership and group privilege assignment)
    • Changes in the configuration of the cloud platform
    • Cloud resource provisioning activities
    • Control Name: gc11_check_trail_logging.
  • Validation 3: Added control for 'Confirm whether monitoring and auditing is implemented for all users (M)'.
    • Control Name: gc11_check_monitoring_all_users.
  • Validation 4: Added control for 'Confirm that the security contact record within the account should be completed with the details of at least two appropriate information security personnel (if multiple personnel are permitted by the cloud platform) (M)'.
    • Control Name: gc11_check_security_contact.
  • Validation 5: Added control for 'Confirm that the appropriate time zone has been set (M)'.
    • Control Name: gc11_check_timezone.
  • Validation 6: Added control for 'Demonstrate that the monitoring use cases for the cloud platform have been implemented and have been integrated with the overall security monitoring activities being performed by the department (M)'.
    • Control Name: gc11_check_monitoring_use_cases.

Guardrail 12 (GR12)

  • Validation 1: Added control for 'Confirm that third-party marketplace restrictions have been implemented (M)'.
    • Control Name: gc12_check_private_marketplace.

Guardrail 13 (GR13)

  • Validation 1: Added control for 'Verify that an emergency account management procedure has been developed (M)'.
    • Control Name: gc13_check_emergency_account_management.
  • Validation 2: Added control for 'Verify that alerts are in place to report any use of emergency accounts (M)'.
    • Control Name: gc13_check_emergency_account_alerts.
  • Validation 3: Added control for 'Verify that testing of emergency accounts took place, and that periodic testing is included in emergency account management procedures (M)'.
    • Control Name: gc13_check_emergency_account_testing.
  • Validation 4: Added control for 'Confirm through attestation that the departmental CIO, in collaboration with the DOCS, has approved the emergency account management procedure for the cloud service (M)'.
    • Control Name: gc13_check_emergency_account_mgmt_approvals.

1.0.2-final

25 Oct 14:18
35f99bf

What's Changed

  • [BugFix]-Pass deploy version to nested stack by @singhgss in #56

Full Changelog: 1.0.1...1.0.2-final

1.0.1

24 Jun 15:57
e1583b6

What's Changed

  • [Fix] GC03 Generalize for env and fix gc03 cloudwatch alarm by @dutt0 in #53
  • [Enhancement] - Add build code before creating cloudshell package by @singhgss in #54
  • [Enhancement] Add execute permission for sam scripts for release pipeline by @singhgss in #55

Full Changelog: 1.0.0...1.0.1

1.0.0

11 Jun 16:18
345a369

What's Changed

  • [BugFix] - Fix cac solution install/fix sam clean script and config generator by @singhgss in #1
  • Adding templates and workflow files by @dutt0 in #2
  • [Bug] - Multiple fixes for CAC installation - Lambdas not providing eval results - Not triggering for all accounts by @singhgss in #5
  • [BugFix] - Get Evidence bucket, api key and api url automatically from server, s3 cleanup script, fix endless loop error, do not delete KMS keys by @singhgss in #11
  • [Enhancement] adding readme and generator files by @dutt0 in #12
  • [Bug] Adding missing action to the policy permission for GCLambdaExecutionRole by @dutt0 in #31
  • [Bug fix] Update lambda permission by @dutt0 in #33
  • [Bug] Fixing_S3_buckets_whitespace by @dutt0 in #32
  • [Bug fix] fix dependency and reference function by @dutt0 in #35
  • [Enhancement] - Cleanup AllAccountPrerequisite, makefile and some bug fixes by @singhgss in #42
  • Excluding breakglass accounts from MFA check by @alalvi00 in #43
  • [Enhancement] Upgrade CAC changes Event Bridge Trigger to Create GC roles and some misc bug fixes by @singhgss in #44
  • [Enhancement ]- Add Deployment Pipeline by @singhgss in #45
  • Update deploy-test-pipeline.yml by @singhgss in #46
  • [Enhancement] - Fix AWS CAC Deployment pipeline by @singhgss in #48
  • [Enhancement] - Add AWS CAC Release Pipeline by @singhgss in #49
  • [BugFix] - fix release pipeline to trigger on numeric version by @singhgss in #50
  • [BugFix] - fix typo for zip file name by @singhgss in #51

Full Changelog: https://github.com/ssc-spc-ccoe-cei/aws-guardrails-cac-solution/commits/1.0.0