AWS CaC v2.0.5
This release introduces several enhancements, control updates, and compliance logic improvements across multiple Guardrails.
GR1
Removed: gc01_check_attestation_letter control and all related Lambda/config resources.
Added: Validation for gc01_check_alerts_flag_misuse to verify EventBridge targets (SNS or log group).
GR4
New Check: gc04_check_alerts_flag_misuse now validates CloudWatch metrics for specific AssumeRole/AccessDenied patterns.
GR5
Region Update: ca-west-1 added to allowed regions for gc05_check_data_location.
GR7
Validation 1 (ELB v1 & v2): Compliance now also considers the presence of the GR07_lb_attestation file.
Validation 2 (ELB v2 only): Listeners that redirect non-HTTPS traffic to HTTPS now mark gc07_check_encryption_in_transit as compliant.
GR11
Removed: AWS managed config rule from ConformancePack.yaml for gc11_check_trail_logging.
Enhanced: Lambda now checks for:
Multi-region trail
LogFileValidation enabled
KMS key presence
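As an added illustration of the three GR11 trail requirements listed above (this is not the project's gc11_check_trail_logging Lambda), the function below evaluates trail descriptions in the shape returned by CloudTrail's DescribeTrails API; the sample trails are constructed, and treating the account as compliant when any one trail meets all three requirements is an assumption of this example.

```python
"""Evaluate CloudTrail trail descriptions against the GR11 criteria listed above.

Added example, not the project's Lambda. It reads the fields CloudTrail's
DescribeTrails API returns (IsMultiRegionTrail, LogFileValidationEnabled,
KmsKeyId), so it runs offline on the constructed sample data below.
"""


def trail_findings(trail: dict) -> list[str]:
    """Return the GR11 requirements a single trail fails (empty list = passes)."""
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("not a multi-region trail")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation disabled")
    if not trail.get("KmsKeyId"):  # missing or empty: logs are not KMS-encrypted
        findings.append("no KMS key configured")
    return findings


def evaluate_trails(trail_list: list[dict]) -> dict:
    """Compliant when at least one trail satisfies all three requirements.

    Assumption of this example: any-trail semantics; an account with no trails
    at all is non-compliant.
    """
    per_trail = {t["Name"]: trail_findings(t) for t in trail_list}
    compliant = any(not findings for findings in per_trail.values())
    return {"compliant": compliant, "trails": per_trail}


# Constructed sample in the DescribeTrails response shape (not real account data).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:ca-central-1:111111111111:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
]

if __name__ == "__main__":
    result = evaluate_trails(SAMPLE_TRAILS)
    print("COMPLIANT" if result["compliant"] else "NON_COMPLIANT")
    for name, findings in result["trails"].items():
        print(f"  {name}: {'ok' if not findings else ', '.join(findings)}")
```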
Audit Manager fixes
Validation 1: Removed AWS-owned config rule checks from audit_manager_custom_framework.py.
Validation 2: Added custom Lambda gc11_check_policy_event_logging for aws_audit_manager_resources_config_setup.
General Improvements
Lambda Permissions: Statement ID naming convention updated to p1...pn (based on AWS Organization account count).
OrgRoleGenerator.yaml: Added identitystore:ListGroupMembership permission to GCLambdaExecutionRole.