Merge pull request #40 from aws-solutions/release/v2.0.11

Upgrade to v2.0.11

Author: tbelmega

CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.11] - 2024-08-01
+
+### Security
+- Upgrade `fast-xml-parser` to mitigate [CVE-2024-41818](https://nvd.nist.gov/vuln/detail/CVE-2024-41818)
+
+### Changed
+- Extended PolicyManager's Log Group retention period to ten years.
+
 ## [2.0.10] - 2024-06-19
 
 ### Security

deployment/aws-fms-automations.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.10",
+  "Description": "(SO0134) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.11",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -38,7 +38,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.0.10",
+        "SolutionVersion": "v2.0.11",
         "UserAgentPrefix": "AwsSolution"
       }
     }
@@ -303,7 +303,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/assetd121122acde085efd7d2a7f074c5a51327e86cc2fb1104c44095fa98bb2fdd69.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset65cb064f1448ec88ad58959c7b3936a7c0f0b90b6a84e2143aa944da5ab7e61b.zip"
         },
         "Description": {
           "Fn::Join": [
@@ -464,7 +464,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
         },
         "Description": "AWS CDK resource provider framework - onEvent (CommonResourceStack/HelperProvider)",
         "Environment": {
@@ -789,7 +789,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/assetc2fc4947fa6b45b1ca7c63d62ff33796fd3ecb60c42097ac6bf591e52d481b39.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/assetcf37c8159d10a0ef4973f62aecd215913bc1e21a8fe6fba6656497a30267d0df.zip"
         },
         "Description": {
           "Fn::Join": [
@@ -926,7 +926,7 @@
             ]
           }
         },
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.10/aws-fms-compliance.template"
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.11/aws-fms-compliance.template"
       },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",
@@ -958,7 +958,7 @@
           },
           "PolicyIdentifier": "DefaultPolicy"
         },
-        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.10/aws-fms-policy.template"
+        "TemplateURL": "https://solutions-reference.s3.amazonaws.com/aws-firewall-manager-automations-for-aws-organizations/v2.0.11/aws-fms-policy.template"
       },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",

deployment/aws-fms-compliance.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations compliance reporter resources. Version v2.0.10",
+  "Description": "(SO0134-cr) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations compliance reporter resources. Version v2.0.11",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -41,7 +41,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.0.10",
+        "SolutionVersion": "v2.0.11",
         "UserAgentPrefix": "AwsSolution"
       }
     }
@@ -456,7 +456,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset0c65a0f491e8d69cddfd0b45da98ee9512cd72e06239557b07637450dc95539a.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset1ac2bfd15f8885c18e44ff6c9a6d0b28cb03c7a7cc014d994d0854e5206dd020.zip"
         },
         "DeadLetterConfig": {
           "TargetArn": {

deployment/aws-fms-demo.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134D) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations demo resources. Version v2.0.10",
+  "Description": "(SO0134D) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations demo resources. Version v2.0.11",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Resources": {
     "testcloudfronts3S3LoggingBucket90D239DD": {

deployment/aws-fms-policy.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134-po) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.10",
+  "Description": "(SO0134-po) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.11",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -64,7 +64,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134",
-        "SolutionVersion": "v2.0.10",
+        "SolutionVersion": "v2.0.11",
         "UserAgentPrefix": "AwsSolution"
       }
     }
@@ -393,7 +393,7 @@
               {
                 "Ref": "AWS::Region"
               },
-              "/aws-firewall-manager-automations-for-aws-organizations/v2.0.10/policy_manifest.json\",\"Key\":\"policy_manifest.json\"},\"physicalResourceId\":{\"id\":\"1718725613573\"}}"
+              "/aws-firewall-manager-automations-for-aws-organizations/v2.0.11/policy_manifest.json\",\"Key\":\"policy_manifest.json\"},\"physicalResourceId\":{\"id\":\"1722475091257\"}}"
             ]
           ]
         },
@@ -504,7 +504,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset17c16a3854838fd3ff4bda08146122a6701f33b9c86ae17f415ad0dc47a97544.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset17c16a3854838fd3ff4bda08146122a6701f33b9c86ae17f415ad0dc47a97544.zip"
         },
         "Handler": "index.handler",
         "Role": {
@@ -638,7 +638,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset013e8c75d236c32a1fab745b7186aba0455339de79b1c9ca3d7499c59b99d3d4.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset282f99aacf96565b4780d1e9874c90fa48ef0abf40ccf66721408e97e6d3b664.zip"
         },
         "DeadLetterConfig": {
           "TargetArn": {
@@ -928,7 +928,7 @@
             ]
           ]
         },
-        "RetentionInDays": 7
+        "RetentionInDays": 3653
       },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete",

deployment/aws-fms-prereq.template

@@ -1,5 +1,5 @@
 {
-  "Description": "(SO0134N) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.10",
+  "Description": "(SO0134N) - The AWS CloudFormation template for deployment of the aws-firewall-manager-automations-for-aws-organizations. Version v2.0.11",
   "AWSTemplateFormatVersion": "2010-09-09",
   "Metadata": {
     "AWS::CloudFormation::Interface": {
@@ -48,7 +48,7 @@
       },
       "Solution": {
         "SolutionId": "SO0134N",
-        "SolutionVersion": "v2.0.10",
+        "SolutionVersion": "v2.0.11",
         "GlobalStackSetName": "FMS-EnableConfig-Global",
         "RegionalStackSetName": "FMS-EnableConfig-Regional",
         "UserAgentPrefix": "AwsSolution"
@@ -97,7 +97,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/assetd121122acde085efd7d2a7f074c5a51327e86cc2fb1104c44095fa98bb2fdd69.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset65cb064f1448ec88ad58959c7b3936a7c0f0b90b6a84e2143aa944da5ab7e61b.zip"
         },
         "Description": "DO NOT DELETE - FMS helper function",
         "Environment": {
@@ -245,7 +245,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
         },
         "Description": "AWS CDK resource provider framework - onEvent (PreReqStack/HelperProvider)",
         "Environment": {
@@ -385,7 +385,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/assetf3f84a266840977b5a680778ded4c90b32a4741935a3e43fff15f180297682b1.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset8652d017578624dfafbf9e62e678f4a6eb113df1cfa4e55027279723fbf7e847.zip"
         },
         "Description": "Function to validate and install pre-requisites for the FMS solution",
         "Environment": {
@@ -627,7 +627,7 @@
           "S3Bucket": {
             "Fn::Sub": "solutions-${AWS::Region}"
           },
-          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.10/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
+          "S3Key": "aws-firewall-manager-automations-for-aws-organizations/v2.0.11/asset7382a0addb9f34974a1ea6c6c9b063882af874828f366f5c93b2b7b64db15c94.zip"
         },
         "Description": "AWS CDK resource provider framework - onEvent (PreReqStack/PreReqProvider)",
         "Environment": {

package-lock.json

@@ -33,9 +33,10 @@
     "@aws-sdk/client-s3": "^3.359.0"
   },
   "overrides": {
-    "word-wrap": "1.2.4"
+    "word-wrap": "1.2.4",
+    "fast-xml-parser": ">=4.4.1"
   },
   "resolutions": {
     "word-wrap": "1.2.4"
   }
-}
+}

package.json

@@ -42,7 +42,7 @@ describe("==Policy Stack Tests==", () => {
     });
     test("has cloudwatch log group", () => {
       expect(policyStack).toHaveResource("AWS::Logs::LogGroup", {
-        RetentionInDays: 7,
+        RetentionInDays: 3653,
       });
     });
   });

source/resources/__tests__/policy.test.ts

@@ -355,7 +355,7 @@ export class PolicyStack extends NestedStack {
     const lg: LogGroup = new LogGroup(this, "PolicyMangerLogGroup", {
       logGroupName: `/aws/lambda/${policyManager.functionName}`,
       removalPolicy: RemovalPolicy.DESTROY,
-      retention: RetentionDays.ONE_WEEK,
+      retention: RetentionDays.TEN_YEARS,
     });
 
     /**