v2.8.0

• protect-infra-immutable.json: Extended infra:immutable tag protection to EC2, S3, Lambda, DynamoDB, SQS, SSM, Elastic Load Balancing, and CloudWatch Logs. Previously, tag removal and resource modification were only blocked for a subset of services.
• protect-foundations.json: Added DenyFederationProviderMutation statement blocking OIDC and SAML provider creation and modification by non-admin principals. SecurityAdministratorAccess is exempted.
• NetworkAdministratorAccess.yaml: Narrowed iam:* to the specific IAM actions required for network administration.
• developer-permission-boundary-policy.yaml: Added athena, batch, cloudshell, glue, quicksight, sagemaker, and securityhub to match the DeveloperAccess permission set.
• Action required: Copy the following files from apps.example/ to apps/ and redeploy:
  - foundation/SCPs/protect-infra-immutable.json
  - foundation/SCPs/protect-foundations.json
  - foundation/sso-config/sso_permission_sets/NetworkAdministratorAccess.yaml
  - foundation/BoundaryPolicies/developer-permission-boundary-policy.yaml

Full Changelog: v2.7.0...v2.8.0

v2.7.0

• Fixed additional edge-case privilege escalation vulnerabilities in permissions boundary enforcement.
• require-boundary-permissions.json: Added PutRolePermissionsBoundary to per-SSO-role statements, added universal catch-all for non-SSO principals, separated boundary deletion into its own statement.
• protect-foundations.json: Added ProtectAdminRoleTrustPolicies statement to prevent trust policy modification on admin-exempted roles. Expanded PreventUserMutations to cover credential management (CreateAccessKey, CreateLoginProfile, etc.) and group operations.
• Action required: Copy the following files from apps.example/ to apps/ and redeploy:
  - foundation/SCPs/require-boundary-permissions.json
  - foundation/SCPs/protect-foundations.json

Full Changelog: v2.6.1...v2.7.0

v2.6.1

• Added protection for switching boundary permissions using SCP.

Full Changelog: v2.6.0...v2.6.1

v2.6.0

• Added IAM user management permissions to SecurityAdministratorAccess role in protect-foundations.json SCP.
• Added backup:* and backup-storage:* permissions to DeveloperAccess SSO permission set and permission boundary.

Full Changelog: v2.5.5...v2.6.0

v2.5.5

• Added vpce:AllowMultiRegion to the NetworkAdministratorAccess SSO Permission Set.

Full Changelog: 2.5.5...v2.5.5

v2.5.4

• Updated ARCHITECTURE.md.

Full Changelog: v2.5.3...v2.5.4

v2.5.3

• Fixed zsh comments.
• Fixed deploy script for Foundation-security-services-setup. Distributed to all repos.
• Added ARCHITECTURE.md, describing the operation of the OpenSecOps Installer and its scripts.
• Added header doc strings to all scripts under scripts/.
• Fixed script execution to properly pass --verbose flag to component scripts when using verbose mode.
• Added Foundation-security-services-setup component to automate AWS security services configuration (GuardDuty, Security Hub, IAM Access Analyzer, AWS Config, Detective, and Inspector delegation and setup across the organization), including updates to apps.exampleconfiguration files.
• Added data/ML services (Athena, Batch, CloudShell, Glue, QuickSight, SageMaker) to DeveloperAccess permission sets.

Full Changelog: v2.5.2...v2.5.3

v2.3.0

• Added ReclassifyAWSHealthIncidents parameter to OpenSecOps SOAR example configuration to support AWS Health incident reclassification feature introduced in OpenSecOps SOAR v2.2.0, reducing false positives.

Full Changelog: v2.2.0...v2.3.0

v2.2.0

• Added the developer SSO group to the default configuration in /apps.example. This also matches the default account request templates in our tailored version of Foundation-AFT-account-request, for easier setup.
• The SSO Group prefix is now by default the empty string, "".

Full Changelog: v2.1.0...v2.2.0

v2.1.0

• The default model in apps.example for Claude updated to Claude Sonnet v4.

Full Changelog: v2.0.3...v2.1.0