Releases: aws-samples/iam-identity-center-team
v1.2.2
Release Notes: Security Enhancement - Fine-Grained GraphQL Authorization
Security Vulnerability Fixed
- Patched security vulnerability in request approval workflow that allowed a requester or member of an approver group to self-approve their access request
- Implemented field-level authorization controls in GraphQL schema
- Prevented unauthorized manipulation of approver fields during request creation
- Fixed potential privilege escalation through approval parameter injection
Technical Implementation
GraphQL Schema Enhancements
- Added granular @auth directives at both type and field levels
- Implemented strict field-level permissions for sensitive fields:
  - approval status
  - approver information
  - request metadata
- Restricted owner permissions to appropriate operations
- Added separate authorization rules for approvers using ownerField
Authorization Rules
- Created distinct permission sets for:
  - Request owners (create, read own requests)
  - Approvers (read, update approval fields)
  - Auditors (read-only access)
  - IAM-authenticated services
- Enforced separation of duties through schema-level controls
- Prevented unauthorized modification of approval-related fields
Security Impact
- Ensures requesters cannot modify approval fields
- Enforces proper segregation between requesters and approvers
- Prevents authorization bypass through parameter manipulation
- Maintains audit trail integrity
- Protects against unauthorized privilege escalation
Required Actions
- Follow instructions in updating TEAM documentation for updating process
- No configuration changes needed
Technical Notes
- Implementation uses AWS AppSync @auth directives
- Leverages multiple authorization rules per field
- Combines owner-based and group-based access control
- Maintains IAM-based access for system operations
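The separation of duties described above, written as a resolver-side check so the decision logic can be read and tested on its own. This is an added illustration, not the project's code: TEAM enforces these rules declaratively with AppSync @auth directives in the schema, and the field names, group names and the `Identity` shape below are assumptions.

```python
# Added illustration (not the project's code): the owner / approver / auditor /
# IAM rules that TEAM v1.2.2 enforces with @auth directives, as one function.
# Field and group names are assumptions, not the project's actual schema.
from dataclasses import dataclass, field

REQUESTER_FIELDS = {"email", "account", "role", "duration", "justification"}
APPROVAL_FIELDS = {"status", "approver", "comment"}  # sensitive, approver-only


@dataclass
class Identity:
    username: str
    groups: set = field(default_factory=set)
    provider: str = "cognito"  # "iam" for system/service principals


def authorize(identity, operation, fields, existing=None):
    """Return (allowed, reason) for one GraphQL operation on a request record."""
    if identity.provider == "iam":
        return True, "system principal"
    if operation == "create":
        # The owner field must be the caller; nothing approval-related may be
        # supplied by the requester (the server assigns approvers from policy).
        if fields.get("email") != identity.username:
            return False, "owner field must match the caller"
        if (set(fields) & APPROVAL_FIELDS) or "approvers" in fields:
            return False, "requester may not set approver or approval fields"
        return True, "owner create"
    if existing is None:
        return False, "existing record required"
    is_owner = existing["email"] == identity.username
    is_approver = identity.username in existing.get("approvers", [])
    if operation == "read":
        if is_owner or is_approver or "Auditors" in identity.groups:
            return True, "read"
        return False, "not owner, approver or auditor"
    if operation == "update":
        touched = set(fields)
        if touched & APPROVAL_FIELDS:
            # Approval fields: only an assigned approver in the approver group,
            # and never the requester of that same record (no self-approval).
            if not is_approver or "Approvers" not in identity.groups:
                return False, "approval fields require an assigned approver"
            if is_owner:
                return False, "self-approval denied"
            return True, "approver update"
        if is_owner and touched <= REQUESTER_FIELDS:
            return True, "owner update"
        return False, "not permitted"
    return False, "unknown operation"
```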
v1.2.1
Release Notes: Pre-Token Generation Lambda Trigger - Security Enhancement
Security Issue Resolved
- Fixed critical security vulnerability where removed IdC admin users could temporarily retain admin privileges through API access
- Previously, group membership updates occurred after token generation, allowing one final session with elevated permissions
- Users removed from IdC admin groups could potentially maintain admin API access for up to 24 hours via refresh tokens
Technical Solution
- Implemented pre-token generation Lambda trigger in Cognito authentication flow
- Moved group membership synchronization logic to execute before token generation
- Ensures JWT tokens only contain current, verified group memberships from IdC
- Prevents temporary privilege retention when admin access is removed in IdC
Impact
This security enhancement ensures:
- Immediate enforcement of IdC group membership changes
- No gap between IdC admin removal and permission revocation
- Consistent security state between IdC and AWS access
- Protection against potential privilege escalation via API calls
Technical Details
- Added Lambda trigger to Cognito User Pool pre-token generation phase
- Validates current IdC group memberships before token claims are generated
- Synchronizes Cognito groups with IdC groups in real-time
- Prevents generation of tokens with stale admin permissions
Requirements
- Update to latest version to receive this security enhancement
- No configuration changes needed - automatically enforced by pre-token generation
- Existing sessions will still need to expire or be revoked
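A pre-token generation trigger of the kind described above, as an added example that is not the project's code: it rebuilds the group claims from the caller's current IdC membership before the token is issued, so a user just removed from an admin group cannot receive another token carrying that group. `lookup_idc_groups`, the in-memory directory and the group names are constructed stand-ins; a real trigger would query the Identity Store.

```python
# Added example (not the project's code): Cognito pre-token-generation trigger
# that overrides the token's group claims with the current IdC memberships.
# Event field names follow the Cognito pre-token generation trigger contract.

PRIVILEGED_GROUPS = {"team-admins", "team-auditors"}  # constructed names


def lookup_idc_groups(username, directory=None):
    """Current IdC groups for a user. A real trigger would call the Identity
    Store API; here a constructed in-memory directory stands in for it."""
    directory = directory if directory is not None else {}
    return set(directory.get(username, ()))


def current_groups(event, directory=None):
    """Privileged groups come only from IdC; non-privileged Cognito groups
    already in the token configuration are kept unchanged."""
    username = event["userName"]
    token_groups = set(
        event["request"].get("groupConfiguration", {}).get("groupsToOverride", [])
    )
    idc_groups = lookup_idc_groups(username, directory)
    return sorted((token_groups - PRIVILEGED_GROUPS) | (idc_groups & PRIVILEGED_GROUPS))


def handler(event, context=None, directory=None):
    """Lambda entry point: write the recomputed groups into the claims override
    so the issued ID/access token never carries a stale admin group."""
    groups = current_groups(event, directory)
    event["response"]["claimsOverrideDetails"] = {
        "groupOverrideDetails": {"groupsToOverride": groups}
    }
    return event
```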
v1.2.0
If deploying v1.2.0 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.1.2 to v1.2.0, please read below
Follow instructions in updating TEAM documentation for updating process
What's changed
This change adds support for external repositories following the deprecation of AWS CodeCommit
Updates
- Updated code to allow the use of external repositories following the AWS CodeCommit deprecation
- Updated documentation with a detailed walkthrough of the setup
- Added encryption for SNS (from #312)
v1.1.2
If deploying v1.1.2 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.1.1 to v1.1.2, please read below
Due to an ongoing issue, the CLOUDTRAIL_AUDIT_LOGS parameter is no longer optional: it is now a mandatory parameter that accepts the ARN of an existing CloudTrail Lake event data store.
If upgrading from v1.1.1 to v1.1.2, create a new CloudTrail Lake event data store in the delegated admin account outside of TEAM and pass its ARN to the parameters.sh file as shown below:
CLOUDTRAIL_AUDIT_LOGS=arn:aws:cloudtrail:us-east-1:123456789101:eventdatastore/e646f20d-7959-4682-be84-6c5b8a37cf15
Warning
This change will delete the existing CloudTrail Lake event data store that TEAM created as part of the Amplify deployment
Follow instructions in updating TEAM documentation for updating process
What's changed
Bug Fixes
- Fix - OUs not loading in Eligibility policy. See #235
- Fix - Only require approval if all eligibilities for a request require approval.
- Fix - Allow both account and OU approvers
v1.1.1
If deploying v1.1.1 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.1.0 to v1.1.1, please read below
TEAM v1.1.1 introduces the use of a custom domain instead of the default Amplify-generated domain name. To use a custom domain, update parameters.sh in the deployment folder with the UI_DOMAIN key set to your custom domain name before running the ./update.sh script.
Follow instructions in updating TEAM documentation for updating process
What's changed
Feature enhancement
- This change introduces support for a custom domain instead of the default Amplify-generated domain name. See #32
v1.1.0
If deploying v1.1.0 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.0.0 - v1.0.6 to v1.1.0, please read below
If you use SES for email notifications, you will have to reconfigure or update your notification source email address in the notification section of the TEAM settings page. See notification configuration
Follow instructions in updating TEAM documentation for updating process
What's changed
See #54 for more details
Feature enhancement
- This change introduces support for additional configuration options. Notifications are supported via Slack (#14), SNS (#20), and cross-account SES (#46). Users may also enable multiple notification services.
- The TEAM admin and auditor groups may also be changed after deployment. (#22)
- Hierarchical view of the OU structure during Eligibility and Approval policy configuration
v1.0.6
If deploying v1.0.6 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.0.0 - v1.0.5 to v1.0.6, please read below
Follow instructions in TEAM updating documentation for updating process
What's changed
See #62
Feature enhancement
With this change, users can be selective about the amount of logging they enable as part of their TEAM deployment. The CLOUDTRAIL_AUDIT_LOGS key is added to parameters.sh. The options are:
- read_write - record read and write events
- read - record only read events
- write - record only write events
- none - disable event logging
Depending on an organisation's regulatory and governance requirements, this can help to significantly reduce the cost of deploying the TEAM solution.
Documentation
v1.0.5
If deploying v1.0.5 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.0.0 - v1.0.4 to v1.0.5, please read below
Follow instructions in TEAM updating documentation for updating process
What's changed
Feature enhancement
Ability to add custom tags to Amplify-created resources by adding a TAGS key to the parameters.sh file - see #29
v1.0.4
If deploying v1.0.4 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.0.0 - v1.0.3 to v1.0.4, please read below
Follow instructions in TEAM updating documentation for updating process
What's changed
Bug fix - Issue with the latest version of pipenv (2023.6.26), which is used by the Amplify build pipeline to package the backend Python Lambda functions. Updated the Amplify buildspec to use the most recent stable version of pipenv (2023.6.12). See #21
v1.0.3
If deploying v1.0.3 directly to your environment
Follow instructions in TEAM deployment documentation for deployment process
If upgrading from v1.0.0..v1.0.2 to v1.0.3, please read below
Follow instructions in TEAM updating documentation for updating process
What's changed
Bug fix - Pagination error when fetching groups or permissions from IAM Identity Center - See #16