aws-solutions
diff --git a/‎.gitignore
Lines changed: 3 additions & 2 deletions b/‎.gitignore
Lines changed: 3 additions & 2 deletions
diff --git a/‎AWSSD-DevNotes.md
Lines changed: 6 additions & 6 deletions b/‎AWSSD-DevNotes.md
Lines changed: 6 additions & 6 deletions
diff --git a/‎AWSSD-README.md
Lines changed: 41 additions & 41 deletions b/‎AWSSD-README.md
Lines changed: 41 additions & 41 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 44 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 44 additions & 1 deletion
diff --git a/‎NOTICE.txt
Lines changed: 60 additions & 3 deletions b/‎NOTICE.txt
Lines changed: 60 additions & 3 deletions
@@ -4,9 +4,10 @@
 /deployment/regional-s3-assets/
 /deployment/setenv.sh
 /deployment/temp/
-
+/build
 # test
 /deployment/test/coverage-reports/
+requirements_dev.txt
 
 # Typescript
 /source/dist/
@@ -43,4 +44,4 @@ requirements.txt
 .idea/
 
 # system
-.DS_Store
+.DS_Store
@@ -1,16 +1,16 @@
-# SHARR v1.3.0
+# ASR v2.3.0
 
 ## How it works
 
 - Security Hub Custom Actions send selected finding events to CloudWatch Logs
-- EventBridge rules matching SHARR-supported findings send the findings to the SHARR Orchestrator
+- EventBridge rules matching ASR-supported findings send the findings to the ASR Orchestrator
 - The Orchestrator, an AWS Step Function, uses finding data to determine which account and remediation to execute, verifies that the remediation is active in that account, executes it, and monitors until completion.
 
 ### SSM Parameters
 There are N parameters that control processing under /Solutions/SO0111:
-CMK_ARN - encryption key for the AWS FSBP runbooks
+CMK_ARN - encryption key for the AWS AFSBP runbooks
 CMK_ARN - Admin account only, KMS key for solution encryption
-SNS_Topic_Arn - arn of the SHARR topic
+SNS_Topic_Arn - arn of the ASR topic
 sendAnonymizedMetrics - controls whether the solution sends metrics
 version - solution version
 
@@ -111,10 +111,10 @@ Need to enable AWS Config on all 5 accounts
 
 -   Verify it produces the expected results
 
--   Verify logging to CloudWatch LogGroup "SHARR"
+-   Verify logging to CloudWatch LogGroup "SO0111-ASR"
 
     -   Note: Lambda logs to the usual CW Logs prefix. Application data is
-        logged to SHARR.
+        logged to SO0111-ASR.
 
 -   Verify that remediated findings' workflow status is updated
 
 
@@ -5,13 +5,57 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.0] - 2025-07-16
+
+### Added
+
+- Remediations for additional control ids, see `source/playbooks/SC/lib/sc_remediations.ts` for details
+- Filtering by Account ID for automated remediation executions
+- AssumeRoleFailure step to the Orchestrator Step Function for error handling
+- Enhanced failure metric states
+- Anonymized metrics for CloudFormation parameter selections
+- SSM parameters security validation
+
+### Removed
+
+- ServiceCatalog Application Registry integration
+- Deprecated `zlib` package from CloudTrail Event Processor lambda
+- `requirements_dev.txt` from version control
+- Redundant anonymized metric publishing from check_ssm_execution lambda
+
+### Changed
+
+- Upgraded NodeJS runtime for CloudTrail Event Processor lambda from 20->22
+- Refactored member roles & remediation runbook stacks into separate files
+- Replaced resource names and references to old solution name ("SHARR") with current solution name ("ASR")
+  - Some logical IDs with references to "SHARR" were not changed to avoid breaking the update path
+  - Any KMS key names/aliases/logical IDs were left unchanged to avoid disrupting encryption.
+- Renamed error strings published by Orchestrator steps as "States" and consumed in cloudwatch_metrics.ts
+- Removed AwsSolutionsChecks from CDK build
+- Updated grouping of CloudWatch metrics parameters for clarity
+- Updated dependencies: Jinja2, Cryptography, babel, aws-cdk-lib, aws-cdk, urllib3, moto, @cdklabs/cdk-ssm-documents, jest libs
+- Support for Poetry v2
+- Refactored lambdas and runbooks for code quality
+- 'Estimated Hours Saved' dashboard widget
+- Renamed CloudFormation templates to align with current solution name: Automated Security Response on AWS (ASR)
+- Appended account ID to action log ManagementEvents S3 bucket to avoid bucket name clashing among member stack deployments with the same `namespace`
+
+### Fixed
+
+- Python handler referenced in RevokeUnusedIAMUserCredentials.yaml to match RevokeUnusedIAMUserCredentials.py
+- Remediation runbooks that rely on unstable Resources.Details finding field
+- Regular expression patterns used in runbooks to match KMS Key ARNs
+- Race condition in applogger.py when two instances of SendNotifications lambda are running in parallel
+  - Caused by lack of exception handling when log group does not yet exist
+
 ## [2.2.1] - 2025-01-27
 
 ### Changed
 
 - Modified the org-id-lookup custom resource to avoid throwing an error when the Admin stack is deployed in a non-Organization account.
 
 ### Security
+
 - Upgrade jinja2 to mitigate [CVE-2024-56201](https://avd.aquasec.com/nvd/cve-2024-56201)
 
 ## [2.2.0] - 2024-12-16
@@ -40,7 +84,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Config.1 remediation script to allow non-"default" Config recorder name
 - parse_non_string_types.py script to allow boolean values
 
-
 ## [2.1.4] - 2024-11-18
 
 ### Changed
 
@@ -21,7 +21,6 @@ This software includes third party software subject to the following copyrights:
 @typescript-eslint/eslint-plugin under the MIT License
 aws-cdk under the Apache License 2.0
 aws-cdk-lib under the Apache License 2.0
-cdk-nag under the Apache License 2.0
 constructs under the Apache License 2.0
 eslint under the MIT License
 eslint-config-prettier under the MIT License
@@ -365,7 +364,6 @@ tslib under the 0BSD license.
 natural-compare-lite under the MIT license.
 aws-cdk under the Apache-2.0 license.
 fsevents under the MIT license.
-cdk-nag under the Apache-2.0 license.
 eslint-config-prettier under the MIT license.
 eslint-plugin-header under the MIT license.
 eslint-plugin-import under the MIT license.
@@ -631,7 +629,6 @@ yargs-parser under the ISC license.
 ts-jest under the MIT license.
 bs-logger under the MIT license.
 lodash.memoize under the MIT license.
-zlib license unknown or missing
 @aws-sdk/client-cloudwatch-logs under the Apache-2.0 license.
 @aws-crypto/sha256-browser under the Apache-2.0 license.
 @smithy/is-array-buffer under the Apache-2.0 license.
@@ -838,6 +835,65 @@ types-urllib3 under the Apache-2.0 license.
 virtualenv under the MIT license.
 werkzeug under the 0BSD license.
 xmltodict under the MIT license.
+pydantic-core under the MIT license.
+pydantic-settings under the MIT license.
+python-dotenv under the BSD-3-Clause license.
+typing-inspection under the MIT license.
+pygments under the 0BSD license.
+@aws-sdk/client-cloudformation under the Apache-2.0 license.
+@aws-sdk/client-cloudwatch under the Apache-2.0 license.
+@aws-sdk/client-ec2 under the Apache-2.0 license.
+@aws-sdk/client-iam under the Apache-2.0 license.
+@aws-sdk/client-lambda under the Apache-2.0 license.
+@aws-sdk/client-sns under the Apache-2.0 license.
+@aws-sdk/client-sqs under the Apache-2.0 license.
+@aws-sdk/client-ssm under the Apache-2.0 license.
+@aws-sdk/middleware-sdk-ec2 under the Apache-2.0 license.
+@aws-sdk/middleware-sdk-sqs under the Apache-2.0 license.
+@aws-sdk/nested-clients under the Apache-2.0 license.
+@aws-sdk/util-format-url under the Apache-2.0 license.
+@smithy/middleware-compression under the Apache-2.0 license.
+fflate under the MIT license.
+@ungap/structured-clone under the ISC license.
+@rtsao/scc under the MIT license.
+call-bind-apply-helpers under the MIT license.
+es-object-atoms under the MIT license.
+get-proto under the MIT license.
+dunder-proto under the MIT license.
+math-intrinsics under the MIT license.
+call-bound under the MIT license.
+data-view-buffer under the MIT license.
+is-data-view under the MIT license.
+data-view-byte-length under the MIT license.
+data-view-byte-offset under the MIT license.
+side-channel-list under the MIT license.
+side-channel-map under the MIT license.
+side-channel-weakmap under the MIT license.
+is-set under the MIT license.
+own-keys under the MIT license.
+safe-push-apply under the MIT license.
+set-proto under the MIT license.
+stop-iteration-iterator under the MIT license.
+reflect.getprototypeof under the MIT license.
+which-builtin-type under the MIT license.
+is-async-function under the MIT license.
+async-function under the MIT license.
+is-finalizationregistry under the MIT license.
+which-collection under the MIT license.
+is-map under the MIT license.
+is-weakmap under the MIT license.
+is-weakset under the MIT license.
+@pkgr/core under the MIT license.
+@babel/helper-globals under the MIT license.
+ejs under the Apache-2.0 license.
+jake under the Apache-2.0 license.
+async under the MIT license.
+filelist under the Apache-2.0 license.
+@types/chai under the MIT license.
+@types/deep-eql under the MIT license.
+@jest/get-type under the MIT license.
+@jest/diff-sequences under the MIT license.
+@jest/pattern under the MIT license.
 
 ********************
 OPEN SOURCE LICENSES
@@ -849,3 +905,4 @@ ISC - https://spdx.org/licenses/ISC.html
 MPL-2.0 - https://spdx.org/licenses/MPL-2.0.html
 Python-2.0 - https://spdx.org/licenses/Python-2.0.html
 Unlicense - https://spdx.org/licenses/Unlicense.html
+BSD-3-Clause - https://spdx.org/licenses/BSD-3-Clause.html