Release 2025.07.31 · cisagov/cyhy_amis

Important

This is the first version for this project after sustained development.

What's Changed

Adding a MongoDB image by @jsf9k in #1
Adding terraform for mongo by @jsf9k in #2
Adding a bastion host by @jsf9k in #3
Feature/terraform for nessus by @dav3r in #4
Adding docker AMI by @jsf9k in #5
Creating a VPC for HTTPS and Trustworthy Email scanning by @jsf9k in #6
Modify VPCs to create routes, ACL rules, and security group rules as top-level entities by @jsf9k in #7
Feature/setup mongo volumes by @dav3r in #8
Feature/limit ingress networks by @dav3r in #9
Add new script to push local version of production.tfvars to the corr… by @dav3r in #10
Make the gold VPC immortal by @jsf9k in #11
Change from Mongo 4.0.0 to Mongo 3.2.20 to match version of current C… by @dav3r in #12
Feature/production recovery prep by @dav3r in #13
Add Terraform configuration for BOD 18-01 scanning by @jsf9k in #14
Add new Nmap EC2 instance to the scanner subnet by @dav3r in #16
Add VPC peering between the CyHy and BOD VPCs by @jsf9k in #15
Feature/route 53 by @felddy in #17
Provision MongoDB users via ansible by @jsf9k in #18
Fixes made while debugging BOD 18-01 scanning and report generation by @jsf9k in #19
Change code to use the cheaper r4.xlarge instance type. by @jsf9k in #20
Feature/fix nessus only setup by @dav3r in #22
Feature/egress pub by @felddy in #21
Feature/route 53 update by @felddy in #23
Improved workspace filtering by @jsf9k in #24
Install and configure CyHy runner by @jsf9k in #25
Add credentials that allow the commander to ssh to the runners but not vice-versa by @jsf9k in #26
Improve networking by @jsf9k in #27
Add systemd unit files for cyhy-runner and cyhy-commander by @jsf9k in #28
Improvement/egress cloudfront by @felddy in #29
The Nessus host is not systemd by @jsf9k in #30
Create /etc/cyhy and move commander.conf into the new dir by @KyleEvers in #31
Feature/internal dns by @felddy in #33
Disallow the manual Nessus instances from being deleted by @jsf9k in #32
Bugfix/add cyhy commander conf by @dav3r in #34
Improvement/dhcp options by @felddy in #35
add public DNS entry for the bastion host by @felddy in #37
fix bastion record being created in wrong zone by @felddy in #38
Improvement/simplify bod rules by @jsf9k in #36
add prevent_destroy to very important zones by @felddy in #39
Add support to query all regions for public IPs instead of just one by @felddy in #40
Allow the bastion to reach the mongo host via the mongo port by @jsf9k in #41
Added empty ssh config for commander and added scanners in commander … by @KyleEvers in #42
add new role to configure login banners by @felddy in #43
Feature/create places collection by @dav3r in #44
Use a more customized mongo config file, similar to our previous Prod… by @dav3r in #45
Bugfix/make mongo great again by @dav3r in #46
Allow the Nessus UI port (8834) to be tunneled through the bastion by @jsf9k in #47
Automate setup of Nessus hosts by @jsf9k in #50
Beefier instance types and root disks for production by @jsf9k in #51
Increase size of root volume for nessus by @dav3r in #53
Only update plugins and rebuild database when previously unregistered by @jsf9k in #54
Improvement/production changes by @dav3r in #55
Ramp up number of jobs per nmap and nessus host by @dav3r in #57
Double number of jobs per nmap and nessus host by @dav3r in #59
Install htop for all AMIs by @jsf9k in #60
Double number of jobs per nmap and nessus host again by @dav3r in #61
Add an Ansible role for expanding the ephemeral port range by @jsf9k in #62
Add nightly cron job to update database with latest NVD data by @dav3r in #63
Add cron jobs for BOD 18-01 scanning and sending of BOD 18-01 reports by @jsf9k in #64
Add flow logs that can be turned on or off via a variable by @jsf9k in #65
Import base nessus policy by @KyleEvers in #67
Add instance for CyHy reporting by @jsf9k in #68
Improvement/persist active nmap instance scans by @dav3r in #69
Grab the master report password from S3 and add it to cyhy.conf by @jsf9k in #70
Pipe (cron) cyhy-nvdsync output to /usr/bin/logger so it ends up in /… by @dav3r in #71
Improvement/better egress pub by @felddy in #72
Various changes for Production based on our testing by @dav3r in #66
Improvement/swap role by @felddy in #77
Improvement/consolidate commander and mongo ami by @dav3r in #80
Build nmap from latest source by @jsf9k in #79
Install ncats-webd alongside cyhy-reports by @jsf9k in #78
Improvement/add persistent data volume for nessus by @dav3r in #81
add registrations and conditionals to swap creation tasks by @felddy in #83
Add cyhy_ops user to the bastion by @jsf9k in #84
Operations/add production scanners by @dav3r in #85
Add cyhy_logrotate ansible role. by @jsf9k in #90
Improvement/dry provisioning by @felddy in #86
Fix reporting cron jobs by @jsf9k in #93
Feature/add cyhy archive job by @dav3r in #94
Networking changes for FTP by @jsf9k in #95
Operations/upgrade mongo by @dav3r in #96
Add Ansible changes that were dropped by @jsf9k in #97
Fix a typo by @jsf9k in #98
Remove unnecessary ACL rule by @jsf9k in #99
Add DNS for the BOD VPC by @jsf9k in #100
Fix cron jobs by @jsf9k in #101
Better handling of different Linux distros by @jsf9k in #102
Operations/upgrade to mongo 3.6 by @dav3r in #103
Install nmap via package manager by @jsf9k in #104
Remove now-unused commander Packer json by @jsf9k in #105
Minor tweaks by @jsf9k in #106
Correct comment by @jsf9k in #107
Add a README to the terraform directory. by @jsf9k in #108
Only create cron jobs in production workspaces by @jsf9k in #109
Add volumes for CyHy and BOD reports by @jsf9k in #110
Improvement/mongo commander on debian stretch by @dav3r in #111
Prefer package to apt where possible by @jsf9k in #112
Allow for variable device names by @jsf9k in #115
The root filesystem for the BOD Docker instance needs to be larger by @jsf9k in #114
Minor improvements by @jsf9k in #117
No more static IPs for the CyHy VPC by @jsf9k in #118
Persist journald logs across reboots by @jsf9k in #120
Don't apply journald tweak to the Nessus instance by @jsf9k in #121
Increase root volume sizes by @jsf9k in #122
Improvement/eips and nat gateways by @dav3r in #119
Use pip3 to pull docker-compose by @jsf9k in #123
Add cyhy-mailer to cyhy reporter AMI by @jsf9k in #124
Add elastic IPs to egress_pub script by @dav3r in #125
Only check for 'prod' in workspace name, rather than 'production'. by @dav3r in #126
Add prod-b workspace to configure.py by @dav3r in #127
Cyhy feeds by @KyleEvers in #128
Break out cyhy-core install and retrieval of GitHub OAuth token into roles by @jsf9k in #130
Make more use of ansible dependencies by @jsf9k in #131
List chown_cyhy_dirs as a dependency for several roles by @jsf9k in #132
Update dependency syntax by @jsf9k in #134
Move some stuff around between cyhy-feeds Ansibles by @jsf9k in #133
Use GitHub OAuth role from GitHub by @jsf9k in #135
Improvement/flow logs for all by @dav3r in #136
Modify the prevent_destroy toggle script for OSX by @jsf9k in #137
Add TravisCI config by @jsf9k in #138
Use the htop Ansible role in GitHub and remove the local one by @jsf9k in #139
Remove local cyhy_logrotate role and use the one in GitHub instead by @jsf9k in #140
Add ansible-galaxy command to terraform README by @jsf9k in #141
Use the banner Ansible role from GitHub instead of the local one by @jsf9k in #142
Add missing route table association by @jsf9k in #143
Improvement/remove nat gateways by @dav3r in #145
Improvement/use contiguous cidr block by @dav3r in #146
Disable the CyHy reporting cron job (for now). by @jsf9k in #147
Cyhy dashboard by @KyleEvers in #149
Merge feeds into mongo by @KyleEvers in #150
Remove stray mode line by @jsf9k in #151
add cd to directory of script because the script expects the output d… by @KyleEvers in #152
add trustymail, pshtt, and sslyze data to cron job by @KyleEvers in #155
Move to newer instance types by @jsf9k in #156
Remove file that is no longer used by @jsf9k in #158
Upgrade mongo instance type by @jsf9k in #159
Improvement/mongo log rotation by @dav3r in #160
Bugs and fixes encountered whilst switching to prod-a by @jsf9k in #161
Add test Qualys CIDR blocks by @dav3r in #164
Change root volume size from 20gb to 100gb by @KyleEvers in #166
Bugfix/feeds cronjob only in prod by @KyleEvers in #168
Move creation of the Mongo run directory from the second Ansible to the Mongo unit file by @jsf9k in #169
Update Qualys CIDR blocks by @dav3r in #170
A bit of cleanup by @jsf9k in #171
add assessments read user to cyhy conf by @KyleEvers in #172
add assessments section to cronjob and change bod name to scan by @KyleEvers in #173
Change public zones from cyber.dhs.gov to ncats.cyber.dhs.gov. by @jsf9k in #174
Add logging to cyhy-feeds cronjob by @KyleEvers in #175
Put public zone back to cyber.dhs.gov and append ncats... by @dav3r in #176
Improvement/use nessus 8 by @dav3r in #163
Update License to true CC0 text by @KyleEvers in #177
Create Management VPC by @dav3r in #178
Lambda functions executing in BOD VPC behind a NAT gateway by @jsf9k in #153
Use boto3 for sending emails instead of connecting to SMTP directly by @jsf9k in #154
Pull Lambda zips from an S3 bucket instead of from the local filesystem by @jsf9k in #179
Fix some bugs discovered when applying to production by @jsf9k in #180
change url that feeds is pulled from and remove github auth by @KyleEvers in #181
Fix build badge URL by @jsf9k in #182
Increase jobs-per-nessus-host from 16 to 32 by @dav3r in #183
Remove explicit touch command by @jsf9k in #185
Use instance role for cyhy-feeds instead of explicit user creds by @jsf9k in #184
Allow the user to specify docker-compose override files by @jsf9k in #186
Improvement/more dynamic mgmt vpc by @dav3r in #187
Fix LGTM and flake8 warnings by @jsf9k in #188
Move LGTM directive to the correct line by @jsf9k in #189
Allow Amazon certs in CAA record by @jsf9k in #190
Add code-gov-update to BOD Docker instance by @jsf9k in #191
Add some scripts to aid in deploying frequently-deployed resources by @jsf9k in #192
Add workspace support to scripts by @jsf9k in #194
Add client cert update by @jsf9k in #193
Move the client cert cron job to 5AM UTC on Tuesdays by @jsf9k in #195
Add cloud-init code to set hostnames to match private DNS entries by @jsf9k in #196
Docker ansible role separation by @KyleEvers in #197
Move python and pip Ansible roles to their own repos by @jsf9k in #198
Remove the dhs-nccic organization from the scraper configuration by @jsf9k in #200
Allow DNS resolution across the CyHy and BOD VPCs by @jsf9k in #199
Move secrets from S3 to SSM by @jsf9k in #201
Add assessment data import lambda by @dav3r in #202
Move Packer Ansible roles to their own GitHub repos by @jsf9k in #203
Add runbook: 'How to Redeploy All Instances' by @dav3r in #207
Add cron job on reporter to create and email daily CyHy notifications by @dav3r in #204
Get rid of some Ansible warnings by @jsf9k in #208
Update script location for daily CyHy notification cron job by @dav3r in #209
Add new team member as a privileged user by @dav3r in #210
Update for use with Terraform 0.12 by @jsf9k in #211
change webui service to only restart on failure and increase restart … by @KyleEvers in #212
Update script for Terraform 0.12 by @jsf9k in #213
Add a workaround for a bug related to empty lists by @jsf9k in #214
Go back to using cloudposse/terraform-null-ansible by @jsf9k in #215
Fix deploy script by @jsf9k in #216
Deploy script improvements by @dav3r in #217
Update splat syntax by @jsf9k in #218
Use CyHy EIPs for "manual" Nessus scanners by @dav3r in #219
Increase retry count in nessus_base.py by @dav3r in #221
Cyhy feeds/remove cyhy core dependency by @mcdonnnj in #220
Add new script for redeploying the database instance by @dav3r in #222
Fix typo in URI for scan_reader.yml configuration. by @mcdonnnj in #223
Remove explicit installation of Docker by @jsf9k in #224
Encrypt root volumes and delete them on termination by @jsf9k in #225
Specify the default KMS key for each region by @jsf9k in #226
Update .travis.yml by @dav3r in #229
Revert "Specify the default KMS key for each region" by @dav3r in #227
Add mongo bucket permission by @mcdonnnj in #228
Add missing tf targets to database AMI deploy script by @dav3r in #230
Fix busted Nessus ansible provisioner by @dav3r in #231
Add --cleanup-aws switch to the cyhy-feeds cron job. by @mcdonnnj in #232
Remove deprecated aws_flow_log argument by @dav3r in #233
New re-deployment scripts for CyHy and BOD bastion instances by @dav3r in #234
Update README with management VPC info by @dav3r in #237
Management VPC private DNS lookups from CyHy and BOD VPCs by @dav3r in #238
Fix Nessus being Stopped Whenever the Terraform Nessus Role is Run by @mcdonnnj in #239
Correct Nessus key check regex. by @mcdonnnj in #241
Remove reference to packer/feeds.json in README by @dav3r in #242
Fix for changed functionality in Terraform 0.12.12 by @mcdonnnj in #243
Increase production data volume to 1TB by @jsf9k in #245
Add findings import lambda to terraform by @mcdonnnj in #240
Add deploy_new_adi_lambda script by @dav3r in #246
Fix cyhy-feeds cron job by @mcdonnnj in #247
Increase Production jobs-per-nessus-host in commander config by @dav3r in #248
Terraform Fixes for the Management VPC by @dav3r in #249
Add Missing Portscan Instance to cyhy-commander Configuration by @mcdonnnj in #250
Increase nmap Instance Swap Size from 2GiB to 4GiB by @mcdonnnj in #251
Beefier Dashboard Instance by @dav3r in #252
Add deploy_new_fdi_lambda Script and Bump Python Environment Version for the fdi lambda by @mcdonnnj in #253
Update issue ref for Terraforms continued lack of support for module iteration by @felddy in #254
Use the COOL DNS account for sending emails via SES by @jsf9k in #255
Update public DNS records in COOL-hosted zone by @dav3r in #257
Fix deploy_new_database_ami.sh by @dav3r in #258
Use the dmarc-import Elasticsearch database in the COOL DNS account by @jsf9k in #259
Change policy to allow assumption of a role by @jsf9k in #260
Increase next-scan-limit for CyHy commander by @dav3r in #261
Specify Nessus bucket name when calling ansible-role-nessus by @dav3r in #262
Fix email sending for code_gov_update and client_cert_update projects by @jsf9k in #263
Revert "Tighten file permissions" commit by @jsf9k in #265
Update Dev Team Sudoers by @mcdonnnj in #266
Create rules page specific to web application scanning by @jsf9k in #267
Add Dashboard Deploy Script and Add Rule to Database Deploy Script by @mcdonnnj in #268
Update Portscan Deployment Script to Support Sequential Instance Range by @mcdonnnj in #269
Increase Portscan Instance Count to 72 by @mcdonnnj in #270
Increase timeout when rebuilding Nessus plugin database by @dav3r in #271
Add a missing SG rule for the Management vulnscanner by @dav3r in #273
Explicitly set owner of authorized_keys file for SSH ops user by @dav3r in #275
Explicitly set owner of authorized_keys file for SSH mgmt ops user by @mcdonnnj in #276
Remove Unnecessary Private Repository Usage by @mcdonnnj in #277
Update WAS IPs for Rules Page by @mcdonnnj in #278
Tweak scraper configuration by @jsf9k in #280
Update Terraform Version Pinnings by @mcdonnnj in #283
Add monthly cyhy redeploy issue template by @hillaryj in #281
Fix pymongo Version and File Permission by @mcdonnnj in #287
Increase volume sizes on reporter instance by @dav3r in #288
Update bastion Image to build on Debian Buster by @mcdonnnj in #286
Fix portscan Instance Deploy Script by @mcdonnnj in #289
Add vulnscan (Re)Deploy Script by @mcdonnnj in #291
[HOLD] Migrate portscan and vulnscan Instances to Debian Buster by @mcdonnnj in #292
Run the terraform_fmt pre-commit Hook by @mcdonnnj in #295
Increase Portscanner Capacity by @mcdonnnj in #299
Add cisagov/.github ISSUE_TEMPLATE Files by @mcdonnnj in #300
Initial Integration of skeleton-generic by @mcdonnnj in #302
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #306
Add a Fourth vulnscan Instance to the Production Environment by @mcdonnnj in #307
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #311
Update Python Requirements by @mcdonnnj in #314
Account for Non-existent Instance IDs in Scanner Deploy Scripts by @mcdonnnj in #316
Add ClamAV to CyHy Images by @mcdonnnj in #317
Import public GPG key for NCPS Analytics Environment by @dav3r in #318
Add HSTS and other security headers to egress IP CloudFront distribution by @jsf9k in #320
Update Development Team SSH Keys by @mcdonnnj in #321
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #323
Update the Redeployment Template by @mcdonnnj in #328
Remove Departed Team Member from Configuration Script by @mcdonnnj in #330
Use the python3.8 Runtime for the assessment-data-import λ by @mcdonnnj in #329
Bump t3.micro Instance Usage to t3.small by @mcdonnnj in #331
Fix Variable Usage in Shell Task by @mcdonnnj in #332
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #333
Enable Python pre-commit Hooks by @mcdonnnj in #334
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #335
Upgrade Terraform Version Used from 0.12 to 0.13 by @mcdonnnj in #336
Lineage pull request for: skeleton by @cisagovbot in #337
Upgrade Terraform Version Used from 0.13 to 0.14 by @mcdonnnj in #338
Upgrade Terraform Version Used from 0.14 to 1.0 by @mcdonnnj in #339
Enable the markdownlint Hook in the pre-commit Configuration by @mcdonnnj in #340
Start daily CyHy notifications cron earlier by @dav3r in #341
Enable shell-lint Hook for pre-commit and Re-Organize cloud-init Files by @mcdonnnj in #342
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #343
Bump transcend-io/lambda-at-edge/aws from 0.0.2 to 0.3.1 in /terraform_egress_pub by @dependabot[bot] in #344
Bump up the reporter instance type from c5.2xlarge to c5.4xlarge by @jsf9k in #345
Add CyHy manual scanner IP by @dav3r in #347
Bump transcend-io/lambda-at-edge/aws from 0.3.1 to 0.4.0 in /terraform_egress_pub by @dependabot[bot] in #349
Bump dashboard from c5.large to c5.xlarge by @dav3r in #350
Fix Lambda logging functionality by @mcdonnnj in #351
Change WAS IPs by @st0rmbl3ss3d in #353
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #354
Update ansible requirement from <5,>=2.10 to >=2.10,<6 by @dependabot[bot] in #352
Update configuration to fix Packer image building by @mcdonnnj in #360
Refresh Terraform related documentation by @mcdonnnj in #361
Use the default_tags provider argument by @mcdonnnj in #355
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #367
Reorganize Terraform variables.tf files by @mcdonnnj in #383
Add variables to control the AMI prefix(es) used by @mcdonnnj in #384
Update production workspace handling by @mcdonnnj in #389
Lineage pull request for: skeleton by @cisagovbot in #393
Add a new page for the STRIGA IPs by @jsf9k in #392
Upgrade volumes to gp3 and io2 by @jsf9k in #346
Lineage pull request for: skeleton by @cisagovbot in #395
Add an Ansible task to install a cyhy-kevsync cron job by @jsf9k in #396
Increase Nessus production root disk size to 200 GB by @dav3r in #408
Add VDP scanning to the legacy CyHy environment by @mcdonnnj in #407
Refactor Route53 resources in the terraform/ configuration by @mcdonnnj in #409
Add CloudWatch alarm notifications for certain failed data ingestion processes by @jsf9k in #394
Add AWS-specific Ansible roles to our Packer configuration by @mcdonnnj in #410
Add automatic security updates to AMIs by @mcdonnnj in #411
Add cisagov/ansible-role-geoip2 to the Packer configuration by @mcdonnnj in #412
Add the CodeQL GHA workflow from cisagov/skeleton-python-library by @mcdonnnj in #413
Fix bug in CloudWatch metric alarm code by @dav3r in #414
Update deployment scripts by @mcdonnnj in #421
Build AMIs with dev team ssh access by @mcdonnnj in #420
Add explicit dependencies for the terraform/ configuration by @mcdonnnj in #422
Update the cloud-init for setting instance hostnames by @mcdonnnj in #424
Fix broken NVD and KEV sync failure alarm code by @jsf9k in #423
Add an EBS volume to store VDP output by @mcdonnnj in #428
Ensure mongo instance cloud-init scripts run in the necessary order by @mcdonnnj in #429
Fix EBS volume destruction by @mcdonnnj in #427
Fully configure Nessus assessment policy SMTP settings by @mcdonnnj in #434
Increase volume sizes on reporter and vulnscan instances by @dav3r in #435
Update the Ansible provisioner settings in our Packer configuration by @mcdonnnj in #441
Ensure filesystems are mounted before performing a chown on them by @jsf9k in #436
Adjust the cloud-init that chowns directories by @mcdonnnj in #446
Update the version of Nessus installed on nessus AMIs by @mcdonnnj in #460
Add 4 additional vulnscan instances in commander.conf by @dav3r in #471
Reduce to 6 vulnscan instances in commander.conf by @dav3r in #477
Update current CyHy manual egress IPs by @dav3r in #487
Remove the helper scripts for managing tfvars files by @mcdonnnj in #488
Enable the docker-pre-commit hook by @mcdonnnj in #489
Use larger, compute-optimized vulnscanner instances by @dav3r in #539
Configure advanced vulnscan settings by @dav3r in #540
Install Python 2 where appropriate, and remove it elsewhere by @jsf9k in #451
Use a file to store the configuration to access the Nessus API by @mcdonnnj in #542
Use the next size up instance type for the reporter instance by @mcdonnnj in #543
Modernize the Ansible roles used in the Terraform configuration by @mcdonnnj in #478
Dynamically populate the nmap and nessus hosts in the commander configuration by @mcdonnnj in #544
Explicitly set the id for the cyhy user and group by @mcdonnnj in #559
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #560
Upgrade Lambda runtime and Terraform module by @jsf9k in #578
Finalize replacing LGTM with CodeQL by @mcdonnnj in #588
Update adi and fdi lambda configurations by @mcdonnnj in #587
Update the Lambda bucket notification resource names by @mcdonnnj in #593
Add an additional resource to the adi and fdi Lambda deployment scripts by @mcdonnnj in #594
Update the Python runtime used by BOD 18-01 Lambdas by @mcdonnnj in #608
Update Ansible role metadata by @mcdonnnj in #613
Lineage pull request for: skeleton by @cisagovbot in #614
Add RAF IPs to egress list by @dav3r in #619
Add five additional RAF IPs to the egress list by @dav3r in #624
Move cyhy user creation to AMI build time by @mcdonnnj in #640
Update Debian versions used for AMIs by @mcdonnnj in #641
Fix issue with setting up MongoDB users by @mcdonnnj in #642
Lock down the Instance Metadata Service for all EC2 instances by @mcdonnnj in #643
Update the Parameter Store path for the GitHub token used for running cisagov/code-gov-update by @mcdonnnj in #644
Update the version of Nessus Professional used on vulnscan instances by @mcdonnnj in #645
Update code to use the "docker compose" syntax vice "docker-compose" by @jsf9k in #461
Add notifications for findings-data-import Lambda processing failures by @mcdonnnj in #646
Refactor the Ansible playbooks used by the Packer configurations by @mcdonnnj in #648
Refactor some IAM policies by @mcdonnnj in #649
Increase texmf buffer size for reporter by @jsf9k in #550
Update the cisagov/ansible-role-cyhy-reports configuration by @mcdonnnj in #652
Run cisagov/cyhy-feeds using Python 3 by @mcdonnnj in #653
Break out S3 bucket settings using backported resources by @mcdonnnj in #654
Start daily CyHy notifications cron earlier (0600 UTC) by @dav3r in #655
Lineage pull request for: skeleton by @cisagovbot in #638
Additional alphabetization in Python scripts by @mcdonnnj in #656
Update boto3 and botocore installation on Debian Buster by @mcdonnnj in #657
Refactor BOD 18-01 Lambda configuration by @mcdonnnj in #658
Enforce S3 object ownership and add missing lifecycle rule for S3 buckets by @mcdonnnj in #659
Sort the keys in Ansible requirements files by @mcdonnnj in #660
Remove Old Nexpose Source IP and Add Nessus IP by @KeithBonesJr in #664
Lineage pull request for: skeleton by @cisagovbot in #661
Add the ability to configure the cyhy-commander's next-scan-limit value by @mcdonnnj in #663
Bump production portscan instances from t3.small to t3.medium by @mcdonnnj in #667
Tear down Docker composition before bringing it up again by @jsf9k in #666
Add the ability to configure the cyhy-commander's jobs-per-*-host values by @mcdonnnj in #669
Update old email addresses by @mcdonnnj in #670
Allow HTTPS egress for bastion instances by @mcdonnnj in #671
Cleanup the Ansible roles defined in this project by @mcdonnnj in #672
Increase report data volume size on reporter instance by @dav3r in #673
Use the new cisagov/cyhy-lambda-bucket-terraform S3 bucket by @mcdonnnj in #674
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #675
Update Ansible requirements files by @mcdonnnj in #689
Fix variable usage for Ansible roles in the Packer configuration by @mcdonnnj in #694
Add a post-deployment Ansible provisioner for the BOD bastion by @mcdonnnj in #699
Alphabetize the Ansible provisioner modules in the Terraform configurations by @mcdonnnj in #700
Update the Terraform AWS provider version constraint from ~> 3.75 to ~> 4.9 by @mcdonnnj in #713
Add a configuration file for terraform-docs by @mcdonnnj in #719
Move the use of cisagov/ansible-role-cyhy-feeds into its own playbook by @mcdonnnj in #720
Create the /etc/cyhy directory at AMI build time by @mcdonnnj in #721
Consolidate CyHy Lambda security groups by @mcdonnnj in #722
Update the security header Lambda's runtime to Node 18 by @jsf9k in #738
Fix the rules publication Terraform configuration by @mcdonnnj in #742
Upgrade select CyHy instances from Debian Bullseye to Debian Bookworm by @mcdonnnj in #746
Start orchestrator 12 hours earlier (noon UTC on Friday) by @dav3r in #748
Create CSA region-to-email mapping YAML file for cisagov/cyhy-mailer by @jsf9k in #749
Update Ansible version pin by @mcdonnnj in #752
Lineage pull request for: skeleton by @cisagovbot in #747
Remove suffix from the argument to the sleep command by @mcdonnnj in #754
Remove the assessment-data-import Lambda configuration by @mcdonnnj in #755
Fix incorrect module usage in the cyhy_mailer Ansible role by @mcdonnnj in #756
Remove legacy Terraform configurations by @mcdonnnj in #788
Remove client certificate results sending by @mcdonnnj in #787
Increase the timeout for the Nessus plugin database rebuild by @mcdonnnj in #811
Change the EC2 instance type for the production CyHy bastion by @mcdonnnj in #812
Stop forcing the use of Python 2 when building AMIs by @mcdonnnj in #814
Upgrade the production vulnscanner EC2 instance type by @mcdonnnj in #815
Lineage pull request for: skeleton by @cisagovbot in #780
Update Ansible related pins by @mcdonnnj in #781
Update dependency to the new cisagov/ansible-role-manage-thp role by @mcdonnnj in #813
Install and configure systemd-resolved on Bookworm AMIs by @mcdonnnj in #818
Adjust the upgrade.yml Ansible playbook in the Packer configuration by @mcdonnnj in #819
Update for changes to cisagov/ansible-role-geoip2 by @mcdonnnj in #817
Update the CodeQL GitHub Actions workflow by @mcdonnnj in #820
Prefer long options for command line tool calls by @mcdonnnj in #821
Turn information about the cyhy user into a Terraform variable by @mcdonnnj in #822
Prefer true/false to yes/no in Ansible configurations by @mcdonnnj in #823
Add functionality to overwrite the CloudWatch Agent configuration file by @mcdonnnj in #825
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #830
Remove two unused Terraform variables by @mcdonnnj in #833
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #838
Specify all variables as non-nullable by @dav3r in #843
Revert "Create CSA region-to-email mapping YAML file for cyhy-mailer" by @dav3r in #846
Create a databricks user and key with read-only access to the MOE bucket by @dav3r in #855
Increase size of the root and data volumes for the CyHy reporter instance by @jsf9k in #857
Use symbolic permissions in Ansible code by @mcdonnnj in #858
Update the aws_ssm lookup module reference to a fully qualified collection name by @mcdonnnj in #860
Modernize the Packer template in this repository by @mcdonnnj in #835
Bump cisagov/pre-commit-packer from 0.3.0 to 0.3.1 by @mcdonnnj in #862
Copy README content into the Packer template README by @mcdonnnj in #861
Bake Packer Ansible requirements installation into the template by @mcdonnnj in #863
Add an ARM64 build configuration for the bastion AMI by @mcdonnnj in #864
Point to the Packer template README in the repository README by @mcdonnnj in #865
Normalize the Packer template by @mcdonnnj in #866
Add an ARM64 build configuration for the nmap AMI by @mcdonnnj in #867
Update the terraform-docs configuration by @mcdonnnj in #869
Adjust Terraform variable formatting by @mcdonnnj in #870
Use the Debian Archive on Buster by @mcdonnnj in #872
Correct quote usage in YAML files by @mcdonnnj in #873
Move SSM Parameter Store lookups out of the Packer Ansible configuration by @mcdonnnj in #868
⚠️ CONFLICT! Lineage pull request for: skeleton by @cisagovbot in #856
Use a GitHub token for Packer when running pre-commit by @mcdonnnj in #876
Simplify how PTR records are constructed by @mcdonnnj in #877
Use calendar versioning for the project by @mcdonnnj in #878

New Contributors

@jsf9k made their first contribution in #1
@dav3r made their first contribution in #4
@felddy made their first contribution in #17
@KyleEvers made their first contribution in #31
@hillaryj made their first contribution in #281
@cisagovbot made their first contribution in #306
@dependabot[bot] made their first contribution in #344
@st0rmbl3ss3d made their first contribution in #353
@KeithBonesJr made their first contribution in #664

Full Changelog: https://github.com/cisagov/cyhy_amis/commits/2025.07.31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2025.07.31

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

What's Changed

New Contributors

Contributors

Uh oh!