v1.11.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(backoff): added ability to configure number of retries and starting backoff

Fixed

• fix(asea): batch s3 mapping writes
• fix(config): remove deprecated field
• fix(config): fix sagemaker runtime feature store in all enabled
• fix(eventbus): add service linked roles to policy condition
• fix(logging): removed wildcard from central log bucket for management access role
• fix(networking): fixed hosted zones for sagemaker vpc endpoints
• fix(networking): fix asn property type in creat dx gateway lambda

Changed

• chore(security): fix CVE-2022-29526 in esbuild
• chore(security): fix execa GMS-2020-2 vulnerability

v1.11.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(asea): use only accounts from accounts config to write mapping
• fix(asea): error in network association stack security groups associated with RAM shared subnets/vpc
• fix(config): fixing default behavior for Managed Config Rule scopes
• fix(constructs): service linked role missing permissions
• fix(kms): changed cwl cmk condition
• fix(networking): fixed lookup failure on eni 0 when adding new routes for FW
• fix(orgs): update partition support
• fix(throttle): reduced max number of retry attempts to 7

v1.11.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Advanced CloudFormation Stacksets Operational Control:

This new feature enables the option to specify operational preferences such as region order, max concurrency, and concurrency mode to StackSets in the customizations stage (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-operationpreferences.html).

Chatbot Policies Integration with Organizations:

This release adds support for Chatbot Policies through the Organizations config file. Chatbot policies allow you to control access to an organization's accounts from chat applications such as Slack and Microsoft Teams(https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-orgs-policy.html).

Enhanced CloudWatch Log Replication to S3:

This release provides the ability to specify a log file extension for CloudWatch Logs that are replicated to S3 via Firehose. This functionality allows for improved log file organization, identification, and a better SIEM integration experience.

Added

• feat: add eks-auth endpoints to hosted-zone
• feat(customizations): add feature to set custom admin and execution roles for custom stacksets
• feat(customizations): add operational preferences support or stacksets customization
• feat(doc): add package dependency section in typedoc
• feat(eventbus): add support for default event bus resource policy
• feat(iam): create IAM user without console access
• feat(lambda): add lambda runtime to the construct props and default to Node 18
• feat(logging): provide file extension to CloudWatch log replicated files in S3
• feat(networking): allows the option of specifying a network firewall policy arn
• feat(organizations): add support for chatbot policies
• feat(pipeline): add feature to parallelise synth and diff operations
• feat(pipeline): add feature to reuse synth for all deploy actions
• feat(pipeline): add feature to consolidate all diffs and generate URL for review in Review stage
• feat(pipeline): add feature to deploy LZA solution region by region
• feat(test): add api assertion to integration testing
• feat(validation): validating that order of CIDRs is not changed

Fixed

• fix: added missing imports to test file
• fix: Disable management events for Lambda & S3 Cloudtrail event selectors
• fix: hosted zone DNS for Sagemaker VPC Endpoints
• fix: updated GitHub action target
• fix(account): remove partition checks for account creation in prepare stack
• fix(assets): add local account for ssm parameters to assets policy
• fix(build): fixing naming scheme of installer templates
• fix(config/validation): make account email comparisons case insensitive
• fix(config-service): only record global resources in home region
• fix(config-service): exclude global resources from recorder except in home region
• fix(control-tower): update landingzone fails for non-default security ou name
• fix(docs): change macie api version
• fix(globalConfig): provide required permissions for subscriptions
• fix(iam): add supported partition for service linked roles
• fix(identity-center): checks if a user or group exists when building assignments
• fix(installer): fix management account bootstrap failed when using external pipeline
• fix(logging): add log stream arn for SubscriptionFilterRole IAM Policy
• fix(logging): fixed permissions on custom resource for when cloudwatch encryption is enabled in global-config
• fix(logging): incorrect managed policy for imported elb access log bucket
• fix(logging): updated kms key for imported asset bucket
• fix(macie): unable to publish sensitive data findings to security hub
• fix(networking): add conditions to trust policy for DescribeTgwAttach IAM Role
• fix(networking): add conditions to trust policy for VpcPeering IAM Role
• fix(networking): fixes ssm parameter name format
• fix(networking): trust policy for tgw peering multiple acceptors to single requestor account
• fix(organizations): create ou's in all partitions with exceptions
• fix(resolver): correctly identify custom domain list filename
• fix(s3): imported elb bucket policy attachment failed
• fix(uninstaller): correct syntax for debug log
• fix(validation): make case insensitive comparisons when validating email addresses
• fix(warning): removes unreachable code that results in warning

Changed

• chore: bump version to v1.11.0
• chore: change viperscan from cli to wget
• chore(cli): modify cli signature
• chore(documentation): create lza module documentation
• chore(modules): add config parsing module lza-config
• chore(modules): add aws-lza package for ct module and lza cli
• chore(test): updated tests for stack creation
• chore(testing): moves construction of stacks from test bootstrap into test run

Configuration Changes

• chore(cn): remove cn sample configuration directory
• chore(sample-config): add kms key disable rotation prevention control in sample config
• chore(sample-config): add kms delete policy to scp in sample config
• chore(sample-config): add transit gateway and ram share protection in sample config
• chore(sample-config): externalize healthcare configurations

Full Changelog: v1.10.0...v1.11.0

v1.10.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(metadata): accelerator metadata lambda times out without error
• fix(docs): resolve broken links in mkdocs
• fix(route53): fix hosted zone DNS for Sagemaker VPC Endpoints
• fix(route53): fix hosted zone DNS for EKS-Auth VPC Endpoints
• fix(pipeline): bootstrap stage failed silently
• fix(organizations): fix enabled controls cfn throttling

v1.10.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Performance Improvements

This release includes significant performance improvements to the overall runtime of the LZA pipeline.

feat(performance): changed transpiler to swc - We have replaced the default typescript transpiler for the LZA to use SWC. This enhancement can reduce the overall runtime of the LZA pipeline depending on the amount of accounts and environments that need to be synthesized and deployed. Customers who have a small amount of accounts and enabled regions managed by the LZA will see the greatest benefit from this change.

fix(bootstrap): batched bootstrap checks - We have changed the bootstrapping process to batch api calls that check to see if the bootstrapping stack needs to be updated. This substantially speeds up the bootstrapping stage when an update to the bootstrapping stack does not need to be performed. Customers who have a large amount of accounts and enabled regions will see the greatest benefit from this change

VPC CIDR Ordering

The Landing Zone Accelerator allows customers to provide a list of CIDR ranges when creating Amazon Virtual Private Clouds (VPCs). This release has updated our documentation to specify that the ordering of provided CIDR ranges in the network-config.yaml file should be maintained when adding or removing additional CIDRs. The first entry in the list is mapped to the CidrBlock CloudFormation property which results in replacement of the resource when modified.

New Configuration Repository Location Parameter Option for Installation

New LZA Installations:
This release provides the opportunity for new installations to leverage AWS CodeConnections to use GitHub, GitLab, or Bitbucket for storing the LZA configuration files. This supplements existing options including AWS CodeCommit and Amazon S3 to provide even more flexibility when integrating LZA operations into existing workflows.

Added

• feat(networking): add support for TLS1.3 security policy for ALB and NLB listener
• feat(performance): changed transpiler to swc
• feat(pipeline): add codeconnection as configuration source
• feat(regions): add support for the ap-southeast-5 opt-in region
• feat(regions): add feature to enable opt-in regions programmatically
• feat(s3): add error handling and validation for s3 config
• feat(s3): add feature flag parameter use-s3-source for S3 as LZA source code location
• feat(stacksets): added support for dependencies between stacksets
• feat(uninstaller): deleted s3 repo in uninstaller
• feat(yarn): add ability to use .yarnrc to use custom package registry and ca-certs

Fixed

• fix(bootstrap): batched bootstrap checks
• fix(control-tower): updated boolean logic to get LZ identifier
• fix(custom-stacks): loaded replacement values during custom stack deployment
• fix(diff): parse error during diff
• fix(firewalls): fix firewall owner lookup when deployed in shared VPC
• fix(iam): add cdk feature flag to minimize iam policy
• fix(iam): use same form of service principal in all partitions: .amazonaws.com
• fix(logs): refactored NewCloudWatchLogEvent to ignore LZA-managed log groups
• fix(metadata): fixed config file writes with codecommit
• fix(organizations): failure when 5 SCPs with allow-list strategy option is defined
• fix(organizations): update organizations module to handle nested ou's correctly
• fix(prerequisites): checks forces child accounts to have CodeBuild parallel executions
• fix(replacements): accel_lookup variable not getting replaced for all the occurrences
• fix(s3): fix s3 bucket name constructs for imported buckets
• fix(s3): fixed issue where s3 bucket as source did not support a KMS-encrypted bucket
• fix(s3): default asset bucket name to home region
• fix(s3): add methods to construct imported bucket
• fix(ssm): updated session manager role to allow kms permissions in all enabled regions
• fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
• fix(uninstaller): include deletion of IdentityCenter and ResourcePolicyEnforcement stacks

Changed

• chore: remove cdk 2.148.0 dependencies
• chore: suppress node warnings on synth
• chore: update typedoc to v0.26.7
• chore: updated cdk version
• chore: updated deps @types/jest v29.5.12 aws-sdk v3.637.0
• chore: upgrade aws sdk to v2.1691.0
• chore: upgrade lerna to v8.1.8
• chore(cfn-nag): added suppressions
• chore(documentation): add security.md file to repo
• chore(documentation): added json-schema page
• chore(documentation): update config.md Control Tower OU guidance
• chore(documentation): updating typedoc for vpc cidrs to include caveat about cidr list
• chore(installer): added clarification to CF template
• chore(lambda): remove debug console log statements
• chore(modules): renamed modules to lza-modules
• chore(organizations): use global region in AWS Organizations client
• chore(regions): update global region map
• chore(sample-config): add iam user create prevention control in sample config
• chore(sample-config): add kms modification protection to preventative controls in sample config
• chore(sample-config): add disable import findings integration to scp
• chore(sample-config): update s3 service control policy
• chore(sts): updated sts endpoints
• chore(uninstaller): improved performance for deployments with many regions
• chore(validation): extending validation on ENI lookups to allow for _ character

v1.9.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(metadata): fixed config file writes with codecommit
• fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
• fix(control-tower): skip existing Control Tower identifier check when Contrtol Tower is not enabled

Changed

• chore: add security.md file to repo

v1.9.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Sample Configuration service control policies (SCPs) enhancement

The lza-sample-config provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-1.json SCP, has been enhanced to include an additional clause to protect invocation of lambda functions that are used within the LZA engine. We recommend reviewing configuration changes made to the lza-sample-config and determine which changes you need to apply to your configuration

Changed

• chore: upgrade github action to node20

Configuration Changes

• chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions

v1.9.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

New Configuration Repository Location Parameter for Installation

New LZA Installations:
This release provides the opportunity for new installations to leverage Amazon S3 for storing the LZA configuration files which was previously managed by AWS CodeCommit. New installations of LZA are recommended to use s3 as this will be the default source location for the LZA configuration repository moving forward.

Existing LZA Environments / LZA Version Upgrades:
When performing an upgrade to the latest version of LZA, this parameter will not be automatically selected and will require manual intervention. For upgrades of LZA, please select codecommit as it is not currently supported to migrate from AWS CodeCommit repository to S3 bucket. This feature is prioritized for an upcoming release.

Added

• feat(s3): added use of S3 as a configuration repository location
• feat(network): allow Route53 resolver endpoints and query logging to be defined in the VPC object.
• feat(control-tower): integrate lz management and lz baseline api
• feat(control-tower) integrate lz management and baseline api for external account deployment
• feat(control-tower): lz management api gov cloud support
• feat(control-tower): add global region into the Control Tower governed region list
• feat(logging): add cloudwatch log group data protection policy
• feat(securityhub): allow custom cloudwatch log group for events

Fixed

• fix(bootstrap): Failed to publish asset when cdkOptions.centralizeBuckets: true
• fix(control-tower): add validation to check incorrect landing zone version in global config
• fix(control-tower): new lza installation overrides existing control tower settings
• fix(organizations): unable to create ou with same name under different parent
• fix(organization): ou baseline operation should be skipped when Control Tower is not enabled

Changed

• chore: add commitlint to precommit hook
• chore: upgrade cdk to 2.148.0
• chore: bump cdk bootstrap to 20
• chore(documentation): update opt-in region requirement for Control Tower deployment
• chore(documentation): update merge request template to add unit test information
• chore(test): update all-enabled custom config rule lambda python version

v1.8.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(networking): Fix undefined condition for transitGatewayCidrBlocks property for Transit Gateway.
• bug(pipeline): Suppress mapping bucket results from build log
• fix(pipeline): "find: ‘./cdk.out’: No such file or directory" error in diff stage
• fix(config): update global config cdkoptions and control tower settings
• fix(security-hub): Fixed SecurityHub error "exceeds maximum number of members can be created in a single request"

v1.8.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(networking): Add transit gateway static CIDR blocks and Transit Gateway Connect attachments
• feat(autoScalingGroup): Add option to set maxInstanceLifetime property for AutoScalingGroups
• feat(securityHub): Allow SecurityHub to be enabled when AwsConfig is enabled with deploymentTargets option
• feat(customizations): Add option to set maxInstanceLifetime property for AutoScalingGroups by @insignias

Changed

• chore(github): added automated testing to GitHub repo for external PRs
• chore(networking): update function signatures for vpc resources in network vpc stack

Fixed

• fix(organizations): throttling on ListAccounts call
• fix(control-tower): The baseline 'AWSControlTowerBaseline' cannot be enabled on renamed OUs
• fix(control-tower): change organizations module execution condition
• fix(diff): "Unexpected end of JSON input" error, closes #497
• fix(configrule): Update config rule remediation validation when using KMSMasterKey replacement value
• fix(construct): LZA fails with AWS::Logs::LogGroup already exists, closes #471, #492, #494 by @richardkeit

New Contributors

• @insignias made their first contribution in this release
• @richardkeit made their first contribution in this release