v1.9.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(metadata): fixed config file writes with codecommit
• fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
• fix(control-tower): skip existing Control Tower identifier check when Contrtol Tower is not enabled

Changed

• chore: add security.md file to repo

v1.9.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Sample Configuration service control policies (SCPs) enhancement

The lza-sample-config provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-1.json SCP, has been enhanced to include an additional clause to protect invocation of lambda functions that are used within the LZA engine. We recommend reviewing configuration changes made to the lza-sample-config and determine which changes you need to apply to your configuration

Changed

• chore: upgrade github action to node20

Configuration Changes

• chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions

v1.9.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

New Configuration Repository Location Parameter for Installation

New LZA Installations:
This release provides the opportunity for new installations to leverage Amazon S3 for storing the LZA configuration files which was previously managed by AWS CodeCommit. New installations of LZA are recommended to use s3 as this will be the default source location for the LZA configuration repository moving forward.

Existing LZA Environments / LZA Version Upgrades:
When performing an upgrade to the latest version of LZA, this parameter will not be automatically selected and will require manual intervention. For upgrades of LZA, please select codecommit as it is not currently supported to migrate from AWS CodeCommit repository to S3 bucket. This feature is prioritized for an upcoming release.

Added

• feat(s3): added use of S3 as a configuration repository location
• feat(network): allow Route53 resolver endpoints and query logging to be defined in the VPC object.
• feat(control-tower): integrate lz management and lz baseline api
• feat(control-tower) integrate lz management and baseline api for external account deployment
• feat(control-tower): lz management api gov cloud support
• feat(control-tower): add global region into the Control Tower governed region list
• feat(logging): add cloudwatch log group data protection policy
• feat(securityhub): allow custom cloudwatch log group for events

Fixed

• fix(bootstrap): Failed to publish asset when cdkOptions.centralizeBuckets: true
• fix(control-tower): add validation to check incorrect landing zone version in global config
• fix(control-tower): new lza installation overrides existing control tower settings
• fix(organizations): unable to create ou with same name under different parent
• fix(organization): ou baseline operation should be skipped when Control Tower is not enabled

Changed

• chore: add commitlint to precommit hook
• chore: upgrade cdk to 2.148.0
• chore: bump cdk bootstrap to 20
• chore(documentation): update opt-in region requirement for Control Tower deployment
• chore(documentation): update merge request template to add unit test information
• chore(test): update all-enabled custom config rule lambda python version

v1.8.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(networking): Fix undefined condition for transitGatewayCidrBlocks property for Transit Gateway.
• bug(pipeline): Suppress mapping bucket results from build log
• fix(pipeline): "find: ‘./cdk.out’: No such file or directory" error in diff stage
• fix(config): update global config cdkoptions and control tower settings
• fix(security-hub): Fixed SecurityHub error "exceeds maximum number of members can be created in a single request"

v1.8.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(networking): Add transit gateway static CIDR blocks and Transit Gateway Connect attachments
• feat(autoScalingGroup): Add option to set maxInstanceLifetime property for AutoScalingGroups
• feat(securityHub): Allow SecurityHub to be enabled when AwsConfig is enabled with deploymentTargets option
• feat(customizations): Add option to set maxInstanceLifetime property for AutoScalingGroups by @insignias

Changed

• chore(github): added automated testing to GitHub repo for external PRs
• chore(networking): update function signatures for vpc resources in network vpc stack

Fixed

• fix(organizations): throttling on ListAccounts call
• fix(control-tower): The baseline 'AWSControlTowerBaseline' cannot be enabled on renamed OUs
• fix(control-tower): change organizations module execution condition
• fix(diff): "Unexpected end of JSON input" error, closes #497
• fix(configrule): Update config rule remediation validation when using KMSMasterKey replacement value
• fix(construct): LZA fails with AWS::Logs::LogGroup already exists, closes #471, #492, #494 by @richardkeit

New Contributors

• @insignias made their first contribution in this release
• @richardkeit made their first contribution in this release

v1.7.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(security-hub): enable cisv3 standard

Fixed

• fix(logging): CreateServiceLinkedRole fails with LogGroup already exists
• fix(organizations): Update number of retries when using SDKV3 retry strategy
• fix(replacements): add check for undefined accountName

v1.7.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

AWS Lambda runtime upgrade to Node.js 18

This version upgrades all of the AWS Lambda runtime to Node.js 18 as the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Performing the upgrade to v1.7.0 should remediate any notifications for upcoming deprecation. Note: Any AWS Config rules in the security-config.yaml are not automatically updated and will need to be manually validated against the sample configurations for updated configuration files.

AWS Control Tower Integration

Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, then the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available. For more information please review the Documentation

Added

• feat(control-tower): integrate lz management api
• feat(control-tower): integrate lz baseline api
• feat(control-tower): add global region into the Control Tower governed region list
• feat(network): add IPv6 support for DHCP options sets
• feat(network): Provide static IPv6 support for VPC and Subnets
• feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
• feat(network): support vpc peering for vpcs created by vpcTemplates
• feat(network): add resolver config to vpc object
• feat(network): add tag property for interface endpoints
• feat(network): add route53 query logging and resolver endpoint handlers
• feat(logging): wildcards in dynamic partitioning
• feat(logging): add cloudwatch log group data protection policy
• feat(ssm): add targetType to documents
• feat(config): update to use json schema
• feat(replacements): add support for ACCOUNT_NAME in user data
• feat(pipeline): move assets to local directory
• feat(pipeline): validate accelerator version in build stage
• feat(regions): add ca-west-1 support
• feat(securityhub): add custom cloudwatch log group for security hub
• feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
• feat(config): added deploymentTargets for awsConfig
• feat(guardduty): added deploymentTargets for GuardDuty

Changed

• chore(lambda): upgrade to node18 runtime
• chore(sdkv3): remove references to aws-lambda
• chore(sdkv3): remove aws-lambda reference in batch enable standards
• chore(package): tree shake util import to reduce package size
• chore(docs): added docs for local zone subnet creation

Fixed

• fix(replacements): retrieve mgmt credentials during every config validation
• fix(replacements): throw error for undefined replacement
• fix(replacements): updated logic for ignored replacements
• fix(replacements): updated validation pattern
• fix(replacements): updated EmailAddress type to support replacement strings
• fix(route53): revert getHostedZoneNameForService changes
• fix(identity-center): address identity center resource metadata lookup resources
• fix(identity-center): added permission to create assignments for mgmt
• fix(identity-center): removed custom resource for SSM parameters
• fix(diagnostic-pack): assume role name prefix for external deployment
• fix(logging): refactored logging of Security Hub events
• fix(diff): customizations template lookup
• fix(diff): dependent stack lookup
• fix(diff): added error logging to detect file diff errors
• fix(applications): only lookup shared subnet ids for apps in shared vpcs
• fix(toolkit): fixed deployment behavior for non-customization stage
• fix(toolkit): change asset copy files to syn
• fix(toolkit): move asset processing into main
• fix(organizations): unable to create ou with same name under different parent
• fix(organizations): delete policies based on event
• fix(organizations): Resolve issue where policies are not being updated
• fix(pipeline): send UUID on exception of central logs bucket kms key
• fix(config): Update SSM automation document match string
• fix(config): validate regions in customizations
• fix(service-quotas): check existing limit before request
• fix(idc): explicitly set management account for CDK env
• fix(move-accounts): retry strategy and increase timeout
• fix(alb): Update target types to include lambda
• fix(validation): check for duplicate emails in accounts-config
• fix(validation) Update KMS key lookup validation in security-config

Configuration Changes

• chore(sample-config): remove breakglass user from the sample configurations
• chore(sample-config): add alerting for breakglass user account usage

v1.6.4

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(validation): add option to skip scp validation during prepare stage

Fixed

• fix(toolkit): move custom stack queue out of toolkit

v1.6.3

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(organizations): ignore deletion for policies that do not exist
• fix(organizations): resolve issue where existing policies were not being updated

v1.6.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Dynamic Replacements

In release v1.5.0, we introduced LZA replacements which enabled customers to perform substitutions in configuration files on strings surrounded by double curly braces. This resulted in unintended replacement behavior for customers using this syntax without knowledge of LZA replacement functionality. To ensure all configuration substitutions are deliberate, we have added a configuration validation check to ensure all strings surrounded by double curly braces in the LZA configuration files are SSM dynamic references or referenced in replacements-config.yaml. See Parameter Store reference variables for more information.

Fixed

• fix(container): ecr immutability tag on bootstrap
• fix(docs): improvements to installation.md
• fix(replacements): throw error for undefined replacements
• fix(diff): dependent stack lookup
• fix(diff): customizations template lookup
• fix(networking): fix Canada region physical AZ Subnet lookup
• fix(metadata): event based get-accelerator-metadata