v1.9.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

New Configuration Repository Location Parameter for Installation

New LZA Installations:
This release provides the opportunity for new installations to leverage Amazon S3 for storing the LZA configuration files which was previously managed by AWS CodeCommit. New installations of LZA are recommended to use s3 as this will be the default source location for the LZA configuration repository moving forward.

Existing LZA Environments / LZA Version Upgrades:
When performing an upgrade to the latest version of LZA, this parameter will not be automatically selected and will require manual intervention. For upgrades of LZA, please select codecommit as it is not currently supported to migrate from AWS CodeCommit repository to S3 bucket. This feature is prioritized for an upcoming release.

Added

• feat(s3): added use of S3 as a configuration repository location
• feat(network): allow Route53 resolver endpoints and query logging to be defined in the VPC object.
• feat(control-tower): integrate lz management and lz baseline api
• feat(control-tower) integrate lz management and baseline api for external account deployment
• feat(control-tower): lz management api gov cloud support
• feat(control-tower): add global region into the Control Tower governed region list
• feat(logging): add cloudwatch log group data protection policy
• feat(securityhub): allow custom cloudwatch log group for events

Fixed

• fix(bootstrap): Failed to publish asset when cdkOptions.centralizeBuckets: true
• fix(control-tower): add validation to check incorrect landing zone version in global config
• fix(control-tower): new lza installation overrides existing control tower settings
• fix(organizations): unable to create ou with same name under different parent
• fix(organization): ou baseline operation should be skipped when Control Tower is not enabled

Changed

• chore: add commitlint to precommit hook
• chore: upgrade cdk to 2.148.0
• chore: bump cdk bootstrap to 20
• chore(documentation): update opt-in region requirement for Control Tower deployment
• chore(documentation): update merge request template to add unit test information
• chore(test): update all-enabled custom config rule lambda python version

v1.8.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(networking): Fix undefined condition for transitGatewayCidrBlocks property for Transit Gateway.
• bug(pipeline): Suppress mapping bucket results from build log
• fix(pipeline): "find: ‘./cdk.out’: No such file or directory" error in diff stage
• fix(config): update global config cdkoptions and control tower settings
• fix(security-hub): Fixed SecurityHub error "exceeds maximum number of members can be created in a single request"

v1.8.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(networking): Add transit gateway static CIDR blocks and Transit Gateway Connect attachments
• feat(autoScalingGroup): Add option to set maxInstanceLifetime property for AutoScalingGroups
• feat(securityHub): Allow SecurityHub to be enabled when AwsConfig is enabled with deploymentTargets option
• feat(customizations): Add option to set maxInstanceLifetime property for AutoScalingGroups by @insignias

Changed

• chore(github): added automated testing to GitHub repo for external PRs
• chore(networking): update function signatures for vpc resources in network vpc stack

Fixed

• fix(organizations): throttling on ListAccounts call
• fix(control-tower): The baseline 'AWSControlTowerBaseline' cannot be enabled on renamed OUs
• fix(control-tower): change organizations module execution condition
• fix(diff): "Unexpected end of JSON input" error, closes #497
• fix(configrule): Update config rule remediation validation when using KMSMasterKey replacement value
• fix(construct): LZA fails with AWS::Logs::LogGroup already exists, closes #471, #492, #494 by @richardkeit

New Contributors

• @insignias made their first contribution in this release
• @richardkeit made their first contribution in this release

v1.7.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(security-hub): enable cisv3 standard

Fixed

• fix(logging): CreateServiceLinkedRole fails with LogGroup already exists
• fix(organizations): Update number of retries when using SDKV3 retry strategy
• fix(replacements): add check for undefined accountName

v1.7.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

AWS Lambda runtime upgrade to Node.js 18

This version upgrades all of the AWS Lambda runtime to Node.js 18 as the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Performing the upgrade to v1.7.0 should remediate any notifications for upcoming deprecation. Note: Any AWS Config rules in the security-config.yaml are not automatically updated and will need to be manually validated against the sample configurations for updated configuration files.

AWS Control Tower Integration

Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, then the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available. For more information please review the Documentation

AWS Identity Center Resource Changes

As part of this release, AWS IAM Identity Center resources (permission sets and account assignments) will be moved from the Operations AWS CloudFormation stack to a new dedicated IdentityCenter CloudFormation stack. This stack will be launched after the Operations stack during deployment.

Impact:

• During the migration, there will be a short window where permission sets and account assignments are deleted and recreated in the new CloudFormation stack.
• To ensure continuous access during this process, please ensure you have at least one of the following:
  1. A separate user/group in AWS IAM Identity Center with necessary account assignments and permissions
  2. AWS IAM users configured in the Management account with the necessary permissions to triage any issues.

Added

• feat(control-tower): integrate lz management api
• feat(control-tower): integrate lz baseline api
• feat(control-tower): add global region into the Control Tower governed region list
• feat(network): add IPv6 support for DHCP options sets
• feat(network): Provide static IPv6 support for VPC and Subnets
• feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
• feat(network): support vpc peering for vpcs created by vpcTemplates
• feat(network): add resolver config to vpc object
• feat(network): add tag property for interface endpoints
• feat(network): add route53 query logging and resolver endpoint handlers
• feat(logging): wildcards in dynamic partitioning
• feat(logging): add cloudwatch log group data protection policy
• feat(ssm): add targetType to documents
• feat(config): update to use json schema
• feat(replacements): add support for ACCOUNT_NAME in user data
• feat(pipeline): move assets to local directory
• feat(pipeline): validate accelerator version in build stage
• feat(regions): add ca-west-1 support
• feat(securityhub): add custom cloudwatch log group for security hub
• feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
• feat(config): added deploymentTargets for awsConfig
• feat(guardduty): added deploymentTargets for GuardDuty

Changed

• chore(lambda): upgrade to node18 runtime
• chore(sdkv3): remove references to aws-lambda
• chore(sdkv3): remove aws-lambda reference in batch enable standards
• chore(package): tree shake util import to reduce package size
• chore(docs): added docs for local zone subnet creation

Fixed

• fix(replacements): retrieve mgmt credentials during every config validation
• fix(replacements): throw error for undefined replacement
• fix(replacements): updated logic for ignored replacements
• fix(replacements): updated validation pattern
• fix(replacements): updated EmailAddress type to support replacement strings
• fix(route53): revert getHostedZoneNameForService changes
• fix(identity-center): address identity center resource metadata lookup resources
• fix(identity-center): added permission to create assignments for mgmt
• fix(identity-center): removed custom resource for SSM parameters
• fix(diagnostic-pack): assume role name prefix for external deployment
• fix(logging): refactored logging of Security Hub events
• fix(diff): customizations template lookup
• fix(diff): dependent stack lookup
• fix(diff): added error logging to detect file diff errors
• fix(applications): only lookup shared subnet ids for apps in shared vpcs
• fix(toolkit): fixed deployment behavior for non-customization stage
• fix(toolkit): change asset copy files to syn
• fix(toolkit): move asset processing into main
• fix(organizations): unable to create ou with same name under different parent
• fix(organizations): delete policies based on event
• fix(organizations): Resolve issue where policies are not being updated
• fix(pipeline): send UUID on exception of central logs bucket kms key
• fix(config): Update SSM automation document match string
• fix(config): validate regions in customizations
• fix(service-quotas): check existing limit before request
• fix(idc): explicitly set management account for CDK env
• fix(move-accounts): retry strategy and increase timeout
• fix(alb): Update target types to include lambda
• fix(validation): check for duplicate emails in accounts-config
• fix(validation) Update KMS key lookup validation in security-config

Configuration Changes

• chore(sample-config): remove breakglass user from the sample configurations
• chore(sample-config): add alerting for breakglass user account usage

v1.6.4

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Added

• feat(validation): add option to skip scp validation during prepare stage

Fixed

• fix(toolkit): move custom stack queue out of toolkit

v1.6.3

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(organizations): ignore deletion for policies that do not exist
• fix(organizations): resolve issue where existing policies were not being updated

v1.6.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Dynamic Replacements

In release v1.5.0, we introduced LZA replacements which enabled customers to perform substitutions in configuration files on strings surrounded by double curly braces. This resulted in unintended replacement behavior for customers using this syntax without knowledge of LZA replacement functionality. To ensure all configuration substitutions are deliberate, we have added a configuration validation check to ensure all strings surrounded by double curly braces in the LZA configuration files are SSM dynamic references or referenced in replacements-config.yaml. See Parameter Store reference variables for more information.

Fixed

• fix(container): ecr immutability tag on bootstrap
• fix(docs): improvements to installation.md
• fix(replacements): throw error for undefined replacements
• fix(diff): dependent stack lookup
• fix(diff): customizations template lookup
• fix(networking): fix Canada region physical AZ Subnet lookup
• fix(metadata): event based get-accelerator-metadata

v1.6.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

• fix(docs): broken links in documentation
• fix(route53): associate hosted zones timeout
• chore(diagnostics-pack): cleanup

v1.6.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Added

• feat(budgets): Budget notifications accept array of email addresses
• feat(cloudwatch): provide the ability to use CloudWatch service key for LogGroup encryption
• feat(config-service): allow reference of public ssm documents
• feat(customizations): Enhance custom applications to deploy in shared VPC
• feat(firewalls): load firewall configuration from directory and support secret replacement
• feat(lambda): Allow option to use service key for AWS Lambda function environment variables encryption
• feat(networking): add support for targeting network interfaces
• feat(pipeline): use v2 tokens for sts
• feat(regions) Add il-central-1 region
• feat(replacements): added check for commented out replacements-config.yaml
• feat(replacements): extend dynamic parameter lookups
• feat(resource-policies): Support additional AWS services in resource based policies
• feat(s3): make the creation of access log buckets and S3 encryption CMK optional
• feat(ssm): add aggregated ssm region policy construct
• feat(support): add Diagnostic Pack support
• feat(validation): adds configuration validation for cmk replacement in the AWS config remediation lambda.
• feat(validation): add option to skip static validation

Changed

• chore(documentation): added SBOM instructions to FAQ
• chore(documentation): added Architecture and Design Philosophy section to DEVELOPING.md
• chore(documentation): Update security hub cis 1.4.0 control examples
• chore(esbuild): update build target from node16 to node18
• enhancement(ebs): Add deployment targets to ebs encryption options
• enhancement(iam): added prefix condition to trust policies
• enhancement(logging): Add validation for s3 resource policy attachments against public block access
• enhancement(networking): allow ability to define static replacements for EC2 firewall configurations
• enhancement(networking): allow ability to deploy EC2 firewall in RAM shared VPC account
• enhancement(pipeline): optimize CodeBuild memory for over 1000 stacks
• enhancement(validation): Managed active directory secret config account validation

Fixed

• fix(aspects): saml lookup for console login to non-standard partitions fails
• fix(budget): sns topic arn for budgets notifications
• fix(config-service): modify public ssm document name validation
• fix(guardduty): export findings frequency and exclude region settings for protections are ignored
• fix(iam): update the iam role for systems manager
• fix(logging): refactored CloudWatch Log exclusion filter to use regex
• fix(networking): Allow for Target Groups with type IP to be created within VPC without targets specified
• fix(networking): added explicit dependency between vpc creation and deletion of default vpc
• fix(networking): create network interface route for firewall in shared vpc
• fix(networking): reverted role name to VpcPeeringRole
• fix(networking): share subnets with tags causes SSM parameter race condition
• fix(networking): add dependency between networkAssociations and GWLB stages
• fix(operations): account warming fails
• fix(organizations): enablePolicyType function blocks tag and backup policy creation in GovCloud
• fix(pipeline): consolidate customizations into single app
• fix(pipeline): exit pipeline upon synth failure
• fix(pipeline): evaluate limits before deploying workloads
• fix(scp): Catch PolicyNotAttachedException when SCP is allow-list strategy
• fix(scp): Add organization_enabled variable to revertSCP Lambda function
• fix(ssm): intermittent failure in OperationsStack, added missing dependency
• fix(toolkit): enforce runOrder for custom stacks in customizations stage
• fix(validation): allow OUs and accounts for MAD shares
• fix(validation): Fix max concurrent stacks validation
• fix(validation): Add validation on static parameters for policy templates
• fix(validation): validate kmsKey and subnet deployment targets

Configuration Changes

• chore(aws-best-practices-tse-se): migrated to new GitHub repository
• chore(aws-best-practices-cccs-medium): migrated to new GitHub repository