v1.5.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Fixed

• fix(iam): Security_Resource stack failure to assume role into suspended and un-enrolled account
• fix(identity-center): operation stack AcceleratorLambdaKey construct already exists
• fix(customizations): could not load credentials from any providers

v1.5.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Centralized logging bucket policy enhancement

The S3 Bucket policy for the centralized logging bucket was updated, in 4cff4bf, to further restrict actions by principals within an AWS Organization. See s3ResourcePolicyAttachments for more information regarding further customization of the centralized logging bucket.

Sample Configuration service control policies (SCPs) enhancement

The lza-sample-config [previously aws-best-practices] provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-2.json SCP, has been enhanced to include an additional clause to protect prefixes that are used within the LZA engine. We recommend reviewing configuration changes made to the lza-sample-config and determine which changes you need to apply to your configuration

[1.5.0] - 2023-10-05

Added

• feat(backup) add Backup vault policy
• feat(config): allow users to set stack concurrency
• feat(config) M2131 WAF logging enabled
• feat(control-tower): add control tower controls
• feat(identity-center): add IdentityCenter extended permission set and assignment
• feat(logging): enable non-accelerator subscription filter destination replacement
• feat(logging): move larger CloudWatch logs payloads back into kinesis stream for re-ingestion
• feat(networking): add ability to reference dynamic configuration file replacements and license files for EC2 firewalls
• feat(networking): add dynamic EC2 firewall site-to-site VPN connections and configuration replacements
• feat(networking): add exclude regions for default VPC
• feat(networking): allow gateway and interface endpoint service customizations
• feat(networking): Created Shared ALB and supporting resources (ACM, Target Groups)
• feat(replacements): support Policy Replacements in VPC Endpoint policies
• feat(s3): allow import of S3 buckets
• feat(s3): support lifecycle rules for given prefix
• feat(security-hub): allow customers to disable Security Hub CloudWatch logs
• feat(service-catalog): support service catalog product constraints
• feat(ssm): allow SSM replacements through replacements-config.yaml
• feat(ssm): allow creation of custom SSM parameters
• feat(tags): Support Customer Tags

Changed

• enhancement(docs): add script to generate versioned TypeDocs
• enhancement(iam): make managed AD resolverRuleName property optional
• enhancement(logging): Add Landing Zone Accelerator on AWS specific IAM roles to central S3 bucket policy
• enhancement(networking): add ability to define advanced VPN tunnel configuration parameters
• enhancement(networking): add ability to dynamically reference same-VPC subnets as a route destination
• enhancement(networking): add ability to reference physical IDs for subnet availability zones and for Network Firewall endpoint lookups
• enhancement(networking): add AWSManagedAggregateThreatList to supported DNS firewall managed domain lists
• enhancement(pipeline): allow synth and deploy to write to stack specific directories
• enhancement(validation): Add config rule name validation
• enhancement(validation): add name uniqueness check for IAM policies and roles
• enhancement(validation): add validation for security delegated admin account
• chore(deps): bump semver to 7.5.2
• chore(deps): bump lerna to 7.2.0
• chore(deps): bump proxy-agent to 6.3.0
• chore(deps): bump aws-cdk to 2.93.0
• chore(docs): added instructions for validations and tests
• chore(docs): added documentation for excluded regions in audit manager
• chore(docs): document dynamic partitioning format in TypeDocs
• chore(docs): remove invalid targets for routeTableEntry
• chore(docs): update TransitGatewayAttachmentConfig docs to reflect subnet update behavior
• chore(docs): updated typedoc example for budget notifications
• chore(docs): update maxAggregationInterval to match appropriate unit
• chore(docs): VPC Flow Logs central logging method indicated service-native S3 logging
• chore(logging): add accelerator roles to central bucket policy
• chore(organizations): Moved getOrgId function to config
• chore(organizations): Removed Check for Tag and Backup policies in AWS GovCloud
• chore(test): update test pipeline lambda functions to Node.js 16 runtime
• chore(utils): moved chunkArray to utils
• chore(validation): Remove let from config validation
• chore: license file updates
• chore: refactor engine to reduce complexity
• chore: updated dependencies for aws-sdk

Fixed

• fix(accelerator-prefix): accelerator prefix remains hardcoded in some constructs
• fix(accounts): allow Control Tower account enrollment in GovCloud
• fix(acm): Duplicate certificate imported on CR update
• fix(applications): allow launchTemplates without userData, remove securityGroup checks
• fix(audit-manager): excluded regions list ignored in security audit stack
• fix(bootstrap): synth large environments runs out of memory
• fix(cdk): fixed promise bug for parallel deployments
• fix(cloudwatch): log replication with exclusion times out
• fix(cloudwatch): Updated logic to deploy CW log groups to OUs
• fix(customizations): make security groups optional in launch templates
• fix(deployment) - Enforce IMDS v2 for Managed Active Directory controlling EC2 instance
• fix(guardduty): create guardduty prefix in s3 destination when prefix deleted by life cycle policy
• fix(guardduty): support account create and delete actions for more than 50 accounts
• fix(guardduty): Delete publishing destination when enabled is false
• fix(guardduty): Updated createMembers function to use SDKv3
• fix(iam): remove permissive runInstance from policy
• fix(iam): add IAM validation for roles, groups, users to Policies
• fix(iam): failed to assume role with static partition
• fix(iam): Added error handling for service linked role already existing
• fix(iam): update boundary control policy IAM get user actions
• fix(identity-center): incorrect sso regional endpoint
• fix(identity-center): fix api rate exceeded issue
• fix(limits): Allow service quota limits to be defined with regions
• fix(logging): change kms key lookup for central bucket
• fix(logging): fixed logging stack deployment order
• fix(logging): central log bucket cmk role exists when centralized logging changed
• fix(logging): enable CloudWatch logging on Firehose
• fix(logging): Add prefix creation for imported central log buckets
• fix(logging): add firehose records processor to exclusion list default
• fix(logging): compress logs within lambda and set firehose transform to uncompressed
• fix(MAD): Remove key pair from MAD instance
• fix(networking): duplicate construct error when creating GWLB endpoints in multiple VPCs under the same account
• fix(networking): fix underscore subnet names
• fix(networking): Transit gateway peering fails when multiple accepter tgw has multiple requester
• fix(networking): Fixed IPv6 validation for Prefix Lists
• fix(networking): incorrect private hosted zones created for interface endpoint services with specific API subdomains
• fix(networking): AZ not defined error when outpost subnet is configured
• fix(networking): fixed isTarget conditions for target groups
• fix(networking): update regional conditions for shared ALBs
• fix(networking): EC2 firewall config replacements incorrectly matches multiple variables on a single line
• fix(networking): EC2 firewall config replacements missing hostname lookup
• fix(organizations): load ou units asynchronously
• fix(pipeline): useManagementAccessRole optional
• fix(pipeline): time out in CodePipeline Review stage
• fix(pipeline): change assume role behavior on management account
• fix(pipeline): add nagSupression to firewall service linked role
• fix(pipeline): toolkit does not use prefix variable
• fix(replacements): Updated generatePolicyReplacements arguments to include organization id
• fix(roles): add UUID to service linked role to prevent accidental deletion
• fix(roles): make security audit stack partition aware
• fix(roles): add delay on service linked role creation
• fix(roles): create service linked role in custom resource
• fix(saml): SAML login is hardcoded
• fix(s3): access logs bucket external policy fix
• fix(scp): scpRevertChanges should use accelerator prefix
• fix(security): bring your own KMS key cannot reference service-linked roles in key policy file
• fix(security): Increased memory for GuardDuty custom resource
• fix(security): custom config rule discarding triggering resource types
• fix(ssm): PutSsmParameter upgrade from v1.3.x to v1.4.2+ fails
• fix(ssm): Added check to see if roles exist before policy attachment
• fix(sso): Added validation to flag permission set assignments created for management account
• fix(tagging): Accel-P tag is appropriately set on resources
• fix(uninstaller) detach customer policies prior to delete
• fix(validation): Add config rule name validation
• fix(validation): va...

v1.4.3

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.4.3 for this release). See Update the solution for more information.

Upgrading from version 1.4.0/1.4.1 to 1.4.2+

For users with shared VPC subnets configured, if you are encountering an SSM parameter validation error during the Network_Associations stage, use the following update procedure:

1. Determine the parameters that are needed in the share target accounts by reviewing the CloudWatch logs for the Lambda function that is prefixed with AWSAccelerator-NetworkVpc-CustomSsmPutParameterVal- in the account that owns the shared VPC.
2. Manually create the parameters in any accounts that are failing SSM parameter validation.
3. Re-run the core pipeline
4. After upgrading to 1.4.2+, this process will not be required for newly-enrolled accounts in the share target OUs.

Fixed

• fix(logging): cloudwatch logging, change log format in firehose to json
• fix(organizations): large OU organizations fail to load during prepare stage
• fix(networking): cannot provision new IPAM subnets when VPC has CIDRs from non-contiguous CIDR blocks
• fix(networking): Modify Transit Gateway resource lookup construct ids
• fix(validate-config): ValidateEnvironmentConfig improperly evaluates enrolled CT accounts as not enrolled

Configuration Changes

• chore(aws-best-practices-tse-se): include granular billing SCP permission updates
• chore(aws-best-practices-cccs-medium): include granular billing SCP permission updates

v1.4.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.4.2 for this release). See Update the solution for more information.

Upgrading from version 1.4.x to 1.4.2

For users with shared VPC subnets configured, if you are encountering an SSM parameter validation error during the Network_Associations stage, use the following update procedure:

1. Determine the parameters that are needed in the share target accounts by reviewing the CloudWatch logs for the Lambda function that is prefixed with AWSAccelerator-NetworkVpc-CustomSsmPutParameterVal- in the account that owns the shared VPC.
2. Manually create the parameters in any accounts that are failing SSM parameter validation.
3. Re-run the core pipeline
4. After upgrading to 1.4.2, this process will not be required for newly-enrolled accounts in the share target OUs.

Fixed

• fix(ssm): PutSsmParameters custom resource ignores new accounts
• chore(organizations): moved getOrganizationId to organizations-config
• fix(iam): service linked roles fail to create in multi-region deployment
• fix(validation): TGW route validation fails when prefixList deployment targets do not have excluded regions
• fix(validation): incorrectly configured security delegated admin account isn’t caught by validation
• fix(docs): README indicates S3 server access logs are replicated to central logs bucket

v1.4.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.4.1 for this release). See Update the solution for more information.

Fixed

• fix(route53): route53 resolver configuration depends on Network Firewall configuration
• fix(config): AWS Config recorder failure when enabled in new installation
• fix(installer): set default value for existing config repository parameters
• fix(networking): non-wildcard record missing in hosted zone for centralized S3 interface endpoints
• chore(bootstrap): update CDK version to 2.79.1
• chore(lambda): Increased memory size of custom resources

v1.4.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.4.0 for this release). See Update the solution for more information.

Security groups defined in shared VPCs are now replicated to accounts where the subnets are shared. If you reference a prefix list from a security group, you need to update the deployment targets of the prefix list to deploy the prefix list in all shared accounts. (network-config.yaml)

Lambda runtimes for AWS Config rules were updated to NodeJs16. (security-config.yaml)

Cross-account IPAM subnet references have been updated and requires a configuration change. This only affects customers that are referencing IPAM-created subnets that exist in the same account and region the NACL rule is created in. To resolve this, you will need to:

1. Comment out any NACL rules that reference IPAM-created subnets that reside in the same account+region of the account+region the NACL is being created in.
2. Run the pipeline, which will delete the NACL rules.
3. Uncomment the same-account NACLs and run the pipeline once again.

Added

• feat(config): Utilize existing AWS Config Service Delivery Channel
• feat(installer): Support custom prefix for LZA resources
• feat(logging) Add S3 prefix to Config Recorder delivery channel
• feat(networking): Added deploymentTargets property for prefix lists
• feat(networking): add ability to reference same-account IPAM subnets in Security Groups and NACLs
• feat(scp): Implement SCP allow-list strategy
• feat(security-config) Add ability to define CloudWatch Log Groups
• feat(security hub): allow definition of deploymentTargets for Security Hub standards
• feat(validation): verify no ignored OU accounts are included in accounts-config file

Changed

• chore(app): Update AWS CDK version to 2.70.0
• chore(docs): adding optional flags and replacement warnings to SecurityConfig and NetworkConfig
• chore(network): network stack refactor to assist in development efforts
• enhancement(cdk): Configure CDK to use managementAccountAccessRole for all actions
• enhancement(logging): Reduce logging in firehose processor to optimize cost
• enhancement(networking): replicate Security Groups to Accounts with RAM shared subnets
• enhancement(network): make vpcFlowLogs property optional

Fixed

• fix(accounts): methods used to retrieve Account IDs for Root OU targets return ignored accounts
• fix(bootstrap): Forced bootstrap update for non-centralized CDK buckets
• fix(budgets): unable to deploy AWS Budgets in Regions without vpc endpoint
• fix(ebs): EBS encryption policy references Account instead of Region
• fix(logging): remove nested looping for additional statements
• fix(networking): fix IPAM SSM lookup role name mismatch
• fix(networking): VPC-level ALBs and NLBs may reference incorrect logging bucket region
• fix(networking): replicating shared VPC/subnet tags to consumer account fails if sharing subnets from multiple owner accounts
• fix(networking): default VPCs are not deleted if the excludedAccounts property is not included
• fix(pipeline): Credential timeout for long running stages
• fix(sso): permission sets and assignments created outside of LZA cause pipeline failure
• chore(application-stack): refactor application stack to reduce complexity

Configuration Changes

• feat(aws-best-practices-education): Added additional security-config controls
• feat(aws-best-practices-tse-se): Added AWS Control Tower installation instructions
• enhancement(aws-best-practices): Replace hard-coded management role in guardrail SCPs with a variable
• enhancement(aws-best-practices-cccs-medium): updated configuration to utilize accelerator prefix feature
• enhancement(aws-best-practices-tse-se): updated install instructions for GitHub personal access token

v1.3.2

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.3.2 for this release). See Deploy the solution for more information.

Changed

• enhancement(securityhub): enable nist 800-53 rev5 standard
• fix(network): allow -1:-1 port range in NACL config
• fix(validation): fix OU validation
• fix: conflicting logical id for org lookup in createIpamSsmRole

Configuration Changes

• chore: update best practices config to use nist 800-53 security hub standard

v1.3.1

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.3.1 for this release). See Deploy the solution for more information.

Added

• feat: add region support for me-central-1
• feat: add region support for ap-south-2, ap-southeast-3, ap-southeast-4
• feat: add region support for eu-central-2, eu-south-2
• feat(controltower): create up to 5 ControlTower accounts accounts concurrently
• feat(servicecatalog): add ability to define Service Catalog portfolios and products
• feat(servicecatalog): enable principal association with existing IAM resources
• feat(servicecatalog): add option to propagate principal associations for Service Catalog portfolios
• feat(servicecatalog): add support for AWS Identity Center (formerly SSO) principal associations with Service Catalog portfolios
• feat(installer): allow installer stack to use an existing config repository
• feat(network): remove default Security Group ingress and egress rules of VPC
• feat(network): elastic IP address allocation for NAT gateway
• feat(network): add support for referencing cross-account and cross-region subnets in network ACLs
• feat(iam): allow account lookups for IAM trust policies
• feat(identitycenter): add support for overriding delegated admin in Identity Center
• feat(account): add account warming
• feat(logs): add S3 prefixes for GuardDuty, Config and ELB
• feat(customizations): add capability to pass parameters to Stacks and StackSets
• feat(config): add support to enable config aggregation
• feat(docs): added FAQ

Changed

• enhancement(network): add validation for route table names
• enhancement(network): GWLB VPC type and delegated admin account validation checks
• enhancement(network): add ability to define private NAT gateway connectivity type
• enhancement(network): modularize network validation classes
• enhancement(network): improve VPC validation
• enhancement(network): improve transitGateways validation
• enhancement(network): add validation for dhcpOptions and prefixLists
• enhancement(network): improve centralNetworkServices validation
• enhancement(network): update NFW config objects for enhanced error checking
• enhancement(network): allow specification of TGW attachment options in GovCloud
• enhancement(cloudformation): upload StackSet template as asset before deployment
• enhancement(accounts): validate account limit before creating new account
• enhancement(builds): disable privileged mode in Code Build
• chore(logger): move logger to accelerator utils
• chore(logger): improved logger usage
• fix(app): throw error at app-level try/catch
• fix(installer): github token not properly updating in Code Pipeline
• fix(sts): assume role plugin uses regional sts endpoints
• fix(logging): use correct region for organization trail centralized logging
• fix(network): allow TGW route table associations/propagations for separate attachments to the same VPC
• fix(network): cannot create a STRICT_ORDER rule group when using rulesFile
• fix(network): ALB/NLB bucket region correction for accessLogs
• fix(network): fix cross-account nacl entry construct name
• fix(network): fix IPAM CIDR Role
• fix(network): fix security group enum typo from MYSQL to MSSQL
• fix(network): VPC using IPAM not creating cross-region
• fix(network): S2S VPN resource reference fails in GovCloud
• fix(network): inter-region tgw peering unable to find SSM parameter in second region
• fix(securityhub): failure disabling SecurityHub standards
• fix:(guardduty): issue configuring GuardDuty for opt-in regions
• fix(uninstaller): delete termination protected config repo
• fix(uninstaller): ecr delete error handling
• fix(uninstaller): ecr cleanups with full uninstall option
• fix(logging): ignore CloudWatch logs retention when existing log retention is higher than specified in global config
• fix(logging): fix organization trail centralized logging region parameter
• fix(config): VPC route validation fails when no route specified
• fix(cloudtrail): check for cloudtrail.enable property before creating account trails

Configuration Changes

• chore: consolidate finance configs to best-practices
• chore: remove default limits increase from aws-best-practices config
• chore: update education config
• chore: add lifecycle rules to aws-best-practices
• fix: update the readme file name in AWS GovCloud (US) configurations
• fix: update lock down scp with control tower role
• enhancement: enabled versioning on sample template s3 buckets

v1.3.0

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.3.0 for this release). See Deploy the solution for more information.

Added

• feat(installer): add support for organization only install
• feat(network): add ability to create site-to-site vpn to tgw
• feat(network): add ability to specify file with list of suricata rules for network firewall
• feat(network): add ability to specify transit gateway peering
• feat(network): add ability to create routes for vpc peering connections
• feat(network): add ability to create and reference VGWs for VPNs, subnet routes, and gateway route table associations
• feat(network): add ability to create third-party firewalls
• feat(network): add ability to configure firewall manager
• feat(network): add ability to define ALBs and NLBs
• feat(logs): allow specification of centralized logging bucket region independent of home region
• feat(iam): add ability for IAM policy replacements
• feat(organizations): add support to ignore organizational units
• feat(organizations): add functionality to move accounts between ous (orgs-only install)
• feat(security): add centralized and configurable sns topics
• feat(security): add ability to create ACM from s3 and integrate that with ELBv2
• feat(guardDuty): enable S3 export config override
• feat(guardDuty): provide functionality to enable EKS protection
• feat(ssm): enable SSM Inventory
• feat(securityhub): add support for CIS 1.4.0 controls in SecurityHub
• feat(cloudformation): Create custom CloudFormation stacks
• feat(s3): add ability to define policy statements to s3 buckets and keys
• feat(quotas): limits increase for services
• feat(sso): add ability to configure iam identity center
• feat(mad): add ability to configure managed ad
• feat(kms): allow parameter replacement in key files

Changed

• enhancement(network): add use of static CIDR property for VPC templates
• enhancement(network): update Direct Connect custom resource logic to handle asynchronous actions
• enhancement(network): add Resolver endpoint name to deployed endpoints
• enhancement(logging): transform cloudwatch logs data to allow query from athena
• enhancement(organizations): move replacements to stack level
• enhancement(organizations): added checks for scps with no OUs or accounts
• enhancement(organizations): validate scp count
• enhancement(configs): add config rules and ssm auto remediation in AWS GovCloud (US) reference config
• fix(logging): update central log key lookup set log bucket to central log region
• fix(logging): move account CloudTrail S3 logs to central log bucket
• fix(organizations): add cases for null organizations and accounts in SCP
• fix(pipeline): force bootstraping to run in global region and home region if missing
• fix(ssm) limit api calls to 20 accounts per invocation
• fix(sns): update sns policies
• fix(sns): added account check on sns kms key policy
• fix(kms): add ebs kms policy for cloud9
• fix(security): updated sns topic to use home region rather than global region

New Configurations

• US Aerospace
• US State and Local Government Central IT
• Canadian Centre for Cyber Security (CCCS) Cloud Medium
• Trusted Secure Enclaves Sensitive Edition (TSE-SE) for National Security, Defence, and National Law Enforcement
• Elections
• Finance (Tax)

v1.2.2

Important

This release fixes an issue with the deployment of AWS Budgets, and only affects customers that have deployed an AWS Budget, with multiple enabled regions defined in their global-config.yaml, and are using v1.2.1.

In v1.2.1, the definition of AWS Budgets was not limited to only the home region, which caused the object to be deployed to multiple regions. In this release, logic has been added to ensure that AWS Budgets are only added in the defined home region.
These steps are required for if you currently have an AWS Budget deployed through LZA release/v1.2.1:

1. In the AWS console, delete the existing budget within management or any other account where a budget was deployed.
2. Go into the LZA config repository and remove (or comment out) budgets from the config.
3. Update to this version (release/v1.2.2) by updating the branch name for your InstallerStack through the AWS CloudFormation console.
4. Release the changes to the LZA pipeline within the AWS console once to ensure that the current budget is removed from the account.
5. Once the pipeline has completed, add the budgets back into the global-config.yaml file and release the CodePipeline for LZA

Changed

• fix(app) wrap execution in try/catch to surface errors
• fix(budgets) budgets causing operations stack to fail

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.2.2 for this release)