Releases: awslabs/landing-zone-accelerator-on-aws

v1.6.2

28 Mar 18:26

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Dynamic Replacements

In release v1.5.0, we introduced LZA replacements which enabled customers to perform substitutions in configuration files on strings surrounded by double curly braces. This resulted in unintended replacement behavior for customers using this syntax without knowledge of LZA replacement functionality. To ensure all configuration substitutions are deliberate, we have added a configuration validation check to ensure all strings surrounded by double curly braces in the LZA configuration files are SSM dynamic references or referenced in replacements-config.yaml. See Parameter Store reference variables for more information.
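The validation check described above, illustrated with an added example that is not the project's own validator: it scans a configuration file for every string wrapped in double curly braces and accepts a token only if it is an SSM dynamic reference or a key declared in replacements-config.yaml; anything else is reported with its line number so the operator can decide whether the substitution was intended. The `{{resolve:ssm:/param/path}}` form of an SSM dynamic reference and the `globalReplacements` / `key` / `type` / `value` layout of replacements-config.yaml are assumptions made here, and both sample files are constructed.

```python
import re

# A {{ ... }} placeholder anywhere on a line (whitespace inside the braces is ignored).
PLACEHOLDER = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# SSM dynamic reference; assumed here to use the CloudFormation form {{resolve:ssm:/param/path}}.
SSM_DYNAMIC_REF = re.compile(r"^resolve:ssm:[^\s{}]+$")
# 'key: NAME' entries of replacements-config.yaml (file layout assumed, see REPLACEMENTS_CONFIG).
REPLACEMENT_KEY = re.compile(r"^\s*-?\s*key:\s*['\"]?([A-Za-z0-9_\-]+)['\"]?\s*$", re.MULTILINE)

# Constructed sample replacements-config.yaml; the globalReplacements/key/type/value
# layout is an assumption, not copied from the project.
REPLACEMENTS_CONFIG = """\
globalReplacements:
  - key: ACCELERATOR_PREFIX
    type: String
    value: AWSAccelerator
  - key: LOG_BUCKET_SUFFIX
    type: String
    value: central-logs
"""

# Constructed sample of a configuration file holding three kinds of braces: declared
# replacements, an SSM dynamic reference, and a literal that was never meant to be
# substituted (the unintended replacement this check is designed to surface).
SAMPLE_CONFIG = """\
# constructed example, not a real LZA file
homeRegion: us-east-1
centralLogBucketName: {{ACCELERATOR_PREFIX}}-{{ LOG_BUCKET_SUFFIX }}
adminEmail: {{resolve:ssm:/accelerator/admin-email}}
customerTagValue: {{ Company Name }}
"""


def load_replacement_keys(replacements_yaml: str) -> set:
    """Return the set of replacement keys declared in replacements-config.yaml text."""
    return set(REPLACEMENT_KEY.findall(replacements_yaml))


def find_placeholders(config_text: str):
    """Yield (line_number, token) for every {{ ... }} occurrence, one line at a time."""
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in PLACEHOLDER.finditer(line):
            yield lineno, match.group(1)


def classify(token: str, keys: set) -> str:
    """Label a brace token as 'ssm', 'replacement' or 'unknown'."""
    if SSM_DYNAMIC_REF.match(token):
        return "ssm"
    if token in keys:
        return "replacement"
    return "unknown"


def validate_config(filename: str, config_text: str, keys: set) -> list:
    """Return one error string per double-curly-brace token that is neither an SSM
    dynamic reference nor a declared replacement; an empty list means the file passes."""
    errors = []
    for lineno, token in find_placeholders(config_text):
        if classify(token, keys) == "unknown":
            errors.append(f"{filename}:{lineno}: undefined replacement '{{{{{token}}}}}'")
    return errors


if __name__ == "__main__":
    declared = load_replacement_keys(REPLACEMENTS_CONFIG)
    problems = validate_config("global-config.yaml", SAMPLE_CONFIG, declared)
    for problem in problems:
        print(problem)
    raise SystemExit(1 if problems else 0)
```

Run against the constructed samples, the validator passes the two declared keys and the SSM reference and flags only `{{ Company Name }}` on line 5, which is exactly the case the release note describes: braces written without knowledge of the replacement feature. Wiring such a check into the pipeline's validation stage (with a non-zero exit) stops the deployment before an unintended substitution reaches a deployed resource.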

Fixed

  • fix(container): ecr immutability tag on bootstrap
  • fix(docs): improvements to installation.md
  • fix(replacements): throw error for undefined replacements
  • fix(diff): dependent stack lookup
  • fix(diff): customizations template lookup
  • fix(networking): fix Canada region physical AZ Subnet lookup
  • fix(metadata): event based get-accelerator-metadata

v1.6.1

22 Feb 05:08

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

Fixed

  • fix(docs): broken links in documentation
  • fix(route53): associate hosted zones timeout
  • chore(diagnostics-pack): cleanup

v1.6.0

11 Jan 21:40

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Added

  • feat(budgets): Budget notifications accept array of email addresses
  • feat(cloudwatch): provide the ability to use CloudWatch service key for LogGroup encryption
  • feat(config-service): allow reference of public ssm documents
  • feat(customizations): Enhance custom applications to deploy in shared VPC
  • feat(firewalls): load firewall configuration from directory and support secret replacement
  • feat(lambda): Allow option to use service key for AWS Lambda function environment variables encryption
  • feat(networking): add support for targeting network interfaces
  • feat(pipeline): use v2 tokens for sts
  • feat(regions): Add il-central-1 region
  • feat(replacements): added check for commented out replacements-config.yaml
  • feat(replacements): extend dynamic parameter lookups
  • feat(resource-policies): Support additional AWS services in resource based policies
  • feat(s3): make the creation of access log buckets and S3 encryption CMK optional
  • feat(ssm): add aggregated ssm region policy construct
  • feat(support): add Diagnostic Pack support
  • feat(validation): adds configuration validation for cmk replacement in the AWS config remediation lambda.
  • feat(validation): add option to skip static validation

Changed

  • chore(documentation): added SBOM instructions to FAQ
  • chore(documentation): added Architecture and Design Philosophy section to DEVELOPING.md
  • chore(documentation): Update security hub cis 1.4.0 control examples
  • chore(esbuild): update build target from node16 to node18
  • enhancement(ebs): Add deployment targets to ebs encryption options
  • enhancement(iam): added prefix condition to trust policies
  • enhancement(logging): Add validation for s3 resource policy attachments against public block access
  • enhancement(networking): allow ability to define static replacements for EC2 firewall configurations
  • enhancement(networking): allow ability to deploy EC2 firewall in RAM shared VPC account
  • enhancement(pipeline): optimize CodeBuild memory for over 1000 stacks
  • enhancement(validation): Managed active directory secret config account validation

Fixed

  • fix(aspects): saml lookup for console login to non-standard partitions fails
  • fix(budget): sns topic arn for budgets notifications
  • fix(config-service): modify public ssm document name validation
  • fix(guardduty): export findings frequency and exclude region settings for protections are ignored
  • fix(iam): update the iam role for systems manager
  • fix(logging): refactored CloudWatch Log exclusion filter to use regex
  • fix(networking): Allow for Target Groups with type IP to be created within VPC without targets specified
  • fix(networking): added explicit dependency between vpc creation and deletion of default vpc
  • fix(networking): create network interface route for firewall in shared vpc
  • fix(networking): reverted role name to VpcPeeringRole
  • fix(networking): share subnets with tags causes SSM parameter race condition
  • fix(networking): add dependency between networkAssociations and GWLB stages
  • fix(operations): account warming fails
  • fix(organizations): enablePolicyType function blocks tag and backup policy creation in GovCloud
  • fix(pipeline): consolidate customizations into single app
  • fix(pipeline): exit pipeline upon synth failure
  • fix(pipeline): evaluate limits before deploying workloads
  • fix(scp): Catch PolicyNotAttachedException when SCP is allow-list strategy
  • fix(scp): Add organization_enabled variable to revertSCP Lambda function
  • fix(ssm): intermittent failure in OperationsStack, added missing dependency
  • fix(toolkit): enforce runOrder for custom stacks in customizations stage
  • fix(validation): allow OUs and accounts for MAD shares
  • fix(validation): Fix max concurrent stacks validation
  • fix(validation): Add validation on static parameters for policy templates
  • fix(validation): validate kmsKey and subnet deployment targets

Configuration Changes

  • chore(aws-best-practices-tse-se): migrated to new GitHub repository
  • chore(aws-best-practices-cccs-medium): migrated to new GitHub repository

v1.5.2

16 Nov 14:51

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Fixed

  • fix(toolkit): enforce runOrder for custom stacks in customizations stage
  • fix(aspects): saml lookup for console login to non-standard partitions fails
  • fix(pipeline): exit pipeline upon synth failure
  • fix(pipeline): consolidate customizations into single app

Changed

  • chore: update libs per audit findings

Configuration Changes

  • chore: migrate cccs and tse-se configuration

v1.5.1

19 Oct 20:30

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Fixed

  • fix(iam): Security_Resource stack failure to assume role into suspended and un-enrolled account
  • fix(identity-center): operation stack AcceleratorLambdaKey construct already exists
  • fix(customizations): could not load credentials from any providers

v1.5.0

12 Oct 22:27

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for more information.

Centralized logging bucket policy enhancement

The S3 Bucket policy for the centralized logging bucket was updated, in 4cff4bf, to further restrict actions by principals within an AWS Organization. See s3ResourcePolicyAttachments for more information regarding further customization of the centralized logging bucket.

Sample Configuration service control policies (SCPs) enhancement

The lza-sample-config [previously aws-best-practices] provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-2.json SCP has been enhanced with an additional clause that protects the prefixes used within the LZA engine. We recommend reviewing the configuration changes made to the lza-sample-config and determining which of them you need to apply to your own configuration.

[1.5.0] - 2023-10-05

Added

  • feat(backup): add Backup vault policy
  • feat(config): allow users to set stack concurrency
  • feat(config): M2131 WAF logging enabled
  • feat(control-tower): add control tower controls
  • feat(identity-center): add IdentityCenter extended permission set and assignment
  • feat(logging): enable non-accelerator subscription filter destination replacement
  • feat(logging): move larger CloudWatch logs payloads back into kinesis stream for re-ingestion
  • feat(networking): add ability to reference dynamic configuration file replacements and license files for EC2 firewalls
  • feat(networking): add dynamic EC2 firewall site-to-site VPN connections and configuration replacements
  • feat(networking): add exclude regions for default VPC
  • feat(networking): allow gateway and interface endpoint service customizations
  • feat(networking): Created Shared ALB and supporting resources (ACM, Target Groups)
  • feat(replacements): support Policy Replacements in VPC Endpoint policies
  • feat(s3): allow import of S3 buckets
  • feat(s3): support lifecycle rules for given prefix
  • feat(security-hub): allow customers to disable Security Hub CloudWatch logs
  • feat(service-catalog): support service catalog product constraints
  • feat(ssm): allow SSM replacements through replacements-config.yaml
  • feat(ssm): allow creation of custom SSM parameters
  • feat(tags): Support Customer Tags

Changed

  • enhancement(docs): add script to generate versioned TypeDocs
  • enhancement(iam): make managed AD resolverRuleName property optional
  • enhancement(logging): Add Landing Zone Accelerator on AWS specific IAM roles to central S3 bucket policy
  • enhancement(networking): add ability to define advanced VPN tunnel configuration parameters
  • enhancement(networking): add ability to dynamically reference same-VPC subnets as a route destination
  • enhancement(networking): add ability to reference physical IDs for subnet availability zones and for Network Firewall endpoint lookups
  • enhancement(networking): add AWSManagedAggregateThreatList to supported DNS firewall managed domain lists
  • enhancement(pipeline): allow synth and deploy to write to stack specific directories
  • enhancement(validation): Add config rule name validation
  • enhancement(validation): add name uniqueness check for IAM policies and roles
  • enhancement(validation): add validation for security delegated admin account
  • chore(deps): bump semver to 7.5.2
  • chore(deps): bump lerna to 7.2.0
  • chore(deps): bump proxy-agent to 6.3.0
  • chore(deps): bump aws-cdk to 2.93.0
  • chore(docs): added instructions for validations and tests
  • chore(docs): added documentation for excluded regions in audit manager
  • chore(docs): document dynamic partitioning format in TypeDocs
  • chore(docs): remove invalid targets for routeTableEntry
  • chore(docs): update TransitGatewayAttachmentConfig docs to reflect subnet update behavior
  • chore(docs): updated typedoc example for budget notifications
  • chore(docs): update maxAggregationInterval to match appropriate unit
  • chore(docs): VPC Flow Logs central logging method indicated service-native S3 logging
  • chore(logging): add accelerator roles to central bucket policy
  • chore(organizations): Moved getOrgId function to config
  • chore(organizations): Removed Check for Tag and Backup policies in AWS GovCloud
  • chore(test): update test pipeline lambda functions to Node.js 16 runtime
  • chore(utils): moved chunkArray to utils
  • chore(validation): Remove let from config validation
  • chore: license file updates
  • chore: refactor engine to reduce complexity
  • chore: updated dependencies for aws-sdk

Fixed

  • fix(accelerator-prefix): accelerator prefix remains hardcoded in some constructs
  • fix(accounts): allow Control Tower account enrollment in GovCloud
  • fix(acm): Duplicate certificate imported on CR update
  • fix(applications): allow launchTemplates without userData, remove securityGroup checks
  • fix(audit-manager): excluded regions list ignored in security audit stack
  • fix(bootstrap): synth large environments runs out of memory
  • fix(cdk): fixed promise bug for parallel deployments
  • fix(cloudwatch): log replication with exclusion times out
  • fix(cloudwatch): Updated logic to deploy CW log groups to OUs
  • fix(customizations): make security groups optional in launch templates
  • fix(deployment): Enforce IMDS v2 for Managed Active Directory controlling EC2 instance
  • fix(guardduty): create guardduty prefix in s3 destination when prefix deleted by life cycle policy
  • fix(guardduty): support account create and delete actions for more than 50 accounts
  • fix(guardduty): Delete publishing destination when enabled is false
  • fix(guardduty): Updated createMembers function to use SDKv3
  • fix(iam): remove permissive runInstance from policy
  • fix(iam): add IAM validation for roles, groups, users to Policies
  • fix(iam): failed to assume role with static partition
  • fix(iam): Added error handling for service linked role already existing
  • fix(iam): update boundary control policy IAM get user actions
  • fix(identity-center): incorrect sso regional endpoint
  • fix(identity-center): fix api rate exceeded issue
  • fix(limits): Allow service quota limits to be defined with regions
  • fix(logging): change kms key lookup for central bucket
  • fix(logging): fixed logging stack deployment order
  • fix(logging): central log bucket cmk role exists when centralized logging changed
  • fix(logging): enable CloudWatch logging on Firehose
  • fix(logging): Add prefix creation for imported central log buckets
  • fix(logging): add firehose records processor to exclusion list default
  • fix(logging): compress logs within lambda and set firehose transform to uncompressed
  • fix(MAD): Remove key pair from MAD instance
  • fix(networking): duplicate construct error when creating GWLB endpoints in multiple VPCs under the same account
  • fix(networking): fix underscore subnet names
  • fix(networking): Transit gateway peering fails when multiple accepter tgw has multiple requester
  • fix(networking): Fixed IPv6 validation for Prefix Lists
  • fix(networking): incorrect private hosted zones created for interface endpoint services with specific API subdomains
  • fix(networking): AZ not defined error when outpost subnet is configured
  • fix(networking): fixed isTarget conditions for target groups
  • fix(networking): update regional conditions for shared ALBs
  • fix(networking): EC2 firewall config replacements incorrectly matches multiple variables on a single line
  • fix(networking): EC2 firewall config replacements missing hostname lookup
  • fix(organizations): load ou units asynchronously
  • fix(pipeline): useManagementAccessRole optional
  • fix(pipeline): time out in CodePipeline Review stage
  • fix(pipeline): change assume role behavior on management account
  • fix(pipeline): add nagSupression to firewall service linked role
  • fix(pipeline): toolkit does not use prefix variable
  • fix(replacements): Updated generatePolicyReplacements arguments to include organization id
  • fix(roles): add UUID to service linked role to prevent accidental deletion
  • fix(roles): make security audit stack partition aware
  • fix(roles): add delay on service linked role creation
  • fix(roles): create service linked role in custom resource
  • fix(saml): SAML login is hardcoded
  • fix(s3): access logs bucket external policy fix
  • fix(scp): scpRevertChanges should use accelerator prefix
  • fix(security): bring your own KMS key cannot reference service-linked roles in key policy file
  • fix(security): Increased memory for GuardDuty custom resource
  • fix(security): custom config rule discarding triggering resource types
  • fix(ssm): PutSsmParameter upgrade from v1.3.x to v1.4.2+ fails
  • fix(ssm): Added check to see if roles exist before policy attachment
  • fix(sso): Added validation to flag permission set assignments created for management account
  • fix(tagging): Accel-P tag is appropriately set on resources
  • fix(uninstaller): detach customer policies prior to delete
  • fix(validation): Add config rule name validation
  • fix(validation): va...

v1.4.3

19 Jul 21:49

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that you set Branch Name to the latest version (release/v1.4.3 for this release). See Update the solution for more information.

Upgrading from version 1.4.0/1.4.1 to 1.4.2+

For users with shared VPC subnets configured, if you are encountering an SSM parameter validation error during the Network_Associations stage, use the following update procedure:

  1. Determine the parameters that are needed in the share target accounts by reviewing the CloudWatch logs for the Lambda function that is prefixed with AWSAccelerator-NetworkVpc-CustomSsmPutParameterVal- in the account that owns the shared VPC.
  2. Manually create the parameters in any accounts that are failing SSM parameter validation.
  3. Re-run the core pipeline.
  4. After upgrading to 1.4.2+, this process will not be required for newly-enrolled accounts in the share target OUs.

Fixed

  • fix(logging): cloudwatch logging, change log format in firehose to json
  • fix(organizations): large OU organizations fail to load during prepare stage
  • fix(networking): cannot provision new IPAM subnets when VPC has CIDRs from non-contiguous CIDR blocks
  • fix(networking): Modify Transit Gateway resource lookup construct ids
  • fix(validate-config): ValidateEnvironmentConfig improperly evaluates enrolled CT accounts as not enrolled

Configuration Changes

  • chore(aws-best-practices-tse-se): include granular billing SCP permission updates
  • chore(aws-best-practices-cccs-medium): include granular billing SCP permission updates

v1.4.2

20 Jun 21:54

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that you set Branch Name to the latest version (release/v1.4.2 for this release). See Update the solution for more information.

Upgrading from version 1.4.x to 1.4.2

For users with shared VPC subnets configured, if you are encountering an SSM parameter validation error during the Network_Associations stage, use the following update procedure:

  1. Determine the parameters that are needed in the share target accounts by reviewing the CloudWatch logs for the Lambda function that is prefixed with AWSAccelerator-NetworkVpc-CustomSsmPutParameterVal- in the account that owns the shared VPC.
  2. Manually create the parameters in any accounts that are failing SSM parameter validation.
  3. Re-run the core pipeline.
  4. After upgrading to 1.4.2, this process will not be required for newly-enrolled accounts in the share target OUs.

Fixed

  • fix(ssm): PutSsmParameters custom resource ignores new accounts
  • chore(organizations): moved getOrganizationId to organizations-config
  • fix(iam): service linked roles fail to create in multi-region deployment
  • fix(validation): TGW route validation fails when prefixList deployment targets do not have excluded regions
  • fix(validation): incorrectly configured security delegated admin account isn’t caught by validation
  • fix(docs): README indicates S3 server access logs are replicated to central logs bucket

v1.4.1

18 May 21:17

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that you set Branch Name to the latest version (release/v1.4.1 for this release). See Update the solution for more information.

Fixed

  • fix(route53): route53 resolver configuration depends on Network Firewall configuration
  • fix(config): AWS Config recorder failure when enabled in new installation
  • fix(installer): set default value for existing config repository parameters
  • fix(networking): non-wildcard record missing in hosted zone for centralized S3 interface endpoints
  • chore(bootstrap): update CDK version to 2.79.1
  • chore(lambda): Increased memory size of custom resources

v1.4.0

05 May 15:00

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that you set Branch Name to the latest version (release/v1.4.0 for this release). See Update the solution for more information.

Security groups defined in shared VPCs are now replicated to accounts where the subnets are shared. If you reference a prefix list from a security group, you need to update the deployment targets of the prefix list to deploy the prefix list in all shared accounts. (network-config.yaml)

Lambda runtimes for AWS Config rules were updated to NodeJs16. (security-config.yaml)

Cross-account IPAM subnet references have been updated and require a configuration change. This only affects customers that reference IPAM-created subnets residing in the same account and region in which the NACL rule is created. To resolve this, you will need to:

  1. Comment out any NACL rules that reference IPAM-created subnets residing in the same account and region as the NACL being created.
  2. Run the pipeline, which will delete the NACL rules.
  3. Uncomment the same-account NACL rules and run the pipeline once again.

Added

  • feat(config): Utilize existing AWS Config Service Delivery Channel
  • feat(installer): Support custom prefix for LZA resources
  • feat(logging): Add S3 prefix to Config Recorder delivery channel
  • feat(networking): Added deploymentTargets property for prefix lists
  • feat(networking): add ability to reference same-account IPAM subnets in Security Groups and NACLs
  • feat(scp): Implement SCP allow-list strategy
  • feat(security-config): Add ability to define CloudWatch Log Groups
  • feat(security hub): allow definition of deploymentTargets for Security Hub standards
  • feat(validation): verify no ignored OU accounts are included in accounts-config file

Changed

  • chore(app): Update AWS CDK version to 2.70.0
  • chore(docs): adding optional flags and replacement warnings to SecurityConfig and NetworkConfig
  • chore(network): network stack refactor to assist in development efforts
  • enhancement(cdk): Configure CDK to use managementAccountAccessRole for all actions
  • enhancement(logging): Reduce logging in firehose processor to optimize cost
  • enhancement(networking): replicate Security Groups to Accounts with RAM shared subnets
  • enhancement(network): make vpcFlowLogs property optional

Fixed

  • fix(accounts): methods used to retrieve Account IDs for Root OU targets return ignored accounts
  • fix(bootstrap): Forced bootstrap update for non-centralized CDK buckets
  • fix(budgets): unable to deploy AWS Budgets in Regions without vpc endpoint
  • fix(ebs): EBS encryption policy references Account instead of Region
  • fix(logging): remove nested looping for additional statements
  • fix(networking): fix IPAM SSM lookup role name mismatch
  • fix(networking): VPC-level ALBs and NLBs may reference incorrect logging bucket region
  • fix(networking): replicating shared VPC/subnet tags to consumer account fails if sharing subnets from multiple owner accounts
  • fix(networking): default VPCs are not deleted if the excludedAccounts property is not included
  • fix(pipeline): Credential timeout for long running stages
  • fix(sso): permission sets and assignments created outside of LZA cause pipeline failure
  • chore(application-stack): refactor application stack to reduce complexity

Configuration Changes

  • feat(aws-best-practices-education): Added additional security-config controls
  • feat(aws-best-practices-tse-se): Added AWS Control Tower installation instructions
  • enhancement(aws-best-practices): Replace hard-coded management role in guardrail SCPs with a variable
  • enhancement(aws-best-practices-cccs-medium): updated configuration to utilize accelerator prefix feature
  • enhancement(aws-best-practices-tse-se): updated install instructions for GitHub personal access token