Releases: awslabs/landing-zone-accelerator-on-aws
v1.11.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Advanced CloudFormation Stacksets Operational Control:
This new feature enables the option to specify operational preferences such as region order, max concurrency, and concurrency mode to StackSets in the customizations stage (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-operationpreferences.html).
Chatbot Policies Integration with Organizations:
This release adds support for Chatbot Policies through the Organizations config file. Chatbot policies allow you to control access to an organization's accounts from chat applications such as Slack and Microsoft Teams (https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-orgs-policy.html).
Enhanced CloudWatch Log Replication to S3:
This release provides the ability to specify a log file extension for CloudWatch Logs that are replicated to S3 via Firehose. This functionality allows for improved log file organization, identification, and a better SIEM integration experience.
Added
- feat: add eks-auth endpoints to hosted-zone
- feat(customizations): add feature to set custom admin and execution roles for custom stacksets
- feat(customizations): add operational preferences support for stacksets customization
- feat(doc): add package dependency section in typedoc
- feat(eventbus): add support for default event bus resource policy
- feat(iam): create IAM user without console access
- feat(lambda): add lambda runtime to the construct props and default to Node 18
- feat(logging): provide file extension to CloudWatch log replicated files in S3
- feat(networking): allows the option of specifying a network firewall policy arn
- feat(organizations): add support for chatbot policies
- feat(pipeline): add feature to parallelise synth and diff operations
- feat(pipeline): add feature to reuse synth for all deploy actions
- feat(pipeline): add feature to consolidate all diffs and generate URL for review in Review stage
- feat(pipeline): add feature to deploy LZA solution region by region
- feat(test): add api assertion to integration testing
- feat(validation): validating that order of CIDRs is not changed
Fixed
- fix: added missing imports to test file
- fix: Disable management events for Lambda & S3 Cloudtrail event selectors
- fix: hosted zone DNS for Sagemaker VPC Endpoints
- fix: updated GitHub action target
- fix(account): remove partition checks for account creation in prepare stack
- fix(assets): add local account for ssm parameters to assets policy
- fix(build): fixing naming scheme of installer templates
- fix(config/validation): make account email comparisons case insensitive
- fix(config-service): only record global resources in home region
- fix(config-service): exclude global resources from recorder except in home region
- fix(control-tower): update landingzone fails for non-default security ou name
- fix(docs): change macie api version
- fix(globalConfig): provide required permissions for subscriptions
- fix(iam): add supported partition for service linked roles
- fix(identity-center): checks if a user or group exists when building assignments
- fix(installer): fix management account bootstrap failed when using external pipeline
- fix(logging): add log stream arn for SubscriptionFilterRole IAM Policy
- fix(logging): fixed permissions on custom resource for when cloudwatch encryption is enabled in global-config
- fix(logging): incorrect managed policy for imported elb access log bucket
- fix(logging): updated kms key for imported asset bucket
- fix(macie): unable to publish sensitive data findings to security hub
- fix(networking): add conditions to trust policy for DescribeTgwAttach IAM Role
- fix(networking): add conditions to trust policy for VpcPeering IAM Role
- fix(networking): fixes ssm parameter name format
- fix(networking): trust policy for tgw peering multiple acceptors to single requestor account
- fix(organizations): create ou's in all partitions with exceptions
- fix(resolver): correctly identify custom domain list filename
- fix(s3): imported elb bucket policy attachment failed
- fix(uninstaller): correct syntax for debug log
- fix(validation): make case insensitive comparisons when validating email addresses
- fix(warning): removes unreachable code that results in warning
Changed
- chore: bump version to v1.11.0
- chore: change viperscan from cli to wget
- chore(cli): modify cli signature
- chore(documentation): create lza module documentation
- chore(modules): add config parsing module lza-config
- chore(modules): add aws-lza package for ct module and lza cli
- chore(test): updated tests for stack creation
- chore(testing): moves construction of stacks from test bootstrap into test run
Configuration Changes
- chore(cn): remove cn sample configuration directory
- chore(sample-config): add kms key disable rotation prevention control in sample config
- chore(sample-config): add kms delete policy to scp in sample config
- chore(sample-config): add transit gateway and ram share protection in sample config
- chore(sample-config): externalize healthcare configurations
Full Changelog: v1.10.0...v1.11.0
v1.10.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(metadata): accelerator metadata lambda times out without error
- fix(docs): resolve broken links in mkdocs
- fix(route53): fix hosted zone DNS for Sagemaker VPC Endpoints
- fix(route53): fix hosted zone DNS for EKS-Auth VPC Endpoints
- fix(pipeline): bootstrap stage failed silently
- fix(organizations): fix enabled controls cfn throttling
v1.10.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Performance Improvements
This release includes significant performance improvements to the overall runtime of the LZA pipeline.
feat(performance): changed transpiler to swc - We have replaced the default TypeScript transpiler for the LZA with SWC. This enhancement can reduce the overall runtime of the LZA pipeline depending on the number of accounts and environments that need to be synthesized and deployed. Customers who have a small number of accounts and enabled regions managed by the LZA will see the greatest benefit from this change.
fix(bootstrap): batched bootstrap checks - We have changed the bootstrapping process to batch the API calls that check whether the bootstrapping stack needs to be updated. This substantially speeds up the bootstrapping stage when no update to the bootstrapping stack is required. Customers who have a large number of accounts and enabled regions will see the greatest benefit from this change.
VPC CIDR Ordering
The Landing Zone Accelerator allows customers to provide a list of CIDR ranges when creating Amazon Virtual Private Clouds (VPCs). This release has updated our documentation to specify that the ordering of provided CIDR ranges in the network-config.yaml file should be maintained when adding or removing additional CIDRs. The first entry in the list is mapped to the CidrBlock CloudFormation property, which results in replacement of the resource when modified.
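The replacement risk described above is easy to catch before a pipeline run. The following is an added example, not code from the Landing Zone Accelerator project: a small pre-commit style check that compares the `cidrs` list of each VPC in the old and new network-config (the `vpcs`/`name`/`cidrs` shape and the sample CIDR values are constructed for this example) and flags a changed first entry, which would force CloudFormation to replace the VPC, as well as any reordering of retained entries, which the release note says should be avoided.

```python
import ipaddress

# Constructed sample data: the 'cidrs' list of one VPC before and after an edit.
# The first entry is the one that feeds the CidrBlock property of the VPC.
VPC_BEFORE = ["10.0.0.0/16", "10.1.0.0/16"]
VPC_AFTER_APPEND = ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]  # safe: appended at the end
VPC_AFTER_REORDER = ["10.1.0.0/16", "10.0.0.0/16"]  # unsafe: primary CIDR changed
VPC_AFTER_REMOVE_FIRST = ["10.1.0.0/16"]  # unsafe: primary CIDR changed


def check_cidr_order(vpc_name, before, after):
    """Return a list of human-readable findings for one VPC's cidrs change.

    Rules applied:
      * every entry in the new list must parse as an IPv4 network
      * the first entry must not change (it maps to CidrBlock; changing it
        makes CloudFormation replace the VPC and everything attached to it)
      * entries kept from the old list must keep their relative order
        (the release note asks that ordering be preserved when adding/removing)
    """
    findings = []
    for cidr in after:
        try:
            ipaddress.IPv4Network(cidr)  # strict: rejects host bits set, bad octets
        except ValueError:
            findings.append(f"{vpc_name}: '{cidr}' is not a valid IPv4 CIDR")
    if not after:
        findings.append(f"{vpc_name}: cidrs list is empty")
        return findings
    if before and after[0] != before[0]:
        findings.append(
            f"{vpc_name}: primary CIDR changed from {before[0]} to {after[0]}; "
            "updating CidrBlock would REPLACE the VPC"
        )
    kept_old_order = [c for c in before if c in after]
    kept_new_order = [c for c in after if c in before]
    if kept_old_order != kept_new_order:
        findings.append(f"{vpc_name}: existing CIDRs were reordered ({before} -> {after})")
    return findings


def check_network_config(before_cfg, after_cfg):
    """Run check_cidr_order for every VPC in the new config.

    Assumed (constructed) config shape, mirroring a parsed network-config.yaml:
        {"vpcs": [{"name": "<vpc name>", "cidrs": ["<cidr>", ...]}, ...]}
    VPCs that are new in after_cfg have no previous list and are only syntax-checked.
    """
    previous = {v["name"]: v.get("cidrs", []) for v in before_cfg.get("vpcs", [])}
    findings = []
    for vpc in after_cfg.get("vpcs", []):
        name = vpc["name"]
        findings.extend(check_cidr_order(name, previous.get(name, []), vpc.get("cidrs", [])))
    return findings


if __name__ == "__main__":
    # Constructed before/after configs for two VPCs.
    before_cfg = {"vpcs": [{"name": "Network-Inspection", "cidrs": VPC_BEFORE},
                           {"name": "SharedServices", "cidrs": ["10.4.0.0/16"]}]}
    after_cfg = {"vpcs": [{"name": "Network-Inspection", "cidrs": VPC_AFTER_REORDER},
                          {"name": "SharedServices", "cidrs": ["10.4.0.0/16", "10.5.0.0/16"]}]}
    for line in check_network_config(before_cfg, after_cfg):
        print("FINDING:", line)
```

Run it against the parsed old and new configuration (for example, the checked-in file and the working copy) and fail the commit or pipeline stage when any finding is returned; removing a secondary CIDR from the middle of the list produces no finding, while moving or removing the first entry does.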
New Configuration Repository Location Parameter Option for Installation
New LZA Installations:
This release provides the opportunity for new installations to leverage AWS CodeConnections to use GitHub, GitLab, or Bitbucket for storing the LZA configuration files. This supplements existing options including AWS CodeCommit and Amazon S3 to provide even more flexibility when integrating LZA operations into existing workflows.
Added
- feat(networking): add support for TLS1.3 security policy for ALB and NLB listener
- feat(performance): changed transpiler to swc
- feat(pipeline): add codeconnection as configuration source
- feat(regions): add support for the ap-southeast-5 opt-in region
- feat(regions): add feature to enable opt-in regions programmatically
- feat(s3): add error handling and validation for s3 config
- feat(s3): add feature flag parameter use-s3-source for S3 as LZA source code location
- feat(stacksets): added support for dependencies between stacksets
- feat(uninstaller): deleted s3 repo in uninstaller
- feat(yarn): add ability to use .yarnrc to use custom package registry and ca-certs
Fixed
- fix(bootstrap): batched bootstrap checks
- fix(control-tower): updated boolean logic to get LZ identifier
- fix(custom-stacks): loaded replacement values during custom stack deployment
- fix(diff): parse error during diff
- fix(firewalls): fix firewall owner lookup when deployed in shared VPC
- fix(iam): add cdk feature flag to minimize iam policy
- fix(iam): use same form of service principal in all partitions: .amazonaws.com
- fix(logs): refactored NewCloudWatchLogEvent to ignore LZA-managed log groups
- fix(metadata): fixed config file writes with codecommit
- fix(organizations): failure when 5 SCPs with allow-list strategy option is defined
- fix(organizations): update organizations module to handle nested ou's correctly
- fix(prerequisites): checks forces child accounts to have CodeBuild parallel executions
- fix(replacements): accel_lookup variable not getting replaced for all the occurrences
- fix(s3): fix s3 bucket name constructs for imported buckets
- fix(s3): fixed issue where s3 bucket as source did not support a KMS-encrypted bucket
- fix(s3): default asset bucket name to home region
- fix(s3): add methods to construct imported bucket
- fix(ssm): updated session manager role to allow kms permissions in all enabled regions
- fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
- fix(uninstaller): include deletion of IdentityCenter and ResourcePolicyEnforcement stacks
Changed
- chore: remove cdk 2.148.0 dependencies
- chore: suppress node warnings on synth
- chore: update typedoc to v0.26.7
- chore: updated cdk version
- chore: updated deps @types/jest v29.5.12 aws-sdk v3.637.0
- chore: upgrade aws sdk to v2.1691.0
- chore: upgrade lerna to v8.1.8
- chore(cfn-nag): added suppressions
- chore(documentation): add security.md file to repo
- chore(documentation): added json-schema page
- chore(documentation): update config.md Control Tower OU guidance
- chore(documentation): updating typedoc for vpc cidrs to include caveat about cidr list
- chore(installer): added clarification to CF template
- chore(lambda): remove debug console log statements
- chore(modules): renamed modules to lza-modules
- chore(organizations): use global region in AWS Organizations client
- chore(regions): update global region map
- chore(sample-config): add iam user create prevention control in sample config
- chore(sample-config): add kms modification protection to preventative controls in sample config
- chore(sample-config): add disable import findings integration to scp
- chore(sample-config): update s3 service control policy
- chore(sts): updated sts endpoints
- chore(uninstaller): improved performance for deployments with many regions
- chore(validation): extending validation on ENI lookups to allow for _ character
v1.9.2
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(metadata): fixed config file writes with codecommit
- fix(validation): configuration validation failure when SecurityHub was enabled with Control Tower
- fix(control-tower): skip existing Control Tower identifier check when Control Tower is not enabled
Changed
- chore: add security.md file to repo
v1.9.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Sample Configuration service control policies (SCPs) enhancement
The lza-sample-config provides a set of Service Control Policies (SCPs) that can be used as a starting point for configuring the LZA after initial deployment. The guardrails-1.json SCP has been enhanced with an additional clause that protects invocation of the Lambda functions used within the LZA engine. We recommend reviewing the configuration changes made to the lza-sample-config to determine which changes you need to apply to your configuration.
Changed
- chore: upgrade github action to node20
Configuration Changes
- chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions
v1.9.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
New Configuration Repository Location Parameter for Installation
New LZA Installations:
This release provides the opportunity for new installations to leverage Amazon S3 for storing the LZA configuration files, which were previously managed by AWS CodeCommit. New installations of LZA are recommended to use s3, as this will be the default source location for the LZA configuration repository moving forward.
Existing LZA Environments / LZA Version Upgrades:
When performing an upgrade to the latest version of LZA, this parameter will not be automatically selected and will require manual intervention. For upgrades of LZA, please select codecommit, as migrating from an AWS CodeCommit repository to an S3 bucket is not currently supported. This feature is prioritized for an upcoming release.
Added
- feat(s3): added use of S3 as a configuration repository location
- feat(network): allow Route53 resolver endpoints and query logging to be defined in the VPC object.
- feat(control-tower): integrate lz management and lz baseline api
- feat(control-tower): integrate lz management and baseline api for external account deployment
- feat(control-tower): lz management api gov cloud support
- feat(control-tower): add global region into the Control Tower governed region list
- feat(logging): add cloudwatch log group data protection policy
- feat(securityhub): allow custom cloudwatch log group for events
Fixed
- fix(bootstrap): Failed to publish asset when cdkOptions.centralizeBuckets: true
- fix(control-tower): add validation to check incorrect landing zone version in global config
- fix(control-tower): new lza installation overrides existing control tower settings
- fix(organizations): unable to create ou with same name under different parent
- fix(organization): ou baseline operation should be skipped when Control Tower is not enabled
Changed
- chore: add commitlint to precommit hook
- chore: upgrade cdk to 2.148.0
- chore: bump cdk bootstrap to 20
- chore(documentation): update opt-in region requirement for Control Tower deployment
- chore(documentation): update merge request template to add unit test information
- chore(test): update all-enabled custom config rule lambda python version
v1.8.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Fixed
- fix(networking): Fix undefined condition for transitGatewayCidrBlocks property for Transit Gateway.
- bug(pipeline): Suppress mapping bucket results from build log
- fix(pipeline): "find: ‘./cdk.out’: No such file or directory" error in diff stage
- fix(config): update global config cdkoptions and control tower settings
- fix(security-hub): Fixed SecurityHub error "exceeds maximum number of members can be created in a single request"
v1.8.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Added
- feat(networking): Add transit gateway static CIDR blocks and Transit Gateway Connect attachments
- feat(autoScalingGroup): Add option to set maxInstanceLifetime property for AutoScalingGroups
- feat(securityHub): Allow SecurityHub to be enabled when AwsConfig is enabled with deploymentTargets option
- feat(customizations): Add option to set maxInstanceLifetime property for AutoScalingGroups by @insignias
Changed
- chore(github): added automated testing to GitHub repo for external PRs
- chore(networking): update function signatures for vpc resources in network vpc stack
Fixed
- fix(organizations): throttling on ListAccounts call
- fix(control-tower): The baseline 'AWSControlTowerBaseline' cannot be enabled on renamed OUs
- fix(control-tower): change organizations module execution condition
- fix(diff): "Unexpected end of JSON input" error, closes #497
- fix(configrule): Update config rule remediation validation when using KMSMasterKey replacement value
- fix(construct): LZA fails with AWS::Logs::LogGroup already exists, closes #471, #492, #494 by @richardkeit
New Contributors
- @insignias made their first contribution in this release
- @richardkeit made their first contribution in this release
v1.7.1
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Added
- feat(security-hub): enable cisv3 standard
Fixed
- fix(logging): CreateServiceLinkedRole fails with LogGroup already exists
- fix(organizations): Update number of retries when using SDKV3 retry strategy
- fix(replacements): add check for undefined accountName
v1.7.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
AWS Lambda runtime upgrade to Node.js 18
This version upgrades all of the AWS Lambda runtimes to Node.js 18, as the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Performing the upgrade to v1.7.0 should remediate any notifications about the upcoming deprecation. Note: Any AWS Config rules in the security-config.yaml are not automatically updated and will need to be manually validated against the sample configurations for updated configuration files.
AWS Control Tower Integration
Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available. For more information, please review the Documentation.
AWS Identity Center Resource Changes
As part of this release, AWS IAM Identity Center resources (permission sets and account assignments) will be moved from the Operations AWS CloudFormation stack to a new dedicated IdentityCenter CloudFormation stack. This stack will be launched after the Operations stack during deployment.
Impact:
- During the migration, there will be a short window where permission sets and account assignments are deleted and recreated in the new CloudFormation stack.
- To ensure continuous access during this process, please ensure you have at least one of the following:
  - A separate user/group in AWS IAM Identity Center with the necessary account assignments and permissions
  - AWS IAM users configured in the Management account with the necessary permissions to triage any issues.
Added
- feat(control-tower): integrate lz management api
- feat(control-tower): integrate lz baseline api
- feat(control-tower): add global region into the Control Tower governed region list
- feat(network): add IPv6 support for DHCP options sets
- feat(network): Provide static IPv6 support for VPC and Subnets
- feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
- feat(network): support vpc peering for vpcs created by vpcTemplates
- feat(network): add resolver config to vpc object
- feat(network): add tag property for interface endpoints
- feat(network): add route53 query logging and resolver endpoint handlers
- feat(logging): wildcards in dynamic partitioning
- feat(logging): add cloudwatch log group data protection policy
- feat(ssm): add targetType to documents
- feat(config): update to use json schema
- feat(replacements): add support for ACCOUNT_NAME in user data
- feat(pipeline): move assets to local directory
- feat(pipeline): validate accelerator version in build stage
- feat(regions): add ca-west-1 support
- feat(securityhub): add custom cloudwatch log group for security hub
- feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
- feat(config): added deploymentTargets for awsConfig
- feat(guardduty): added deploymentTargets for GuardDuty
Changed
- chore(lambda): upgrade to node18 runtime
- chore(sdkv3): remove references to aws-lambda
- chore(sdkv3): remove aws-lambda reference in batch enable standards
- chore(package): tree shake util import to reduce package size
- chore(docs): added docs for local zone subnet creation
Fixed
- fix(replacements): retrieve mgmt credentials during every config validation
- fix(replacements): throw error for undefined replacement
- fix(replacements): updated logic for ignored replacements
- fix(replacements): updated validation pattern
- fix(replacements): updated EmailAddress type to support replacement strings
- fix(route53): revert getHostedZoneNameForService changes
- fix(identity-center): address identity center resource metadata lookup resources
- fix(identity-center): added permission to create assignments for mgmt
- fix(identity-center): removed custom resource for SSM parameters
- fix(diagnostic-pack): assume role name prefix for external deployment
- fix(logging): refactored logging of Security Hub events
- fix(diff): customizations template lookup
- fix(diff): dependent stack lookup
- fix(diff): added error logging to detect file diff errors
- fix(applications): only lookup shared subnet ids for apps in shared vpcs
- fix(toolkit): fixed deployment behavior for non-customization stage
- fix(toolkit): change asset copy files to syn
- fix(toolkit): move asset processing into main
- fix(organizations): unable to create ou with same name under different parent
- fix(organizations): delete policies based on event
- fix(organizations): Resolve issue where policies are not being updated
- fix(pipeline): send UUID on exception of central logs bucket kms key
- fix(config): Update SSM automation document match string
- fix(config): validate regions in customizations
- fix(service-quotas): check existing limit before request
- fix(idc): explicitly set management account for CDK env
- fix(move-accounts): retry strategy and increase timeout
- fix(alb): Update target types to include lambda
- fix(validation): check for duplicate emails in accounts-config
- fix(validation): Update KMS key lookup validation in security-config
Configuration Changes
- chore(sample-config): remove breakglass user from the sample configurations
- chore(sample-config): add alerting for breakglass user account usage