v1.7.0
Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
AWS Lambda runtime upgrade to Node.js 18
This version upgrades all of the AWS Lambda runtime to Node.js 18 as the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Performing the upgrade to v1.7.0 should remediate any notifications for upcoming deprecation. Note: Any AWS Config rules in the security-config.yaml
are not automatically updated and will need to be manually validated against the sample configurations for updated configuration files.
AWS Control Tower Integration
Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, then the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available. For more information please review the Documentation
Added
- feat(control-tower): integrate lz management api
- feat(control-tower): integrate lz baseline api
- feat(control-tower): add global region into the Control Tower governed region list
- feat(network): add IPv6 support for DHCP options sets
- feat(network): Provide static IPv6 support for VPC and Subnets
- feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
- feat(network): support vpc peering for vpcs created by vpcTemplates
- feat(network): add resolver config to vpc object
- feat(network): add tag property for interface endpoints
- feat(network): add route53 query logging and resolver endpoint handlers
- feat(logging): wildcards in dynamic partitioning
- feat(logging): add cloudwatch log group data protection policy
- feat(ssm): add targetType to documents
- feat(config): update to use json schema
- feat(replacements): add support for ACCOUNT_NAME in user data
- feat(pipeline): move assets to local directory
- feat(pipeline): validate accelerator version in build stage
- feat(regions): add ca-west-1 support
- feat(securityhub): add custom cloudwatch log group for security hub
- feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
- feat(config): added deploymentTargets for awsConfig
- feat(guardduty): added deploymentTargets for GuardDuty
Changed
- chore(lambda): upgrade to node18 runtime
- chore(sdkv3): remove references to aws-lambda
- chore(sdkv3): remove aws-lambda reference in batch enable standards
- chore(package): tree shake util import to reduce package size
- chore(docs): added docs for local zone subnet creation
Fixed
- fix(replacements): retrieve mgmt credentials during every config validation
- fix(replacements): throw error for undefined replacement
- fix(replacements): updated logic for ignored replacements
- fix(replacements): updated validation pattern
- fix(replacements): updated EmailAddress type to support replacement strings
- fix(route53): revert getHostedZoneNameForService changes
- fix(identity-center): address identity center resource metadata lookup resources
- fix(identity-center): added permission to create assignments for mgmt
- fix(identity-center): removed custom resource for SSM parameters
- fix(diagnostic-pack): assume role name prefix for external deployment
- fix(logging): refactored logging of Security Hub events
- fix(diff): customizations template lookup
- fix(diff): dependent stack lookup
- fix(diff): added error logging to detect file diff errors
- fix(applications): only lookup shared subnet ids for apps in shared vpcs
- fix(toolkit): fixed deployment behavior for non-customization stage
- fix(toolkit): change asset copy files to syn
- fix(toolkit): move asset processing into main
- fix(organizations): unable to create ou with same name under different parent
- fix(organizations): delete policies based on event
- fix(organizations): Resolve issue where policies are not being updated
- fix(pipeline): send UUID on exception of central logs bucket kms key
- fix(config): Update SSM automation document match string
- fix(config): validate regions in customizations
- fix(service-quotas): check existing limit before request
- fix(idc): explicitly set management account for CDK env
- fix(move-accounts): retry strategy and increase timeout
- fix(alb): Update target types to include lambda
- fix(validation): check for duplicate emails in accounts-config
- fix(validation) Update KMS key lookup validation in security-config
Configuration Changes
- chore(sample-config): remove breakglass user from the sample configurations
- chore(sample-config): add alerting for breakglass user account usage