
v1.7.0

@johnraws released this 31 May 20:02

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

AWS Lambda runtime upgrade to Node.js 18

This version upgrades all AWS Lambda runtimes used by the solution to Node.js 18, because the Node.js 16 runtime for AWS Lambda is scheduled for deprecation in 2024. Upgrading to v1.7.0 should remediate any notifications about the upcoming deprecation. Note: AWS Config rules defined in security-config.yaml are not updated automatically; validate them manually against the updated sample configuration files.

AWS Control Tower Integration

Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone, and you can continue to maintain that Landing Zone through the solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, the Landing Zone Accelerator solution deploys the AWS Control Tower Landing Zone at the most recent version available. For more information, please review the Documentation.

AWS Identity Center Resource Changes

As part of this release, AWS IAM Identity Center resources (permission sets and account assignments) will be moved from the Operations AWS CloudFormation stack to a new dedicated IdentityCenter CloudFormation stack. This stack will be launched after the Operations stack during deployment.

Impact:

  • During the migration, there will be a short window where permission sets and account assignments are deleted and recreated in the new CloudFormation stack.
  • To ensure continuous access during this process, please ensure you have at least one of the following:
    1. A separate user/group in AWS IAM Identity Center with necessary account assignments and permissions
    2. AWS IAM users configured in the Management account with the necessary permissions to triage any issues.
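A pre-upgrade check for the first option above, added here as an example (it is not part of the Landing Zone Accelerator project): it lists the account assignments currently present on the management account and reports those whose principal is not accelerator-managed, i.e. access that survives the delete/recreate window. It assumes the caller supplies the accelerator-managed principal names (for instance copied from iam-config.yaml); the account id and names used in the usage line are placeholders.

```python
"""Pre-upgrade check for the Identity Center stack migration described above
(added example, not part of the Landing Zone Accelerator project). It lists the
account assignments currently on the management account and reports those whose
principal is NOT accelerator-managed, i.e. access that survives the delete/recreate
window. The managed principal names are supplied by the caller (e.g. copied from
iam-config.yaml); the account id and names in the demo are placeholders."""
from __future__ import annotations
import sys


def independent_assignments(live: list[dict], managed: set[str]) -> list[dict]:
    """Return the assignments whose principal name is not accelerator-managed."""
    return [a for a in live if a["principal_name"] not in managed]


def fetch_live_assignments(account_id: str) -> list[dict]:
    """Resolve every assignment on account_id to principal name/type and permission
    set name. Needs credentials with sso-admin and identitystore read access."""
    import boto3  # imported lazily so the pure check above runs without AWS access
    sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    inst = sso.list_instances()["Instances"][0]
    arn, store = inst["InstanceArn"], inst["IdentityStoreId"]
    found = []
    for ps_page in sso.get_paginator("list_permission_sets").paginate(InstanceArn=arn):
        for ps_arn in ps_page["PermissionSets"]:
            ps_name = sso.describe_permission_set(
                InstanceArn=arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
            pages = sso.get_paginator("list_account_assignments").paginate(
                InstanceArn=arn, AccountId=account_id, PermissionSetArn=ps_arn)
            for a in (x for page in pages for x in page["AccountAssignments"]):
                if a["PrincipalType"] == "USER":
                    name = ids.describe_user(
                        IdentityStoreId=store, UserId=a["PrincipalId"])["UserName"]
                else:
                    name = ids.describe_group(
                        IdentityStoreId=store, GroupId=a["PrincipalId"])["DisplayName"]
                found.append({"principal_name": name, "principal_type": a["PrincipalType"],
                              "permission_set": ps_name})
    return found


if __name__ == "__main__":
    # usage: python check_idc.py <management-account-id> <managed-principal-name> ...
    account, managed = sys.argv[1], set(sys.argv[2:])
    survivors = independent_assignments(fetch_live_assignments(account), managed)
    for s in survivors:
        print(f"{s['principal_type']} {s['principal_name']} -> {s['permission_set']}")
    sys.exit(0 if survivors else 1)  # 1 means no access outside the accelerator stack
```

Run it against the management account before starting the v1.7.0 deployment; a non-zero exit means every assignment on that account is one the migration will delete and recreate.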

Added

  • feat(control-tower): integrate lz management api
  • feat(control-tower): integrate lz baseline api
  • feat(control-tower): add global region into the Control Tower governed region list
  • feat(network): add IPv6 support for DHCP options sets
  • feat(network): Provide static IPv6 support for VPC and Subnets
  • feat(network): extend IPv6 support to VPC peering, ENI, and TGW static routes
  • feat(network): support vpc peering for vpcs created by vpcTemplates
  • feat(network): add resolver config to vpc object
  • feat(network): add tag property for interface endpoints
  • feat(network): add route53 query logging and resolver endpoint handlers
  • feat(logging): wildcards in dynamic partitioning
  • feat(logging): add cloudwatch log group data protection policy
  • feat(ssm): add targetType to documents
  • feat(config): update to use json schema
  • feat(replacements): add support for ACCOUNT_NAME in user data
  • feat(pipeline): move assets to local directory
  • feat(pipeline): validate accelerator version in build stage
  • feat(regions): add ca-west-1 support
  • feat(securityhub): add custom cloudwatch log group for security hub
  • feat(iam): allow IAM Principal Arn as well as externalId for trust policy with IAM Roles
  • feat(config): added deploymentTargets for awsConfig
  • feat(guardduty): added deploymentTargets for GuardDuty

Changed

  • chore(lambda): upgrade to node18 runtime
  • chore(sdkv3): remove references to aws-lambda
  • chore(sdkv3): remove aws-lambda reference in batch enable standards
  • chore(package): tree shake util import to reduce package size
  • chore(docs): added docs for local zone subnet creation

Fixed

  • fix(replacements): retrieve mgmt credentials during every config validation
  • fix(replacements): throw error for undefined replacement
  • fix(replacements): updated logic for ignored replacements
  • fix(replacements): updated validation pattern
  • fix(replacements): updated EmailAddress type to support replacement strings
  • fix(route53): revert getHostedZoneNameForService changes
  • fix(identity-center): address identity center resource metadata lookup resources
  • fix(identity-center): added permission to create assignments for mgmt
  • fix(identity-center): removed custom resource for SSM parameters
  • fix(diagnostic-pack): assume role name prefix for external deployment
  • fix(logging): refactored logging of Security Hub events
  • fix(diff): customizations template lookup
  • fix(diff): dependent stack lookup
  • fix(diff): added error logging to detect file diff errors
  • fix(applications): only lookup shared subnet ids for apps in shared vpcs
  • fix(toolkit): fixed deployment behavior for non-customization stage
  • fix(toolkit): change asset copy files to syn
  • fix(toolkit): move asset processing into main
  • fix(organizations): unable to create ou with same name under different parent
  • fix(organizations): delete policies based on event
  • fix(organizations): Resolve issue where policies are not being updated
  • fix(pipeline): send UUID on exception of central logs bucket kms key
  • fix(config): Update SSM automation document match string
  • fix(config): validate regions in customizations
  • fix(service-quotas): check existing limit before request
  • fix(idc): explicitly set management account for CDK env
  • fix(move-accounts): retry strategy and increase timeout
  • fix(alb): Update target types to include lambda
  • fix(validation): check for duplicate emails in accounts-config
  • fix(validation): Update KMS key lookup validation in security-config

Configuration Changes

  • chore(sample-config): remove breakglass user from the sample configurations
  • chore(sample-config): add alerting for breakglass user account usage