github awslabs/landing-zone-accelerator-on-aws v1.14.2

8 hours ago

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

New Features

Enhanced Transit Gateway Attachment Processing

The LZA now includes batch lookup functionality for Transit Gateway attachment IDs in the Network Associations stack, replacing individual attachment lookup custom resources with optimized batched operations that can handle up to 90 attachments per custom resource. This change will allow for more CloudFormation resources to be deployed in the Network Associations stack.

During the upgrade process, customers will observe the deletion of existing Custom::GetTransitGatewayAttachment custom resources. This is expected behavior as the solution transitions from individual lookup resources to the new batched implementation. No configuration file changes are required, as this optimization occurs automatically during the deployment process.

The LZA team highly recommends utilizing stack policies to protect critical CloudFormation resources deployed by the LZA.

Enhanced TypeDoc Documentation

This release includes comprehensive improvements to TypeDoc documentation. The documentation has been enriched with further detail and reorganized to highlight the 8 top-level interfaces that align with files in the LZA configuration repository. These changes are designed to make it easier for users to identify existing features supported by the LZA.

Bug Fixes

AWS Control Tower Integration

This fix prevents deployment failures when certain Control Tower Landing Zone configuration properties are not explicitly defined, providing more robust handling of Control Tower operations.

Prerequisites Account Management

LZA now properly handles suspended accounts within ignored Organizational Units during the prerequisites phase. Previously, the solution would attempt to process suspended accounts, leading to deployment failures. The updated logic correctly identifies and skips these accounts.

Session Manager Logging

We've resolved permissions issues affecting Session Manager log group creation and management. The fix ensures that proper IAM permissions are applied to Session Manager log groups, allowing for consistent logging functionality across all managed accounts.

ASEA Transit Gateway Route Handling

ASEA handlers now include improved error handling for Transit Gateway route lookups.

Container Module Deployment

Fixed an issue where the accelerator stage was not properly added during the prepare stage for modules in container deployments. This resolution ensures that all necessary deployment stages are executed in the correct sequence, preventing module deployment failures.

Documentation Links

Corrected broken links throughout the user guide documentation, ensuring that all references point to the correct resources and improving the overall user experience when navigating the documentation.

GuardDuty Detector Features

We have resolved an issue that resulted in newly provisioned AWS accounts having only a subset of features such as S3 Protection and EKS Protection enabled on their GuardDuty detector. To ensure new accounts are automatically registered with GuardDuty, set the autoEnableOrgMembers property to true.
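
A post-upgrade check for the condition described above, as an added example that is not part of the LZA code base: it compares each member account's GuardDuty detector features against a baseline detector and reports what is missing. Using one fully configured detector as the baseline is an assumption, and the account IDs and detector data are constructed; in practice each dictionary would come from a GuardDuty GetDetector call.

```python
# Added example, not LZA code. Detector dicts mirror the GuardDuty GetDetector
# response shape ("Status", "Features"); all sample data below is constructed.

def enabled_features(detector):
    """Enabled feature names; additional configuration as 'FEATURE/EXTRA'."""
    if detector.get("Status") != "ENABLED":
        return set()  # a disabled detector contributes no enabled features
    enabled = set()
    for feature in detector.get("Features", []):
        if feature.get("Status") != "ENABLED":
            continue
        enabled.add(feature["Name"])
        for extra in feature.get("AdditionalConfiguration", []):
            if extra.get("Status") == "ENABLED":
                enabled.add(f"{feature['Name']}/{extra['Name']}")
    return enabled


def feature_drift(baseline, members):
    """Map account id -> features enabled in the baseline but not in the member."""
    expected = enabled_features(baseline)
    drift = {}
    for account_id, detector in members.items():
        missing = expected - enabled_features(detector)
        if missing:
            drift[account_id] = sorted(missing)
    return drift


def _feature(name, status="ENABLED", extras=()):
    # Hypothetical helper that builds one constructed "Features" entry.
    return {"Name": name, "Status": status,
            "AdditionalConfiguration": [{"Name": e, "Status": "ENABLED"} for e in extras]}

BASELINE = {"Status": "ENABLED", "Features": [
    _feature("S3_DATA_EVENTS"), _feature("EKS_AUDIT_LOGS"),
    _feature("RUNTIME_MONITORING", extras=["EKS_ADDON_MANAGEMENT"])]}

MEMBERS = {
    "111111111111": BASELINE,  # existing account with the full feature set
    "222222222222": {"Status": "ENABLED", "Features": [  # newly provisioned account
        _feature("S3_DATA_EVENTS"), _feature("EKS_AUDIT_LOGS", status="DISABLED")]},
}

if __name__ == "__main__":
    for account, missing in feature_drift(BASELINE, MEMBERS).items():
        print(account, "missing:", ", ".join(missing))
```
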

Additional Resources

For full details, please see the CHANGELOG.
