Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
The Landing Zone Accelerator on AWS is designed and tested to work with the latest versions of Service Control Policies (SCPs) from the LZA Universal Configuration and the LZA CCCS Medium Configuration. Please review the latest changes in these repositories to ensure your SCPs align with the latest changes.
New Features
Container deployment
- Regional Flexibility: Enables deployment in AWS regions that do not support CodeBuild and CodePipeline, providing a deployment path that does not depend on the Code* services
- Improved Performance: Optimized deployment process for faster infrastructure provisioning
To get started, see README.md
Security Hub Automation Rules
LZA now includes support for Security Hub automation rules, enabling automated response and remediation workflows:
- Add and remove Security Hub automation rules through your security configuration
- Configure automation rules across all enabled Security Hub regions
- Streamline security operations with automated response to security findings
Transit Gateway Enhancements
Landing Zone Accelerator now includes enhanced Transit Gateway capabilities:
- Multicast Support: Enable multicast functionality for one-to-many or many-to-many network communication patterns, useful for media streaming, financial data distribution, gaming applications, and IoT deployments
- Flow Logs: Added support for Transit Gateway flow logs to capture information about IP traffic going to and from network interfaces in your Transit Gateway
Important: Enabling multicast on an existing Transit Gateway will cause the TGW to be recreated, which may disrupt TGW attachments, route tables, VPN connections, Direct Connect associations, and peering attachments. The LZA team highly recommends utilizing stack policies to protect critical CloudFormation resources.
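The stack policy recommended above uses the standard CloudFormation stack policy format, not an LZA configuration file. The following is an added illustration (not code from the LZA project) of a policy that allows all updates except replacement or deletion of Transit Gateway resources and their attachments; the resource types are real CloudFormation types, while the stack it applies to and the logical resource IDs in your deployment are assumptions you must check against your own templates.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ResourceType": [
            "AWS::EC2::TransitGateway",
            "AWS::EC2::TransitGatewayAttachment",
            "AWS::EC2::TransitGatewayRouteTable",
            "AWS::EC2::TransitGatewayPeeringAttachment",
            "AWS::EC2::VPNConnection"
          ]
        }
      }
    }
  ]
}
```

The policy is attached with `aws cloudformation set-stack-policy --stack-name <network-stack-name> --stack-policy-body file://stack-policy.json` (the stack name is a placeholder). With it in place, a change set that would recreate the Transit Gateway fails at update time instead of tearing down attachments, so the multicast change can be planned deliberately; CloudFormation also records the denied update in the stack events, which is a useful signal to review before approving a pipeline stage.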
GuardDuty S3 Malware Protection
LZA now supports Amazon GuardDuty S3 Malware Protection, enabling automated malware scanning for objects uploaded to S3 buckets:
- Detect malicious files before they impact your environment
- Configure S3 Malware Protection through your security configuration file
- Enhance security posture with automated threat detection
AWS Network Firewall Managed Rule Groups
The LZA now supports AWS Managed Rule Groups for AWS Network Firewall:
- Leverage pre-configured rule sets maintained by AWS
- Simplify network security management with ready-to-use protection
- Automatically deploy and manage AWS-provided rule sets through your network configuration
Changes
CodeStar Notifications Removal
CodeStar notification functionality has been removed from the solution. Organizations requiring deployment notifications should implement alternative notification mechanisms.
Node.js Runtime Update
The solution runtime has been upgraded to Node.js 22, providing improved performance, security updates, and access to the latest JavaScript features.
Additional Resources
For full details, please see the CHANGELOG.