github awslabs/landing-zone-accelerator-on-aws v1.15.1

7 hours ago

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

The Landing Zone Accelerator on AWS is designed and tested to work with the latest versions of Service Control Policies (SCPs) from the LZA Universal Configuration and the LZA CCCS Medium Configuration. Please review the latest changes in these repositories to ensure your SCPs align with them.

New Features

IAM Role maxSessionDuration Support

LZA now supports configuring maxSessionDuration on IAM roles defined in roleSets.roles[] within your IAM configuration:

  • Set the maximum session duration (in seconds) when assuming a role, with valid values from 3600 (1 hour) to 43200 (12 hours)
  • If not specified, AWS defaults to 3600 seconds
  • Configured through the iam-config.yaml file
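As an added example (not LZA project code, and separate from LZA's own validate-config), the check below walks a config object shaped like `iam-config.yaml` and flags `maxSessionDuration` values that AWS would reject (outside 3600..43200 seconds) or that exceed a local review threshold, since a longer session keeps a leaked session token usable for longer. The config object is constructed inline to mirror the YAML layout; field names other than `maxSessionDuration` follow the `roleSets.roles[]` structure as an assumption, and in practice you would parse the real file with a YAML library into this shape.

```typescript
// Added example, not LZA project code: pre-check maxSessionDuration on
// roleSets.roles[] before handing iam-config.yaml to the pipeline.
// The config object below is constructed to mirror the YAML shape.

interface IamRole {
  name: string;
  assumedBy: { type: string; principal: string }[];
  policies?: { awsManaged?: string[]; customerManaged?: string[] };
  maxSessionDuration?: number; // seconds; valid range 3600..43200
}

interface RoleSet {
  deploymentTargets: { organizationalUnits?: string[]; accounts?: string[] };
  roles: IamRole[];
}

interface IamConfig {
  roleSets: RoleSet[];
}

interface Finding {
  severity: "error" | "warning";
  role: string;
  message: string;
}

const MIN_SESSION_SECONDS = 3600;  // 1 hour: the AWS minimum and the default
const MAX_SESSION_SECONDS = 43200; // 12 hours: the AWS maximum

/** Session length that will actually apply: the explicit value, else the AWS default. */
function effectiveSessionDuration(role: IamRole): number {
  return role.maxSessionDuration ?? MIN_SESSION_SECONDS;
}

/**
 * Validate every role's maxSessionDuration. Non-integer or out-of-range values
 * are errors (AWS rejects them); in-range values above warnAboveSeconds are
 * warnings, so that long sessions on privileged roles get a deliberate review.
 */
function validateSessionDurations(config: IamConfig, warnAboveSeconds = 4 * 3600): Finding[] {
  const findings: Finding[] = [];
  for (const set of config.roleSets) {
    for (const role of set.roles) {
      const d = role.maxSessionDuration;
      if (d === undefined) continue; // AWS default of 3600 seconds applies
      if (!Number.isInteger(d) || d < MIN_SESSION_SECONDS || d > MAX_SESSION_SECONDS) {
        findings.push({
          severity: "error",
          role: role.name,
          message: `maxSessionDuration ${d} is outside ${MIN_SESSION_SECONDS}..${MAX_SESSION_SECONDS} seconds`,
        });
      } else if (d > warnAboveSeconds) {
        findings.push({
          severity: "warning",
          role: role.name,
          message: `maxSessionDuration ${d} exceeds the ${warnAboveSeconds}-second review threshold`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample config: one role per case (names and principals are made up).
const sampleConfig: IamConfig = {
  roleSets: [
    {
      deploymentTargets: { organizationalUnits: ["Root"] },
      roles: [
        { name: "Sample-SSM-Instance-Role", assumedBy: [{ type: "service", principal: "ec2.amazonaws.com" }],
          policies: { awsManaged: ["AmazonSSMManagedInstanceCore"] } },      // unspecified: 3600 applies
        { name: "Sample-ReadOnly-Role", assumedBy: [{ type: "account", principal: "Audit" }],
          maxSessionDuration: 7200 },                                       // valid, under the threshold
        { name: "Sample-BreakGlass-Role", assumedBy: [{ type: "account", principal: "Management" }],
          maxSessionDuration: 43200 },                                      // valid, but 12 h: warning
        { name: "Sample-Typo-Role", assumedBy: [{ type: "account", principal: "Audit" }],
          maxSessionDuration: 86400 },                                      // 24 h: AWS rejects it
      ],
    },
  ],
};

for (const f of validateSessionDurations(sampleConfig)) {
  console.log(`${f.severity.toUpperCase()} ${f.role}: ${f.message}`);
}
```

Run it as a pre-commit or pipeline step ahead of LZA's validate-config; the warning threshold is a local policy choice (4 hours here), while the error bounds are the AWS limits stated above.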

Bug Fixes

ASEA Transit Gateway Route Propagation Race Condition

Fixed a race condition in ASEA environments where Transit Gateway route propagation would fail when adding a new VPC. The fix ensures proper sequencing of SSM parameter lookups and route propagation when sharing multiple subnets from the same VPC with v2 stacks.

Control Tower Security OU Exclusion Logic

Fixed an issue where the Control Tower OU registration exclusion logic was incorrectly using the Log Archive account's organizational unit instead of the Audit account's organizational unit to determine the Security OU. This resolves #1008.

SSM Parameter Overwrite

Restored the overwrite flag when putting SSM parameters, which was inadvertently removed. This ensures SSM parameter updates are applied correctly during deployments.

Cross-Account NLB Targets

Fixed an issue where Network Load Balancer target group registration failed for targets in cross-account VPCs; NLB targets in cross-account VPCs can now be configured correctly in the network configuration.

Module Credential Session Timeout

Resolved a session timeout issue in the modules framework by switching from static assumed-role credentials to a credential provider (fromTemporaryCredentials). This ensures credentials are automatically refreshed during long-running module executions, preventing failures caused by expired sessions.
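The following is an added example, not LZA project code, that models the failure the fix addresses: a module that holds one static assumed-role credential object fails once the session expires, while a provider that re-assumes the role near expiry keeps going. `StsStub` and `FakeClock` are constructed stand-ins for STS AssumeRole and wall-clock time, not AWS SDK code; in real code the refresh is done by `fromTemporaryCredentials` from `@aws-sdk/credential-providers`, which is what the fix switched to.

```typescript
// Added example, not LZA project code: static credentials versus a refreshing
// credential provider over a simulated long-running module execution.
// StsStub and FakeClock are constructed stand-ins, not AWS SDK code.

interface TemporaryCredentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken: string;
  expiration: Date;
}

/** A provider is asked for credentials before every API call. */
type CredentialProvider = (now: Date) => TemporaryCredentials;

class FakeClock {
  now: Date;
  constructor(start: Date = new Date("2025-01-01T00:00:00Z")) {
    this.now = start;
  }
  advance(ms: number): void {
    this.now = new Date(this.now.getTime() + ms);
  }
}

/** Stand-in for sts:AssumeRole; counts how many role sessions were minted. */
class StsStub {
  calls = 0;
  assumeRole(now: Date, durationSeconds: number): TemporaryCredentials {
    this.calls += 1;
    return {
      accessKeyId: `STUB-KEY-${this.calls}`, // constructed, not a real key id
      secretAccessKey: "stub-secret",
      sessionToken: `stub-token-${this.calls}`,
      expiration: new Date(now.getTime() + durationSeconds * 1000),
    };
  }
}

/** The old approach: assume once and hand the same object to every call. */
function staticCredentials(creds: TemporaryCredentials): CredentialProvider {
  return () => creds;
}

/** The provider approach: re-assume when the cached session is within refreshWindowMs of expiry. */
function refreshingCredentials(sts: StsStub, durationSeconds: number, refreshWindowMs = 5 * 60_000): CredentialProvider {
  let cached: TemporaryCredentials | undefined;
  return (now) => {
    if (!cached || cached.expiration.getTime() - now.getTime() <= refreshWindowMs) {
      cached = sts.assumeRole(now, durationSeconds);
    }
    return cached;
  };
}

/** Simulate a long-running module: `calls` API calls spaced intervalMs apart. */
function runModule(provider: CredentialProvider, clock: FakeClock, calls: number, intervalMs: number): { completed: number; expiredAt: number | null } {
  for (let i = 0; i < calls; i++) {
    const creds = provider(clock.now);
    if (creds.expiration.getTime() <= clock.now.getTime()) {
      return { completed: i, expiredAt: i }; // STS/the service would reject the expired token here
    }
    clock.advance(intervalMs);
  }
  return { completed: calls, expiredAt: null };
}

/** Constructed scenario: 1-hour role sessions, 10 API calls 10 minutes apart (100 minutes). */
function compareProviders() {
  const sessionSeconds = 3600;
  const calls = 10;
  const intervalMs = 10 * 60_000;

  const staticClock = new FakeClock();
  const staticSts = new StsStub();
  const staticRun = runModule(staticCredentials(staticSts.assumeRole(staticClock.now, sessionSeconds)), staticClock, calls, intervalMs);

  const refreshClock = new FakeClock();
  const refreshSts = new StsStub();
  const refreshingRun = runModule(refreshingCredentials(refreshSts, sessionSeconds), refreshClock, calls, intervalMs);

  return { staticRun, refreshingRun, assumeRoleCalls: refreshSts.calls };
}

const result = compareProviders();
console.log("static:", result.staticRun, "refreshing:", result.refreshingRun, "assumeRole calls:", result.assumeRoleCalls);
```

With a 1-hour session the static run fails on the seventh call (at the 60-minute mark), while the refreshing provider re-assumes the role once and completes all ten calls. The refresh window matters: refreshing only after expiry would still fail the call that observed the expired token.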

Container Deployment Fixes

  • Fixed the default imageUri in the container installer to include the v prefix in the version tag
  • Removed the VpcCidr parameter from the container installer stack, simplifying the deployment configuration

Partition-Specific Overrides

  • Added Kinesis Data Firehose delivery stream overrides for the ISO-F partition
  • Fixed organization trail enablement in the ISO-B partition by removing an incorrect override

Changes

Dependency Vulnerability Remediation

Resolved HIGH and CRITICAL severity vulnerabilities in development dependencies, including updates to @aws-cdk/asset-awscli-v1, handlebars, flatted, and picomatch.

Documentation Updates

Added validate-config instructions for external pipeline deployments to the developer guide scripts documentation.

Additional Resources

For full details, please see the CHANGELOG.
