Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
The Landing Zone Accelerator on AWS is designed and tested to work with the latest versions of Service Control Policies (SCPs) from the LZA Universal Configuration and the LZA CCCS Medium Configuration. Please review the latest changes in these repositories to ensure your SCPs align with the latest changes.
New Features
Uninstaller Container Build Mode and OU-Ignore Filtering
The LZA uninstaller now supports a --container-build mode for environments deployed via the Fargate/ECS installer stack. In this mode, the uninstaller reads the accelerator prefix and qualifier directly from CLI parameters instead of discovering them from CodeBuild environment variables. Additional parameters include --config-path, --accelerator-prefix, --accelerator-qualifier, and --management-account-id for cross-account scenarios. The uninstaller now also respects OU-ignore filtering, skipping accounts in ignored organizational units during teardown.
Bug Fixes
EUSC Partition EBS Encryption Service-Linked Role
Added the aws-eusc partition to the list of partitions that require a service-linked role for EBS default encryption. Previously, deploying LZA in the EUSC partition would fail when attempting to enable EBS encryption because the partition was not recognized. Cloud9 policies are also correctly excluded in this partition.
Ignored OU Accounts Excluded from Bootstrap and Stack Deployment
Fixed an issue where accounts belonging to ignored organizational units were still included in bootstrap and stack deployment operations. The isIgnored() check in AcceleratorStack was logging the exclusion but not returning false, causing ignored accounts to pass through the filter. The accelerator now correctly filters out accounts in ignored OUs before generating deployment environments.
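The filter defect described above, modelled as an added example (not LZA project code): a logged-but-not-returned exclusion lets every account through, while the corrected callback drops accounts in ignored OUs before any deployment environment is built for them. The Account type, isIgnored and selectAccounts* names, and the OU-path prefix matching are assumptions for illustration.

```typescript
// Added example, not the accelerator's own code. Names are illustrative.
interface Account {
  name: string;
  ouPath: string; // e.g. "Root/Workloads/Prod"
}

// Assumption: ignored OUs are configured as path prefixes, so an account in a
// nested OU below an ignored OU is treated as ignored as well.
function isIgnored(account: Account, ignoredOus: string[]): boolean {
  return ignoredOus.some(
    (ou) => account.ouPath === ou || account.ouPath.startsWith(ou + '/'),
  );
}

// Before the fix: the exclusion is logged, but the callback falls through to
// `return true`, so ignored accounts are still kept for bootstrap and deployment.
function selectAccountsBuggy(accounts: Account[], ignoredOus: string[]): Account[] {
  return accounts.filter((account) => {
    if (isIgnored(account, ignoredOus)) {
      console.log(`Skipping ${account.name}: OU ${account.ouPath} is ignored`);
      // missing `return false` here
    }
    return true;
  });
}

// After the fix: the ignored branch returns false, so the account is removed
// from the set used to generate deployment environments.
function selectAccountsFixed(accounts: Account[], ignoredOus: string[]): Account[] {
  return accounts.filter((account) => {
    if (isIgnored(account, ignoredOus)) {
      console.log(`Skipping ${account.name}: OU ${account.ouPath} is ignored`);
      return false;
    }
    return true;
  });
}

// Constructed sample inventory for a stand-alone run.
const sampleAccounts: Account[] = [
  { name: 'Management', ouPath: 'Root' },
  { name: 'LogArchive', ouPath: 'Root/Security' },
  { name: 'Legacy-App', ouPath: 'Root/Unmanaged' },
  { name: 'Legacy-Data', ouPath: 'Root/Unmanaged/Data' },
];
const ignoredOus = ['Root/Unmanaged'];

console.log(selectAccountsBuggy(sampleAccounts, ignoredOus).map((a) => a.name)); // all four names
console.log(selectAccountsFixed(sampleAccounts, ignoredOus).map((a) => a.name)); // ["Management","LogArchive"]
```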
SSM Cross-Account Parameter Overwrite
Simplified the cross-account SSM parameter custom resource handler by using PutParameter with Overwrite: true and tags inline, replacing the previous approach of managing tags separately via AddTagsToResource and RemoveTagsFromResource. This also preserves the existing PhysicalResourceId on updates, preventing CloudFormation from interpreting a changed ID as a resource replacement, which previously triggered spurious delete events that removed shared SSM parameters.
V2 Stack Security Group-to-Security Group References
Fixed an issue where security group ingress and egress rules referencing other security groups were not created in v2 network stacks. The prepareSecurityGroupRuleProps function required an lzaLookup parameter to process security group sources, but this parameter was not available in the NetworkAssociationsStack context. The fix makes lzaLookup optional, allowing security group-to-security group rules to be created unconditionally when the lookup is not present.
Changes
AWS SDK and CDK Version Bump
Updated AWS SDK to v3.1018.0, AWS CDK to v2.246.0, and constructs to v10.5.0, along with associated tooling and package updates across all packages.
Dependency Vulnerability Remediation
Resolved HIGH and CRITICAL severity vulnerabilities in dependencies, including updates to proxy-agent, follow-redirects, axios, and basic-ftp. Yarn resolutions were added to the root package.json and @aws-lza package to ensure consistent pinning of patched versions throughout the dependency tree.
Additional Resources
For full details, please see the CHANGELOG.