github awslabs/landing-zone-accelerator-on-aws v1.15.3

9 hours ago

Important

We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.

The Landing Zone Accelerator on AWS is designed and tested to work with the latest versions of Service Control Policies (SCPs) from the LZA Universal Configuration and the LZA CCCS Medium Configuration. Please review the latest changes in these repositories to ensure your SCPs align with the latest changes.

Bug Fixes

ASEA Cross-Account Transit Gateway Propagation Regression

Fixed a regression introduced in v1.15.1 where Transit Gateway route table associations and propagations were incorrectly deleted during upgrades in ASEA environments. The root cause was an early-return on isManagedByAseaGlobal(TRANSIT_GATEWAY_ATTACHMENT) that skipped all association and propagation processing for ASEA-managed attachments, including LZA-owned route table entries. The fix removes the early-return and relies on the existing per-item isManagedByAsea checks to correctly skip only ASEA-owned resources while preserving LZA-created ones.
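The following is an added illustration of the bug pattern described above, written for this page and not taken from the LZA code base. The types, sample entries and function names are hypothetical stand-ins for LZA's isManagedByAseaGlobal and isManagedByAsea; the mechanism it models is that in CDK any resource no longer present in the synthesized stack is deleted by CloudFormation on the next deploy, so "skipping processing" of an LZA-owned entry is equivalent to deleting it.

```typescript
// Added example (not LZA code): a global "managed by ASEA" early-return
// versus per-item ownership checks over Transit Gateway route table entries.

type Owner = "ASEA" | "LZA";

interface RouteTableEntry {
  routeTableId: string;
  attachmentId: string;
  kind: "association" | "propagation";
  owner: Owner; // who created this entry (hypothetical field)
}

// Constructed sample: one ASEA-owned entry and two LZA-owned entries that
// reference the same ASEA-managed attachment.
const sampleEntries: RouteTableEntry[] = [
  { routeTableId: "tgw-rtb-asea-core", attachmentId: "tgw-attach-asea-1", kind: "association", owner: "ASEA" },
  { routeTableId: "tgw-rtb-lza-shared", attachmentId: "tgw-attach-asea-1", kind: "propagation", owner: "LZA" },
  { routeTableId: "tgw-rtb-lza-shared", attachmentId: "tgw-attach-lza-2", kind: "association", owner: "LZA" },
];

// Per-item ownership check (stands in for LZA's isManagedByAsea).
function isManagedByAsea(entry: RouteTableEntry): boolean {
  return entry.owner === "ASEA";
}

// Global check (stands in for isManagedByAseaGlobal(TRANSIT_GATEWAY_ATTACHMENT)):
// true as soon as any attachment in scope is ASEA-managed.
function isManagedByAseaGlobal(entries: RouteTableEntry[]): boolean {
  return entries.some(isManagedByAsea);
}

// v1.15.1-style behaviour: an early return skips all association and
// propagation processing. The returned list is what stays in the stack;
// anything omitted is removed by CloudFormation during the upgrade.
function selectEntriesBuggy(entries: RouteTableEntry[]): RouteTableEntry[] {
  if (isManagedByAseaGlobal(entries)) {
    return []; // drops LZA-owned entries along with ASEA-owned ones
  }
  return entries;
}

// v1.15.3-style behaviour: rely on the per-item check, so only ASEA-owned
// entries are skipped and LZA-created ones are preserved.
function selectEntriesFixed(entries: RouteTableEntry[]): RouteTableEntry[] {
  return entries.filter((entry) => !isManagedByAsea(entry));
}

// Entries the buggy version would have deleted on upgrade but the fixed
// version keeps: exactly the LZA-owned route table entries.
function lostOnUpgrade(entries: RouteTableEntry[]): RouteTableEntry[] {
  const kept = new Set(selectEntriesBuggy(entries));
  return selectEntriesFixed(entries).filter((entry) => !kept.has(entry));
}
```

A quick way to use this as a regression check in a unit test is to assert that `lostOnUpgrade` is empty for the fixed selector and non-empty for the buggy one on any fixture that mixes ASEA- and LZA-owned entries.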

AWS SDK Update and XML Parser Resolution

Updated all @aws-sdk packages from 3.1018.0 to 3.1041.0 and removed the fast-xml-parser yarn resolution that was causing EntityReplacer errors during CDK synthesis in CodeBuild environments. The resolution previously forced fast-xml-parser 5.7.1, which introduced a breaking change in entity name validation. Removing it allows the SDK to use its naturally resolved parser version.

CloudWatch Log Event KMS Permissions

Added kms:DescribeKey to the IAM policy for the CloudWatch log event subscription Lambda function. Without this permission, the function could fail when interacting with KMS-encrypted log groups.

IAM Full ARN Support for AWS Managed Policies

Fixed an issue where specifying AWS managed policies using full ARN format (e.g., arn:aws:iam::aws:policy/ReadOnlyAccess) in iam-config.yaml role and group definitions would fail. LZA now detects ARN-format entries and uses fromManagedPolicyArn instead of fromAwsManagedPolicyName, supporting both short names and full ARNs.
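As an added example (not LZA's implementation), the function below shows one way to make the distinction the fix describes: classify each managed-policy reference from a role or group definition as either a short AWS managed policy name or a full managed policy ARN, and record which aws-cdk-lib factory applies. The CDK factory names ManagedPolicy.fromAwsManagedPolicyName and ManagedPolicy.fromManagedPolicyArn are real, but they are only named as strings here so the block runs without aws-cdk-lib installed; the ARN pattern and the resolve helper are assumptions made for this example.

```typescript
// Added example (not LZA code): route a managed-policy reference to the
// matching CDK factory based on whether it is a short name or a full ARN.

type PolicyRef =
  | { kind: "awsManagedName"; name: string; factory: "ManagedPolicy.fromAwsManagedPolicyName" }
  | { kind: "managedArn"; arn: string; factory: "ManagedPolicy.fromManagedPolicyArn" };

// Shape of a managed policy ARN in any partition:
//   arn:<partition>:iam::<aws | 12-digit account>:policy/<optional path/><name>
// The account field is "aws" for AWS managed policies and an account id for
// customer managed ones; fromManagedPolicyArn accepts either.
const MANAGED_POLICY_ARN = /^arn:[a-z][a-z-]*:iam::(aws|\d{12}):policy\/[\w+=,.@/-]+$/;

function classifyPolicy(entry: string): PolicyRef {
  const value = entry.trim();
  if (value.startsWith("arn:")) {
    // Anything that starts with "arn:" must be a well-formed managed policy
    // ARN; a malformed one is a configuration error, not a policy name.
    if (!MANAGED_POLICY_ARN.test(value)) {
      throw new Error(`not a managed policy ARN: ${value}`);
    }
    return { kind: "managedArn", arn: value, factory: "ManagedPolicy.fromManagedPolicyArn" };
  }
  // Short names may include a path prefix such as "service-role/".
  return { kind: "awsManagedName", name: value, factory: "ManagedPolicy.fromAwsManagedPolicyName" };
}

// Resolve a whole policies list as it might appear under a role or group
// definition, keeping the original order so IAM attachments are deterministic.
function resolveManagedPolicies(entries: string[]): PolicyRef[] {
  return entries.map(classifyPolicy);
}

// Constructed sample mirroring a mixed short-name / full-ARN policies list.
const samplePolicies = [
  "ReadOnlyAccess",
  "arn:aws:iam::aws:policy/ReadOnlyAccess",
  "service-role/AWSLambdaBasicExecutionRole",
  "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
];
```

The design point is that the branch is taken on the `arn:` prefix rather than on a lookup of known policy names, so the same code handles commercial, GovCloud and ISO partitions without a per-partition table, while a value that looks like an ARN but is not an IAM policy ARN fails fast instead of being passed to the wrong factory.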

Identity Center Delegated Admin Guard

Fixed an error that occurred when Identity Center was not configured but the Organizations stack attempted to set up a delegated admin account. LZA now skips Identity Center delegated admin setup when identityCenter is not present in the IAM configuration.

GitHub Pipeline CodeConnections Permissions

Added codeconnections:UseConnection and codeconnections:PassConnection permissions to the GitHub pipeline IAM role in the installer stack. This resolves failures when using AWS CodeConnections (the successor to CodeStar Connections) as the GitHub source provider for the LZA pipeline.

ISO Partition Organization Trail Override

Removed an incorrect property deletion override for IsOrganizationTrail in the ISO partition aspects. This override was preventing organization-level CloudTrail trails from being enabled in ISO-B environments.

Container Dockerfile Fixes

  • Fixed the Dockerfile to copy the source/ directory directly instead of expecting a source.tar.gz tarball, aligning with the current build pipeline behavior
  • Added fallback handling to support both source/ directory and source.tar.gz formats in the staging copy step

Dependency Vulnerability Remediation

Resolved HIGH and MODERATE severity vulnerabilities in dependencies, including updates to @aws-cdk/asset-awscli-v1, axios, and postcss. Added a basic-ftp resolution to address a HIGH severity vulnerability (CVE in versions prior to 5.3.0).

Changes

CFN-Nag Suppression for GitHub Pipeline Role

Updated CFN-Nag suppressions to include the GitHubPipelineRole resource, preventing false-positive warnings for the CodeConnections wildcard permissions required by the GitHub source action.

Service Catalog Documentation Improvements

Expanded and clarified the TypeDoc documentation for Service Catalog portfolio associations, product versions, and product launch constraints in customizations-config.yaml. The updated documentation includes more detailed descriptions, improved code examples, and links to relevant AWS documentation.

AWS Config Aggregation Documentation Fix

Corrected the example configuration for AWS Config aggregation in security-config.yaml to reference the Audit account as the delegated admin instead of LogArchive, matching the recommended deployment pattern.

Container Build Script and Documentation

Reworked create-container.sh for local development use and added a new developer guide page documenting how to build the container image locally, including NODE_OPTIONS heap size configuration and platform considerations.

Internal Package Visibility

Marked the @aws-lza package as private in its package.json to prevent accidental publication to npm registries.

Additional Resources

For full details, please see the CHANGELOG.
