Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. See Update the solution for the required actions to upgrade.
Bug Fixes
Control Tower Enroll-Accounts Module Baseline Status Checks
Resolved an issue where the enroll-accounts module did not filter ignored Organizational Units (OUs) from AWS Control Tower baseline status checks. OUs marked with ignore: true in organization-config.yaml are now excluded from baseline evaluation, preventing false failures when those OUs intentionally lack Control Tower baselines.
Changed
Removed KmsKeyId Override for ISO and ISOB Partitions
LZA no longer removes the KmsKeyId property from CloudWatch Logs log groups when deploying to ISO and ISO-B partitions. This change enables KMS encryption for log groups in isolated regions where it was previously stripped by the CDK aspect overrides.
Dependency Updates
This release remediates the following security vulnerabilities in third-party dependencies:
- CVE-2026-42264 in axios (upgraded to 1.15.2)
- CVE-2026-42338 in ip-address (upgraded to 10.0.2)
- CVE-2026-41907 in uuid (upgraded to 11.1.0)
- CVE-2026-44665 in fast-xml-builder (upgraded to 5.7.2)
- CVE-2026-44240 in basic-ftp (upgraded to 5.3.1)
- CVE-2026-33750 in brace-expansion (upgraded to 2.0.2)
- CVE-2026-6322 in fast-uri (upgraded to 3.0.7)
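To confirm that a build actually resolves the versions listed above, the following added example (not part of the release notes or the LZA code base) scans a lockfile and reports every resolved copy of a listed package that is below the "upgraded to" version. It assumes a Yarn v1 format lockfile; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Versions are the "upgraded to" values from the list above.
const UPGRADED_TO = new Map([
  ['axios', '1.15.2'], ['ip-address', '10.0.2'], ['uuid', '11.1.0'],
  ['fast-xml-builder', '5.7.2'], ['basic-ftp', '5.3.1'],
  ['brace-expansion', '2.0.2'], ['fast-uri', '3.0.7'],
]);

// Compare numeric major.minor.patch; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Parse a Yarn v1 lockfile (assumed format) into { name, version } entries.
function parseYarnLock(text) {
  const entries = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    if (line && !/^[\s#]/.test(line) && line.endsWith(':')) {
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      name = spec.slice(0, spec.lastIndexOf('@')); // keeps the scope in "@scope/pkg"
    } else if (name) {
      const m = line.match(/^  version "([^"]+)"/);
      if (m) { entries.push({ name, version: m[1] }); name = null; }
    }
  }
  return entries;
}

// Return every resolved copy of a listed package that is below the listed version.
function findOutdated(lockText) {
  return parseYarnLock(lockText).filter(
    (e) => UPGRADED_TO.has(e.name) && compareVersions(e.version, UPGRADED_TO.get(e.name)) < 0);
}

// Constructed sample lockfile, not taken from any real deployment.
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '',
  'axios@^1.7.4:', '  version "1.15.2"', '',
  'brace-expansion@^1.1.7:', '  version "1.1.11"', '',
  'brace-expansion@^2.0.1:', '  version "2.0.2"', '',
  'uuid@^9.0.0, uuid@^9.0.1:', '  version "9.0.1"', '',
  '"@types/uuid@^9.0.0":', '  version "9.0.8"',
].join('\n');

console.log(findOutdated(SAMPLE_LOCK));
```

A flagged entry means the resolved version is older than the one this release moved to, not that it is confirmed affected: a lower major line may carry its own fix, so check each finding against the CVE's advisory.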
Please see the v1.15.0 Release Notes for information on significant changes from a previous minor version.