github awslabs/landing-zone-accelerator-on-aws v1.16.0-experimental-rc.5

pre-release · 9 hours ago

Important

We are pleased to announce an experimental release of the Landing Zone Accelerator on AWS, providing early access to upcoming features and improvements. Installer templates for the experimental version can be downloaded from the release notes.

Intended Usage and Environment Considerations

This experimental release is specifically designed for evaluation and testing purposes in development environments only. Given the nature of pre-release software and ongoing refinements, we strongly advise against deploying these features in production environments at this time. Organizations should continue to rely on our latest official release for production workloads to ensure maximum stability and support coverage.

Support and Issue Reporting Guidelines

Any issues encountered while using this experimental release should be reported through our GitHub issues rather than through AWS Support. This approach allows our development team to rapidly address feedback and incorporate improvements into the upcoming official release. When submitting GitHub issues, please clearly indicate that the issue relates to the experimental release (experimental/v1.16.0) to help us properly track and address your input.

Path to Official Release

Features and improvements introduced in this experimental release will undergo thorough testing and refinement before being incorporated into an official release. We encourage users to subscribe to our repository notifications to stay informed about updates and the timeline for official release availability.

New Features

Static HTML configuration diff viewer

LZA now generates a self-contained static HTML diff report during pipeline execution, providing a visual side-by-side comparison of CloudFormation template changes before deployment. The viewer includes:

  • Noise filtering — automatically detects and collapses Lambda S3Key rotations and CustomResource UUID changes that appear on every deploy with no functional impact
  • Section grouping — diffs are organized by stack section (e.g., Networking, Security, Logging) extracted from stack names
  • Compressed payload — diff content is gzip-compressed and embedded in the HTML for efficient storage and transfer
  • CLI integration — a generate-diff-viewer-cli.ts wrapper enables CodeBuild to generate the report as a pipeline artifact

The diff viewer is integrated into the accelerator pipeline as an additional build artifact, accessible from the pipeline execution history.
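As an added example (not code from the LZA repository), the TypeScript below shows the shape of the noise filtering described above: it diffs two CloudFormation templates at the property level and collapses only the two patterns the release notes name. The exact heuristics LZA applies are not published here, so the rules in noiseReason, the function names, and the sample templates are assumptions constructed for this illustration. The point to check in any such filter is that it stays narrow: a Lambda Code.S3Bucket change or a non-UUID Custom:: property change must remain a visible, functional change.

```typescript
// Added example, not LZA's code: classify property-level changes between two
// CloudFormation templates as noise or functional, using the two heuristics the
// release notes name. The patterns below are assumptions, not LZA's published rules.

interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface Template { Resources: Record<string, CfnResource> }

interface Change {
  logicalId: string;
  type: string;
  path: string;        // dotted property path, e.g. "Code.S3Key"; "" for add/remove
  before: unknown;
  after: unknown;
  noise: boolean;
  reason?: string;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Assumed heuristics. They are deliberately narrow: a Lambda Code.S3Bucket change, or a
// Custom:: property that is not a UUID on both sides, stays a functional change.
function noiseReason(type: string, path: string, before: unknown, after: unknown): string | undefined {
  if (type === 'AWS::Lambda::Function' && path === 'Code.S3Key') return 'lambda asset key rotation';
  if (type.indexOf('Custom::') === 0 && typeof before === 'string' && typeof after === 'string'
      && UUID_RE.test(before) && UUID_RE.test(after)) return 'custom resource uuid rotation';
  return undefined;
}

// Flatten nested Properties into dotted leaf paths; arrays are compared as single leaves.
function flatten(value: unknown, prefix: string, out: Record<string, unknown>): Record<string, unknown> {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) flatten(obj[key], prefix ? `${prefix}.${key}` : key, out);
  } else {
    out[prefix] = value;
  }
  return out;
}

function uniq(items: string[]): string[] {
  return items.filter((v, i) => items.indexOf(v) === i);
}

function diffTemplates(before: Template, after: Template): Change[] {
  const changes: Change[] = [];
  for (const id of uniq(Object.keys(before.Resources).concat(Object.keys(after.Resources)))) {
    const b = before.Resources[id];
    const a = after.Resources[id];
    if (!b || !a) {
      // Added or removed resources are never collapsed.
      changes.push({ logicalId: id, type: ((a || b) as CfnResource).Type, path: '', before: b, after: a, noise: false });
      continue;
    }
    if (b.Type !== a.Type) {
      changes.push({ logicalId: id, type: a.Type, path: 'Type', before: b.Type, after: a.Type, noise: false });
    }
    const bp = flatten(b.Properties || {}, '', {});
    const ap = flatten(a.Properties || {}, '', {});
    for (const path of uniq(Object.keys(bp).concat(Object.keys(ap)))) {
      if (JSON.stringify(bp[path]) === JSON.stringify(ap[path])) continue;
      const reason = b.Type === a.Type ? noiseReason(a.Type, path, bp[path], ap[path]) : undefined;
      changes.push({ logicalId: id, type: a.Type, path, before: bp[path], after: ap[path], noise: reason !== undefined, reason });
    }
  }
  return changes;
}

function summary(changes: Change[]): { functional: number; noise: number } {
  return { functional: changes.filter(c => !c.noise).length, noise: changes.filter(c => c.noise).length };
}

// Constructed sample: both noise patterns plus two changes that must stay visible.
const BEFORE: Template = { Resources: {
  Fn: { Type: 'AWS::Lambda::Function', Properties: {
    Code: { S3Bucket: 'lza-assets-a', S3Key: '1f2e3d4c.zip' },
    Environment: { Variables: { LOG_LEVEL: 'info' } } } },
  Cr: { Type: 'Custom::Config', Properties: {
    ServiceToken: 'arn:aws:lambda:us-east-1:111122223333:function:lza-config',
    uuid: '6f1c2a6e-0b3d-4c7e-9a1f-2b3c4d5e6f70' } },
} };
const AFTER: Template = { Resources: {
  Fn: { Type: 'AWS::Lambda::Function', Properties: {
    Code: { S3Bucket: 'lza-assets-b', S3Key: '9a8b7c6d.zip' },   // bucket change: functional, key change: noise
    Environment: { Variables: { LOG_LEVEL: 'debug' } } } },      // env change: functional
  Cr: { Type: 'Custom::Config', Properties: {
    ServiceToken: 'arn:aws:lambda:us-east-1:111122223333:function:lza-config',
    uuid: 'c0ffee00-1111-4222-8333-444455556666' } },           // uuid rotation: noise
} };
```

Running diffTemplates(BEFORE, AFTER) yields four changes, two collapsed as noise and two left as functional; a viewer built on this should still list the collapsed entries behind an expander rather than dropping them, so a reviewer can confirm that nothing but the asset key or nonce moved.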

IAM role trust policy conditions

LZA now supports per-principal trust policy conditions on IAM roles defined in iam-config.yaml. Each assumedBy entry can include a conditions array specifying IAM condition operators (StringEquals, ArnLike, StringLike, etc.), condition keys, and values. Conditions are merged with any existing role-level externalIds, enabling fine-grained control such as restricting assume-role to specific aws:PrincipalOrgID values or source VPCs.

# Example iam-config.yaml
roleSets:
  - deploymentTargets:
      accounts: [Management]
    roles:
      - name: CrossAccountRole
        assumedBy:
          - type: account
            principal: "123456789012"
            conditions:
              - type: StringEquals
                key: "aws:PrincipalOrgID"
                values:
                  - "o-abc123def4"
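As an added example (not LZA's implementation), the TypeScript below renders the trust policy for a role defined like the fragment above and shows the merge with a role-level externalIds list. The config interfaces mirror the fragment; the externalId value, the helper names, and the merge rules are this example's own assumptions, since the page describes the merge but does not show the rendered policy. The detail worth seeing is that an IAM Condition block is keyed by operator, so a per-principal StringEquals and an externalIds-derived StringEquals must be merged key by key; a naive object spread would keep only one of them and the role would be assumable with a single check instead of both.

```typescript
// Added example, not LZA's code: render a trust policy from an iam-config.yaml style role,
// merging per-principal conditions with role-level externalIds. Shapes and names are assumptions.

interface ConditionConfig { type: string; key: string; values: string[] }
interface AssumedByConfig { type: 'account' | 'service' | 'principalArn'; principal: string; conditions?: ConditionConfig[] }
interface RoleConfig { name: string; assumedBy: AssumedByConfig[]; externalIds?: string[] }

// IAM Condition shape: operator -> condition key -> values.
// Keys within a statement are ANDed; values under one key are ORed.
type ConditionBlock = Record<string, Record<string, string[]>>;

function principalFor(entry: AssumedByConfig): Record<string, string> {
  switch (entry.type) {
    case 'account': return { AWS: `arn:aws:iam::${entry.principal}:root` };
    case 'service': return { Service: entry.principal };
    case 'principalArn': return { AWS: entry.principal };
    default: throw new Error(`unsupported assumedBy type: ${String((entry as AssumedByConfig).type)}`);
  }
}

// Merge one condition into the block. A spread such as { ...existing, ...incoming } would replace
// an existing StringEquals map instead of adding to it; this keeps every key and unions the values.
function addCondition(block: ConditionBlock, operator: string, key: string, values: string[]): void {
  if (!block[operator]) block[operator] = {};
  const existing = block[operator][key] || [];
  block[operator][key] = existing.concat(values.filter(v => existing.indexOf(v) < 0));
}

function trustPolicy(role: RoleConfig): { Version: string; Statement: Record<string, unknown>[] } {
  const Statement = role.assumedBy.map(entry => {
    const condition: ConditionBlock = {};
    for (const c of entry.conditions || []) addCondition(condition, c.type, c.key, c.values);
    // Assumption: role-level externalIds become an sts:ExternalId condition on every statement.
    if (role.externalIds && role.externalIds.length > 0) {
      addCondition(condition, 'StringEquals', 'sts:ExternalId', role.externalIds);
    }
    const stmt: Record<string, unknown> = { Effect: 'Allow', Principal: principalFor(entry), Action: 'sts:AssumeRole' };
    if (Object.keys(condition).length > 0) stmt.Condition = condition;
    return stmt;
  });
  return { Version: '2012-10-17', Statement };
}

// The iam-config.yaml fragment above as an object, plus a constructed externalId to show the merge.
const CROSS_ACCOUNT_ROLE: RoleConfig = {
  name: 'CrossAccountRole',
  externalIds: ['lza-example'],
  assumedBy: [{
    type: 'account',
    principal: '123456789012',
    conditions: [{ type: 'StringEquals', key: 'aws:PrincipalOrgID', values: ['o-abc123def4'] }],
  }],
};
```

trustPolicy(CROSS_ACCOUNT_ROLE) produces one statement whose Condition.StringEquals carries both aws:PrincipalOrgID and sts:ExternalId. Note what the aws:PrincipalOrgID condition does and does not buy you: it guards against the principal account leaving the organization or a mistyped account ID, but it does not narrow which IAM identities inside that account may assume the role; that still depends on the calling account's own policies, which is why a principalArn entry or an sts:ExternalId check is the tighter option for cross-account access.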

VPN route propagation on route tables

Added a new enableRoutePropagation boolean property on route tables in network-config.yaml. When set to true and a Virtual Private Gateway is defined for the VPC, LZA creates a CfnVPNGatewayRoutePropagation resource that automatically propagates BGP-learned routes from the VPN gateway into the specified route tables. This eliminates the need for manual static route management for Site-to-Site VPN connections.
Config validation warns if enableRoutePropagation is set but no VPN gateway is defined for the VPC, and errors if the property is used without v2 stacks enabled.
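As an added example (not LZA's implementation), the TypeScript below plans the AWS::EC2::VPNGatewayRoutePropagation resources for a VPC and raises the two validation outcomes described above. The config interfaces are a simplified stand-in for the relevant parts of network-config.yaml, and the logical IDs and Ref targets are this example's own choice; treat all of them as assumptions. It shows the one thing the prose leaves implicit: without the warning, a route table that opts in on a VPC with no virtual private gateway is silently inert, which is easy to mistake for a working VPN path.

```typescript
// Added example, not LZA's code: plan VPN route propagation resources and diagnostics for one VPC.
// Config shape, logical IDs and Ref targets are assumptions for illustration.

interface RouteTableConfig { name: string; enableRoutePropagation?: boolean }
interface VpcConfig { name: string; virtualPrivateGateway?: { asn: number }; routeTables: RouteTableConfig[] }
interface Diagnostic { level: 'warning' | 'error'; message: string }
interface PropagationPlan { resources: Record<string, unknown>; diagnostics: Diagnostic[] }

function planVpnRoutePropagation(vpc: VpcConfig, useV2Stacks: boolean): PropagationPlan {
  const plan: PropagationPlan = { resources: {}, diagnostics: [] };
  const enabled = vpc.routeTables.filter(rt => rt.enableRoutePropagation === true);
  if (enabled.length === 0) return plan;

  // Hard failure: the property only exists on v2 network stacks.
  if (!useV2Stacks) {
    plan.diagnostics.push({ level: 'error', message: `${vpc.name}: enableRoutePropagation requires v2 stacks (useV2Stacks: true)` });
    return plan;
  }
  // Soft failure: there is no gateway to learn BGP routes from, so the setting would do nothing.
  if (!vpc.virtualPrivateGateway) {
    plan.diagnostics.push({ level: 'warning', message: `${vpc.name}: enableRoutePropagation is set but no virtualPrivateGateway is defined` });
    return plan;
  }
  // One propagation resource per opted-in route table, bound to the VPC's VGW.
  for (const rt of enabled) {
    plan.resources[`${vpc.name}${rt.name}VpnRoutePropagation`] = {
      Type: 'AWS::EC2::VPNGatewayRoutePropagation',
      Properties: {
        RouteTableIds: [{ Ref: `${vpc.name}${rt.name}` }],
        VpnGatewayId: { Ref: `${vpc.name}Vgw` },
      },
    };
  }
  return plan;
}

// Constructed sample: a VPC with a VGW and two route tables, only one of which opts in.
const NETWORK_VPC: VpcConfig = {
  name: 'Network',
  virtualPrivateGateway: { asn: 65000 },
  routeTables: [
    { name: 'RtA', enableRoutePropagation: true },
    { name: 'RtB' },
  ],
};
```

planVpnRoutePropagation(NETWORK_VPC, true) yields a single propagation resource for RtA and no diagnostics; the same VPC with useV2Stacks false yields an error, and the same route tables on a VPC without virtualPrivateGateway yield a warning and no resources.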

Changes

Custom Resources to LZA Module Migration

The LZA has begun migrating CloudFormation custom resource implementations to native Node.js modules, replacing Lambda-backed resource provisioning with direct API calls during pipeline execution. This migration eliminates Lambda cold-start overhead and CloudFormation timeout constraints while providing improved error handling, structured logging, and faster pipeline execution. The migration is transparent to customers; existing configurations continue to work without changes, and resource state is preserved. Future releases will continue migrating remaining custom resources incrementally.

Transit Gateway associations and propagations Module

LZA now manages Transit Gateway route table associations, propagations, and Direct Connect gateway associations through a dedicated module instead of individual CloudFormation resources. This resolves the CloudFormation 500-resource stack limit that caused deployment failures in large environments with many VPC attachments.
Key improvements:

  • Stack resource reduction — TGW associations and propagations are no longer individual AWS::EC2::TransitGatewayRouteTableAssociation / Propagation CFN resources. The module manages them via direct API calls, eliminating the resource count ceiling
  • Resource retention safety — a retention registry ensures existing CFN-managed TGW resources are preserved with DeletionPolicy: Retain before the module takes ownership, preventing accidental deletion during migration

Macie Module Migration

Migrated Amazon Macie from CloudFormation custom resources to the LZA module pattern. This migration:

  • Introduces the module orchestration framework — a new runner.ts and module-orchestration.ts provide a reusable engine for executing security service modules with DynamoDB-backed state management, credential caching, and structured logging
  • Adds CloudFormation resource retention — a cfn-retention subsystem safely transitions Macie resources from CFN-managed custom resources to module-managed API calls by applying DeletionPolicy: Retain before stack updates
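As an added example (not LZA's cfn-retention code), the TypeScript below shows the two-phase takeover that both the Transit Gateway and Macie migrations above depend on: phase 1 updates the stack so every module-owned resource carries DeletionPolicy: Retain, and phase 2 removes those resources from the template only once the deployed template proves retention is in place. The registry contents, function names, and sample template are this example's own assumptions; the TGW resource types are the ones the release notes name, and Macie's custom-resource types would be registered the same way. The ordering is the whole point: CloudFormation applies the DeletionPolicy from the last successfully deployed template, so setting Retain and removing the resource in the same update deletes the live resource.

```typescript
// Added example, not LZA's code: two-phase CloudFormation retention before a module takes over
// resources. Registry contents, names and the sample template are assumptions.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;
}
interface CfnTemplate { Resources: Record<string, CfnResource> }

// Retention registry: resource types whose ownership moves from CloudFormation to a module.
const TGW_REGISTRY: string[] = [
  'AWS::EC2::TransitGatewayRouteTableAssociation',
  'AWS::EC2::TransitGatewayRouteTablePropagation',
];

// Phase 1: deploy this template first. Every registered resource gets Retain on both policies
// (UpdateReplacePolicy covers a later update that replaces rather than deletes).
function applyRetention(template: CfnTemplate, registry: string[]): { template: CfnTemplate; retained: string[] } {
  const retained: string[] = [];
  const Resources: Record<string, CfnResource> = {};
  for (const id of Object.keys(template.Resources)) {
    const r = template.Resources[id];
    if (registry.indexOf(r.Type) >= 0 && r.DeletionPolicy !== 'Retain') {
      Resources[id] = { ...r, DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' };
      retained.push(id);
    } else {
      Resources[id] = r;
    }
  }
  return { template: { Resources }, retained };
}

// Phase 2: drop registered resources from the stack so the module can own them. The input must be
// the template as currently deployed; a registered resource without Retain aborts the step,
// because removing it would delete the live association instead of orphaning it.
function removeForTakeover(deployed: CfnTemplate, registry: string[]): CfnTemplate {
  const Resources: Record<string, CfnResource> = {};
  for (const id of Object.keys(deployed.Resources)) {
    const r = deployed.Resources[id];
    if (registry.indexOf(r.Type) < 0) { Resources[id] = r; continue; }
    if (r.DeletionPolicy !== 'Retain') {
      throw new Error(`${id} (${r.Type}) is not retained; deploy the retention update before removing it`);
    }
  }
  return { Resources };
}

// Constructed sample: a VPC attachment with its association and propagation. The attachment is
// not in the registry and must pass through both phases untouched.
const DEPLOYED: CfnTemplate = { Resources: {
  TgwAttach: { Type: 'AWS::EC2::TransitGatewayAttachment', Properties: { VpcId: 'vpc-0123456789abcdef0' } },
  TgwAssoc: { Type: 'AWS::EC2::TransitGatewayRouteTableAssociation', Properties: { TransitGatewayAttachmentId: { Ref: 'TgwAttach' } } },
  TgwProp: { Type: 'AWS::EC2::TransitGatewayRouteTablePropagation', Properties: { TransitGatewayAttachmentId: { Ref: 'TgwAttach' } } },
} };
```

Calling removeForTakeover(DEPLOYED, TGW_REGISTRY) directly throws, because neither TGW resource is retained yet; applyRetention(DEPLOYED, TGW_REGISTRY) marks both, and only the template it returns (once deployed) passes phase 2, leaving TgwAttach as the sole CloudFormation-managed resource.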

Identity Center Delegated Admin

Previously, LZA registered an Identity Center delegated administrator even when the identityCenter property was not defined in the IAM configuration. This has been corrected — delegated admin registration now only occurs when identityCenter is explicitly configured. Customers who did not define identityCenter in their config but rely on the delegated admin account for managing Identity Center resources should either add the identityCenter configuration block or re-register the delegated admin manually before upgrading, as the delegated admin will be deregistered during the upgrade. Existing permission sets and user access are not affected.

S3-only VPC flow logs (v2 network stack)

Previously when a VPC's vpcFlowLogs was configured with destinations: [s3] (or any list excluding cloud-watch-logs) on the v2 network stack, LZA incorrectly synthesized a CloudWatch flow log alongside the S3 flow log. With this fix, only the destinations explicitly listed are created. v1 network stacks were not affected.

Note

If you used a destinations list that excluded cloud-watch-logs on the v2 network stack and saw an unwanted CloudWatch flow log created, the next pipeline run will automatically remove the AWS::EC2::FlowLog resource and its IAM role from your stack. The underlying CloudWatch log group is retained (it uses RETAIN_ON_UPDATE_OR_DELETE to protect against accidental log deletion) and must be deleted manually in each affected account/region if it is not desired. Only customers running v2 network stacks (useV2Stacks: true) who explicitly opted out of cloud-watch-logs are impacted.

Container Deployment Image Availability

For official releases, the container deployment image is published to the public Amazon ECR gallery. However, for this experimental release, the container image is not published to public ECR. Instead, a pre-built container image is attached as an asset to this GitHub release (lza-v1.16.0-experimental-rc.5-al2023.tar.gz).
To use container deployment with this experimental release:

  1. Download lza-v1.16.0-experimental-rc.5-al2023.tar.gz from the Assets section below
  2. Create an Amazon ECR repository in the orchestration account (recommended name: landing-zone-accelerator-on-aws)
  3. Authenticate to your ECR registry:

aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com

  4. Load the image:

docker load < lza-v1.16.0-experimental-rc.5-al2023.tar.gz

  5. Tag and push the image:

docker tag lza-v1.16.0-experimental-rc.5-al2023:latest <account_id>.dkr.ecr.<region>.amazonaws.com/landing-zone-accelerator-on-aws:latest
docker push <account_id>.dkr.ecr.<region>.amazonaws.com/landing-zone-accelerator-on-aws:latest

For full container deployment instructions, see the Container README.

Additional Resources

For full details, please see the CHANGELOG.
