Important
We highly recommend that you keep your environments up to date by upgrading to the latest version. To upgrade your environments to this version, use the CloudFormation console to update your AWSAccelerator-Installer stack using the latest installer template and ensure that that you set Branch Name to the latest version (release/v1.4.0 for this release). See Update the solution for more information.
Security groups defined in shared VPCs are now replicated to accounts where the subnets are shared. If you reference a prefix list from a security group, you need to update the deployment targets of the prefix list to deploy the prefix list in all shared accounts. (network-config.yaml)
Lambda runtimes for AWS Config rules were updated to NodeJs16. (security-config.yaml)
Cross-account IPAM subnet references have been updated and requires a configuration change. This only affects customers that are referencing IPAM-created subnets that exist in the same account and region the NACL rule is created in. To resolve this, you will need to:
- Comment out any NACL rules that reference IPAM-created subnets that reside in the same account+region of the account+region the NACL is being created in.
- Run the pipeline, which will delete the NACL rules.
- Uncomment the same-account NACLs and run the pipeline once again.
Added
- feat(config): Utilize existing AWS Config Service Delivery Channel
- feat(installer): Support custom prefix for LZA resources
- feat(logging) Add S3 prefix to Config Recorder delivery channel
- feat(networking): Added deploymentTargets property for prefix lists
- feat(networking): add ability to reference same-account IPAM subnets in Security Groups and NACLs
- feat(scp): Implement SCP allow-list strategy
- feat(security-config) Add ability to define CloudWatch Log Groups
- feat(security hub): allow definition of deploymentTargets for Security Hub standards
- feat(validation): verify no ignored OU accounts are included in accounts-config file
Changed
- chore(app): Update AWS CDK version to 2.70.0
- chore(docs): adding optional flags and replacement warnings to SecurityConfig and NetworkConfig
- chore(network): network stack refactor to assist in development efforts
- enhancement(cdk): Configure CDK to use managementAccountAccessRole for all actions
- enhancement(logging): Reduce logging in firehose processor to optimize cost
- enhancement(networking): replicate Security Groups to Accounts with RAM shared subnets
- enhancement(network): make vpcFlowLogs property optional
Fixed
- fix(accounts): methods used to retrieve Account IDs for Root OU targets return ignored accounts
- fix(bootstrap): Forced bootstrap update for non-centralized CDK buckets
- fix(budgets): unable to deploy AWS Budgets in Regions without vpc endpoint
- fix(ebs): EBS encryption policy references Account instead of Region
- fix(logging): remove nested looping for additional statements
- fix(networking): fix IPAM SSM lookup role name mismatch
- fix(networking): VPC-level ALBs and NLBs may reference incorrect logging bucket region
- fix(networking): replicating shared VPC/subnet tags to consumer account fails if sharing subnets from multiple owner accounts
- fix(networking): default VPCs are not deleted if the excludedAccounts property is not included
- fix(pipeline): Credential timeout for long running stages
- fix(sso): permission sets and assignments created outside of LZA cause pipeline failure
- chore(application-stack): refactor application stack to reduce complexity
Configuration Changes
- feat(aws-best-practices-education): Added additional security-config controls
- feat(aws-best-practices-tse-se): Added AWS Control Tower installation instructions
- enhancement(aws-best-practices): Replace hard-coded management role in guardrail SCPs with a variable
- enhancement(aws-best-practices-cccs-medium): updated configuration to utilize accelerator prefix feature
- enhancement(aws-best-practices-tse-se): updated install instructions for GitHub personal access token