All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- feat(network-config): Add deployments of Application Load Balancers in perimeter VPC. Added sample to deploy ALB in workload accounts and ALB Forwarding feature.
- feat(replacements): Added use of replacements-config.yaml file to centralize deployment variables.
- fix(custom-config): Updated nodejs and AWS SDK version
- fix(network-config): Removed App2 subnets from the central network. These were used originally used for AWS Managed Active Directory; however, since MAD now supports running in a delegated account with IAM Identity Center, these are no longer needed. Customers should check there are no other resources deployed in these subnets prior to making change
- feat(global-config): Enabled additional regions by default with CMK region excludes for cost optimization
- fix(global-config): Add CWL subscription filter exclusion for organization CloudTrail logs
- fix(docs): Updated broken link to install instructions
- fix(docs): Updated documentation for Control Tower deployments with LZA v1.7.0
- feat(replacements): Added use of replacements-config.yaml file to centralize global variables.
- fix(iam-config): Modified IAM Identity Center configuration to delegate to the Operations account. In the previous version of the configuration file, Identity Center delegated administrator was not explicitly delegated to any account. Therefore LZA used the Audit (Security) account as the delegated administrator by default. We recommend to delegate Identity Center administration to the operations account. Refer to the Identity Center section of the FAQ for more details
- feat(security-config): Added AWS Config rule to enforce HTTPS on S3 bucket via the bucket policy
- fix(network-config): Added blackhole routes to Transit Gateway Network-Main-Segregated route table to match the documented reference architecture
- feat(global-config): Added config version, to help customers easily find their current config version. This helps customers know which changelogs should be reviewed to understand the changes made between versions
- fix(scp): Modified ACM SCP to use accelerator prefix variable
- fix(scp): Modified GLB1 SCP to allow CloudWatch metrics for WAF in global region
- fix(security-config): Added variable and instructions to update CloudWatch log group name for CloudTrail logs. Fixes CloudWatch alarms if using Control Tower
- fix(network-config): Updated source rules to include Central-Web-B as an allowed source
- feat(global-config)!: Use the cdkOptions/customDeploymentRole for all CDK deployment tasks. When implementing this change on existing deployments it is important to review and implement the related SCP changes to use the
${ACCELERATOR_PREFIX}replacements in statement conditions. - feat(global-config): Configure quota limits increase request, so those are no longer needed to be manually requested during installation
- feat(security-config): Configure SNS topic to send Security Hub notifications
- feat(security-config): Enable CloudWatch logging for Security Hub notifications
- feat(security-config): Enables the AWS Config Aggregator if not using Control Tower
- fix(global-config): Remove duplicate CloudTrail management events when deployed with ControlTower
- fix(scp): Modified TAG1 SCP to prevent modification of security groups owned by AWSAccelerator
- chore: Reformated yaml files to remove trailing whitespaces and use proper indentation
This sample configuration is now maintained in this standalone repository.
- feat(network-config)!: Add configuration to delete rules of default security groups. Best practice is to not use the default security groups. Please review if your existing workloads use the default security groups before applying this change.
- feat(iam-config): Use dedicated
AWSAccelerator-RDGW-Rolefor Managed Active Directory management instance - feat(network-config): Deployment of default Web, App and Data security groups in all VPCs and workload accounts (ASEA parity)
- fix(network-config): Add deployment of interface endpoints for Secrets Manager, CloudFormation and Monitoring (ASEA parity)
- fix(scp): SCP updates for granular billing permissions
- fix(network-config): Add additional Route Table entries in the Network Firewall Perimeter subnets to target the NAT Gateway in the proper availability zone
- fix(security-config): Refactor AWS Config rules to avoid duplication
- fix(config rules): Fixed accelerator-ec2-instance-profile-permission Config rule
- fix(iam-config): Changed deployment target of
AWSAccelerator-Default-Boundary-Policyto align with the deployment target of the roles referencing this policy.
- feat(global-config): Added support for Control Tower in the configuration. IMPORTANT: Control Tower can only be enabled in the initial installation and not through an update.
- feat(scp): updates to some SCP statements
- fix(network-config): Security groups defined in shared VPCs are now replicated to accounts where the subnets are shared. If you reference a prefix list from a security group, you need to update the deployment targets of the prefix list to deploy the prefix list in all shared accounts
- fix(security-config): Lambda runtimes for AWS Config rules were updated to NodeJs16
The first version of this reference configuration was released with LZA version 1.3.0.