- Added option to enable concurrency to deploy StackSets operations in regions in parallel.
- Update CodeBuild Image to standard:5.0
- Add retry mechanism for describe CloudFormation APIs.
- Optimize rsync command in merge scripts (Build Stage).
- Refactor Boto3Session class for all the AWS service modules.
- Support pagination for Service Catalog list_portfolios API responses.
- Pinned versions for all the third-party packages.
- Updated IAM role to use new AWS Lambda Function managed policy 'AWSLambda_FullAccess'
- Fixed bug related to describe_parameter API
- Updated the AWS CodeBuild image to the latest available version (aws/codebuild/standard:4.0)
- Fix issue related to incompatibility between latest version of BotoCore and AWS CLI. Ref:[Boto3 Issue #2596](https://github.com/boto/boto3/issues/2596)
- Updated AWS Config managed policy name to use the new managed policy name that removes the “S3:GetObject” permission.
- Enable automatic key rotation for the AWS KMS key: AwsLandingZoneKMSKey
- Optimized stack instance deployment workflow - consume 60% less time to deploy same number of stack instances
- Reduced stack set operation fault tolerance to 10 percent
- Optimized LauncAVM stage to reduce throttling exceptions
- Change IAM Password Policy baseline resource runtime from NodeJS to Python to avoid future NodeJS updates
- Updated all python3.6 runtimes to python 3.8 (and 3.7 for inline lambda functions)
- Added retry mechanism for AWS Organizations APIs
- Updated state machine execution names in LaunchAVM stage to avoid name conflict exception.
- Use Virtual Hosted-Style URLs (path-style URLs will be deprecated in Sept 2020)
- Use regional endpoint for S3 APIs
- Updated to Nodejs12.x runtime
- Updated to Python3.8 runtime
- Added public IP address and cfn-signal to RDGW template launch config
- Added an AWS Lambda function to publish new Service Catalog Add-On Products.
- Added a CloudWatch Event (CWE) to run Add-On publisher lambda function once a day.
- Added parameter to initiation template to disable auto-update Add-On portfolio mechanism.
- Added parameter to specify an update notification email if auto-update functionality is enabled.
- Fixed error handling of intermittent issue: during new account creation an exception is thrown if STS service has not been enabled due to account initialization. The bug fix will force a retry after 5 minutes.
- Handled Scaling Issue with Service Catalog API (search_provisioned_product). The API response does not return all the provisioned products in the response pages if there are more than 100 provisioned products. We added "sortBy" key in the API to restore this behavior.
- RSS Feed Notifications for future releases
- Deletion Mechanism for the Baseline Resources in the CodePipeline
- Add SCP Policies (preventive guardrails) to protect resources managed by AWS Landing Zone (feature parity with AWS Control Tower Guardrails)
- Add solution prefix to the resources created by the solution (feature parity with AWS Control Tower Guardrails)
- Parallel LaunchAVM State Machine executions - deploy/update batch of accounts per execution
- Added retry mechanism in LaunchAVM State Machine to handle exceptions during provisioned product update.
- Update S3 prefix with organization id for Cloudtrail and Config logs in Log Archive account
- Added metadata and/or updated template with reduced permissions per CFN-Nag warnings.
- Add retain policy to protect the resources from deletion (VPC Resources and Active Directory Resource (Add-On))
- Support for Boolean and None-Type Parameters values in Add-On Products
- Automatically remove unnecessary white spaces in the SCP policies to handle SCP (size) limits
- Fixes SCP Stage failure due to SSM parameter store value limit. Use S3 to store SCP policy.
- Fixes undefined password issue issue in the IAM Password policy baseline resource
- Fixes LaunchAVM State Machine error - reached maximum (25,000) entries in the state machine execution history
- Fixes Handhshake State Machine error - unable to get master detector id
- Support Nested OU structure
- Apply SCP at OU level, not at account level anymore
- Add the new input parameter for the LZ Initiation template to enable "AWS Security Monitoring" in all regions (production) vs current region (Immersion Day)
- SSO Add-On change in all available regions
- Centralized Logging Add-On to retain cognito user pool & ES domain once the Add-on is deleted.
- Update CodeBuild project image
- Change due to STS Global Endpoint Deprecation
- Core Resource Stage Optimization, if the core resource template/parameter/account/region does not change, it will skip the update stack set.
- Service Catalog Stage Optimization, skip creating a new version if no changes were made in AVM (This improves LaunchAVM Stage - Currently everytime the pipeline runs, it create the new version of AVM. With this optimization, if nothing has changed in AVM, it will not generate the new version of AVM service catalog product.)
- Unable to deploy AVM in US-West-1, AZ Enumeration issue
- Landing zone API throttle limit exceed error while describing stack
- Manifest with only the PRIMARY account in 'core' OU fails
- LaunchAVM is moving the Core account to incorrect OU
- Create "add-on" folder at the same level as manifest.yaml
- Handle assume role failure in AVM for new account
- Handshake State Machine - metric stage fail
- CFN_NAG package installation failure due to Ruby 2.2.X EOL
- CodeBuild validation stage failure due to windows style carriage return in manifest
- Intermittent CodeBuild stage failure due to S3 error: Access Denied
- AVM fails to provision new accounts after new region launch (HKG)
- Changing Security Account Name in Manifest Breaks GuardDutyMemberof Custom Resource
- [Centralized Logging Add-On] Lambda Env Variable Case mismatch
- GuardDuty Notification Bug
- Update for templates/aws_baseline/aws-landing-zone-iam-password-policy.template due to NodeJS6.10 EOL
- Fixes the bug introduced in v2.0.1 where the LaunchAVM stage of pipeline attempted to remove the existing VPCs provisioned from AVM in the existing vended accounts
- Fixes the issue of when the LandingZone pipeline completes, it may leave one or more accounts without the desired SCP(s) attached to it. This fix will require a manual update to file templates/aws_baseline/aws-landing-zone-avm.template.j2 in customer's Landing Zone Configuration ZIP file
- Fixes for StackSet State Machine to be able to update the override parameters on the stack instances. It does so by invoking Update StackInstance on the existing stacks only if it has the parameter override.
- The last stage of pipeline (LaunchAVM) and the LaunchAVM State Machine shows more detailed logging when it fails.
- Adding the new OU to Manifest does not require it to associate with any SCP.
- The last stage of pipeline (LaunchAVM) can now handle the SUSPENDED accounts inside a LZ managed OU. The account will be moved out of the OU to 'root'
Optimizations for "BaselineResource" stage of pipeline to execute faster, it will no longer perform the UpdateStackSet workflow, if the template and parameter files have not been updated since the last pipeline run. For example, if user has not modified the templates/parameters files for any of the baseline resources, than it will skip the UpdateStackSet for all the baseline resources.
- Introduces Add-on feature, which allows the partners, ISVs and LZ experts to share their turn-key solutions with all the Landing Zone customers by creating the micro-configuration zip file and packaging it within the given guidelines (see developer guide for details)
- Out-of-the-box Add-on products, available as Service Catalog products for Centralized Logging & AWS Managed AD and Directory Connector for AWS SSO
- Added generic Handshake State Machine to perform invite/accept workflow steps for VPC peering, Amazon GuardDuty, can be extended for other APIs.
- Support remotely sourced templates and parameters in manifest.yaml for CoreResource & BaselineResource
- Option to never expire password for AD connector user.
- Template constraint for AVM product to allow VPC peering only for private subnet network type.
- Updated the Service Catalog SM to apply the Template Constraint Rules on SC Products
- Generation (change) and validation (new) of the AVM template moved to BUILD stage from Service Catalog Stage
- Changed the default options for RDGW instance type to t2.micro
- Fix Config & Config Rules can be deployed in multiple regions
- Fix AVM Input validation to check if the user selects the Public only VPC pattern than Peering option must be false
- Fix if more than one VPC with the same CIDR attempts to peer with Shared services VPC, second time AVM fails and rolls back, but also deletes the routes added by the first VPC
- Fix IAM Password Policy stack update process
- Fix for adding new AVM parameter(s) does not break the "LaunchAVM" stage of the pipeline.
- Removed the Optional products
- Fixes an issue where the AD Connector user password is logged to CloudWatch Logs
- Replaces expired RDGW AMI IDs with an SSM parameter to get the latest Windows AMI
- Handle a case if OU list is returned as an empty list
- DescribeParameters api returning empty list; Fixed by using ParameterFilters instead of Filters
- Fixes for AVM template for the default routes are not pointing to the nat gateways/instances due to some incorrect condition chaining
- AVM fails to do VPC peering if the account name has a space in it e.g. 'Test Account'
- Allow '+' sign in CLV2 email address input parameters
- Adding explicit DependsOn for AWS::Logs::SubscriptionFilter in CLV2 spoke template
- Allow .(period) in the email address parameter
- Sanitize OU Names with space
- Fix for to limit the length of state machine name < 80 characters
- Fix for the CLV primary template separating out the domain names for ES & Cognito
- Fix for the CLV primary template to save updated domain endpoint name in SSM parameter (without https://)
- Updated CLV spoke template to stream the CloudTrail logs to ES domain
- Document update – SSM Parameter keys for AD domain admin user and password (Step 4.3 and 4.4)
- Initial stable Release of AWS Landing Zone Solution