v3.1.0

3.1.0 (2025-10-07)

Features

• dealing with issue #1139; add Critical to GuardDutyFindings alert (#1140)
• ecs-app: use stable synthetics module (#503)
• migrate from depcheck to knip (#924)
• migrate to Node.js 22 (#1220)
• Modify env parameter (#333)
• Use Node.js 18 as default build environment (#439)

Bug Fixes

• add ObjectOwnership property (#364)
• blea-guest-serverless-api-sample: lambda runtime version and snapshot update (#784)
• deprecated code, RDS's instanceProps and CloudWatch Synthetics's older runtime (#662)
• make public variable read only outside construct (#824)
• metrics name (#438)
• pin esbuild version to 0.21.x (#815)
• replace deprecated aws-portal:*Billing policy (#583)
• replace managedPolicies object literals with ManagedPolicy.fromAwsManagedPolicyName (#1218)
• rm eslint & prettier from ignoreDependencies in knip config (#940)

Document Changes

• v3 migration doc (#372)

v3.0.0

After BLEA was released in 2021, AWS launched various updates in security services and CDK become widely used.
I'll propose several updates to catch up with recent AWS security and CDK best practices in the next BLEA release.
It contains several breaking changes, so the version number should be BLEA v3.0.

Main points:

• Single or fewer Stacks

  • Currently BLEA creates many stacks. It's to reduce blast radius on update and simplify class architecture. However this induces several difficulties on stack dependencies, so recent CDK best practice suggest using fewer stacks.
  • ControlTower has released Account Factory Customization (AFC). AFC provides functionality to deploy a baseline when creating account and it requires single stack (CFn template) to apply. With a single stack, BLEA's baseline can be deployed with AFC.

• Simplify file placement in the bin/ and lib/ directories

  • The guest system sample (especially guest-webapp-sample) contains several CDK Apps in bin/ directory and these app refer to constructs defined in the lib/ directory for each they need. To simplify it, use only one App for a single use case. We will add CDK Apps in bin/ directory only when we need other deployment patterns, for example, using CDKPipelines.

• Passing parameter within CDK code but not cdk.json

  • According to feedbacks and CDK best practices, It is not recommended to use cdk.json as a parameter store. For example we can't verify type of parameters, and cloud assembly is overridden when we synth for another environment. So we will add parameters in CDK code (i.e. parameters.ts) to define parameters and use it in CDK App. Within the CDK App, We will define stacks for each environment (i.e. DevStack, ProdStack). When you need to create specific environment stack, you specify the name of stack in cdk deploy command.

• Governance model is unchanged

  • Baseline with CloudTrail, Config, SecurityHub... will not change. However, if you already use BLEA v2, you need to re-create resources for baseline, because the stack architecture and resource names will change.

What's Changed

• feat!: BLEA v3 by @ohmurayu in #298

Full Changelog: v2.1.1...v3.0.0

v2.1.1

What's Changed

• refactor: Update subnet type, PRIVATE_WITH_NAT is deprecated. by @tkimurz in #106
• fix: change guest web db identifier by @kondo-kj in #86
• feat: enable scan on push with pull through cache by @tkimurz in #105
• doc: Update instructions for setup AWS Chatbot by @konokenj in #98
• feat(guest-webapp-sample):Change launch configurations to launch tem… by @tomoki10 in #183
• ci: increase dependabot PR limits by @konokenj in #229
• ci: enable CI in 'dev.*' branches by @konokenj in #230
• ci: add bot to update shapshot test in PR by @konokenj in #236

New Contributors

• @tomoki10 made their first contribution in #183

Full Changelog: v2.1.0...v2.1.1

v2.1.0

Release v2.1.0

v2.0.0

Release v2.0.0

v1.3.0

Release v1.3.0

v1.2.1

Release v1.2.1

v1.2.0

Release v1.2.0

v1.1.1

Update CDK version to 1.107.0 and its dependencies.

v1.1.0

Merge pull request #1 from aws-samples/v1.1.0

Add Japanese documents