Releases: aws-samples/iam-identity-center-team
v1.4.2
Bug fixes
- fix Lambda Runtime.ExitError errors on teamNotifications by @rvanmiloliver in #444
- Fix Approval state machine to send correct mail on request expiry by @MalteGood in #460
Dependency updates
- chore(deps): bump axios from 1.8.4 to 1.12.2 by @dependabot[bot] in #434
- chore(deps): bump form-data by @dependabot[bot] in #424
- chore(deps): bump rexml from 3.3.9 to 3.4.2 in /docs by @dependabot[bot] in #430
- chore(deps): bump brace-expansion by @dependabot[bot] in #435
- chore(deps): bump node-forge from 1.3.1 to 1.3.2 by @dependabot[bot] in #454
- chore(deps): bump js-yaml from 3.14.1 to 3.14.2 by @dependabot[bot] in #449
- chore(deps): bump form-data from 3.0.1 to 3.0.4 by @dependabot[bot] in #436
- chore(deps): bump urllib3 from 2.3.0 to 2.6.0 in /amplify/backend/function/teamRouter by @dependabot[bot] in #457
- chore(deps): bump urllib3 from 2.3.0 to 2.6.0 in /amplify/backend/function/teamapplicationboto3layer/lib/python by @dependabot[bot] in #458
- chore(deps): bump urllib3 from 2.3.0 to 2.6.0 in /amplify/backend/function/teamNotifications by @dependabot[bot] in #461
- chore(deps): bump urllib3 from 2.6.0 to 2.6.3 in /amplify/backend/function/teamapplicationboto3layer/lib/python by @dependabot[bot] in #464
- chore(deps): bump urllib3 from 2.6.0 to 2.6.3 in /amplify/backend/function/teamRouter by @dependabot[bot] in #467
- chore(deps): bump @smithy/config-resolver from 4.1.0 to 4.4.6 in /amplify/backend/function/teamgetLogs/src by @dependabot[bot] in #466
- chore(deps): bump urllib3 from 2.6.0 to 2.6.3 in /amplify/backend/function/teamNotifications by @dependabot[bot] in #468
- chore(deps): bump @smithy/config-resolver from 4.1.0 to 4.4.5 in /amplify/backend/function/teamqueryLogs/src by @dependabot[bot] in #465
- chore(deps): bump qs and express by @dependabot[bot] in #463
Full Changelog: v1.4.1...v1.4.2
v1.4.1
What's Changed
- Retry on SsoAdmin.ThrottlingException by @lukasgabi in #407
- fix: duplicated Slack channel notifications by @pcova in #414
- chore(deps): bump on-headers and compression by @dependabot[bot] in #416
Upgrade instructions
If upgrading from a version earlier than 1.4.0, please note the extra steps required in the v1.4.0 release notes.
Full Changelog: v1.4.0...v1.4.1
v1.4.0
Changes and bug fixes
- Reintroduced programmatic logging configuration
- Update Amplify CLI to 14.0.0
- Update Node.js and Python versions for Lambdas
- Addressed an issue where account lists were not loading correctly
- Adds the ability to optionally configure a Slack channel
Upgrade Instructions
Before upgrading you must first manually delete the existing bucket policy from the Amplify deployment bucket.
Amplify CLI versions after 12.12.15 apply an S3 bucket policy that enforces SSL on the Amplify S3 deployment bucket. This conflicts with the bucket policy previously applied by the TEAM application deployment, which is why the old policy has to be removed before the update runs.
You can confirm the name of this bucket in the Outputs tab of the deployed Amplify CloudFormation stack, for example amplify-teamidcapp-main-123456-deployment.
You can find the bucket policy by selecting the Permissions tab of the S3 bucket in the S3 console. Save a copy of it before deleting it so the change can be reviewed or reverted.
Once the bucket policy is removed, follow the instructions in the updating TEAM documentation. Amplify reapplies its own SSL-enforcing bucket policy as part of the update; until the update completes the bucket has no policy at all, so run the update promptly after the deletion.
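The same steps with the AWS CLI, added here as an example and not part of the TEAM project: read the deployment bucket name from the stack outputs, save the current policy to a file, check that the name matches the Amplify deployment-bucket pattern, then delete the policy. It assumes AWS CLI v2 with credentials for the account and region holding the TEAM Amplify stack, that TEAM_STACK_NAME (a hypothetical variable) names the Amplify root stack, and that the root stack exposes the bucket under the DeploymentBucketName output key.

```shell
#!/bin/sh
# Added example (not from the TEAM project): remove the TEAM-applied bucket
# policy from the Amplify deployment bucket before running ./update.sh.
# Assumptions: AWS CLI v2 with credentials for the account/region that holds
# the TEAM Amplify stack; TEAM_STACK_NAME (hypothetical) is the Amplify root
# stack whose Outputs include DeploymentBucketName.
set -eu

# Read the deployment bucket name from the root stack outputs
# (e.g. amplify-teamidcapp-main-123456-deployment).
deployment_bucket_name() {
  aws cloudformation describe-stacks \
    --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='DeploymentBucketName'].OutputValue" \
    --output text
}

# Save the current policy document to a file so the change can be reviewed
# and reverted; get-bucket-policy returns the policy as a JSON string.
backup_bucket_policy() {
  aws s3api get-bucket-policy --bucket "$1" --query Policy --output text > "$2"
}

# Delete the policy; Amplify CLI versions after 12.12.15 reapply their own
# SSL-only policy during the update.
remove_bucket_policy() {
  aws s3api delete-bucket-policy --bucket "$1"
}

# Refuse to proceed unless the name matches the Amplify deployment-bucket
# pattern, so a wrong stack name cannot strip the policy from another bucket.
is_amplify_deployment_bucket() {
  case "$1" in
    amplify-*-deployment) return 0 ;;
    *) return 1 ;;
  esac
}

if [ -n "${TEAM_STACK_NAME:-}" ]; then
  bucket=$(deployment_bucket_name "$TEAM_STACK_NAME")
  is_amplify_deployment_bucket "$bucket" || { echo "unexpected bucket: $bucket" >&2; exit 1; }
  backup_bucket_policy "$bucket" "./${bucket}-policy.backup.json"
  echo "saved policy of $bucket to ./${bucket}-policy.backup.json; removing it"
  remove_bucket_policy "$bucket"
fi
```

Run it as TEAM_STACK_NAME=amplify-teamidcapp-main-123456 sh remove-policy.sh, then start ./update.sh straight away; the backup file is what you restore if the update is abandoned.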
Thank you
Thank you to everyone who contributed to this release.
Full Changelog: v1.3.0...v1.4.0
v1.3.0
Release Notes - v1.3.0
Breaking Changes
- Removed the AppSync API logging configuration from override.ts due to compatibility issues with the current Amplify CLI version. Teams that rely on AppSync logging will need to configure it manually through the AWS Console.
Upgrade instructions
Follow the instructions in the updating TEAM documentation for the update process.
Manual Configuration Steps for AppSync Logging
To configure AppSync API logging after deployment:
- Navigate to the AWS AppSync Console
- Select your API from the list
- Go to "Settings" in the left navigation
- Scroll down to the "Logging" section
- Click "Enable Logging"
- Configure the following settings:
- Field resolver log level: ERROR
- Exclude verbose content: Yes
- Select an existing CloudWatch role, or create a new one following the naming convention AppsyncCloudWatchRole-{environment}
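The console steps above as an AWS CLI script, added here as an example and not part of the TEAM project. It creates (or reuses) the logging role with a trust policy limited to the AppSync service and the AWS managed policy AWSAppSyncPushToCloudWatchLogs, then sets the log config to field resolver level ERROR with verbose content excluded. It assumes AWS CLI v2 with IAM and AppSync permissions in the account that hosts the TEAM API; TEAM_APPSYNC_API_ID and TEAM_ENV (the Amplify environment name, for example main) are hypothetical variables you set yourself.

```shell
#!/bin/sh
# Added example (not from the TEAM project): CLI equivalent of enabling
# AppSync logging in the console. Assumptions: AWS CLI v2 with IAM and AppSync
# permissions; TEAM_APPSYNC_API_ID and TEAM_ENV are hypothetical variables.
set -eu

# Trust policy that lets only the AppSync service assume the logging role.
appsync_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"appsync.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Role name following the convention in the release note.
appsync_role_name() {
  echo "AppsyncCloudWatchRole-$1"
}

# Create the role if it does not exist, attach the AWS managed policy that
# grants only CloudWatch Logs write access, and print the role ARN.
ensure_appsync_logging_role() {
  role=$(appsync_role_name "$1")
  if ! aws iam get-role --role-name "$role" >/dev/null 2>&1; then
    aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(appsync_trust_policy)" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$role" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs
  aws iam get-role --role-name "$role" --query Role.Arn --output text
}

# Enable ERROR-level field resolver logging with verbose content excluded.
# update-graphql-api requires --name, so the current API name is read first.
# Prints the resulting field log level so the change can be verified.
enable_appsync_logging() {
  api_id=$1; role_arn=$2
  name=$(aws appsync get-graphql-api --api-id "$api_id" --query graphqlApi.name --output text)
  aws appsync update-graphql-api --api-id "$api_id" --name "$name" \
    --log-config "fieldLogLevel=ERROR,cloudWatchLogsRoleArn=$role_arn,excludeVerboseContent=true" >/dev/null
  aws appsync get-graphql-api --api-id "$api_id" --query graphqlApi.logConfig.fieldLogLevel --output text
}

if [ -n "${TEAM_APPSYNC_API_ID:-}" ] && [ -n "${TEAM_ENV:-}" ]; then
  arn=$(ensure_appsync_logging_role "$TEAM_ENV")
  echo "field log level now: $(enable_appsync_logging "$TEAM_APPSYNC_API_ID" "$arn")"
fi
```

Keep the level at ERROR and excludeVerboseContent=true unless you are debugging a resolver: ALL with verbose content writes request headers and resolver mapping input, including caller identity, into CloudWatch Logs.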
Additional Notes
- This change improves build stability and deployment reliability
- Future versions will reintroduce programmatic logging configuration once Amplify CLI compatibility issues are resolved
- Please report any issues or concerns through our standard support channels
Affected Versions
- Amplify CLI versions: All current versions
v1.2.2
Release Notes: Security Enhancement - Fine-Grained GraphQL Authorization
Security Vulnerability Fixed
- Patched security vulnerability in request approval workflow that allowed a requester or member of an approver group to self-approve their access request
- Implemented field-level authorization controls in GraphQL schema
- Prevented unauthorized manipulation of approver fields during request creation
- Fixed potential privilege escalation through approval parameter injection
Technical Implementation
GraphQL Schema Enhancements
- Added granular @auth directives at both type and field levels
- Implemented strict field-level permissions for sensitive fields:
- approval status
- approver information
- request metadata
- Restricted owner permissions to appropriate operations
- Added separate authorization rules for approvers using ownerField
Authorization Rules
- Created distinct permission sets for:
- Request owners (create, read own requests)
- Approvers (read, update approval fields)
- Auditors (read-only access)
- IAM-authenticated services
- Enforced separation of duties through schema-level controls
- Prevented unauthorized modification of approval-related fields
Security Impact
- Ensures requesters cannot modify approval fields
- Enforces proper segregation between requesters and approvers
- Prevents authorization bypass through parameter manipulation
- Maintains audit trail integrity
- Protects against unauthorized privilege escalation
Required Actions
- Follow the instructions in the updating TEAM documentation for the update process
- No configuration changes needed
Technical Notes
- Implementation uses AWS AppSync @auth directives
- Leverages multiple authorization rules per field
- Combines owner-based and group-based access control
- Maintains IAM-based access for system operations
v1.2.1
Release Notes: Pre-Token Generation Lambda Trigger - Security Enhancement
Security Issue Resolved
- Fixed critical security vulnerability where removed IdC admin users could temporarily retain admin privileges through API access
- Previously, group membership updates occurred after token generation, allowing one final session with elevated permissions
- Users removed from IdC admin groups could potentially maintain admin API access for up to 24 hours via refresh tokens
Technical Solution
- Implemented pre-token generation Lambda trigger in Cognito authentication flow
- Moved group membership synchronization logic to execute before token generation
- Ensures JWT tokens only contain current, verified group memberships from IdC
- Prevents temporary privilege retention when admin access is removed in IdC
Impact
This security enhancement ensures:
- Immediate enforcement of IdC group membership changes
- No gap between IdC admin removal and permission revocation
- Consistent security state between IdC and AWS access
- Protection against potential privilege escalation via API calls
Technical Details
- Added Lambda trigger to Cognito User Pool pre-token generation phase
- Validates current IdC group memberships before token claims are generated
- Synchronizes Cognito groups with IdC groups in real-time
- Prevents generation of tokens with stale admin permissions
Requirements
- Update to latest version to receive this security enhancement
- No configuration changes needed - automatically enforced by pre-token generation
- Existing sessions will still need to expire or be revoked
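Two checks an operator should run after this upgrade, added here as an example and not part of the TEAM project: confirm that the Cognito user pool actually carries a pre token generation trigger, and revoke the refresh tokens of users who were removed from the IdC admin group so their existing sessions cannot outlive the change. It assumes AWS CLI v2 with cognito-idp permissions; TEAM_USER_POOL_ID, REMOVED_ADMINS and the Lambda function name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the TEAM project): verify the pre token generation
# trigger is wired and revoke sessions of removed admins.
# Assumptions: AWS CLI v2 with cognito-idp permissions; TEAM_USER_POOL_ID and
# REMOVED_ADMINS (space-separated usernames) are hypothetical variables.
set -eu

# Print the ARN of the pre token generation Lambda, or nothing if none is set
# (--output text renders a missing key as the literal string None).
pre_token_trigger_arn() {
  arn=$(aws cognito-idp describe-user-pool --user-pool-id "$1" \
    --query 'UserPool.LambdaConfig.PreTokenGeneration' --output text)
  [ "$arn" != "None" ] && printf '%s' "$arn" || :
}

# Invalidate every refresh token Cognito issued to the user. Already issued
# ID and access tokens stay valid until they expire, which is the residual
# window the release note refers to.
revoke_user_sessions() {
  aws cognito-idp admin-user-global-sign-out --user-pool-id "$1" --username "$2"
}

# Revoke sessions for each username in the space-separated list; print the
# number of users processed.
revoke_removed_admins() {
  pool=$1; n=0
  for user in $2; do
    revoke_user_sessions "$pool" "$user" >/dev/null
    n=$((n + 1))
  done
  echo "$n"
}

if [ -n "${TEAM_USER_POOL_ID:-}" ]; then
  trigger=$(pre_token_trigger_arn "$TEAM_USER_POOL_ID")
  if [ -z "$trigger" ]; then
    echo "no pre token generation trigger on $TEAM_USER_POOL_ID: the upgrade did not take effect" >&2
    exit 1
  fi
  echo "pre token generation trigger: $trigger"
  count=$(revoke_removed_admins "$TEAM_USER_POOL_ID" "${REMOVED_ADMINS:-}")
  echo "revoked sessions for $count user(s)"
fi
```

Run it as TEAM_USER_POOL_ID=us-east-1_EXAMPLE REMOVED_ADMINS="alice bob" sh post-upgrade.sh. Revoking only shortens the gap to the configured access and ID token lifetime; it does not make tokens already in a browser invalid on the spot.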
v1.2.0
If deploying v1.2.0 directly to your environment
Follow the instructions in the TEAM deployment documentation for the deployment process
If upgrading from v1.1.2 to v1.2.0, please read below
Follow the instructions in the updating TEAM documentation for the update process
What's changed
This change provides support for external repositories due to deprecation of AWS CodeCommit
Updates
- Updated the code to allow the use of external repositories following the AWS CodeCommit deprecation
- Updated the documentation with a detailed walkthrough of the setup
- Added encryption for SNS (#312)
v1.1.2
If deploying v1.1.2 directly to your environment
Follow the instructions in the TEAM deployment documentation for the deployment process
If upgrading from v1.1.1 to v1.1.2, please read below
Due to an ongoing issue, the CLOUDTRAIL_AUDIT_LOGS parameter is no longer optional: it is now a mandatory parameter that accepts the ARN of an existing CloudTrail Lake event data store.
If upgrading from v1.1.1 to v1.1.2, create a new CloudTrail Lake event data store in the delegated admin account outside of TEAM and pass its ARN in the parameters.sh file as shown below:
CLOUDTRAIL_AUDIT_LOGS=arn:aws:cloudtrail:us-east-1:123456789101:eventdatastore/e646f20d-7959-4682-be84-6c5b8a37cf15
Warning
This change deletes the existing CloudTrail Lake event data store that TEAM created as part of the Amplify deployment. Retain or export any audit records you still need from it before updating.
Follow the instructions in the updating TEAM documentation for the update process
What's changed
Bug Fixes
- Fix - OUs not loading in the Eligibility policy. See #235
- Fix - Only require approval if all eligibilities for a request require approval.
- Fix - Allow both account and OU approvers
v1.1.1
If deploying v1.1.1 directly to your environment
Follow the instructions in the TEAM deployment documentation for the deployment process
If upgrading from v1.1.0 to v1.1.1, please read below
TEAM v1.1.1 introduces support for a custom domain instead of the default Amplify-generated domain name. To use a custom domain, update the parameters.sh file in the deployment folder with the UI_DOMAIN key set to your custom domain name before running the ./update.sh script.
Follow the instructions in the updating TEAM documentation for the update process
What's changed
Feature enhancement
- This change introduces support for a custom domain instead of the default Amplify-generated domain name. See #32
v1.1.0
If deploying v1.1.0 directly to your environment
Follow the instructions in the TEAM deployment documentation for the deployment process
If upgrading from v1.0.0 - v1.0.6 to v1.1.0, please read below
If you use SES for email notifications, you will have to reconfigure or update your notification source email address in the notification section of the TEAM settings page. See the notification configuration documentation.
Follow the instructions in the updating TEAM documentation for the update process
What's changed
See #54 for more details
Feature enhancement
- This change introduces support for additional configuration options. Notifications are supported via Slack (#14), SNS (#20), and cross-account SES (#46). Users may also enable multiple notification services.
- The TEAM admin and auditor groups may also be changed after deployment. (#22)
- Hierarchical view of the OU structure during Eligibility and Approval policy configuration