Merge pull request #342 from aws-solutions/feature/v2.4.5

Update to version v2.4.5

Author: jangidms

CHANGELOG.md

@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.5] - 2025-11-20
+
+### Added
+
+- Added support for EKS 1.34
+
+### Fixed
+
+- Issue with creating Instance group for Member accounts by removing obsolete `subAccountFlbConfUploadingEventTopicArn` parameter from GraphQL schema and related code
+- OpenSearch index pattern error for WindowsEvent logs by adding @timestamp alias field that maps to the existing time field, resolving dashboard visualization errors.
+
+### Security
+
+- Updated pip version to `25.3` to address [CVE-2025-8869](https://avd.aquasec.com/nvd/2025/cve-2025-8869/)
+- Updated AWS Lambda container base image to address CVEs in go/stdlib, coreutils-single, pip, lz4-libs
+, libcap, openssl-fips-provider-latest & openssl-snapsafe-libs packages.
+- Updated aws-for-fluent-bit image version to address CVEs for pip and setuptools packages
+- Updated js-yaml to address [CVE-2025-64718](https://avd.aquasec.com/nvd/2025/cve-2025-64718/)
+- Updated glob to address [CVE-2025-64756](https://avd.aquasec.com/nvd/2025/cve-2025-64756/)
+
 ## [2.4.4] - 2025-09-24
 
 ### Security

NOTICE.txt

@@ -1789,6 +1789,7 @@ own-keys under the MIT license.
 wsl-utils under the MIT license.
 baseline-browser-mapping under the Apache-2.0 license.
 @babel/helper-globals under the Apache-2.0 license.
+docker/library/alpine under the MIT license.
 
 ********************
 OPEN SOURCE LICENSES

deployment/ecr/clo-logging-syslog/Dockerfile

@@ -1,12 +1,16 @@
-FROM public.ecr.aws/aws-observability/aws-for-fluent-bit:2.33.0
+FROM public.ecr.aws/docker/library/alpine:latest AS installer
+RUN apk update && apk add --no-cache unzip curl
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+RUN unzip awscliv2.zip -d /tmp/
 
-RUN yum update -y && yum install -y unzip
+FROM public.ecr.aws/aws-observability/aws-for-fluent-bit:3.0.1
 
-RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-RUN unzip awscliv2.zip
-RUN ./aws/install
+COPY --from=installer /tmp/aws /tmp/aws
+
+RUN /tmp/aws/install
 
-EXPOSE 2022
 COPY docker-entrypoint.sh .
 RUN chmod +x docker-entrypoint.sh
-ENTRYPOINT ["./docker-entrypoint.sh"]
+
+EXPOSE 2022
+ENTRYPOINT ["./docker-entrypoint.sh"]

deployment/ecr/clo-s3-list-objects/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/python:3.12.2025.09.22.12 AS builder
+FROM public.ecr.aws/lambda/python:3.12.2025.11.20.16 AS builder
 
 WORKDIR /build
 
@@ -14,7 +14,7 @@ RUN python -m venv .venv && \
     cd common-lib && \
     poetry build
 
-FROM public.ecr.aws/lambda/python:3.12.2025.09.22.12
+FROM public.ecr.aws/lambda/python:3.12.2025.11.20.16
 
 WORKDIR /ws
 

deployment/ecr/clo-s3-list-objects/test/conftest.py

@@ -18,7 +18,7 @@ def default_environment_variables():
     os.environ["VERSION"] = "v1.0.0"
     os.environ["SOLUTION_ID"] = "SO8025"
 
-    os.environ["BUCKET_NAME"] = "solution-bucket"
+    os.environ["BUCKET_NAME"] = "amzn-s3-demo-bucket1"
     os.environ["QUEUE_NAME"] = "my-queue"
     os.environ["KEY_PREFIX"] = ""
     os.environ["QUEUE_URL"] = "http://queue.amazonaws.com"

source/constructs/graphql/schema.graphql

@@ -449,15 +449,13 @@ type Mutation {
     subAccountStackId: String!
     subAccountKMSKeyArn: String!
     subAccountIamInstanceProfileArn: String!
-    subAccountFlbConfUploadingEventTopicArn: String!
     tags: [TagInput]
   ): String
 
   # update a  cross account link
   updateSubAccountLink(
     subAccountId: String!
     region: String
-    subAccountFlbConfUploadingEventTopicArn: String!
     windowsAgentInstallDoc: String!
     windowsAgentConfDoc: String!
     agentStatusCheckDoc: String!
@@ -1495,7 +1493,6 @@ type SubAccountLink {
   subAccountVpcId: String
   subAccountPublicSubnetIds: String
   subAccountIamInstanceProfileArn: String
-  subAccountFlbConfUploadingEventTopicArn: String
   createdAt: String
   status: String
   tags: [Tag]

source/constructs/graphql/vtl/cross_account/UpdateSubAccountLink.vtl

@@ -1,6 +1,5 @@
 
 $util.validate($util.matches("^\d{12}$", $util.defaultIfNullOrEmpty($ctx.args.subAccountId, '123456789012')), "Invalid Account ID")
 $util.validate($util.matches("^(?!(.*--))(?!(.*-$))[a-z0-9]([a-z0-9-]){0,62}$", $util.defaultIfNullOrEmpty($ctx.args.region,'us-west-2')), "Invalid Region Name")
-$util.validate($util.matches("^arn:([^:\n]*):([^:\n]*):([^:\n]*):([^:\n]*):(([^:\/\n]*)[:\/])?(.*)$", $ctx.args.subAccountFlbConfUploadingEventTopicArn), "Invalid Topic ARN")
 
 {"version": "2017-02-28", "operation": "Invoke", "payload": $util.toJson($ctx)}

source/constructs/lambda/api/alarm/test/test_lambda_function.py

@@ -102,7 +102,7 @@ def ddb_client():
                     },
                     {
                         "parameterKey": "backupBucketName",
-                        "parameterValue": "centralizedlogging-solutionloggingbucket0fa53b76-1ff3q5fgfg7un",
+                        "parameterValue": "amzn-s3-demo-logging-bucket",
                     },
                     {
                         "parameterKey": "logSourceAccountId",
@@ -205,7 +205,7 @@ def ddb_client():
                     "coldLogTransition": 0,
                     "domainName": "solution-os",
                     "engine": "OpenSearch",
-                    "failedLogBucket": "solution-solutionloggingbucket0fa53b76-12cw0hl0kfnk6",
+                    "failedLogBucket": "amzn-s3-demo-logging-bucket",
                     "indexPrefix": "syslog-dev-03",
                     "logRetention": 10,
                     "opensearchArn": "arn:aws:es:us-west-2:123456789012:domain/solution-os",
@@ -240,7 +240,7 @@ def ddb_client():
                 "status": "ACTIVE",
                 "monitor": {
                     "status": "ENABLED",
-                    "backupBucketName": "solution-solutionloggingbucket0fa53b76-12cw0hl0kfnk6",
+                    "backupBucketName": "amzn-s3-demo-logging-bucket",
                     "errorLogPrefix": "error/",
                 },
                 "helperLogGroupName": "/aws/lambda/CL-pipe-c34f2159-OpenSearchHelperFn-tJZgzlWN1k99",

source/constructs/lambda/api/app_log_ingestion/flb/flb_builder.py

@@ -27,7 +27,6 @@
 from jinja2 import FileSystemLoader, Environment
 from flb.flb_model import FluentBitDataPipeline
 from flb.k8s import ConfigMap
-import urllib3
 
 logger = get_logger(__name__)
 
@@ -50,8 +49,6 @@
     "public.ecr.aws/aws-observability/aws-for-fluent-bit:2.32.2.20241008",
 )
 fluent_bit_log_group_name = os.environ["FLUENT_BIT_LOG_GROUP_NAME"]
-s3_address = os.environ.get("FLB_S3_ADDR")
-http = urllib3.PoolManager()
 
 instance_table_name = os.environ.get("INSTANCE_TABLE_NAME")
 instance_dao = InstanceDao(table_name=instance_table_name)
@@ -507,8 +504,9 @@ def generate_k8s_kubectl_binary_download_url(
         return content
 
     def get_kubectl(self):
-        return self.get_s3_object(key="kubectl_version.txt")
-
-    def get_s3_object(self, key):
-        response = http.request("GET", f"https://{s3_address}/clo/" + key)
-        return json.loads(response.data.decode("utf-8"))
+        # Read kubectl version mapping from local file
+        current_dir = os.path.dirname(os.path.abspath(__file__))
+        kubectl_version_file = os.path.join(current_dir, "kubectl_version.json")
+        
+        with open(kubectl_version_file, 'r') as f:
+            return json.load(f)

source/constructs/lambda/api/app_log_ingestion/flb/kubectl_version.json

@@ -0,0 +1,17 @@
+{
+    "1.20": "1.20.15/2022-10-31",
+    "1.21": "1.21.14/2024-09-11",
+    "1.22": "1.22.17/2024-09-11",
+    "1.23": "1.23.17/2024-09-11",
+    "1.24": "1.24.17/2024-11-15",
+    "1.25": "1.25.16/2024-11-15",
+    "1.26": "1.26.15/2024-11-15",
+    "1.27": "1.27.16/2024-11-15",
+    "1.28": "1.28.15/2024-11-15",
+    "1.29": "1.29.10/2024-11-15",
+    "1.30": "1.30.6/2024-11-15",
+    "1.31": "1.31.2/2024-11-15",
+    "1.32": "1.32.0/2025-01-10",
+    "1.33": "1.33.0/2025-05-01",
+    "1.34": "1.34.1/2025-09-19"
+}