Landing Zone Accelerator on AWS
The Landing Zone Accelerator on AWS solution helps you quickly deploy a secure, resilient, scalable, and fully automated cloud foundation that accelerates your readiness for your cloud compliance program. A landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. From a landing zone, you can deploy workloads that utilize your solutions and applications.
The Landing Zone Accelerator (LZA) is architected to align with AWS best practices and in conformance with multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive no-code solution across 35+ AWS services to manage and govern a multi-account environment built to support customers with highly-regulated workloads and complex compliance requirements. The LZA helps you establish platform readiness with security, compliance, and operational capabilities.
This solution is provided as an open-source project that is built using the AWS Cloud Development Kit (CDK). You install it directly into your environment, giving you full access to the infrastructure as code (IaC) solution. Through a simplified set of configuration files, you are able to configure additional functionality, guardrails and security services (e.g. AWS Managed Config Rules and AWS Security Hub), manage your foundational networking topology (e.g. VPCs, Transit Gateways, and Network Firewall), and generate additional workload accounts using the AWS Control Tower Account Factory.
There are no additional charges or upfront commitments required to use Landing Zone Accelerator on AWS. You pay only for AWS services enabled in order to set up your platform and operate your guardrails. This solution can also support non-standard AWS partitions, including AWS GovCloud (US), and the US Secret and Top Secret regions.
For an overview and solution deployment guide, please visit Landing Zone Accelerator on AWS
IMPORTANT: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated. The information contained in this solution implementation guide is not exhaustive. You must review, evaluate, assess, and approve the solution in compliance with your organization's particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to ensure that you comply with all requirements. Although this solution discusses both the technical and administrative requirements, this solution does not help you comply with the non-technical administrative requirements.
This solution collects anonymous operational metrics to help AWS improve the quality of features of the solution. For more information, including how to disable this capability, please see the implementation guide.
Included Services, Features, and Configuration References
Account Configuration
Used to manage all of the AWS accounts within the AWS Organization. Adding a new account configuration to accounts-config.yaml will invoke the account creation process from Landing Zone Accelerator on AWS.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS Accounts | Account | AccountsConfig | AccountConfig / GovCloudAccountConfig | Define commercial or GovCloud (US) accounts to be deployed by the accelerator. |
Global Configuration
Used to manage all of the global properties that can be inherited across the AWS Organization. Defined in global-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS Backup | Backup Vaults | GlobalConfig | BackupConfig | Define AWS Backup Vaults that can be used to store backups in accounts across the AWS Organization. |
AWS Budgets | Budget Reports | GlobalConfig / ReportConfig | BudgetReportConfig | Define Budget report configurations for account(s) and/or organizational unit(s). |
AWS CloudTrail | Organization and Account Trails | GlobalConfig / LoggingConfig | CloudTrailConfig | When specified, Organization and/or account-level trails are deployed. |
Amazon CloudWatch | Log Group Dynamic Partitioning | GlobalConfig / LoggingConfig | CloudWatchLogsConfig | Custom partition values for CloudWatch Log Groups sent to centralized logging S3 bucket. |
AWS Control Tower | Control Tower | GlobalConfig | ControlTowerConfig | It is recommended that AWS Control Tower be enabled, if available, in the desired home region for your environment prior to installing the accelerator. When enabled, the accelerator will integrate with resources and guardrails deployed by AWS Control Tower. |
AWS Cost and Usage | Cost and Usage Report | GlobalConfig / ReportConfig | CostAndUsageReportConfig | Define a global Cost and Usage report configuration for the AWS Organization. |
AWS Regions | Enabled Regions | GlobalConfig | GlobalConfig.enabledRegions | Define one or more AWS Regions for the solution to manage. |
Amazon S3 | Lifecycle Rules | GlobalConfig / LoggingConfig | AccessLogBucketConfig / CentralLogBucketConfig | Define global lifecycle rules for S3 access log buckets and the central log bucket deployed by the accelerator. |
AWS Systems Manager Session Manager | Session Manager logging configuration | GlobalConfig / LoggingConfig | SessionManagerConfig | Define global logging configuration settings for Session Manager. |
AWS SNS Topics | SNS Topics Configuration | GlobalConfig | SnsTopicConfig | Define SNS topics for notifications. |
Identity and Access Management (IAM) Configuration
Used to manage all of the IAM resources across the AWS Organization. Defined in iam-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS IAM | Users | IamConfig | UserSetConfig | Define IAM users to be deployed to specified account(s) and/or organizational unit(s). |
AWS IAM | Groups | IamConfig | GroupSetConfig | Define IAM groups to be deployed to specified account(s) and/or organizational unit(s). |
AWS IAM | Policies | IamConfig | PolicySetConfig | Define customer-managed IAM policies to be deployed to specified account(s) and/or organizational unit(s). |
AWS IAM | Roles | IamConfig | RoleSetConfig | Define customer-managed IAM roles to be deployed to specified account(s) and/or organizational unit(s). |
AWS IAM | SAML identity providers | IamConfig | SamlProviderConfig | Define a SAML identity provider to allow federated IAM access to the AWS Organization. |
AWS IAM Identity Center | Permission sets | IamConfig | IdentityCenterConfig | Define IAM Identity Center (formerly AWS SSO) permission sets and assignments. |
AWS Managed Microsoft AD | Managed directory | IamConfig | ManagedActiveDirectoryConfig | Define a Managed Microsoft AD directory. |
Network Configuration
Used to manage and implement network resources to establish a WAN/LAN architecture to support cloud operations and application workloads in AWS. Defined in network-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
Delete Default Amazon VPC | Default VPC | NetworkConfig | DefaultVpcsConfig | If enabled, deletes the default VPC in each account and region managed by the accelerator. |
AWS Direct Connect | Gateways, virtual interfaces, and gateway associations | NetworkConfig | DxGatewayConfig | Define Direct Connect gateways, virtual interfaces, and Direct Connect Gateway associations. |
Amazon Elastic Load Balancing | Gateway Load Balancers, endpoint services, and endpoints | NetworkConfig / CentralNetworkServicesConfig | GwlbConfig | Define a centrally-managed Gateway Load Balancer with an associated VPC endpoint service. Define Gateway Load Balancer endpoints that consume the service, allowing for deep packet inspection of workloads. |
AWS Network Firewall | Network Firewalls, policies, and rule groups | NetworkConfig / CentralNetworkServicesConfig | NfwConfig | Define centrally-managed firewall rule groups and policies. Define Network Firewall endpoints that consume the policies, allowing for deep packet inspection of workloads. |
Amazon Route 53 Resolver | Resolver endpoints, rules, DNS firewall rule groups, and query logging configurations | NetworkConfig / CentralNetworkServicesConfig | ResolverConfig | Define centrally-managed Resolver endpoints, Resolver rules, DNS firewall rule groups, and query logging configurations. DNS firewall rule groups, Resolver rules, and query logging configurations can be associated to VPCs defined in VpcConfig / VpcTemplatesConfig. |
AWS Site-to-Site VPN | Customer gateways and VPN connections | NetworkConfig | CustomerGatewayConfig | Define Customer gateways and VPN connections that terminate on Transit Gateways or Virtual Private Gateways. |
AWS Transit Gateway | Transit Gateways and Transit Gateway route tables | NetworkConfig | TransitGatewayConfig | Define Transit Gateways to deploy to a specified account and region in the AWS Organization. |
AWS Transit Gateway | Transit Gateway peering connections | NetworkConfig | TransitGatewayPeeringConfig | Create Transit Gateway peering connections between two Transit Gateways defined in TransitGatewayConfig. |
Amazon VPC | Customer-managed prefix lists | NetworkConfig | PrefixListConfig | Define customer-managed prefix lists to deploy to account(s) and region(s) in the AWS Organization. Prefix lists can be referenced in place of CIDR ranges in subnet route tables, security groups, and Transit Gateway route tables. |
Amazon VPC | DHCP options sets | NetworkConfig | DhcpOptsConfig | Define custom DHCP options sets to deploy to account(s) and region(s) in the AWS Organization. DHCP options sets can be used by VPCs defined in VpcConfig / VpcTemplatesConfig. |
Amazon VPC | Flow Logs (global) | NetworkConfig | VpcFlowLogsConfig | Define a global VPC flow log configuration for VPCs deployed by the accelerator. VPC-specific flow logs can also be created in VpcConfig / VpcTemplatesConfig. |
Amazon VPC | VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints | NetworkConfig | VpcConfig | Define VPCs to deploy to a specified account and region in the AWS Organization. |
Amazon VPC | VPC endpoint policies | NetworkConfig | EndpointPolicyConfig | Define custom VPC endpoint policies to deploy to account(s) and region(s) in the AWS Organization. Endpoint policies can be used by interface endpoints and/or gateway endpoints defined in VpcConfig / VpcTemplatesConfig. |
Amazon VPC | VPC peering connections | NetworkConfig | VpcPeeringConfig | Create a peering connection between two VPCs defined in VpcConfig. NOTE: Not supported with VPCs deployed using VpcTemplatesConfig. |
Amazon VPC IP Address Manager (IPAM) | IPAM pools and scopes | NetworkConfig / CentralNetworkServicesConfig | IpamConfig | Enable IPAM delegated administrator and configuration settings for IPAM pools and scopes. NOTE: IPAM is required for VPCs and subnets configured to use dynamic IPAM CIDR allocations. |
Amazon VPC Templates | VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints | NetworkConfig | VpcTemplatesConfig | Deploys a standard-sized VPC to multiple defined account(s) and/or organizational unit(s). |
AWS Organizations Configuration
Used to manage organizational units and policies in the AWS Organization. Defined in organization-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS Account Quarantine | Quarantine | OrganizationConfig | QuarantineNewAccountsConfig | If enabled, a Service Control Policy (SCP) is applied to newly-created accounts that denies all API actions from principals outside of the accelerator. This SCP is stripped from the new account when the accelerator completes resource provisioning for the new account. |
AWS Organizations | Backup Policies | OrganizationConfig | BackupPolicyConfig | Define organizational backup policies to be deployed to account(s) and/or organizational unit(s). |
AWS Organizations | Organizational Units | OrganizationConfig | OrganizationalUnitConfig | Define organizational units (OUs) for the AWS Organization. NOTE: When using AWS Control Tower, OUs must be registered in the Control Tower console prior to defining them in the configuration. |
AWS Organizations | Service Control Policies (SCPs) | OrganizationConfig | ServiceControlPolicyConfig | Define organizational service control policies to be deployed to account(s) and/or organizational unit(s). |
AWS Organizations | Tag Policies | OrganizationConfig | TaggingPolicyConfig | Define organizational tag policies to be deployed to account(s) and/or organizational unit(s). |
Security Configuration
Used to manage configuration of AWS security services. Defined in security-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS Audit Manager | Audit Manager | SecurityConfig / CentralSecurityServicesConfig | AuditManagerConfig | Enable Audit Manager delegated administrator and configuration settings. |
Amazon CloudWatch | Metrics, Alarms, and Log Groups | SecurityConfig | CloudWatchConfig | Define CloudWatch metrics, alarms, and log groups to deploy into account(s) and/or organizational unit(s). You can also import existing log groups into your configuration. |
AWS Config | Config Recorder, Delivery Channel, Rules, and Remediations | SecurityConfig | AwsConfig | Define an AWS Config Recorder, Delivery Channel, and custom and/or managed rule sets to deploy across the AWS Organization. |
Amazon Detective | Detective | SecurityConfig / CentralSecurityServicesConfig | DetectiveConfig | Enable Detective delegated administrator and configuration settings. Note: Requires Amazon GuardDuty to be enabled for at least 48 hours. |
Amazon EBS | Default Volume Encryption | SecurityConfig / CentralSecurityServicesConfig | EbsDefaultVolumeEncryptionConfig | Enable EBS default volume encryption across the AWS Organization. |
Amazon GuardDuty | GuardDuty | SecurityConfig / CentralSecurityServicesConfig | GuardDutyConfig | Enable GuardDuty delegated administrator and configuration settings. |
AWS IAM | Access Analyzer | SecurityConfig | AccessAnalyzerConfig | If enabled, IAM Access Analyzer analyzes policies and reports a list of findings for resources that grant public or cross-account access from outside your AWS Organization in the IAM console and through APIs. |
AWS IAM | Password Policy | SecurityConfig | IamPasswordPolicyConfig | Define a password policy for IAM users in the AWS Organization. |
AWS KMS | Customer-Managed Keys | SecurityConfig | KeyManagementServiceConfig | Define customer-managed KMS keys to be deployed to account(s) and/or organizational unit(s). |
Amazon Macie | Macie | SecurityConfig / CentralSecurityServicesConfig | MacieConfig | Enable Macie delegated administrator and configuration settings. |
Amazon S3 | S3 Public Access Block | SecurityConfig / CentralSecurityServicesConfig | S3PublicAccessBlockConfig | Enable S3 public access block setting across the AWS Organization. |
AWS Security Hub | Security Hub | SecurityConfig / CentralSecurityServicesConfig | SecurityHubConfig | Enable Security Hub delegated administrator and configuration settings. |
Amazon SNS | Subscriptions | SecurityConfig / CentralSecurityServicesConfig | SnsSubscriptionConfig | Configure email subscriptions for security-related SNS notifications. NOTE: DEPRECATED. Use SnsTopicConfig in the global configuration instead. |
AWS Systems Manager Automation | Automation Documents | SecurityConfig / CentralSecurityServicesConfig | SsmAutomationConfig | Define SSM Automation Documents to be deployed to account(s) and/or organizational unit(s). |
Customization Configuration
Used to manage configuration of custom applications and CloudFormation stacks. Defined in the optional file customizations-config.yaml.
Service / Feature | Resource | Base Configuration | Service / Feature Configuration | Details |
---|---|---|---|---|
AWS CloudFormation | Stacks | CustomizationsConfig / CustomizationConfig | CloudFormationStackConfig | Define custom CloudFormation Stacks. |
AWS CloudFormation | StackSets | CustomizationsConfig / CustomizationConfig | CloudFormationStackSetConfig | Define custom CloudFormation StackSets. |
Amazon Elastic Load Balancing | Application Load Balancers | CustomizationsConfig / AppConfigItem | ApplicationLoadBalancerConfig | Define an Application Load Balancer to be used for a custom application. |
Amazon Elastic Load Balancing | Network Load Balancers | CustomizationsConfig / AppConfigItem | NetworkLoadBalancerConfig | Define a Network Load Balancer to be used for a custom application. |
Amazon Elastic Load Balancing | Target Groups | CustomizationsConfig / AppConfigItem | TargetGroupItemConfig | Define a Target Group to be used with an Elastic Load Balancer. |
Amazon EC2 | Autoscaling Groups | CustomizationsConfig / AppConfigItem | AutoScalingConfig | Define an autoscaling group to be used for a custom application. |
Amazon EC2 | Launch Template | CustomizationsConfig / AppConfigItem | LaunchTemplateConfig | Define a launch template to be used for a custom application. |
Amazon EC2 | Next-generation firewalls (standalone or autoscaling) and firewall management appliances | CustomizationsConfig | Ec2FirewallConfig | Define third-party EC2-based firewall appliances. |
AWS Service Catalog | Portfolios, products, and shares | CustomizationsConfig / CustomizationConfig | PortfolioConfig | Define Service Catalog portfolios, products, and grant access permissions. You may also share portfolios to other accounts and OUs. |
Other Services and Features
Other mandatory and non-configurable services/features deployed by the solution are described in the Architecture overview and Architecture details sections of the solution Implementation Guide.
Centralized Logging
The Landing Zone Accelerator Centralized Logging solution provides the ability to consolidate and manage log files from various sources into a Centralized Logging Account. This enables users to consolidate logs such as audit logs for access, configuration changes, and billing events. You can also collect Amazon CloudWatch Logs from multiple accounts and AWS Regions. The following sections discuss the types of logs that are centralized and the mechanisms used by the accelerator to centralize them.
Supported Log Types
- ELB Logs
- VPC Flow Logs
- Macie Reports
- Cost and Usage Reports
- Config History
- Config Snapshots
- GuardDuty Findings
- CloudWatch Logs
- CloudTrail Digest
- CloudTrail Insights
- CloudTrail Logs
- CloudTrail S3 Access Logs / S3 Access Logs
- SSM Inventory
- SSM Session Manager
- Security Hub Findings
Log Centralization Methods
- S3 Replication - Logs are stored in account-specific S3 buckets that have bucket replication enabled to replicate the logs to the Centralized Logging S3 Bucket in the Central Logging Account.
- Service-Native - The AWS service writes directly to the centralized logging bucket in the central-logging account.
- Log Streaming - Some services do not support native centralized-logging capability and do not allow writing directly to S3 in a centralized account. To enable this functionality, the accelerator utilizes CloudWatch and native log forwarding capabilities via the following workflow:
  - A Log Group is created in CloudWatch.
  - A subscription filter is added to the CloudWatch Log Group.
  - The subscription filter points to a Log Destination.
  - The Log Destination is a region-specific Kinesis Stream in the Central Logging Account.
  - Each enabled region has its own Kinesis Stream in the Central Logging Account.
  - Each Kinesis Stream is forwarded into a Kinesis Firehose in the same region.
  - The logs are processed by a Lambda function and written to the Central Logging S3 Bucket in the Home Region.
Bucket Type | Bucket Name | Purpose |
---|---|---|
Centralized Logging Bucket | aws-accelerator-central-logs-{account#}-{region} | Stores all Landing Zone Accelerator centralized logs that have been enabled via the accelerator. This mechanism allows the solution to store a combined set of logs in a single account and single region. |
ELB Access Logs | aws-accelerator-elb-access-logs-{account#}-{region} | Stores ELB Access logs on a per account/per region basis. |
S3 Access Logs | aws-accelerator-s3-access-logs-{account#}-{region} | Stores S3 Access logs on a per account/region basis. |
Log Type | S3 Path | Example | Supported Centralization Methods |
---|---|---|---|
ELB | {account#}/{region}/* | s3://aws-accelerator-elb-access-logs-123456789016-us-east-1/{account#}/{region}/*.log.gz | |
VPC Flow Logs | vpc-flow-logs/AWSLogs/{account#}/vpcflowlogs/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/vpc-flow-logs/AWSLogs/123456789016/vpcflowlogs/us-east-1/2023/04/14/*.log.gz | Log Streaming / S3 |
Macie Reports | macie/{account#}/AWSLogs/{account#}/Macie/{region}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/macie/123456789016/AWSLogs/123456789016/Macie/us-east-1/*.jsonl.gz | Service |
Cost and Usage Reports | cur/{account#}/accelerator-cur/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cur/123456789016/accelerator-cur/20220901-20221001/*.snappy.parquet | S3 Bucket Replication from Bucket in Home Region |
Config History | config/AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigHistory/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/AWSLogs/123456789016/Config/us-east-1/2023/4/10/ConfigHistory/*.json.gz | Service |
Config Snapshots | config/AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigSnapshot/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/AWSLogs/123456789016/Config/us-east-1/2023/4/10/ConfigSnapshot/*.json.gz | Service |
GuardDuty | guardduty/AWSLogs/{account#}/GuardDuty/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/guardduty/AWSLogs/123456789016/GuardDuty/us-east-1/2023/04/08/*.jsonl.gz | Service |
CloudWatch Logs | CloudWatchLogs/{year}/{month}/{day}/{hour}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/CloudWatchLogs/2023/04/17/14/*.parquet | Log Streaming |
CloudTrail Organization Digest | cloudtrail-organization/AWSLogs/{organizationId}/{account#}/CloudTrail-Digest/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail-Digest/us-east-1/2023/04/14/*.json.gz | Service |
CloudTrail Organization Insights | cloudtrail-organization/AWSLogs/{organizationID}/{account#}/CloudTrail-Insight/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail-Insight/*.json.gz | Service |
CloudTrail Organization Logs | cloudtrail-organization/AWSLogs/{organizationId}/{account#}/CloudTrail/{region}/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail/us-east-1/2023/04/14/*.json.gz | Service / Log Streaming |
S3 Access Logs | aws-accelerator-central-logs-{account#}-{region}/* | s3://aws-accelerator-s3-access-logs-123456789016-us-east-1/aws-accelerator-central-logs-123456789016-us-east-1/* | Service |
SSM Inventory | ssm-inventory/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/ssm-inventory/AWS:ComplianceSummary/accountid=123456789016/region=us-east-1/resourcetype=ManagedInstanceInventory/*.json | Service |
SSM Session Manager | session/{account#}/{region}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/session/123456789016/us-east-1/*.log | Log Streaming / S3 |
Security Hub | CloudWatchLogs/{year}/{month}/{day}/* | s3://aws-accelerator-central-logs-123456789016-us-east-1/CloudWatchLogs/2023/04/21/00/*.parquet | Log Streaming |
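The key layouts in the table above are what a log-archive owner has to work with when verifying that every expected source is actually landing in the central bucket. The following classifier is an added example (not part of the LZA project): it maps an object key from the central logs bucket to its log type, centralization method and path fields, and uses that to flag log types with no objects at all and account IDs that should not be writing there. The patterns follow the table; the sample listing and the allowed-account set are constructed.

```python
"""Classify object keys in the Landing Zone Accelerator central logs bucket.

Added example, not part of the LZA project. Key layouts are taken from the
S3 path table above; the sample listing and allowed accounts are constructed.
"""
import re
from typing import Optional

# (log type, centralization method from the table, key pattern).
# Named groups become fields of the classification result.
_PATTERNS = [
    ("vpc-flow-logs", "Log Streaming / S3",
     r"vpc-flow-logs/AWSLogs/(?P<account>\d{12})/vpcflowlogs/(?P<region>[a-z0-9-]+)/"
     r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"),
    ("macie", "Service",
     r"macie/(?P<account>\d{12})/AWSLogs/\d{12}/Macie/(?P<region>[a-z0-9-]+)/"),
    ("cur", "S3 Bucket Replication",
     r"cur/(?P<account>\d{12})/accelerator-cur/"),
    # Config keys appear with and without the config/ prefix in the table, and
    # Config writes unpadded month/day (2023/4/10), so both forms are accepted.
    ("config-history", "Service",
     r"(?:config/)?AWSLogs/(?P<account>\d{12})/Config/(?P<region>[a-z0-9-]+)/"
     r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})/ConfigHistory/"),
    ("config-snapshot", "Service",
     r"(?:config/)?AWSLogs/(?P<account>\d{12})/Config/(?P<region>[a-z0-9-]+)/"
     r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})/ConfigSnapshot/"),
    ("guardduty", "Service",
     r"guardduty/AWSLogs/(?P<account>\d{12})/GuardDuty/(?P<region>[a-z0-9-]+)/"
     r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"),
    ("cloudtrail-digest", "Service",
     r"cloudtrail-organization/AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/"
     r"CloudTrail-Digest/(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"),
    ("cloudtrail-insight", "Service",
     r"cloudtrail-organization/AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/CloudTrail-Insight/"),
    ("cloudtrail", "Service / Log Streaming",
     r"cloudtrail-organization/AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/"
     r"CloudTrail/(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"),
    ("ssm-inventory", "Service", r"ssm-inventory/"),
    ("ssm-session", "Log Streaming / S3",
     r"session/(?P<account>\d{12})/(?P<region>[a-z0-9-]+)/"),
    # CloudWatch Logs and Security Hub findings share the CloudWatchLogs/ prefix,
    # so the key alone cannot tell the two apart.
    ("cloudwatch-logs", "Log Streaming",
     r"CloudWatchLogs/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<hour>\d{2})/"),
]
EXPECTED_LOG_TYPES = [name for name, _, _ in _PATTERNS]


def classify_key(key: str) -> Optional[dict]:
    """Return log type, centralization method and path fields for a key, or None."""
    for log_type, method, pattern in _PATTERNS:
        m = re.match(pattern, key)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            return {"log_type": log_type, "method": method, **fields}
    return None


def missing_log_types(keys) -> set:
    """Log types from the table that have no object at all in the listing."""
    seen = {c["log_type"] for c in map(classify_key, keys) if c}
    return set(EXPECTED_LOG_TYPES) - seen


def unexpected_accounts(keys, allowed_accounts) -> set:
    """Account IDs found in keys that are not in the organization's allowed set."""
    found = set()
    for c in map(classify_key, keys):
        if c and "account" in c and c["account"] not in allowed_accounts:
            found.add(c["account"])
    return found


# Constructed listing of a central logs bucket (not real data).
SAMPLE_KEYS = [
    "vpc-flow-logs/AWSLogs/123456789016/vpcflowlogs/us-east-1/2023/04/14/a.log.gz",
    "cloudtrail-organization/AWSLogs/o-abc12cdefg/123456789016/CloudTrail/us-east-1/2023/04/14/b.json.gz",
    "AWSLogs/123456789016/Config/us-east-1/2023/4/10/ConfigHistory/c.json.gz",
    "session/999999999999/us-east-1/d.log",
    "CloudWatchLogs/2023/04/17/14/e.parquet",
    "not-a-known-prefix/f.txt",
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key, "->", classify_key(key))
    print("missing:", sorted(missing_log_types(SAMPLE_KEYS)))
    print("unexpected accounts:", unexpected_accounts(SAMPLE_KEYS, {"123456789016"}))
```

Run against a real `aws s3api list-objects-v2` listing of the central logs bucket, an empty `missing_log_types` result and an empty `unexpected_accounts` result are the two conditions a log-archive owner wants to see.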
Package Structure
@aws-accelerator/accelerator
A CDK Application. The core of the accelerator solution. Contains all the stack definitions and deployment pipeline for the accelerator. This also includes the CDK Toolkit orchestration.
@aws-accelerator/config
A pure typescript library containing modules to manage the accelerator config files.
@aws-accelerator/constructs
Contains L2/L3 constructs that have been built to support accelerator actions, such as creating an AWS Organizational Unit or VPC. These constructs are intended to be fully reusable, independent of the accelerator, and do not directly access the accelerator configuration files. Example: CentralLogsBucket, an S3 bucket that is configured with a CMK with the proper key and bucket policies to allow services and accounts in the organization to publish logs to the bucket.
@aws-accelerator/installer
Contains a CDK Application that defines the accelerator Installer stack.
@aws-accelerator/ui (future)
A web application that utilizes the aws-ui-components library to present a console to configure the accelerator.
@aws-accelerator/utils
Contains common utilities and types that are needed by @aws-accelerator/* packages, for example throttling and backoff for AWS SDK calls.
@aws-cdk-extensions/cdk-extensions
Contains L2 constructs that extend the functionality of the CDK repo. The CDK repo is an actively developed project. As the accelerator team identifies missing features of the CDK, those features will be initially developed locally within this repo and submitted to the CDK project as a pull request.
@aws-cdk-extensions/tester
Accelerator tester CDK app. This package creates an AWS Config custom rule for every test case defined in the test case manifest file.
Creating an Installer Stack
The Installer Stack, a CDK Application, can be deployed through a CloudFormation template produced by your CLI by navigating to the directory for the installer and running a CDK synthesis. The template can either be deployed directly via the AWS CLI or console. Below are the commands for completing the deployment of the Installer stack.
1. Build the Installer stack for deployment
   - Install dependencies for the Installer stack
     - [Node](https://nodejs.org/en/)
     - [AWS CDK](https://aws.amazon.com/cdk/)
     - [Yarn](https://yarnpkg.com/)
     - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
   - Install project dependencies
     ```bash
     cd <rootDir>/source
     yarn install && yarn lerna link
     ```
   - Run the CDK synthesis
     ```bash
     cd <rootDir>/source/packages/@aws-accelerator/installer
     yarn build && yarn cdk synth
     ```
   After running these commands, the Installer stack template will be saved to `<rootDir>/source/packages/@aws-accelerator/installer/cdk.out/AWSAccelerator-InstallerStack.template.json`
2. Create a GitHub personal access token
   Follow the instructions on GitHub Docs to create a personal access token (Classic).
   When creating the token, select `public_repo` as the scope.
3. Store the token in Secrets Manager
   Store the personal access token in Secrets Manager.
   - In the AWS Management Console, navigate to Secrets Manager
   - Click Store a new secret
   - On the Choose secret type step, select Other type of secret
   - Select the Plaintext tab
   - Completely remove the example text and paste your secret with no formatting and no leading or trailing spaces
   - Select the aws/secretsmanager encryption key
   - Click Next
   - On the Configure secret step, set the Secret name to accelerator/github-token
   - On the Configure rotation step, click Next
   - On the Review step, click Store
4. Deploy the Installer stack
   - Configure the AWS CLI CloudFormation command for the Installer stack
   - Create an S3 bucket and copy the generated template file.
     ```bash
     cd <rootDir>/source/packages/@aws-accelerator/installer
     aws s3 mb s3://<bucket name>
     aws s3 cp ./cdk.out/AWSAccelerator-InstallerStack.template.json s3://<bucket name>
     ```
   - Create the Installer stack with the AWS CLI command. The template is referenced by its S3 URL, which is what `--template-url` takes (`--template-body` expects the template content itself):
     ```bash
     # Commas inside a ParameterValue (the notify e-mail list) must be escaped as \, in shorthand syntax.
     aws cloudformation create-stack --stack-name AWSAccelerator-InstallerStack \
       --template-url https://<bucket name>.s3.<region>.amazonaws.com/AWSAccelerator-InstallerStack.template.json \
       --parameters ParameterKey=RepositoryName,ParameterValue=<Repository_Name> \
       ParameterKey=RepositoryBranchName,ParameterValue=<Branch_Name> \
       ParameterKey=ManagementAccountEmail,ParameterValue=<Management_Email> \
       ParameterKey=LogArchiveAccountEmail,ParameterValue=<LogArchive_Email> \
       ParameterKey=AuditAccountEmail,ParameterValue=<Audit_Email> \
       ParameterKey=EnableApprovalStage,ParameterValue=Yes \
       ParameterKey=ApprovalStageNotifyEmailList,ParameterValue=comma-delimited-notify-emails \
       ParameterKey=ControlTowerEnabled,ParameterValue=Yes \
       --capabilities CAPABILITY_IAM
     ```
   - Alternate deployment of CloudFormation via the AWS console:
     - From your Management account, navigate to the CloudFormation page in the AWS console
     - Select "Create Stack" and from the dropdown pick "with new resources (standard)"
     - For the prerequisite template, select "Template is ready"
     - When specifying the template, select "Upload a template file"
     - Ensure that you select the correct file "AWSLandingZoneAccelerator-InstallerStack.template.json"
     - Fill out the required parameters in the UI, and create the stack once the parameters are inputted.
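A pre-flight check for step 4, added here as an example (not part of the LZA project): it compares the `--parameters` list against the `Parameters` section of the synthesized template, validates the e-mail and Yes/No values, and derives which `--capabilities` value the template's IAM resources require, so a copy-pasted command with placeholders left in is rejected before CloudFormation sees it. `SAMPLE_TEMPLATE` is a constructed stand-in for `cdk.out/AWSAccelerator-InstallerStack.template.json`; its parameter names are the ones in the command above, while its types, allowed values and resources are assumptions.

```python
"""Pre-flight check for an AWSAccelerator-InstallerStack create-stack command.

Added example, not LZA project code. SAMPLE_TEMPLATE is a constructed stand-in
for the synthesized template: parameter names come from the README command,
types, allowed values and resources are assumptions.
"""
import json
import re

SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "RepositoryName": {"Type": "String"},
        "RepositoryBranchName": {"Type": "String"},
        "ManagementAccountEmail": {"Type": "String"},
        "LogArchiveAccountEmail": {"Type": "String"},
        "AuditAccountEmail": {"Type": "String"},
        "EnableApprovalStage": {"Type": "String", "AllowedValues": ["Yes", "No"], "Default": "Yes"},
        "ApprovalStageNotifyEmailList": {"Type": "CommaDelimitedList", "Default": ""},
        "ControlTowerEnabled": {"Type": "String", "AllowedValues": ["Yes", "No"]},
    },
    "Resources": {
        "InstallerRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}},
    },
})

_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
# An IAM resource carrying one of these properties is custom-named: CAPABILITY_NAMED_IAM.
_NAMED_IAM_PROPS = {"RoleName", "UserName", "GroupName", "ManagedPolicyName", "InstanceProfileName"}


def parse_cli_parameters(args):
    """Turn 'ParameterKey=K,ParameterValue=V' shorthand entries into a dict (backslash-comma unescapes)."""
    params = {}
    for arg in args:
        m = re.fullmatch(r"ParameterKey=([^,]+),ParameterValue=(.*)", arg)
        if not m:
            raise ValueError(f"malformed parameter: {arg}")
        params[m.group(1)] = m.group(2).replace("\\,", ",")
    return params


def required_capability(template):
    """CAPABILITY_NAMED_IAM for custom-named IAM resources, CAPABILITY_IAM for any other, else None."""
    capability = None
    for res in template.get("Resources", {}).values():
        if res.get("Type", "").startswith("AWS::IAM::"):
            capability = capability or "CAPABILITY_IAM"
            if _NAMED_IAM_PROPS & set(res.get("Properties", {})):
                return "CAPABILITY_NAMED_IAM"
    return capability


def preflight(template_json, cli_params, capabilities):
    """Return a list of problems; an empty list means create-stack should accept the input."""
    template = json.loads(template_json)
    declared = template.get("Parameters", {})
    problems = []
    for name, spec in declared.items():
        if name not in cli_params and "Default" not in spec:
            problems.append(f"missing required parameter {name}")
    for name, value in cli_params.items():
        spec = declared.get(name)
        if spec is None:
            problems.append(f"unknown parameter {name}")
            continue
        allowed = spec.get("AllowedValues")
        if allowed and value not in allowed:
            problems.append(f"{name}={value!r} not in {allowed}")
        if name.endswith("Email") and not _EMAIL.match(value):
            problems.append(f"{name}={value!r} is not an e-mail address")
        if name.endswith("EmailList") and value:
            bad = [e for e in value.split(",") if not _EMAIL.match(e.strip())]
            if bad:
                problems.append(f"{name} has invalid entries {bad}")
    needed = required_capability(template)
    if needed and needed not in capabilities:
        problems.append(f"template needs {needed}")
    return problems


# Constructed parameter list that still carries the README's <placeholders>,
# so the check reports exactly what a copy-pasted command would be rejected for.
UNFILLED = parse_cli_parameters([
    "ParameterKey=RepositoryName,ParameterValue=<Repository_Name>",
    "ParameterKey=RepositoryBranchName,ParameterValue=<Branch_Name>",
    "ParameterKey=ManagementAccountEmail,ParameterValue=<Management_Email>",
    "ParameterKey=LogArchiveAccountEmail,ParameterValue=<LogArchive_Email>",
    "ParameterKey=AuditAccountEmail,ParameterValue=<Audit_Email>",
    "ParameterKey=EnableApprovalStage,ParameterValue=Yes",
    "ParameterKey=ApprovalStageNotifyEmailList,ParameterValue=ops@example.com\\,sec@example.com",
    "ParameterKey=ControlTowerEnabled,ParameterValue=Yes",
])

if __name__ == "__main__":
    for problem in preflight(SAMPLE_TEMPLATE, UNFILLED, ["CAPABILITY_IAM"]):
        print("problem:", problem)
```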
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
http://www.apache.org/licenses/
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and limitations under the License.