Type IAccountsConfig
File match accounts-config.yaml
Schema URL https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-accounts-config/latest.json
Source https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/accounts-config.json

Validate with Lintel

npx @lintel/lintel check
Type: IAccountsConfig

Definitions

AwsAccountId string

AWS Account ID Type

Represents a valid AWS account identifier. AWS account IDs are unique 12-digit numbers assigned to each AWS account when it's created.

EmailAddress string

Email Address Type

Represents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.

Format Requirements

  • Length: 6-64 characters
  • Pattern: Must match standard email format
  • Domain: Must contain at least one dot in the domain portion

Examples

```typescript
const email1: EmailAddress = "[email protected]";
```

IAccountConfig object

Standard Account Configuration

Standard account configuration for commercial AWS partition accounts. Extends the base account configuration with account warming capabilities.

Key Features

  • Account Warming: Optional EC2 instance pre-provisioning for immediate workload readiness
  • Commercial Partition: Designed for standard AWS commercial regions
  • Full Feature Support: Supports all base account configuration options

Usage Example

```yaml
- name: Production
  description: Production environment for customer applications
  email: [email protected]
  organizationalUnit: Workloads
  warm: true                    # Pre-warm for immediate EC2 usage
  accountAlias: company-prod

# Development account
- name: Development
  description: Development and testing environment
  email: [email protected]
  organizationalUnit: Workloads
  warm: false                   # No warming needed
  accountAlias: company-dev
```
email string required

Email Address Type

Represents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.

Format Requirements

  • Length: 6-64 characters
  • Pattern: Must match standard email format
  • Domain: Must contain at least one dot in the domain portion

Examples

```typescript
const email1: EmailAddress = "[email protected]";
```

minLength=6 maxLength=64 pattern=['^\S+@\S+\.\S+$', '^\w+$']
name string required

Non-Empty No-Space String Type

Represents a string that must contain at least one character and cannot contain any whitespace characters.

Common Use Cases

  • AWS account names
  • Account aliases
  • Resource identifiers
  • Configuration keys
  • File names and paths
minLength=1 pattern=^[^\s]*$
accountAlias string

Non-Empty No-Space String Type

Represents a string that must contain at least one character and cannot contain any whitespace characters.

Common Use Cases

  • AWS account names
  • Account aliases
  • Resource identifiers
  • Configuration keys
  • File names and paths
minLength=1 pattern=^[^\s]*$
description string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
organizationalUnit string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
warm boolean

Account Warming (Optional)

Pre-provision the account by creating a temporary EC2 instance that runs for 15 minutes. This prepares the account's EC2 service for immediate production workload deployment.

When to Enable

  • Enable for accounts that will immediately deploy EC2-based workloads
  • Enable for production accounts requiring rapid deployment capabilities
  • Disable for accounts primarily using serverless or managed services
  • Disable for cost-sensitive development/testing environments

Process Details

  • Warming occurs during the operations stack deployment phase
  • Creates a minimal EC2 instance in the default VPC
  • Instance automatically terminates after 15 minutes
  • No additional charges beyond the brief EC2 usage
  • Can be safely removed from configuration after initial deployment

Best Practices


```yaml
# Development/testing - typically disable
warm: false

# Serverless-only accounts - disable
warm: false
```
Default: false
IAccountIdConfig object

Account ID Mapping Configuration

Provides static account ID to email mappings to bypass AWS Organizations account lookups. Used exclusively when LZA cannot or should not perform automatic account ID resolution.

Use Cases

  • AWS Organizations Unavailable: When deploying in partitions without Organizations support
  • Restricted API Access: When Organizations APIs are restricted or unavailable
  • Static Account References: When dynamic lookups are not desired or possible
  • GovCloud Usage: Adding account ids allows the LZA to add the account to the Organization in GovCloud automatically

Usage Example


```yaml
  # Account in partition without Organizations
  - email: [email protected]
    accountId: "444455556666"

  # Static reference when API lookups are restricted
  - email: [email protected]
    accountId: "444455556666"
```

When to Use

Most customers will not need this section. Only populate when:

  1. Organizations API Unavailable: Deploying in partitions without AWS Organizations
  2. API Restrictions: When Organizations lookup APIs are blocked or restricted
  3. Static Configuration: When dynamic account resolution is not desired
  4. GovCloud Usage: Adding account ids allows the LZA to add the account to the Organization in GovCloud automatically

Important Considerations

  • Only use when automatic account ID lookup is not possible
  • Email addresses should match the account references in your configuration
  • Account IDs must be valid 12-digit AWS account identifiers
  • This bypasses automatic account discovery mechanisms
accountId string required

AWS Account ID Type

Represents a valid AWS account identifier. AWS account IDs are unique 12-digit numbers assigned to each AWS account when it's created.

minLength=12 maxLength=12
email string required

Email Address Type

Represents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.

Format Requirements

  • Length: 6-64 characters
  • Pattern: Must match standard email format
  • Domain: Must contain at least one dot in the domain portion

Examples

```typescript
const email1: EmailAddress = "[email protected]";
```

minLength=6 maxLength=64 pattern=['^\S+@\S+\.\S+$', '^\w+$']
IAccountsConfig object

Main Accounts Configuration Interface

Root configuration interface that defines all accounts to be managed by the Landing Zone Accelerator. This interface serves as the entry point for account configuration and supports both commercial and GovCloud partitions.

Configuration Sections

The accounts configuration is organized into three main sections:

  1. Mandatory Accounts - Required core accounts (Management, Audit, Log Archive)
  2. Workload Accounts - Application and business-specific accounts
  3. Account IDs - Pre-existing account mappings (optional)

Usage Example


```yaml
workloadAccounts:
  - name: Production
    email: [email protected]
    organizationalUnit: Workloads
    warm: true
  - name: Staging
    email: [email protected]
    organizationalUnit: Workloads

accountIds:
  - email: [email protected]
    accountId: "123456789012"
```
mandatoryAccounts IAccountConfig[] | IGovCloudAccountConfig[] required

Mandatory Accounts Configuration

Required accounts that provide core Landing Zone Accelerator functionality. These accounts are essential for security, compliance, and operational management.

Required Accounts:

  • Management: Primary account for organizational management and billing
  • LogArchive: Centralized logging and log retention account
  • Audit: Security auditing and compliance account
workloadAccounts IAccountConfig[] | IGovCloudAccountConfig[] required

Workload Accounts Configuration

Application-specific and business workload accounts. These accounts host your applications, databases, and other business workloads, isolated by environment, business unit, or application.

Common Workload Account Types:

  • Production environments
  • Development/testing environments
  • Shared services (networking, monitoring)
  • Business unit specific accounts
  • Sandbox accounts for experimentation
accountIds IAccountIdConfig[]

Pre-existing Account IDs (Optional)

Map existing AWS account IDs to email addresses to skip dynamic lookups by the Landing Zone Accelerator. Use this section when you have existing accounts that need to be managed by the accelerator.

Use Cases:

  • Migrating existing AWS accounts into the Landing Zone Accelerator
  • Integrating with accounts created outside the accelerator
  • Mapping legacy account structures
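The constraints spread across the definitions above (EmailAddress length and pattern, NonEmptyNoSpaceString for names and aliases, the 12-character AwsAccountId, the three required mandatory accounts, and the rule that accountIds entries should refer to declared accounts) are easy to get wrong by hand before LZA ever runs. The checker below is an added example, not LZA's own validator: it takes the parsed form of an accounts-config.yaml and reports every violation it finds. The interfaces mirror the schema field names on this page; the digits-only account ID check and the duplicate root e-mail check are this example's own, stricter additions, and the two sample configs at the bottom are constructed for illustration.

```typescript
// Added example (not LZA project code): validate a parsed accounts-config.yaml
// against the rules documented in the schema. Regexes copied from the schema text.

interface AccountConfig {
  name: string;               // NonEmptyNoSpaceString
  email: string;              // EmailAddress
  organizationalUnit: string; // NonEmptyString
  description?: string;       // NonEmptyString
  accountAlias?: string;      // NonEmptyNoSpaceString
  warm?: boolean;
  enableGovCloud?: boolean;   // IGovCloudAccountConfig only
}

interface AccountIdConfig {
  email: string;     // EmailAddress
  accountId: string; // AwsAccountId, exactly 12 characters
}

interface AccountsConfig {
  mandatoryAccounts: AccountConfig[];
  workloadAccounts: AccountConfig[];
  accountIds?: AccountIdConfig[];
}

const EMAIL_PATTERN = /^\S+@\S+\.\S+$/;  // schema pattern for EmailAddress
const NO_SPACE_PATTERN = /^[^\s]*$/;     // schema pattern for NonEmptyNoSpaceString
const ACCOUNT_ID_PATTERN = /^\d{12}$/;   // schema requires length 12; digits-only is this example's assumption
const REQUIRED_MANDATORY = ["Management", "LogArchive", "Audit"];

function checkEmail(email: string, where: string, errors: string[]): void {
  if (email.length < 6 || email.length > 64) {
    errors.push(`${where}.email: length ${email.length} outside 6-64`);
  }
  if (!EMAIL_PATTERN.test(email)) {
    errors.push(`${where}.email: does not match ${EMAIL_PATTERN.source}`);
  }
}

function checkAccount(acct: AccountConfig, where: string, errors: string[]): void {
  if (acct.name.length < 1 || !NO_SPACE_PATTERN.test(acct.name)) {
    errors.push(`${where}.name: must be non-empty with no whitespace`);
  }
  checkEmail(acct.email, where, errors);
  if (acct.organizationalUnit.length < 1) {
    errors.push(`${where}.organizationalUnit: must be non-empty`);
  }
  if (acct.description !== undefined && acct.description.length < 1) {
    errors.push(`${where}.description: must be non-empty when present`);
  }
  if (acct.accountAlias !== undefined &&
      (acct.accountAlias.length < 1 || !NO_SPACE_PATTERN.test(acct.accountAlias))) {
    errors.push(`${where}.accountAlias: must be non-empty with no whitespace`);
  }
}

// Returns every problem found; an empty list means the config satisfies the documented rules.
function validateAccountsConfig(cfg: AccountsConfig): string[] {
  const errors: string[] = [];
  const all = cfg.mandatoryAccounts.map((a, i) => ({ a, where: `mandatoryAccounts[${i}]` }))
    .concat(cfg.workloadAccounts.map((a, i) => ({ a, where: `workloadAccounts[${i}]` })));
  const emailOwner: { [email: string]: string } = {};
  for (const { a, where } of all) {
    checkAccount(a, where, errors);
    // Every AWS account is created with its own root e-mail, so a duplicate is a real mistake.
    const key = a.email.toLowerCase();
    if (emailOwner[key] !== undefined) {
      errors.push(`${where}.email: duplicates ${emailOwner[key]}`);
    } else {
      emailOwner[key] = where;
    }
  }
  for (const req of REQUIRED_MANDATORY) {
    if (!cfg.mandatoryAccounts.some((a) => a.name === req)) {
      errors.push(`mandatoryAccounts: required account ${req} is missing`);
    }
  }
  (cfg.accountIds || []).forEach((m, i) => {
    const where = `accountIds[${i}]`;
    checkEmail(m.email, where, errors);
    if (!ACCOUNT_ID_PATTERN.test(m.accountId)) {
      errors.push(`${where}.accountId: must be exactly 12 digits`);
    }
    // The page says mapped e-mails should match the account references in the configuration.
    if (emailOwner[m.email.toLowerCase()] === undefined) {
      errors.push(`${where}.email: no declared account uses this address`);
    }
  });
  return errors;
}

// Constructed sample: what accounts-config.yaml looks like after YAML parsing.
function sampleConfig(): AccountsConfig {
  return {
    mandatoryAccounts: [
      { name: "Management", email: "management@example.com", organizationalUnit: "Root" },
      { name: "LogArchive", email: "logarchive@example.com", organizationalUnit: "Security" },
      { name: "Audit", email: "audit@example.com", organizationalUnit: "Security" },
    ],
    workloadAccounts: [
      { name: "Production", email: "prod@example.com", organizationalUnit: "Workloads", warm: true, accountAlias: "company-prod" },
      { name: "Development", email: "dev@example.com", organizationalUnit: "Workloads", warm: false },
    ],
    accountIds: [{ email: "prod@example.com", accountId: "444455556666" }],
  };
}

// Same config with four deliberate mistakes, to show what the checker reports.
function brokenConfig(): AccountsConfig {
  const cfg = sampleConfig();
  cfg.workloadAccounts[0].name = "Prod Account";      // whitespace in name
  cfg.workloadAccounts[1].email = "prod@example.com"; // duplicate root e-mail
  cfg.accountIds![0].accountId = "4444-5555-666";     // not 12 digits
  cfg.mandatoryAccounts.splice(2, 1);                 // Audit removed
  return cfg;
}

console.log(validateAccountsConfig(sampleConfig()));  // []
console.log(validateAccountsConfig(brokenConfig()));  // four problems listed
```

Running the checker against the real file means loading it with a YAML parser first and passing the result to validateAccountsConfig; the checker itself deliberately has no dependencies so it can sit in a pre-commit hook for the configuration repository.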
IGovCloudAccountConfig object

GovCloud Account Configuration

Specialized account configuration for AWS GovCloud partition accounts. Used when deploying Landing Zone Accelerator in AWS GovCloud regions that require compliance with government security and regulatory requirements.

Key Features

  • GovCloud Partition Support: Creates accounts in the isolated AWS GovCloud partition
  • Linked Account Creation: Automatically creates paired commercial partition accounts
  • Compliance Ready: Designed for government and regulated workloads
  • Account Warming: Optional EC2 pre-provisioning for immediate readiness

Usage Example

```yaml
- name: GovCloud-Production
  description: GovCloud production environment for regulated workloads
  email: [email protected]
  organizationalUnit: GovCloud-Workloads
  enableGovCloud: true
  warm: true
  accountAlias: agency-govcloud-prod

# GovCloud development account
- name: GovCloud-Development
  description: GovCloud development and testing environment
  email: [email protected]
  organizationalUnit: GovCloud-Workloads
  enableGovCloud: true
  warm: false
```

GovCloud Considerations

  • GovCloud accounts require separate email addresses from commercial accounts
  • Account creation process involves additional verification steps
  • Some AWS services have different availability in GovCloud
  • Enhanced logging and monitoring requirements typically apply
email string required

Email Address Type

Represents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.

Format Requirements

  • Length: 6-64 characters
  • Pattern: Must match standard email format
  • Domain: Must contain at least one dot in the domain portion

Examples

```typescript
const email1: EmailAddress = "[email protected]";
```

minLength=6 maxLength=64 pattern=['^\S+@\S+\.\S+$', '^\w+$']
name string required

Non-Empty No-Space String Type

Represents a string that must contain at least one character and cannot contain any whitespace characters.

Common Use Cases

  • AWS account names
  • Account aliases
  • Resource identifiers
  • Configuration keys
  • File names and paths
minLength=1 pattern=^[^\s]*$
accountAlias string

Non-Empty No-Space String Type

Represents a string that must contain at least one character and cannot contain any whitespace characters.

Common Use Cases

  • AWS account names
  • Account aliases
  • Resource identifiers
  • Configuration keys
  • File names and paths
minLength=1 pattern=^[^\s]*$
description string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
enableGovCloud boolean

Enable GovCloud Account Creation (Optional)

Controls whether a GovCloud partition account should be created alongside the standard commercial partition account. When enabled, creates a linked account pair across both AWS partitions.

When to Enable

  • Enable for workloads requiring FedRAMP compliance
  • Enable for government agency workloads
  • Enable for regulated industries requiring GovCloud
  • Disable for standard commercial workloads

Account Linking

  • Creates paired accounts in both GovCloud and commercial partitions
  • Maintains separate identity and access management per partition
  • Requires separate email addresses for each partition account

Compliance Benefits


```yaml
# Commercial deployment only
enableGovCloud: false   # Creates only commercial partition account
```
Default: false
organizationalUnit string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
warm boolean

Account Warming (Optional)

Pre-provision the account by creating a temporary EC2 instance that runs for 15 minutes. This prepares the account's EC2 service for immediate production workload deployment in the GovCloud partition.

GovCloud Warming Considerations

  • Warming occurs in the GovCloud partition specifically
  • May take longer due to additional GovCloud provisioning requirements
  • Helps establish baseline EC2 service readiness for compliance workloads
  • Particularly beneficial for time-sensitive government deployments

Best Practices


```yaml
# Development/testing in GovCloud - typically disable
warm: false

# Serverless-only GovCloud accounts - disable
warm: false
```
Default: false
NonEmptyNoSpaceString string

Non-Empty No-Space String Type

Represents a string that must contain at least one character and cannot contain any whitespace characters.

Common Use Cases

  • AWS account names
  • Account aliases
  • Resource identifiers
  • Configuration keys
  • File names and paths
NonEmptyString string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.