Type IGlobalConfig
File match global-config.yaml
Schema URL https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-global-config/latest.json
Source https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/global-config.json

Validate with Lintel

npx @lintel/lintel check
Type: IGlobalConfig

Definitions

ComparisonOperator string

Comparison Operator Type

Defines comparison operations used in monitoring, alerting, and conditional logic throughout the Landing Zone Accelerator configuration.

Values

  • GREATER_THAN: Trigger when value exceeds threshold
  • LESS_THAN: Trigger when value falls below threshold
  • EQUAL_TO: Trigger when value equals threshold
EmailAddress string

Email Address Type

Represents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.

Format Requirements

  • Length: 6-64 characters
  • Pattern: Must match standard email format
  • Domain: Must contain at least one dot in the domain portion

Examples

```typescript
const email1: EmailAddress = "[email protected]";
```
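A validator for the format requirements listed above, added here as an example and not taken from the Landing Zone Accelerator code base. The length and domain-dot rules follow the list as written; the regular expression used for the "standard email format" check is an assumption, because the schema's exact pattern is not reproduced on this page.

```typescript
// Added example, not LZA's own code. Checks the three EmailAddress
// requirements listed on this page: 6-64 characters, a standard
// local-part@domain shape, and at least one dot in the domain portion.
const EMAIL_MIN_LENGTH = 6;
const EMAIL_MAX_LENGTH = 64;

// Assumption: an approximation of "standard email format". The schema's
// real pattern is not reproduced on this page, so this is illustrative.
const EMAIL_PATTERN = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/;

function isValidEmailAddress(value: string): boolean {
  if (value.length < EMAIL_MIN_LENGTH || value.length > EMAIL_MAX_LENGTH) {
    return false;
  }
  if (!EMAIL_PATTERN.test(value)) {
    return false;
  }
  // The pattern guarantees exactly one "@", so everything after it is the domain.
  const domain = value.slice(value.indexOf('@') + 1);
  // Require at least one dot, and reject empty labels such as "example..com".
  return domain.includes('.') && domain.split('.').every((label) => label.length > 0);
}

// Lint helper for a list of addresses pulled from a config file: returns the
// invalid ones so a reviewer can fix them before the pipeline runs.
function invalidEmailAddresses(values: string[]): string[] {
  return values.filter((v) => !isValidEmailAddress(v));
}

// Constructed sample input for a stand-alone run (placeholder addresses).
const SAMPLE_ADDRESSES = ['ops@example.com', 'a@b.c', 'user@localhost', 'user@example..com'];
console.log(invalidEmailAddresses(SAMPLE_ADDRESSES));
```

Running a check like this over every address in a config file before the pipeline runs catches the values the schema would reject (too short, no dot in the domain, empty domain labels) at review time rather than at deployment time.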

IAcceleratorMetadataConfig object

Accelerator Metadata Configuration

Used to enable accelerator metadata logs.

Example

```yaml
acceleratorMetadata:
  enable: true
  account: Logging
  readOnlyAccessRoleArns:
    - arn:aws:iam::111111111111:role/test-access-role
```

account string required

Account (Required)

The account to save the logs in. A new S3 Bucket will be created for this purpose.

enable boolean required

Enable (Required)

Determines whether or not accelerator metadata is captured.

readOnlyAccessRoleArns string[] required

Read-Only Access Role ARNs (Required)

List of role arns that should have read-only access to the logs.

IAcceleratorSettingsConfig object

Accelerator Settings Configuration

Contains additional configuration settings for the Accelerator. Allows for the configuration of the maximum concurrent stacks that can be processed at a given time.

Example

```yaml
acceleratorSettings:
  maxConcurrentStacks: 100
```

maxConcurrentStacks number

Max Concurrent Stacks (Optional)

Set the maximum number of concurrent stacks that can be processed at a time while transpiling the application.

Default: 100
IAccessLogBucketConfig object

Access Log Bucket Configuration

Configuration for the access log bucket used to store S3 server access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Deployment Targeting: Control which accounts and regions receive the configuration

Example

```yaml
accessLogBucket:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Root
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  lifecycleRules:
    - enabled: true
      id: AccessLifecycle-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  importedBucket:
    name: existing-access-log-bucket-${ACCOUNT_ID}-${REGION}
    applyAcceleratorManagedBucketPolicy: true
```

customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

1 nested property
policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

enable boolean

Enable Access Log Bucket (Optional)

Controls whether the S3 access logging bucket is created by the solution. When undefined, the solution will create access log buckets automatically.

Important Notes

  • Access log buckets are always created for critical solution buckets (installer, pipeline, central logs, assets)
  • Use deploymentTargets to control which accounts and regions receive this configuration
  • This setting primarily affects additional access log buckets beyond the core solution buckets
Default: true
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options

```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

Important Considerations

When true:

  • Accelerator REPLACES the existing bucket resource policy
  • Combines accelerator-generated policies with external policy files
  • Ensures compatibility with enabled security services
  • WARNING: Removes any existing custom S3 policies on the bucket

When false (default):

  • Preserves the existing bucket resource policy
  • Only adds policies from external s3ResourcePolicyAttachments files
  • No changes if no external policy files are provided
  • Existing policies remain intact

Best Practices

  • Set to true for buckets that need full accelerator integration
  • Set to false for buckets with critical existing policies
  • Review existing policies before enabling accelerator management
  • Test policy changes in non-production environments first
Default: false
lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the access log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: AccessLifecycle-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/access-log-policy.json
  - policy: s3-policies/cross-account-access.json
```

IAccountCloudTrailConfig object

Account Cloud Trail Configuration

Configuration options for account-level trails.

Example

```yaml
- name: AWSAccelerator-Account-CloudTrail
  regions:
    - us-east-1
  deploymentTargets:
    organizationalUnits:
      - Root
  settings:
    multiRegionTrail: true
    globalServiceEvents: true
    managementEvents: true
    s3DataEvents: true
    lambdaDataEvents: true
    sendToCloudWatchLogs: true
    apiErrorRateInsight: false
    apiCallRateInsight: false
```

deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

name string required

Name (Required)

The name that will be used to create the trail.

regions NonEmptyString[] required

Regions (Required)

Determines which region(s) this account trail will be deployed in.

settings object required

Cloud Trail Settings Configuration

Additional settings used to configure an organization-level trail.

Example

```yaml
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
```

8 nested properties
apiCallRateInsight boolean required

API Call Rate Insight (Required)

Will enable CloudTrail Insights and enable the API Call Rate Insight.

apiErrorRateInsight boolean required

API Error Rate Insight (Required)

Will enable CloudTrail Insights and enable the API Error Rate Insight.

globalServiceEvents boolean required

Global Service Events (Required)

For global services, events are delivered to any trail that includes global services and are logged in the us-east-1 region.

lambdaDataEvents boolean required

Lambda Data Events (Required)

Adds a Lambda Data Event Selector for filtering events that match Lambda operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled and will incur additional costs if enabled for your CloudTrail.

Default: true
managementEvents boolean required

Management Events (Required)

Whether or not to log management events, or control plane operations. Management events can also include non-API events that occur in your account, such as a user logging in to the account. Enabling sets ReadWriteType.ALL.

multiRegionTrail boolean required

Multi-Region Trail (Required)

Determines whether or not this trail delivers log files from all regions to the account.

s3DataEvents boolean required

S3 Data Events (Required)

Adds an S3 Data Event Selector for filtering events that match S3 operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled and will incur additional costs if enabled for your CloudTrail.

Default: true
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether CloudTrail pushes logs to CloudWatch logs in addition to S3.

IAssetBucketConfig object

Asset Bucket Configuration

Configuration for the asset bucket.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
assetBucket:
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: aws-accelerator-assets
    applyAcceleratorManagedBucketPolicy: true
```

customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

2 nested properties
kmsPolicy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
s3Policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (Customer Managed Encryption)

Configuration for importing existing S3 buckets with customer-managed KMS encryption (SSE-KMS). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that uses or should use customer-managed KMS keys for encryption.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • KMS Key Management: Option to create and manage KMS keys for the bucket
  • Policy Management: Optional application of accelerator-managed policies
  • Encryption Enhancement: Upgrade existing buckets to use customer-managed keys

Usage Example

```yaml
importedBucket:
  name: existing-sensitive-data-bucket
  applyAcceleratorManagedBucketPolicy: true
  createAcceleratorManagedKey: true
```

3 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Default: false
createAcceleratorManagedKey boolean

Create Accelerator Managed KMS Key (Optional)

Controls whether the accelerator should create a new customer-managed KMS key and apply it to the imported bucket for encryption. When enabled, enhances bucket security with dedicated encryption key management.

Key Creation Process

When true:

  • Creates a new customer-managed KMS key specifically for this bucket
  • Applies accelerator-managed key policy with appropriate service permissions
  • Configures bucket to use the new key for server-side encryption
  • Integrates key permissions with enabled security and logging services

When false (default):

  • Preserves existing bucket encryption configuration
  • Uses current encryption method (S3-managed, existing KMS key, or none)
  • No new KMS key creation or encryption changes
  • Existing encryption settings remain unchanged

Important Warnings

Irreversible Change: Once the accelerator pipeline executes with this value set to true, changing it back to false will cause CloudFormation stack failures. The KMS key becomes a permanent part of the infrastructure.

Default: false
kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy.

Notes

  • Cannot be used when the customPolicyOverrides.kmsPolicy property has a value.
  • When importing an assets bucket with createAcceleratorManagedKey set to false, this property must be undefined.
  • The Assets Bucket will allow customers to have SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/policy1.json
  - policy: s3-policies/policy2.json
```

IBackupConfig object

Backup Configuration

Enables the setup of Backups.

Example

```yaml
backup:
  vaults:
    - name: BackupVault
      deploymentTargets:
        organizationalUnits:
          - Root
```

vaults IVaultConfig[] required

Vaults (Required)

Configuration for Backup Vaults.

IBudgetReportConfig object

Budget Report Configuration

Defines AWS Budgets for cost monitoring, usage tracking, and automated alerting. Budgets help you monitor your AWS costs and usage, and receive alerts when you exceed or are forecasted to exceed your defined thresholds.

Key Features

  • Cost and Usage Monitoring: Track spending across accounts, services, and resources
  • Automated Alerting: Email and SNS notifications when thresholds are exceeded
  • Multiple Budget Types: Support for cost, usage, RI utilization, and Savings Plans
  • Flexible Thresholds: Percentage or absolute value threshold configurations
  • Multi-Account Deployment: Deploy budgets across organizational units and accounts

Budget Types Supported

  • COST: Monitor spending in your preferred currency
  • USAGE: Track service usage hours or quantities
  • RI_UTILIZATION: Monitor Reserved Instance utilization rates
  • RI_COVERAGE: Track Reserved Instance coverage percentages
  • SAVINGS_PLANS_UTILIZATION: Monitor Savings Plans utilization
  • SAVINGS_PLANS_COVERAGE: Track Savings Plans coverage

Usage Example

```yaml
  # Daily usage budget for EC2 hours
  - name: ec2-usage-budget
    timeUnit: DAILY
    type: USAGE
    amount: 1000
    unit: Hrs
    notifications:
      - type: FORECASTED
        thresholdType: ABSOLUTE_VALUE
        threshold: 800
        comparisonOperator: GREATER_THAN
        subscriptionType: EMAIL
        recipients:
          - [email protected]
```
amount number required

Budget Amount (Required)

The cost or usage amount that defines the budget threshold. This value represents the maximum amount you want to spend (for COST budgets) or consume (for USAGE budgets) within the specified time period.

Amount Guidelines

  • Cost Budgets: Specify amount in your preferred currency unit
  • Usage Budgets: Specify amount in service-specific units (hours, GB, requests)
  • RI/Savings Plans: Specify percentage values (0-100) for utilization/coverage

Examples

```yaml
# Daily EC2 usage budget of 1,000 hours
amount: 1000
type: USAGE
unit: Hrs

# RI utilization target of 80%
amount: 80
type: RI_UTILIZATION
```
Default: 2000
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
timeUnit string required

Time Unit (Required)

The time period over which the budget amount is measured and reset. Determines how frequently the budget resets and when notifications are evaluated.

Available Time Units

  • DAILY: Budget resets every day (available for all budget types)
  • MONTHLY: Budget resets monthly (most common, recommended)
  • QUARTERLY: Budget resets every 3 months
  • ANNUALLY: Budget resets yearly (good for annual planning)

Usage Guidelines

```yaml
# Daily monitoring for high-usage services
timeUnit: DAILY
type: USAGE

# Annual budgets for long-term planning
timeUnit: ANNUALLY
type: COST
```

Special Considerations

  • RI_UTILIZATION and RI_COVERAGE budgets support DAILY time units
  • DAILY budgets provide more granular monitoring but may generate more alerts
  • MONTHLY is recommended for most cost management use cases
type string required

Budget Type (Required)

Specifies what the budget monitors - costs, usage, or Reserved Instance metrics. The budget type determines how the amount is interpreted and what data is tracked.

Budget Types

  • COST: Monitors spending in your specified currency
  • USAGE: Tracks service usage quantities (hours, GB, requests)
  • RI_UTILIZATION: Monitors Reserved Instance utilization percentage
  • RI_COVERAGE: Tracks Reserved Instance coverage percentage
  • SAVINGS_PLANS_UTILIZATION: Monitors Savings Plans utilization
  • SAVINGS_PLANS_COVERAGE: Tracks Savings Plans coverage

Type-Specific Considerations

```yaml
# Usage monitoring
type: USAGE
amount: 1000
unit: Hrs

# Reserved Instance optimization
type: RI_UTILIZATION
amount: 80  # Target 80% utilization

# Savings Plans monitoring
type: SAVINGS_PLANS_COVERAGE
amount: 70  # Target 70% coverage
```
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
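The Deployment Targets interface is documented three times on this page (under the access log bucket, the account CloudTrail configuration and the budget report); the example below is added here to cover all three and is not LZA's own code. It resolves a deploymentTargets block into the concrete account/region pairs it selects, applying the precedence stated above (excludedAccounts wins over both organizationalUnits and accounts inclusions; excludedRegions removes regions). The organization model, OU and account names, and enabled-region list are constructed for the example; how LZA itself expands the Root OU is not shown on this page, so Root is simply modelled as containing every account.

```typescript
// Added example, not LZA's own code. Resolves a deploymentTargets block into
// the (account, region) pairs it selects, applying the precedence described
// on this page: excludedAccounts overrides both organizationalUnits and
// accounts inclusions, and excludedRegions removes regions from the set.
interface DeploymentTargets {
  accounts?: string[];
  organizationalUnits?: string[];
  excludedAccounts?: string[];
  excludedRegions?: string[];
}

// Constructed organization model (hypothetical OU and account names).
// Root is modelled here as containing every account in the organization.
const SAMPLE_ORG: Record<string, string[]> = {
  Root: ['Management', 'LogArchive', 'Audit', 'Workload1', 'Workload2'],
  Infrastructure: ['LogArchive', 'Audit'],
  Production: ['Workload1'],
  Development: ['Workload2'],
};

// Constructed list of regions enabled for the deployment.
const SAMPLE_ENABLED_REGIONS = ['us-east-1', 'us-west-1', 'eu-west-1'];

function resolveTargetAccounts(targets: DeploymentTargets, org: Record<string, string[]>): string[] {
  const included = new Set<string>();
  for (const ou of targets.organizationalUnits ?? []) {
    for (const account of org[ou] ?? []) {
      included.add(account);
    }
  }
  for (const account of targets.accounts ?? []) {
    included.add(account);
  }
  // Exclusions are applied last so they override every inclusion above,
  // including an account that was listed explicitly under "accounts".
  const excluded = new Set(targets.excludedAccounts ?? []);
  return Array.from(included).filter((a) => !excluded.has(a)).sort();
}

function resolveTargetRegions(targets: DeploymentTargets, enabledRegions: string[]): string[] {
  const excluded = new Set(targets.excludedRegions ?? []);
  return enabledRegions.filter((r) => !excluded.has(r));
}

// Cartesian product of the surviving accounts and regions, as "account/region".
function resolveDeploymentPairs(
  targets: DeploymentTargets,
  org: Record<string, string[]>,
  enabledRegions: string[],
): string[] {
  const pairs: string[] = [];
  const regions = resolveTargetRegions(targets, enabledRegions);
  for (const account of resolveTargetAccounts(targets, org)) {
    for (const region of regions) {
      pairs.push(`${account}/${region}`);
    }
  }
  return pairs;
}

// The example block from this page: Production and Development OUs,
// Management excluded, us-west-1 excluded.
const PAGE_EXAMPLE: DeploymentTargets = {
  organizationalUnits: ['Production', 'Development'],
  excludedAccounts: ['Management'],
  excludedRegions: ['us-west-1'],
};
console.log(resolveDeploymentPairs(PAGE_EXAMPLE, SAMPLE_ORG, SAMPLE_ENABLED_REGIONS));
```

Printing the resolved pairs before a pipeline run is a cheap way to confirm that an exclusion actually removed the management account, or that a compliance-driven region exclusion took effect, instead of discovering it from stack output after deployment.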

includeCredit boolean

Include Credits (Optional)

Whether to include AWS credits in the budget calculation. When enabled, credits reduce the total amount counted against the budget.

Credit Types

  • AWS promotional credits
  • Service credits for SLA violations
  • Partner-provided credits
  • Migration incentive credits

Best Practices

  • Enable for net cost visibility after credits
  • Disable for tracking actual resource consumption costs
Default: true
includeDiscount boolean

Include Discounts (Optional)

Whether to include discounts in the budget calculation. When enabled, discounts reduce the total amount counted against the budget.

Discount Types

  • Volume discounts
  • Reserved Instance discounts
  • Savings Plans discounts
  • Promotional credits

Considerations

  • Enable to see net costs after discounts
  • Disable to track gross costs before discounts
Default: true
includeOtherSubscription boolean

Include Other Subscriptions (Optional)

Whether to include non-Reserved Instance subscription costs such as Savings Plans, software subscriptions, and marketplace subscriptions.

Subscription Types Included

  • AWS Marketplace software subscriptions
  • Third-party software licenses
  • Other recurring subscription charges
Default: true
includeRecurring boolean

Include Recurring Costs (Optional)

Whether to include recurring fees such as monthly Reserved Instance charges, data transfer fees, and other predictable recurring costs.

Recurring Cost Types

  • Monthly RI fees (after upfront payment)
  • Data transfer charges
  • Storage fees
  • Other predictable monthly charges
Default: true
includeRefund boolean

Include Refunds (Optional)

Whether to include refunds in the budget calculation. When enabled, refunds reduce the total amount counted against the budget.

When to Include

  • Enable for net cost tracking that accounts for refunds
  • Disable for gross cost tracking without refund adjustments
  • Consider impact on budget accuracy if refunds are frequent
Default: true
includeSubscription boolean

Include Subscriptions (Optional)

Whether to include general subscription costs in the budget calculation. This is a broader category that encompasses various subscription-based charges.

When to Include

  • Enable for comprehensive subscription cost tracking
  • Disable when focusing only on usage-based costs
Default: true
includeSupport boolean

Include Support Costs (Optional)

Whether to include AWS Support subscription fees in the budget calculation. This includes Business, Enterprise, and other support plan charges.

When to Include

  • Enable for complete operational cost visibility
  • Disable when support costs are managed separately
  • Consider if support costs should be allocated to specific teams/projects
Default: true
includeTax boolean

Include Tax (Optional)

Whether to include taxes in the budget calculation. This includes all applicable taxes such as VAT, sales tax, and other regional taxes.

Considerations

  • Enable for total cost visibility including all charges
  • Disable for pre-tax budget management
  • Consider regional tax implications for multi-region deployments
Default: true
includeUpfront boolean

Include Upfront Costs (Optional)

Whether to include upfront Reserved Instance costs in the budget calculation. Upfront costs are one-time payments made when purchasing Reserved Instances.

When to Include

  • Enable for comprehensive cost tracking that includes RI purchases
  • Enable when budgeting for periods that include RI purchases
  • Disable for operational cost budgets that exclude capital expenditures
Default: true
notifications INotificationConfig[]

Budget Notifications (Optional)

List of notification configurations that define when and how alerts are sent when budget thresholds are exceeded or forecasted to be exceeded.

Notification Types

  • ACTUAL: Alert when actual spending/usage exceeds threshold
  • FORECASTED: Alert when forecasted spending/usage will exceed threshold

Threshold Types

  • PERCENTAGE: Threshold as percentage of budget amount
  • ABSOLUTE_VALUE: Threshold as absolute value in budget units

Best Practices

```yaml
  # Critical alert at 90% actual spend
  - type: ACTUAL
    thresholdType: PERCENTAGE
    threshold: 90
    comparisonOperator: GREATER_THAN
    subscriptionType: EMAIL
    recipients:
      - [email protected]
      - [email protected]
```
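To show how the notification fields above combine with the ComparisonOperator type defined at the top of this page, here is an added evaluator that is not LZA's own code: ACTUAL versus FORECASTED selects which figure is compared, a PERCENTAGE threshold is scaled by the budget amount while an ABSOLUTE_VALUE threshold is used as given, and the comparison operator decides whether the alert fires. The snapshot field names (amount, actual, forecasted) and the recipient addresses are constructed for the example, not AWS Budgets API names.

```typescript
// Added example, not LZA's own code. Evaluates budget notifications as this
// page describes them and returns the recipients that would be alerted.
type ComparisonOperator = 'GREATER_THAN' | 'LESS_THAN' | 'EQUAL_TO';
type ThresholdType = 'PERCENTAGE' | 'ABSOLUTE_VALUE';
type NotificationType = 'ACTUAL' | 'FORECASTED';

interface NotificationConfig {
  type: NotificationType;
  thresholdType: ThresholdType;
  threshold: number;
  comparisonOperator: ComparisonOperator;
  recipients: string[];
}

// Figures for one budget period. Field names are an assumption for this
// example; they are not AWS Budgets API names.
interface BudgetSnapshot {
  amount: number; // the budget's configured amount
  actual: number; // spend or usage so far in the period
  forecasted: number; // projected end-of-period spend or usage
}

// PERCENTAGE thresholds are relative to the budget amount; ABSOLUTE_VALUE
// thresholds are already in budget units.
function effectiveThreshold(n: NotificationConfig, budgetAmount: number): number {
  return n.thresholdType === 'PERCENTAGE' ? (budgetAmount * n.threshold) / 100 : n.threshold;
}

function compare(value: number, op: ComparisonOperator, threshold: number): boolean {
  if (op === 'GREATER_THAN') return value > threshold;
  if (op === 'LESS_THAN') return value < threshold;
  return value === threshold; // EQUAL_TO
}

function notificationFires(n: NotificationConfig, snapshot: BudgetSnapshot): boolean {
  const observed = n.type === 'ACTUAL' ? snapshot.actual : snapshot.forecasted;
  return compare(observed, n.comparisonOperator, effectiveThreshold(n, snapshot.amount));
}

// Returns the de-duplicated, sorted recipients of every notification that fires.
function recipientsToAlert(notifications: NotificationConfig[], snapshot: BudgetSnapshot): string[] {
  const out = new Set<string>();
  for (const n of notifications) {
    if (notificationFires(n, snapshot)) {
      n.recipients.forEach((r) => out.add(r));
    }
  }
  return Array.from(out).sort();
}

// Constructed notifications: the 90% actual-spend alert shown on this page,
// a forecasted absolute-value alert, and a 100% alert that should stay quiet.
// Addresses are placeholders.
const SAMPLE_NOTIFICATIONS: NotificationConfig[] = [
  { type: 'ACTUAL', thresholdType: 'PERCENTAGE', threshold: 90, comparisonOperator: 'GREATER_THAN',
    recipients: ['finance@example.invalid', 'oncall@example.invalid'] },
  { type: 'FORECASTED', thresholdType: 'ABSOLUTE_VALUE', threshold: 2000, comparisonOperator: 'GREATER_THAN',
    recipients: ['finance@example.invalid'] },
  { type: 'ACTUAL', thresholdType: 'PERCENTAGE', threshold: 100, comparisonOperator: 'GREATER_THAN',
    recipients: ['cto@example.invalid'] },
];

// Constructed snapshot: a 2000-unit budget (the amount default on this page),
// 1850 spent so far, 2100 forecast for the period.
const SAMPLE_SNAPSHOT: BudgetSnapshot = { amount: 2000, actual: 1850, forecasted: 2100 };
console.log(recipientsToAlert(SAMPLE_NOTIFICATIONS, SAMPLE_SNAPSHOT));
```

Running a candidate notification list against a few representative snapshots like this shows whether a threshold is pitched where you expect (90% of 2000 is 1800, so 1850 actual spend already fires) before the configuration is committed.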
subscriptionType SubscriptionType | string

Subscription Type (Optional)

Default notification delivery method for budget alerts. This can be overridden in individual notification configurations.

Available Types

  • EMAIL: Send notifications via email (most common)
  • SNS: Send notifications via Amazon SNS topic

Usage Guidelines

```yaml
# SNS for integration with other systems
subscriptionType: SNS
```

Note: Individual notifications can override this default setting.
unit string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
useAmortized boolean

Use Amortized Costs (Optional)

Whether to use amortized costs for Reserved Instances and Savings Plans. Amortized costs spread upfront payments across the term of the commitment.

Amortized vs. Unblended

  • Amortized: Spreads upfront RI costs across the RI term
  • Unblended: Shows actual charges as they occur

When to Use

  • Enable for consistent monthly cost allocation
  • Disable for cash flow and actual billing tracking
  • Useful for chargeback and cost allocation scenarios
Default: false
useBlended boolean

Use Blended Rates (Optional)

Whether to use blended rates that average costs across different pricing tiers. Blended rates provide a simplified view by averaging tiered pricing.

Blended vs. Unblended

  • Blended: Averages costs across pricing tiers
  • Unblended: Shows actual per-unit costs for each tier

When to Use

  • Enable for simplified cost analysis and reporting
  • Disable for detailed cost optimization and tier analysis
  • Consider organizational reporting requirements
Default: false
ICdkOptionsConfig object

CDK Options

Manage the behavior of CDK within LZA.

Key Features

  • Centralize Buckets: Determines whether CDK will use a single, centralized S3 bucket per region
  • Deployment Role Management: Determines whether CDK will use a custom execution role for CDK operations

Example

```yaml
cdkOptions:
  centralizeBuckets: true
  useManagementAccessRole: true
  deploymentMethod: 'direct'
```

centralizeBuckets boolean required

Centralize Buckets (Required)

When the accelerator deploys resources using the AWS CDK, assets are first built and stored in S3. By default, the S3 bucket is located within the deployment target account. Enabling this feature will utilize an S3 bucket within the management account instead.

useManagementAccessRole boolean required

Use Management Access Role (Required)

Indicates whether CDK operations use the IAM role specified in the managementAccountAccessRole option of the global config rather than the default roles created by CDK.

customDeploymentRole string

Custom Deployment Role (Optional)

Create a deployment role in all accounts in the home region with the specified name. This role is used by the LZA for all CDK deployment tasks.

deploymentMethod string

Deployment Method (Optional)

Manage the CDK deployment method for the LZA

Options

  • 'direct': Default used by the LZA
  • 'change-set': Provides additional progress information, can increase deployment time
Default: "direct"
Values: "change-set" "direct"
forceBootstrap boolean

Force Bootstrap (Optional)

Forces the Accelerator to deploy the bootstrapping stack and bypass the SSM parameter check that normally skips an already-bootstrapped account. This option is needed when adding or removing a custom deployment role.

Default: false
skipStaticValidation boolean

Skip Static Validation (Optional)

When enabled, the LZA pipeline will skip the static config validation step during the build phase. Helpful in cases where the config validator incorrectly throws errors for a valid configuration. Treat it as a temporary workaround: with validation skipped, a genuine misconfiguration is only caught at deployment time.

ICentralLogBucketConfig object

Central Log Bucket Configuration

Configuration for the central log bucket used to store centralized logs from across the organization.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
centralLogBucket:
  lifecycleRules:
    - enabled: true
      id: CentralLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  kmsResourcePolicyAttachments:
    - policy: kms-policies/policy1.json
  importedBucket:
    name: central-log-bucket
    applyAcceleratorManagedBucketPolicy: true
    createAcceleratorManagedKey: false
```

customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

2 nested properties
kmsPolicy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
s3Policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options


```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

Important Considerations

When true:

  • The accelerator REPLACES the existing bucket resource policy
  • Combines accelerator-generated policies with external policy files
  • Ensures compatibility with enabled security services
  • WARNING: Removes any existing custom S3 policies on the bucket

When false (default):

  • Preserves the existing bucket resource policy
  • Only adds policies from external s3ResourcePolicyAttachments files
  • No changes if no external policy files are provided
  • Existing policies remain intact

Best Practices

  • Set to true for buckets that need full accelerator integration
  • Set to false for buckets with critical existing policies
  • Review existing policies before enabling accelerator management, and keep an exported copy of the current policy so it can be restored
  • Test policy changes in non-production environments first
Default: false
kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket encryption key policy.

Notes

  • Cannot be used when the customPolicyOverrides.kmsPolicy property has a value
  • When importing a central logs bucket with createAcceleratorManagedKey set to false, this property must be left undefined (there is no accelerator-managed key whose policy could be extended)
  • The Central Logs Bucket may use either SSE-S3 (Amazon S3 managed keys) or SSE-KMS. Only SSE-KMS keys can adopt the KMS resource policy files.

Example

```yaml
kmsResourcePolicyAttachments:
  - policy: kms-policies/central-log-key-policy.json
```

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the central log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CentralLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/central-log-policy.json
  - policy: s3-policies/cross-account-access.json
```
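The rules stated for the central log bucket (attachments versus customPolicyOverrides, the createAcceleratorManagedKey restriction on kmsResourcePolicyAttachments, and the Block Public Access note) can be checked before a pipeline run. The Python below is an added example, not code from the Landing Zone Accelerator: it validates a centralLogBucket fragment held as a dict (a constructed sample matching the examples above), then merges the statements of the referenced s3ResourcePolicyAttachments files (also constructed inline) into one bucket policy and refuses any statement that would make the bucket public. The public test is a deliberate simplification of the real Block Public Access evaluation, which treats some conditions such as aws:PrincipalOrgID as non-public; use it as a pre-flight check, not as the authority.

```python
"""Pre-flight checks for an LZA centralLogBucket block (added example, not LZA code)."""
from __future__ import annotations

from typing import Any

# Constructed sample: contents of the policy files referenced from the config,
# keyed by the relative path the config would use.
POLICY_FILES: dict[str, dict[str, Any]] = {
    "s3-policies/central-log-policy.json": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::central-log-bucket/*",
            # Scoped to the organization, so not public under Block Public Access
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        }],
    },
    "s3-policies/public-read.json": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::central-log-bucket/*",
        }],
    },
}

# Constructed sample configs: one that follows the documented rules, one that breaks them.
GOOD_CONFIG: dict[str, Any] = {
    "importedBucket": {"name": "central-log-bucket",
                       "applyAcceleratorManagedBucketPolicy": True,
                       "createAcceleratorManagedKey": False},
    "s3ResourcePolicyAttachments": [{"policy": "s3-policies/central-log-policy.json"}],
}
BAD_CONFIG: dict[str, Any] = {
    "importedBucket": {"name": "central-log-bucket", "createAcceleratorManagedKey": False},
    "kmsResourcePolicyAttachments": [{"policy": "kms-policies/policy1.json"}],
    "customPolicyOverrides": {"s3Policy": "policies/custom-bucket-policy.json"},
    "s3ResourcePolicyAttachments": [{"policy": "s3-policies/public-read.json"}],
}


def validate_central_log_bucket(cfg: dict[str, Any]) -> list[str]:
    """Return the documented mutual-exclusion violations in a centralLogBucket block."""
    errors: list[str] = []
    overrides = cfg.get("customPolicyOverrides") or {}
    imported = cfg.get("importedBucket") or {}
    if cfg.get("s3ResourcePolicyAttachments") and overrides.get("s3Policy"):
        errors.append("s3ResourcePolicyAttachments cannot be used with customPolicyOverrides.s3Policy")
    if cfg.get("kmsResourcePolicyAttachments") and overrides.get("kmsPolicy"):
        errors.append("kmsResourcePolicyAttachments cannot be used with customPolicyOverrides.kmsPolicy")
    if imported.get("createAcceleratorManagedKey") is False and cfg.get("kmsResourcePolicyAttachments"):
        errors.append("kmsResourcePolicyAttachments must be undefined when "
                      "importedBucket.createAcceleratorManagedKey is false")
    return errors


def is_public_statement(stmt: dict[str, Any]) -> bool:
    """Simplified Block Public Access test: an unconditioned Allow for any principal."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return wildcard and not stmt.get("Condition")


def assemble_bucket_policy(cfg: dict[str, Any],
                           files: dict[str, Any] = POLICY_FILES) -> dict[str, Any]:
    """Merge every s3ResourcePolicyAttachments file into one bucket policy document."""
    statements: list[dict[str, Any]] = []
    for attachment in cfg.get("s3ResourcePolicyAttachments", []):
        path = attachment["policy"]
        for stmt in files[path]["Statement"]:
            if is_public_statement(stmt):
                raise ValueError(f"{path}: statement {stmt.get('Sid')} would make the bucket public")
            statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def rejects_public_policy(cfg: dict[str, Any]) -> bool:
    """True when assembling the policy is refused because a statement is public."""
    try:
        assemble_bucket_policy(cfg)
    except ValueError:
        return True
    return False
```

Run validate_central_log_bucket first and stop on any error; only then assemble and review the merged policy, since the accelerator combines these files with its own generated statements and a public statement would be rejected by Block Public Access at deployment time.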

ICentralRootUserManagementConfig object

Central Root User Management Configuration

Configure how root management is controlled within the organization.

Example

```yaml
centralRootUserManagement:
  enable: true
  capabilities:
    rootCredentialsManagement: true
    allowRootSessions: true
```

capabilities object required

Root User Management Capabilities Configuration

Determines how root user management is controlled within the organization.

2 nested properties
allowRootSessions boolean required

Allow Root Sessions (Required)

Determines whether root user sessions are allowed.

rootCredentialsManagement boolean required

Root Credentials Management (Required)

Determines whether root user credentials are managed by the organization.

enable boolean required

Enable (Required)

Determines whether root user management is enabled for the organization.

ICentralizeCdkBucketsConfig object

Centralized CDK Buckets Configuration

enable boolean required
ICloudTrailConfig object

Cloudtrail Configuration

Used to enable and configure CloudTrail for the LZA deployment.

Example

```yaml
cloudtrail:
  enable: true
  organizationTrail: true
  organizationTrailSettings:
    multiRegionTrail: true
    globalServiceEvents: true
    managementEvents: true
    s3DataEvents: true
    lambdaDataEvents: true
    sendToCloudWatchLogs: true
    apiErrorRateInsight: false
    apiCallRateInsight: false
  accountTrails: []
  lifecycleRules: []
```

enable boolean required

Enable (Required)

Whether or not to enable CloudTrail. This setting alone does not create any trails. Enabling organizationTrail will create an organization-level trail. Additionally, you can set up account-level trails.

organizationTrail boolean required

Organization Trail (Required)

When enabled alongside the enable setting, LZA will create an organization-level trail.

Account Trails (Optional)

Configurations for account-level trails to be created by the LZA deployment.

lifecycleRules ILifecycleRule[]

S3 Log Bucket Lifecycle Rules (Optional)

Optional lifecycle rules for the S3 log bucket

organizationTrailSettings object

Cloud Trail Settings Configuration

Additional settings used to configure an organization-level trail.

Example

```yaml
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
```

8 nested properties
apiCallRateInsight boolean required

API Call Rate Insight (Required)

Will enable CloudTrail Insights and enable the API Call Rate Insight

apiErrorRateInsight boolean required

API Error Rate Insight (Required)

Will enable CloudTrail insights and enable the API Error Rate Insight

globalServiceEvents boolean required

Global Service Events (Required)

For global services, events are delivered to any trail that includes global services and are logged in the us-east-1 region.

lambdaDataEvents boolean required

Lambda Data Events (Required)

Adds a Lambda data event selector for filtering events that match Lambda operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled. Data events are billed separately from management events and will incur additional costs for your CloudTrail.

Default: true
managementEvents boolean required

Management Events (Required)

Whether or not to log management events, or control plane operations. Management events can also include non-API events that occur in your account, such as a user logging in to the account. Enabling sets ReadWriteType.ALL.

multiRegionTrail boolean required

Multi-Region Trail (Required)

Determines whether or not this trail delivers log files from all regions to the account.

s3DataEvents boolean required

S3 Data Events (Required)

Adds an S3 data event selector for filtering events that match S3 operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled. Data events are billed separately from management events and will incur additional costs for your CloudTrail.

Default: true
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether CloudTrail pushes logs to CloudWatch logs in addition to S3.

ICloudTrailSettingsConfig object

Cloud Trail Settings Configuration

Additional settings used to configure an organization-level trail.

Example

```yaml
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
```

apiCallRateInsight boolean required

API Call Rate Insight (Required)

Will enable CloudTrail Insights and enable the API Call Rate Insight

apiErrorRateInsight boolean required

API Error Rate Insight (Required)

Will enable CloudTrail insights and enable the API Error Rate Insight

globalServiceEvents boolean required

Global Service Events (Required)

For global services, events are delivered to any trail that includes global services and are logged in the us-east-1 region.

lambdaDataEvents boolean required

Lambda Data Events (Required)

Adds a Lambda data event selector for filtering events that match Lambda operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled. Data events are billed separately from management events and will incur additional costs for your CloudTrail.

Default: true
managementEvents boolean required

Management Events (Required)

Whether or not to log management events, or control plane operations. Management events can also include non-API events that occur in your account, such as a user logging in to the account. Enabling sets ReadWriteType.ALL.

multiRegionTrail boolean required

Multi-Region Trail (Required)

Determines whether or not this trail delivers log files from all regions to the account.

s3DataEvents boolean required

S3 Data Events (Required)

Adds an S3 data event selector for filtering events that match S3 operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.

Considerations

By default, this feature is enabled. Data events are billed separately from management events and will incur additional costs for your CloudTrail.

Default: true
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether CloudTrail pushes logs to CloudWatch logs in addition to S3.
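To make the settings flags concrete, the Python below (an added illustration, not the accelerator's implementation) maps an organizationTrailSettings block, as used by both ICloudTrailConfig.organizationTrailSettings and ICloudTrailSettingsConfig above, onto the CloudTrail API structures each flag governs: the trail attributes, the EventSelectors passed to PutEventSelectors, and the InsightSelectors passed to PutInsightSelectors. The wildcards arn:aws:s3 and arn:aws:lambda are the values CloudTrail accepts to log every bucket or every function; the log group and role ARNs that sendToCloudWatchLogs would need are deployment-specific and are left out. The sample settings are constructed from the example above.

```python
"""Map ICloudTrailSettingsConfig flags onto the CloudTrail API structures they
govern (added illustration; not the accelerator's own implementation)."""
from __future__ import annotations

from typing import Any

# Constructed sample: the organizationTrailSettings example above.
SETTINGS: dict[str, bool] = {
    "multiRegionTrail": True,
    "globalServiceEvents": True,
    "managementEvents": True,
    "s3DataEvents": True,
    "lambdaDataEvents": True,
    "sendToCloudWatchLogs": True,
    "apiErrorRateInsight": False,
    "apiCallRateInsight": False,
}


def trail_attributes(settings: dict[str, bool]) -> dict[str, Any]:
    """Trail-level attributes (CreateTrail / UpdateTrail)."""
    return {
        "IsOrganizationTrail": True,
        "IsMultiRegionTrail": bool(settings.get("multiRegionTrail")),
        "IncludeGlobalServiceEvents": bool(settings.get("globalServiceEvents")),
        # sendToCloudWatchLogs additionally needs CloudWatchLogsLogGroupArn and
        # CloudWatchLogsRoleArn; both depend on the deployment and are omitted here.
    }


def event_selectors(settings: dict[str, bool]) -> list[dict[str, Any]]:
    """EventSelectors for PutEventSelectors.

    managementEvents -> IncludeManagementEvents with ReadWriteType All
    s3DataEvents     -> DataResources entry for every S3 object (arn:aws:s3)
    lambdaDataEvents -> DataResources entry for every Lambda function (arn:aws:lambda)
    """
    data_resources: list[dict[str, Any]] = []
    if settings.get("s3DataEvents"):
        data_resources.append({"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]})
    if settings.get("lambdaDataEvents"):
        data_resources.append({"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]})
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": bool(settings.get("managementEvents")),
        "DataResources": data_resources,
    }]


def insight_selectors(settings: dict[str, bool]) -> list[dict[str, str]]:
    """InsightSelectors for PutInsightSelectors; an empty list leaves Insights off."""
    selectors: list[dict[str, str]] = []
    if settings.get("apiCallRateInsight"):
        selectors.append({"InsightType": "ApiCallRateInsight"})
    if settings.get("apiErrorRateInsight"):
        selectors.append({"InsightType": "ApiErrorRateInsight"})
    return selectors
```

The DataResources entries are what drive the extra cost called out under s3DataEvents and lambdaDataEvents: with both flags set, every object-level S3 call and every Lambda invocation across the organization becomes a billed data event.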

ICloudWatchDataProtectionConfig object

CloudWatch Log Data Protection Configuration

Allows the enablement of CloudWatch Logs data protection.

Example

```yaml
dataProtection:
  managedDataIdentifiers:
    categories:
      - Credentials
  deploymentTargets:
    organizationalUnits:
      - Root
```

managedDataIdentifiers object required

Managed Data Protection Identifier Configuration

Allows the protection of CloudWatch Logs data. Currently, only the Credentials category is supported.

1 nested properties
categories string[] required

Categories (Required)

List of categories to protect.

Default: "Credentials"
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

overrideExisting boolean

Override Existing (Optional)

Indicates whether any existing CloudWatch Log data protection configurations can be overwritten.

Default: false
ICloudWatchFirehoseConfig object

CloudWatch Firehose Configuration

Configuration for the CloudWatch Logs Firehose.

Example

```yaml
logging:
  cloudwatchLogs:
    firehose:
      fileExtension: json.gz
      lambdaProcessor:
        retries: 3
        bufferSize: 0.2
        bufferInterval: 60
```

fileExtension string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
lambdaProcessor object

CloudWatch Firehose Lambda Configuration

Enables the configuration of the lambda processor used to process incoming logs to the LogArchive account.

3 nested properties
bufferInterval number

Buffer Interval (Optional)

The period of time, in seconds, for which Amazon Data Firehose buffers incoming data before invoking the Lambda function. The function is invoked as soon as either the buffer size or the buffer interval is reached.

Valid values range from 60 to 900 seconds.

Default: 60
bufferSize number

Buffer Size (Optional)

The amount of data, in MB, that Firehose buffers before invoking the Lambda function. The Lambda function has a 6 MB invocation payload quota and your data can expand in size during processing, so a smaller buffer size leaves more headroom for that expansion.

Valid values range from 0.2 to 3 MB.

Default: 0.2
retries number

Retries (Optional)

How many times Firehose will retry the Lambda invocation.

Default: 3
ICloudWatchFirehoseLambdaProcessorConfig object

CloudWatch Firehose Lambda Configuration

Enables the configuration of the lambda processor used to process incoming logs to the LogArchive account.

bufferInterval number

Buffer Interval (Optional)

The period of time, in seconds, for which Amazon Data Firehose buffers incoming data before invoking the Lambda function. The function is invoked as soon as either the buffer size or the buffer interval is reached.

Valid values range from 60 to 900 seconds.

Default: 60
bufferSize number

Buffer Size (Optional)

The amount of data, in MB, that Firehose buffers before invoking the Lambda function. The Lambda function has a 6 MB invocation payload quota and your data can expand in size during processing, so a smaller buffer size leaves more headroom for that expansion.

Valid values range from 0.2 to 3 MB.

Default: 0.2
retries number

Retries (Optional)

How many times Firehose will retry the Lambda invocation.

Default: 3
ICloudWatchKinesisConfig object

CloudWatch Kinesis Configuration

Configuration for the Kinesis data stream that receives CloudWatch Logs.

Key Features

  • Real-time Processing: Stream CloudWatch Logs data in real-time for immediate analysis
  • Scalable Throughput: Configure capacity based on your data volume requirements
  • Flexible Retention: Store data for 24 hours to 365 days for replay and reprocessing
  • Cost Optimization: Choose between on-demand and provisioned capacity modes
  • Integration Ready: Seamlessly integrates with AWS analytics and processing services

Example

```yaml
logging:
  cloudwatchLogs:
    kinesis:
      streamingMode: PROVISIONED
      shardCount: 5
      retention: 240
```

streamingMode string required
Values: "ON_DEMAND" "PROVISIONED"
retention number

Retention (Optional)

The number of hours the data records are stored in shards and remain accessible.

The value should be between 24 and 8760

Default: 24
shardCount number

Shard Count (Optional)

The number of shards the stream uses. For greater throughput, increase the number of shards. Only applicable if streamingMode is 'PROVISIONED'; otherwise this is ignored. A single update cannot more than double the current shard count. For example, you cannot go from 1 shard to 4 in one step.

Default: 1
ICloudWatchLogSkipBulkUpdateConfig object

Skip Bulk Update Configuration

Configuration to skip the bulk update of CloudWatch Logs. Warning: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable this option if you fully understand the implications.

enable boolean required

Enable (Required)

Whether or not to skip the bulk update of CloudWatch log groups.

skipBulkUpdateTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

ICloudWatchLogsConfig object

CloudWatch Logs Configuration

Key Features

  • Configure logs encryption
  • Manage Subscriptions for CloudWatch Logs
  • Enable CloudWatch Logs replication

Example

```yaml
cloudwatchLogs:
  dynamicPartitioning: path/to/filter.json
  # default is true, if undefined this is set to true
  # if set to false, no replication is performed which is useful in test or temporary environments
  enable: true
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root
  replaceLogDestinationArn: arn:aws:logs:us-east-1:111111111111:destination:ReplaceDestination
  exclusions:
    # in these OUs do not do log replication
    - organizationalUnits:
        - Research
        - ProofOfConcept
      excludeAll: true
    # in these accounts exclude pattern testApp
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      logGroupNames:
        - testApp*
    # in these accounts exclude logs in specific regions
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      regions:
        - us-west-2
        - eu-west-1
      logGroupNames:
        - pattern1*
  dataProtection:
    managedDataIdentifiers:
      categories:
        - Credentials
    deploymentTargets:
      organizationalUnits:
        - Root
```

dataProtection object

CloudWatch Log Data Protection Configuration

Allows the enablement of CloudWatch Logs data protection.

Example

```yaml
dataProtection:
  managedDataIdentifiers:
    categories:
      - Credentials
  deploymentTargets:
    organizationalUnits:
      - Root
```

3 nested properties
managedDataIdentifiers object required

Managed Data Protection Identifier Configuration

Allows the protection of CloudWatch Logs data. Currently, only the Credentials category is supported.

1 nested properties
categories string[] required

Categories (Required)

List of categories to protect.

Default: "Credentials"
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

overrideExisting boolean

Override Existing (Optional)

Indicates whether any existing CloudWatch Log data protection configurations can be overwritten.

Default: false
dynamicPartitioning string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
dynamicPartitioningByAccountId boolean

Dynamic Partitioning by Account ID (Optional)

Whether or not the ID of the account that produced the CloudWatch Logs is used in the partitioning strategy of the logs. For example: s3://<central-logs-bucket>/CloudWatchLogs/<account id>/.

Use With Dynamic Partitioning

If dynamicPartitioning is also in use, the account ID comes before the supplied S3 prefix. For example, the following filter entry results in s3://<central-logs-bucket>/CloudWatchLogs/<account id>/s3-prefix/ being used as the partition:

```json
{ "logGroupPattern": "LogGroupName", "s3Prefix": "s3-prefix" }
```
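The exclusions in the cloudwatchLogs example and the two partitioning settings above decide, per log group, whether it is replicated and under which prefix it lands in the central logs bucket. The Python below is an added example, not accelerator code: it encodes the exclusion rules and the filter file from the examples as constructed data and treats logGroupNames and logGroupPattern as glob patterns, which is an assumption about matching semantics the page does not spell out.

```python
"""Replication routing for a CloudWatch log group under the cloudwatchLogs
exclusions and dynamic partitioning settings documented above.
Added example; not the accelerator's own code."""
from __future__ import annotations

from fnmatch import fnmatchcase

# Constructed: the exclusions list from the cloudwatchLogs example above.
EXCLUSIONS: list[dict] = [
    {"organizationalUnits": ["Research", "ProofOfConcept"], "excludeAll": True},
    {"accounts": ["WorkloadAccount1"], "logGroupNames": ["testApp*"]},
    {"accounts": ["WorkloadAccount1"], "regions": ["us-west-2", "eu-west-1"],
     "logGroupNames": ["pattern1*"]},
]

# Constructed: contents of the dynamicPartitioning filter file (path/to/filter.json).
# Assumption: logGroupPattern is matched as a glob and the first match wins.
PARTITION_FILTER: list[dict] = [
    {"logGroupPattern": "LogGroupName", "s3Prefix": "s3-prefix"},
    {"logGroupPattern": "/aws/lambda/*", "s3Prefix": "lambda"},
]


def is_excluded(account: str, ou: str, region: str, log_group: str,
                exclusions: list[dict] = EXCLUSIONS) -> bool:
    """True when some exclusion rule keeps this log group out of replication.

    A rule applies only to the OUs / accounts / regions it names; a rule that
    names none of them applies everywhere. excludeAll drops every log group,
    otherwise logGroupNames are treated as glob patterns.
    """
    for rule in exclusions:
        if "organizationalUnits" in rule and ou not in rule["organizationalUnits"]:
            continue
        if "accounts" in rule and account not in rule["accounts"]:
            continue
        if "regions" in rule and region not in rule["regions"]:
            continue
        if rule.get("excludeAll"):
            return True
        if any(fnmatchcase(log_group, pattern) for pattern in rule.get("logGroupNames", [])):
            return True
    return False


def partition_prefix(account_id: str, log_group: str, by_account_id: bool = True,
                     filters: list[dict] = PARTITION_FILTER) -> str:
    """S3 key prefix under the central logs bucket for a replicated log group.

    The account ID (dynamicPartitioningByAccountId) comes first, then the
    s3Prefix of the first matching dynamicPartitioning entry, if any.
    """
    parts = ["CloudWatchLogs"]
    if by_account_id:
        parts.append(account_id)
    for entry in filters:
        if fnmatchcase(log_group, entry["logGroupPattern"]):
            parts.append(entry["s3Prefix"])
            break
    return "/".join(parts) + "/"
```

Keeping the account ID in the prefix is what lets a later bucket policy or Athena partition be scoped per source account; without it, log groups with the same name in different accounts share a prefix.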

enable boolean

Enable Replication (Optional)

Whether or not to enable CloudWatch Logs replication.

Default: true
encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether a KMS customer managed key (CMK) is used to encrypt the targeted log groups. When set to true, a customer managed KMS key is used. When set to false, the default service-managed encryption of CloudWatch Logs is used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

Exclusions (Optional)

Configure log groups to exclude from replication.

firehose object

CloudWatch Firehose Configuration

Configuration for the CloudWatch Logs Firehose.

Example

```yaml
logging:
  cloudwatchLogs:
    firehose:
      fileExtension: json.gz
      lambdaProcessor:
        retries: 3
        bufferSize: 0.2
        bufferInterval: 60
```

2 nested properties
fileExtension string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
lambdaProcessor object

CloudWatch Firehose Lambda Configuration

Enables the configuration of the lambda processor used to process incoming logs to the LogArchive account.

3 nested properties
bufferInterval number

Buffer Interval (Optional)

The period of time, in seconds, for which Amazon Data Firehose buffers incoming data before invoking the Lambda function. The function is invoked as soon as either the buffer size or the buffer interval is reached.

Valid values range from 60 to 900 seconds.

Default: 60
bufferSize number

Buffer Size (Optional)

The amount of data, in MB, that Firehose buffers before invoking the Lambda function. The Lambda function has a 6 MB invocation payload quota and your data can expand in size during processing, so a smaller buffer size leaves more headroom for that expansion.

Valid values range from 0.2 to 3 MB.

Default: 0.2
retries number

Retries (Optional)

How many times Firehose will retry the Lambda invocation.

Default: 3
kinesis object

CloudWatch Kinesis Configuration

Configuration for the Kinesis data stream that receives CloudWatch Logs.

Key Features

  • Real-time Processing: Stream CloudWatch Logs data in real-time for immediate analysis
  • Scalable Throughput: Configure capacity based on your data volume requirements
  • Flexible Retention: Store data for 24 hours to 365 days for replay and reprocessing
  • Cost Optimization: Choose between on-demand and provisioned capacity modes
  • Integration Ready: Seamlessly integrates with AWS analytics and processing services

Example

```yaml
logging:
  cloudwatchLogs:
    kinesis:
      streamingMode: PROVISIONED
      shardCount: 5
      retention: 240
```

3 nested properties
streamingMode string required
Values: "ON_DEMAND" "PROVISIONED"
retention number

Retention (Optional)

The number of hours the data records are stored in shards and remain accessible.

The value should be between 24 and 8760

Default: 24
shardCount number

Shard Count (Optional)

The number of shards the stream uses. For greater throughput, increase the number of shards. Only applicable if streamingMode is 'PROVISIONED'; otherwise this is ignored. A single update cannot more than double the current shard count. For example, you cannot go from 1 shard to 4 in one step.

Default: 1
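The kinesis and firehose.lambdaProcessor settings above carry numeric limits, and the shard-count note hides an operational constraint: Kinesis accepts at most a doubling (or a halving) per UpdateShardCount call, and only ten such calls per stream in a rolling 24-hour window. The Python below is an added example, not the accelerator's validator: it checks a kinesis block and a lambdaProcessor block against the documented ranges and plans the sequence of shard counts needed to move a PROVISIONED stream from its current count to a target.

```python
"""Range checks for the kinesis / firehose.lambdaProcessor blocks documented
above, plus a scaling plan that respects the Kinesis per-call shard limit.
Added example; not the accelerator's validator."""
from __future__ import annotations

VALID_MODES = ("ON_DEMAND", "PROVISIONED")


def validate_kinesis(kinesis: dict) -> list[str]:
    """Apply the documented constraints to a cloudwatchLogs.kinesis block."""
    errors: list[str] = []
    mode = kinesis.get("streamingMode")
    if mode not in VALID_MODES:
        errors.append(f"streamingMode must be one of {VALID_MODES}, got {mode!r}")
    retention = kinesis.get("retention", 24)
    if not 24 <= retention <= 8760:
        errors.append(f"retention {retention} is outside 24-8760 hours")
    if kinesis.get("shardCount", 1) < 1:
        errors.append("shardCount must be at least 1")
    if mode == "ON_DEMAND" and "shardCount" in kinesis:
        errors.append("shardCount is ignored when streamingMode is ON_DEMAND")
    return errors


def validate_lambda_processor(proc: dict) -> list[str]:
    """Apply the documented constraints to a cloudwatchLogs.firehose.lambdaProcessor block."""
    errors: list[str] = []
    interval = proc.get("bufferInterval", 60)
    if not 60 <= interval <= 900:
        errors.append(f"bufferInterval {interval} is outside 60-900 seconds")
    size = proc.get("bufferSize", 0.2)
    if not 0.2 <= size <= 3:
        errors.append(f"bufferSize {size} is outside 0.2-3 MB")
    if proc.get("retries", 3) < 0:
        errors.append("retries must not be negative")
    return errors


def plan_shard_scaling(current: int, target: int) -> list[int]:
    """Shard counts to request, one UpdateShardCount call each.

    Kinesis refuses a single update that more than doubles, or drops below
    half of, the current count, so a 1 -> 4 change needs two calls: 2, then 4.
    """
    if current < 1 or target < 1:
        raise ValueError("shard counts must be positive")
    steps: list[int] = []
    count = current
    while count != target:
        if target > count:
            count = min(count * 2, target)
        else:
            count = max((count + 1) // 2, target)
        steps.append(count)
    return steps
```

If plan_shard_scaling returns more than ten steps, the change cannot complete within one 24-hour window; spread it over more than one pipeline run, or switch the stream to ON_DEMAND.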
organizationIdConditionSupported boolean

Organization ID Condition (Optional)

Indicates whether the principal organization condition (aws:PrincipalOrgID) is supported in the CloudWatch Logs destination access policy. Where it is not, an explicit list of account IDs is used in its place. Useful in partitions where the principal organization condition is not supported.

replaceLogDestinationArn string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
skipBulkUpdate object

Skip Bulk Update Configuration

Configuration to skip the bulk update of CloudWatch Logs. Warning: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable this option if you fully understand the implications.

2 nested properties
enable boolean required

Enable (Required)

Whether or not to skip the bulk update of CloudWatch Logs.

skipBulkUpdateTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

subscription object

CloudWatch Subscription Configuration

Configuration for the CloudWatch logs subscription

Example

```yaml
logging:
  cloudwatchLogs:
    subscription:
      type: ACCOUNT
      selectionCriteria: 'LogGroupName NOT IN [ /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor development AppA]'
      overrideExisting: true
```

4 nested properties
type string required

Type (Required)

Determines whether a single account-wide subscription policy is applied, or whether a Lambda function is invoked to apply a subscription filter to each log group individually.

Example type: ACCOUNT

Values: "ACCOUNT" "LOG_GROUP"
filterPattern string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
overrideExisting boolean

Override Existing (Optional)

Indicates whether the existing CloudWatch Log subscription configuration can be overwritten. If enabled, any existing policy will be updated and renamed to 'ACCELERATOR_ACCOUNT_SUBSCRIPTION_POLICY'. Upon deleting the solution or disabling logging for cloudwatch in global config, this policy will be removed. If type is set to 'LOG_GROUP' this parameter will not be used.

Default: false
selectionCriteria string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
ICloudWatchLogsExclusionConfig object

CloudWatch Logs Exclusions Config

Used to define which CloudWatch Logs Groups should be excluded. Select groups based on accounts, regions, OUs, and log group names.

Example

```yaml
organizationalUnits:
  - Sandbox
regions:
  - us-west-1
  - us-west-2
accounts:
  - WorkloadAccount1
excludeAll: true
logGroupNames:
  - 'test/'
  - '/appA/'
```

accounts NonEmptyString[]

Accounts (Optional)

List of accounts where the exclusions will apply.

excludeAll boolean

Exclude All (Optional)

Whether or not to exclude all logs.

When true, all replication for the listed accounts/OUs will be disabled. Setting the OU to Root with no region specified while this is true will fail validation, because it would be redundant. Instead, use {@link ICloudWatchLogsConfig.enable } to disable replication for the entire environment.

Default: false
logGroupNames NonEmptyString[]

Log Group Names (Optional)

List of log group names to be excluded

Wildcards are supported. If {@link ICloudWatchLogsExclusionConfig.excludeAll } is enabled, this parameter is ignored.

organizationalUnits NonEmptyString[]

Organizational Units (Optional)

List of OUs to exclude.

regions string[]

Regions (Optional)

List of regions to exclude. If left undefined, exclusions will apply to all enabled regions.
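Exclusions decide which log groups never reach the central logging bucket, so it is worth being able to answer "is this log group still replicated?" before deploying. The following evaluator is an added example, not LZA code. Two details the schema leaves implicit are assumed here and marked as such: an entry is in scope for an account when the account is listed under `accounts` or its OU is listed under `organizationalUnits`, and `logGroupNames` patterns are matched with shell-style wildcards. The sample exclusions reuse the schema's own example; the sample log groups are constructed.

```python
"""Evaluate logging.cloudwatchLogs.exclusions entries against concrete log groups.

Added example, not LZA code. Assumptions the schema does not spell out: an
entry is in scope for an account when the account appears under accounts or
its OU appears under organizationalUnits; logGroupNames patterns are matched
as shell-style wildcards (fnmatch). Sample data is constructed.
"""
from fnmatch import fnmatchcase


def validate_exclusion(entry: dict) -> list:
    """Static checks that mirror the rules stated in the schema."""
    problems = []
    ous = entry.get("organizationalUnits", [])
    if entry.get("excludeAll") and "Root" in ous and not entry.get("regions"):
        problems.append("excludeAll for the Root OU with no regions is redundant; "
                        "use cloudwatchLogs.enable: false instead")
    if entry.get("excludeAll") and entry.get("logGroupNames"):
        problems.append("logGroupNames is ignored when excludeAll is true")
    if not entry.get("accounts") and not ous:
        problems.append("entry targets neither accounts nor organizationalUnits")
    return problems


def is_excluded(entry: dict, *, account: str, ou: str, region: str, log_group: str) -> bool:
    """Does this single exclusion entry stop replication of the given log group?"""
    if account not in entry.get("accounts", []) and ou not in entry.get("organizationalUnits", []):
        return False
    regions = entry.get("regions")           # undefined -> every enabled region
    if regions and region not in regions:
        return False
    if entry.get("excludeAll"):
        return True
    return any(fnmatchcase(log_group, pattern) for pattern in entry.get("logGroupNames", []))


def replicated(exclusions: list, log_groups: list) -> list:
    """Names of the log groups that still replicate after all entries are applied."""
    return [g["log_group"] for g in log_groups
            if not any(is_excluded(e, **g) for e in exclusions)]


# Constructed sample: the schema's own example entry plus a pattern-based entry.
SAMPLE_EXCLUSIONS = [
    {"organizationalUnits": ["Sandbox"], "regions": ["us-west-1", "us-west-2"],
     "accounts": ["WorkloadAccount1"], "excludeAll": True},
    {"organizationalUnits": ["Workloads"], "logGroupNames": ["/appA/*"]},
]
SAMPLE_LOG_GROUPS = [
    {"account": "Sandbox1", "ou": "Sandbox", "region": "us-west-1", "log_group": "/aws/lambda/fn"},
    {"account": "Sandbox1", "ou": "Sandbox", "region": "us-east-1", "log_group": "/aws/lambda/fn"},
    {"account": "WorkloadAccount1", "ou": "Workloads", "region": "us-west-2", "log_group": "/appB/web"},
    {"account": "Prod1", "ou": "Workloads", "region": "eu-west-1", "log_group": "/appA/web"},
    {"account": "Prod1", "ou": "Workloads", "region": "eu-west-1", "log_group": "/appB/web"},
]
```

Note that the Sandbox entry does not touch `us-east-1` because it lists regions explicitly, while the Workloads entry applies in every enabled region because it lists none; that asymmetry is the most common surprise when reviewing exclusion lists.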

ICloudWatchManagedDataProtectionIdentifierConfig object

Managed Data Protection Identifier Configuration

Allows the protection of CloudWatch Logs data. Currently, only the Credentials category is supported.

categories string[] required

Categories (Required)

List of categories to protect.

Default: "Credentials"
ICloudWatchSubscriptionConfig object

CloudWatch Subscription Configuration

Configuration for the CloudWatch logs subscription

Example

```yaml
logging:
  cloudwatchLogs:
    subscription:
      type: ACCOUNT
      selectionCriteria: 'LogGroupName NOT IN [ /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor development AppA]'
      overrideExisting: true
```

type string required

Type (Required)

Determines whether a single account-wide subscription policy is applied, or whether a Lambda function is invoked to apply a subscription filter to each log group individually.

Example type: ACCOUNT

Values: "ACCOUNT" "LOG_GROUP"
filterPattern string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
overrideExisting boolean

Override Existing (Optional)

Indicates whether the existing CloudWatch Log subscription configuration can be overwritten. If enabled, any existing policy will be updated and renamed to 'ACCELERATOR_ACCOUNT_SUBSCRIPTION_POLICY'. Upon deleting the solution or disabling logging for cloudwatch in global config, this policy will be removed. If type is set to 'LOG_GROUP' this parameter will not be used.

Default: false
selectionCriteria string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
IControlTowerConfig object

AWS Control Tower Configuration

AWS Control Tower provides a prescriptive way to set up and govern a secure, multi-account AWS environment based on best practices. This configuration enables and manages Control Tower Landing Zone deployment alongside the Landing Zone Accelerator.

Key Features

  • Landing Zone Management: Configure and manage Control Tower Landing Zone settings
  • Guardrail Controls: Enable additional strongly recommended and elective controls
  • Identity Center Integration: Seamless integration with AWS IAM Identity Center
  • Logging Configuration: Centralized logging with configurable retention policies

Configuration Structure

```yaml
# global-config.yaml
controlTower:
  enable: true
  landingZone:
    version: '3.3'
    logging:
      loggingBucketRetentionDays: 365
      accessLoggingBucketRetentionDays: 365
      organizationTrail: true
    security:
      enableIdentityCenterAccess: true
  controls:
    - identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
      enable: true
      deploymentTargets:
        organizationalUnits:
          - SecureWorkloads
    - identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
      enable: true
      deploymentTargets:
        organizationalUnits:
          - Workloads
```

Best Practices

  1. Version Management: Always specify the latest available Landing Zone version
  2. Control Deployment: Enable controls in batches of 10 or fewer to avoid throttling
  3. Organizational Units: Align control deployment with your OU structure
  4. Logging Retention: Set appropriate retention periods based on compliance requirements
  5. Identity Center: Enable Identity Center access for centralized user management

Important Considerations

  • Control Tower requires the three mandatory accounts: Management, Audit, and Log Archive
  • Some controls cannot be deployed to the Security OU
  • Control Tower operations are limited to 10 concurrent operations
  • Landing Zone updates require the latest available version
enable boolean required

Enable Control Tower (Required)

Controls whether AWS Control Tower Landing Zone is enabled for the deployment. When enabled, the accelerator ensures the account configuration includes the three mandatory Control Tower accounts.

Required Accounts

When Control Tower is enabled, these accounts must be defined in accounts-config.yaml:

  • Management Account: Primary account for organizational management and billing
  • Log Archive Account: Centralized logging and log retention
  • Audit Account: Security auditing and compliance monitoring

Prerequisites

  • AWS Organizations must be enabled in the management account
  • All features must be enabled in AWS Organizations
  • The management account must have appropriate permissions
  • Required service-linked roles must be created

Example

```yaml
# Disable Control Tower (standalone LZA deployment)
enable: false
```

Control Tower Guardrails (Optional)

Configuration for additional Control Tower guardrails (controls) beyond the mandatory ones. Allows enablement of strongly recommended and elective controls across organizational units.

Control Types

  • Mandatory: Automatically enabled by Control Tower (cannot be disabled)
  • Strongly Recommended: Best practice controls that should be enabled
  • Elective: Additional controls for specific compliance requirements

Deployment Considerations

  • Concurrency Limit: Maximum 10 concurrent control operations
  • Batch Processing: Deploy controls in batches to avoid throttling
  • OU Restrictions: Some controls cannot be deployed to Security OU
  • Regional Scope: Controls can be region-specific or global

Usage Examples

```yaml
# Elective control with regional scope
- identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
  enable: true
  regions:
    - us-east-1
    - us-west-2
  deploymentTargets:
    organizationalUnits:
      - Production

# Global control using opaque identifier
- identifier: m7a5gbdf08wg2o0en010mkng
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
```

Best Practices

  • Enable controls gradually in batches of 10 or fewer
  • Test controls in non-production OUs first
  • Review control documentation for OU compatibility
  • Monitor control status and compliance in the Control Tower console
landingZone object

Control Tower Landing Zone Configuration

Configure the Control Tower Landing Zone's settings.

Key Features

  • Specify the Landing Zone Version
  • Customize log retention to meet regulatory compliance
  • Manage Identity Center Access for Control Tower Landing Zone

Example

```yaml
landingZone:
  version: '3.3'
  logging:
    loggingBucketRetentionDays: 365
    accessLoggingBucketRetentionDays: 365
    organizationTrail: true
  security:
    enableIdentityCenterAccess: true
```

4 nested properties
logging object required

AWS Control Tower Landing Zone Logging Configuration

Logging configuration for the landing zone.

Key Features

  • Log Retention: Configure log retention time
  • Organization-Level CloudTrail: Enable/Disable organization-level CloudTrail

Usage Example

```yaml
logging:
  loggingBucketRetentionDays: 365
  accessLoggingBucketRetentionDays: 365
  organizationTrail: true
```

3 nested properties
accessLoggingBucketRetentionDays number required

Access Logs Retention Time (Required)

Retention time, in days, of the bucket access logs

Default: 365
loggingBucketRetentionDays number required

Bucket Retention Configuration (Required)

Retention time, in days, of the Amazon S3 log archive bucket

Default: 365
organizationTrail boolean required

Organization-Level CloudTrail (Required)

Whether or not to enable organization-level CloudTrail.

Important Considerations

  • Organization-level CloudTrail is different than the CloudTrail deployed by the solution
  • If both organization-level CloudTrail and solution defined CloudTrail are enabled, multiple trails will be created
Default: true
security object required

Control Tower Landing Zone Security Configuration

Configure security settings and access controls for the AWS Control Tower Landing Zone deployment. This configuration manages identity and access management integration with AWS services.

Important Considerations

  • Identity Center access affects how users authenticate to AWS accounts in the organization
  • When enabled, Control Tower automatically configures permission sets and account assignments
  • Disabling may impact existing user access patterns and require manual IAM configuration
  • Changes to this configuration may trigger a Control Tower Landing Zone update

Usage Example

```yaml
security:
  enableIdentityCenterAccess: true
```

1 nested properties
enableIdentityCenterAccess boolean required

Identity Center Access (Required)

When enabled, AWS Control Tower sets up AWS account access with IAM Identity Center.

Default: false
version string required

Landing Zone Version (Required)

Considerations

  • Most recent version required for landing zone updates or resets
  • Updates or resets will occur when drift is detected or any configuration change
  • If the solution needs to perform an update or reset and the version is not the most recent, the solution will fail
accountAutoEnrollment boolean

Account Auto-Enrollment (Optional)

Enables automatic enrollment of accounts when moved between organizational units (OUs). When enabled, accounts moved into or between registered OUs automatically receive baseline resources and control configurations from the destination OU without creating inheritance drift.

Default: false
IControlTowerControlConfig object

Control Tower Guardrail Configuration

Individual Control Tower guardrail (control) configuration for enabling additional security and compliance controls beyond the mandatory ones automatically enabled by Control Tower.

Overview

Control Tower guardrails provide governance controls that help ensure your AWS environment remains compliant with security and operational best practices. This configuration allows you to enable additional controls across your organizational structure.

Deployment Constraints

  • Concurrency Limit: Maximum 10 concurrent control operations per region
  • OU Restrictions: Some controls cannot be deployed to the Security OU
  • Regional Scope: Controls can be global or region-specific
  • Batch Processing: Deploy in small batches to avoid throttling

Usage Examples

```yaml
- identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Workloads
      - Production

- identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
  enable: true
  regions:
    - us-east-1
    - us-west-2
  deploymentTargets:
    organizationalUnits:
      - Infrastructure

- identifier: m7a5gbdf08wg2o0en010mkng
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

Important Considerations

  • LZA only supports strongly recommended and elective controls
  • Control Tower operations count against the 10 concurrent operation limit
  • Enabling a control for one OU counts as one Control Tower operation
  • Control deployment is asynchronous and may take several minutes
  • Some controls have dependencies on other AWS services
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

enable boolean required

Enable Control (Required)

Controls whether this guardrail should be enabled or disabled for the specified organizational units.

Control States

Enabled (true):

  • Control is active and enforcing its policy
  • Resources are monitored for compliance
  • Non-compliant resources are flagged or remediated
  • Control appears as "Enabled" in Control Tower console

Disabled (false):

  • Control is inactive and not enforcing policy
  • No compliance monitoring occurs
  • Existing violations are not flagged
  • Control appears as "Disabled" in Control Tower console

Usage Examples

```yaml
- identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
  enable: true    # Control will be enabled
  deploymentTargets:
    organizationalUnits:
      - Production

# Disable a control (useful for temporary exceptions)
- identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
  enable: false   # Control will be disabled
  deploymentTargets:
    organizationalUnits:
      - Development
```
identifier string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
regions string[]

Regional Scope (Optional)

Specifies the AWS regions where this control should be enabled. If not specified, the control is enabled in the home region only.

Regional Deployment

Global Controls:

  • Some controls are inherently global (e.g., IAM-related controls)
  • Regional specification is ignored for global controls
  • Applied once per account regardless of region list

Regional Controls:

  • Most controls are region-specific (e.g., EC2, VPC controls)
  • Must be explicitly enabled in each target region
  • Each region deployment counts as a separate operation

Usage Examples

```yaml
regions:
  - us-east-1
  - us-west-2
  - eu-west-1
```

Important Considerations

  • Each region deployment counts toward the 10 concurrent operation limit
  • Regions must be listed in the enabledRegions section of global-config.yaml
  • Invalid regions will cause deployment failures
Default: "Home region only"
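The operation-counting rules spread across this object (one operation per control, OU and region; regions defaulting to the home region and having to be in enabledRegions; global controls counted once per OU; a ceiling of 10 concurrent operations) are what decide whether a controls list deploys cleanly or throttles halfway through. The planner below is an added example, not LZA code, that applies those rules to a controls list before deployment. Which identifiers are global is an assumed input, since the schema only names IAM-related controls as examples; `SAMPLE_CONTROLS` is the schema's own usage example.

```python
"""Plan Control Tower control operations from an LZA controls list.

Added example, not LZA code. Applies the rules stated in the schema: one
operation per (control, OU, region); regions default to the home region and
must be in enabledRegions; global controls are applied once per OU regardless
of the regions list; at most 10 operations may run concurrently. The set of
global identifiers is an assumed input. SAMPLE_CONTROLS is the schema's example.
"""
from itertools import islice

MAX_CONCURRENT_OPS = 10


def check_controls(controls, *, enabled_regions) -> list:
    """Problems that would make the deployment fail before it starts."""
    problems = []
    for c in controls:
        ident = c.get("identifier") or "<missing identifier>"
        if not c.get("identifier"):
            problems.append("control without identifier")
        if not c.get("deploymentTargets", {}).get("organizationalUnits"):
            problems.append(f"{ident}: deploymentTargets.organizationalUnits is required")
        bad = [r for r in c.get("regions", []) if r not in enabled_regions]
        if bad:
            problems.append(f"{ident}: regions {bad} are not in enabledRegions")
    return problems


def expand_operations(controls, *, home_region, global_controls=frozenset()) -> list:
    """Flatten to (action, identifier, ou, region) tuples, one per Control Tower operation."""
    ops = []
    for c in controls:
        action = "enable" if c.get("enable") else "disable"
        ous = c.get("deploymentTargets", {}).get("organizationalUnits", [])
        regions = c.get("regions") or [home_region]
        if c["identifier"] in global_controls:
            regions = [home_region]          # regional list is ignored for global controls
        ops.extend((action, c["identifier"], ou, r) for ou in ous for r in regions)
    return ops


def batches(ops, size=MAX_CONCURRENT_OPS) -> list:
    """Chunk operations so that no batch exceeds the concurrency ceiling."""
    it = iter(ops)
    return [chunk for chunk in iter(lambda: list(islice(it, size)), [])]


SAMPLE_CONTROLS = [
    {"identifier": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK", "enable": True,
     "deploymentTargets": {"organizationalUnits": ["Workloads", "Production"]}},
    {"identifier": "AWS-GR_EC2_INSTANCE_IMDSv2_CHECK", "enable": True,
     "regions": ["us-east-1", "us-west-2"],
     "deploymentTargets": {"organizationalUnits": ["Infrastructure"]}},
    {"identifier": "m7a5gbdf08wg2o0en010mkng", "enable": True,
     "deploymentTargets": {"organizationalUnits": ["Root"]}},
]
```

For the sample list with home region `us-east-1` this yields five operations (two OUs for the RDS control, two regions for the IMDSv2 control, one for the opaque identifier), so a single batch; the batching only starts to matter once a list expands past ten, which happens quickly when a regional control is enabled across several OUs and regions.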
IControlTowerLandingZoneConfig object

Control Tower Landing Zone Configuration

Configure the Control Tower Landing Zone's settings.

Key Features

  • Specify the Landing Zone Version
  • Customize log retention to meet regulatory compliance
  • Manage Identity Center Access for Control Tower Landing Zone

Example

```yaml
landingZone:
  version: '3.3'
  logging:
    loggingBucketRetentionDays: 365
    accessLoggingBucketRetentionDays: 365
    organizationTrail: true
  security:
    enableIdentityCenterAccess: true
```

logging object required

AWS Control Tower Landing Zone Logging Configuration

Logging configuration for the landing zone.

Key Features

  • Log Retention: Configure log retention time
  • Organization-Level CloudTrail: Enable/Disable organization-level CloudTrail

Usage Example

```yaml
logging:
  loggingBucketRetentionDays: 365
  accessLoggingBucketRetentionDays: 365
  organizationTrail: true
```

3 nested properties
accessLoggingBucketRetentionDays number required

Access Logs Retention Time (Required)

Retention time, in days, of the bucket access logs

Default: 365
loggingBucketRetentionDays number required

Bucket Retention Configuration (Required)

Retention time, in days, of the Amazon S3 log archive bucket

Default: 365
organizationTrail boolean required

Organization-Level CloudTrail (Required)

Whether or not to enable organization-level CloudTrail.

Important Considerations

  • Organization-level CloudTrail is different than the CloudTrail deployed by the solution
  • If both organization-level CloudTrail and solution defined CloudTrail are enabled, multiple trails will be created
Default: true
security object required

Control Tower Landing Zone Security Configuration

Configure security settings and access controls for the AWS Control Tower Landing Zone deployment. This configuration manages identity and access management integration with AWS services.

Important Considerations

  • Identity Center access affects how users authenticate to AWS accounts in the organization
  • When enabled, Control Tower automatically configures permission sets and account assignments
  • Disabling may impact existing user access patterns and require manual IAM configuration
  • Changes to this configuration may trigger a Control Tower Landing Zone update

Usage Example

```yaml
security:
  enableIdentityCenterAccess: true
```

1 nested properties
enableIdentityCenterAccess boolean required

Identity Center Access (Required)

When enabled, AWS Control Tower sets up AWS account access with IAM Identity Center.

Default: false
version string required

Landing Zone Version (Required)

Considerations

  • Most recent version required for landing zone updates or resets
  • Updates or resets will occur when drift is detected or any configuration change
  • If the solution needs to perform an update or reset and the version is not the most recent, the solution will fail
accountAutoEnrollment boolean

Account Auto-Enrollment (Optional)

Enables automatic enrollment of accounts when moved between organizational units (OUs). When enabled, accounts moved into or between registered OUs automatically receive baseline resources and control configurations from the destination OU without creating inheritance drift.

Default: false
IControlTowerLandingZoneLoggingConfig object

AWS Control Tower Landing Zone Logging Configuration

Logging configuration for the landing zone.

Key Features

  • Log Retention: Configure log retention time
  • Organization-Level CloudTrail: Enable/Disable organization-level CloudTrail

Usage Example

```yaml
logging:
  loggingBucketRetentionDays: 365
  accessLoggingBucketRetentionDays: 365
  organizationTrail: true
```

accessLoggingBucketRetentionDays number required

Access Logs Retention Time (Required)

Retention time, in days, of the bucket access logs

Default: 365
loggingBucketRetentionDays number required

Bucket Retention Configuration (Required)

Retention time, in days, of the Amazon S3 log archive bucket

Default: 365
organizationTrail boolean required

Organization-Level CloudTrail (Required)

Whether or not to enable organization-level CloudTrail.

Important Considerations

  • Organization-level CloudTrail is different than the CloudTrail deployed by the solution
  • If both organization-level CloudTrail and solution defined CloudTrail are enabled, multiple trails will be created
Default: true
IControlTowerLandingZoneSecurityConfig object

Control Tower Landing Zone Security Configuration

Configure security settings and access controls for the AWS Control Tower Landing Zone deployment. This configuration manages identity and access management integration with AWS services.

Important Considerations

  • Identity Center access affects how users authenticate to AWS accounts in the organization
  • When enabled, Control Tower automatically configures permission sets and account assignments
  • Disabling may impact existing user access patterns and require manual IAM configuration
  • Changes to this configuration may trigger a Control Tower Landing Zone update

Usage Example

```yaml
security:
  enableIdentityCenterAccess: true
```

enableIdentityCenterAccess boolean required

Identity Center Access (Required)

When enabled, AWS Control Tower sets up AWS account access with IAM Identity Center.

Default: false
ICostAndUsageReportConfig object

Cost and Usage Report Configuration

Configuration for AWS Cost and Usage Reports (CUR) that provides comprehensive cost and usage data for your AWS account. These reports are delivered to an S3 bucket and can be used for detailed cost analysis and billing insights.

Key Features

  • Flexible Reporting: Configure time granularity from hourly to monthly
  • Multiple Formats: Support for CSV, text, and Parquet formats with various compression options
  • Data Integration: Generate manifests for integration with Amazon Redshift, QuickSight, and Athena
  • Lifecycle Management: Configure S3 lifecycle rules for cost optimization
  • Version Control: Choose between creating new reports or overwriting existing ones

Usage Example

```yaml
costAndUsageReport:
  compression: Parquet
  format: Parquet
  reportName: accelerator-cur
  s3Prefix: cur
  timeUnit: DAILY
  refreshClosedReports: true
  reportVersioning: CREATE_NEW_REPORT
  lifecycleRules:
    - enabled: true
      id: CostAndUsageBucketLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
```

compression string required

Compression Format (Required)

The compression format that AWS uses for the report files.

Example yaml compression: Parquet

format string required

Report Format (Required)

The format that AWS saves the report in.

Example yaml format: Parquet

refreshClosedReports boolean required

Refresh Closed Reports (Required)

Whether AWS should update your reports after they have been finalized if AWS detects charges related to previous months. These charges can include refunds, credits, or support fees.

When to Enable

  • Enable if you need the most accurate historical data
  • Enable if you frequently receive refunds or credits
  • Enable for compliance and auditing requirements

When to Disable

  • Disable if you prefer immutable historical reports
  • Disable to reduce processing overhead

Example yaml refreshClosedReports: true

reportName string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
reportVersioning string required

Report Versioning (Required)

Whether AWS should overwrite the previous version of each report or deliver the report in addition to the previous versions.

Available Options

  • CREATE_NEW_REPORT: Creates a new report file for each delivery (recommended)
  • OVERWRITE_REPORT: Overwrites the previous report file

Considerations

  • CREATE_NEW_REPORT provides better audit trail and version history
  • OVERWRITE_REPORT uses less storage but loses historical versions

Example yaml reportVersioning: CREATE_NEW_REPORT

s3Prefix string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
timeUnit string required

Time Unit (Required)

The granularity of the line items in the report. This determines how frequently the report data is aggregated.

Available Options

  • HOURLY: Hourly granularity (most detailed, higher costs)
  • DAILY: Daily granularity (recommended for most use cases)
  • MONTHLY: Monthly granularity (least detailed, lower costs)

Cost Considerations

  • Hourly reports are more expensive but provide the most detail
  • Daily reports offer a good balance of detail and cost
  • Monthly reports are the most cost-effective but least granular

Example yaml timeUnit: DAILY

additionalArtifacts string[]

Additional Artifacts (Optional)

A list of manifests that AWS creates for this report to enable integration with other AWS analytics services.

Available Artifacts

  • REDSHIFT: Creates manifest files for Amazon Redshift integration
  • QUICKSIGHT: Creates manifest files for Amazon QuickSight integration
  • ATHENA: Creates manifest files for Amazon Athena integration

Example

```yaml
additionalArtifacts:
  - ATHENA
  - QUICKSIGHT
```

additionalSchemaElements NonEmptyString[]

Additional Schema Elements (Optional)

Additional content that AWS includes in the report, such as individual resource IDs. These elements provide more granular data for detailed cost analysis.

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configuration for S3 bucket lifecycle rules to manage the cost and storage of your Cost and Usage Reports over time.

Key Benefits

  • Automatically transition older reports to cheaper storage classes
  • Set expiration policies to delete old reports
  • Optimize storage costs for long-term report retention

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CostAndUsageBucketLifecycleRule-01
    expiration: 2555 # 7 years
    transitions:
      - storageClass: STANDARD_IA
        transitionAfter: 30
      - storageClass: GLACIER
        transitionAfter: 365
      - storageClass: DEEP_ARCHIVE
        transitionAfter: 1095 # 3 years
```

ICustomS3ResourceAndKmsPolicyOverridesConfig object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

kmsPolicy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
s3Policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
ICustomS3ResourcePolicyOverridesConfig object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
IDefaultEventBusConfig object

Default Event Bus Configuration

Define policies for the default event bus.

Example

```yaml
defaultEventBus:
  policy: path-to-my-policy
```

deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

policy string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
IDeploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
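The following is an added example, not code from the Landing Zone Accelerator project, showing how a deploymentTargets block (this definition is reused by every deploymentTargets property on this page) resolves to concrete account/region pairs: OU and account inclusions are unioned, excludedAccounts is applied last so it wins over both, and excludedRegions is subtracted from the global enabledRegions list. The organization model is a constructed, flat assumption (OU name to account names, with accounts directly under the root listed under "Root", and "Root" meaning every account); the real accelerator resolves nested OU paths against AWS Organizations.

```typescript
// Added example, not LZA project code: resolving a deploymentTargets block into
// concrete (account, region) pairs. Assumptions: a constructed, flat organization
// model (OU name -> account names, "Root" meaning every account) and the
// enabledRegions list from the global config.

interface DeploymentTargets {
  accounts?: string[];
  organizationalUnits?: string[];
  excludedAccounts?: string[];
  excludedRegions?: string[];
}

interface ResolvedTarget {
  account: string;
  region: string;
}

// Constructed sample organization; accounts directly under the root are listed
// under "Root" here (an assumption of this simplified model).
const SAMPLE_ORG: Record<string, string[]> = {
  Root: ["Management"],
  Security: ["LogArchive", "Audit"],
  Production: ["Prod-App", "Prod-Data"],
  Development: ["Dev-Sandbox"],
};

// "Root" covers every account in the organization; any other OU name must exist.
function accountsInOu(org: Record<string, string[]>, ou: string): string[] {
  if (ou === "Root") {
    let all: string[] = [];
    for (const key in org) {
      const members = org[key];
      if (members) all = all.concat(members);
    }
    return all;
  }
  const members = org[ou];
  if (members === undefined) throw new Error(`Unknown organizational unit: ${ou}`);
  return members;
}

function resolveDeploymentTargets(
  targets: DeploymentTargets,
  org: Record<string, string[]>,
  enabledRegions: string[],
): ResolvedTarget[] {
  const included = new Set<string>();
  for (const ou of targets.organizationalUnits ?? []) {
    for (const acct of accountsInOu(org, ou)) included.add(acct);
  }
  for (const acct of targets.accounts ?? []) included.add(acct);
  // excludedAccounts takes precedence over both OU and account inclusions.
  for (const acct of targets.excludedAccounts ?? []) included.delete(acct);

  // excludedRegions is subtracted from the globally enabled regions.
  const excluded = new Set<string>(targets.excludedRegions ?? []);
  const regions = enabledRegions.filter((r) => !excluded.has(r));

  const result: ResolvedTarget[] = [];
  for (const account of Array.from(included).sort()) {
    for (const region of regions) result.push({ account, region });
  }
  return result;
}
```

Feeding the page's own example (Production and Development OUs, Management excluded, us-west-1 excluded) into resolveDeploymentTargets yields the three workload accounts in each remaining enabled region; listing an account under accounts and under excludedAccounts at the same time drops it, which is the precedence rule the property description states.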

IElbLogBucketConfig object

ELB Log Bucket Configuration

Configuration for the ELB log bucket used to store Elastic Load Balancer access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Regional Deployment: Deploy buckets in each operating region

Example

```yaml
elbLogBucket:
  lifecycleRules:
    - enabled: true
      id: ElbLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: elb-logs-bucket
    applyAcceleratorManagedBucketPolicy: true
```

customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

1 nested properties
policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options


```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

Important Considerations

When true:

  • The accelerator REPLACES the existing bucket resource policy
  • Combines accelerator-generated policies with external policy files
  • Ensures compatibility with enabled security services
  • WARNING: Removes any existing custom S3 policies on the bucket

When false (default):

  • Preserves the existing bucket resource policy
  • Only adds policies from external s3ResourcePolicyAttachments files
  • No changes if no external policy files are provided
  • Existing policies remain intact

Best Practices

  • Set to true for buckets that need full accelerator integration
  • Set to false for buckets with critical existing policies
  • Review existing policies before enabling accelerator management
  • Test policy changes in non-production environments first
Default: false
lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the ELB log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: ElbLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/elb-log-policy.json
  - policy: s3-policies/cross-account-access.json
```

IExternalLandingZoneResourcesConfig object

External Landing Zone Resources Configuration

Used for importing resources from an Amazon Secure Environment Accelerator (ASEA) environment into the LZA.

Example

```yaml
externalLandingZoneResourcesConfig:
  importExternalLandingZoneResources: true
```

acceleratorName string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
acceleratorPrefix string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importExternalLandingZoneResources boolean required

Import External Landing Zone Resources (Required)

Setting this flag indicates that this is an Amazon Secure Environment Accelerator (ASEA) environment and imports ASEA resources to the LZA.

mappingFileBucket string

Mapping File Bucket (Optional)

The name of the bucket that contains the mapping file.

IGlobalConfig object

Global Configuration Interface

The global configuration defines foundational settings that apply across your entire Landing Zone Accelerator deployment. This configuration establishes core operational parameters, security baselines, and service integrations.

Overview

The global configuration serves as the central control plane for:

  • Regional Deployment: Define home region and enabled regions for multi-region deployments
  • Security & Compliance: Configure logging, encryption, and governance controls
  • Service Integration: Enable AWS Control Tower, centralized logging, and monitoring
  • Resource Management: Set quotas, budgets, and operational parameters

Key Features

  • Multi-Region Support: Deploy across multiple AWS regions with centralized management
  • Control Tower Integration: Seamless integration with AWS Control Tower for governance
  • Centralized Logging: Comprehensive logging strategy with CloudTrail, CloudWatch, and S3
  • Security Baseline: Encryption, access controls, and compliance monitoring
  • Cost Management: Budgets, cost reports, and service quota management
  • Operational Excellence: Backup strategies, SNS notifications, and metadata collection

Usage Example


```yaml
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 365

controlTower:
  enable: true
  landingZone:
    version: '3.3'
    logging:
      loggingBucketRetentionDays: 365
      organizationTrail: true
    security:
      enableIdentityCenterAccess: true

logging:
  account: LogArchive
  centralizedLoggingRegion: us-east-1
  cloudtrail:
    enable: true
    organizationTrail: true
  sessionManager:
    sendToCloudWatchLogs: true
    sendToS3: true
  cloudwatchLogs:
    enable: true
    encryption:
      useCMK: true

reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    timeUnit: DAILY
  budgets:
    - name: monthly-budget
      type: COST
      amount: 1000
      timeUnit: MONTHLY

snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: SecurityAlerts
      emailAddresses:
        - [email protected]
```
cloudwatchLogRetentionInDays number required

CloudWatch Log Retention (Required)

The retention period, specified in days, is applied to all CloudWatch log groups created by the LZA. Additionally, this retention period will be applied to any pre-existing CloudWatch log group with a shorter retention period.

Example Scenarios

Scenario 1: If cloudwatchLogRetentionInDays is set to 365 and a new CloudWatch log group is created with a 730-day retention period, the LZA will update the log group to a 365-day retention period.

Scenario 2: If cloudwatchLogRetentionInDays is set to 365 and there is a pre-existing CloudWatch log group with a 730-day retention period, the LZA will not update the log group.

Scenario 3: If cloudwatchLogRetentionInDays is set to 365 and there is a pre-existing CloudWatch log group with a 30-day retention period, the LZA will update the log group to a 365-day retention period.
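The three scenarios amount to one rule: new log groups always receive the configured retention, while pre-existing groups are only ever raised to it, never lowered. The block below is an added example (not Landing Zone Accelerator code) that applies that rule to a constructed inventory of log groups; the createdAfterDeployment flag and the treatment of a group with no retention set as "longer than configured" are assumptions of the example, since the page covers only shorter periods.

```typescript
// Added example, not LZA project code: the retention rule the three scenarios
// describe, applied to a constructed inventory of log groups.

interface LogGroupState {
  logGroupName: string;
  retentionInDays?: number;        // undefined: no retention set (never expire)
  createdAfterDeployment: boolean; // true for groups created after the LZA deployment
}

interface RetentionUpdate {
  logGroupName: string;
  from: number | undefined;
  to: number;
}

// Decide whether a single log group should be changed to the configured value.
function needsRetentionUpdate(configuredDays: number, group: LogGroupState): boolean {
  if (group.createdAfterDeployment) {
    // New log groups always end up with the configured retention (scenario 1).
    return group.retentionInDays !== configuredDays;
  }
  // Assumption: a pre-existing group with no retention set counts as longer
  // retention and is left alone; the page only covers shorter periods.
  if (group.retentionInDays === undefined) return false;
  // Pre-existing groups are raised when shorter (scenario 3), never lowered (scenario 2).
  return group.retentionInDays < configuredDays;
}

// Produce the list of changes the configured value implies for an inventory.
function planRetentionUpdates(configuredDays: number, groups: LogGroupState[]): RetentionUpdate[] {
  const updates: RetentionUpdate[] = [];
  for (const g of groups) {
    if (needsRetentionUpdate(configuredDays, g)) {
      updates.push({ logGroupName: g.logGroupName, from: g.retentionInDays, to: configuredDays });
    }
  }
  return updates;
}

// Constructed sample inventory mirroring the three scenarios plus an unset group.
const SAMPLE_LOG_GROUPS: LogGroupState[] = [
  { logGroupName: "/aws/lambda/new-function", retentionInDays: 730, createdAfterDeployment: true },
  { logGroupName: "/app/legacy-long", retentionInDays: 730, createdAfterDeployment: false },
  { logGroupName: "/app/legacy-short", retentionInDays: 30, createdAfterDeployment: false },
  { logGroupName: "/app/legacy-unset", createdAfterDeployment: false },
];
```

With cloudwatchLogRetentionInDays set to 365, planRetentionUpdates returns changes only for the new 730-day group and the pre-existing 30-day group; the pre-existing 730-day group keeps its longer retention, which matters for audit evidence that must outlive the organization-wide minimum.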

controlTower object required

AWS Control Tower Configuration

AWS Control Tower provides a prescriptive way to set up and govern a secure, multi-account AWS environment based on best practices. This configuration enables and manages Control Tower Landing Zone deployment alongside the Landing Zone Accelerator.

Key Features

  • Landing Zone Management: Configure and manage Control Tower Landing Zone settings
  • Guardrail Controls: Enable additional strongly recommended and elective controls
  • Identity Center Integration: Seamless integration with AWS IAM Identity Center
  • Logging Configuration: Centralized logging with configurable retention policies

Configuration Structure

```yaml
# global-config.yaml
controlTower:
  enable: true
  landingZone:
    version: '3.3'
    logging:
      loggingBucketRetentionDays: 365
      accessLoggingBucketRetentionDays: 365
      organizationTrail: true
    security:
      enableIdentityCenterAccess: true
  controls:
    - identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
      enable: true
      deploymentTargets:
        organizationalUnits:
          - SecureWorkloads
    - identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
      enable: true
      deploymentTargets:
        organizationalUnits:
          - Workloads
```

Best Practices

  1. Version Management: Always specify the latest available Landing Zone version
  2. Control Deployment: Enable controls in batches of 10 or fewer to avoid throttling
  3. Organizational Units: Align control deployment with your OU structure
  4. Logging Retention: Set appropriate retention periods based on compliance requirements
  5. Identity Center: Enable Identity Center access for centralized user management

Important Considerations

  • Control Tower requires the three mandatory accounts: Management, Audit, and Log Archive
  • Some controls cannot be deployed to the Security OU
  • Control Tower operations are limited to 10 concurrent operations
  • Landing Zone updates require the latest available version
3 nested properties
enable boolean required

Enable Control Tower (Required)

Controls whether AWS Control Tower Landing Zone is enabled for the deployment. When enabled, the accelerator ensures the account configuration includes the three mandatory Control Tower accounts.

Required Accounts

When Control Tower is enabled, these accounts must be defined in accounts-config.yaml:

  • Management Account: Primary account for organizational management and billing
  • Log Archive Account: Centralized logging and log retention
  • Audit Account: Security auditing and compliance monitoring

Prerequisites

  • AWS Organizations must be enabled in the management account
  • All features must be enabled in AWS Organizations
  • The management account must have appropriate permissions
  • Required service-linked roles must be created

```yaml
# Disable Control Tower (standalone LZA deployment)
enable: false
```

Control Tower Guardrails (Optional)

Configuration for additional Control Tower guardrails (controls) beyond the mandatory ones. Allows enablement of strongly recommended and elective controls across organizational units.

Control Types

  • Mandatory: Automatically enabled by Control Tower (cannot be disabled)
  • Strongly Recommended: Best practice controls that should be enabled
  • Elective: Additional controls for specific compliance requirements

Deployment Considerations

  • Concurrency Limit: Maximum 10 concurrent control operations
  • Batch Processing: Deploy controls in batches to avoid throttling
  • OU Restrictions: Some controls cannot be deployed to Security OU
  • Regional Scope: Controls can be region-specific or global

Usage Examples


```yaml
  # Elective control with regional scope
  - identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK
    enable: true
    regions:
      - us-east-1
      - us-west-2
    deploymentTargets:
      organizationalUnits:
        - Production

  # Global control using opaque identifier
  - identifier: m7a5gbdf08wg2o0en010mkng
    enable: true
    deploymentTargets:
      organizationalUnits:
        - Infrastructure
```

Best Practices

  • Enable controls gradually in batches of 10 or fewer
  • Test controls in non-production OUs first
  • Review control documentation for OU compatibility
  • Monitor control status and compliance in the Control Tower console
landingZone object

Control Tower Landing Zone Configuration

Configure the Control Tower Landing Zone's settings.

Key Features

  • Specify the Landing Zone Version
  • Customize log retention to meet regulatory compliance
  • Manage Identity Center Access for Control Tower Landing Zone

Example

```yaml
landingZone:
  version: '3.3'
  logging:
    loggingBucketRetentionDays: 365
    accessLoggingBucketRetentionDays: 365
    organizationTrail: true
  security:
    enableIdentityCenterAccess: true
```

4 nested properties
logging object required

AWS Control Tower Landing Zone Logging Configuration

Logging configuration for the landing zone.

Key Features

  • Log Retention: Configure log retention time
  • Organization-Level CloudTrail: Enable/Disable organization-level CloudTrail

Usage Example

```yaml
logging:
  loggingBucketRetentionDays: 365
  accessLoggingBucketRetentionDays: 365
  organizationTrail: true
```

security object required

Control Tower Landing Zone Security Configuration

Configure security settings and access controls for the AWS Control Tower Landing Zone deployment. This configuration manages identity and access management integration with AWS services.

Important Considerations

  • Identity Center access affects how users authenticate to AWS accounts in the organization
  • When enabled, Control Tower automatically configures permission sets and account assignments
  • Disabling may impact existing user access patterns and require manual IAM configuration
  • Changes to this configuration may trigger a Control Tower Landing Zone update

Usage Example

```yaml
security:
  enableIdentityCenterAccess: true
```

version string required

Landing Zone Version (Required)

Considerations

  • Most recent version required for landing zone updates or resets
  • Updates or resets will occur when drift is detected or any configuration change
  • If the solution needs to perform an update or reset and the version is not the most recent, the solution will fail
accountAutoEnrollment boolean

Account Auto-Enrollment (Optional)

Enables automatic enrollment of accounts when moved between organizational units (OUs). When enabled, accounts moved into or between registered OUs automatically receive baseline resources and control configurations from the destination OU without creating inheritance drift.

Default: false
enabledRegions string[] required

Enabled Regions (Required)

List of AWS Regions where the accelerator will be deployed. The home region (IGlobalConfig.homeRegion) must be part of this list.

Example

```yaml
enabledRegions:
  - us-east-1
  - us-west-2
```

homeRegion string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
logging object required

Global Logging Configuration

Example

```yaml
logging:
  account: LogArchive
  centralizedLoggingRegion: us-east-1
  cloudtrail:
    enable: false
    organizationTrail: false
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
```

9 nested properties
account string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
cloudtrail object required

Cloudtrail Configuration

Used to enable and configure CloudTrail for the LZA deployment.

Example

```yaml
cloudtrail:
  enable: true
  organizationTrail: true
  organizationTrailSettings:
    multiRegionTrail: true
    globalServiceEvents: true
    managementEvents: true
    s3DataEvents: true
    lambdaDataEvents: true
    sendToCloudWatchLogs: true
    apiErrorRateInsight: false
    apiCallRateInsight: false
  accountTrails: []
  lifecycleRules: []
```

5 nested properties
enable boolean required

Enable (Required)

Whether or not to enable CloudTrail. This setting alone does not create any trails. Enabling organizationTrail (ICloudTrailConfig.organizationTrail) will create an organization-level trail. Additionally, you can set up account-level trails.

organizationTrail boolean required

Organization Trail (Required)

When enabled alongside enable (ICloudTrailConfig.enable), LZA will create an organization-level trail.

Account Trails (Optional)

Configurations for account-level trails to be created by the LZA deployment.

lifecycleRules ILifecycleRule[]

S3 Log Bucket Lifecycle Rules (Optional)

Optional lifecycle rules for the S3 log bucket

organizationTrailSettings object

Cloud Trail Settings Configuration

Additional settings used to configure an organization-level trail.

Example

```yaml
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
```

sessionManager object required

SessionManager Configuration

Example

```yaml
sessionManager:
  sendToCloudWatchLogs: true
  sendToS3: true
  excludeRegions: []
  excludeAccounts: []
  lifecycleRules: []
  attachPolicyToIamRoles:
    - EC2-Default-SSM-AD-Role
```

6 nested properties
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether sending SessionManager logs to CloudWatch logs is enabled.

sendToS3 boolean required

Send to S3 (Required)

Determines whether sending SessionManager logs to S3 is enabled. When enabled, the accelerator will send the session manager logs to the central log bucket in the LogArchive account.

attachPolicyToIamRoles string[]

Attach Policy to IAM Roles (Optional)

A list of IAM roles used by EC2 instances to which the Session Manager access policy should be attached.

excludeAccounts string[]

Excluded Accounts (Optional)

List of AWS Account names to be excluded from this SessionManager configuration

excludeRegions string[]

Excluded Regions (Optional)

List of AWS Region names to be excluded from this SessionManager configuration

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Defines the lifecycle rules for the S3 bucket containing the logs.

accessLogBucket object

Access Log Bucket Configuration

Configuration for the access log bucket used to store S3 server access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Deployment Targeting: Control which accounts and regions receive the configuration

Example

```yaml
accessLogBucket:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Root
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  lifecycleRules:
    - enabled: true
      id: AccessLifecycle-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  importedBucket:
    name: existing-access-log-bucket-${ACCOUNT_ID}-${REGION}
    applyAcceleratorManagedBucketPolicy: true
```

6 nested properties
customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

enable boolean

Enable Access Log Bucket (Optional)

Controls whether the S3 access logging bucket is created by the solution. When undefined, the solution will create access log buckets automatically.

Important Notes

  • Access log buckets are always created for critical solution buckets (installer, pipeline, central logs, assets)
  • Use deploymentTargets to control which accounts and regions receive this configuration
  • This setting primarily affects additional access log buckets beyond the core solution buckets
Default: true
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the access log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: AccessLifecycle-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/access-log-policy.json
  - policy: s3-policies/cross-account-access.json
```

assetBucket object

Asset Bucket Configuration

Configuration for the asset bucket.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
assetBucket:
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: aws-accelerator-assets
    applyAcceleratorManagedBucketPolicy: true
```

4 nested properties
customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

importedBucket object

Imported S3 Bucket Configuration (Customer Managed Encryption)

Configuration for importing existing S3 buckets with customer-managed KMS encryption (SSE-KMS). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that uses or should use customer-managed KMS keys for encryption.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • KMS Key Management: Option to create and manage KMS keys for the bucket
  • Policy Management: Optional application of accelerator-managed policies
  • Encryption Enhancement: Upgrade existing buckets to use customer-managed keys

Usage Example

```yaml
importedBucket:
  name: existing-sensitive-data-bucket
  applyAcceleratorManagedBucketPolicy: true
  createAcceleratorManagedKey: true
```

kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket encryption key policy.

Notes

  • Cannot be used when customPolicyOverrides.kmsPolicy property has value.
  • When importing an assets bucket with createAcceleratorManagedKey set to false, this property must be undefined
  • The Assets Bucket will allow customers to have SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.
s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/policy1.json
  - policy: s3-policies/policy2.json
```

centralLogBucket object

Central Log Bucket Configuration

Configuration for the central log bucket used to store centralized logs from across the organization.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
centralLogBucket:
  lifecycleRules:
    - enabled: true
      id: CentralLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  kmsResourcePolicyAttachments:
    - policy: kms-policies/policy1.json
  importedBucket:
    name: central-log-bucket
    applyAcceleratorManagedBucketPolicy: true
    createAcceleratorManagedKey: false
```

5 nested properties
customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket encryption key policy.

Notes

  • Cannot be used when customPolicyOverrides.kmsPolicy property has value
  • When importing a central logs bucket with createAcceleratorManagedKey set to false, this property must be undefined
  • The Central Logs Bucket will allow customers to have SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.

Example

```yaml
kmsResourcePolicyAttachments:
  - policy: kms-policies/central-log-key-policy.json
```

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the central log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CentralLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/central-log-policy.json
  - policy: s3-policies/cross-account-access.json
```
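The centralLogBucket properties above carry three "cannot be used together" rules and one Block Public Access caveat that the schema alone does not enforce. The following pre-deployment lint is an added example, not part of the Landing Zone Accelerator code base: the config fragment and the policy file contents are constructed stand-ins for the parsed global-config.yaml and the JSON files it references, and the "would make the bucket public" test is a simple heuristic (Allow, wildcard principal, no Condition), not the full S3 public-access evaluation.

```python
"""Lint the documented exclusivity rules for centralLogBucket before a deployment
runs.  Added example, not Landing Zone Accelerator code: config and policy files
are constructed stand-ins, and the public-policy test is a heuristic."""
import json

# Constructed config fragment (already parsed from YAML into a dict).
CENTRAL_LOG_BUCKET = {
    "lifecycleRules": [{"enabled": True, "id": "CentralLifecycleRule-01", "expiration": 365}],
    "s3ResourcePolicyAttachments": [{"policy": "s3-policies/central-log-policy.json"}],
    "kmsResourcePolicyAttachments": [{"policy": "kms-policies/central-log-key-policy.json"}],
    "importedBucket": {
        "name": "central-log-bucket",
        "applyAcceleratorManagedBucketPolicy": True,
        "createAcceleratorManagedKey": False,   # bucket stays on SSE-S3
    },
}

# Constructed stand-in for the policy files on disk (path -> file contents).
POLICY_FILES = {
    "s3-policies/central-log-policy.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # cross-account write with a wildcard principal, constrained by Condition
                "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::central-log-bucket/*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLE"}},
            },
            {   # unconditional anonymous read: the shape Block Public Access rejects
                "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::central-log-bucket/*",
            },
        ],
    }),
}


def exclusivity_errors(cfg):
    """Violations of the 'cannot be used together' rules stated for each property."""
    errors = []
    overrides = cfg.get("customPolicyOverrides") or {}
    imported = cfg.get("importedBucket") or {}
    if cfg.get("s3ResourcePolicyAttachments") and overrides.get("s3Policy"):
        errors.append("s3ResourcePolicyAttachments conflicts with customPolicyOverrides.s3Policy")
    if cfg.get("kmsResourcePolicyAttachments") and overrides.get("kmsPolicy"):
        errors.append("kmsResourcePolicyAttachments conflicts with customPolicyOverrides.kmsPolicy")
    # An imported SSE-S3 bucket has no accelerator-managed key for the statements to land on.
    if imported.get("createAcceleratorManagedKey") is False and "kmsResourcePolicyAttachments" in cfg:
        errors.append("kmsResourcePolicyAttachments must be undefined when "
                      "importedBucket.createAcceleratorManagedKey is false")
    return errors


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_doc):
    """Allow statements with a wildcard principal and no Condition: the shape an
    account with Block Public Access enabled will refuse to put on the bucket."""
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def lint_central_log_bucket(cfg, files):
    """Run both checks; returns (config errors, {policy path: [offending statements]})."""
    public = {}
    for att in cfg.get("s3ResourcePolicyAttachments", []):
        bad = public_statements(json.loads(files[att["policy"]]))
        if bad:
            public[att["policy"]] = bad
    return exclusivity_errors(cfg), public


if __name__ == "__main__":
    errs, pub = lint_central_log_bucket(CENTRAL_LOG_BUCKET, POLICY_FILES)
    for e in errs:
        print("config:", e)
    for path, stmts in pub.items():
        print(f"{path}: {len(stmts)} statement(s) would make the bucket public")
```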

centralizedLoggingRegion string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
cloudwatchLogs object

CloudWatch Logs Configuration

Key Features

  • Configure logs encryption
  • Manage Subscriptions for CloudWatch Logs
  • Enable CloudWatch Logs replication

Example

```yaml
cloudwatchLogs:
  dynamicPartitioning: path/to/filter.json
  # default is true, if undefined this is set to true
  # if set to false, no replication is performed which is useful in test or temporary environments
  enable: true
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root
  replaceLogDestinationArn: arn:aws:logs:us-east-1:111111111111:destination:ReplaceDestination
  exclusions:
    # in these OUs do not do log replication
    - organizationalUnits:
        - Research
        - ProofOfConcept
      excludeAll: true
    # in these accounts exclude pattern testApp
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      logGroupNames:
        - testApp*
    # in these accounts exclude logs in specific regions
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      regions:
        - us-west-2
        - eu-west-1
      logGroupNames:
        - pattern1*
  dataProtection:
    managedDataIdentifiers:
      categories:
        - Credentials
    deploymentTargets:
      organizationalUnits:
        - Root
```

12 nested properties
dataProtection object

CloudWatch Log Data Protection Configuration

Allows the enablement of CloudWatch Logs data protection.

Example

```yaml
dataProtection:
  managedDataIdentifiers:
    categories:
      - Credentials
  deploymentTargets:
    organizationalUnits:
      - Root
```

dynamicPartitioning string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
dynamicPartitioningByAccountId boolean

Dynamic Partitioning by Account ID (Optional)

Whether or not the ID of the account that produced the CloudWatch Logs should be used in the partitioning strategy of the logs. For example: s3://<central-logs-bucket>/CloudWatchLogs/<account id>/.

Use With Dynamic Partitioning

If dynamicPartitioning is also being used, the Account ID will come before the supplied S3 prefix. For example, the following filter would result in s3://<central-logs-bucket>/CloudWatchLogs/<account id>/s3-prefix/ being used as the partition.

```json
{ "logGroupPattern": "LogGroupName", "s3Prefix": "s3-prefix" }
```

enable boolean

Enable Replication (Optional)

Whether or not to enable CloudWatch Logs replication.

Default: true
encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

Exclusions (Optional)

Configure log groups to exclude from replication.
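The exclusions list and the dynamicPartitioning / dynamicPartitioningByAccountId settings described above together decide, for every log group, whether it is replicated at all and where its copy lands in the central logs bucket. The resolver below is an added example, not Landing Zone Accelerator code. It assumes that an exclusion rule's organizationalUnits, accounts and regions narrow the rule's scope (a rule naming none of them applies everywhere), that logGroupNames and logGroupPattern are matched as shell-style globs, and that a log group no partition rule matches falls back to the bare CloudWatchLogs/ prefix; the sample exclusions and filter are constructed from the cloudwatchLogs example above.

```python
"""Resolve one log group's replication decision and destination prefix from the
exclusions list and the dynamicPartitioning filter.  Added example, not LZA code;
scope and glob-matching semantics are this example's assumptions."""
from fnmatch import fnmatch

# Constructed: the exclusions list from the cloudwatchLogs example above.
EXCLUSIONS = [
    {"organizationalUnits": ["Research", "ProofOfConcept"], "excludeAll": True},
    {"accounts": ["WorkloadAccount1"], "logGroupNames": ["testApp*"]},
    {"accounts": ["WorkloadAccount1"], "regions": ["us-west-2", "eu-west-1"],
     "logGroupNames": ["pattern1*"]},
]

# Constructed: contents of the file named by dynamicPartitioning (JSON shape shown above).
PARTITION_RULES = [
    {"logGroupPattern": "LogGroupName", "s3Prefix": "s3-prefix"},
    {"logGroupPattern": "/aws/lambda/*", "s3Prefix": "lambda"},
]


def _in_scope(rule, ou, account, region):
    """True when the rule's OU / account / region qualifiers include this origin (assumption)."""
    if "organizationalUnits" in rule or "accounts" in rule:
        if ou not in rule.get("organizationalUnits", []) \
                and account not in rule.get("accounts", []):
            return False
    if "regions" in rule and region not in rule["regions"]:
        return False
    return True


def is_excluded(exclusions, ou, account, region, log_group):
    """Would any exclusion rule stop this log group from being replicated?"""
    for rule in exclusions:
        if not _in_scope(rule, ou, account, region):
            continue
        if rule.get("excludeAll"):
            return True
        if any(fnmatch(log_group, pat) for pat in rule.get("logGroupNames", [])):
            return True
    return False


def partition_prefix(rules, bucket, account_id, log_group, by_account_id):
    """S3 location of the replicated copy.  With dynamicPartitioningByAccountId the
    account ID sits before the matching rule's s3Prefix, as documented:
    s3://<bucket>/CloudWatchLogs/<account id>/<s3Prefix>/.  No matching rule:
    fall back to the bare CloudWatchLogs/ prefix (assumption)."""
    prefix = f"s3://{bucket}/CloudWatchLogs/"
    if by_account_id:
        prefix += f"{account_id}/"
    for rule in rules:
        if fnmatch(log_group, rule["logGroupPattern"]):
            return prefix + rule["s3Prefix"].strip("/") + "/"
    return prefix


def route(log_group, *, ou, account, account_id, region,
          bucket="central-logs-bucket", by_account_id=True):
    """None when the log group is excluded, otherwise its destination prefix."""
    if is_excluded(EXCLUSIONS, ou, account, region, log_group):
        return None
    return partition_prefix(PARTITION_RULES, bucket, account_id, log_group, by_account_id)


if __name__ == "__main__":
    samples = [
        ("LogGroupName", dict(ou="Workloads", account="WorkloadAccount2",
                              account_id="222222222222", region="us-east-1")),
        ("testApp-api", dict(ou="Workloads", account="WorkloadAccount1",
                             account_id="111111111111", region="us-east-1")),
        ("pattern1-db", dict(ou="Workloads", account="WorkloadAccount1",
                             account_id="111111111111", region="eu-west-1")),
        ("anything", dict(ou="Research", account="Lab1",
                          account_id="333333333333", region="us-east-1")),
    ]
    for lg, origin in samples:
        print(f"{lg:14} -> {route(lg, **origin)}")
```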

firehose object

CloudWatch Firehose Configuration

Configuration for the CloudWatch Logs Firehose.

Example

```yaml
logging:
  cloudwatchLogs:
    firehose:
      fileExtension: json.gz
      lambdaProcessor:
        retries: 3
        bufferSize: 0.2
        bufferInterval: 60
```

kinesis object

CloudWatch Kinesis Configuration

Configuration for the Kinesis data stream used by CloudWatch Logs replication.

Key Features

  • Real-time Processing: Stream CloudWatch Logs data in real-time for immediate analysis
  • Scalable Throughput: Configure capacity based on your data volume requirements
  • Flexible Retention: Store data for 24 hours to 365 days for replay and reprocessing
  • Cost Optimization: Choose between on-demand and provisioned capacity modes
  • Integration Ready: Seamlessly integrates with AWS analytics and processing services

Example

```yaml
logging:
  cloudwatchLogs:
    kinesis:
      streamingMode: PROVISIONED
      shardCount: 5
      retention: 240
```

organizationIdConditionSupported boolean

Organization ID Condition (Optional)

Whether or not a list of account IDs is used instead of a principal organization condition in the CloudWatch Logs destination access policy. Useful in partitions where the principal organization condition is not supported.

replaceLogDestinationArn string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
skipBulkUpdate object

Skip Bulk Update Configuration

Configuration to skip the bulk update of CloudWatch Logs. Warning: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable this option if you fully understand the implications.

subscription object

CloudWatch Subscription Configuration

Configuration for the CloudWatch Logs subscription.

Example

```yaml
logging:
  cloudwatchLogs:
    subscription:
      type: ACCOUNT
      selectionCriteria: 'LogGroupName NOT IN [ /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor development AppA]'
      overrideExisting: true
```

elbLogBucket object

ELB Log Bucket Configuration

Configuration for the ELB log bucket used to store Elastic Load Balancer access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Regional Deployment: Deploy buckets in each operating region

Example

```yaml
elbLogBucket:
  lifecycleRules:
    - enabled: true
      id: ElbLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: elb-logs-bucket
    applyAcceleratorManagedBucketPolicy: true
```

4 nested properties
customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the ELB log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: ElbLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/elb-log-policy.json
  - policy: s3-policies/cross-account-access.json
```

managementAccountAccessRole string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
acceleratorMetadata object

Accelerator Metadata Configuration

Used to enable accelerator metadata logs.

Example

```yaml
acceleratorMetadata:
  enable: true
  account: Logging
  readOnlyAccessRoleArns:
    - arn:aws:iam::111111111111:role/test-access-role
```

3 nested properties
account string required

Account (Required)

The account to save the logs in. A new S3 Bucket will be created for this purpose.

enable boolean required

Enable (Required)

Determines whether or not accelerator metadata is captured.

readOnlyAccessRoleArns string[] required

Read-Only Access Role ARNs (Required)

List of role ARNs that should have read-only access to the logs.

acceleratorSettings object

Accelerator Settings Configuration

Contains additional configuration settings for the Accelerator. Allows for the configuration of the maximum concurrent stacks that can be processed at a given time.

Example

```yaml
acceleratorSettings:
  maxConcurrentStacks: 100
```

1 nested properties
maxConcurrentStacks number

Max Concurrent Stacks (Optional)

Set the maximum number of concurrent stacks that can be processed at a time while transpiling the application.

Default: 100
backup object

Backup Configuration

Enables the setup of Backups.

Example

```yaml
backup:
  vaults:
    - name: BackupVault
      deploymentTargets:
        organizationalUnits:
          - Root
```

1 nested properties
vaults IVaultConfig[] required

Vaults (Required)

Configuration for Backup Vaults.

cdkOptions object

CDK Options

Manage the behavior of CDK within LZA.

Key Features

  • Centralize Buckets: Determines whether CDK will use a single, centralized S3 bucket per region
  • Deployment Role Management: Determines whether CDK will use a custom execution role for CDK operations

Example

```yaml
cdkOptions:
  centralizeBuckets: true
  useManagementAccessRole: true
  deploymentMethod: 'direct'
```

6 nested properties
centralizeBuckets boolean required

Centralize Buckets (Required)

When the accelerator deploys resources using the AWS CDK, assets are first built and stored in S3. By default, the S3 bucket is located within the deployment target account. Enabling this feature will utilize an S3 bucket within the management account instead.

useManagementAccessRole boolean required

Use Management Access Role (Required)

Indicates whether CDK operations use the IAM role specified in the managementAccountAccessRole option of the global config rather than the default roles created by CDK.

customDeploymentRole string

Custom Deployment Role (Optional)

Create a deployment role in all accounts in the home region with the specified name. This role is used by the LZA for all CDK deployment tasks.

deploymentMethod string

Deployment Method (Optional)

Manage the CDK deployment method for the LZA.

Options

  • 'direct': Default used by the LZA
  • 'change-set': Provides additional progress information, can increase deployment time
Default: "direct"
Values: "change-set" "direct"
forceBootstrap boolean

Force Bootstrap (Optional)

Forces the Accelerator to deploy the bootstrapping stack and bypass the SSM parameter check. This option is needed when adding or removing a custom deployment role.

Default: false
skipStaticValidation boolean

Skip Static Validation (Optional)

When enabled, the LZA pipeline will skip the static config validation step during the build phase. Helpful in cases where the config validator incorrectly throws errors for a valid configuration.

centralRootUserManagement object

Central Root User Management Configuration

Configure how root management is controlled within the organization.

Example

```yaml
centralRootUserManagement:
  enable: true
  capabilities:
    rootCredentialsManagement: true
    allowRootSessions: true
```

2 nested properties
capabilities object required

Root User Management Capabilities Configuration

Determines how root user management is controlled within the organization.

2 nested properties
allowRootSessions boolean required

Allow Root Sessions (Required)

Determines whether root user sessions are allowed.

rootCredentialsManagement boolean required

Root Credentials Management (Required)

Determines whether root user credentials are managed by the organization.

enable boolean required

Enable (Required)

Determines whether root user management is enabled for the organization.

centralizeCdkBuckets object

Centralized CDK Buckets Configuration

1 nested properties
enable boolean required
defaultEventBus object

Default Event Bus Configuration

Define policies for the default event bus.

Example

```yaml
defaultEventBus:
  policy: path-to-my-policy
```

2 nested properties
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

policy string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
enableOptInRegions boolean

Enable opt-in Regions (Optional)

Whether or not to automatically enable the configured opt-in regions for all LZA-managed accounts.

When enableOptInRegions is set to true, it will only enable the opt-in regions that are also listed in the enabledRegions configuration.

Default: false
externalLandingZoneResources object

External Landing Zone Resources Configuration

Used for importing resources from an Amazon Secure Environment Accelerator (ASEA) environment into the LZA.

Example

```yaml
externalLandingZoneResourcesConfig:
  importExternalLandingZoneResources: true
```

4 nested properties
acceleratorName string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
acceleratorPrefix string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importExternalLandingZoneResources boolean required

Import External Landing Zone Resources (Required)

Setting this flag indicates that this is an Amazon Secure Environment Accelerator (ASEA) environment and imports ASEA resources to the LZA.

mappingFileBucket string

Mapping File Bucket (Optional)

The name of the bucket that contains the mapping file.

lambda object

Lambda Configuration

Customize the encryption used for lambda environment variables.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

1 nested properties
encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether or not an AWS KMS CMK is used for encryption. When set to true, an AWS KMS CMK is used; when set to false, a service-managed KMS key is used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

AWS Service Quota Limit Configuration

Enables the creation of service quota increases for accounts within the LZA deployment.

Considerations

  • Service quotas define the maximum number of service resources or operations for your AWS account.
  • Service quota increases are processed asynchronously and may require approval.
  • Some quotas require AWS Support cases for increases beyond certain thresholds.
  • Quotas are account-specific and region-specific (where applicable).
  • You can find service and quota codes in the AWS Service Quotas console.

For more information, see:

Example

```yaml
limits:
  # Increase Lambda concurrent executions
  - serviceCode: lambda
    quotaCode: L-B99A9384
    desiredValue: 1000
    deploymentTargets:
      organizationalUnits:
        - Root
    regions:
      - us-west-2

  # Increase IAM roles per account (global quota - no regions needed)
  - serviceCode: iam
    quotaCode: L-4019AD8B
    desiredValue: 15
    deploymentTargets:
      accounts:
        - SharedServices

  # Increase VPCs per region
  - serviceCode: vpc
    quotaCode: L-F678F1CE
    desiredValue: 20
    deploymentTargets:
      organizationalUnits:
        - Security
        - Infrastructure
    regions:
      - us-east-1
      - us-west-2

  # Increase Route 53 Resolver rules per region
  - serviceCode: route53resolver
    quotaCode: L-4A669CC0
    desiredValue: 10
    deploymentTargets:
      organizationalUnits:
        - Infrastructure
```

reports object

Reports Configuration

Used to configure reports for the LZA deployment.

Key Features

  • Configure cost and usage reports
  • Configure budget reports

Example

```yaml
costAndUsageReport:
  compression: Parquet
  format: Parquet
  reportName: accelerator-cur
  s3Prefix: cur
  timeUnit: DAILY
  refreshClosedReports: true
  reportVersioning: CREATE_NEW_REPORT
  lifecycleRules:
    storageClass: DEEP_ARCHIVE
    enabled: true
    multiPart: 1
    expiration: 1825
    deleteMarker: false
    nonCurrentExpiration: 366
    transitionAfter: 365
budgets:
  - name: accel-budget
    timeUnit: MONTHLY
    type: COST
    amount: 2000
    includeUpfront: true
    includeTax: true
    includeSupport: true
    includeSubscription: true
    includeRecurring: true
    includeOtherSubscription: true
    includeDiscount: true
    includeCredit: false
    includeRefund: false
    useBlended: false
    useAmortized: false
    unit: USD
    notifications:
      - type: ACTUAL
        thresholdType: PERCENTAGE
        threshold: 90
        comparisonOperator: GREATER_THAN
        subscriptionType: EMAIL
        address: [email protected]
```

2 nested properties

Budget Reports (Optional)

Configuration for budget reports.

Example

```yaml
budgets:
  - name: accel-budget
    timeUnit: MONTHLY
    type: COST
    amount: 2000
    includeUpfront: true
    includeTax: true
    includeSupport: true
    includeSubscription: true
    includeRecurring: true
    includeOtherSubscription: true
    includeDiscount: true
    includeCredit: false
    includeRefund: false
    useBlended: false
    useAmortized: false
    unit: USD
    notifications:
      - type: ACTUAL
        thresholdType: PERCENTAGE
        threshold: 90
        comparisonOperator: GREATER_THAN
        subscriptionType: EMAIL
        address: [email protected]
```

costAndUsageReport object

Cost and Usage Report Configuration

Configuration for AWS Cost and Usage Reports (CUR) that provides comprehensive cost and usage data for your AWS account. These reports are delivered to an S3 bucket and can be used for detailed cost analysis and billing insights.

Key Features

  • Flexible Reporting: Configure time granularity from hourly to monthly
  • Multiple Formats: Support for CSV, text, and Parquet formats with various compression options
  • Data Integration: Generate manifests for integration with Amazon Redshift, QuickSight, and Athena
  • Lifecycle Management: Configure S3 lifecycle rules for cost optimization
  • Version Control: Choose between creating new reports or overwriting existing ones

Usage Example

```yaml
costAndUsageReport:
  compression: Parquet
  format: Parquet
  reportName: accelerator-cur
  s3Prefix: cur
  timeUnit: DAILY
  refreshClosedReports: true
  reportVersioning: CREATE_NEW_REPORT
  lifecycleRules:
    - enabled: true
      id: CostAndUsageBucketLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
```

10 nested properties
compression string required

Compression Format (Required)

The compression format that AWS uses for the report files.

Example

```yaml
compression: Parquet
```

format string required

Report Format (Required)

The format that AWS saves the report in.

Example

```yaml
format: Parquet
```

refreshClosedReports boolean required

Refresh Closed Reports (Required)

Whether AWS should update your reports after they have been finalized if AWS detects charges related to previous months. These charges can include refunds, credits, or support fees.

When to Enable

  • Enable if you need the most accurate historical data
  • Enable if you frequently receive refunds or credits
  • Enable for compliance and auditing requirements

When to Disable

  • Disable if you prefer immutable historical reports
  • Disable to reduce processing overhead

Example

```yaml
refreshClosedReports: true
```

reportName string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
reportVersioning string required

Report Versioning (Required)

Whether AWS should overwrite the previous version of each report or deliver the report in addition to the previous versions.

Available Options

  • CREATE_NEW_REPORT: Creates a new report file for each delivery (recommended)
  • OVERWRITE_REPORT: Overwrites the previous report file

Considerations

  • CREATE_NEW_REPORT provides better audit trail and version history
  • OVERWRITE_REPORT uses less storage but loses historical versions

Example

```yaml
reportVersioning: CREATE_NEW_REPORT
```

s3Prefix string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
timeUnit string required

Time Unit (Required)

The granularity of the line items in the report. This determines how frequently the report data is aggregated.

Available Options

  • HOURLY: Hourly granularity (most detailed, higher costs)
  • DAILY: Daily granularity (recommended for most use cases)
  • MONTHLY: Monthly granularity (least detailed, lower costs)

Cost Considerations

  • Hourly reports are more expensive but provide the most detail
  • Daily reports offer a good balance of detail and cost
  • Monthly reports are the most cost-effective but least granular

Example

```yaml
timeUnit: DAILY
```

additionalArtifacts string[]

Additional Artifacts (Optional)

A list of manifests that AWS creates for this report to enable integration with other AWS analytics services.

Available Artifacts

  • REDSHIFT: Creates manifest files for Amazon Redshift integration
  • QUICKSIGHT: Creates manifest files for Amazon QuickSight integration
  • ATHENA: Creates manifest files for Amazon Athena integration

Example

```yaml
additionalArtifacts:
  - ATHENA
  - QUICKSIGHT
```

additionalSchemaElements NonEmptyString[]

Additional Schema Elements (Optional)

Additional content that AWS includes in the report, such as individual resource IDs. These elements provide more granular data for detailed cost analysis.

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configuration for S3 bucket lifecycle rules to manage the cost and storage of your Cost and Usage Reports over time.

Key Benefits

  • Automatically transition older reports to cheaper storage classes
  • Set expiration policies to delete old reports
  • Optimize storage costs for long-term report retention

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CostAndUsageBucketLifecycleRule-01
    expiration: 2555 # 7 years
    transitions:
      - storageClass: STANDARD_IA
        transitionAfter: 30
      - storageClass: GLACIER
        transitionAfter: 365
      - storageClass: DEEP_ARCHIVE
        transitionAfter: 1095 # 3 years
```

s3 object

S3 Global Configuration

Manage S3 settings for accounts managed by the LZA deployment. Configure the encryption settings for S3 buckets used throughout the deployment.

Example

```yaml
s3:
  encryption:
    createCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root
```

1 nested properties
encryption object

S3 Encryption Configuration

Configure encryption settings for S3 buckets deployed by the Landing Zone Accelerator. This configuration allows you to control whether AWS KMS Customer Managed Keys (CMKs) are used for S3 server-side encryption across your organization.

Key Features

  • Flexible Encryption: Choose between AWS KMS CMK or default S3 encryption
  • Targeted Deployment: Apply encryption settings to specific organizational units or accounts
  • Compliance Support: Helps meet regulatory requirements for data encryption at rest

Important Considerations

  • Always Encrypted Buckets: The following buckets always use CMK regardless of this setting:
    - LZA Installer bucket
    - CodePipeline artifact bucket
    - Solution-deployed CentralLogs bucket

Example

```yaml
encryption:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Security
      - Production
    excludedAccounts:
      - Development
```

2 nested properties
createCMK boolean required

Create CMK (Required)

When enabled, the solution will create and use an AWS KMS CMK for S3 server-side encryption. The following buckets always use CMK regardless of this setting:

  • Installer bucket
  • Pipeline bucket
  • Solution-deployed CentralLogs bucket
Default: true
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

snsTopics object

SNS Configuration

Used to set up and configure SNS Topics within the LZA environment.

Example

```yaml
snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - [email protected]
```

2 nested properties
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

topics ISnsTopicConfig[] required

SNS Topic Configuration (Required)

List of SNS Topics to be created by the solution.

sqs object

SQS Configuration

Configure SQS encryption for the solution.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

1 nested properties
encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether a customer managed KMS key (CMK) is used for encryption. When set to true, the accelerator encrypts with a customer managed KMS key, which gives you control over the key policy, rotation and auditing. When set to false, the service's own managed key is used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

ssmInventory object

SSM Inventory Configuration

Enable SSM Inventory within the deployment.

Example (the property is named ssmInventory, matching the schema above)

```yaml
ssmInventory:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
```

2 nested properties
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

enable boolean required

Enable (Required)

Whether or not to enable SSM Inventory.

ssmParameters ISsmParametersConfig[]

SSM parameter configurations (Optional)

Create SSM parameters through the LZA. Parameters can be deployed to Organizational Units or Accounts through the use of deployment targets.

Example

```yaml
ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: WorkloadParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'
```

stackPolicy object

CloudFormation Stack Policy Configuration

The CloudFormation stack policy configuration determines which stack resources can be replaced or deleted during a stack update. When this block is omitted, any existing stack policies remain in effect and unchanged. This intentionally differs from the usual LZA convention of treating an omitted setting as false: it lets organizations manage stack policies through mechanisms outside LZA if they prefer.

Example

```yaml
stackPolicy:
  enable: true
  protectedTypes:
    - "AWS::EC2::InternetGateway"
    - "AWS::EC2::NatGateway"
    - "AWS::EC2::PrefixList"
    - "AWS::EC2::Route"
    - "AWS::EC2::RouteTable"
    - "AWS::EC2::SubnetRouteTableAssociation"
    - "AWS::EC2::TransitGateway"
    - "AWS::EC2::TransitGatewayPeeringAttachment"
    - "AWS::EC2::TransitGatewayRoute"
    - "AWS::EC2::TransitGatewayRouteTable"
    - "AWS::EC2::TransitGatewayRouteTableAssociation"
    - "AWS::EC2::TransitGatewayRouteTablePropagation"
    - "AWS::EC2::TransitGatewayVpcAttachment"
    - "AWS::EC2::VPC"
    - "AWS::EC2::VPCCidrBlock"
    - "AWS::EC2::VPCEndpoint"
    - "AWS::EC2::VPCGatewayAttachment"
    - "AWS::NetworkFirewall::Firewall"
    - "AWS::NetworkFirewall::LoggingConfiguration"
    - "AWS::RAM::ResourceShare"
```

2 nested properties
enable boolean required

Enable (Required)

Indicates whether stack policies are enabled for the organization. When enabled, the listed resource types are protected against Update:Replace and Update:Delete, so a stack update that would replace or delete one of them is refused by CloudFormation; other update actions on those resources remain allowed.

protectedTypes string[] required

Protected Types (Required)

A list of CloudFormation resource types that should be protected for Update:Replace and Update:Delete operations.

Example

```yaml
protectedTypes:
  - "AWS::EC2::InternetGateway"
  - "AWS::EC2::NatGateway"
```
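The protection described above is expressed, on the CloudFormation side, as a stack policy document: an Allow for Update:* followed by a Deny of the two destructive actions conditioned on ResourceType. The following is an added example, not the accelerator's own generator, that renders such a document from a stackPolicy block and evaluates it for a given resource type and update action. The Allow/Deny statement shape is standard CloudFormation stack policy syntax; the exact statements LZA emits are not documented on this page and may differ.

```python
"""Render and evaluate the CloudFormation stack policy a stackPolicy
block implies. Added example; not code from the LZA project."""
import json

PROTECTED_ACTIONS = ["Update:Replace", "Update:Delete"]


def render_stack_policy(stack_policy_config):
    """Return a stack policy document (dict) for a stackPolicy config block.

    A missing or disabled block returns None, mirroring the page's note that
    an omitted stackPolicy leaves any existing policy untouched.
    """
    if not stack_policy_config or not stack_policy_config.get("enable"):
        return None
    protected = sorted(set(stack_policy_config.get("protectedTypes", [])))
    if not protected:
        raise ValueError("stackPolicy.enable is true but protectedTypes is empty")
    for rtype in protected:
        # CloudFormation resource types look like AWS::Service::Resource
        if not rtype.startswith("AWS::") or rtype.count("::") != 2:
            raise ValueError(f"not a CloudFormation resource type: {rtype}")
    return {
        "Statement": [
            {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Principal": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"ResourceType": protected}},
            },
        ]
    }


def is_protected(stack_policy_doc, resource_type, action):
    """True if the policy blocks `action` on a resource of `resource_type`.

    Deny wins over Allow; with no matching statement CloudFormation denies
    the update, so an unmatched action is also reported as protected.
    """
    if stack_policy_doc is None:
        return False
    allowed = False
    for stmt in stack_policy_doc["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == action or a == "Update:*" for a in actions):
            continue
        types = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
        if types is not None and resource_type not in types:
            continue
        if stmt["Effect"] == "Deny":
            return True
        allowed = True
    return not allowed


if __name__ == "__main__":
    doc = render_stack_policy({"enable": True,
                               "protectedTypes": ["AWS::EC2::VPC", "AWS::EC2::NatGateway"]})
    print(json.dumps(doc, indent=2))
```

A useful check before enabling the block for real is to run is_protected against the resource types your own stacks update in place (for example AWS::EC2::Route when routes change), confirming that only Replace and Delete are refused and ordinary Update:Modify still goes through.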

tags ITag[]

Tags (Optional)

Global tags to be applied to all resources created by the solution.

Note LZA will not apply the tags to all resource types. Excluded types include Transit Gateway Route Tables and Route53 Resolver Endpoints.

Example

```yaml
tags:
  - key: Environment
    value: Dev
  - key: ResourceOwner
    value: AcmeApp
  - key: CostCenter
    value: '123'
```

terminationProtection boolean

Termination Protection (Optional)

Whether or not termination protection should be enabled for this stack

useV2Stacks boolean

V2 Stacks (Optional)

Whether or not V2 Stacks should be enabled.

When enabled, LZA places newly defined resources in separate CloudFormation stacks to avoid exceeding the 500-resources-per-stack limit. Pre-existing resources are preserved in their original stacks.

Default: false
IImportedCustomerManagedEncryptionKeyBucketConfig object

Imported S3 Bucket Configuration (Customer Managed Encryption)

Configuration for importing existing S3 buckets with customer-managed KMS encryption (SSE-KMS). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that uses or should use customer-managed KMS keys for encryption.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • KMS Key Management: Option to create and manage KMS keys for the bucket
  • Policy Management: Optional application of accelerator-managed policies
  • Encryption Enhancement: Upgrade existing buckets to use customer-managed keys

Usage Example

```yaml
importedBucket:
  name: existing-sensitive-data-bucket
  applyAcceleratorManagedBucketPolicy: true
  createAcceleratorManagedKey: true
```

name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Default: false
createAcceleratorManagedKey boolean

Create Accelerator Managed KMS Key (Optional)

Controls whether the accelerator should create a new customer-managed KMS key and apply it to the imported bucket for encryption. When enabled, enhances bucket security with dedicated encryption key management.

Key Creation Process

When true:

  • Creates a new customer-managed KMS key specifically for this bucket
  • Applies accelerator-managed key policy with appropriate service permissions
  • Configures bucket to use the new key for server-side encryption
  • Integrates key permissions with enabled security and logging services

When false (default):

  • Preserves existing bucket encryption configuration
  • Uses current encryption method (S3-managed, existing KMS key, or none)
  • No new KMS key creation or encryption changes
  • Existing encryption settings remain unchanged

Important Warnings

Irreversible Change: Once the accelerator pipeline executes with this value set to true, changing it back to false will cause CloudFormation stack failures. The KMS key becomes a permanent part of the infrastructure.

Default: false
IImportedS3ManagedEncryptionKeyBucketConfig object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options

```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

Important Considerations

When true:

  • The accelerator REPLACES the existing bucket resource policy
  • Combines accelerator-generated policies with external policy files
  • Ensures compatibility with enabled security services
  • WARNING: removes any existing custom S3 policies on the bucket

When false (default):

  • Preserves the existing bucket resource policy
  • Only adds policies from external s3ResourcePolicyAttachments files
  • No changes if no external policy files are provided
  • Existing policies remain intact

Best Practices

  • Set to true for buckets that need full accelerator integration
  • Set to false for buckets with critical existing policies
  • Review existing policies before enabling accelerator management
  • Test policy changes in non-production environments first

Default: false
ILambdaConfig object

Lambda Configuration

Customize the encryption used for lambda environment variables.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether a customer managed KMS key (CMK) is used for encryption. When set to true, the accelerator encrypts Lambda environment variables with a customer managed KMS key, which gives you control over the key policy, rotation and auditing. When set to false, the service's own managed key is used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

ILifecycleRule object

S3 Bucket Lifecycle Rule Configuration

Defines lifecycle management rules for S3 buckets to automatically transition objects between storage classes and manage object expiration. Lifecycle rules help optimize storage costs and manage data retention policies.

Key Features

  • Cost Optimization: Automatically transition objects to cheaper storage classes
  • Data Management: Set expiration policies for automatic cleanup
  • Version Control: Manage current and non-current object versions separately
  • Prefix Filtering: Apply rules to specific object prefixes or entire buckets

Usage Example


  - enabled: true     id: ArchiveLifecycle     expiredObjectDeleteMarker: true     noncurrentVersionExpiration: 90     transitions:       - storageClass: DEEP_ARCHIVE         transitionAfter: 180 ```
abortIncompleteMultipartUpload number

Abort Incomplete Multipart Uploads (Optional)

Number of days after which incomplete multipart uploads are automatically aborted and cleaned up. This helps prevent storage costs from abandoned multipart uploads.

Benefits

  • Cost Control: Prevents charges for incomplete upload parts
  • Storage Cleanup: Automatically removes orphaned multipart data
  • Operational Hygiene: Maintains clean bucket state

Considerations

  • Set based on your typical upload patterns and file sizes
  • Consider network reliability and upload duration requirements
  • Balance between cost control and operational flexibility
enabled boolean

Rule Enabled (Optional)

Controls whether this lifecycle rule is active and enforced. Allows you to temporarily disable rules without removing them from the configuration.

Default: true
expiration number

Object Expiration (Optional)

Number of days after object creation when objects are permanently deleted from the bucket. This implements automatic data retention policies and helps manage storage costs for time-sensitive data.

Use Cases

  • Log Retention: Automatically delete old log files
  • Compliance: Enforce data retention policies
  • Cost Management: Remove data that's no longer needed
  • Regulatory Requirements: Meet data disposal requirements

Important Considerations

  • Irreversible: Expired objects are permanently deleted
  • Compliance: Ensure retention periods meet regulatory requirements
  • Business Needs: Consider future data access requirements
  • Backup Strategy: Ensure critical data is backed up before expiration
expiredObjectDeleteMarker boolean

Expired Object Delete Marker Cleanup (Optional)

Controls whether S3 automatically removes delete markers that have no non-current versions. This helps clean up versioned buckets and reduce storage costs from orphaned delete markers.

Benefits When Enabled

  • Cost Reduction: Eliminates charges for orphaned delete markers
  • Storage Optimization: Keeps bucket metadata clean
  • Operational Efficiency: Reduces clutter in versioned buckets
Default: false
id string

Rule Identifier (Optional)

Unique, human-readable name for the lifecycle rule within the bucket. Used for rule identification, management, and troubleshooting.

noncurrentVersionExpiration number

Non-Current Version Expiration (Optional)

Number of days after an object version becomes non-current when it should be permanently deleted. This manages storage costs for versioned buckets by cleaning up old object versions.

Considerations

  • Recovery Needs: Balance cost vs. ability to recover old versions
  • Compliance: Some regulations require version retention
  • Storage Costs: Non-current versions incur full storage charges
  • Access Patterns: Consider how often old versions are accessed
noncurrentVersionTransitions ITransition[]

Non-Current Version Transitions (Optional)

Array of transition rules that specify when non-current object versions should move to different storage classes. This optimizes costs for versioned buckets by moving old versions to cheaper storage.

Storage Class Optimization

Non-current versions are typically accessed less frequently than current versions, making them ideal candidates for cheaper storage classes.

prefix string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
transitions ITransition[]

Current Version Transitions (Optional)

Array of transition rules that specify when current objects should move to different storage classes. This implements cost optimization strategies based on data access patterns and age.

Cost Optimization Strategy

Design transitions based on your data access patterns:

  • Frequently Accessed: Keep in Standard storage
  • Infrequently Accessed: Transition to Standard-IA
  • Archive Data: Move to Glacier or Deep Archive
  • Long-term Retention: Use Deep Archive for lowest cost
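The ILifecycleRule properties above map one-to-one onto the rule elements of an S3 lifecycle configuration, but S3 rejects some combinations that the schema alone does not forbid: ExpiredObjectDeleteMarker cannot share an Expiration element with Days, and a transition must fire before the matching expiration. The following is an added example, not the accelerator's own code, that converts a lifecycleRules list into the S3 LifecycleConfiguration request shape and reports those conflicts, so a retention rule for a log bucket can be checked before it is deployed. The input field names are the page's; the valid storage-class set is the one S3 accepts for transitions.

```python
"""Translate ILifecycleRule blocks into the S3 LifecycleConfiguration rule
shape and validate the combinations S3 rejects. Added example; not code
from the LZA project."""

# Storage classes S3 accepts as lifecycle transition targets
VALID_CLASSES = {"STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING",
                 "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"}


def _positive(value, name):
    """Lifecycle day counts must be positive integers (bool is rejected too)."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value


def _transitions(items, days_key, expiry, rule_id):
    """Validate storage classes and that each transition precedes expiry."""
    result = []
    for t in items:
        if t["storageClass"] not in VALID_CLASSES:
            raise ValueError(f"{rule_id}: unknown storage class {t['storageClass']}")
        days = _positive(t["transitionAfter"], "transitionAfter")
        # S3 requires the expiration day count to exceed every transition's
        if expiry is not None and days >= expiry:
            raise ValueError(f"{rule_id}: transition at day {days} is not before expiry at day {expiry}")
        result.append({days_key: days, "StorageClass": t["storageClass"]})
    return result


def to_s3_rule(rule, index=0):
    """Return the S3 API rule dict for one ILifecycleRule block."""
    out = {"ID": rule.get("id", f"rule-{index}"),
           "Status": "Enabled" if rule.get("enabled", True) else "Disabled",
           "Filter": {"Prefix": rule.get("prefix", "")}}

    expiration = {}
    if "expiration" in rule:
        expiration["Days"] = _positive(rule["expiration"], "expiration")
    if rule.get("expiredObjectDeleteMarker"):
        # S3 rejects ExpiredObjectDeleteMarker alongside Days in one Expiration
        if "Days" in expiration:
            raise ValueError(f"{out['ID']}: expiredObjectDeleteMarker cannot be combined with expiration")
        expiration["ExpiredObjectDeleteMarker"] = True
    if expiration:
        out["Expiration"] = expiration

    if "noncurrentVersionExpiration" in rule:
        out["NoncurrentVersionExpiration"] = {"NoncurrentDays": _positive(
            rule["noncurrentVersionExpiration"], "noncurrentVersionExpiration")}
    if "abortIncompleteMultipartUpload" in rule:
        out["AbortIncompleteMultipartUpload"] = {"DaysAfterInitiation": _positive(
            rule["abortIncompleteMultipartUpload"], "abortIncompleteMultipartUpload")}
    if rule.get("transitions"):
        out["Transitions"] = _transitions(rule["transitions"], "Days",
                                          rule.get("expiration"), out["ID"])
    if rule.get("noncurrentVersionTransitions"):
        out["NoncurrentVersionTransitions"] = _transitions(
            rule["noncurrentVersionTransitions"], "NoncurrentDays",
            rule.get("noncurrentVersionExpiration"), out["ID"])
    return out


def to_lifecycle_configuration(rules):
    """Return the {"Rules": [...]} document for a whole lifecycleRules list."""
    return {"Rules": [to_s3_rule(rule, i) for i, rule in enumerate(rules)]}


def lifecycle_errors(rules):
    """Return the validation messages for a lifecycleRules list (empty if valid)."""
    errors = []
    for i, rule in enumerate(rules):
        try:
            to_s3_rule(rule, i)
        except ValueError as exc:
            errors.append(str(exc))
    return errors
```

Run lifecycle_errors over the lifecycleRules of every bucket in the config; an empty list means the rules will be accepted as written, and each message names the rule id that S3 would otherwise reject at deploy time.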
ILoggingConfig object

Global Logging Configuration

Example

```yaml
logging:
  account: LogArchive
  centralizedLoggingRegion: us-east-1
  cloudtrail:
    enable: false
    organizationTrail: false
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
```

account string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
cloudtrail object required

Cloudtrail Configuration

Used to enable and configure CloudTrail for the LZA deployment.

Example

```yaml
cloudtrail:
  enable: true
  organizationTrail: true
  organizationTrailSettings:
    multiRegionTrail: true
    globalServiceEvents: true
    managementEvents: true
    s3DataEvents: true
    lambdaDataEvents: true
    sendToCloudWatchLogs: true
    apiErrorRateInsight: false
    apiCallRateInsight: false
  accountTrails: []
  lifecycleRules: []
```

5 nested properties
enable boolean required

Enable (Required)

Whether or not to enable CloudTrail. This setting alone does not create any trails. Enabling organizationTrail as well creates an organization-level trail; account-level trails can additionally be configured through accountTrails.

organizationTrail boolean required

Organization Trail (Required)

When enabled alongside enable, LZA creates an organization-level trail that covers every account in the organization.

Account Trails (Optional)

Configurations for account-level trails to be created by the LZA deployment.

lifecycleRules ILifecycleRule[]

S3 Log Bucket Lifecycle Rules (Optional)

Optional lifecycle rules for the S3 log bucket

organizationTrailSettings object

Cloud Trail Settings Configuration

Additional settings used to configure an organization-level trail.

Example

```yaml
multiRegionTrail: true
globalServiceEvents: true
managementEvents: true
s3DataEvents: true
lambdaDataEvents: true
sendToCloudWatchLogs: true
apiErrorRateInsight: false
apiCallRateInsight: false
```

8 nested properties
apiCallRateInsight boolean required

API Call Rate Insight (Required)

Will enable CloudTrail Insights and enable the API Call Rate Insight

apiErrorRateInsight boolean required

API Error Rate Insight (Required)

Will enable CloudTrail insights and enable the API Error Rate Insight

globalServiceEvents boolean required

Global Service Events (Required)

For global services, events are delivered to any trail that includes global services and are logged in the us-east-1 region.

lambdaDataEvents boolean required

Lambda Data Events (Required)

Adds a Lambda data event selector so the trail records Lambda data-plane operations (function invocations) in addition to management events. Data events provide insight into the operations performed on or within a resource.

Considerations

This setting is enabled by default. Data events are billed separately from management events, so leaving it enabled increases the cost of the trail.

Default: true
managementEvents boolean required

Management Events (Required)

Whether or not to log management events, or control plane operations. Management events can also include non-API events that occur in your account, such as a user logging in to the account. Enabling sets ReadWriteType.ALL.

multiRegionTrail boolean required

Multi-Region Trail (Required)

Determines whether or not this trail delivers log files from all regions to the account.

s3DataEvents boolean required

S3 Data Events (Required)

Adds an S3 data event selector so the trail records S3 object-level operations (such as GetObject and PutObject) in addition to management events. Data events provide insight into the operations performed on or within a resource.

Considerations

This setting is enabled by default. Data events are billed separately from management events and S3 object operations are typically high-volume, so leaving it enabled can significantly increase the cost of the trail.

Default: true
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether CloudTrail pushes logs to CloudWatch logs in addition to S3.

sessionManager object required

SessionManager Configuration

Example

```yaml
sessionManager:
  sendToCloudWatchLogs: true
  sendToS3: true
  excludeRegions: []
  excludeAccounts: []
  lifecycleRules: []
  attachPolicyToIamRoles:
    - EC2-Default-SSM-AD-Role
```

6 nested properties
sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether sending SessionManager logs to CloudWatch logs is enabled.

sendToS3 boolean required

Send to S3 (Required)

Determines whether sending SessionManager logs to S3 is enabled. When enabled, the accelerator will send the session manager logs to the central log bucket in the LogArchive account.

attachPolicyToIamRoles string[]

Attach Policy to IAM Roles (Optional)

A list of EC2 instance IAM role names to which the Session Manager access policy should be attached, so that instances assuming those roles can write session logs to the configured destinations.

excludeAccounts string[]

Excluded Accounts (Optional)

List of AWS Account names to be excluded from this SessionManager configuration

excludeRegions string[]

Excluded Regions (Optional)

List of AWS Region names to be excluded from this SessionManager configuration

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Defines the lifecycle rules for the S3 bucket containing the logs.

accessLogBucket object

Access Log Bucket Configuration

Configuration for the access log bucket used to store S3 server access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Deployment Targeting: Control which accounts and regions receive the configuration

Example

```yaml
accessLogBucket:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Root
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  lifecycleRules:
    - enabled: true
      id: AccessLifecycle-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  importedBucket:
    name: existing-access-log-bucket-${ACCOUNT_ID}-${REGION}
    applyAcceleratorManagedBucketPolicy: true
```

6 nested properties
customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

1 nested properties
policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

enable boolean

Enable Access Log Bucket (Optional)

Controls whether the S3 access logging bucket is created by the solution. When undefined, the solution will create access log buckets automatically.

Important Notes

  • Access log buckets are always created for critical solution buckets (installer, pipeline, central logs, assets)
  • Use deploymentTargets to control which accounts and regions receive this configuration
  • This setting primarily affects additional access log buckets beyond the core solution buckets
Default: true
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options

```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

Important Considerations

When true:

  • The accelerator REPLACES the existing bucket resource policy
  • Combines accelerator-generated policies with external policy files
  • Ensures compatibility with enabled security services
  • WARNING: removes any existing custom S3 policies on the bucket

When false (default):

  • Preserves the existing bucket resource policy
  • Only adds policies from external s3ResourcePolicyAttachments files
  • No changes if no external policy files are provided
  • Existing policies remain intact

Best Practices

  • Set to true for buckets that need full accelerator integration
  • Set to false for buckets with critical existing policies
  • Review existing policies before enabling accelerator management
  • Test policy changes in non-production environments first

Default: false
lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the access log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: AccessLifecycle-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files are added to the bucket resource policy. This property cannot be used together with customPolicyOverrides: when a custom override policy file is supplied (customPolicyOverrides.policy on this bucket), that file replaces the generated policy entirely and no attachments are applied.

Note: when S3 Block Public Access is enabled for the account, a bucket policy that would make the bucket public (for example an Allow statement for Principal "*" with no restricting condition) is rejected by S3, so the policy update fails rather than silently exposing the logs.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/access-log-policy.json
  - policy: s3-policies/cross-account-access.json
```
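Three settings on this bucket decide what its resource policy ends up being: customPolicyOverrides (replaces everything and excludes attachments), importedBucket.applyAcceleratorManagedBucketPolicy (replace versus preserve the existing policy, as described under that property above) and s3ResourcePolicyAttachments (appended in either case). The following is an added example, not the accelerator's own implementation, that resolves the final statement list under that precedence and refuses any result that would make the bucket public, which is the case the Block Public Access note above warns about. The policy files are constructed inline as dicts keyed by the paths a config would reference, and the accelerator-generated statement is a placeholder (assumption) standing in for whatever the solution emits for the enabled logging services.

```python
"""Resolve the bucket resource policy an accessLogBucket block produces.
Added example; not code from the LZA project. Policy files and the
generated statement are constructed stand-ins (assumptions)."""
import copy

# Constructed stand-in for the accelerator-generated policy (assumption)
GENERATED_STATEMENTS = [{
    "Sid": "AcceleratorLogDelivery",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-access-log-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}},
}]

# Constructed policy files, keyed by the path a config would reference
POLICY_FILES = {
    "s3-policies/cross-account-access.json": {"Statement": [{
        "Sid": "AuditReadOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/AuditReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-access-log-bucket",
                     "arn:aws:s3:::example-access-log-bucket/*"],
    }]},
    "s3-policies/public-read.json": {"Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-access-log-bucket/*",
    }]},
    "s3-policies/full-override.json": {"Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": "arn:aws:s3:::example-access-log-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]},
}


def is_public_statement(stmt):
    """True for an Allow to any principal with no Condition, which is what
    Block Public Access refuses to attach."""
    principal = stmt.get("Principal")
    anonymous = principal == "*" or principal == {"AWS": "*"}
    return stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt


def resolve_bucket_policy(bucket_config, existing_policy, policy_files=POLICY_FILES):
    """Return the policy document the bucket ends up with.

    Precedence, as the page states it:
      1. customPolicyOverrides replaces everything and cannot be combined
         with s3ResourcePolicyAttachments.
      2. applyAcceleratorManagedBucketPolicy: true replaces the existing
         policy with the generated statements, then appends attachments.
      3. Otherwise the existing policy is kept and attachments are appended.
    """
    attachments = bucket_config.get("s3ResourcePolicyAttachments", [])
    override = bucket_config.get("customPolicyOverrides", {}).get("policy")
    if override and attachments:
        raise ValueError("s3ResourcePolicyAttachments cannot be used with customPolicyOverrides")
    if override:
        statements = copy.deepcopy(policy_files[override]["Statement"])
    else:
        imported = bucket_config.get("importedBucket", {})
        if imported.get("applyAcceleratorManagedBucketPolicy"):
            statements = copy.deepcopy(GENERATED_STATEMENTS)
        else:
            statements = copy.deepcopy(existing_policy.get("Statement", []))
        for attachment in attachments:
            statements.extend(copy.deepcopy(policy_files[attachment["policy"]]["Statement"]))
    public = [s.get("Sid") for s in statements if is_public_statement(s)]
    if public:
        raise ValueError(f"policy would make the bucket public (Block Public Access): {public}")
    return {"Version": "2012-10-17", "Statement": statements}


def statement_sids(policy):
    """Statement Sids in order, for checking which statements survived."""
    return [s.get("Sid") for s in policy["Statement"]]


def check_bucket_config(bucket_config, existing_policy, policy_files=POLICY_FILES):
    """Return None if the config resolves cleanly, otherwise the error message."""
    try:
        resolve_bucket_policy(bucket_config, existing_policy, policy_files)
    except ValueError as exc:
        return str(exc)
    return None
```

The assetBucket variant of customPolicyOverrides names its file under s3Policy rather than policy; the same resolution applies with that key swapped.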

assetBucket object

Asset Bucket Configuration

Configuration for the asset bucket.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
assetBucket:
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: aws-accelerator-assets
    applyAcceleratorManagedBucketPolicy: true
```

4 nested properties
customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

2 nested properties
kmsPolicy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
s3Policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (Customer Managed Encryption)

Configuration for importing existing S3 buckets with customer-managed KMS encryption (SSE-KMS). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that uses or should use customer-managed KMS keys for encryption.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • KMS Key Management: Option to create and manage KMS keys for the bucket
  • Policy Management: Optional application of accelerator-managed policies
  • Encryption Enhancement: Upgrade existing buckets to use customer-managed keys

Usage Example

```yaml
importedBucket:
  name: existing-sensitive-data-bucket
  applyAcceleratorManagedBucketPolicy: true
  createAcceleratorManagedKey: true
```

3 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Default: false
createAcceleratorManagedKey boolean

Create Accelerator Managed KMS Key (Optional)

Controls whether the accelerator should create a new customer-managed KMS key and apply it to the imported bucket for encryption. When enabled, enhances bucket security with dedicated encryption key management.

Key Creation Process

When true:

  • Creates a new customer-managed KMS key specifically for this bucket
  • Applies accelerator-managed key policy with appropriate service permissions
  • Configures bucket to use the new key for server-side encryption
  • Integrates key permissions with enabled security and logging services

When false (default):

  • Preserves existing bucket encryption configuration
  • Uses current encryption method (S3-managed, existing KMS key, or none)
  • No new KMS key creation or encryption changes
  • Existing encryption settings remain unchanged

Important Warnings

Irreversible Change: Once the accelerator pipeline executes with this value set to true, changing it back to false will cause CloudFormation stack failures. The KMS key becomes a permanent part of the infrastructure.

Default: false
kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket encryption key policy.

Notes

  • Cannot be used when the customPolicyOverrides.kmsPolicy property has a value.
  • When importing an assets bucket with createAcceleratorManagedKey set to false, this property must be undefined.
  • The Assets Bucket allows either SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.
s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/policy1.json
  - policy: s3-policies/policy2.json
```

centralLogBucket object

Central Log Bucket Configuration

Configuration for the central log bucket used to store centralized logs from across the organization.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • KMS Policy: Apply KMS policy to the bucket encryption key
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies and encryption key policies

Example

```yaml
centralLogBucket:
  lifecycleRules:
    - enabled: true
      id: CentralLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  kmsResourcePolicyAttachments:
    - policy: kms-policies/policy1.json
  importedBucket:
    name: central-log-bucket
    applyAcceleratorManagedBucketPolicy: true
    createAcceleratorManagedKey: false
```

5 nested properties
customPolicyOverrides object

Custom S3 Resource and KMS Policy Overrides Configuration

Configuration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.

Key Features

  • Dual Policy Management: Override both S3 and KMS policies simultaneously
  • Policy File Integration: Load policies from external JSON files
  • Complete Override: Replaces accelerator-generated policies entirely
  • Coordinated Access: Ensure consistent permissions across bucket and key

Usage Example

```yaml
customPolicyOverrides:
  s3Policy: policies/custom-bucket-policy.json
  kmsPolicy: policies/custom-key-policy.json
```

2 nested properties
kmsPolicy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
s3Policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options

```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

### Important Considerations

**When `true`:**
- Accelerator **REPLACES** existing bucket resource policy
- Combines accelerator-generated policies with external policy files
- Ensures compatibility with enabled security services
- **WARNING**: Removes any existing custom S3 policies on the bucket

**When `false` (default):**
- Preserves existing bucket resource policy
- Only adds policies from external s3ResourcePolicyAttachments files
- No changes if no external policy files are provided
- Existing policies remain intact

### Best Practices

- Set to `true` for buckets that need full accelerator integration
- Set to `false` for buckets with critical existing policies
- Review existing policies before enabling accelerator management
- Test policy changes in non-production environments first

Default: false
kmsResourcePolicyAttachments IResourcePolicyStatement[]

KMS Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket encryption key policy.

Notes

  • Cannot be used when the customPolicyOverrides.kmsPolicy property has a value.
  • When importing a central logs bucket with createAcceleratorManagedKey set to false, this property must be undefined.
  • The Central Logs Bucket allows either SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.

Example

```yaml
kmsResourcePolicyAttachments:
  - policy: kms-policies/central-log-key-policy.json
```

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the central log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CentralLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/central-log-policy.json
  - policy: s3-policies/cross-account-access.json
```
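The constraints stated for the assetBucket and centralLogBucket sections (policy attachments versus customPolicyOverrides, kmsResourcePolicyAttachments versus createAcceleratorManagedKey, and the Block Public Access note) can be checked before the pipeline runs. The following is an added example and not Landing Zone Accelerator code; the configurations and the bucket policy it checks are constructed, and it assumes createAcceleratorManagedKey defaults to false when omitted, as this page states.

```python
"""Config-time checks for the assetBucket / centralLogBucket sections of global-config.yaml.

Added example, not the Landing Zone Accelerator's own code. It encodes the
constraints stated on this page: s3ResourcePolicyAttachments excludes
customPolicyOverrides.s3Policy, kmsResourcePolicyAttachments excludes
customPolicyOverrides.kmsPolicy, and an imported bucket whose
createAcceleratorManagedKey is false must not carry kmsResourcePolicyAttachments.
It also flags attached statements that would make the bucket public, which
Block Public Access rejects at deploy time.
"""
from typing import Any, Dict, List

# Constructed configurations in the shape of the YAML examples on this page
# (already parsed into dicts); illustrative only, not from a real deployment.
VALID_BUCKET: Dict[str, Any] = {
    "s3ResourcePolicyAttachments": [{"policy": "s3-policies/policy1.json"}],
    "kmsResourcePolicyAttachments": [{"policy": "kms-policies/policy1.json"}],
    "importedBucket": {
        "name": "central-log-bucket",
        "applyAcceleratorManagedBucketPolicy": True,
        "createAcceleratorManagedKey": True,
    },
}

CONFLICTING_BUCKET: Dict[str, Any] = {
    "customPolicyOverrides": {
        "s3Policy": "policies/custom-bucket-policy.json",
        "kmsPolicy": "policies/custom-key-policy.json",
    },
    "s3ResourcePolicyAttachments": [{"policy": "s3-policies/policy1.json"}],
    "kmsResourcePolicyAttachments": [{"policy": "kms-policies/policy1.json"}],
    "importedBucket": {"name": "central-log-bucket", "createAcceleratorManagedKey": False},
}

# Constructed bucket policy, as it might sit in one of the attached JSON files.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # scoped to the organization by a condition: not public
            "Sid": "OrgRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::central-log-bucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}},
        },
        {   # anonymous principal with no condition: public, rejected by Block Public Access
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::central-log-bucket/*",
        },
    ],
}


def validate_bucket_config(cfg: Dict[str, Any]) -> List[str]:
    """Return the constraint violations found in a bucket section (empty when valid)."""
    errors: List[str] = []
    overrides = cfg.get("customPolicyOverrides") or {}
    if overrides.get("s3Policy") and cfg.get("s3ResourcePolicyAttachments"):
        errors.append("s3ResourcePolicyAttachments cannot be used with customPolicyOverrides.s3Policy")
    if overrides.get("kmsPolicy") and cfg.get("kmsResourcePolicyAttachments"):
        errors.append("kmsResourcePolicyAttachments cannot be used with customPolicyOverrides.kmsPolicy")

    imported = cfg.get("importedBucket")
    if imported is not None:
        if not imported.get("name"):
            errors.append("importedBucket.name must be a non-empty string")
        # createAcceleratorManagedKey defaults to false (assumption: the default stated on this page)
        if not imported.get("createAcceleratorManagedKey", False) and "kmsResourcePolicyAttachments" in cfg:
            errors.append("kmsResourcePolicyAttachments must be undefined when createAcceleratorManagedKey is false")

    # every attachment entry needs a non-empty policy file path
    for key in ("s3ResourcePolicyAttachments", "kmsResourcePolicyAttachments"):
        for i, att in enumerate(cfg.get(key) or []):
            if not isinstance(att, dict) or not att.get("policy"):
                errors.append(f"{key}[{i}].policy must be a non-empty string")
    return errors


def public_statement_sids(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant any principal access without a Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    public: List[str] = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if anyone and not stmt.get("Condition"):
            public.append(stmt.get("Sid", f"Statement[{i}]"))
    return public


if __name__ == "__main__":
    print("valid:", validate_bucket_config(VALID_BUCKET))
    print("conflicting:", validate_bucket_config(CONFLICTING_BUCKET))
    print("public statements:", public_statement_sids(SAMPLE_POLICY))
```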

centralizedLoggingRegion string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
cloudwatchLogs object

CloudWatch Logs Configuration

Key Features

  • Configure logs encryption
  • Manage Subscriptions for CloudWatch Logs
  • Enable CloudWatch Logs replication

Example

```yaml
cloudwatchLogs:
  dynamicPartitioning: path/to/filter.json
  # default is true, if undefined this is set to true
  # if set to false, no replication is performed which is useful in test or temporary environments
  enable: true
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root
  replaceLogDestinationArn: arn:aws:logs:us-east-1:111111111111:destination:ReplaceDestination
  exclusions:
    # in these OUs do not do log replication
    - organizationalUnits:
        - Research
        - ProofOfConcept
      excludeAll: true
    # in these accounts exclude pattern testApp
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      logGroupNames:
        - testApp*
    # in these accounts exclude logs in specific regions
    - accounts:
        - WorkloadAccount1
        - WorkloadAccount1
      regions:
        - us-west-2
        - eu-west-1
      logGroupNames:
        - pattern1*
  dataProtection:
    managedDataIdentifiers:
      categories:
        - Credentials
    deploymentTargets:
      organizationalUnits:
        - Root
```

12 nested properties
dataProtection object

CloudWatch Log Data Protection Configuration

Allows the enablement of CloudWatch Logs data protection.

Example

```yaml
dataProtection:
  managedDataIdentifiers:
    categories:
      - Credentials
  deploymentTargets:
    organizationalUnits:
      - Root
```

3 nested properties
managedDataIdentifiers object required

Managed Data Protection Identifier Configuration

Allows the protection of CloudWatch Log Data. Currently, only Credentials category is supported.

deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

overrideExisting boolean

Override Existing (Optional)

Indicates whether any existing CloudWatch Log data protection configurations can be overwritten.

Default: false
dynamicPartitioning string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
dynamicPartitioningByAccountId boolean

Dynamic Partitioning by Account ID (Optional)

Whether or not the ID of the account that produced the CloudWatch Logs should be used in the partitioning strategy of the logs. For example: s3://<central-logs-bucket>/CloudWatchLogs/<account id>/.

Use With Dynamic Partitioning

If dynamicPartitioning is also being used, the Account ID will come before the supplied S3 prefix. For example, the following filter entry would result in s3://<central-logs-bucket>/CloudWatchLogs/<account id>/s3-prefix/ being used as the partition.

```json
{ "logGroupPattern": "LogGroupName", "s3Prefix": "s3-prefix" }
```

enable boolean

Enable Replication (Optional)

Whether or not to enable CloudWatch Logs replication.

Default: true
encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether or not AWS KMS CMK will be used for encryption. When set to true, AWS CMK KMS will be used. When set to false, service managed KMS will be used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

Exclusions (Optional)

Configure log groups to exclude from replication.
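The exclusion rules shown in the cloudwatchLogs example above combine OU scope, account scope, optional regions and log group name patterns. The following added example (not Landing Zone Accelerator code) evaluates such rules against a constructed inventory of log groups; it assumes that a rule without regions applies in every region and that logGroupNames entries are matched as shell-style wildcards, neither of which this page states.

```python
"""Evaluate which log groups the cloudwatchLogs.exclusions rules keep out of replication.

Added example, not the Landing Zone Accelerator's own code. Assumptions not stated
on this page: a rule without `regions` applies in every region, and logGroupNames
entries are shell-style wildcards (`testApp*`).
"""
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed exclusions block in the shape of the cloudwatchLogs example above.
EXCLUSIONS: List[Dict[str, Any]] = [
    # in these OUs do not do log replication
    {"organizationalUnits": ["Research", "ProofOfConcept"], "excludeAll": True},
    # in this account exclude every log group whose name starts with testApp
    {"accounts": ["WorkloadAccount1"], "logGroupNames": ["testApp*"]},
    # in this account exclude pattern1* only in two regions
    {"accounts": ["WorkloadAccount2"], "regions": ["us-west-2", "eu-west-1"],
     "logGroupNames": ["pattern1*"]},
]

# Constructed account-to-OU mapping (a real deployment takes this from accounts-config).
ACCOUNT_OU: Dict[str, str] = {
    "WorkloadAccount1": "Workloads",
    "WorkloadAccount2": "Workloads",
    "LabAccount": "Research",
}


def is_excluded(account: str, region: str, log_group: str,
                exclusions: List[Dict[str, Any]] = EXCLUSIONS,
                account_ou: Dict[str, str] = ACCOUNT_OU) -> bool:
    """True when at least one exclusion rule removes this log group from replication."""
    for rule in exclusions:
        in_ou = account_ou.get(account) in rule.get("organizationalUnits", [])
        in_accounts = account in rule.get("accounts", [])
        if not (in_ou or in_accounts):
            continue  # rule does not target this account at all
        regions = rule.get("regions")
        if regions and region not in regions:
            continue  # assumption: no regions listed means the rule applies everywhere
        if rule.get("excludeAll"):
            return True
        if any(fnmatch.fnmatchcase(log_group, pat) for pat in rule.get("logGroupNames", [])):
            return True
    return False


def replicated(log_groups: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (account, region, log group) tuples down to those that will be replicated."""
    return [lg for lg in log_groups if not is_excluded(*lg)]


# Constructed inventory of log groups discovered across accounts.
INVENTORY: List[Tuple[str, str, str]] = [
    ("LabAccount", "us-east-1", "/aws/lambda/experiment"),
    ("WorkloadAccount1", "us-east-1", "testApp-api"),
    ("WorkloadAccount1", "us-east-1", "prod-api"),
    ("WorkloadAccount2", "us-west-2", "pattern1-batch"),
    ("WorkloadAccount2", "us-east-1", "pattern1-batch"),
]

if __name__ == "__main__":
    for entry in replicated(INVENTORY):
        print("replicate:", *entry)
```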

firehose object

CloudWatch Firehose Configuration

Configuration for the CloudWatch Logs Firehose.

Example

```yaml
logging:
  cloudwatchLogs:
    firehose:
      fileExtension: json.gz
      lambdaProcessor:
        retries: 3
        bufferSize: 0.2
        bufferInterval: 60
```

2 nested properties
fileExtension string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
lambdaProcessor object

CloudWatch Firehose Lambda Configuration

Enables the configuration of the lambda processor used to process incoming logs to the LogArchive account.

kinesis object

CloudWatch Kinesis Configuration

Configuration for CloudWatch Log's Kinesis.

Key Features

  • Real-time Processing: Stream CloudWatch Logs data in real-time for immediate analysis
  • Scalable Throughput: Configure capacity based on your data volume requirements
  • Flexible Retention: Store data for 24 hours to 365 days for replay and reprocessing
  • Cost Optimization: Choose between on-demand and provisioned capacity modes
  • Integration Ready: Seamlessly integrates with AWS analytics and processing services

Example

```yaml
logging:
  cloudwatchLogs:
    kinesis:
      streamingMode: PROVISIONED
      shardCount: 5
      retention: 240
```

3 nested properties
streamingMode string required
Values: "ON_DEMAND" "PROVISIONED"
retention number

Retention (Optional)

The number of hours the data records are stored in shards and remain accessible.

The value must be between 24 and 8760.

Default: 24
shardCount number

Shard Count (Optional)

The number of shards the stream uses. For greater throughput, increase the number of shards. Only applicable if streamingMode is PROVISIONED; otherwise this is ignored. Shards cannot be increased to more than double their current count in one update. For example, you cannot go from 1 shard to 4.

Default: 1
organizationIdConditionSupported boolean

Organization ID Condition (Optional)

Whether or not a list of account IDs is used instead of a principal organization condition in the CloudWatch Logs destination access policy. Useful in partitions where the principal organization condition is not supported.

replaceLogDestinationArn string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
skipBulkUpdate object

Skip Bulk Update Configuration

Configuration to skip the bulk update of CloudWatch Logs. Warning: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable this option if you fully understand the implications.

2 nested properties
enable boolean required

Enable (Required)

Whether or not to skip the bulk update of CloudWatch Logs.

skipBulkUpdateTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

subscription object

CloudWatch Subscription Configuration

Configuration for the CloudWatch logs subscription

Example

```yaml
logging:
  cloudwatchLogs:
    subscription:
      type: ACCOUNT
      selectionCriteria: 'LogGroupName NOT IN [ /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor development AppA]'
      overrideExisting: true
```

4 nested properties
type string required

Type (Required)

Determines whether an account-wide subscription is applied, or if a Lambda function will be invoked to apply each log group.

Example

```yaml
type: ACCOUNT
```

Values: "ACCOUNT" "LOG_GROUP"
filterPattern string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
overrideExisting boolean

Override Existing (Optional)

Indicates whether the existing CloudWatch Log subscription configuration can be overwritten. If enabled, any existing policy will be updated and renamed to 'ACCELERATOR_ACCOUNT_SUBSCRIPTION_POLICY'. Upon deleting the solution or disabling logging for cloudwatch in global config, this policy will be removed. If type is set to 'LOG_GROUP' this parameter will not be used.

Default: false
selectionCriteria string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
elbLogBucket object

ELB Log Bucket Configuration

Configuration for the ELB log bucket used to store Elastic Load Balancer access logs.

Key Features

  • Resource Policies: Attach resource policies to the bucket
  • Lifecycle Management: Configure lifecycle rules for log retention and cost optimization
  • Imported Bucket: Import existing bucket and apply resource policies
  • Regional Deployment: Deploy buckets in each operating region

Example

```yaml
elbLogBucket:
  lifecycleRules:
    - enabled: true
      id: ElbLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
  s3ResourcePolicyAttachments:
    - policy: s3-policies/policy1.json
  importedBucket:
    name: elb-logs-bucket
    applyAcceleratorManagedBucketPolicy: true
```

4 nested properties
customPolicyOverrides object

Custom S3 Resource Policy Overrides Configuration

Configuration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.

Usage Example

```yaml
customPolicyOverrides:
  policy: path/to/custom-bucket-policy.json
```

1 nested properties
policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
importedBucket object

Imported S3 Bucket Configuration (S3 Managed Encryption)

Configuration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.

Key Features

  • Existing Bucket Integration: Import buckets created outside the accelerator
  • Policy Management: Optional application of accelerator-managed policies
  • S3-Managed Encryption: Designed for buckets using SSE-S3 encryption
  • Service Integration: Automatic policy generation for enabled security services

Usage Example

```yaml
importedBucket:
  name: existing-logs-bucket
  applyAcceleratorManagedBucketPolicy: true
```

2 nested properties
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
applyAcceleratorManagedBucketPolicy boolean

Apply Accelerator Managed Bucket Policy (Optional)

Controls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.

Policy Generation

The accelerator automatically generates bucket policies based on:

  • Security Services: Macie, GuardDuty, Security Hub access requirements
  • Logging Services: CloudTrail, VPC Flow Logs, Config access needs
  • Cross-Account Access: Organization-wide service access patterns
  • External Policies: Additional policies from s3ResourcePolicyAttachments

Behavior Options

```yaml
# Preserve existing policies (use for buckets with custom policies)
applyAcceleratorManagedBucketPolicy: false
```

### Important Considerations

**When `true`:**
- Accelerator **REPLACES** existing bucket resource policy
- Combines accelerator-generated policies with external policy files
- Ensures compatibility with enabled security services
- **WARNING**: Removes any existing custom S3 policies on the bucket

**When `false` (default):**
- Preserves existing bucket resource policy
- Only adds policies from external s3ResourcePolicyAttachments files
- No changes if no external policy files are provided
- Existing policies remain intact

### Best Practices

- Set to `true` for buckets that need full accelerator integration
- Set to `false` for buckets with critical existing policies
- Review existing policies before enabling accelerator management
- Test policy changes in non-production environments first

Default: false
lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configure lifecycle rules for the ELB log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.

Example

```yaml
lifecycleRules:
  - enabled: true
    id: ElbLifecycleRule-01
    expiration: 365
    transitions:
      - storageClass: GLACIER
        transitionAfter: 30
```

s3ResourcePolicyAttachments IResourcePolicyStatement[]

S3 Resource Policy Attachments (Optional)

Policy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.

Note: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.

Example

```yaml
s3ResourcePolicyAttachments:
  - policy: s3-policies/elb-log-policy.json
  - policy: s3-policies/cross-account-access.json
```

INotificationConfig object

Notification Configuration

Used to configure notifications for budget reports

Key Features

  • Recipients: Configure multiple recipients for the notification
  • Threshold: Define the threshold to trigger the notification
  • Subscription Type: Choose the subscription type (e.g., email, SNS) for delivery

Example

```yaml
notifications:
  - type: ACTUAL
    thresholdType: PERCENTAGE
    threshold: 90
    comparisonOperator: GREATER_THAN
    subscriptionType: EMAIL
    recipients:
      - [email protected]
      - [email protected]
```

comparisonOperator ComparisonOperator | string required

Comparison Operator (Required)

The comparison that's used for this notification.

Valid values are GREATER_THAN, LESS_THAN, and EQUAL_TO

subscriptionType SubscriptionType | string required

Subscription Type (Required)

The type of notification that AWS will send to the subscribers. Must either be SNS or EMAIL

thresholdType ThresholdType | string required

Threshold Type (Required)

The type of threshold for a notification.

Types

  • ABSOLUTE_VALUE: AWS sends the notification when you go over, or are forecasted to go over, the total cost of the threshold.
  • PERCENTAGE: AWS sends the notification when you go over, or are forecasted to go over, a certain percentage of your forecasted spend.
type NotificationType | string required

Notification Type (Required)

Determines whether the notification should be sent based on actual or forecasted usage.

Values must either be ACTUAL or FORECASTED

address string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
recipients NonEmptyString[]

Recipients (Optional)

A list of recipients that the notification will be sent to. Must be either an SNS topic or an email.

threshold number

Threshold (Optional)

The value that, when usage exceeds, will trigger the notification.

IReportConfig object

Reports Configuration

Used to configure reports for the LZA deployment.

Key Features

  • Configure cost and usage reports
  • Configure budget reports

Example

```yaml
costAndUsageReport:
  compression: Parquet
  format: Parquet
  reportName: accelerator-cur
  s3Prefix: cur
  timeUnit: DAILY
  refreshClosedReports: true
  reportVersioning: CREATE_NEW_REPORT
  lifecycleRules:
    storageClass: DEEP_ARCHIVE
    enabled: true
    multiPart: 1
    expiration: 1825
    deleteMarker: false
    nonCurrentExpiration: 366
    transitionAfter: 365
budgets:
  - name: accel-budget
    timeUnit: MONTHLY
    type: COST
    amount: 2000
    includeUpfront: true
    includeTax: true
    includeSupport: true
    includeSubscription: true
    includeRecurring: true
    includeOtherSubscription: true
    includeDiscount: true
    includeCredit: false
    includeRefund: false
    useBlended: false
    useAmortized: false
    unit: USD
    notifications:
      - type: ACTUAL
        thresholdType: PERCENTAGE
        threshold: 90
        comparisonOperator: GREATER_THAN
        subscriptionType: EMAIL
        address: [email protected]
```

Budget Reports (Optional)

Configuration for budget reports.

Example

```yaml
budgets:
  - name: accel-budget
    timeUnit: MONTHLY
    type: COST
    amount: 2000
    includeUpfront: true
    includeTax: true
    includeSupport: true
    includeSubscription: true
    includeRecurring: true
    includeOtherSubscription: true
    includeDiscount: true
    includeCredit: false
    includeRefund: false
    useBlended: false
    useAmortized: false
    unit: USD
    notifications:
      - type: ACTUAL
        thresholdType: PERCENTAGE
        threshold: 90
        comparisonOperator: GREATER_THAN
        subscriptionType: EMAIL
        address: [email protected]
```

costAndUsageReport object

Cost and Usage Report Configuration

Configuration for AWS Cost and Usage Reports (CUR) that provides comprehensive cost and usage data for your AWS account. These reports are delivered to an S3 bucket and can be used for detailed cost analysis and billing insights.

Key Features

  • Flexible Reporting: Configure time granularity from hourly to monthly
  • Multiple Formats: Support for CSV, text, and Parquet formats with various compression options
  • Data Integration: Generate manifests for integration with Amazon Redshift, QuickSight, and Athena
  • Lifecycle Management: Configure S3 lifecycle rules for cost optimization
  • Version Control: Choose between creating new reports or overwriting existing ones

Usage Example

```yaml
costAndUsageReport:
  compression: Parquet
  format: Parquet
  reportName: accelerator-cur
  s3Prefix: cur
  timeUnit: DAILY
  refreshClosedReports: true
  reportVersioning: CREATE_NEW_REPORT
  lifecycleRules:
    - enabled: true
      id: CostAndUsageBucketLifecycleRule-01
      abortIncompleteMultipartUpload: 14
      expiration: 3563
      expiredObjectDeleteMarker: false
      noncurrentVersionExpiration: 3653
      noncurrentVersionTransitions:
        - storageClass: GLACIER
          transitionAfter: 365
      transitions:
        - storageClass: GLACIER
          transitionAfter: 365
      prefix: PREFIX
```

10 nested properties
compression string required

Compression Format (Required)

The compression format that AWS uses for the report files.

Example

```yaml
compression: Parquet
```

format string required

Report Format (Required)

The format that AWS saves the report in.

Example

```yaml
format: Parquet
```

refreshClosedReports boolean required

Refresh Closed Reports (Required)

Whether AWS should update your reports after they have been finalized if AWS detects charges related to previous months. These charges can include refunds, credits, or support fees.

When to Enable

  • Enable if you need the most accurate historical data
  • Enable if you frequently receive refunds or credits
  • Enable for compliance and auditing requirements

When to Disable

  • Disable if you prefer immutable historical reports
  • Disable to reduce processing overhead

Example

```yaml
refreshClosedReports: true
```

reportName string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
reportVersioning string required

Report Versioning (Required)

Whether AWS should overwrite the previous version of each report or deliver the report in addition to the previous versions.

Available Options

  • CREATE_NEW_REPORT: Creates a new report file for each delivery (recommended)
  • OVERWRITE_REPORT: Overwrites the previous report file

Considerations

  • CREATE_NEW_REPORT provides better audit trail and version history
  • OVERWRITE_REPORT uses less storage but loses historical versions

Example

```yaml
reportVersioning: CREATE_NEW_REPORT
```

s3Prefix string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
timeUnit string required

Time Unit (Required)

The granularity of the line items in the report. This determines how frequently the report data is aggregated.

Available Options

  • HOURLY: Hourly granularity (most detailed, higher costs)
  • DAILY: Daily granularity (recommended for most use cases)
  • MONTHLY: Monthly granularity (least detailed, lower costs)

Cost Considerations

  • Hourly reports are more expensive but provide the most detail
  • Daily reports offer a good balance of detail and cost
  • Monthly reports are the most cost-effective but least granular

Example

```yaml
timeUnit: DAILY
```

additionalArtifacts string[]

Additional Artifacts (Optional)

A list of manifests that AWS creates for this report to enable integration with other AWS analytics services.

Available Artifacts

  • REDSHIFT: Creates manifest files for Amazon Redshift integration
  • QUICKSIGHT: Creates manifest files for Amazon QuickSight integration
  • ATHENA: Creates manifest files for Amazon Athena integration

Example

```yaml
additionalArtifacts:
  - ATHENA
  - QUICKSIGHT
```

additionalSchemaElements NonEmptyString[]

Additional Schema Elements (Optional)

Additional content that AWS includes in the report, such as individual resource IDs. These elements provide more granular data for detailed cost analysis.

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Configuration for S3 bucket lifecycle rules to manage the cost and storage of your Cost and Usage Reports over time.

Key Benefits

  • Automatically transition older reports to cheaper storage classes
  • Set expiration policies to delete old reports
  • Optimize storage costs for long-term report retention

Example

```yaml
lifecycleRules:
  - enabled: true
    id: CostAndUsageBucketLifecycleRule-01
    expiration: 2555 # 7 years
    transitions:
      - storageClass: STANDARD_IA
        transitionAfter: 30
      - storageClass: GLACIER
        transitionAfter: 365
      - storageClass: DEEP_ARCHIVE
        transitionAfter: 1095 # 3 years
```

IResourcePolicyStatement object

Resource Policy Statement Configuration

Defines a custom resource policy statement that can be applied to AWS resources. Used for providing additional or override policy statements beyond the default accelerator-generated policies.

Usage Context

  • Custom Access Patterns: Define specific access requirements
  • Policy Attachments: Add policies to existing resources
  • Compliance Requirements: Meet specific regulatory or security needs
  • Service Integration: Enable access for additional AWS services
policy string required

Policy Document (Required)

Path to a JSON file containing a valid AWS IAM policy document, or the policy document content as a JSON string.

IRootUserManagementCapabiltiesConfig object

Root User Management Capabilities Configuration

Determines how root user management is controlled within the organization.

allowRootSessions boolean required

Allow Root Sessions (Required)

Determines whether root user sessions are allowed.

rootCredentialsManagement boolean required

Root Credentials Management (Required)

Determines whether root user credentials are managed by the organization.

IS3EncryptionConfig object

S3 Encryption Configuration

Configure encryption settings for S3 buckets deployed by the Landing Zone Accelerator. This configuration allows you to control whether AWS KMS Customer Managed Keys (CMKs) are used for S3 server-side encryption across your organization.

Key Features

  • Flexible Encryption: Choose between AWS KMS CMK or default S3 encryption
  • Targeted Deployment: Apply encryption settings to specific organizational units or accounts
  • Compliance Support: Helps meet regulatory requirements for data encryption at rest

Important Considerations

  • Always Encrypted Buckets: The following buckets always use CMK regardless of this setting:
    - LZA Installer bucket
    - CodePipeline artifact bucket
    - Solution-deployed CentralLogs bucket

Example

```yaml
encryption:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Security
      - Production
    excludedAccounts:
      - Development
```

createCMK boolean required

Create CMK (Required)

When enabled, the solution will create and use an AWS KMS CMK for S3 server-side encryption. The following buckets always use a CMK regardless of this setting:

  • Installer bucket
  • Pipeline bucket
  • Solution-deployed CentralLogs bucket
Default: true
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
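The targeting and precedence rules above (exclusions win over OU and account inclusions, excluded regions drop out of the enabled set), worked through in Python as an added example that is not part of this schema page or the LZA project. The organization map, the stand-in for the global config's enabledRegions list, and treating the Root OU as "every account" are constructed assumptions.

```python
"""Resolve an LZA-style deploymentTargets block to concrete (account, region) pairs.

Added example, not Landing Zone Accelerator code. It models the precedence the
schema states: excludedAccounts wins over organizationalUnits and accounts, and
excludedRegions removes regions from the enabled set.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample organization: OU name -> account names (not real accounts).
ORG: Dict[str, List[str]] = {
    "Security": ["Audit", "LogArchive"],
    "Production": ["Prod-App"],
    "Development": ["Dev-App"],
}
# Constructed: accounts that sit directly under the organization root.
ROOT_ACCOUNTS: List[str] = ["Management"]
# Constructed stand-in for the global config's enabledRegions list.
ENABLED_REGIONS: List[str] = ["us-east-1", "us-west-1", "us-west-2"]


def all_accounts(org: Dict[str, List[str]] = ORG) -> Set[str]:
    """Every account name known to the sample organization."""
    found: Set[str] = set(ROOT_ACCOUNTS)
    for members in org.values():
        found.update(members)
    return found


def accounts_in_ou(ou: str, org: Dict[str, List[str]] = ORG) -> Set[str]:
    """Assumption for this example: naming the Root OU selects every account."""
    if ou == "Root":
        return all_accounts(org)
    if ou not in org:
        raise ValueError(f"unknown organizational unit: {ou}")
    return set(org[ou])


def resolve_targets(
    dt: dict,
    enabled_regions: List[str] = ENABLED_REGIONS,
    org: Dict[str, List[str]] = ORG,
) -> Set[Tuple[str, str]]:
    """Expand inclusions first, then apply exclusions, which take precedence."""
    accounts: Set[str] = set(dt.get("accounts", []))
    for ou in dt.get("organizationalUnits", []):
        accounts |= accounts_in_ou(ou, org)
    accounts -= set(dt.get("excludedAccounts", []))
    excluded_regions = set(dt.get("excludedRegions", []))
    regions = [r for r in enabled_regions if r not in excluded_regions]
    return {(acct, region) for acct in accounts for region in regions}


def check_targets(
    dt: dict,
    enabled_regions: List[str] = ENABLED_REGIONS,
    org: Dict[str, List[str]] = ORG,
) -> List[str]:
    """Pre-deploy findings: unknown names, regions outside enabledRegions, empty result."""
    findings: List[str] = []
    known = all_accounts(org)
    for ou in dt.get("organizationalUnits", []):
        if ou != "Root" and ou not in org:
            findings.append(f"unknown organizationalUnit '{ou}'")
    for acct in dt.get("accounts", []) + dt.get("excludedAccounts", []):
        if acct not in known:
            findings.append(f"unknown account '{acct}'")
    for region in dt.get("excludedRegions", []):
        if region not in enabled_regions:
            findings.append(f"excludedRegion '{region}' is not in enabledRegions")
    # Only resolve once the names are known, so a typo does not raise mid-check.
    if not findings and not resolve_targets(dt, enabled_regions, org):
        findings.append("deploymentTargets resolves to no (account, region) pairs")
    return findings


if __name__ == "__main__":
    # The schema's own example: two OUs, one excluded account, one excluded region.
    example = {
        "organizationalUnits": ["Production", "Development"],
        "excludedAccounts": ["Management"],
        "excludedRegions": ["us-west-1"],
    }
    for pair in sorted(resolve_targets(example)):
        print(pair)
    # Exclusion wins even when the same account is listed under accounts.
    print(check_targets({"accounts": ["Prod-App"], "excludedAccounts": ["Prod-App"]}))
```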

IS3GlobalConfig object

S3 Global Configuration

Manage S3 settings for accounts managed by the LZA deployment. Configure the encryption settings for S3 buckets used throughout the deployment.

Example

```yaml
s3:
  encryption:
    createCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root
```

encryption object

S3 Encryption Configuration

Configure encryption settings for S3 buckets deployed by the Landing Zone Accelerator. This configuration allows you to control whether AWS KMS Customer Managed Keys (CMKs) are used for S3 server-side encryption across your organization.

Key Features

  • Flexible Encryption: Choose between AWS KMS CMK or default S3 encryption
  • Targeted Deployment: Apply encryption settings to specific organizational units or accounts
  • Compliance Support: Helps meet regulatory requirements for data encryption at rest

Important Considerations

  • Always Encrypted Buckets: The following buckets always use CMK regardless of this setting:
    - LZA Installer bucket
    - CodePipeline artifact bucket
    - Solution-deployed CentralLogs bucket

Example

```yaml
encryption:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Security
      - Production
    excludedAccounts:
      - Development
```

2 nested properties
createCMK boolean required

Create CMK (Required)

When enabled, the solution will create and use an AWS KMS CMK for S3 server-side encryption. The following buckets always use a CMK regardless of this setting:

  • Installer bucket
  • Pipeline bucket
  • Solution-deployed CentralLogs bucket
Default: true
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

IServiceEncryptionConfig object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

useCMK boolean required

Use CMK (Required)

Determines whether or not an AWS KMS CMK will be used for encryption. When set to true, an AWS KMS CMK will be used. When set to false, a service-managed KMS key will be used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

IServiceQuotaLimitsConfig object

AWS Service Quotas Configuration

Used to request increases to AWS service quotas (formerly known as service limits). Service quotas are the maximum number of service resources or operations for your AWS account. Service quota increases are requested asynchronously and may take time to be approved. Some quotas require AWS Support cases and cannot be increased automatically. You can find service codes and quota codes in the AWS Service Quotas console.

Example

```yaml
# Increase Lambda concurrent executions
- serviceCode: lambda
  quotaCode: L-B99A9384
  desiredValue: 1000
  deploymentTargets:
    organizationalUnits:
      - Root
  regions:
    - us-west-2

# Increase IAM roles per account (global quota - no regions needed)
- serviceCode: iam
  quotaCode: L-4019AD8B
  desiredValue: 15
  deploymentTargets:
    accounts:
      - SharedServices

# Increase VPCs per region
- serviceCode: vpc
  quotaCode: L-F678F1CE
  desiredValue: 20
  deploymentTargets:
    organizationalUnits:
      - Security
      - Infrastructure
  regions:
    - us-east-1
    - us-west-2

# Increase Route 53 Resolver rules per region
- serviceCode: route53resolver
  quotaCode: L-4A669CC0
  desiredValue: 10
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
```
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

desiredValue number required

Desired Value (Required)

The new limit you want to request. The value must be higher than the current quota value. Some quotas have maximum values that cannot be exceeded.

quotaCode string required

Quota Code (Required)

Indicates the specific quota we are requesting a change for within the given service. You can find the quota codes in the console or using the AWS CLI command: aws service-quotas list-service-quotas --service-code <service-code>.

Example quota codes (verify current codes in AWS console):

  • L-B99A9384 (Lambda concurrent executions)
  • L-4019AD8B (IAM roles per account)
  • L-F678F1CE (VPCs per region)
  • L-4A669CC0 (Route 53 Resolver rules per region)
serviceCode string required

Service Code (Required)

Indicates which service's quota we are requesting a change for. You can find service codes in the console or by using the AWS CLI command: aws service-quotas list-services.

Example service codes (verify current codes in AWS console):

  • lambda (AWS Lambda)
  • iam (AWS Identity and Access Management)
  • vpc (Amazon Virtual Private Cloud)
  • route53resolver (Amazon Route 53 Resolver)
regions string[]

Regions (Optional)

Regions where this service quota increase will be requested. If undefined, the increase will only be requested in the home region. Specified regions must also be listed in the enabledRegions section. Some quotas are global (like IAM) and don't require region specification.

ISessionManagerConfig object

SessionManager Configuration

Example

```yaml
sessionManager:
  sendToCloudWatchLogs: true
  sendToS3: true
  excludeRegions: []
  excludeAccounts: []
  lifecycleRules: []
  attachPolicyToIamRoles:
    - EC2-Default-SSM-AD-Role
```

sendToCloudWatchLogs boolean required

Send to CloudWatch Logs (Required)

Determines whether sending SessionManager logs to CloudWatch Logs is enabled.

sendToS3 boolean required

Send to S3 (Required)

Determines whether sending SessionManager logs to S3 is enabled. When enabled, the accelerator will send the session manager logs to the central log bucket in the LogArchive account.

attachPolicyToIamRoles string[]

Attach Policy to IAM Roles (Optional)

A list of IAM EC2 instance roles that the Session Manager access policy should be attached to.

excludeAccounts string[]

Excluded Accounts (Optional)

List of AWS account names to be excluded from this SessionManager configuration.

excludeRegions string[]

Excluded Regions (Optional)

List of AWS Region names to be excluded from this SessionManager configuration.

lifecycleRules ILifecycleRule[]

S3 Lifecycle Rules (Optional)

Defines the lifecycle rules for the S3 bucket containing the logs.

ISnsConfig object

SNS Configuration

Used to set up and configure SNS topics within the LZA environment.

Example

```yaml
snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - [email protected]
```

deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

topics ISnsTopicConfig[] required

SNS Topic Configuration (Required)

List of SNS Topics to be created by the solution.

ISnsTopicConfig object

SNS Topic Configuration

Individual SNS topic configuration for notifications and alerts within the Landing Zone Accelerator. Topics are used to distribute notifications from CloudWatch Alarms, Security Hub findings, and other AWS services to designated email recipients.

Example


```yaml
# Operations alerts topic
- name: Operations
  emailAddresses:
    - [email protected]
    - [email protected]

# Executive notifications
- name: Executive
  emailAddresses:
    - [email protected]
    - [email protected]
```
emailAddresses EmailAddress[] required

Email Addresses (Required)

List of email addresses that will receive notifications from this SNS topic. Each email address will receive a subscription confirmation email that must be confirmed before notifications can be delivered.

Subscription Management

  • Subscriptions are created automatically during deployment
  • Each email address receives a confirmation email from AWS
  • Unconfirmed subscriptions appear as "PendingConfirmation" in the AWS console
  • Confirmed subscriptions will receive all topic notifications
name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
ISqsConfig object

SQS Configuration

Configure SQS encryption for the solution.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

encryption object

Encryption Configuration

Enable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.

Example

```yaml
encryption:
  useCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root
```

2 nested properties
useCMK boolean required

Use CMK (Required)

Determines whether or not an AWS KMS CMK will be used for encryption. When set to true, an AWS KMS CMK will be used. When set to false, a service-managed KMS key will be used.

Default: false
deploymentTargets object

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

ISsmInventoryConfig object

SSM Inventory Configuration

Enable SSM Inventory within the deployment.

Example

```yaml
ssmInventoryConfig:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
```

deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

enable boolean required

Enable (Required)

Whether or not to enable SSM Inventory.

ISsmParameterConfig object

SSM Parameter Configuration

The definition of an SSM parameter.

Example

```yaml
ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: WorkloadsSsmParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'
```

name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
path string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
value string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
ISsmParametersConfig object

SSM Parameters Configuration

Enables the creation of standard SSM parameters throughout managed accounts.

Example

```yaml
ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: MyWorkloadParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'
```

deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

parameters ISsmParameterConfig[] required

Parameters (Required)

A list of parameters to be created.

IStackPolicyConfig object

CloudFormation Stack Policy Configuration

The CloudFormation Stack Policy configuration determines how stack resources can be updated or modified during stack operations. When this value is not specified, any existing stack policies will remain in effect and unchanged. The behavior intentionally differs from typical LZA behavior, which assumes false, enabling organizations to manage and maintain stack policies independently through other mechanisms outside of LZA if preferred.

Example

```yaml
stackPolicy:
  enable: true
  protectedTypes:
    - "AWS::EC2::InternetGateway"
    - "AWS::EC2::NatGateway"
    - "AWS::EC2::PrefixList"
    - "AWS::EC2::Route"
    - "AWS::EC2::RouteTable"
    - "AWS::EC2::SubnetRouteTableAssociation"
    - "AWS::EC2::TransitGateway"
    - "AWS::EC2::TransitGatewayPeeringAttachment"
    - "AWS::EC2::TransitGatewayRoute"
    - "AWS::EC2::TransitGatewayRouteTable"
    - "AWS::EC2::TransitGatewayRouteTableAssociation"
    - "AWS::EC2::TransitGatewayRouteTablePropagation"
    - "AWS::EC2::TransitGatewayVpcAttachment"
    - "AWS::EC2::VPC"
    - "AWS::EC2::VPCCidrBlock"
    - "AWS::EC2::VPCEndpoint"
    - "AWS::EC2::VPCGatewayAttachment"
    - "AWS::NetworkFirewall::Firewall"
    - "AWS::NetworkFirewall::LoggingConfiguration"
    - "AWS::RAM::ResourceShare"
```

enable boolean required

Enable (Required)

Indicates whether stack policies are enabled for the organization. When enabled, specified resource types will be protected for Update:Replace and Update:Delete operations.

protectedTypes string[] required

Protected Types (Required)

A list of CloudFormation resource types that should be protected for Update:Replace and Update:Delete operations.

Example

```yaml
protectedTypes:
  - "AWS::EC2::InternetGateway"
  - "AWS::EC2::NatGateway"
```
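To make the protection semantics concrete, here is an added Python example (not LZA's code, and the document it emits need not match what the accelerator generates) that derives a CloudFormation stack policy from a stackPolicy block and evaluates it: listed types are denied Update:Replace and Update:Delete, everything else keeps Update:*. Treating enable: false like an absent block is an assumption, as the page only specifies the enabled case.

```python
"""Derive a CloudFormation stack policy from an LZA stackPolicy block and evaluate it.

Added illustration of the semantics the schema describes; not accelerator code.
It uses the CloudFormation stack policy grammar (Effect, Action, Principal,
Resource, and a StringEquals condition on ResourceType).
"""
import json
import re
from typing import Any, Dict, Optional

PROTECTED_ACTIONS = ["Update:Replace", "Update:Delete"]
# CloudFormation resource type names look like Vendor::Service::Resource.
TYPE_PATTERN = re.compile(r"^[A-Za-z0-9]+::[A-Za-z0-9]+::[A-Za-z0-9]+$")


def build_stack_policy(stack_policy: Optional[dict]) -> Optional[Dict[str, Any]]:
    """Return a policy document, or None when existing stack policies are left alone.

    Per the schema, an absent stackPolicy block leaves existing policies in effect.
    Assumption for this example: enable: false is treated the same way.
    """
    if not stack_policy or not stack_policy.get("enable", False):
        return None
    types = sorted(set(stack_policy.get("protectedTypes", [])))
    bad = [t for t in types if not TYPE_PATTERN.match(t)]
    if bad:
        raise ValueError(f"malformed resource type(s): {bad}")
    if not types:
        raise ValueError("stackPolicy.enable is true but protectedTypes is empty")
    return {
        "Statement": [
            # Once a stack policy is set, resources are denied by default,
            # so normal updates must be allowed explicitly.
            {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Principal": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"ResourceType": types}},
            },
        ]
    }


def _action_matches(statement_action: Any, action: str) -> bool:
    actions = [statement_action] if isinstance(statement_action, str) else list(statement_action)
    return any(a == action or a == "Update:*" for a in actions)


def _condition_matches(statement: dict, resource_type: str) -> bool:
    cond = statement.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    if cond is None:
        return True  # unconditional statement
    allowed = [cond] if isinstance(cond, str) else list(cond)
    return resource_type in allowed


def is_update_denied(policy: Dict[str, Any], resource_type: str, action: str) -> bool:
    """Evaluate like CloudFormation: an explicit Deny wins, and no matching Allow means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt, resource_type):
            continue
        if stmt["Effect"] == "Deny":
            return True
        allowed = True
    return not allowed


if __name__ == "__main__":
    # Constructed config using a subset of the schema example's protected types.
    cfg = {"enable": True, "protectedTypes": ["AWS::EC2::VPC", "AWS::EC2::NatGateway"]}
    policy = build_stack_policy(cfg)
    print(json.dumps(policy, indent=2))
    checks = [
        ("AWS::EC2::VPC", "Update:Delete"),      # protected type, protected action -> denied
        ("AWS::EC2::VPC", "Update:Modify"),      # protected type, in-place change -> allowed
        ("AWS::S3::Bucket", "Update:Replace"),   # unlisted type -> allowed
    ]
    for rtype, act in checks:
        verdict = "denied" if is_update_denied(policy, rtype, act) else "allowed"
        print(f"{rtype} {act}: {verdict}")
```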

ITag object

AWS Resource Tag Configuration

Defines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.

Key Features

  • Resource Organization: Group and categorize resources logically
  • Cost Allocation: Track costs by project, department, or environment
  • Access Control: Use tags in IAM policies for conditional access
  • Automation: Trigger automated actions based on tag values
  • Compliance: Meet organizational and regulatory tagging requirements

Example

```yaml
tags:
  - key: Environment
    value: Production
  - key: Project
    value: WebApplication
  - key: Owner
    value: Platform-Team
  - key: CostCenter
    value: Engineering
  - key: Backup
    value: Daily
```

key string required

Tag Key (Required)

The tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.

value string required

Tag Value (Required)

The tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.

ITransition object

S3 Storage Class Transition Configuration

Defines when and how objects should transition from their current storage class to a different storage class. Used in S3 lifecycle rules to optimize storage costs based on data access patterns and retention requirements.

Key Components

  • Storage Class: Target storage class for the transition
  • Transition Timing: Number of days after object creation or version change

Example

```yaml
transitions:
  - storageClass: STANDARD_IA
    transitionAfter: 30
  - storageClass: GLACIER
    transitionAfter: 365
  - storageClass: DEEP_ARCHIVE
    transitionAfter: 2555
```

storageClass string required

S3 Storage Class Type

Defines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.

Values

  • DEEP_ARCHIVE
  • GLACIER
  • GLACIER_IR
  • STANDARD_IA
  • INTELLIGENT_TIERING
  • ONEZONE_IA
transitionAfter number required

Transition After (Days) (Required)

Number of days after object creation (for current versions) or after becoming non-current (for non-current versions) when the transition should occur.

IVaultConfig object

Vault Configuration

Enables the configuration of Backup Vaults' names, policies, and deployment targets.

Example

```yaml
- name: BackupVault
  deploymentTargets:
    organizationalUnits:
      - Root
  policy: policies/backup-vault-policy.json
```
deploymentTargets object required

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

  • Account-level targeting: Deploy to specific AWS accounts
  • OU-level targeting: Deploy to all accounts within organizational units
  • Regional exclusions: Skip specific AWS regions for compliance or cost optimization
  • Account exclusions: Exclude specific accounts from broader deployments

Example

```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```

4 nested properties
accounts string[]

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

excludedAccounts string[]

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

excludedRegions string[]

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

organizationalUnits string[]

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
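To make the targeting rules above concrete, here is an added example (not code from the Landing Zone Accelerator project) that expands a deploymentTargets block into the set of account/region pairs it covers, applying the rule that excludedAccounts overrides every inclusion. The ORG map and ENABLED_REGIONS are constructed for illustration and assume flat, non-nested OUs; a real deployment takes OU membership from AWS Organizations.

```python
from itertools import product

# Constructed organization layout (assumption: flat OUs, no nesting).
ORG = {
    "Root": ["Management", "LogArchive", "Audit"],
    "Production": ["ProdApp", "ProdData"],
    "Development": ["DevApp"],
}
# Constructed list of regions enabled for the accelerator.
ENABLED_REGIONS = ["us-east-1", "us-west-1", "us-west-2"]


def resolve_targets(targets, org=ORG, regions=ENABLED_REGIONS):
    """Return the set of (account, region) pairs a deploymentTargets block selects.

    Inclusions are the accounts listed directly plus every account in each
    named OU. excludedAccounts is removed last, so it wins over any inclusion;
    excludedRegions is subtracted from the enabled region list.
    """
    included = set(targets.get("accounts", []))
    for ou in targets.get("organizationalUnits", []):
        if ou not in org:
            # Fail closed: a typo in an OU name must not silently deploy nowhere.
            raise ValueError(f"unknown organizational unit: {ou}")
        included.update(org[ou])
    included -= set(targets.get("excludedAccounts", []))
    excluded_regions = set(targets.get("excludedRegions", []))
    active_regions = [r for r in regions if r not in excluded_regions]
    return set(product(sorted(included), active_regions))


# The deploymentTargets example from the page, as a Python mapping.
PAGE_EXAMPLE = {
    "organizationalUnits": ["Production", "Development"],
    "excludedAccounts": ["Management"],
    "excludedRegions": ["us-west-1"],
}

if __name__ == "__main__":
    for account, region in sorted(resolve_targets(PAGE_EXAMPLE)):
        print(f"{account}\t{region}")
```

Reviewing the expanded pair list before a pipeline run is a cheap way to catch an over-broad OU target or a missing region exclusion.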

name string required

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
policy string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

minLength=1
NonEmptyString string

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

NotificationType string

Notification Type

Defines when budget notifications should be triggered based on spending patterns and forecasting data from AWS Budgets.

Values

  • ACTUAL: Trigger notifications based on actual incurred costs
  • FORECASTED: Trigger notifications based on projected/forecasted costs
StorageClass string

S3 Storage Class Type

Defines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.

StreamMode string
SubscriptionType string

Subscription Type

Defines the delivery mechanism for notifications and alerts from AWS services like Budgets, CloudWatch, and other monitoring services.

Values

  • EMAIL: Send notifications via email to specified addresses
  • SNS: Send notifications via Amazon SNS topic

Considerations

  • EMAIL: Simple setup, direct delivery, limited to email addresses
  • SNS: More flexible, supports multiple endpoints, requires SNS topic setup
ThresholdType string

Threshold Type

Defines how threshold values should be interpreted in monitoring and alerting configurations, particularly for AWS Budgets and CloudWatch alarms.

Values

  • PERCENTAGE: Threshold as a percentage of the total/baseline value
  • ABSOLUTE_VALUE: Threshold as an absolute numeric value