{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-global-config/latest.json",
  "x-lintel": {
    "source": "https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/global-config.json",
    "sourceSha256": "6898094d28b80ae4f1bdb2fd9395ac68f8ed7976b2b93fac82312e46b3e5e1d9",
    "fileMatch": [
      "global-config.yaml"
    ],
    "parsers": [
      "yaml"
    ]
  },
  "$ref": "#/$defs/IGlobalConfig",
  "$defs": {
    "ComparisonOperator": {
      "description": "## Comparison Operator Type\n\nDefines comparison operations used in monitoring, alerting, and conditional logic throughout the Landing Zone Accelerator configuration.\n\n### Values\n- **GREATER_THAN**: Trigger when value exceeds threshold\n- **LESS_THAN**: Trigger when value falls below threshold\n- **EQUAL_TO**: Trigger when value equals threshold",
      "enum": [
        "GREATER_THAN",
        "LESS_THAN",
        "EQUAL_TO"
      ],
      "type": "string"
    },
    "EmailAddress": {
      "description": "## Email Address Type\n\nRepresents a valid email address with AWS-compatible formatting requirements. Used throughout the Landing Zone Accelerator for account creation, notifications, and contact information.\n\n### Format Requirements\n\n- **Length**: 6-64 characters\n- **Pattern**: Must match standard email format\n- **Domain**: Must contain at least one dot in the domain portion\n\n### Examples\n\n```typescript\nconst email1: EmailAddress = \"admin@example.com\";\n```",
      "maxLength": 64,
      "minLength": 6,
      "pattern": "^\\S+@\\S+\\.\\S+$",
      "type": "string"
    },
    "IAcceleratorMetadataConfig": {
      "type": "object",
      "description": "## Accelerator Metadata Configuration\n\nUsed to enable accelerator metadata logs.\n\n### Example\n\n```yaml\nacceleratorMetadata:\n  enable: true\n  account: Logging\n  readOnlyAccessRoleArns:\n    - arn:aws:iam::111111111111:role/test-access-role\n```",
      "properties": {
        "account": {
          "description": "**Account** *(Required)*\n\nThe account to save the logs in. A new S3 Bucket will be created for this purpose.",
          "type": "string"
        },
        "enable": {
          "description": "**Enable** *(Required)*\n\nDetermines whether or not accelerator metadata is captured.",
          "type": "boolean"
        },
        "readOnlyAccessRoleArns": {
          "description": "**Read-Only Access Role ARNs** *(Required)*\n\nList of role ARNs that should have read-only access to the logs.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "enable",
        "account",
        "readOnlyAccessRoleArns"
      ],
      "additionalProperties": false
    },
    "IAcceleratorSettingsConfig": {
      "type": "object",
      "description": "## Accelerator Settings Configuration\n\nContains additional configuration settings for the Accelerator. Allows for the configuration of the maximum concurrent stacks that can be processed at a given time.\n\n### Example\n\n```yaml\nacceleratorSettings:\n  maxConcurrentStacks: 100\n```",
      "properties": {
        "maxConcurrentStacks": {
          "default": 100,
          "description": "**Max Concurrent Stacks** *(Optional)*\n\nSet the maximum number of concurrent stacks that can be processed at a time while transpiling the application.",
          "type": "number"
        }
      },
      "additionalProperties": false
    },
    "IAccessLogBucketConfig": {
      "type": "object",
      "description": "## Access Log Bucket Configuration\n\nConfiguration for the access log bucket used to store S3 server access logs.\n\n### Key Features\n- **Resource Policies**: Attach resource policies to the bucket\n- **Lifecycle Management**: Configure lifecycle rules for log retention and cost optimization\n- **Imported Bucket**: Import existing bucket and apply resource policies\n- **Deployment Targeting**: Control which accounts and regions receive the configuration\n\n### Example\n\n```yaml\naccessLogBucket:\n  enable: true\n  deploymentTargets:\n    organizationalUnits:\n      - Root\n  s3ResourcePolicyAttachments:\n    - policy: s3-policies/policy1.json\n  lifecycleRules:\n    - enabled: true\n      id: AccessLifecycle-01\n      abortIncompleteMultipartUpload: 14\n      expiration: 3563\n      expiredObjectDeleteMarker: false\n      noncurrentVersionExpiration: 3653\n      noncurrentVersionTransitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      transitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      prefix: PREFIX\n  importedBucket:\n    name: existing-access-log-bucket-${ACCOUNT_ID}-${REGION}\n    applyAcceleratorManagedBucketPolicy: true\n```",
      "properties": {
        "customPolicyOverrides": {
          "$ref": "#/$defs/ICustomS3ResourcePolicyOverridesConfig",
          "default": "undefined",
          "description": "**Custom Policy Overrides Configuration** *(Optional)*\n\nProvide policy overrides. Policy files must contain a complete policy document.\n\n**Conflicts**\n- When s3Policy is defined, importedBucket.applyAcceleratorManagedBucketPolicy cannot be true\n- When s3Policy is defined, s3ResourcePolicyAttachments cannot be defined\n\n**Example**\n\n```yaml\ncustomPolicyOverrides:\n  s3Policy: path/to/access-log-policy.json\n```"
        },
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "default": "All accounts and enabled regions",
          "description": "**Deployment Targets** *(Optional)*\n\nSpecifies which accounts and regions should receive the access log bucket configuration. When undefined, the configuration applies to all accounts and enabled regions.\n\n**Example**\n\n```yaml\ndeploymentTargets:\n  organizationalUnits:\n    - Root\n  excludedRegions:\n    - us-west-1\n```"
        },
        "enable": {
          "default": true,
          "description": "**Enable Access Log Bucket** *(Optional)*\n\nControls whether the S3 access logging bucket is created by the solution. When undefined, the solution will create access log buckets automatically.\n\n**Important Notes**\n- Access log buckets are always created for critical solution buckets (installer, pipeline, central logs, assets)\n- Use deploymentTargets to control which accounts and regions receive this configuration\n- This setting primarily affects additional access log buckets beyond the core solution buckets",
          "type": "boolean"
        },
        "importedBucket": {
          "$ref": "#/$defs/IImportedS3ManagedEncryptionKeyBucketConfig",
          "default": "undefined",
          "description": "**Imported Bucket Configuration** *(Optional)*\n\nWhen set, the accelerator will import an existing access logs bucket.\n\nUse this configuration to import an existing access logs bucket and manage its resource policy through the solution.\n\n**Important Requirements**\n- Both source and destination buckets must be in the same AWS Region and owned by the same account\n- The bucket must be pre-created in each target account and region using a repeatable naming pattern\n- Include ${ACCOUNT_ID} and ${REGION} parameters in your naming pattern for automatic population\n\n**Example**\n\n```yaml\nimportedBucket:\n  name: existing-access-log-bucket-${ACCOUNT_ID}-${REGION}\n  applyAcceleratorManagedBucketPolicy: true\n```"
        },
        "lifecycleRules": {
          "description": "**S3 Lifecycle Rules** *(Optional)*\n\nConfigure lifecycle rules for the access log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.\n\n**Example**\n\n```yaml\nlifecycleRules:\n  - enabled: true\n    id: AccessLifecycle-01\n    expiration: 365\n    transitions:\n      - storageClass: GLACIER\n        transitionAfter: 30\n```",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "s3ResourcePolicyAttachments": {
          "description": "**S3 Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.\n\n**Note**: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.\n\n**Example**\n\n```yaml\ns3ResourcePolicyAttachments:\n  - policy: s3-policies/access-log-policy.json\n  - policy: s3-policies/cross-account-access.json\n```",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IAccountCloudTrailConfig": {
      "type": "object",
      "description": "## Account Cloud Trail Configuration\n\nConfiguration options for account-level trails.\n\n### Example\n\n```yaml\n- name: AWSAccelerator-Account-CloudTrail\n  regions:\n    - us-east-1\n  deploymentTargets:\n    organizationalUnits:\n      - Root\n  settings:\n    multiRegionTrail: true\n    globalServiceEvents: true\n    managementEvents: true\n    s3DataEvents: true\n    lambdaDataEvents: true\n    sendToCloudWatchLogs: true\n    apiErrorRateInsight: false\n    apiCallRateInsight: false\n```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nDetermines which OUs or accounts the trail will be deployed to."
        },
        "name": {
          "description": "**Name** *(Required)*\n\nThe name that will be used to create the trail.",
          "type": "string"
        },
        "regions": {
          "description": "**Regions** *(Required)*\n\nDetermines which region(s) this account trail will be deployed in.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "settings": {
          "$ref": "#/$defs/ICloudTrailSettingsConfig",
          "description": "**Settings** *(Required)*\n\nAdditional settings for the trail"
        }
      },
      "required": [
        "name",
        "regions",
        "deploymentTargets",
        "settings"
      ],
      "additionalProperties": false
    },
    "IAssetBucketConfig": {
      "type": "object",
      "description": "## Asset Bucket Configuration\n\nConfiguration for the asset bucket.\n\n### Key Features\n- **Resource Policies**: Attach resource policies to the bucket\n- **KMS Policy**: Apply KMS policy to the bucket encryption key\n- **Imported Bucket**: Import existing bucket and apply resource policies and encryption key policies\n\n### Example\n\n```yaml\nassetBucket:\n  s3ResourcePolicyAttachments:\n    - policy: s3-policies/policy1.json\n  importedBucket:\n    name: aws-accelerator-assets\n    applyAcceleratorManagedBucketPolicy: true\n```",
      "properties": {
        "customPolicyOverrides": {
          "$ref": "#/$defs/ICustomS3ResourceAndKmsPolicyOverridesConfig",
          "default": "undefined",
          "description": "**Custom Policy Overrides Configuration** *(Optional)*\n\nProvide policy overrides. Policy files must contain a complete policy document.\n\n**Conflicts**\n- When s3Policy is defined, importedBucket.applyAcceleratorManagedBucketPolicy cannot be true\n- When s3Policy is defined, s3ResourcePolicyAttachments cannot be defined\n- When kmsPolicy is defined, importedBucket.createAcceleratorManagedKey cannot be true\n- When kmsPolicy is defined, kmsResourcePolicyAttachments cannot be defined\n\n**Example**\n\n```yaml\ncustomPolicyOverrides:\n  s3Policy: path/to/policy.json\n  kmsPolicy: kms/full-central-logs-bucket-key-policy.json\n```"
        },
        "importedBucket": {
          "$ref": "#/$defs/IImportedCustomerManagedEncryptionKeyBucketConfig",
          "default": "undefined",
          "description": "**Imported Bucket Configuration** *(Optional)*\n\nWhen set, the accelerator will import an existing assets bucket.\n\nUse the following configuration to import an existing Assets bucket, manage its bucket resource policy, and apply bucket encryption through the solution.\n\n**Note**: When importing your own Assets S3 Bucket, be sure to create it in the `Management` account in the `home` region.\n\n**Example**\n\n```yaml\nimportedBucket:\n  name: aws-assets\n  applyAcceleratorManagedBucketPolicy: true\n  createAcceleratorManagedKey: true\n```"
        },
        "kmsResourcePolicyAttachments": {
          "description": "**KMS Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket encryption key's resource policy.\n\n**Notes**\n- Cannot be used when the customPolicyOverrides.kmsPolicy property has a value.\n- When importing an assets bucket with createAcceleratorManagedKey set to false, this property must be undefined\n- The Assets Bucket will allow customers to have SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        },
        "s3ResourcePolicyAttachments": {
          "description": "**S3 Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.\n\n**Note**: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.\n\n**Example**\n\n```yaml\ns3ResourcePolicyAttachments:\n  - policy: s3-policies/policy1.json\n  - policy: s3-policies/policy2.json\n```",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IBackupConfig": {
      "type": "object",
      "description": "## Backup Configuration\n\nEnables the setup of Backups.\n\n### Examples\n\n```yaml\nbackup:\n  vaults:\n    - name: BackupVault\n      deploymentTargets:\n        organizationalUnits:\n          - Root\n```",
      "properties": {
        "vaults": {
          "description": "**Vaults** *(Required)*\n\nConfiguration for Backup Vaults.",
          "items": {
            "$ref": "#/$defs/IVaultConfig"
          },
          "type": "array"
        }
      },
      "required": [
        "vaults"
      ],
      "additionalProperties": false
    },
    "IBudgetReportConfig": {
      "type": "object",
      "description": "## Budget Report Configuration\n\nDefines AWS Budgets for cost monitoring, usage tracking, and automated alerting. Budgets help you monitor your AWS costs and usage, and receive alerts when you exceed or are forecasted to exceed your defined thresholds.\n\n### Key Features\n\n- **Cost and Usage Monitoring**: Track spending across accounts, services, and resources\n- **Automated Alerting**: Email and SNS notifications when thresholds are exceeded\n- **Multiple Budget Types**: Support for cost, usage, RI utilization, and Savings Plans\n- **Flexible Thresholds**: Percentage or absolute value threshold configurations\n- **Multi-Account Deployment**: Deploy budgets across organizational units and accounts\n\n### Budget Types Supported\n\n- **COST**: Monitor spending in your preferred currency\n- **USAGE**: Track service usage hours or quantities\n- **RI_UTILIZATION**: Monitor Reserved Instance utilization rates\n- **RI_COVERAGE**: Track Reserved Instance coverage percentages\n- **SAVINGS_PLANS_UTILIZATION**: Monitor Savings Plans utilization\n- **SAVINGS_PLANS_COVERAGE**: Track Savings Plans coverage\n\n### Usage Example\n\n```yaml\nbudgets:\n  # Monthly cost budget with email alerts\n  - name: monthly-cost-budget\n    timeUnit: MONTHLY\n    type: COST\n    amount: 5000\n    unit: USD\n    includeUpfront: true\n    includeTax: true\n    includeSupport: true\n    notifications:\n      - type: ACTUAL\n        thresholdType: PERCENTAGE\n        threshold: 80\n        comparisonOperator: GREATER_THAN\n        subscriptionType: EMAIL\n        recipients:\n          - finance-team@example.com\n          - platform-team@example.com\n    deploymentTargets:\n      organizationalUnits:\n        - Workloads\n\n  # Daily usage budget for EC2 hours\n  - name: ec2-usage-budget\n    timeUnit: DAILY\n    type: USAGE\n    amount: 1000\n    unit: Hrs\n    notifications:\n      - type: FORECASTED\n        thresholdType: ABSOLUTE_VALUE\n        threshold: 800\n        comparisonOperator: GREATER_THAN\n        subscriptionType: EMAIL\n        recipients:\n          - ops-team@example.com\n```",
      "properties": {
        "amount": {
          "default": 2000,
          "description": "**Budget Amount** *(Required)*\n\nThe cost or usage amount that defines the budget threshold. This value represents the maximum amount you want to spend (for COST budgets) or consume (for USAGE budgets) within the specified time period.\n\n### Amount Guidelines\n\n- **Cost Budgets**: Specify amount in your preferred currency unit\n- **Usage Budgets**: Specify amount in service-specific units (hours, GB, requests)\n- **RI/Savings Plans**: Specify percentage values (0-100) for utilization/coverage\n\n### Examples\n\n```yaml\n# Monthly cost budget of $5,000\namount: 5000\ntype: COST\nunit: USD\n\n# Daily EC2 usage budget of 1,000 hours\namount: 1000\ntype: USAGE\nunit: Hrs\n\n# RI utilization target of 80%\namount: 80\ntype: RI_UTILIZATION\n```",
          "type": "number"
        },
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Optional)*\n\nSpecifies which organizational units and accounts should have this budget deployed. When not specified, the budget is deployed only to the management account.\n\n### Deployment Scope\n\n- **Organizational Units**: Deploy to all accounts within specified OUs\n- **Specific Accounts**: Deploy to individually named accounts\n- **Account Exclusions**: Exclude specific accounts from OU-wide deployments\n\n### Usage Examples\n\n```yaml\n# Deploy to all accounts in Workloads OU\ndeploymentTargets:\n  organizationalUnits:\n    - Workloads\n\n# Deploy to specific accounts only\ndeploymentTargets:\n  accounts:\n    - Production\n    - Staging\n\n# Deploy to OU but exclude specific accounts\ndeploymentTargets:\n  organizationalUnits:\n    - Workloads\n  excludedAccounts:\n    - Development\n```\n\n### Best Practices\n\n- Use OU-based deployment for consistent budget policies\n- Deploy cost budgets to production accounts\n- Consider separate budgets for different environments\n- Exclude sandbox accounts from strict budget controls"
        },
        "includeCredit": {
          "default": true,
          "description": "**Include Credits** *(Optional)*\n\nWhether to include AWS credits in the budget calculation. When enabled, credits reduce the total amount counted against the budget.\n\n### Credit Types\n\n- AWS promotional credits\n- Service credits for SLA violations\n- Partner-provided credits\n- Migration incentive credits\n\n### Best Practices\n\n- **Enable** for net cost visibility after credits\n- **Disable** for tracking actual resource consumption costs",
          "type": "boolean"
        },
        "includeDiscount": {
          "default": true,
          "description": "**Include Discounts** *(Optional)*\n\nWhether to include discounts in the budget calculation. When enabled, discounts reduce the total amount counted against the budget.\n\n### Discount Types\n\n- Volume discounts\n- Reserved Instance discounts\n- Savings Plans discounts\n- Promotional credits\n\n### Considerations\n\n- **Enable** to see net costs after discounts\n- **Disable** to track gross costs before discounts",
          "type": "boolean"
        },
        "includeOtherSubscription": {
          "default": true,
          "description": "**Include Other Subscriptions** *(Optional)*\n\nWhether to include non-Reserved Instance subscription costs such as Savings Plans, software subscriptions, and marketplace subscriptions.\n\n### Subscription Types Included\n\n- AWS Marketplace software subscriptions\n- Third-party software licenses\n- Other recurring subscription charges",
          "type": "boolean"
        },
        "includeRecurring": {
          "default": true,
          "description": "**Include Recurring Costs** *(Optional)*\n\nWhether to include recurring fees such as monthly Reserved Instance charges, data transfer fees, and other predictable recurring costs.\n\n### Recurring Cost Types\n\n- Monthly RI fees (after upfront payment)\n- Data transfer charges\n- Storage fees\n- Other predictable monthly charges",
          "type": "boolean"
        },
        "includeRefund": {
          "default": true,
          "description": "**Include Refunds** *(Optional)*\n\nWhether to include refunds in the budget calculation. When enabled, refunds reduce the total amount counted against the budget.\n\n### When to Include\n\n- **Enable** for net cost tracking that accounts for refunds\n- **Disable** for gross cost tracking without refund adjustments\n- Consider impact on budget accuracy if refunds are frequent",
          "type": "boolean"
        },
        "includeSubscription": {
          "default": true,
          "description": "**Include Subscriptions** *(Optional)*\n\nWhether to include general subscription costs in the budget calculation. This is a broader category that encompasses various subscription-based charges.\n\n### When to Include\n\n- **Enable** for comprehensive subscription cost tracking\n- **Disable** when focusing only on usage-based costs",
          "type": "boolean"
        },
        "includeSupport": {
          "default": true,
          "description": "**Include Support Costs** *(Optional)*\n\nWhether to include AWS Support subscription fees in the budget calculation. This includes Business, Enterprise, and other support plan charges.\n\n### When to Include\n\n- **Enable** for complete operational cost visibility\n- **Disable** when support costs are managed separately\n- Consider if support costs should be allocated to specific teams/projects",
          "type": "boolean"
        },
        "includeTax": {
          "default": true,
          "description": "**Include Tax** *(Optional)*\n\nWhether to include taxes in the budget calculation. This includes all applicable taxes such as VAT, sales tax, and other regional taxes.\n\n### Considerations\n\n- **Enable** for total cost visibility including all charges\n- **Disable** for pre-tax budget management\n- Consider regional tax implications for multi-region deployments",
          "type": "boolean"
        },
        "includeUpfront": {
          "default": true,
          "description": "**Include Upfront Costs** *(Optional)*\n\nWhether to include upfront Reserved Instance costs in the budget calculation. Upfront costs are one-time payments made when purchasing Reserved Instances.\n\n### When to Include\n\n- **Enable** for comprehensive cost tracking that includes RI purchases\n- **Enable** when budgeting for periods that include RI purchases\n- **Disable** for operational cost budgets that exclude capital expenditures",
          "type": "boolean"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Budget Name** *(Required)*\n\nUnique identifier for the budget within the AWS account. The name appears in the AWS Billing and Cost Management console and in budget notifications.\n\n### Naming Requirements\n\n- Must be unique within the AWS account\n- Cannot contain colon (:) or backslash (\\\\) characters\n- Should be descriptive and indicate the budget's purpose\n- Recommended to include time period and budget type\n\n### Naming Best Practices\n\n```yaml\n# Environment-based naming\nname: prod-monthly-cost-budget\nname: dev-daily-usage-budget\n\n# Service-specific naming\nname: ec2-monthly-cost-limit\nname: s3-storage-usage-budget\n\n# Team-based naming\nname: platform-team-quarterly-budget\nname: data-team-monthly-spend\n```"
        },
        "notifications": {
          "description": "**Budget Notifications** *(Optional)*\n\nList of notification configurations that define when and how alerts are sent when budget thresholds are exceeded or forecasted to be exceeded.\n\n### Notification Types\n\n- **ACTUAL**: Alert when actual spending/usage exceeds threshold\n- **FORECASTED**: Alert when forecasted spending/usage will exceed threshold\n\n### Threshold Types\n\n- **PERCENTAGE**: Threshold as percentage of budget amount\n- **ABSOLUTE_VALUE**: Threshold as absolute value in budget units\n\n### Best Practices\n\n```yaml\nnotifications:\n  # Early warning at 75% of budget\n  - type: FORECASTED\n    thresholdType: PERCENTAGE\n    threshold: 75\n    comparisonOperator: GREATER_THAN\n    subscriptionType: EMAIL\n    recipients:\n      - team-lead@example.com\n\n  # Critical alert at 90% actual spend\n  - type: ACTUAL\n    thresholdType: PERCENTAGE\n    threshold: 90\n    comparisonOperator: GREATER_THAN\n    subscriptionType: EMAIL\n    recipients:\n      - finance-team@example.com\n      - platform-team@example.com\n```",
          "items": {
            "$ref": "#/$defs/INotificationConfig"
          },
          "type": "array"
        },
        "subscriptionType": {
          "anyOf": [
            {
              "$ref": "#/$defs/SubscriptionType"
            },
            {
              "type": "string"
            }
          ],
          "description": "**Subscription Type** *(Optional)*\n\nDefault notification delivery method for budget alerts. This can be overridden in individual notification configurations.\n\n### Available Types\n\n- **EMAIL**: Send notifications via email (most common)\n- **SNS**: Send notifications via Amazon SNS topic\n\n### Usage Guidelines\n\n```yaml\n# Email notifications (recommended for most use cases)\nsubscriptionType: EMAIL\n\n# SNS for integration with other systems\nsubscriptionType: SNS\n```\n\n**Note:** Individual notifications can override this default setting."
        },
        "timeUnit": {
          "description": "**Time Unit** *(Required)*\n\nThe time period over which the budget amount is measured and reset. Determines how frequently the budget resets and when notifications are evaluated.\n\n### Available Time Units\n\n- **DAILY**: Budget resets every day (available for all budget types)\n- **MONTHLY**: Budget resets monthly (most common, recommended)\n- **QUARTERLY**: Budget resets every 3 months\n- **ANNUALLY**: Budget resets yearly (good for annual planning)\n\n### Usage Guidelines\n\n```yaml\n# Most common - monthly cost monitoring\ntimeUnit: MONTHLY\ntype: COST\n\n# Daily monitoring for high-usage services\ntimeUnit: DAILY\ntype: USAGE\n\n# Annual budgets for long-term planning\ntimeUnit: ANNUALLY\ntype: COST\n```\n\n### Special Considerations\n\n- **RI_UTILIZATION** and **RI_COVERAGE** budgets support DAILY time units\n- DAILY budgets provide more granular monitoring but may generate more alerts\n- MONTHLY is recommended for most cost management use cases",
          "type": "string"
        },
        "type": {
          "description": "**Budget Type** *(Required)*\n\nSpecifies what the budget monitors: costs, usage, or Reserved Instance metrics. The budget type determines how the amount is interpreted and what data is tracked.\n\n### Budget Types\n\n- **COST**: Monitors spending in your specified currency\n- **USAGE**: Tracks service usage quantities (hours, GB, requests)\n- **RI_UTILIZATION**: Monitors Reserved Instance utilization percentage\n- **RI_COVERAGE**: Tracks Reserved Instance coverage percentage\n- **SAVINGS_PLANS_UTILIZATION**: Monitors Savings Plans utilization\n- **SAVINGS_PLANS_COVERAGE**: Tracks Savings Plans coverage\n\n### Type-Specific Considerations\n\n```yaml\n# Cost monitoring (most common)\ntype: COST\namount: 5000\nunit: USD\n\n# Usage monitoring\ntype: USAGE\namount: 1000\nunit: Hrs\n\n# Reserved Instance optimization\ntype: RI_UTILIZATION\namount: 80  # Target 80% utilization\n\n# Savings Plans monitoring\ntype: SAVINGS_PLANS_COVERAGE\namount: 70  # Target 70% coverage\n```",
          "type": "string"
        },
        "unit": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Budget Unit** *(Optional)*\n\nUnit of measurement for the budget amount. The unit depends on the budget type and determines how the amount value is interpreted.\n\n### Common Units by Budget Type\n\n**Cost Budgets:**\n- `USD`, `EUR`, `GBP`, `JPY` (currency codes)\n\n**Usage Budgets:**\n- `Hrs` (hours for compute services)\n- `GB` (gigabytes for storage)\n- `Requests` (for API calls)\n- Service-specific units\n\n**RI/Savings Plans Budgets:**\n- Percentage values (no unit specified)\n\n### Examples\n\n```yaml\n# Cost budget in US Dollars\ntype: COST\namount: 5000\nunit: USD\n\n# Usage budget in hours\ntype: USAGE\namount: 1000\nunit: Hrs\n\n# RI utilization (no unit needed)\ntype: RI_UTILIZATION\namount: 80\n```"
        },
        "useAmortized": {
          "default": false,
          "description": "**Use Amortized Costs** *(Optional)*\n\nWhether to use amortized costs for Reserved Instances and Savings Plans. Amortized costs spread upfront payments across the term of the commitment.\n\n### Amortized vs. Unblended\n\n- **Amortized**: Spreads upfront RI costs across the RI term\n- **Unblended**: Shows actual charges as they occur\n\n### When to Use\n\n- **Enable** for consistent monthly cost allocation\n- **Disable** for cash flow and actual billing tracking\n- Useful for chargeback and cost allocation scenarios",
          "type": "boolean"
        },
        "useBlended": {
          "default": false,
          "description": "**Use Blended Rates** *(Optional)*\n\nWhether to use blended rates that average costs across different pricing tiers. Blended rates provide a simplified view by averaging tiered pricing.\n\n### Blended vs. Unblended\n\n- **Blended**: Averages costs across pricing tiers\n- **Unblended**: Shows actual per-unit costs for each tier\n\n### When to Use\n\n- **Enable** for simplified cost analysis and reporting\n- **Disable** for detailed cost optimization and tier analysis\n- Consider organizational reporting requirements",
          "type": "boolean"
        }
      },
      "required": [
        "amount",
        "name",
        "timeUnit",
        "type"
      ],
      "additionalProperties": false
    },
    "ICdkOptionsConfig": {
      "type": "object",
      "description": "## CDK Options\n\nManage the behavior of CDK within LZA.\n\n### Key Features\n- **Centralize Buckets**: Determines whether CDK will use a single, centralized S3 bucket per region\n- **Deployment Role Management**: Determines whether CDK will use a custom execution role for CDK operations\n\n### Example\n\n```yaml\ncdkOptions:\n  centralizeBuckets: true\n  useManagementAccessRole: true\n  deploymentMethod: 'direct'\n```",
      "properties": {
        "centralizeBuckets": {
          "description": "**Centralize Buckets** *(Required)*\n\nWhen the accelerator deploys resources using the AWS CDK, assets are first built and stored in S3. By default, the S3 bucket is located within the deployment target account. Enabling this feature will utilize an S3 bucket within the management account instead.",
          "type": "boolean"
        },
        "customDeploymentRole": {
          "description": "**Custom Deployment Role** *(Optional)*\n\nCreate a deployment role in all accounts in the home region with the specified name. This role is used by the LZA for all CDK deployment tasks.",
          "type": "string"
        },
        "deploymentMethod": {
          "default": "direct",
          "description": "**Deployment Method** *(Optional)*\n\nManage the CDK deployment method for the LZA.\n\n**Options**\n- **'direct'**: Default used by the LZA\n- **'change-set'**: Provides additional progress information; can increase deployment time",
          "enum": [
            "change-set",
            "direct"
          ],
          "type": "string"
        },
        "forceBootstrap": {
          "default": false,
          "description": "**Force Bootstrap** *(Optional)*\n\nForces the Accelerator to deploy the bootstrapping stack and circumvent the SSM parameter check. This option is needed when adding or removing a custom deployment role",
          "type": "boolean"
        },
        "skipStaticValidation": {
          "description": "**Skip Static Validation** *(Optional)*\n\nWhen enabled, the LZA pipeline will skip the static config validation step during the build phase. Helpful in cases where the config validator incorrectly throws errors for a valid configuration.",
          "type": "boolean"
        },
        "useManagementAccessRole": {
          "description": "**Use Management Access Role** *(Required)*\n\nIndicates whether CDK operations use the IAM role specified in the  {@link  IGlobalConfig.managementAccountAccessRole `managementAccountAccessRole` option in the global config }  rather than the default roles created by CDK.",
          "type": "boolean"
        }
      },
      "required": [
        "centralizeBuckets",
        "useManagementAccessRole"
      ],
      "additionalProperties": false
    },
    "ICentralLogBucketConfig": {
      "type": "object",
      "description": "## Central Log Bucket Configuration\n\nConfiguration for the central log bucket used to store centralized logs from across the organization.\n\n### Key Features\n- **Resource Policies**: Attach resource policies to the bucket\n- **KMS Policy**: Apply KMS policy to the bucket encryption key\n- **Lifecycle Management**: Configure lifecycle rules for log retention and cost optimization\n- **Imported Bucket**: Import existing bucket and apply resource policies and encryption key policies\n\n### Example ```yaml centralLogBucket:   lifecycleRules:     - enabled: true       id: CentralLifecycleRule-01       abortIncompleteMultipartUpload: 14       expiration: 3563       expiredObjectDeleteMarker: false       noncurrentVersionExpiration: 3653       noncurrentVersionTransitions:         - storageClass: GLACIER           transitionAfter: 365       transitions:         - storageClass: GLACIER           transitionAfter: 365       prefix: PREFIX   s3ResourcePolicyAttachments:     - policy: s3-policies/policy1.json   kmsResourcePolicyAttachments:     - policy: kms-policies/policy1.json   importedBucket:     name: central-log-bucket     applyAcceleratorManagedBucketPolicy: true     createAcceleratorManagedKey: false ```",
      "properties": {
        "customPolicyOverrides": {
          "$ref": "#/$defs/ICustomS3ResourceAndKmsPolicyOverridesConfig",
          "default": "undefined",
          "description": "**Custom Policy Overrides Configuration** *(Optional)*\n\nProvide policy overrides. Policy files must contain a complete policy document.\n\n**Conflicts**\n- When s3Policy is defined, importedBucket.applyAcceleratorManagedBucketPolicy cannot be true\n- When s3Policy is defined, s3ResourcePolicyAttachments cannot be defined\n- When kmsPolicy is defined, importedBucket.createAcceleratorManagedKey cannot be true\n- When kmsPolicy is defined, kmsResourcePolicyAttachments cannot be defined\n\n**Example** ```yaml customPolicyOverrides:   s3Policy: path/to/policy.json   kmsPolicy: kms/full-central-logs-bucket-key-policy.json ```"
        },
        "importedBucket": {
          "$ref": "#/$defs/IImportedS3ManagedEncryptionKeyBucketConfig",
          "default": "undefined",
          "description": "**Imported Bucket Configuration** *(Optional)*\n\nWhen set, the accelerator will import an existing central logs bucket.\n\nUse this configuration to import an existing central logs bucket, manage bucket resource policy and KMS policy through the solution.\n\n**Example** ```yaml importedBucket:   name: existing-central-log-bucket   applyAcceleratorManagedBucketPolicy: true   createAcceleratorManagedKey: true ```"
        },
        "kmsResourcePolicyAttachments": {
          "description": "**KMS Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket encryption key policy.\n\n**Notes**\n- Cannot be used when customPolicyOverrides.kmsPolicy property has value\n- When importing a central logs bucket with createAcceleratorManagedKey set to false, this property must be undefined\n- The Central Logs Bucket will allow customers to have SSE-S3 (Amazon S3 managed keys) or SSE-KMS keys. Only SSE-KMS keys can adopt the KMS resource policy files.\n\n**Example** ```yaml kmsResourcePolicyAttachments:   - policy: kms-policies/central-log-key-policy.json ```",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        },
        "lifecycleRules": {
          "description": "**S3 Lifecycle Rules** *(Optional)*\n\nConfigure lifecycle rules for the central log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.\n\n**Example** ```yaml lifecycleRules:   - enabled: true     id: CentralLifecycleRule-01     expiration: 365     transitions:       - storageClass: GLACIER         transitionAfter: 30 ```",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "s3ResourcePolicyAttachments": {
          "description": "**S3 Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket resource policy. This property cannot be used when customPolicyOverrides.s3Policy property has value.\n\n**Note**: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 Bucket public.\n\n**Example** ```yaml s3ResourcePolicyAttachments:   - policy: s3-policies/central-log-policy.json   - policy: s3-policies/cross-account-access.json ```",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "ICentralRootUserManagementConfig": {
      "type": "object",
      "description": "## Central Root User Management Configuration\n\nConfigure how root management is controlled within the organization.\n\n### Example ```yaml centralRootUserManagement:   enable: true   capabilities:    rootCredentialsManagement: true    allowRootSessions: true ```",
      "properties": {
        "capabilities": {
          "$ref": "#/$defs/IRootUserManagementCapabiltiesConfig",
          "description": "**Capabilities** *(Required)*\n\nDetermines how root user management is controlled within the organization."
        },
        "enable": {
          "description": "**Enable** *(Required)*\n\nDetermines whether root user management is enabled for the organization.",
          "type": "boolean"
        }
      },
      "required": [
        "enable",
        "capabilities"
      ],
      "additionalProperties": false
    },
    "ICentralizeCdkBucketsConfig": {
      "type": "object",
      "deprecated": true,
      "description": "## Centralized CDK Buckets Configuration",
      "properties": {
        "enable": {
          "deprecated": true,
          "type": "boolean"
        }
      },
      "required": [
        "enable"
      ],
      "additionalProperties": false
    },
    "ICloudTrailConfig": {
      "type": "object",
      "description": "## CloudTrail Configuration\n\nUsed to enable and configure CloudTrail for the LZA deployment.\n\n### Example ```yaml cloudtrail:   enable: true   organizationTrail: true   organizationTrailSettings:     multiRegionTrail: true     globalServiceEvents: true     managementEvents: true     s3DataEvents: true     lambdaDataEvents: true     sendToCloudWatchLogs: true     apiErrorRateInsight: false     apiCallRateInsight: false   accountTrails: []   lifecycleRules: [] ```",
      "properties": {
        "accountTrails": {
          "description": "**Account Trails** *(Optional)*\n\nConfigurations for account-level trails to be created by the LZA deployment.",
          "items": {
            "$ref": "#/$defs/IAccountCloudTrailConfig"
          },
          "type": "array"
        },
        "enable": {
          "description": "**Enable** *(Required)*\n\nWhether or not to enable CloudTrail. This setting alone does not create any trails. Enabling  {@link  ICloudTrailConfig.organizationTrail }  will create an organization-level trail. Additionally, you can setup account-level trails.",
          "type": "boolean"
        },
        "lifecycleRules": {
          "description": "**S3 Log Bucket Lifecycle Rules** *(Optional)*\n\nOptional lifecycle rules for the S3 log bucket",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "organizationTrail": {
          "description": "**Organization Trail** *(Required)*\n\nWhen enabled alongside  {@link  ICloudTrailConfig.enable } , LZA will create an organization-level trail.",
          "type": "boolean"
        },
        "organizationTrailSettings": {
          "$ref": "#/$defs/ICloudTrailSettingsConfig",
          "description": "**Organization Trail Settings** *(Optional)*\n\nContains optional settings for the organization-level trail."
        }
      },
      "required": [
        "enable",
        "organizationTrail"
      ],
      "additionalProperties": false
    },
    "ICloudTrailSettingsConfig": {
      "type": "object",
      "description": "## CloudTrail Settings Configuration\n\nAdditional settings used to configure an organization-level trail.\n\n### Example ```yaml multiRegionTrail: true globalServiceEvents: true managementEvents: true s3DataEvents: true lambdaDataEvents: true sendToCloudWatchLogs: true apiErrorRateInsight: false apiCallRateInsight: false ```",
      "properties": {
        "apiCallRateInsight": {
          "description": "**API Call Rate Insight** *(Required)*\n\nWill enable CloudTrail Insights and enable the API Call Rate Insight",
          "type": "boolean"
        },
        "apiErrorRateInsight": {
          "description": "**API Error Rate Insight** *(Required)*\n\nWill enable CloudTrail insights and enable the API Error Rate Insight",
          "type": "boolean"
        },
        "globalServiceEvents": {
          "description": "**Global Service Events** *(Required)*\n\nFor global services, events are delivered to any trail that includes global services and are logged in the us-east-1 region.",
          "type": "boolean"
        },
        "lambdaDataEvents": {
          "default": true,
          "description": "**Lambda Data Events** *(Required)*\n\nAdds a Lambda Data Event Selector for filtering events that match Lambda operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.\n\n**Considerations** By default, this feature is enabled and will incur additional costs if enabled for your CloudTrail.",
          "type": "boolean"
        },
        "managementEvents": {
          "description": "**Management Events** *(Required)*\n\nWhether or not to log management events, or control plane operations. Management events can also include non-API events that occur in your account, such as a user logging in to the account. Enabling sets ReadWriteType.ALL.",
          "type": "boolean"
        },
        "multiRegionTrail": {
          "description": "**Multi-Region Trail** *(Required)*\n\nDetermines whether or not this trail delivers log files from all regions to the account.",
          "type": "boolean"
        },
        "s3DataEvents": {
          "default": true,
          "description": "**S3 Data Events** *(Required)*\n\nAdds an S3 Data Event Selector for filtering events that match S3 operations. These events provide insight into the resource operations performed on or within a resource. These are also known as data plane operations.\n\n**Considerations** By default, this feature is enabled and will incur additional costs if enabled for your CloudTrail.",
          "type": "boolean"
        },
        "sendToCloudWatchLogs": {
          "description": "**Send to CloudWatch Logs** *(Required)*\n\nDetermines whether CloudTrail pushes logs to CloudWatch Logs in addition to S3.",
          "type": "boolean"
        }
      },
      "required": [
        "multiRegionTrail",
        "globalServiceEvents",
        "managementEvents",
        "s3DataEvents",
        "lambdaDataEvents",
        "sendToCloudWatchLogs",
        "apiErrorRateInsight",
        "apiCallRateInsight"
      ],
      "additionalProperties": false
    },
    "ICloudWatchDataProtectionConfig": {
      "type": "object",
      "description": "## CloudWatch Log Data Protection Configuration\n\nAllows the enablement of CloudWatch Logs data protection.\n\n### Example ```yaml  dataProtection:    managedDataIdentifiers:      categories:        - Credentials    deploymentTargets:      organizationalUnits:        - Root ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Optional)*\n\nEnables control over which accounts the configuration applies to. When left undefined, the configuration will be applied to all accounts and enabled regions."
        },
        "managedDataIdentifiers": {
          "$ref": "#/$defs/ICloudWatchManagedDataProtectionIdentifierConfig",
          "description": "**Managed Data Identifiers** *(Required)*\n\nProvides the selection of data identifiers to be protected. Currently only `Credentials` is supported."
        },
        "overrideExisting": {
          "default": false,
          "description": "**Override Existing** *(Optional)*\n\nIndicates whether any existing CloudWatch Log data protection configurations can be overwritten.",
          "type": "boolean"
        }
      },
      "required": [
        "managedDataIdentifiers"
      ],
      "additionalProperties": false
    },
    "ICloudWatchFirehoseConfig": {
      "type": "object",
      "description": "## CloudWatch Firehose Configuration\n\nConfiguration for the CloudWatch Logs Firehose.\n\n### Example ```yaml logging:  cloudwatchLogs:    firehose:      fileExtension: json.gz      lambdaProcessor:        retries: 3        bufferSize: 0.2        bufferInterval: 60 ```",
      "properties": {
        "fileExtension": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**File Extension** *(Optional)*\n\nDetermines what format Firehose will deliver the logs in. If left undefined, Firehose will deliver the logs with the MIME type application/octet-stream.\n\n**Example** ```yaml\n- fileExtension: 'json.gz' ```"
        },
        "lambdaProcessor": {
          "$ref": "#/$defs/ICloudWatchFirehoseLambdaProcessorConfig",
          "description": "**Lambda Processor** *(Optional)*\n\nConfigure the Lambda function that processes the incoming data from Firehose. Firehose invokes the function to transform the source data and deliver it to the configured dynamic partition."
        }
      },
      "additionalProperties": false
    },
    "ICloudWatchFirehoseLambdaProcessorConfig": {
      "type": "object",
      "description": "## CloudWatch Firehose Lambda Configuration\n\nEnables the configuration of the lambda processor used to process incoming logs to the LogArchive account.",
      "properties": {
        "bufferInterval": {
          "default": 60,
          "description": "**Buffer Interval** *(Optional)*\n\nThe period of time in seconds for which Amazon Data Firehose buffers incoming data before invoking the Lambda function. The Lambda function is invoked as soon as either the buffer size or the buffer interval is reached.\n\nValid values range from 60 - 900s.",
          "type": "number"
        },
        "bufferSize": {
          "default": 0.2,
          "description": "**Buffer Size** *(Optional)*\n\nThe AWS Lambda function has a 6 MB invocation payload quota. Your data can expand in size after it's processed. A smaller buffer size allows for more room should the data expand after processing.\n\nValid values range from 0.2 - 3 MB.",
          "type": "number"
        },
        "retries": {
          "default": 3,
          "description": "**Retries** *(Optional)*\n\nHow many times Firehose will retry the Lambda invocation.",
          "type": "number"
        }
      },
      "additionalProperties": false
    },
    "ICloudWatchKinesisConfig": {
      "type": "object",
      "description": "## CloudWatch Kinesis Configuration\n\nConfiguration for the Kinesis Data Stream that receives CloudWatch Logs.\n\n### Key Features\n\n- **Real-time Processing**: Stream CloudWatch Logs data in real-time for immediate analysis\n- **Scalable Throughput**: Configure capacity based on your data volume requirements\n- **Flexible Retention**: Store data for 24 hours to 365 days for replay and reprocessing\n- **Cost Optimization**: Choose between on-demand and provisioned capacity modes\n- **Integration Ready**: Seamlessly integrates with AWS analytics and processing services\n\n### Example ```yaml  logging:    cloudwatchLogs:      kinesis:        streamingMode: PROVISIONED        shardCount: 5        retention: 240 ```",
      "properties": {
        "retention": {
          "default": 24,
          "description": "**Retention** *(Optional)*\n\nThe number of hours the data records are stored in shards and remain accessible.\n\nValid values range from 24 to 8760 hours.",
          "type": "number"
        },
        "shardCount": {
          "default": 1,
          "description": "**Shard Count** *(Optional)*\n\nThe number of shards the stream uses. For greater throughput, increase the number of shards. Only applicable if  {@link  ICloudWatchKinesisConfig.streamingMode }  is 'Provisioned', otherwise this is ignored. The shard count cannot be increased to more than double its current value in a single update. For example, you cannot go from 1 shard to 4.",
          "type": "number"
        },
        "streamingMode": {
          "$ref": "#/$defs/StreamMode",
          "default": "PROVISIONED",
          "description": "**Streaming Mode** *(Required)*\n\nSpecifies the capacity mode for the Kinesis Data Stream. Currently, you can choose between on-demand or provisioned capacity. The service might limit how many times you can toggle between the two modes as mentioned on [this page](https://docs.aws.amazon.com/streams/latest/dev/how-do-i-size-a-stream.html#switchingmodes)"
        }
      },
      "required": [
        "streamingMode"
      ],
      "additionalProperties": false
    },
    "ICloudWatchLogSkipBulkUpdateConfig": {
      "type": "object",
      "description": "## Skip Bulk Update Configuration\n\nConfiguration to skip the bulk update of CloudWatch Logs.\n**Warning**: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable this option if you fully understand the implications.",
      "properties": {
        "enable": {
          "description": "**Enable** *(Required)*\n\nWhether or not to skip the bulk update of CloudWatch log groups for the listed targets.",
          "type": "boolean"
        },
        "skipBulkUpdateTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Skip Bulk Update Targets** *(Required)*\n\nDeployment targets whose log groups are skipped during the bulk update."
        }
      },
      "required": [
        "enable"
      ],
      "additionalProperties": false
    },
    "ICloudWatchLogsConfig": {
      "type": "object",
      "description": "## CloudWatch Logs Configuration\n\n### Key Features\n- Configure logs encryption\n- Manage Subscriptions for CloudWatch Logs\n- Enable CloudWatch Logs replication\n\n### Example ```yaml cloudwatchLogs:   dynamicPartitioning: path/to/filter.json   # default is true, if undefined this is set to true   # if set to false, no replication is performed which is useful in test or temporary environments   enable: true   encryption:     useCMK: true     deploymentTargets:       organizationalUnits:         - Root   replaceLogDestinationArn: arn:aws:logs:us-east-1:111111111111:destination:ReplaceDestination   exclusions:    # in these OUs do not do log replication    - organizationalUnits:        - Research        - ProofOfConcept      excludeAll: true    # in these accounts exclude pattern testApp    - accounts:        - WorkloadAccount1        - WorkloadAccount1      logGroupNames:        - testApp*    # in these accounts exclude logs in specific regions    - accounts:        - WorkloadAccount1        - WorkloadAccount1      regions:        - us-west-2        - eu-west-1      logGroupNames:        - pattern1*   dataProtection:     managedDataIdentifiers:       categories:         - Credentials     deploymentTargets:       organizationalUnits:         - Root ```",
      "properties": {
        "dataProtection": {
          "$ref": "#/$defs/ICloudWatchDataProtectionConfig",
          "description": "**Data Protection** *(Optional)*\n\nConfiguration for CloudWatch Logs data protection"
        },
        "dynamicPartitioning": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Dynamic Partitioning for Kinesis Firehose** *(Optional)*\n\nConfigure the prefixes log groups are archived under. The input should be the path to a JSON file containing an array of the log filters.\n\n**Example JSON format** Each item should be of the format: ``` { \"logGroupPattern\": string, \"s3Prefix\": string } ```\n\nThe following example will stream any log group with the name \"LogGroupName\" to `s3://<central-logs-bucket>/CloudWatchLogs/s3-prefix/`. ``` { \"logGroupPattern\": \"LogGroupName\", \"s3Prefix\": \"s3-prefix\" } ```\n\nYou may use `*` for grouping log groups to the same prefix. In the following example, all log groups with a name starting with \"Application\" will be streamed to `s3://<central-logs-bucket>/CloudWatchLogs/app/`. ``` [{ \"logGroupPattern\": \"Application*\", \"s3Prefix\": \"app\" }] ```\n\n**Overlapping Patterns**\n\nPlease ensure that patterns do not overlap. Logs are streamed only to one destination, so logs will not be replicated in the event that the log group name matches multiple patterns."
        },
        "dynamicPartitioningByAccountId": {
          "description": "**Dynamic Partitioning by Account ID** *(Optional)*\n\nWhether or not the ID of the account that produced the CloudWatch Logs should be used in the partitioning strategy of the logs. For example: `s3://<central-logs-bucket>/CloudWatchLogs/<account id>/`.\n\n**Use With Dynamic Partitioning** If dynamicPartitioning is also being used, the Account ID will come before the supplied s3 prefix. For example the following would result in `s3://<central-logs-bucket>/CloudWatchLogs/<account id>/s3-prefix/` being used as the partition.\n\n``` { \"logGroupPattern\": \"LogGroupName\", \"s3Prefix\": \"s3-prefix\" } ```",
          "type": "boolean"
        },
        "enable": {
          "default": true,
          "description": "**Enable Replication** *(Optional)*\n\nWhether or not to enable CloudWatch Logs replication.",
          "type": "boolean"
        },
        "encryption": {
          "$ref": "#/$defs/IServiceEncryptionConfig",
          "description": "**Encryption** *(Optional)*\n\nConfigure encryption for the CloudWatch Logs. If left undefined, an AWS KMS CMK will be used to encrypt the logs."
        },
        "exclusions": {
          "description": "**Exclusions** *(Optional)*\n\nConfigure log groups to exclude from replication.",
          "items": {
            "$ref": "#/$defs/ICloudWatchLogsExclusionConfig"
          },
          "type": "array"
        },
        "firehose": {
          "$ref": "#/$defs/ICloudWatchFirehoseConfig",
          "description": "**Firehose** *(Optional)*\n\nConfiguration for the CloudWatch logs Firehose."
        },
        "kinesis": {
          "$ref": "#/$defs/ICloudWatchKinesisConfig",
          "description": "**Kinesis** *(Optional)*\n\nConfiguration for the CloudWatch logs Kinesis."
        },
        "organizationIdConditionSupported": {
          "description": "**Organization ID Condition** *(Optional)*\n\nWhether or not a list of account IDs is used instead of a principal organization condition in the CloudWatch Logs destination access policy. Useful in partitions where the principal organization condition is not supported.",
          "type": "boolean"
        },
        "replaceLogDestinationArn": {
          "$ref": "#/$defs/NonEmptyString",
          "default": "undefined",
          "description": "**Replace Log Destination** *(Optional)*\n\nThe ARN of the current log subscription filter destination. LZA needs to disassociate this destination before configuring the LZA defined subscription filter destination.\n\n**Notes**\n- When no value is provided, the solution will not attempt to remove the existing subscription filter destination\n- When existing log group(s) have two subscription filter destinations defined, and none are LZA configured, the solution will fail to configure log replication and the pipeline will fail"
        },
        "skipBulkUpdate": {
          "$ref": "#/$defs/ICloudWatchLogSkipBulkUpdateConfig",
          "description": "**Skip Bulk Update** *(Optional)*\n\nWhether or not the LZA pipeline should skip the bulk update of CloudWatch log groups.\n\n**Warning**: This configuration option could cause CloudWatch log group configurations to become out of sync with the global configuration. Only enable if you fully understand the implications."
        },
        "subscription": {
          "$ref": "#/$defs/ICloudWatchSubscriptionConfig",
          "description": "**Subscription** *(Optional)*\n\nConfiguration for the CloudWatch logs subscription."
        }
      },
      "additionalProperties": false
    },
    "ICloudWatchLogsExclusionConfig": {
      "type": "object",
      "description": "## CloudWatch Logs Exclusions Config\n\nUsed to define which CloudWatch Logs Groups should be excluded. Select groups based on accounts, regions, OUs, and log group names.\n\n### Example ```yaml organizationalUnits:  - Sandbox regions:  - us-west-1  - us-west-2 accounts:  - WorkloadAccount1 excludeAll: true logGroupNames:  - 'test/*'  - '/appA/*'\n\n```",
      "properties": {
        "accounts": {
          "description": "**Accounts** *(Optional)*\n\nList of accounts where the exclusions will apply.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "excludeAll": {
          "default": false,
          "description": "**Exclude All** *(Optional)*\n\nWhether or not to exclude all logs.\n\nWhen true, all replication for the listed accounts/OUs will be disabled. Setting the OU to `Root` with no region specified while this is true will fail validation, as this would be redundant. Instead use  {@link  ICloudWatchLogsConfig.enable }  to disable replication for the entire environment.",
          "type": "boolean"
        },
        "logGroupNames": {
          "description": "**Log Group Names** *(Optional)*\n\nList of log group names to be excluded\n\nWild cards are supported. If  {@link  ICloudWatchLogsExclusionConfig.excludeAll }  is enabled, then this parameter is ignored.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "organizationalUnits": {
          "description": "**Organizational Units** *(Optional)*\n\nList of OUs to exclude.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "regions": {
          "description": "**Regions** *(Optional)*\n\nList of regions to exclude. If left undefined, exclusions will apply to all enabled regions.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "ICloudWatchManagedDataProtectionIdentifierConfig": {
      "type": "object",
      "description": "## Managed Data Protection Identifier Configuration\n\nAllows the protection of CloudWatch Log Data. Currently, only Credentials category is supported.",
      "properties": {
        "categories": {
          "default": "Credentials",
          "description": "**Categories** *(Required)*\n\nList of categories to protect.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "categories"
      ],
      "additionalProperties": false
    },
    "ICloudWatchSubscriptionConfig": {
      "type": "object",
      "description": "## CloudWatch Subscription Configuration\n\nConfiguration for the CloudWatch logs subscription\n\n### Example ```yaml  logging:    cloudwatchLogs:      subscription:        type: ACCOUNT        selectionCriteria: 'LogGroupName NOT IN [ /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor development AppA]'        overrideExisting: true ```",
      "properties": {
        "filterPattern": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Filter Pattern** *(Optional)*\n\nThe specific filter pattern to apply to the subscription. If no value is provided all logs events will match filter criteria. Only applicable when  {@link  ICloudWatchSubscriptionConfig.type }  is 'LOG_GROUP'"
        },
        "overrideExisting": {
          "default": false,
          "description": "**Override Existing** *(Optional)*\n\nIndicates whether the existing CloudWatch Log subscription configuration can be overwritten. If enabled, any existing policy will be updated and renamed to 'ACCELERATOR_ACCOUNT_SUBSCRIPTION_POLICY'. Upon deleting the solution or disabling logging for cloudwatch in global config, this policy will be removed. If type is set to 'LOG_GROUP' this parameter will not be used.",
          "type": "boolean"
        },
        "selectionCriteria": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Selection Criteria** *(Optional)*\n\nSelection criteria for the account-wide subscription. Only used when  {@link  ICloudWatchSubscriptionConfig.type }  is 'ACCOUNT'. This should be used to  {@link  <https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html> Prevent log recursion } .\n\nIn the following example, log groups with the names /aws/lambda/AWSAccelerator-FirehoseRecordsProcessor, development, or AppA will not have a subscription filter.\n\n**Example** ```yaml selectionCriteria: 'LogGroupName NOT IN [\"/aws/lambda/AWSAccelerator-FirehoseRecordsProcessor\", \"development\", \"AppA\"]' ```"
        },
        "type": {
          "description": "**Type** *(Required)*\n\nDetermines whether an account-wide subscription is applied, or if a Lambda function will be invoked to apply each log group.\n\n**Example** ``` type: ACCOUNT ```",
          "enum": [
            "ACCOUNT",
            "LOG_GROUP"
          ],
          "type": "string"
        }
      },
      "required": [
        "type"
      ],
      "additionalProperties": false
    },
    "IControlTowerConfig": {
      "type": "object",
      "description": "## AWS Control Tower Configuration\n\nAWS Control Tower provides a prescriptive way to set up and govern a secure, multi-account AWS environment based on best practices. This configuration enables and manages Control Tower Landing Zone deployment alongside the Landing Zone Accelerator.\n\n### Key Features\n\n- **Landing Zone Management**: Configure and manage Control Tower Landing Zone settings\n- **Guardrail Controls**: Enable additional strongly recommended and elective controls\n- **Identity Center Integration**: Seamless integration with AWS IAM Identity Center\n- **Logging Configuration**: Centralized logging with configurable retention policies\n\n### Configuration Structure\n\n```yaml # global-config.yaml controlTower:   enable: true   landingZone:     version: '3.3'     logging:       loggingBucketRetentionDays: 365       accessLoggingBucketRetentionDays: 365       organizationTrail: true     security:       enableIdentityCenterAccess: true   controls:     - identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK       enable: true       deploymentTargets:         organizationalUnits:           - SecureWorkloads     - identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK       enable: true       deploymentTargets:         organizationalUnits:           - Workloads ```\n\n### Best Practices\n\n1. **Version Management**: Always specify the latest available Landing Zone version\n2. **Control Deployment**: Enable controls in batches of 10 or fewer to avoid throttling\n3. **Organizational Units**: Align control deployment with your OU structure\n4. **Logging Retention**: Set appropriate retention periods based on compliance requirements\n5. **Identity Center**: Enable Identity Center access for centralized user management\n\n### Important Considerations\n\n- Control Tower requires the three mandatory accounts: Management, Audit, and Log Archive\n- Some controls cannot be deployed to the Security OU\n- Control Tower operations are limited to 10 concurrent operations\n- Landing Zone updates require the latest available version",
      "properties": {
        "controls": {
          "description": "**Control Tower Guardrails** *(Optional)*\n\nConfiguration for additional Control Tower guardrails (controls) beyond the mandatory ones. Allows enablement of strongly recommended and elective controls across organizational units.\n\n**Control Types**\n\n- **Mandatory**: Automatically enabled by Control Tower (cannot be disabled)\n- **Strongly Recommended**: Best practice controls that should be enabled\n- **Elective**: Additional controls for specific compliance requirements\n\n**Deployment Considerations**\n\n- **Concurrency Limit**: Maximum 10 concurrent control operations\n- **Batch Processing**: Deploy controls in batches to avoid throttling\n- **OU Restrictions**: Some controls cannot be deployed to Security OU\n- **Regional Scope**: Controls can be region-specific or global\n\n**Usage Examples**\n\n```yaml\ncontrols:\n  # Strongly recommended control\n  - identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK\n    enable: true\n    deploymentTargets:\n      organizationalUnits:\n        - Workloads\n        - Sandbox\n\n  # Elective control with regional scope\n  - identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK\n    enable: true\n    regions:\n      - us-east-1\n      - us-west-2\n    deploymentTargets:\n      organizationalUnits:\n        - Production\n\n  # Global control using opaque identifier\n  - identifier: m7a5gbdf08wg2o0en010mkng\n    enable: true\n    deploymentTargets:\n      organizationalUnits:\n        - Infrastructure\n```\n\n**Best Practices**\n\n- Enable controls gradually in batches of 10 or fewer\n- Test controls in non-production OUs first\n- Review control documentation for OU compatibility\n- Monitor control status and compliance in Control Tower console",
          "items": {
            "$ref": "#/$defs/IControlTowerControlConfig"
          },
          "type": "array"
        },
        "enable": {
          "description": "**Enable Control Tower** *(Required)*\n\nControls whether AWS Control Tower Landing Zone is enabled for the deployment. When enabled, the accelerator ensures the account configuration includes the three mandatory Control Tower accounts.\n\n**Required Accounts**\n\nWhen Control Tower is enabled, these accounts must be defined in accounts-config.yaml:\n- **Management Account**: Primary account for organizational management and billing\n- **Log Archive Account**: Centralized logging and log retention\n- **Audit Account**: Security auditing and compliance monitoring\n\n**Prerequisites**\n\n- AWS Organizations must be enabled in the management account\n- All features must be enabled in AWS Organizations\n- The management account must have appropriate permissions\n- Required service-linked roles must be created\n\n```yaml\n# Enable Control Tower integration\nenable: true\n\n# Disable Control Tower (standalone LZA deployment)\nenable: false\n```",
          "type": "boolean"
        },
        "landingZone": {
          "$ref": "#/$defs/IControlTowerLandingZoneConfig",
          "description": "**Control Tower Landing Zone Configuration** *(Optional)*\n\nAdvanced configuration options for the Control Tower Landing Zone, including version management, logging settings, and security configurations.\n\n**Key Configuration Areas**\n\n- **Version Management**: Specify Landing Zone version for updates and resets\n- **Logging Configuration**: Control log retention and CloudTrail settings\n- **Security Settings**: Configure Identity Center access and authentication\n\n**Usage Example**\n\n```yaml\nlandingZone:\n  version: '3.3'  # Must be latest available version\n  logging:\n    loggingBucketRetentionDays: 365      # 1 year retention\n    accessLoggingBucketRetentionDays: 90  # 90 day access logs\n    organizationTrail: true               # Enable org-wide CloudTrail\n  security:\n    enableIdentityCenterAccess: true      # Enable centralized access\n```\n\n**Update Considerations**\n\n- Landing Zone updates require the latest version number\n- Configuration changes trigger Landing Zone reset/update\n- Updates may take 60-90 minutes to complete\n- Existing resources and configurations are preserved"
        }
      },
      "required": [
        "enable"
      ],
      "additionalProperties": false
    },
    "IControlTowerControlConfig": {
      "type": "object",
      "description": "## Control Tower Guardrail Configuration\n\nIndividual Control Tower guardrail (control) configuration for enabling additional security and compliance controls beyond the mandatory ones automatically enabled by Control Tower.\n\n### Overview\n\nControl Tower guardrails provide governance controls that help ensure your AWS environment remains compliant with security and operational best practices. This configuration allows you to enable additional controls across your organizational structure.\n\n### Deployment Constraints\n\n- **Concurrency Limit**: Maximum 10 concurrent control operations per region\n- **OU Restrictions**: Some controls cannot be deployed to the Security OU\n- **Regional Scope**: Controls can be global or region-specific\n- **Batch Processing**: Deploy in small batches to avoid throttling\n\n### Usage Examples\n\n```yaml\n- identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK\n  enable: true\n  deploymentTargets:\n    organizationalUnits:\n      - Workloads\n      - Production\n\n- identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK\n  enable: true\n  regions:\n    - us-east-1\n    - us-west-2\n  deploymentTargets:\n    organizationalUnits:\n      - Infrastructure\n\n- identifier: m7a5gbdf08wg2o0en010mkng\n  enable: true\n  deploymentTargets:\n    organizationalUnits:\n      - Root\n```\n\n### Important Considerations\n\n- LZA only supports strongly recommended and elective controls\n- Control Tower operations count against the 10 concurrent operation limit\n- Enabling a control for one OU counts as one Control Tower operation\n- Control deployment is asynchronous and may take several minutes\n- Some controls have dependencies on other AWS services",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nSpecifies the organizational units where this control should be applied. Controls can only be deployed to OUs, not individual accounts.\n\n### Organizational Unit Targeting\n\nControls are applied at the OU level and automatically affect:\n- All current accounts in the target OU\n- All future accounts added to the target OU\n- Child OUs and their accounts (inheritance)\n\n### Usage Examples\n\n```yaml\ndeploymentTargets:\n  organizationalUnits:\n    - Production\n    - Staging\n    - Development\n\n# Root OU deployment (affects all accounts)\ndeploymentTargets:\n  organizationalUnits:\n    - Root\n```\n\n### OU Restrictions\n\n**Security OU Limitations:**\n- Some controls cannot be deployed to the Security OU\n- Check AWS documentation for specific control compatibility\n- Alternative controls may be available for Security OU\n\n### Validation Requirements\n\n- OU names must exactly match those defined in organization-config.yaml\n- OUs must exist before control deployment\n- Invalid OU names will cause deployment failures"
        },
        "enable": {
          "description": "**Enable Control** *(Required)*\n\nControls whether this guardrail should be enabled or disabled for the specified organizational units.\n\n### Control States\n\n**Enabled (`true`):**\n- Control is active and enforcing its policy\n- Resources are monitored for compliance\n- Non-compliant resources are flagged or remediated\n- Control appears as \"Enabled\" in Control Tower console\n\n**Disabled (`false`):**\n- Control is inactive and not enforcing policy\n- No compliance monitoring occurs\n- Existing violations are not flagged\n- Control appears as \"Disabled\" in Control Tower console\n\n### Usage Examples\n\n```yaml\n# Enable a security control\n- identifier: AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK\n  enable: true    # Control will be enabled\n  deploymentTargets:\n    organizationalUnits:\n      - Production\n\n# Disable a control (useful for temporary exceptions)\n- identifier: AWS-GR_EC2_INSTANCE_IMDSv2_CHECK\n  enable: false   # Control will be disabled\n  deploymentTargets:\n    organizationalUnits:\n      - Development\n```",
          "type": "boolean"
        },
        "identifier": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Control Identifier** *(Required)*\n\nUnique identifier for the Control Tower guardrail to be enabled. The identifier format depends on the control type and determines how the control is referenced.\n\n### Identifier Formats\n\n**Standard Controls (AWS-GR_*):**\n- Format: `AWS-GR_<CONTROL_NAME>`\n- Used for strongly recommended and elective controls\n- Human-readable and descriptive of the control's purpose\n\n**Global Controls (Opaque IDs):**\n- Format: Alphanumeric string (e.g., `m7a5gbdf08wg2o0en010mkng`)\n- Used for global controls that span multiple services\n- Requires reference to AWS documentation for mapping"
        },
        "regions": {
          "default": "Home region only",
          "description": "**Regional Scope** *(Optional)*\n\nSpecifies the AWS regions where this control should be enabled. If not specified, the control is enabled in the home region only.\n\n### Regional Deployment\n\n**Global Controls:**\n- Some controls are inherently global (e.g., IAM-related controls)\n- Regional specification is ignored for global controls\n- Applied once per account regardless of region list\n\n**Regional Controls:**\n- Most controls are region-specific (e.g., EC2, VPC controls)\n- Must be explicitly enabled in each target region\n- Each region deployment counts as a separate operation\n\n### Usage Examples\n\n```yaml\nregions:\n  - us-east-1\n  - us-west-2\n  - eu-west-1\n```\n\n### Important Considerations\n\n- Each region deployment counts toward the 10 concurrent operation limit\n- Regions must be listed in the `enabledRegions` section of global-config.yaml\n- Invalid regions will cause deployment failures",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "identifier",
        "enable",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "IControlTowerLandingZoneConfig": {
      "type": "object",
      "description": "## Control Tower Landing Zone Configuration\n\nConfigure the Control Tower Landing Zone's settings.\n\n**Key Features**\n- Specify the Landing Zone Version\n- Customize log retention to meet regulatory compliance\n- Manage Identity Center Access for Control Tower Landing Zone\n\n### Example\n\n```yaml\nlandingZone:\n  version: '3.3'\n  logging:\n    loggingBucketRetentionDays: 365\n    accessLoggingBucketRetentionDays: 365\n    organizationTrail: true\n  security:\n    enableIdentityCenterAccess: true\n```",
      "properties": {
        "accountAutoEnrollment": {
          "default": false,
          "description": "**Account Auto-Enrollment** *(Optional)*\n\nEnables automatic enrollment of accounts when moved between organizational units (OUs). When enabled, accounts moved into or between registered OUs automatically receive baseline resources and control configurations from the destination OU without creating inheritance drift.",
          "type": "boolean"
        },
        "logging": {
          "$ref": "#/$defs/IControlTowerLandingZoneLoggingConfig",
          "description": "**Logging Configuration** *(Required)*\n\n- **Retention Policies**: Configure log retention periods for compliance\n- **Organization Trail**: Enable organization-wide CloudTrail logging\n- **Access Logging**: Configure access log retention for audit trails"
        },
        "security": {
          "$ref": "#/$defs/IControlTowerLandingZoneSecurityConfig",
          "description": "**Security Configuration** *(Required)*\n\nManage Identity Center Access for Control Tower Landing Zone."
        },
        "version": {
          "description": "**Landing Zone Version** *(Required)*\n\n**Considerations**\n\n- The most recent version is required for landing zone updates or resets\n- Updates or resets occur when drift is detected or when any configuration change is made\n- If the solution needs to perform an update or reset and the version is not the most recent, the solution will fail",
          "type": "string"
        }
      },
      "required": [
        "version",
        "logging",
        "security"
      ],
      "additionalProperties": false
    },
    "IControlTowerLandingZoneLoggingConfig": {
      "type": "object",
      "description": "## AWS Control Tower Landing Zone Logging Configuration\n\nLogging configuration for the landing zone.\n\n### Key Features\n\n- **Log Retention**: Configure log retention time\n- **Organization-Level CloudTrail**: Enable/Disable organization-level CloudTrail\n\n### Usage Example\n\n```yaml\nlogging:\n  loggingBucketRetentionDays: 365\n  accessLoggingBucketRetentionDays: 365\n  organizationTrail: true\n```",
      "properties": {
        "accessLoggingBucketRetentionDays": {
          "default": 365,
          "description": "**Access Logs Retention Time** *(Required)*\n\nRetention time, in days, of the bucket access logs.",
          "type": "number"
        },
        "loggingBucketRetentionDays": {
          "default": 365,
          "description": "**Bucket Retention Configuration** *(Required)*\n\nRetention time, in days, of the Amazon S3 log archive bucket.",
          "type": "number"
        },
        "organizationTrail": {
          "default": true,
          "description": "**Organization-Level CloudTrail** *(Required)*\n\nWhether or not to enable organization-level CloudTrail.\n\n**Important Considerations**\n\n- Organization-level CloudTrail is different from the CloudTrail deployed by the solution\n- If both organization-level CloudTrail and the solution-defined CloudTrail are enabled, multiple trails will be created",
          "type": "boolean"
        }
      },
      "required": [
        "loggingBucketRetentionDays",
        "accessLoggingBucketRetentionDays",
        "organizationTrail"
      ],
      "additionalProperties": false
    },
    "IControlTowerLandingZoneSecurityConfig": {
      "type": "object",
      "description": "## Control Tower Landing Zone Security Configuration\n\nConfigure security settings and access controls for the AWS Control Tower Landing Zone deployment. This configuration manages identity and access management integration with AWS services.\n\n### Important Considerations\n\n- Identity Center access affects how users authenticate to AWS accounts in the organization\n- When enabled, Control Tower automatically configures permission sets and account assignments\n- Disabling may impact existing user access patterns and require manual IAM configuration\n- Changes to this configuration may trigger a Control Tower Landing Zone update\n\n### Usage Example\n\n```yaml\nsecurity:\n  enableIdentityCenterAccess: true\n```",
      "properties": {
        "enableIdentityCenterAccess": {
          "default": false,
          "description": "**Identity Center Access** *(Required)*\n\nWhen enabled, AWS Control Tower sets up AWS account access with IAM Identity Center.",
          "type": "boolean"
        }
      },
      "required": [
        "enableIdentityCenterAccess"
      ],
      "additionalProperties": false
    },
    "ICostAndUsageReportConfig": {
      "type": "object",
      "description": "## Cost and Usage Report Configuration\n\nConfiguration for AWS Cost and Usage Reports (CUR) that provides comprehensive cost and usage data for your AWS account. These reports are delivered to an S3 bucket and can be used for detailed cost analysis and billing insights.\n\n### Key Features\n\n- **Flexible Reporting**: Configure time granularity from hourly to monthly\n- **Multiple Formats**: Support for CSV, text, and Parquet formats with various compression options\n- **Data Integration**: Generate manifests for integration with Amazon Redshift, QuickSight, and Athena\n- **Lifecycle Management**: Configure S3 lifecycle rules for cost optimization\n- **Version Control**: Choose between creating new reports or overwriting existing ones\n\n### Usage Example\n\n```yaml\ncostAndUsageReport:\n  compression: Parquet\n  format: Parquet\n  reportName: accelerator-cur\n  s3Prefix: cur\n  timeUnit: DAILY\n  refreshClosedReports: true\n  reportVersioning: CREATE_NEW_REPORT\n  lifecycleRules:\n    - enabled: true\n      id: CostAndUsageBucketLifecycleRule-01\n      abortIncompleteMultipartUpload: 14\n      expiration: 3563\n      expiredObjectDeleteMarker: false\n      noncurrentVersionExpiration: 3653\n      noncurrentVersionTransitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      transitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      prefix: PREFIX\n```",
      "properties": {
        "additionalArtifacts": {
          "description": "**Additional Artifacts** *(Optional)*\n\nA list of manifests that AWS creates for this report to enable integration with other AWS analytics services.\n\n**Available Artifacts**\n- `REDSHIFT`: Creates manifest files for Amazon Redshift integration\n- `QUICKSIGHT`: Creates manifest files for Amazon QuickSight integration\n- `ATHENA`: Creates manifest files for Amazon Athena integration\n\n**Example**\n\n```yaml\nadditionalArtifacts:\n  - ATHENA\n  - QUICKSIGHT\n```",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "additionalSchemaElements": {
          "description": "**Additional Schema Elements** *(Optional)*\n\nAdditional content that AWS includes in the report, such as individual resource IDs. These elements provide more granular data for detailed cost analysis.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "compression": {
          "description": "**Compression Format** *(Required)*\n\nThe compression format that AWS uses for the report files.\n\n**Example**\n\n```yaml\ncompression: Parquet\n```",
          "type": "string"
        },
        "format": {
          "description": "**Report Format** *(Required)*\n\nThe format that AWS saves the report in.\n\n**Example**\n\n```yaml\nformat: Parquet\n```",
          "type": "string"
        },
        "lifecycleRules": {
          "description": "**S3 Lifecycle Rules** *(Optional)*\n\nConfiguration for S3 bucket lifecycle rules to manage the cost and storage of your Cost and Usage Reports over time.\n\n**Key Benefits**\n- Automatically transition older reports to cheaper storage classes\n- Set expiration policies to delete old reports\n- Optimize storage costs for long-term report retention\n\n**Example**\n\n```yaml\nlifecycleRules:\n  - enabled: true\n    id: CostAndUsageBucketLifecycleRule-01\n    expiration: 2555  # 7 years\n    transitions:\n      - storageClass: STANDARD_IA\n        transitionAfter: 30\n      - storageClass: GLACIER\n        transitionAfter: 365\n      - storageClass: DEEP_ARCHIVE\n        transitionAfter: 1095  # 3 years\n```",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "refreshClosedReports": {
          "description": "**Refresh Closed Reports** *(Required)*\n\nWhether AWS should update your reports after they have been finalized if AWS detects charges related to previous months. These charges can include refunds, credits, or support fees.\n\n**When to Enable**\n- Enable if you need the most accurate historical data\n- Enable if you frequently receive refunds or credits\n- Enable for compliance and auditing requirements\n\n**When to Disable**\n- Disable if you prefer immutable historical reports\n- Disable to reduce processing overhead\n\n**Example**\n\n```yaml\nrefreshClosedReports: true\n```",
          "type": "boolean"
        },
        "reportName": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Report Name** *(Required)*\n\nThe name of the report that you want to create.\n\n**Naming Requirements**\n- Must be unique within the AWS account\n- Case sensitive\n- Cannot contain spaces\n\n**Example**\n\n```yaml\nreportName: accelerator-cur\n```"
        },
        "reportVersioning": {
          "description": "**Report Versioning** *(Required)*\n\nWhether AWS should overwrite the previous version of each report or deliver the report in addition to the previous versions.\n\n**Available Options**\n- `CREATE_NEW_REPORT`: Creates a new report file for each delivery (recommended)\n- `OVERWRITE_REPORT`: Overwrites the previous report file\n\n**Considerations**\n- `CREATE_NEW_REPORT` provides better audit trail and version history\n- `OVERWRITE_REPORT` uses less storage but loses historical versions\n\n**Example**\n\n```yaml\nreportVersioning: CREATE_NEW_REPORT\n```",
          "type": "string"
        },
        "s3Prefix": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**S3 Prefix** *(Required)*\n\nThe prefix that AWS adds to the report name when delivering the report to S3. This helps organize reports within the S3 bucket structure.\n\n**Notes**\n- Cannot include spaces\n- Used to organize reports in S3 bucket\n- Helps with lifecycle management and access control\n\n**Example**\n\n```yaml\ns3Prefix: cur\n```"
        },
        "timeUnit": {
          "description": "**Time Unit** *(Required)*\n\nThe granularity of the line items in the report. This determines how frequently the report data is aggregated.\n\n**Available Options**\n- `HOURLY`: Hourly granularity (most detailed, higher costs)\n- `DAILY`: Daily granularity (recommended for most use cases)\n- `MONTHLY`: Monthly granularity (least detailed, lower costs)\n\n**Cost Considerations**\n- Hourly reports are more expensive but provide the most detail\n- Daily reports offer a good balance of detail and cost\n- Monthly reports are the most cost-effective but least granular\n\n**Example**\n\n```yaml\ntimeUnit: DAILY\n```",
          "type": "string"
        }
      },
      "required": [
        "compression",
        "format",
        "reportName",
        "s3Prefix",
        "timeUnit",
        "refreshClosedReports",
        "reportVersioning"
      ],
      "additionalProperties": false
    },
    "ICustomS3ResourceAndKmsPolicyOverridesConfig": {
      "type": "object",
      "description": "## Custom S3 Resource and KMS Policy Overrides Configuration\n\nConfiguration for providing custom policy files that override both S3 bucket resource policies and KMS key policies. Use this interface when you need specific policy statements for both the bucket and its encryption key that differ from the standard accelerator-generated policies.\n\n### Key Features\n\n- **Dual Policy Management**: Override both S3 and KMS policies simultaneously\n- **Policy File Integration**: Load policies from external JSON files\n- **Complete Override**: Replaces accelerator-generated policies entirely\n- **Coordinated Access**: Ensure consistent permissions across bucket and key\n\n### Usage Example\n\n```yaml\ncustomPolicyOverrides:\n  s3Policy: policies/custom-bucket-policy.json\n  kmsPolicy: policies/custom-key-policy.json\n```",
      "properties": {
        "kmsPolicy": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**KMS Key Policy File** *(Optional)*\n\nPath to a JSON file containing custom KMS key policy statements for the bucket's encryption key. When provided, the accelerator will use this policy instead of generating its own key policy."
        },
        "s3Policy": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**S3 Resource Policy File** *(Optional)*\n\nPath to a JSON file containing custom S3 bucket resource policy statements. When provided, the accelerator will use this policy instead of generating its own bucket resource policy."
        }
      },
      "additionalProperties": false
    },
    "ICustomS3ResourcePolicyOverridesConfig": {
      "type": "object",
      "description": "## Custom S3 Resource Policy Overrides Configuration\n\nConfiguration for providing custom S3 bucket resource policy files that override the default accelerator-generated policies. Use this interface when you need specific bucket policy statements that differ from the standard accelerator policies.\n\n### Usage Example\n\n```yaml\ncustomPolicyOverrides:\n  policy: path/to/custom-bucket-policy.json\n```",
      "properties": {
        "policy": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**S3 Resource Policy File** *(Optional)*\n\nPath to a JSON file containing custom S3 bucket resource policy statements. When provided, the accelerator will use this policy instead of generating its own bucket resource policy.\n\n### Behavior\n\n- **Complete Replacement**: Overrides all accelerator-generated policies\n- **No Merging**: Does not combine with default accelerator policies\n- **Full Control**: Provides complete control over bucket access permissions\n- **Responsibility**: You are responsible for all required service access\n\n### Example\n\n```yaml\npolicy: compliance/restricted-access-policy.json\n```"
        }
      },
      "additionalProperties": false
    },
    "IDefaultEventBusConfig": {
      "type": "object",
      "description": "## Default Event Bus Configuration\n\nDefine policies for the default event bus.\n\n### Example\n\n```yaml\ndefaultEventBus:\n  policy: path-to-my-policy\n```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nDetermine which accounts the configuration applies to. LZA will deploy the LZA-managed or custom policy provided in the {@link IDefaultEventBusConfig.policy} property to the default Event Bus resource-based policy for the respective account(s)."
        },
        "policy": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Policy** *(Required)*\n\nJSON file path containing a resource-based policy definition. The file must be present in the config repository."
        }
      },
      "required": [
        "policy",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "IDeploymentTargets": {
      "type": "object",
      "description": "## Deployment Targets Interface\n\nDefines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.\n\n### Key Features\n\n- **Account-level targeting**: Deploy to specific AWS accounts\n- **OU-level targeting**: Deploy to all accounts within organizational units\n- **Regional exclusions**: Skip specific AWS regions for compliance or cost optimization\n- **Account exclusions**: Exclude specific accounts from broader deployments\n\n### Example\n\n```yaml\ndeploymentTargets:\n  organizationalUnits:\n    - Production\n    - Development\n  excludedAccounts:\n    - Management\n  excludedRegions:\n    - us-west-1\n```",
      "properties": {
        "accounts": {
          "description": "**Target Accounts** *(Optional)*\n\nList of specific account names where resources should be deployed. Use for precise account-level targeting.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludedAccounts": {
          "description": "**Excluded Accounts** *(Optional)*\n\nList of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludedRegions": {
          "description": "**Excluded Regions** *(Optional)*\n\nList of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "organizationalUnits": {
          "description": "**Organizational Units** *(Optional)*\n\nList of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IElbLogBucketConfig": {
      "type": "object",
      "description": "## ELB Log Bucket Configuration\n\nConfiguration for the ELB log bucket used to store Elastic Load Balancer access logs.\n\n### Key Features\n- **Resource Policies**: Attach resource policies to the bucket\n- **Lifecycle Management**: Configure lifecycle rules for log retention and cost optimization\n- **Imported Bucket**: Import existing bucket and apply resource policies\n- **Regional Deployment**: Deploy buckets in each operating region\n\n### Example\n\n```yaml\nelbLogBucket:\n  lifecycleRules:\n    - enabled: true\n      id: ElbLifecycleRule-01\n      abortIncompleteMultipartUpload: 14\n      expiration: 3563\n      expiredObjectDeleteMarker: false\n      noncurrentVersionExpiration: 3653\n      noncurrentVersionTransitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      transitions:\n        - storageClass: GLACIER\n          transitionAfter: 365\n      prefix: PREFIX\n  s3ResourcePolicyAttachments:\n    - policy: s3-policies/policy1.json\n  importedBucket:\n    name: elb-logs-bucket\n    applyAcceleratorManagedBucketPolicy: true\n```",
      "properties": {
        "customPolicyOverrides": {
          "$ref": "#/$defs/ICustomS3ResourcePolicyOverridesConfig",
          "default": "undefined",
          "description": "**Custom Policy Overrides Configuration** *(Optional)*\n\nProvide policy overrides. Policy files must contain a complete policy document. Custom policy overrides can ONLY be applied to imported buckets. The referenced ICustomS3ResourcePolicyOverridesConfig exposes a single `policy` property for the bucket resource policy file.\n\n**Conflicts**\n- When `policy` is defined, importedBucket.applyAcceleratorManagedBucketPolicy cannot be true\n- When `policy` is defined, s3ResourcePolicyAttachments cannot be defined\n\n**Example**\n\n```yaml\ncustomPolicyOverrides:\n  policy: path/to/elb-log-policy.json\n```"
        },
        "importedBucket": {
          "$ref": "#/$defs/IImportedS3ManagedEncryptionKeyBucketConfig",
          "default": "undefined",
          "description": "**Imported Bucket Configuration** *(Optional)*\n\nWhen set, the accelerator will import an existing ELB logs bucket.\n\nUse this configuration to import an existing ELB logs bucket and manage its resource policy through the solution.\n\n**Important Note**: If importing your own ELB log buckets, create them in the LogArchive account, with one bucket in each operating region that LZA is configured for.\n\n**Example**\n\n```yaml\nimportedBucket:\n  name: existing-elb-log-bucket\n  applyAcceleratorManagedBucketPolicy: true\n```"
        },
        "lifecycleRules": {
          "description": "**S3 Lifecycle Rules** *(Optional)*\n\nConfigure lifecycle rules for the ELB log bucket to manage log retention and storage costs. Rules can transition logs to different storage classes and set expiration policies.\n\n**Example**\n\n```yaml\nlifecycleRules:\n  - enabled: true\n    id: ElbLifecycleRule-01\n    expiration: 365\n    transitions:\n      - storageClass: GLACIER\n        transitionAfter: 30\n```",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "s3ResourcePolicyAttachments": {
          "description": "**S3 Resource Policy Attachments** *(Optional)*\n\nPolicy statements from the listed files will be added to the bucket resource policy. This property cannot be used when the customPolicyOverrides.s3Policy property has a value.\n\n**Note**: When Block Public Access is enabled for S3 on the AWS account, you can't specify a policy that would make the S3 bucket public.\n\n**Example** ```yaml s3ResourcePolicyAttachments:   - policy: s3-policies/elb-log-policy.json   - policy: s3-policies/cross-account-access.json ```",
          "items": {
            "$ref": "#/$defs/IResourcePolicyStatement"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IExternalLandingZoneResourcesConfig": {
      "type": "object",
      "description": "## External Landing Zone Resources Configuration\n\nUsed for importing resources from an Amazon Secure Environment Accelerator (ASEA) environment into the LZA.\n\n### Example ```yaml externalLandingZoneResourcesConfig:   importExternalLandingZoneResources: true ```",
      "properties": {
        "acceleratorName": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Accelerator Name** *(Required)*\n\nAccelerator Name used in the ASEA deployment"
        },
        "acceleratorPrefix": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Accelerator Prefix** *(Required)*\n\nAccelerator Prefix used in the ASEA deployment"
        },
        "importExternalLandingZoneResources": {
          "description": "**Import External Landing Zone Resources** *(Required)*\n\nSetting this flag indicates that this is an Amazon Secure Environment Accelerator (ASEA) environment and imports ASEA resources to the LZA.",
          "type": "boolean"
        },
        "mappingFileBucket": {
          "description": "**Mapping File Bucket** *(Optional)*\n\nThe name of the bucket that contains the mapping file.",
          "type": "string"
        }
      },
      "required": [
        "importExternalLandingZoneResources",
        "acceleratorPrefix",
        "acceleratorName"
      ],
      "additionalProperties": false
    },
    "IGlobalConfig": {
      "additionalProperties": false,
      "description": "## Global Configuration Interface\n\nThe global configuration defines foundational settings that apply across your entire Landing Zone Accelerator deployment. This configuration establishes core operational parameters, security baselines, and service integrations.\n\n### Overview\n\nThe global configuration serves as the central control plane for:\n- **Regional Deployment**: Define home region and enabled regions for multi-region deployments\n- **Security & Compliance**: Configure logging, encryption, and governance controls\n- **Service Integration**: Enable AWS Control Tower, centralized logging, and monitoring\n- **Resource Management**: Set quotas, budgets, and operational parameters\n\n### Key Features\n\n- **Multi-Region Support**: Deploy across multiple AWS regions with centralized management\n- **Control Tower Integration**: Seamless integration with AWS Control Tower for governance\n- **Centralized Logging**: Comprehensive logging strategy with CloudTrail, CloudWatch, and S3\n- **Security Baseline**: Encryption, access controls, and compliance monitoring\n- **Cost Management**: Budgets, cost reports, and service quota management\n- **Operational Excellence**: Backup strategies, SNS notifications, and metadata collection\n\n### Usage Example\n\n```yaml homeRegion: &HOME_REGION us-east-1 enabledRegions:   - us-east-1   - us-west-2\n\nmanagementAccountAccessRole: AWSControlTowerExecution cloudwatchLogRetentionInDays: 365\n\ncontrolTower:   enable: true   landingZone:     version: '3.3'     logging:       loggingBucketRetentionDays: 365       organizationTrail: true     security:       enableIdentityCenterAccess: true\n\nlogging:   account: LogArchive   centralizedLoggingRegion: us-east-1   cloudtrail:     enable: true     organizationTrail: true   sessionManager:     sendToCloudWatchLogs: true     sendToS3: true   cloudwatchLogs:     enable: true     encryption:       useCMK: true\n\nreports:   costAndUsageReport:     compression: Parquet     format: Parquet     reportName: accelerator-cur     timeUnit: DAILY   budgets:     - name: monthly-budget       type: COST       amount: 1000       timeUnit: MONTHLY\n\nsnsTopics:   deploymentTargets:     organizationalUnits:       - Root   topics:     - name: SecurityAlerts       emailAddresses:         - security@example.com ```",
      "properties": {
        "acceleratorMetadata": {
          "$ref": "#/$defs/IAcceleratorMetadataConfig",
          "description": "**Accelerator Metadata Configuration** *(Optional)*\n\nEnable and customize the collection of LZA metadata in your environment.\n\n**Key Features**\n- Enable the collection of LZA metadata\n- Specify an account to store the metadata\n- Provision access to IAM roles for the metadata\n\n**Example** ```yaml acceleratorMetadata:   enable: true   account: Logging   readOnlyAccessRoleArns:     - arn:aws:iam::111111111111:role/test-access-role ```"
        },
        "acceleratorSettings": {
          "$ref": "#/$defs/IAcceleratorSettingsConfig",
          "description": "**Accelerator Settings Configuration** *(Optional)*\n\nEnables the modification of additional LZA properties\n\n**Example** ```yaml acceleratorSettings:  maxConcurrentStacks: 100 ```"
        },
        "backup": {
          "$ref": "#/$defs/IBackupConfig",
          "description": "**Backup Vaults Configuration** *(Optional)*\n\nUsed to generate Backup Vaults\n\n**Example** ```yaml backup:   vaults:     - name: MyBackUpVault       deploymentTargets:         organizationalUnits:           - Root ```"
        },
        "cdkOptions": {
          "$ref": "#/$defs/ICdkOptionsConfig",
          "description": "**AWS CDK Options Configuration**\n\nEnables the customization of the operation of the CDK within LZA"
        },
        "centralRootUserManagement": {
          "$ref": "#/$defs/ICentralRootUserManagementConfig",
          "description": "**Central Root User Configuration** *(Optional)*\n\nCentrally managing root enables the removal of root user credentials from the organization's member accounts. Tasks requiring root access can then be performed by the organization's management account. This configuration dictates whether or not root user management is centralized for the organization.\n\n**Example** ```yaml centralRootUserManagement:   enable: true   capabilities:     rootCredentialsManagement: true     allowRootSessions: true ```"
        },
        "centralizeCdkBuckets": {
          "$ref": "#/$defs/ICentralizeCdkBucketsConfig",
          "deprecated": true
        },
        "cloudwatchLogRetentionInDays": {
          "description": "**CloudWatch Log Retention** *(Required)*\n\nThe retention period, specified in days, is applied to all CloudWatch log groups created by the LZA. Additionally, this retention period will be applied to any pre-existing CloudWatch log group with a shorter retention period.\n\n**Example Scenarios**\n\nScenario 1: If `cloudwatchLogRetentionInDays` is set to 365, and a new CloudWatch log group is created with a 730-day retention period, the LZA will update the log group to have a 365-day retention period.\n\nScenario 2: If `cloudwatchLogRetentionInDays` is set to 365, and there is an existing CloudWatch log group with a 730-day retention period, the log group will not be updated by the LZA.\n\nScenario 3: If `cloudwatchLogRetentionInDays` is set to 365, and there is an existing CloudWatch log group with a 30-day retention period, the LZA will update the log group to have a 365-day retention period.",
          "type": "number"
        },
        "controlTower": {
          "$ref": "#/$defs/IControlTowerConfig",
          "description": "**AWS Control Tower Configuration** *(Required)*\n\nConfigure Control Tower for the LZA deployment.\n\n**Key Features**\n- Enable/Disable Control Tower\n- Set Control Tower controls\n- Configure Control Tower Landing Zone"
        },
        "defaultEventBus": {
          "$ref": "#/$defs/IDefaultEventBusConfig",
          "description": "**Default Event Bus Configuration** *(Optional)*\n\nDefine a custom policy which the solution will automatically apply to the default event bus within targeted accounts.\n\n**Example** ```yaml defaultEventBus:   policy: path-to-my-policy.json   deploymentTargets:     accounts:       - Management ```"
        },
        "enableOptInRegions": {
          "default": false,
          "description": "**Enable opt-in Regions** *(Optional)*\n\nWhether or not to automatically enable opt-in regions for all LZA managed accounts.\n\nWhen enableOptInRegions is set to true, it will only enable the opt-in regions that are also listed in the {@link IGlobalConfig.enabledRegions enabledRegions} configuration.",
          "type": "boolean"
        },
        "enabledRegions": {
          "description": "**Enabled Regions** *(Required)*\n\nList of AWS Regions where the accelerator will be deployed. The {@link IGlobalConfig.homeRegion home region} must be part of this list.\n\n**Example**\n\n```yaml enabledRegions:   - us-east-1   - us-west-2 ```",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "externalLandingZoneResources": {
          "$ref": "#/$defs/IExternalLandingZoneResourcesConfig",
          "description": "**External Landing Zone Resources Configuration** *(Optional)*\n\nUsed when importing resources from an existing Amazon Secure Environment Accelerator (ASEA) environment.\n\n**Example** ```yaml externalLandingZoneResources:   importExternalLandingZoneResources: false ```"
        },
        "homeRegion": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Accelerator Home Region Name** *(Required)*\n\nThe region where the accelerator pipeline will be deployed\n\n**Example**\n\n```yaml homeRegion: us-east-1 ```"
        },
        "lambda": {
          "$ref": "#/$defs/ILambdaConfig",
          "description": "**Lambda Configuration** *(Optional)*\n\nUsed to configure encryption for Lambda function environment variables across the LZA environment.\n\n**Example** ```yaml lambda:   encryption:    useCMK: true    deploymentTargets:      organizationalUnits:        - Root ```"
        },
        "limits": {
          "description": "**AWS Service Quota Limit Configuration**\n\nEnables the creation of service quota increases for accounts within the LZA deployment.\n\n**Considerations** Service quotas define the maximum number of service resources or operations for your AWS account. Service quota increases are processed asynchronously and may require approval. Some quotas require AWS Support cases for increases beyond certain thresholds. Quotas are account-specific and region-specific (where applicable). You can find service and quota codes in the AWS Service Quotas console.\n\nFor more information, see:\n- [AWS Service Quotas User Guide](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html)\n- [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html)\n\n**Example** ```yaml limits:   # Increase Lambda concurrent executions   - serviceCode: lambda     quotaCode: L-B99A9384     desiredValue: 1000     deploymentTargets:       organizationalUnits:         - Root     regions:       - us-west-2\n\n  # Increase IAM roles per account (global quota - no regions needed)   - serviceCode: iam     quotaCode: L-4019AD8B     desiredValue: 15     deploymentTargets:       accounts:         - SharedServices\n\n  # Increase VPCs per region   - serviceCode: vpc     quotaCode: L-F678F1CE     desiredValue: 20     deploymentTargets:       organizationalUnits:         - Security         - Infrastructure     regions:       - us-east-1       - us-west-2\n\n  # Increase Route 53 Resolver rules per region   - serviceCode: route53resolver     quotaCode: L-4A669CC0     desiredValue: 10     deploymentTargets:       organizationalUnits:         - Infrastructure ```",
          "items": {
            "$ref": "#/$defs/IServiceQuotaLimitsConfig"
          },
          "type": "array"
        },
        "logging": {
          "$ref": "#/$defs/ILoggingConfig",
          "description": "**Logging Configuration** *(Required)*\n\nUsed to configure logging for the LZA deployment. Enables the configuration of logging for Session Manager, CloudTrail, and CloudWatch."
        },
        "managementAccountAccessRole": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Management Account Access Role** *(Required)*\n\nName of the management account access role created in member accounts.\n\n**Example** ```yaml managementAccountAccessRole: AWSControlTowerExecution ```"
        },
        "reports": {
          "$ref": "#/$defs/IReportConfig",
          "description": "**Report Configuration** *(Optional)*\n\nConfiguration for cost and usage reports as well as budgets."
        },
        "s3": {
          "$ref": "#/$defs/IS3GlobalConfig",
          "description": "**AWS S3 Global Configuration** *(Optional)*\n\nUsed to configure AWS S3 server-side encryption for S3 buckets across the LZA environment. The configuration is able to target OUs, regions, or accounts. When left undefined, the solution will use an AWS KMS CMK to encrypt the AWS S3 buckets.\n\n**Notes** This configuration is not applicable to the LogArchive account's central logging region, because the CentralLogs bucket deployed by the solution is always encrypted with an AWS KMS CMK. This configuration is not applicable to the Management account asset bucket in the home region; if that bucket is created, it will always have a key generated and applied. This configuration is not applicable to the assets S3 bucket if the bucket is created; this bucket will always have a key generated and applied.\n\nFor more information please see [here](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html)\n\n**Example** ```yaml s3:   createCMK: true   deploymentTargets:     organizationalUnits:       - Root ```"
        },
        "snsTopics": {
          "$ref": "#/$defs/ISnsConfig",
          "description": "**SNS Topics Configuration** *(Optional)*\n\nDefine SNS topics to be deployed throughout the LZA environment.\n\nTo send CloudWatch Alarms and SecurityHub notifications, you will need to configure at least one SNS Topic. For SecurityHub notifications, you will need to set the deployment target OU to Root in order to receive notifications from all accounts.\n\n**Example** ```yaml snsTopics:   deploymentTargets:     organizationalUnits:       - Root   topics:     - name: Security       emailAddresses:         - SecurityNotifications@example.com ```"
        },
        "sqs": {
          "$ref": "#/$defs/ISqsConfig",
          "description": "**SQS Queue Configuration** *(Optional)*\n\nUsed to configure encryption for SQS queues throughout the LZA environment. The configuration is able to target OUs, regions, or accounts. When left undefined, the solution will utilize AWS KMS CMK to encrypt SQS queues.\n\n**Example** ```yaml sqs:   encryption:    useCMK: true    deploymentTargets:      organizationalUnits:        - Root ```"
        },
        "ssmInventory": {
          "$ref": "#/$defs/ISsmInventoryConfig",
          "description": "**SSM Inventory Configuration** *(Optional)*\n\nAllows enabling of SSM Inventory in member accounts"
        },
        "ssmParameters": {
          "description": "**SSM parameter configurations** *(Optional)*\n\nCreate SSM parameters through the LZA. Parameters can be deployed to Organizational Units or Accounts through the use of deployment targets.\n\n**Example** ```yaml ssmParameters:   - deploymentTargets:       organizationalUnits:         - Workloads     parameters:       - name: WorkloadParameter         path: /my/custom/path/variable         value: 'MySSMParameterValue' ```",
          "items": {
            "$ref": "#/$defs/ISsmParametersConfig"
          },
          "type": "array"
        },
        "stackPolicy": {
          "$ref": "#/$defs/IStackPolicyConfig",
          "description": "**Stack Policy Configuration** *(Optional)*\n\nDefine which resource types should be protected. Defined resource types will be protected for Update:Replace and Update:Delete operations. Protected types need to be AWS:: resource types, e.g. AWS::EC2::InternetGateway.\n\n**Example** ```yaml stackPolicy:   enable: true   protectedTypes: ['AWS::EC2::InternetGateway'] ```"
        },
        "tags": {
          "description": "**Tags** *(Optional)*\n\nGlobal tags to be applied to all resources created by the solution.\n\n**Note** LZA will not apply the tags to all resource types. Excluded types include Transit Gateway Route Tables and Route53 Resolver Endpoints.\n\n**Example** ```yaml tags:   - key: Environment     value: Dev   - key: ResourceOwner     value: AcmeApp   - key: CostCenter     value: '123' ```",
          "items": {
            "$ref": "#/$defs/ITag"
          },
          "type": "array"
        },
        "terminationProtection": {
          "description": "**Termination Protection** *(Optional)*\n\nWhether or not termination protection should be enabled for this stack",
          "type": "boolean"
        },
        "useV2Stacks": {
          "default": false,
          "description": "**V2 Stacks** *(Optional)*\n\nWhether or not V2 Stacks should be enabled.\n\nWhen enabled, LZA will place newly defined resources in separate CloudFormation stacks to prevent exceeding the 500-resource-per-stack limit. Pre-existing resources will be preserved in their original stacks.",
          "type": "boolean"
        }
      },
      "required": [
        "homeRegion",
        "enabledRegions",
        "managementAccountAccessRole",
        "cloudwatchLogRetentionInDays",
        "controlTower",
        "logging"
      ],
      "type": "object",
      "patternProperties": {
        "^\\.": {
          "description": "YAML anchor"
        }
      }
    },
    "IImportedCustomerManagedEncryptionKeyBucketConfig": {
      "type": "object",
      "description": "## Imported S3 Bucket Configuration (Customer Managed Encryption)\n\nConfiguration for importing existing S3 buckets with customer-managed KMS encryption (SSE-KMS). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that uses or should use customer-managed KMS keys for encryption.\n\n### Key Features\n\n- **Existing Bucket Integration**: Import buckets created outside the accelerator\n- **KMS Key Management**: Option to create and manage KMS keys for the bucket\n- **Policy Management**: Optional application of accelerator-managed policies\n- **Encryption Enhancement**: Upgrade existing buckets to use customer-managed keys\n\n### Usage Example\n\n```yaml importedBucket:   name: existing-sensitive-data-bucket   applyAcceleratorManagedBucketPolicy: true   createAcceleratorManagedKey: true ```",
      "properties": {
        "applyAcceleratorManagedBucketPolicy": {
          "default": false,
          "description": "**Apply Accelerator Managed Bucket Policy** *(Optional)*\n\nControls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.",
          "type": "boolean"
        },
        "createAcceleratorManagedKey": {
          "default": false,
          "description": "**Create Accelerator Managed KMS Key** *(Optional)*\n\nControls whether the accelerator should create a new customer-managed KMS key and apply it to the imported bucket for encryption. When enabled, this enhances bucket security with dedicated encryption key management.\n\n### Key Creation Process\n\n**When `true`:**\n- Creates a new customer-managed KMS key specifically for this bucket\n- Applies accelerator-managed key policy with appropriate service permissions\n- Configures bucket to use the new key for server-side encryption\n- Integrates key permissions with enabled security and logging services\n\n**When `false` (default):**\n- Preserves existing bucket encryption configuration\n- Uses current encryption method (S3-managed, existing KMS key, or none)\n- No new KMS key creation or encryption changes\n- Existing encryption settings remain unchanged\n\n### Important Warnings\n\n**Irreversible Change**: Once the accelerator pipeline executes with this value set to `true`, changing it back to `false` will cause CloudFormation stack failures. The KMS key becomes a permanent part of the infrastructure.",
          "type": "boolean"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Bucket Name** *(Required)*\n\nName of the existing S3 bucket to be imported and managed by the accelerator. The bucket must already exist in the target AWS account.\n\n### Examples\n\n```yaml name: company-sensitive-logs name: legacy-encrypted-bucket name: imported-compliance-data ```"
        }
      },
      "required": [
        "name"
      ],
      "additionalProperties": false
    },
    "IImportedS3ManagedEncryptionKeyBucketConfig": {
      "type": "object",
      "description": "## Imported S3 Bucket Configuration (S3 Managed Encryption)\n\nConfiguration for importing existing S3 buckets that use S3-managed encryption (SSE-S3). Use this interface when you want the Landing Zone Accelerator to manage an existing bucket that was created outside of the accelerator solution.\n\n### Key Features\n\n- **Existing Bucket Integration**: Import buckets created outside the accelerator\n- **Policy Management**: Optional application of accelerator-managed policies\n- **S3-Managed Encryption**: Designed for buckets using SSE-S3 encryption\n- **Service Integration**: Automatic policy generation for enabled security services\n\n### Usage Example\n\n```yaml importedBucket:   name: existing-logs-bucket   applyAcceleratorManagedBucketPolicy: true ```",
      "properties": {
        "applyAcceleratorManagedBucketPolicy": {
          "default": false,
          "description": "**Apply Accelerator Managed Bucket Policy** *(Optional)*\n\nControls whether the accelerator should apply its generated resource policies to the imported bucket. When enabled, the accelerator will manage the bucket's resource policy based on enabled security services and configurations.\n\n### Policy Generation\n\nThe accelerator automatically generates bucket policies based on:\n- **Security Services**: Macie, GuardDuty, Security Hub access requirements\n- **Logging Services**: CloudTrail, VPC Flow Logs, Config access needs\n- **Cross-Account Access**: Organization-wide service access patterns\n- **External Policies**: Additional policies from s3ResourcePolicyAttachments\n\n### Behavior Options\n\n```yaml # Let accelerator manage policies (recommended for new imports) applyAcceleratorManagedBucketPolicy: true\n\n# Preserve existing policies (use for buckets with custom policies) applyAcceleratorManagedBucketPolicy: false ```\n\n### Important Considerations\n\n**When `true`:**\n- Accelerator **REPLACES** existing bucket resource policy\n- Combines accelerator-generated policies with external policy files\n- Ensures compatibility with enabled security services\n- **WARNING**: Removes any existing custom S3 policies on the bucket\n\n**When `false` (default):**\n- Preserves existing bucket resource policy\n- Only adds policies from external s3ResourcePolicyAttachments files\n- No changes if no external policy files are provided\n- Existing policies remain intact\n\n### Best Practices\n\n- Set to `true` for buckets that need full accelerator integration\n- Set to `false` for buckets with critical existing policies\n- Review existing policies before enabling accelerator management\n- Test policy changes in non-production environments first",
          "type": "boolean"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Bucket Name** *(Required)*\n\nName of the existing S3 bucket to be imported and managed by the accelerator. The bucket must already exist in the target AWS account.\n\n### Example\n\n```yaml name: company-existing-logs ```"
        }
      },
      "required": [
        "name"
      ],
      "additionalProperties": false
    },
    "ILambdaConfig": {
      "type": "object",
      "description": "## Lambda Configuration\n\nCustomize the encryption used for lambda environment variables.\n\n### Example ```yaml   encryption:    useCMK: true    deploymentTargets:      organizationalUnits:        - Root ```",
      "properties": {
        "encryption": {
          "$ref": "#/$defs/IServiceEncryptionConfig",
          "description": "**Encryption** *(Optional)*\n\nDetermine what methods should be used to encrypt lambda environment variables."
        }
      },
      "additionalProperties": false
    },
    "ILifecycleRule": {
      "type": "object",
      "description": "## S3 Bucket Lifecycle Rule Configuration\n\nDefines lifecycle management rules for S3 buckets to automatically transition objects between storage classes and manage object expiration. Lifecycle rules help optimize storage costs and manage data retention policies.\n\n### Key Features\n\n- **Cost Optimization**: Automatically transition objects to cheaper storage classes\n- **Data Management**: Set expiration policies for automatic cleanup\n- **Version Control**: Manage current and non-current object versions separately\n- **Prefix Filtering**: Apply rules to specific object prefixes or entire buckets\n\n### Usage Example\n\n```yaml lifecycleRules:   - enabled: true     id: LogsLifecycle     abortIncompleteMultipartUpload: 7     expiration: 2555  # ~7 years     expiredObjectDeleteMarker: false     noncurrentVersionExpiration: 365     transitions:       - storageClass: STANDARD_IA         transitionAfter: 30       - storageClass: GLACIER         transitionAfter: 365     prefix: logs/\n\n  - enabled: true     id: ArchiveLifecycle     expiredObjectDeleteMarker: true     noncurrentVersionExpiration: 90     transitions:       - storageClass: DEEP_ARCHIVE         transitionAfter: 180 ```",
      "properties": {
        "abortIncompleteMultipartUpload": {
          "description": "**Abort Incomplete Multipart Uploads** *(Optional)*\n\nNumber of days after which incomplete multipart uploads are automatically aborted and cleaned up. This helps prevent storage costs from abandoned multipart uploads.\n\n### Benefits\n\n- **Cost Control**: Prevents charges for incomplete upload parts\n- **Storage Cleanup**: Automatically removes orphaned multipart data\n- **Operational Hygiene**: Maintains clean bucket state\n\n### Considerations\n\n- Set based on your typical upload patterns and file sizes\n- Consider network reliability and upload duration requirements\n- Balance between cost control and operational flexibility",
          "type": "number"
        },
        "enabled": {
          "default": true,
          "description": "**Rule Enabled** *(Optional)*\n\nControls whether this lifecycle rule is active and enforced. Allows you to temporarily disable rules without removing them from the configuration.",
          "type": "boolean"
        },
        "expiration": {
          "description": "**Object Expiration** *(Optional)*\n\nNumber of days after object creation when objects are permanently deleted from the bucket. This implements automatic data retention policies and helps manage storage costs for time-sensitive data.\n\n### Use Cases\n\n- **Log Retention**: Automatically delete old log files\n- **Compliance**: Enforce data retention policies\n- **Cost Management**: Remove data that's no longer needed\n- **Regulatory Requirements**: Meet data disposal requirements\n\n### Important Considerations\n\n- **Irreversible**: Expired objects are permanently deleted\n- **Compliance**: Ensure retention periods meet regulatory requirements\n- **Business Needs**: Consider future data access requirements\n- **Backup Strategy**: Ensure critical data is backed up before expiration",
          "type": "number"
        },
        "expiredObjectDeleteMarker": {
          "default": false,
          "description": "**Expired Object Delete Marker Cleanup** *(Optional)*\n\nControls whether S3 automatically removes delete markers that have no non-current versions. This helps clean up versioned buckets and reduce storage costs from orphaned delete markers.\n\n### Benefits When Enabled\n\n- **Cost Reduction**: Eliminates charges for orphaned delete markers\n- **Storage Optimization**: Keeps bucket metadata clean\n- **Operational Efficiency**: Reduces clutter in versioned buckets",
          "type": "boolean"
        },
        "id": {
          "description": "**Rule Identifier** *(Optional)*\n\nUnique, human-readable name for the lifecycle rule within the bucket. Used for rule identification, management, and troubleshooting.",
          "type": "string"
        },
        "noncurrentVersionExpiration": {
          "description": "**Non-Current Version Expiration** *(Optional)*\n\nNumber of days after an object version becomes non-current when it should be permanently deleted. This manages storage costs for versioned buckets by cleaning up old object versions.\n\n### Considerations\n\n- **Recovery Needs**: Balance cost vs. ability to recover old versions\n- **Compliance**: Some regulations require version retention\n- **Storage Costs**: Non-current versions incur full storage charges\n- **Access Patterns**: Consider how often old versions are accessed",
          "type": "number"
        },
        "noncurrentVersionTransitions": {
          "description": "**Non-Current Version Transitions** *(Optional)*\n\nArray of transition rules that specify when non-current object versions should move to different storage classes. This optimizes costs for versioned buckets by moving old versions to cheaper storage.\n\n### Storage Class Optimization\n\nNon-current versions are typically accessed less frequently than current versions, making them ideal candidates for cheaper storage classes.",
          "items": {
            "$ref": "#/$defs/ITransition"
          },
          "type": "array"
        },
        "prefix": {
          "$ref": "#/$defs/NonEmptyString",
          "default": "undefined (applies to all objects in the bucket)",
          "description": "**Object Key Prefix Filter** *(Optional)*\n\nObject key prefix that identifies which objects this lifecycle rule applies to. When specified, the rule only affects objects whose keys start with this prefix. When omitted, the rule applies to all objects in the bucket.\n\n### Best Practices\n\n- Use consistent prefix naming conventions\n- Design prefixes to support different lifecycle needs\n- Consider future organizational changes\n- Document prefix meanings and purposes"
        },
        "transitions": {
          "description": "**Current Version Transitions** *(Optional)*\n\nArray of transition rules that specify when current objects should move to different storage classes. This implements cost optimization strategies based on data access patterns and age.\n\n### Cost Optimization Strategy\n\nDesign transitions based on your data access patterns:\n- **Frequently Accessed**: Keep in Standard storage\n- **Infrequently Accessed**: Transition to Standard-IA\n- **Archive Data**: Move to Glacier or Deep Archive\n- **Long-term Retention**: Use Deep Archive for lowest cost",
          "items": {
            "$ref": "#/$defs/ITransition"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "ILoggingConfig": {
      "type": "object",
      "description": "## Global Logging Configuration\n\n### Example ```yaml logging:   account: LogArchive   centralizedLoggingRegion: us-east-1   cloudtrail:     enable: false     organizationTrail: false   sessionManager:     sendToCloudWatchLogs: false     sendToS3: true ```",
      "properties": {
        "accessLogBucket": {
          "$ref": "#/$defs/IAccessLogBucketConfig",
          "description": "**Access Logs Bucket** *(Optional)*\n\nUsed to define and configure the access logs bucket for the solution."
        },
        "account": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Account Name** *(Required)*\n\nThe name of the account used to store the logs.\n\n**Example ```yaml account: LogArchive ```"
        },
        "assetBucket": {
          "$ref": "#/$defs/IAssetBucketConfig",
          "description": "**Asset Bucket** *(Optional)*\n\nUsed to define and configure the asset bucket for the solution."
        },
        "centralLogBucket": {
          "$ref": "#/$defs/ICentralLogBucketConfig",
          "description": "**Central Log Bucket** *(Optional)*\n\nUsed to define and configure the central logs bucket for the solution"
        },
        "centralizedLoggingRegion": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Centralized Logging Region** *(Optional)*\n\nThe region used to store the logs. When not provided, the log bucket will be created in the home region."
        },
        "cloudtrail": {
          "$ref": "#/$defs/ICloudTrailConfig",
          "description": "**CloudTrail Configuration** *(Required)*\n\nMain configuration for CloudTrail\n\n**Key Features**\n- Enable/Disable CloudTrail\n- Setup organization-level trails\n- Setup account-level trails"
        },
        "cloudwatchLogs": {
          "$ref": "#/$defs/ICloudWatchLogsConfig",
          "description": "**CloudWatch Logs Configuration** *(Optional)*\n\nConfigure CloudWatch logs for the solution.\n\n**Key Features**\n- Configure encryption at rest\n- Enable replication\n- Configure CloudWatch logs subscriptions"
        },
        "elbLogBucket": {
          "$ref": "#/$defs/IElbLogBucketConfig",
          "description": "**ELB Log Bucket** *(Optional)*\n\nUsed to define and configure the ELB logs bucket for the solution"
        },
        "sessionManager": {
          "$ref": "#/$defs/ISessionManagerConfig",
          "description": "**SessionManager Configuration** *(Required)*\n\nAllows for the customization of SessionManager in the environment allowing the modifications such as where to save logs and what accounts to manage."
        }
      },
      "required": [
        "account",
        "cloudtrail",
        "sessionManager"
      ],
      "additionalProperties": false
    },
    "INotificationConfig": {
      "type": "object",
      "description": "## Notification Configuration\n\nUsed to configure notifications for budget reports\n\n### Key Features\n- **Recipients**: Configure multiple recipients for the notification\n- **Threshold**: Define the threshold to trigger the notification\n- **Subscription Type**: Choose the subscription type (e.g., email, SNS) for delivery\n\n\n### Example ```yaml notifications:  - type: ACTUAL    thresholdType: PERCENTAGE    threshold: 90    comparisonOperator: GREATER_THAN    subscriptionType: EMAIL    recipients:     - myemail+pa1-budg@example.com     - myemail+pa2-budg@example.com ```",
      "properties": {
        "address": {
          "$ref": "#/$defs/NonEmptyString",
          "deprecated": true,
          "description": "**Address** *(Optional)*"
        },
        "comparisonOperator": {
          "anyOf": [
            {
              "$ref": "#/$defs/ComparisonOperator"
            },
            {
              "type": "string"
            }
          ],
          "description": "**Comparison Operator** *(Required)*\n\nThe comparison that's used for this notification.\n\nValid values are `GREATER_THAN`, `LESS_THAN`, and `EQUAL_TO`"
        },
        "recipients": {
          "description": "**Recipients** *(Optional)*\n\nA list of recipients that the notification will be sent to. Must be either an SNS topic or an email.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "subscriptionType": {
          "anyOf": [
            {
              "$ref": "#/$defs/SubscriptionType"
            },
            {
              "type": "string"
            }
          ],
          "description": "**Subscription Type** *(Required)*\n\nThe type of notification that AWS will send to the subscribers. Must either be `SNS` or `EMAIL`"
        },
        "threshold": {
          "description": "**Threshold** *(Optional)*\n\nThe value that, when usage exceeds, will trigger the notification.",
          "type": "number"
        },
        "thresholdType": {
          "anyOf": [
            {
              "$ref": "#/$defs/ThresholdType"
            },
            {
              "type": "string"
            }
          ],
          "description": "**Threshold Type** *(Required)*\n\nThe type of threshold for a notification.\n\n**Types**\n- `ABSOLUTE_VALUE`: AWS sends the notification when you go over, or are forecasted to go over, the total cost of the threshold.\n- `PERCENTAGE`: AWS sends the notification when you go over, or are forecasted to go over, a certain percentage of your forecasted spend."
        },
        "type": {
          "anyOf": [
            {
              "$ref": "#/$defs/NotificationType"
            },
            {
              "type": "string"
            }
          ],
          "description": "**Notification Type** *(Required)*\n\nDetermines whether the notification should be sent based on actual or forecasted usage.\n\nValues must either be `ACTUAL` or `FORECASTED`"
        }
      },
      "required": [
        "type",
        "thresholdType",
        "comparisonOperator",
        "subscriptionType"
      ],
      "additionalProperties": false
    },
    "IReportConfig": {
      "type": "object",
      "description": "## Reports Configuration\n\nUsed to configure reports for the LZA deployment.\n\n### Key Features\n- Configure cost and usage reports\n- Configure budget reports\n\n### Example ```yaml costAndUsageReport:     compression: Parquet     format: Parquet     reportName: accelerator-cur     s3Prefix: cur     timeUnit: DAILY     refreshClosedReports: true     reportVersioning: CREATE_NEW_REPORT     lifecycleRules:       storageClass: DEEP_ARCHIVE       enabled: true       multiPart: 1       expiration: 1825       deleteMarker: false       nonCurrentExpiration: 366       transitionAfter: 365 budgets:     - name: accel-budget       timeUnit: MONTHLY       type: COST       amount: 2000       includeUpfront: true       includeTax: true       includeSupport: true       includeSubscription: true       includeRecurring: true       includeOtherSubscription: true       includeDiscount: true       includeCredit: false       includeRefund: false       useBlended: false       useAmortized: false       unit: USD       notifications:       - type: ACTUAL         thresholdType: PERCENTAGE         threshold: 90         comparisonOperator: GREATER_THAN         subscriptionType: EMAIL         address: myemail+pa-budg@example.com ```",
      "properties": {
        "budgets": {
          "description": "**Budget Reports** *(Optional)*\n\nConfiguration for budget reports.\n\n**Example** ```yaml budgets:     - name: accel-budget       timeUnit: MONTHLY       type: COST       amount: 2000       includeUpfront: true       includeTax: true       includeSupport: true       includeSubscription: true       includeRecurring: true       includeOtherSubscription: true       includeDiscount: true       includeCredit: false       includeRefund: false       useBlended: false       useAmortized: false       unit: USD       notifications:       - type: ACTUAL         thresholdType: PERCENTAGE         threshold: 90         comparisonOperator: GREATER_THAN         subscriptionType: EMAIL         address: myemail+pa-budg@example.com ```",
          "items": {
            "$ref": "#/$defs/IBudgetReportConfig"
          },
          "type": "array"
        },
        "costAndUsageReport": {
          "$ref": "#/$defs/ICostAndUsageReportConfig",
          "description": "**Cost and Usage Report** *(Optional)*\n\nConfiguration for a cost and usage report.\n\n\n**Example** ```yaml costAndUsageReport:     compression: Parquet     format: Parquet     reportName: accelerator-cur     s3Prefix: cur     timeUnit: DAILY     refreshClosedReports: true     reportVersioning: CREATE_NEW_REPORT     lifecycleRules:       storageClass: DEEP_ARCHIVE       enabled: true       multiPart: 1       expiration: 1825       deleteMarker: false       nonCurrentExpiration: 366       transitionAfter: 365 ```"
        }
      },
      "additionalProperties": false
    },
    "IResourcePolicyStatement": {
      "type": "object",
      "description": "## Resource Policy Statement Configuration\n\nDefines a custom resource policy statement that can be applied to AWS resources. Used for providing additional or override policy statements beyond the default accelerator-generated policies.\n\n### Usage Context\n\n- **Custom Access Patterns**: Define specific access requirements\n- **Policy Attachments**: Add policies to existing resources\n- **Compliance Requirements**: Meet specific regulatory or security needs\n- **Service Integration**: Enable access for additional AWS services",
      "properties": {
        "policy": {
          "description": "**Policy Document** *(Required)*\n\nPath to a JSON file containing a valid AWS IAM policy document, or the policy document content as a JSON string.",
          "type": "string"
        }
      },
      "required": [
        "policy"
      ],
      "additionalProperties": false
    },
    "IRootUserManagementCapabiltiesConfig": {
      "type": "object",
      "description": "## Root User Management Capabilities Configuration\n\nDetermines how root user management is controlled within the organization.",
      "properties": {
        "allowRootSessions": {
          "description": "**Allow Root Sessions** *(Required)*\n\nDetermines whether root user sessions are allowed.",
          "type": "boolean"
        },
        "rootCredentialsManagement": {
          "description": "**Root Credentials Management** *(Required)*\n\nDetermines whether root user credentials are managed by the organization.",
          "type": "boolean"
        }
      },
      "required": [
        "rootCredentialsManagement",
        "allowRootSessions"
      ],
      "additionalProperties": false
    },
    "IS3EncryptionConfig": {
      "type": "object",
      "description": "## S3 Encryption Configuration\n\nConfigure encryption settings for S3 buckets deployed by the Landing Zone Accelerator. This configuration allows you to control whether AWS KMS Customer Managed Keys (CMKs) are used for S3 server-side encryption across your organization.\n\n### Key Features\n\n- **Flexible Encryption**: Choose between AWS KMS CMK or default S3 encryption\n- **Targeted Deployment**: Apply encryption settings to specific organizational units or accounts\n- **Compliance Support**: Helps meet regulatory requirements for data encryption at rest\n\n### Important Considerations\n\n- **Always Encrypted Buckets**: The following buckets always use CMK regardless of this setting:   - LZA Installer bucket   - CodePipeline artifact bucket   - Solution-deployed CentralLogs bucket\n\n### Example ```yaml encryption:   createCMK: true   deploymentTargets:     organizationalUnits:       - Security       - Production     excludedAccounts:       - Development ```",
      "properties": {
        "createCMK": {
          "default": true,
          "description": "**Create CMK** *(Required)*\n\nWhen enabled, the solution will create use AWS KMS CMK for S3 server-side encryption. The following buckets always use CMK regardless of this settings:\n\n- Installer bucket\n- Pipeline bucket\n- Solution-deployed CentralLogs bucket",
          "type": "boolean"
        },
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Optional)*\n\nEnables the control of which environments will use AWS KMS CMK for S# encryption. Leaving `deploymentTargets` undefined will apply `createCMK` setting to all accounts and enabled regions."
        }
      },
      "required": [
        "createCMK"
      ],
      "additionalProperties": false
    },
    "IS3GlobalConfig": {
      "type": "object",
      "description": "## S3 Global Configuration\n\nManage S3 settings for accounts managed by the LZA deployment. Configure the encryption settings for S3 buckets used throughout the deployment.\n\n### Example ```yaml s3:  encryption:    createCMK: true    deploymentTargets:      organizationalUnits:        - Root ```",
      "properties": {
        "encryption": {
          "$ref": "#/$defs/IS3EncryptionConfig",
          "default": "undefined",
          "description": "**S3 Encryption Configuration** *(Optional)*\n\nAllows for the configuration of the encryption method for S3 buckets.\n\n**Important Considerations**\n- In the absence of this property, the solution will use AWS KMS CMK in every environment\n- The solution will disregard this property and create CMKs for the installer bucket, pipeline bucket, and solution deployed CentralLogs bucket as AWS KMS CMK is always used for these buckets\n\n**Example** ```yaml encryption:   createCMK: false   deploymentTargets:     organizationalUnits:       - Root ```"
        }
      },
      "additionalProperties": false
    },
    "IServiceEncryptionConfig": {
      "type": "object",
      "description": "## Encryption Configuration\n\nEnable/Disable the use of AWS KMS CMK for encryption. Can specify which accounts/OUs to use this configuration in.\n\n### Example ```yaml  encryption:    useCMK: true    deploymentTargets:      organizationalUnits:        - Root ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Optional)*\n\nConfigure which environments the given configuration will be used for. When left undefined, the configuration is applied to all accounts and enabled regions."
        },
        "useCMK": {
          "default": false,
          "description": "**Use CMK** *(Required)*\n\nDetermines whether or not AWS KMS CMK will be used for encryption. When set to `true`, AWS CMK KMS will be used. When set to `false`, service managed KMS will be used.",
          "type": "boolean"
        }
      },
      "required": [
        "useCMK"
      ],
      "additionalProperties": false
    },
    "IServiceQuotaLimitsConfig": {
      "type": "object",
      "description": "## AWS Service Quotas Configuration\n\nUsed request increases to AWS service quotas (formerly known as service limits). Service quotas are the maximum number of service resources or operations for your AWS account. Service quota increases are requested asynchronously and may take time to be approved. Some quotas require AWS Support cases and cannot be increased automatically. You can find service codes and quota codes in the AWS Service Quotas console.\n\n\n### Example ```yaml # Increase Lambda concurrent executions\n- serviceCode: lambda   quotaCode: L-B99A9384   desiredValue: 1000   deploymentTargets:     organizationalUnits:       - Root   regions:     - us-west-2\n\n# Increase IAM roles per account (global quota - no regions needed)\n- serviceCode: iam   quotaCode: L-4019AD8B   desiredValue: 15   deploymentTargets:     accounts:       - SharedServices\n\n# Increase VPCs per region\n- serviceCode: vpc   quotaCode: L-F678F1CE   desiredValue: 20   deploymentTargets:     organizationalUnits:       - Security       - Infrastructure   regions:     - us-east-1     - us-west-2\n\n# Increase Route 53 Resolver rules per region\n- serviceCode: route53resolver   quotaCode: L-4A669CC0   desiredValue: 10   deploymentTargets:     organizationalUnits:       - Infrastructure ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nUsed to specify the accounts that should be included in the Service Quota changes. Additionally, you can target specific accounts or entire organizational units."
        },
        "desiredValue": {
          "description": "**Desired Value** *(Required)*\n\nThe new limit you want to request for. The value must be higher than the current quota value. Some quotas have maximum values that cannot be exceeded.",
          "type": "number"
        },
        "quotaCode": {
          "description": "**Quota Code** *(Required)*\n\nIndicates the specific quota we are requesting a change for within the given service. You can find the quota codes in the console or using the AWS CLI command: `aws service-quotas list-service-quotas --service-code <service-code>`.\n\nExample quota codes (verify current codes in AWS console):\n- L-B99A9384 (Lambda concurrent executions)\n- L-4019AD8B (IAM roles per account)\n- L-F678F1CE (VPCs per region)\n- L-4A669CC0 (Route 53 Resolver rules per region)",
          "type": "string"
        },
        "regions": {
          "description": "**Regions** *(Optional)*\n\nRegions where this service quota increase will be requested. If undefined, the increase will only be requested in the home region. Specified regions must also be listed in the enabledRegions section. Some quotas are global (like IAM) and don't require region specification.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "serviceCode": {
          "description": "**Service Code** *(Required)*\n\nIndicates which service Service Quota we are requesting a change for. You can find service codes the console or using the AWS CLI command: `aws service-quotas list-services`.\n\nExample service codes (verify current codes in AWS console):\n- lambda (AWS Lambda)\n- iam (AWS Identity and Access Management)\n- vpc (Amazon Virtual Private Cloud)\n- route53resolver (Amazon Route 53 Resolver)",
          "type": "string"
        }
      },
      "required": [
        "serviceCode",
        "quotaCode",
        "desiredValue",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "ISessionManagerConfig": {
      "type": "object",
      "description": "## SessionManager Configuration\n\n### Example ```yaml sessionManager:   sendToCloudWatchLogs: true   sendToS3: true   excludeRegions: []   excludeAccounts: []   lifecycleRules: []   attachPolicyToIamRoles:     - EC2-Default-SSM-AD-Role ```",
      "properties": {
        "attachPolicyToIamRoles": {
          "description": "**Attach Policy to IAM Roles** *(Optional)*\n\nA list of IAM Ec2 roles that the Session Manager access policy should be attached to.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludeAccounts": {
          "description": "**Excluded Accounts** *(Optional)*\n\nList of AWS Account names to be excluded from this SessionManager configuration",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludeRegions": {
          "description": "**Excluded Regions** *(Optional)*\n\nList of AWS Region names to be excluded from this SessionManager configuration",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "lifecycleRules": {
          "description": "**S3 Lifecycle Rules** *(Optional)*\n\nDefines the lifecycle rules for the S3 bucket containing the logs.",
          "items": {
            "$ref": "#/$defs/ILifecycleRule"
          },
          "type": "array"
        },
        "sendToCloudWatchLogs": {
          "description": "**Send to CloudWatch Logs** *(Required)*\n\nDetermines whether sending SessionManager logs to CloudWatch logs is enabled.",
          "type": "boolean"
        },
        "sendToS3": {
          "description": "**Send to S3** *(Required)*\n\nDetermines whether sending SessionManager logs to S3 is enabled. When enabled, the accelerator will send the session manager logs to the central log bucket in the LogArchive account.",
          "type": "boolean"
        }
      },
      "required": [
        "sendToCloudWatchLogs",
        "sendToS3"
      ],
      "additionalProperties": false
    },
    "ISnsConfig": {
      "type": "object",
      "description": "## SNS Configuration\n\nUsed to setup and configure SNS Topics within the LZA environment.\n\n### Example ```yaml snsTopics:   deploymentTargets:     organizationalUnits:       - Root   topics:     - name: Security       emailAddresses:         - SecurityNotifications@example.com ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nDetermines which accounts the SNS topic will be deployed to.\n\n**Note** SNS topics will always be deployed to the Log Archive Account. All email subscriptions will be created in the Log Archive Account. Member accounts will forward their notifications through the Log Archive Account."
        },
        "topics": {
          "description": "**SNS Topic Configuration** *(Required)*\n\nList of SNS Topics to be created by the solution.",
          "items": {
            "$ref": "#/$defs/ISnsTopicConfig"
          },
          "type": "array"
        }
      },
      "required": [
        "deploymentTargets",
        "topics"
      ],
      "additionalProperties": false
    },
    "ISnsTopicConfig": {
      "type": "object",
      "description": "## SNS Topic Configuration\n\nIndividual SNS topic configuration for notifications and alerts within the Landing Zone Accelerator. Topics are used to distribute notifications from CloudWatch Alarms, Security Hub findings, and other AWS services to designated email recipients.\n\n### Example\n\n```yaml topics:   # Security notifications topic   - name: Security     emailAddresses:       - security-team@example.com       - compliance@example.com\n\n  # Operations alerts topic   - name: Operations     emailAddresses:       - ops-team@example.com       - on-call@example.com\n\n  # Executive notifications   - name: Executive     emailAddresses:       - ciso@example.com       - cto@example.com ```",
      "properties": {
        "emailAddresses": {
          "description": "**Email Addresses** *(Required)*\n\nList of email addresses that will receive notifications from this SNS topic. Each email address will receive a subscription confirmation email that must be confirmed before notifications can be delivered.\n\n### Subscription Management\n\n- Subscriptions are created automatically during deployment\n- Each email address receives a confirmation email from AWS\n- Unconfirmed subscriptions appear as \"PendingConfirmation\" in the AWS console\n- Confirmed subscriptions will receive all topic notifications",
          "items": {
            "$ref": "#/$defs/EmailAddress"
          },
          "type": "array"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Topic Name** *(Required)*\n\nUnique identifier for the SNS topic within the deployment scope. This name is used to create the SNS topic and reference it in other configurations."
        }
      },
      "required": [
        "name",
        "emailAddresses"
      ],
      "additionalProperties": false
    },
    "ISqsConfig": {
      "type": "object",
      "description": "## SQS Configuration\n\nConfigure SQS encryption for the solution.\n\n\n### Example ```yaml   encryption:    useCMK: true    deploymentTargets:      organizationalUnits:        - Root ```",
      "properties": {
        "encryption": {
          "$ref": "#/$defs/IServiceEncryptionConfig",
          "description": "**Encryption** *(Optional)*\n\nConfigure the encryption used for SQS queues."
        }
      },
      "additionalProperties": false
    },
    "ISsmInventoryConfig": {
      "type": "object",
      "description": "## SSM Inventory Configuration\n\nEnable SSM Inventory within the deployment.\n\n### Example ```yaml ssmInventoryConfig:   enable: true   deploymentTargets:     organizationalUnits:       - Infrastructure ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nWhich accounts should the current configuration apply to. Can be specified at the account or OU level."
        },
        "enable": {
          "description": "**Enable** *(Required)*\n\nWhether or not to enable SSM Inventory.",
          "type": "boolean"
        }
      },
      "required": [
        "enable",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "ISsmParameterConfig": {
      "type": "object",
      "description": "## SSM Parameter Configuration\n\nThe definition of an SSM parameter.\n\n### Example ```yaml ssmParameters:   - deploymentTargets:       organizationalUnits:         - Workloads     parameters:       - name: WorkloadsSsmParameter         path: /my/custom/path/variable         value: 'MySSMParameterValue' ```",
      "properties": {
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Name** *(Required)*\n\nThe user friendly name of the SSM parameter. This is used to create the CloudFormation Logical ID."
        },
        "path": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Path** *(Required)*\n\nThe path or name used when creating the SSM parameter."
        },
        "value": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Value** *(Required)*\n\nThe value of the SSM Parameter"
        }
      },
      "required": [
        "name",
        "path",
        "value"
      ],
      "additionalProperties": false
    },
    "ISsmParametersConfig": {
      "type": "object",
      "description": "## SSM Parameters Configuration\n\nEnables the creation of standard SSM parameters throughout managed accounts.\n\n### Example ```yaml ssmParameters:   - deploymentTargets:       organizationalUnits:         - Workloads     parameters:       - name: MyWorkloadParameter         path: /my/custom/path/variable         value: 'MySSMParameterValue' ```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nControl which environments the SSM parameters are deployed to."
        },
        "parameters": {
          "description": "**Parameters** *(Required)*\n\nA list of parameters to be created.",
          "items": {
            "$ref": "#/$defs/ISsmParameterConfig"
          },
          "type": "array"
        }
      },
      "required": [
        "parameters",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "IStackPolicyConfig": {
      "type": "object",
      "description": "## CloudFormation Stack Policy Configuration\n\nThe CloudFormation Stack Policy configuration determines how stack resources can be updated or modified during stack operations. When this value is not specified, any existing stack policies will remain in effect and unchanged. The behavior intentionally differs from typical LZA behavior, which assumes false, enabling organizations to manage and maintain stack policies independently through other mechanisms outside of LZA if preferred.\n\n### Example ```yaml stackPolicy:   enable: true   protectedTypes:     - \"AWS::EC2::InternetGateway\"     - \"AWS::EC2::NatGateway\"     - \"AWS::EC2::PrefixList\"     - \"AWS::EC2::Route\"     - \"AWS::EC2::RouteTable\"     - \"AWS::EC2::SubnetRouteTableAssociation\"     - \"AWS::EC2::TransitGateway\"     - \"AWS::EC2::TransitGatewayPeeringAttachment\"     - \"AWS::EC2::TransitGatewayRoute\"     - \"AWS::EC2::TransitGatewayRouteTable\"     - \"AWS::EC2::TransitGatewayRouteTableAssociation\"     - \"AWS::EC2::TransitGatewayRouteTablePropagation\"     - \"AWS::EC2::TransitGatewayVpcAttachment\"     - \"AWS::EC2::VPC\"     - \"AWS::EC2::VPCCidrBlock\"     - \"AWS::EC2::VPCEndpoint\"     - \"AWS::EC2::VPCGatewayAttachment\"     - \"AWS::NetworkFirewall::Firewall\"     - \"AWS::NetworkFirewall::LoggingConfiguration\"     - \"AWS::RAM::ResourceShare\" ```",
      "properties": {
        "enable": {
          "description": "**Enable** *(Required)*\n\nIndicates whether stack policies are enabled for the organization. When enabled, specified resource types will be protected for Update:Replace and Update:Delete operations.",
          "type": "boolean"
        },
        "protectedTypes": {
          "description": "**Protected Types** *(Required)*\n\nA list of CloudFormation resource types that should be protected for Update:Replace and Update:Delete operations.\n\n**Example**: ```yaml protectedTypes:   - \"AWS::EC2::InternetGateway\"   - \"AWS::EC2::NatGateway\" ```",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "enable",
        "protectedTypes"
      ],
      "additionalProperties": false
    },
    "ITag": {
      "type": "object",
      "description": "## AWS Resource Tag Configuration\n\nDefines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.\n\n### Key Features\n\n- **Resource Organization**: Group and categorize resources logically\n- **Cost Allocation**: Track costs by project, department, or environment\n- **Access Control**: Use tags in IAM policies for conditional access\n- **Automation**: Trigger automated actions based on tag values\n- **Compliance**: Meet organizational and regulatory tagging requirements\n\n### Example\n\n```yaml tags:   - key: Environment     value: Production   - key: Project     value: WebApplication   - key: Owner     value: Platform-Team   - key: CostCenter     value: Engineering   - key: Backup     value: Daily ```",
      "properties": {
        "key": {
          "description": "**Tag Key** *(Required)*\n\nThe tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.",
          "type": "string"
        },
        "value": {
          "description": "**Tag Value** *(Required)*\n\nThe tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.",
          "type": "string"
        }
      },
      "required": [
        "key",
        "value"
      ],
      "additionalProperties": false
    },
    "ITransition": {
      "type": "object",
      "description": "## S3 Storage Class Transition Configuration\n\nDefines when and how objects should transition from their current storage class to a different storage class. Used in S3 lifecycle rules to optimize storage costs based on data access patterns and retention requirements.\n\n### Key Components\n\n- **Storage Class**: Target storage class for the transition\n- **Transition Timing**: Number of days after object creation or version change\n\n### Example\n\n```yaml transitions:   - storageClass: STANDARD_IA     transitionAfter: 30   - storageClass: GLACIER     transitionAfter: 365   - storageClass: DEEP_ARCHIVE     transitionAfter: 2555 ```",
      "properties": {
        "storageClass": {
          "$ref": "#/$defs/StorageClass",
          "description": "**Target Storage Class** *(Required)*\n\nThe S3 storage class that objects should transition to after the specified time period."
        },
        "transitionAfter": {
          "description": "**Transition After (Days)** *(Required)*\n\nWhole number of days after object creation (for current versions) or after becoming non-current (for non-current versions) when the transition should occur. S3 requires objects to stay in STANDARD for at least 30 days before a transition to STANDARD_IA or ONEZONE_IA, so smaller values for those classes are rejected when the lifecycle rule is applied.",
          "type": "number"
        }
      },
      "required": [
        "storageClass",
        "transitionAfter"
      ],
      "additionalProperties": false
    },
    "IVaultConfig": {
      "type": "object",
      "description": "## Vault Configuration\n\nEnables the configuration of Backup Vaults' names, policies, and deployment targets.\n\n### Example\n\n```yaml\n- name: BackupVault\n  deploymentTargets:\n    organizationalUnits:\n      - Root\n  policy: policies/backup-vault-policy.json\n```",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "**Deployment Targets** *(Required)*\n\nThe accounts and OUs that the vault should be deployed in."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Name** *(Required)*\n\nThe name of the vault to be created."
        },
        "policy": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "**Policy** *(Optional)*\n\nThe path, relative to the configuration directory, to a JSON file containing the Backup vault access policy. This is a resource-based policy attached to the vault; it is the place to deny recovery-point deletion and vault deletion to principals that should never be able to destroy backups."
        }
      },
      "required": [
        "name",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "NonEmptyString": {
      "description": "## Non-Empty String Type\n\nRepresents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.",
      "minLength": 1,
      "type": "string"
    },
    "NotificationType": {
      "description": "## Notification Type\n\nDefines when budget notifications should be triggered based on spending patterns and forecasting data from AWS Budgets.\n\n### Values\n- **ACTUAL**: Trigger notifications based on actual incurred costs\n- **FORECASTED**: Trigger notifications based on projected/forecasted costs",
      "enum": [
        "ACTUAL",
        "FORECASTED"
      ],
      "type": "string"
    },
    "StorageClass": {
      "description": "## S3 Storage Class Type\n\nDefines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.",
      "enum": [
        "DEEP_ARCHIVE",
        "GLACIER",
        "GLACIER_IR",
        "STANDARD_IA",
        "INTELLIGENT_TIERING",
        "ONEZONE_IA"
      ],
      "type": "string"
    },
    "StreamMode": {
      "enum": [
        "ON_DEMAND",
        "PROVISIONED"
      ],
      "type": "string"
    },
    "SubscriptionType": {
      "description": "## Subscription Type\n\nDefines the delivery mechanism for notifications and alerts from AWS services like Budgets, CloudWatch, and other monitoring services.\n\n### Values\n- **EMAIL**: Send notifications via email to specified addresses\n- **SNS**: Send notifications via Amazon SNS topic\n\n### Considerations\n- **EMAIL**: Simple setup, direct delivery, limited to email addresses\n- **SNS**: More flexible, supports multiple endpoints, requires SNS topic setup",
      "enum": [
        "EMAIL",
        "SNS"
      ],
      "type": "string"
    },
    "ThresholdType": {
      "description": "## Threshold Type\n\nDefines how threshold values should be interpreted in monitoring and alerting configurations, particularly for AWS Budgets and CloudWatch alarms.\n\n### Values\n- **PERCENTAGE**: Threshold as a percentage of the total/baseline value\n- **ABSOLUTE_VALUE**: Threshold as an absolute numeric value",
      "enum": [
        "PERCENTAGE",
        "ABSOLUTE_VALUE"
      ],
      "type": "string"
    }
  }
}
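The `ITag` and `ITransition` definitions above only constrain types (`string`, `number`), so a `global-config.yaml` can pass schema validation and still be rejected by AWS at deployment time. The following is an added example, not part of the Landing Zone Accelerator code base, of the extra checks a practitioner would run over those two fragments before committing the file. The tag limits (128/256 characters, the reserved `aws:` prefix) and the 30-day minimum before an IA transition are documented AWS constraints; the `WATERFALL` ordering is an assumed simplification of which S3 storage-class transitions are allowed in one rule. The sample inputs are constructed from the schema's own examples.

```python
"""Added example (not LZA code): checks for the ITag and ITransition fragments
of global-config.yaml that go beyond what the JSON schema can express."""
import re

TAG_KEY_MAX = 128
TAG_VALUE_MAX = 256
# Characters AWS accepts in tag keys and values: Unicode letters and digits,
# space, and + - = . _ : / @
TAG_CHARS = re.compile(r"^[\w +\-=._:/@]*$")


def check_tags(tags):
    """Return a list of problems for a list of {key, value} tags (empty == OK)."""
    problems = []
    seen = set()
    for i, tag in enumerate(tags):
        key, value = tag.get("key"), tag.get("value")
        if not isinstance(key, str) or not isinstance(value, str):
            problems.append(f"tags[{i}]: key and value must be strings")
            continue
        if not 1 <= len(key) <= TAG_KEY_MAX:
            problems.append(f"tags[{i}]: key length must be 1..{TAG_KEY_MAX}")
        if len(value) > TAG_VALUE_MAX:
            problems.append(f"tags[{i}]: value longer than {TAG_VALUE_MAX} characters")
        if key.lower().startswith("aws:"):
            problems.append(f"tags[{i}]: keys starting with 'aws:' are reserved by AWS")
        for part, text in (("key", key), ("value", value)):
            if not TAG_CHARS.match(text):
                problems.append(f"tags[{i}]: {part} contains a character AWS rejects")
        if key in seen:  # a later duplicate silently overwrites the earlier tag
            problems.append(f"tags[{i}]: duplicate key {key!r}")
        seen.add(key)
    return problems


STORAGE_CLASSES = {"DEEP_ARCHIVE", "GLACIER", "GLACIER_IR", "STANDARD_IA",
                   "INTELLIGENT_TIERING", "ONEZONE_IA"}  # the schema's enum
# ASSUMED simplification of the S3 lifecycle waterfall: within one rule an
# object may only move to a class that appears later in this list.
WATERFALL = ["STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
IA_MIN_DAYS = 30  # S3 requires 30 days in STANDARD before an IA transition


def check_transitions(transitions):
    """Return a list of problems for a list of {storageClass, transitionAfter}."""
    problems = []
    valid = []
    for i, t in enumerate(transitions):
        cls, days = t.get("storageClass"), t.get("transitionAfter")
        if cls not in STORAGE_CLASSES:
            problems.append(f"transitions[{i}]: unknown storageClass {cls!r}")
            continue
        if isinstance(days, bool) or not isinstance(days, int) or days <= 0:
            problems.append(f"transitions[{i}]: transitionAfter must be a positive integer")
            continue
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < IA_MIN_DAYS:
            problems.append(f"transitions[{i}]: {cls} needs transitionAfter >= {IA_MIN_DAYS}")
        valid.append((days, cls, i))
    # S3 applies transitions in day order, so walk the waterfall in that order.
    prev_days, prev_rank = 0, -1
    for days, cls, i in sorted(valid):
        rank = WATERFALL.index(cls)
        if days == prev_days:
            problems.append(f"transitions[{i}]: two transitions on day {days}")
        if rank <= prev_rank:
            problems.append(f"transitions[{i}]: {cls} cannot follow {WATERFALL[prev_rank]}")
        prev_days, prev_rank = days, rank
    return problems


# Constructed samples mirroring the schema's own examples.
SAMPLE_TAGS = [{"key": "Environment", "value": "Production"},
               {"key": "Backup", "value": "Daily"}]
SAMPLE_TRANSITIONS = [{"storageClass": "STANDARD_IA", "transitionAfter": 30},
                      {"storageClass": "GLACIER", "transitionAfter": 365},
                      {"storageClass": "DEEP_ARCHIVE", "transitionAfter": 2555}]

if __name__ == "__main__":
    for name, problems in (("tags", check_tags(SAMPLE_TAGS)),
                           ("transitions", check_transitions(SAMPLE_TRANSITIONS))):
        print(name, "OK" if not problems else problems)
```

Both functions take the already-parsed YAML list (what `yaml.safe_load` would return for the `tags:` or `transitions:` key) and return plain strings, so they can be wired into a pre-commit hook or a CI step without pulling in a JSON Schema library.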

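The `IVaultConfig.policy` field above only says the path must be a non-empty string; nothing checks what the referenced JSON grants. The following is an added example, not part of the Landing Zone Accelerator project, of a lint over that file: it flags an unconditional `Allow` to `Principal: "*"` and requires an explicit `Deny` on the AWS Backup actions used to destroy recovery points or the vault. The action names are real AWS Backup actions; both policy documents are constructed for the example. A `Deny` with `Principal: "*"` also binds the account's own administrators, so if deletion must remain possible for a break-glass role, add a `Condition` on `aws:PrincipalArn` to that statement; the lint still counts such a conditioned `Deny`.

```python
"""Added example (not LZA code): lint for the Backup vault access policy file
that IVaultConfig.policy points at."""
import fnmatch
import json

# Actions whose misuse destroys recovery points or the vault itself.
DESTRUCTIVE_ACTIONS = (
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:DeleteBackupVault",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_vault_policy(policy_json):
    """Return a list of findings for a Backup vault access policy (empty == OK)."""
    doc = json.loads(policy_json)
    findings = []
    denied = set()
    for n, stmt in enumerate(_as_list(doc.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{n}]")
        actions = _as_list(stmt.get("Action", []))
        effect = stmt.get("Effect")
        everyone = _is_everyone(stmt.get("Principal"))
        if effect == "Allow" and everyone and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional Allow to Principal '*'")
        if effect == "Deny" and everyone:
            for act in DESTRUCTIVE_ACTIONS:
                if any(_action_matches(p, act) for p in actions):
                    denied.add(act)
    for act in DESTRUCTIVE_ACTIONS:
        if act not in denied:
            findings.append(f"missing Deny for {act} (Principal '*')")
    return findings


# Constructed sample for policies/backup-vault-policy.json: nobody, including
# the account's own principals, can delete recovery points or the vault.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBackupDestruction",
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(DESTRUCTIVE_ACTIONS),
        "Resource": "*",
    }],
})

# Constructed weak variant: grants everything to anyone and denies nothing.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenVault",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "backup:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, lint_vault_policy(policy) or "OK")
```

A vault access policy is itself replaceable by any principal holding `backup:PutBackupVaultAccessPolicy`, so it protects against mistakes and low-privilege compromise rather than a fully compromised administrator; AWS Backup Vault Lock is the control for that stronger threat model.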