Landing Zone Accelerator on AWS - Network Config

Enable or disable deletion protection.

Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.

The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.

Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( true ) or routed to targets ( false ). The default is false.

Indicates whether the two headers ( x-amzn-tls-version and x-amzn-tls-cipher-suite ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false . The default is false.

Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false . The default is false.

Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is false.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Port of the application load balancer listener

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Application load balancer listener fixed response config It returns a custom HTTP response. Applicable only when type under {@link ApplicationLoadBalancerListenerConfig listener} is fixed-response.

Application Load balancer listener forward config. Used to define forward action. Applicable only when type under {@link ApplicationLoadBalancerListenerConfig listener} is forward.

The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first

Application Load balancer listener redirect config. Used to define redirect action. Applicable only when type under {@link ApplicationLoadBalancerListenerConfig listener} is redirect.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Application Load balancer listener forward config target group stickiness config Applicable only when type under {@link ApplicationLoadBalancerListenerConfig listener} is forward.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).

Indicates whether target group stickiness is enabled.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Security Groups to attach to the Application Load Balancer.

Subnets to launch the Application Load Balancer in.

Application Load Balancer attributes config.

Listeners for Application Load Balancer.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of Gateway Load Balancer configurations.

An array of IPAM configurations.

Use this configuration to define Network Firewalls in your environment. AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you create in Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.

The following example creates a simple Network Firewall rule group, policy, and firewall. The policy and rule group are shared with the entire organization. The firewall endpoints are created in subnets named Subnet-A and Subnet-B in the VPC named Network-Inspection.

Use this configuration to define several features of Route 53 resolver, including resolver endpoints, DNS firewall rule groups, and DNS query logs. Amazon Route 53 Resolver responds recursively to DNS queries from AWS resources for public records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in all VPCs.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

• Account-level targeting: Deploy to specific AWS accounts
• OU-level targeting: Deploy to all accounts within organizational units
• Regional exclusions: Skip specific AWS regions for compliance or cost optimization
• Account exclusions: Exclude specific accounts from broader deployments

Example

yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, add the name www.example.net to a certificate for which the DomainName field is www.example.com if users can reach your site by using either name.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Define the ASN used for the Customer Gateway

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The AWS region to provision the customer gateway in

Define tags for the Customer Gateway

Define the optional VPN Connection configuration

Enable to delete default VPCs.

(OPTIONAL) Include an array of friendly account names to exclude from default VPC deletion.

(OPTIONAL) Include an array of AWS regions to exclude from default VPC deletion.

Target Accounts (Optional)

List of specific account names where resources should be deployed. Use for precise account-level targeting.

Excluded Accounts (Optional)

List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.

Excluded Regions (Optional)

List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.

Organizational Units (Optional)

List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.

An array of friendly account names to deploy the options set.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of regions to deploy the options set.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of IP addresses for domain name servers.

(OPTIONAL An array of IP addresses for NetBIOS servers.

(OPTIONAL) An array of IP addresses for NTP servers.

(OPTIONAL) An array of tags for the options set.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The regions to deploy the rule group to.

An array of DNS firewall rule configurations.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

An array of tags for the rule group.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The priority of the DNS firewall rule.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Configure a time-to-live (TTL) for the override domain. This is the recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of destination services used to store the logs.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

A Border Gateway Protocol (BGP) Autonomous System Number (ASN).

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of transit gateway association configurations. Creates transit gateway attachments for this DX gateway.

(OPTIONAL) An array of virtual interface configurations. Creates virtual interfaces on the DX gateway.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of CIDR prefixes that are allowed to advertise over this transit gateway association.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) The friendly name of TGW route table(s) to associate with this attachment.

(OPTIONAL) The friendly name of TGW route table(s) to propagate routes from this attachment.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

A Border Gateway Protocol (BGP) Autonomous System Number (ASN) for the customer side of the connection.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The region of the virtual interface.

The virtual local area network (VLAN) tag to use for this virtual interface.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Enable SiteLink for this virtual interface.

Default - false

(OPTIONAL) Enable jumbo frames for the virtual interface.

Default - standard 1500 MTU frame size

(OPTIONAL) An array of tags to apply to the virtual interface.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The FMS Notification Channel Configuration

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of endpoints to create.

(OPTIONAL) Specify whether or not a policy is applied to the endpoint. By default, if no policy is specified in the policy property, a default policy is applied. Specifying this option as false will ensure no policy is applied to the endpoint. This property defaults to true if not specified.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of Gateway Load Balancer endpoint configurations.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of friendly names of subnets to deploy the Gateway Load Balancer to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Whether to enable cross-zone load balancing.

(OPTIONAL) Whether to enable deletion protection.

(OPTIONAL) An array of CloudFormation tag objects.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The ICMP code number. A value of -1 indicates all types.

The ICMP type number. A value of -1 indicates all types.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of VPC interface endpoint services to be deployed.

An array of the friendly names of VPC subnets for the endpoints to be deployed.

(OPTIONAL) An array of source CIDRs allowed to communicate with the endpoints.

(OPTIONAL) Enable to define interface endpoints as centralized endpoints.

(OPTIONAL) An array of tag objects for the private hosted zones associated with the VPC Interface endpoints.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Specify whether or not a policy is applied to the endpoint. By default, if no policy is specified in the policy property, a default policy is applied. Specifying this option as false will ensure no policy is applied to the endpoint. This property defaults to true if not specified.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The subnet mask length to request.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The region to deploy the IPAM.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of regions that the IPAM will manage.

An optional array of IPAM pool configurations to create under the IPAM.

(OPTIONAL) An array of IPAM scope configurations to create under the IPAM.

(OPTIONAL) An array of tag objects for the IPAM.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) The default netmask length of IPAM allocations for this pool.

(OPTIONAL) The maximum netmask length of IPAM allocations for this pool.

(OPTIONAL) The minimum netmask length of IPAM allocations for this pool.

(OPTIONAL) An array of tags that are required for resources that use CIDRs from this IPAM pool.

(OPTIONAL) If set to true, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) The AWS Region where you want to make an IPAM pool available for allocations.

An array of CIDR ranges to provision for the IPAM pool.

(OPTIONAL) Determines if a pool is publicly advertisable.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of tag objects for the IPAM pool.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of tag objects for the IPAM scope.

Abort Incomplete Multipart Uploads (Optional)

Number of days after which incomplete multipart uploads are automatically aborted and cleaned up. This helps prevent storage costs from abandoned multipart uploads.

Benefits

• Cost Control: Prevents charges for incomplete upload parts
• Storage Cleanup: Automatically removes orphaned multipart data
• Operational Hygiene: Maintains clean bucket state

Considerations

• Set based on your typical upload patterns and file sizes
• Consider network reliability and upload duration requirements
• Balance between cost control and operational flexibility

Rule Enabled (Optional)

Controls whether this lifecycle rule is active and enforced. Allows you to temporarily disable rules without removing them from the configuration.

Object Expiration (Optional)

Number of days after object creation when objects are permanently deleted from the bucket. This implements automatic data retention policies and helps manage storage costs for time-sensitive data.

Use Cases

• Log Retention: Automatically delete old log files
• Compliance: Enforce data retention policies
• Cost Management: Remove data that's no longer needed
• Regulatory Requirements: Meet data disposal requirements

Important Considerations

• Irreversible: Expired objects are permanently deleted
• Compliance: Ensure retention periods meet regulatory requirements
• Business Needs: Consider future data access requirements
• Backup Strategy: Ensure critical data is backed up before expiration

Expired Object Delete Marker Cleanup (Optional)

Controls whether S3 automatically removes delete markers that have no non-current versions. This helps clean up versioned buckets and reduce storage costs from orphaned delete markers.

Benefits When Enabled

• Cost Reduction: Eliminates charges for orphaned delete markers
• Storage Optimization: Keeps bucket metadata clean
• Operational Efficiency: Reduces clutter in versioned buckets

Rule Identifier (Optional)

Unique, human-readable name for the lifecycle rule within the bucket. Used for rule identification, management, and troubleshooting.

Non-Current Version Expiration (Optional)

Number of days after an object version becomes non-current when it should be permanently deleted. This manages storage costs for versioned buckets by cleaning up old object versions.

Considerations

• Recovery Needs: Balance cost vs. ability to recover old versions
• Compliance: Some regulations require version retention
• Storage Costs: Non-current versions incur full storage charges
• Access Patterns: Consider how often old versions are accessed

Non-Current Version Transitions (Optional)

Array of transition rules that specify when non-current object versions should move to different storage classes. This optimizes costs for versioned buckets by moving old versions to cheaper storage.

Storage Class Optimization

Non-current versions are typically accessed less frequently than current versions, making them ideal candidates for cheaper storage classes.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Current Version Transitions (Optional)

Array of transition rules that specify when current objects should move to different storage classes. This implements cost optimization strategies based on data access patterns and age.

Cost Optimization Strategy

Design transitions based on your data access patterns:

• Frequently Accessed: Keep in Standard storage
• Infrequently Accessed: Transition to Standard-IA
• Archive Data: Move to Glacier or Deep Archive
• Long-term Retention: Use Deep Archive for lowest cost

(OPTIONAL) An array of Application Load Balancer (ALB) configurations. Use this property to define ALBs to be deployed in the specified VPC subnets.

(OPTIONAL) An array of Network Load Balancer (NLB) configurations. Use this property to define NLBs to be deployed in the specified VPC subnets.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The route tables for the Local Gateway

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Set true to define a NAT gateway with private connectivity type

(OPTIONAL) An array of tag objects for the NAT Gateway.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

A list of subnets to associate with the Network ACL

(OPTIONAL) A list of inbound rules to define for the Network ACL

(OPTIONAL) A list of outbound rules to define for the Network ACL

(OPTIONAL) A list of tags to attach to the Network ACL

Allow/Deny Type

Represents permission states for access control and policy configurations. Used throughout the Landing Zone Accelerator for defining access permissions.

Values

• allow: Grant permission or enable access
• deny: Deny permission or block access

The {@link https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml IANA protocol number } for the network ACL rule. You may also specify -1 for all protocols.

The rule ID number for the rule.

The source of the network ACL rule.

The port to start from in the network ACL rule.

(OPTIONAL) The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.

The port to end with in the network ACL rule.

Allow/Deny Type

Represents permission states for access control and policy configurations. Used throughout the Landing Zone Accelerator for defining access permissions.

Values

• allow: Grant permission or enable access
• deny: Deny permission or block access

The destination of the network ACL rule.

The {@link https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml IANA protocol number } for the network ACL rule. You may also specify -1 for all protocols.

The rule ID number for the rule.

The port to start from in the network ACL rule.

(OPTIONAL) The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.

The port to end with in the network ACL rule.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Indicates whether to target the IPv6 CIDR associated with a subnet.

(OPTIONAL) The region that the subnet is located in.

Use this configuration to delete default VPCs in your environment.

A list of VPC configurations. An array of VPC endpoint policies.

An array of Transit Gateway configurations.

An array of VPC configurations.

A map between account Id and all the VPC Endpoint IDs in the account.

Currently, the dynamic values will only be loaded in FinalizeStack for SCP finalization. Only the account VPC Endpoints referred by ACCEL_LOOKUP in SCPs will be loaded.

A map between account Id and all the VPC IDs in the account.

Currently, the dynamic values will only be loaded in FinalizeStack for SCP finalization. Only the account VPCs referred in SCPs by ACCEL_LOOKUP will be loaded.

Central network services configuration. Use this configuration to define centralized networking services for your environment. Central network services enables you to easily designate a central account that owns your core network infrastructure. These network resources can be shared with other accounts in your organization so that workload accounts can consume them.

Certificate manager configuration

An array of Customer Gateway configurations.

An optional list of DHCP options set configurations.

An optional array of Direct Connect Gateway configurations.

An optional ELB root account ID

An optional Firewall Manager Service Config

Accelerator home region name.

An optional list of prefix list set configurations.

An array of Transit Gateway Connect configurations.

Transit Gateway peering configuration.

VPC Flow Logs Configuration Interface

Interface for AWS VPC Flow Logs configuration, which captures information about IP traffic flowing to and from network interfaces in your VPCs. Flow logs provide visibility into network traffic patterns, security analysis, and troubleshooting capabilities.

Key Features

• Traffic Visibility: Monitor all network traffic in your VPCs
• Security Analysis: Detect suspicious traffic patterns and potential threats
• Compliance: Meet regulatory requirements for network monitoring
• Troubleshooting: Diagnose connectivity and performance issues
• Cost Optimization: Analyze traffic patterns to optimize network costs

Supported Destinations

• Amazon S3: Cost-effective long-term storage and analysis
• CloudWatch Logs: Real-time monitoring and alerting capabilities
• Dual Destination: Send logs to both S3 and CloudWatch simultaneously

Learn more about VPC Flow Logs.

An optional list of VPC peering configurations

An optional list of VPC template configurations

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Subnets to launch the Network Load Balancer in.

Cross Zone load balancing for Network Load Balancer.

Deletion protection for Network Load Balancer.

Listeners for Network Load Balancer.

An array of Network Firewall firewall configurations.

An array of Network Firewall policy configurations.

An array of Network Firewall rule group configurations.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of the friendly names of subnets to deploy Network Firewall to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Enable for deletion protection on the firewall.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Enable to disallow firewall policy changes.

(OPTIONAL) An array of Network Firewall logging configurations.

(OPTIONAL) Enable to disallow firewall subnet changes.

(OPTIONAL) An array of tags for the firewall.

Use this configuration to define how the Network Firewall policy will behave. An AWS Network Firewall firewall policy defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The regions to deploy the policy to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

(OPTIONAL) An array of tags for the policy.

An array of default actions to take on packets evaluated by the stateless engine.

An array of default actions to take on fragmented packets.

(OPTIONAL) An array of default actions to take on packets evaluated by the stateful engine.

{OPTIONAL) An array of Network Firewall stateful rule group reference configurations.

(OPTIONAL) An array of Network Firewall custom action configurations.

(OPTIONAL) An array of Network Firewall stateless rule group reference configurations.

Log Destination Type

Defines the supported destinations for storing and processing log data from various AWS services like VPC Flow Logs, CloudTrail, and other logging services.

Values

• s3: Amazon S3 for cost-effective long-term storage and batch analysis
• cloud-watch-logs: CloudWatch Logs for real-time monitoring and alerting

The capacity of the rule group.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The regions to deploy the rule group to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Network Firewall rule group rule configuration. Used to define rules for a Network Firewall rule group.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

(OPTIONAL) An array of tags for the rule group.

Network Firewall rule source configuration. Use this configuration to define stateful and/or stateless rules for your Network Firewall. The following rules sources are supported:

• File with list of Suricata-compatible rules
• Domain list
• Single Suricata-compatible rule
• Stateful rule in IP header format
• Stateless rules and custom actions

Use this configuration to define rule variable definitions for Network Firewall. Rule variables can be used in Suricata-compatible and domain list rule definitions. They are not supported in stateful rule IP header definitions.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Use this configuration to define DNS domain allow and deny lists for Network Firewall. Domain lists allow you to configure domain name filtering for your Network Firewall.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of Network Firewall stateful rule IP header configurations. Use this property to define a stateful rule in IP header format for Network Firewall.

Use this configuration to define stateless rules and custom actions for Network Firewall.

Use this configuration to define custom CloudWatch metrics for Network Firewall. You can optionally specify a named custom action to apply. For this action, Network Firewall assigns a dimension to Amazon CloudWatch metrics with the name set to CustomAction and a value that you specify.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Use this configuration to define custom action dimensions to log in CloudWatch metrics. You can optionally specify a named custom action to apply. For this action, Network Firewall assigns a dimension to Amazon CloudWatch metrics with the name set to CustomAction and a value that you specify.

An array of values of the custom metric dimensions to log.

An array of protocol types to inspect.

An array of target domain names.

Use this configuration to define stateful rules for Network Firewall in an IP packet header format. This header format can be used instead of Suricata-compatible rules to define your stateful firewall filtering behavior.

An array of Network Firewall stateful rule options configurations.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of values for the keyword.

(OPTIONAL) An array of Network Firewall stateless port range configurations.

(OPTIONAL) An array of destination CIDR ranges to inspect for.

(OPTIONAL) An array of IP protocol numbers to inspect for.

(OPTIONAL) An array of Network Firewall stateless port range configurations.

(OPTIONAL) An array of source CIDR ranges to inspect for.

(OPTIONAL) An array of Network Firewall stateless TCP flag configurations.

The port to start from in the range.

The port to end with in the range.

The priority number for the rule.

Use this configuration to define a stateless rule definition for your Network Firewall.

An array of actions to take using the stateless rule engine.

Use this configuration to define stateless rule match attributes for Network Firewall. To be a match, a packet must satisfy all of the match settings in the rule.

An array of TCP flags.

The set of flags to consider in the inspection.

A Network Firewall rule variable definition configuration.

A Network Firewall rule variable definition configuration.

An array of values for the rule variable.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) If using strict ordering, a priority number for the rule.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

A priority number for the rule.

An array of Network Firewall stateless rule configurations.

An array of Network Firewall custom action configurations.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Port where the traffic is directed to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The availability zone where the Outpost resides

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Use this configuration to reference existing local gateways for your Outposts. The local gateway for your Outpost rack enables connectivity from your Outpost subnets to all AWS services that are available in the parent Region, in the same way that you access them from an Availability Zone subnet.

(OPTIONAL) An array of permitted Diffie-Hellman group numbers used in the IKE Phase 1 for initial authentication.

Default - [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]

(OPTIONAL) An array of encryption algorithms permitted for IKE Phase 1 negotiations.

Default - [AES128, AES256, AES128-GCM-16, AES256-GCM-16]

(OPTIONAL) An array of integrity algorithms permitted for IKE Phase 1 negotiations.

Default - [SHA1, SHA2-256, SHA2-384, SHA2-512]

(OPTIONAL) The IKE Phase 1 lifetime (in seconds) for the VPN tunnel.

Default: 28800 (8 hours)

(OPTIONAL) An array of permitted Diffie-Hellman group numbers used in the IKE Phase 2 negotiations.

Default - [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]

(OPTIONAL) An array of encryption algorithms permitted for IKE Phase 2 negotiations.

Default - [AES128, AES256, AES128-GCM-16, AES256-GCM-16]

(OPTIONAL) An array of integrity algorithms permitted for IKE Phase 2 negotiations.

Default - [SHA1, SHA2-256, SHA2-384, SHA2-512]

(OPTIONAL) The IKE Phase 2 lifetime (in seconds) for the VPN tunnel.

Default: 3600 (1 hour)

An array of CIDR entries for the prefix list.

The maximum allowed entries in the prefix list.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(DEPRECATED) An array of friendly names for the accounts the prefix list is deployed.

Deployment Targets Interface

Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.

Key Features

• Account-level targeting: Deploy to specific AWS accounts
• OU-level targeting: Deploy to all accounts within organizational units
• Regional exclusions: Skip specific AWS regions for compliance or cost optimization
• Account exclusions: Exclude specific accounts from broader deployments

Example

yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1

(DEPRECATED) An array of region names for the prefix list to be deployed.

(OPTIONAL) An array of tag objects for the prefix list.

An array of the friendly names of prefix lists to reference.

(OPTIONAL) An array of Route 53 resolver endpoint configurations.

(OPTIONAL) An array of Route 53 DNS firewall rule group configurations.

Use this configuration to define a centralized query logging configuration that can be associated with VPCs in your environment. You can use this configuration to log queries that originate from your VPCs, queries to your inbound and outbound resolver endpoints, and queries that use Route 53 Resolver DNS firewall to allow, block, or monitor domain lists.

The following example creates a query logging configuration that logs to both S3 and a CloudWatch Logs log group. It is shared with the entire organization.

(OPTIONAL) An array of Route 53 resolver rules.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of friendly names for subnets to deploy the resolver endpoint to.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) The allowed ingress/egress CIDRs for the resolver endpoint security group.

(OPTIONAL) An array of DNS Queries over HTTPS (DoH) Protocols to apply to the Route 53 Resolver Endpoints.

(OPTIONAL) An array of resolver rule configurations for the endpoint.

(OPTIONAL) An array of tags for the resolver endpoint.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Regions to exclude from SYSTEM rule deployment.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

(OPTIONAL) An array of tags for the resolver rule.

(OPTIONAL) An array of target IP configurations for the resolver rule.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of VPC route table entry configuration objects.

(OPTIONAL) An array of tag objects for the VPC route table.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The Availability Zone (AZ) the target resides in.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of security group rule configurations for ingress rules.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of security group rule configurations for egress rules.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of tag objects for the security group.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of sources for the security group rule.

(OPTIONAL) The port to start from in the security group rule.

(OPTIONAL) An array of custom IP Protocols for the security group rule

(OPTIONAL) An array of TCP ports to include in the security group rule.

(OPTIONAL) The port to end with in the security group rule.

(OPTIONAL) An array of port/protocol types to include in the security group rule.

(OPTIONAL) An array of UDP ports to include in the security group rule.

An array of the friendly names of security group rules to reference.

Target Accounts (Optional)

List of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.

Organizational Units (Optional)

List of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Indicates whether a network interface created in this subnet receives an IPv6 address on creation.

The Availability Zone (AZ) the subnet resides in.

(OPTIONAL) Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.

For more information, see {@link https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64 DNS64 and NAT64 } in the Amazon Virtual Private Cloud User Guide.

Use this configuration to dynamically assign a VPC or subnet CIDR from an IPAM pool.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Configure automatic mapping of public IPs.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Use this configuration to define custom DNS name settings for your VPC subnets.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

(OPTIONAL) An array of tag objects for the VPC subnet.

(OPTIONAL) Indicates whether to respond to DNS queries for instance hostname with DNS AAAA records.

(OPTIONAL) Indicates whether to respond to DNS queries for instance hostnames with DNS A records.

The type of hostname for EC2 instances.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of the friendly names of subnets to reference.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) Indicates whether to target the IPv6 CIDR associated with a subnet.

Tag Key (Required)

The tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.

Tag Value (Required)

The tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.

The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.

The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.

The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.

Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. The following attribute is supported only by Network Load Balancers.

Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.

The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.

Indicates whether target stickiness is enabled. The value is true or false. The default is false.

The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is traffic-port, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80.

The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2–120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The port on which the targets receive traffic.

Set attributes for target group.

Configure health check for target group.

Add the ability to target an NLB created by the Landing Zone Accelerator

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

Target group targets. These targets should be the friendly names assigned to firewall instances.

Configure health check threshold for target group.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The number of consecutive health check successes required before considering a target healthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 5. For target groups with a protocol of GENEVE, the default is 3.

The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 3.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

An array of the friendly names of VPC subnets for the attachment to be deployed.

Use this configuration to target a Transit Gateway when defining an attachment for your VPC.

Used to specify advanced options for the VPC attachment.

The friendly name of a Transit Gateway route table to associate the attachment to.

An array of friendly names of Transit Gateway route tables to propagate the attachment.

(OPTIONAL) An array of tag objects for the Transit Gateway attachment.

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

A Border Gateway Protocol (BGP) Autonomous System Number (ASN).

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

The region name to deploy the Transit Gateway.

An array of Transit Gateway route table configuration objects.

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Enable/Disable Type

Represents activation states for features and services throughout the Landing Zone Accelerator configuration.

Values

• enable: Activate the feature or service
• disable: Deactivate the feature or service

Resource Access Manager (RAM) Share Targets Interface

Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.

Key Features

• Cross-Account Sharing: Share resources across multiple AWS accounts
• OU-Level Sharing: Share with entire organizational units at once
• Centralized Management: Manage shared resources from a central account
• Cost Optimization: Avoid resource duplication across accounts
• Security: Maintain resource ownership while enabling controlled access

Example

yaml shareTargets: organizationalUnits: - Root

Learn more about AWS Resource Access Manager.

(OPTIONAL) An array of tag objects for the Transit Gateway.

(OPTIONAL) A list of transit gateway IPv4 CIDR blocks.

Transit Gateway Flow Logs Configuration Interface

Interface for AWS Transit Gateway Flow Logs configuration, which captures information about IP traffic flowing to and from Transit Gateways . Flow logs provide visibility into network traffic patterns, security analysis, and troubleshooting capabilities.

Key Features

• Traffic Visibility: Monitor all Transit Gateway network traffic
• Security Analysis: Detect suspicious traffic patterns and potential threats
• Compliance: Meet regulatory requirements for network monitoring
• Troubleshooting: Diagnose connectivity and performance issues
• Cost Optimization: Analyze traffic patterns to optimize network costs

Supported Destinations

• Amazon S3: Cost-effective long-term storage and analysis
• CloudWatch Logs: Real-time monitoring and alerting capabilities
• Dual Destination: Send logs to both S3 and CloudWatch simultaneously

Learn more about Transit Gateway Flow Logs.

(OPTIONAL) A list of transit gateway IPv6 CIDR blocks.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Use this configuration to target a Transit Gateway when defining an attachment for your VPC.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

(OPTIONAL) An array of tag objects for the Transit Gateway attachment.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Non-Empty String Type

Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.

Custom Fields (Required when defaultFormat is false)

Array of specific fields to include in flow log records when using custom format. This allows you to capture exactly the network information needed for your use cases.

Use Default Format (Required)

Controls whether to use the AWS default flow log format or a custom format with specific fields. When false, allows customization of logged fields.

Log Destinations (Required)

Array of destination services where Transit Gateway flow logs should be delivered. You can send logs to one or both supported destinations simultaneously.

Maximum Aggregation Interval (Required)

The maximum interval in seconds for aggregating flow log records before they are captured and delivered to the destination. This value must be 60 for Transit Gateway Flow Logs

VPC Flow Logs Destination Configuration Interface

Configuration interface for VPC Flow Logs destination settings, supporting both S3 and CloudWatch Logs destinations. Allows fine-grained control over how flow logs are stored, retained, and processed.

Supported Destinations

• S3: Cost-effective long-term storage with lifecycle management
• CloudWatch Logs: Real-time monitoring with immediate alerting capabilities
• Dual Destination: Send to both S3 and CloudWatch simultaneously

Example

yaml destinationsConfig: s3: lifecycleRules: - enabled: true expiration: 2555 transitions: - storageClass: GLACIER transitionAfter: 365 cloudWatchLogs: retentionInDays: 365 kms: flow-logs-key