Landing Zone Accelerator on AWS - Organization Config
Used to manage all of the organization units in the AWS Organization
| Type | IOrganizationConfig |
|---|---|
| File match |
organization-config.yaml
|
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-organization-config/latest.json |
| Source | https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/organization-config.json |
Validate with Lintel
npx @lintel/lintel checkDefinitions
Configuration structure for backup policies that enforce consistent data protection across your organization. Backup policies help deploy organization-wide backup plans to ensure compliance and data recovery capabilities.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration structure for chatbot policies that control AWS account access from chat applications. Chatbot policies help manage permissions and security for integrations with Slack, Microsoft Teams, and other chat platforms.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration structure for declarative policies that manage AWS service settings.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Organization configuration
Defines organizational structure and governance policies to be deployed across your multi-account environment. Controls whether organizational management is enabled and specifies the account hierarchy, security policies, and automated controls that will be applied.
Backup policy configurations that enforce organization-wide backup requirements across organizational units. These policies ensure consistent backup strategies and compliance across accounts. The policy content is loaded from a JSON file from the path specified and deployed to the specified organizational units. File must exist in the configuration repository.
Controls whether AWS Organizations features are enabled for the management account. When set to true, enables the organizational structure and policies defined in this configuration.
List of Organizational Units to be created or managed. Supports nested organizational unit structures using forward slash notation.
Service Control Policy configurations that define maximum permissions for users and roles. SCPs act as guardrails to prevent certain actions. The policy content is loaded from a JSON file from the path specified and deployed to the specified organizational units. File must exist in the configuration repository.
Tagging policy configurations that standardize tags across resources in organizational units. The policy content is loaded from a JSON file from the path specified and deployed to the specified organizational units. File must exist in the configuration repository.
Chat applications policy configurations that control access to organization accounts from chat applications. These policies enforce which chat applications can be used and restrict access to specific workspaces and channels. The policy content is loaded from a JSON file from the path specified and deployed to the specified organizational units. File must exist in the configuration repository.
Declarative policy configurations that manage AWS service settings across organizational units. The policy content is loaded from a JSON file from the path specified. File must exist in the configuration repository.
Optionally provide a list of Organizational Unit IDs to bypass the usage of the AWS Organizations Client lookup. This is not a readonly member since we will initialize it with values if it is not provided.
Configuration for automatically applying quarantine policies to newly created accounts. When enabled, applies a specified Service Control Policy to all new accounts for security isolation until proper setup is completed.
2 nested properties
Controls whether quarantine policies are automatically applied to newly created accounts. When enabled, all accounts created by any means will have the specified SCP applied for security isolation.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Resource Control Policy configurations for controlling access to AWS resources. RCPs help establish data perimeters and restrict resource access patterns. The policy content is loaded from a JSON file from the path specified and deployed to the specified organizational units. File must exist in the configuration repository.
Configuration for defining organizational units within your AWS organization structure. Organizational units provide hierarchical grouping of accounts and enable targeted application of governance policies.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
When set to true, excludes this organizational unit and its associated accounts from processing. Defaults to false if not specified.
Configuration for mapping organizational unit names to their AWS identifiers. Provides a way to bypass AWS Organizations API lookups by explicitly defining OU IDs and ARNs.
Organizational unit id configuration
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Optional AWS Organizations API response data. Contains the raw response from the Organizations service.
Configuration for automatically applying quarantine policies to newly created accounts. When enabled, applies a specified Service Control Policy to all new accounts for security isolation until proper setup is completed.
Controls whether quarantine policies are automatically applied to newly created accounts. When enabled, all accounts created by any means will have the specified SCP applied for security isolation.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration structure for resource control policies that establish data perimeters and control resource access.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Defines how the resource control policy is evaluated - either deny-list (default) or allow-list. Deny-list blocks specified resources, allow-list only permits specified resources. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_evaluation.html
Configuration structure for service control policies that define permission guardrails for AWS accounts. SCPs help establish security boundaries by controlling what actions users and roles can perform.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Specifies whether this is an AWS-managed or customer-managed policy. AWS-managed policies are predefined by AWS, customer-managed policies are custom.
Defines how the service control policy is evaluated - either deny-list (default) or allow-list. Deny-list blocks specified actions, allow-list only permits specified actions.
Configuration structure for tagging policies that enforce consistent tag standards across your organization. Tagging policies help standardize tag keys, values, and capitalization on all tagged resources and define what values are allowed.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
yaml deploymentTargets: organizationalUnits: - Production - Development excludedAccounts: - Management excludedRegions: - us-west-1
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Contains details about an organizational unit (OU). An OU is a container of Amazon Web Services accounts within a root of an organization. Policies that are attached to an OU apply to all accounts contained in that OU and in any child OUs.
The Amazon Resource Name (ARN) of this OU.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.
The unique identifier (ID) associated with this OU. The ID is unique to the organization only.
The regex pattern for an organizational unit ID string requires "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
The friendly name of this OU.
The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.
Contains details about a root. A root is a top-level parent node in the hierarchy of an organization that can contain organizational units (OUs) and accounts. The root contains every Amazon Web Services account in the organization.
The Amazon Resource Name (ARN) of the root.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.
The unique identifier (ID) for the root. The ID is unique to the organization only.
The regex pattern for a root ID string requires "r-" followed by from 4 to 32 lowercase letters or digits.
The friendly name of the root.
The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.
The types of policies that are currently enabled for the root and therefore can be attached to the root or to its OUs or accounts.
Even if a policy type is shown as available in the organization, you can separately enable and disable them at the root level by using EnablePolicyType and DisablePolicyType. Use DescribeOrganization to see the availability of the policy types in that organization.