Landing Zone Accelerator on AWS - Security Config
Used to manage configuration of AWS security services
| Type | ISecurityConfig |
|---|---|
| File match | security-config.yaml |
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-security-config/latest.json |
| Source | https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/security-config.json |
Validate with Lintel
npx @lintel/lintel check
Definitions
Configuration for AWS Identity and Access Management (IAM) Access Analyzer that identifies resources with external access and helps implement least privilege by analyzing resource policies for security risks.
Controls whether AWS IAM Access Analyzer is enabled across your organization.
Configuration for CloudWatch alarms that monitor metrics and trigger notifications when thresholds are breached.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The number of consecutive periods over which the threshold must be breached for the alarm to trigger.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The length of each evaluation period in seconds.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The threshold value that the metric statistic is compared against to determine alarm state. When the metric breaches this threshold according to the comparison operator, the alarm will transition to the ALARM state and trigger notifications.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for a set of CloudWatch alarms that will be deployed together to specific regions and organizational units.
Array of CloudWatch alarm configurations to deploy as part of this alarm set.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
AWS regions where the CloudWatch alarms will be deployed.
Configuration for AWS Audit Manager, a service that helps you continually audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards. Use this configuration to enable AWS Audit Manager for an AWS Organization. Audit Manager automates evidence collection so you can more easily assess whether your policies, procedures, and activities are operating effectively.
Configuration for specifying where AWS Audit Manager stores compliance assessment reports. Use this configuration to enable a destination for reports generated by AWS Audit Manager.
2 nested properties
The type of resource for storing audit reports. Currently only Amazon S3 buckets are supported.
Controls whether AWS Audit Manager Default Reports destination is enabled. When enabled, compliance reports are automatically saved to the specified destination for audit trail purposes.
Controls whether AWS Audit Manager is enabled across your organization.
List of AWS regions where Audit Manager should not be enabled.
S3 lifecycle rules that automatically manage the retention and deletion of Audit Manager reports and evidence stored in S3.
Configuration for specifying where AWS Audit Manager stores compliance assessment reports. Use this configuration to enable a destination for reports generated by AWS Audit Manager.
The type of resource for storing audit reports. Currently only Amazon S3 buckets are supported.
Controls whether AWS Audit Manager Default Reports destination is enabled. When enabled, compliance reports are automatically saved to the specified destination for audit trail purposes.
Configuration for AWS Config service that enables continuous monitoring and assessment of AWS resource configurations for compliance, security, and governance. This service records configuration changes, evaluates resources against compliance rules, and provides centralized visibility into your AWS environment's configuration state.
Controls whether the AWS Config configuration recorder is enabled to track resource changes.
Configuration for AWS Config aggregation that centralizes compliance data from multiple accounts and regions into a single location for organization-wide visibility and reporting. This enables centralized compliance monitoring and simplifies governance oversight across your entire AWS Organization.
2 nested properties
Controls whether AWS Config aggregation is enabled across your organization. When enabled, compliance data from all accounts and regions will be centralized for unified reporting and governance oversight.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Controls whether the delivery channel is enabled for sending configuration changes to S3.
Controls whether to override existing Config recorder settings in accounts that already have Config enabled.
Array of Config rule sets that define compliance checks to be deployed across your organization.
Controls whether to use AWS service-linked roles for Config instead of custom IAM roles created by LZA.
Configuration for AWS Config aggregation that centralizes compliance data from multiple accounts and regions into a single location for organization-wide visibility and reporting. This enables centralized compliance monitoring and simplifies governance oversight across your entire AWS Organization.
Controls whether AWS Config aggregation is enabled across your organization. When enabled, compliance data from all accounts and regions will be centralized for unified reporting and governance oversight.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for a set of AWS Config rules that will be deployed together to specific organizational units or accounts.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Array of AWS Config rules to deploy as part of this rule set.
This interface defines the SSM Block Public Document Sharing configuration for organization accounts. SSM Block Public Document Sharing prevents AWS Systems Manager documents from being shared publicly, providing an additional layer of security for organizations. The feature operates on a per-region basis and is applied across all enabled regions for comprehensive protection.
Indicates whether SSM Block Public Document Sharing is enabled across the organization. When true, public sharing of SSM documents is blocked in every account except those listed in excludeAccounts. When false, LZA does not apply the block and public document sharing remains possible in all accounts. The setting is applied in all enabled regions.
List of AWS Account names to be excluded from SSM Block Public Document Sharing configuration. Accounts in this list will have public document sharing allowed regardless of the enable setting. Account names must match those defined in the accounts configuration. Exclusions are applied across all enabled regions.
Configuration for centralized security services that provides organization-wide security controls and monitoring capabilities. This configuration enables and manages core AWS security services including GuardDuty, Security Hub, Macie, Detective, and Audit Manager across your entire AWS Organization. It establishes a centralized security posture with consistent policies, automated threat detection, compliance monitoring, and unified security findings management to help organizations maintain strong security governance at scale.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for enabling automatic encryption of all new EBS volumes and snapshots in your AWS environment.
4 nested properties
Controls whether EBS default volume encryption is enabled. When enabled, all new EBS volumes created in the specified accounts and regions will be encrypted by default.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
List of AWS regions where EBS default volume encryption should not be enabled.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for Amazon GuardDuty, a threat detection service that monitors your AWS environment for malicious activity. Use this configuration to enable Amazon GuardDuty for an AWS Organization and configure which AWS services should be monitored for security threats.
12 nested properties
Controls whether GuardDuty is enabled across your organization to monitor for security threats.
Configuration for exporting GuardDuty security findings to an Amazon S3 bucket for long-term storage and analysis.
5 nested properties
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
Controls whether GuardDuty findings are automatically exported to an S3 bucket.
An enum value that specifies how frequently findings are exported to the S3 bucket. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS.
Controls whether existing export configurations can be overwritten with new settings.
Centralized Logging Prefix Configuration Interface
Configuration interface for customizing the S3 prefix structure used in centralized logging buckets. Allows organizations to override the default LZA logging path structure to meet specific organizational or compliance requirements.
Key Features
- Custom Prefixes: Override default LZA logging path structure
- Organizational Alignment: Align with existing logging conventions
- Compliance: Meet specific regulatory path requirements
- Flexibility: Maintain consistency across different log types
Example
```yaml
prefixConfig:
  useCustomPrefix: true
  customOverride: compliance/audit-logs
```
Configuration for Amazon GuardDuty S3 Protection, which monitors object-level S3 API operations for suspicious or malicious activity against data in your S3 buckets. Use this configuration to enable S3 Protection for the organization.
2 nested properties
Controls whether GuardDuty S3 protection is enabled to monitor your S3 buckets for suspicious activity.
List of AWS regions where Amazon GuardDuty S3 protection should not be enabled.
Controls whether GuardDuty is automatically enabled for new accounts joining the organization.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Configuration for GuardDuty for EC2 malware protection that scans EC2 instances and EBS volumes for malicious software. EC2 Malware Protection helps you detect malware and other security threats on your EC2 instances.
3 nested properties
Controls whether GuardDuty EC2 Malware Protection is enabled to scan your EC2 instances for malware.
Controls whether the EBS snapshots created during malware scanning are retained. When enabled, the snapshots are kept after the scan completes.
List of AWS regions where GuardDuty EC2 Malware Protection should not be enabled.
Configuration for GuardDuty EKS (Elastic Kubernetes Service) protection that monitors Amazon Elastic Kubernetes Service clusters for security threats. EKS Protection helps you detect potential security risks in Amazon EKS clusters.
3 nested properties
Controls whether GuardDuty EKS Protection is enabled to monitor your EKS clusters for security threats.
List of AWS regions where GuardDuty EKS protection should not be enabled.
Controls whether the GuardDuty EKS Agent is managed.
List of AWS regions where GuardDuty should not be enabled.
Configuration for Amazon GuardDuty Lambda Protection, which monitors the network activity of your Lambda functions for security threats.
2 nested properties
Controls whether GuardDuty Lambda Protection is enabled to monitor your Lambda functions for security threats.
List of AWS regions where GuardDuty Lambda Protection should not be enabled.
S3 lifecycle rules that automatically manage the retention and deletion of GuardDuty findings stored in S3.
Configuration for GuardDuty RDS (Relational Database Service) protection that monitors Amazon RDS instances for security threats. RDS Protection helps you detect potential security risks in your RDS databases.
2 nested properties
Controls whether GuardDuty RDS Protection is enabled to monitor your RDS databases for security threats.
List of AWS regions where GuardDuty RDS Protection should not be enabled.
Use this configuration to define an Amazon GuardDuty Malware Protection for S3 plan for an Amazon S3 bucket.
2 nested properties
Indicates whether Amazon GuardDuty Malware Protection for S3 is enabled.
(OPTIONAL) The S3 Malware Protection Configuration. Provide this configuration when enabling this feature.
Configuration for Amazon Macie, a data security service that discovers, classifies, and protects sensitive data. Use this configuration to enable Amazon Macie within your AWS Organization along with its reporting configuration.
6 nested properties
Controls whether Amazon Macie is enabled across your organization.
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. Default value is false.
List of AWS Region names to be excluded from configuring Amazon Macie.
Declaration of S3 Lifecycle rules that automatically manage the retention and deletion for Macie findings reports stored in S3.
Specifies how frequently findings are published to Security Hub. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS
Specifies whether to publish policy findings to Security Hub and EventBridge.
Configuration for preventing accidental public exposure of S3 buckets and objects across your organization. When enabled, this setting applies organization-wide security guardrails that prevent users from accidentally making S3 buckets or objects publicly accessible.
2 nested properties
Indicates whether S3 public access blocking is enforced across all accounts in your organization.
List of AWS account names that should be exempted from S3 public access blocking requirements.
Configuration for AWS Security Hub, a centralized security findings management service that aggregates security alerts from multiple AWS security services. Use this configuration to enable Security Hub for an AWS Organization along with its auditing configuration.
10 nested properties
Controls whether AWS Security Hub is enabled across your organization.
List of security and compliance standards that Security Hub will monitor across your organization.
Controls whether Security Hub is automatically enabled for new accounts joining the organization.
Configuration for Security Hub automation rules that automatically update findings based on specified criteria.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
List of AWS regions where Security Hub should not be enabled.
Configuration for Security Hub logging destinations that determines where security findings are stored for analysis. This configuration allows you to centralize Security Hub findings in CloudWatch Logs for integration with your monitoring and alerting infrastructure.
1 nested property
Configuration for forwarding Security Hub findings to CloudWatch for centralized monitoring and analysis.
Minimum severity level for findings that will trigger SNS notifications.
Controls whether Security Hub findings from all regions are aggregated in your organization's home region.
Name of the SNS topic that will receive Security Hub notifications.
Configuration for AWS Systems Manager (SSM) automation that enables centralized management and distribution of SSM documents across your AWS Organization.
2 nested properties
Array of document sets that define which SSM documents to create and share across organizational units.
List of AWS regions where SSM automation documents should not be deployed.
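A worked centralSecurityServices block tying the definitions above together, added here as an example; it is not from this page or from the LZA project. Key names follow the LZA sample security-config.yaml as recalled by the editor and must be checked against the schema linked at the top of the page. Account names (Audit), the KMS key alias, the SNS topic name and the S3 prefix are placeholders.

```yaml
# Added example, not the project's own configuration. Key names are recalled
# from LZA sample configs; verify against the schema URL above. Account names,
# key aliases, topic names and prefixes are placeholders.
centralSecurityServices:
  delegatedAdminAccount: Audit        # placeholder: the security tooling account
  ebsDefaultVolumeEncryption:
    enable: true
    kmsKey: EbsDefaultKey             # placeholder: key defined in the KMS section
    excludeRegions: []                # encrypt new volumes in every enabled region
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []               # no account is exempt from the public access block
  scpRevertChangesConfig:
    enable: true
    snsTopicName: Security            # placeholder: notified when an SCP edit is reverted
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    eksProtection:
      enable: true
      manageAgent: true               # let GuardDuty deploy the EKS runtime agent
      excludeRegions: []
    exportConfiguration:
      enable: true
      overrideExisting: true          # replace per-account export settings that drifted
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
      prefixConfig:
        useCustomPrefix: true
        customOverride: security/guardduty   # placeholder prefix in the central log bucket
  securityHub:
    enable: true
    regionAggregation: true           # findings from all regions land in the home region
    autoEnableOrgMembers: true        # new accounts are enrolled without manual steps
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable: []         # list control IDs here only with a documented exception
      - name: CIS AWS Foundations Benchmark v1.4.0
        enable: true
    logging:
      cloudWatch:
        enable: true
        logLevel: MEDIUM              # forward MEDIUM and above to CloudWatch Logs
    snsTopicName: Security            # placeholder
    notificationLevel: HIGH           # only HIGH and CRITICAL findings page the topic
  auditManager:
    enable: true
    excludeRegions: []
    defaultReportsConfiguration:
      enable: true
      destinationType: S3
  detective:
    enable: true
    excludeRegions: []
```

Leaving excludeRegions and excludeAccounts empty is deliberate: every region you exclude from GuardDuty or Security Hub is a region where an attacker can operate unobserved, so exclusions should be limited to regions that are disabled at the organization level.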
Configuration for AWS Audit Manager, a service that helps you continually audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards. Use this configuration to enable AWS Audit Manager for an AWS Organization. Audit Manager automates evidence collection so you can more easily assess whether your policies, procedures, and activities are operating effectively.
4 nested properties
Configuration for specifying where AWS Audit Manager stores compliance assessment reports. Use this configuration to enable a destination for reports generated by AWS Audit Manager.
2 nested properties
The type of resource for storing audit reports. Currently only Amazon S3 buckets are supported.
Controls whether AWS Audit Manager Default Reports destination is enabled. When enabled, compliance reports are automatically saved to the specified destination for audit trail purposes.
Controls whether AWS Audit Manager is enabled across your organization.
List of AWS regions where Audit Manager should not be enabled.
S3 lifecycle rules that automatically manage the retention and deletion of Audit Manager reports and evidence stored in S3.
Configuration for Amazon Detective, a security service that helps you analyze, investigate, and quickly identify the root cause of security findings. Use this configuration to enable Amazon Detective for an AWS Organization.
2 nested properties
Controls whether Amazon Detective is enabled across your organization.
List of AWS regions where Detective should not be enabled.
Configuration for automatically detecting and reverting manual changes to Service Control Policies (SCPs). This security control helps maintain governance by ensuring that security policies cannot be modified outside of your approved change management process. When enabled, any manual changes to SCPs will be automatically reverted and security teams will be notified of the attempted modification.
2 nested properties
Indicates whether manual changes to Service Control Policies are automatically detected and reverted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for SNS notification subscriptions for security alerts (DEPRECATED).
Configuration for AWS Systems Manager (SSM) security settings and controls across your organization. This enables centralized management of SSM security features to ensure secure and governed access to your managed resources while preventing unauthorized sharing of sensitive automation documents.
1 nested property
This interface defines the SSM Block Public Document Sharing configuration for organization accounts. SSM Block Public Document Sharing prevents AWS Systems Manager documents from being shared publicly, providing an additional layer of security for organizations. The feature operates on a per-region basis and is applied across all enabled regions for comprehensive protection.
2 nested properties
Indicates whether SSM Block Public Document Sharing is enabled across the organization. When true, public sharing of SSM documents is blocked in every account except those listed in excludeAccounts. When false, LZA does not apply the block and public document sharing remains possible in all accounts. The setting is applied in all enabled regions.
List of AWS Account names to be excluded from SSM Block Public Document Sharing configuration. Accounts in this list will have public document sharing allowed regardless of the enable setting. Account names must match those defined in the accounts configuration. Exclusions are applied across all enabled regions.
Configuration for AWS CloudWatch monitoring and logging services across your organization.
Array of alarm sets that monitor metrics and trigger notifications when thresholds are breached.
Array of metric filter sets that extract metrics from log data for monitoring and alerting.
Array of CloudWatch log group configurations for centralized log management.
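A worked cloudWatch block, added as an example that is not from this page or the LZA project, showing how a metric filter set and an alarm set (the CloudWatch alarm definitions earlier on this page) work together: a CloudTrail metric filter counts root-account API calls and an alarm on that metric fires on the first occurrence. Key names follow the LZA sample security-config.yaml as recalled by the editor and must be checked against the linked schema; the log group name, OU name and SNS topic name are placeholders.

```yaml
# Added example, not the project's own configuration. Key names are recalled
# from LZA sample configs; verify against the schema URL above. Log group,
# OU and topic names are placeholders.
cloudWatch:
  metricSets:
    - regions:
        - us-east-1
      deploymentTargets:
        organizationalUnits:
          - Root                      # every account in the organization
      metrics:
        - filterName: RootAccountMetricFilter
          logGroupName: aws-controltower/CloudTrailLogs   # placeholder CloudTrail log group
          # Interactive root usage only: calls AWS services make on root's behalf
          # (invokedBy set, or AwsServiceEvent) would otherwise generate constant noise.
          filterPattern: '{ ($.userIdentity.type = "Root") && ($.userIdentity.invokedBy NOT EXISTS) && ($.eventType != "AwsServiceEvent") }'
          metricNamespace: LogMetrics
          metricName: RootAccountUsage
          metricValue: "1"
  alarmSets:
    - regions:
        - us-east-1                   # must match the region the metric filter runs in
      deploymentTargets:
        organizationalUnits:
          - Root
      alarms:
        - alarmName: CIS-1.1-RootAccountUsage
          alarmDescription: Root account credentials were used
          snsTopicName: Security      # placeholder topic defined elsewhere in the config
          metricName: RootAccountUsage
          namespace: LogMetrics
          comparisonOperator: GreaterThanOrEqualToThreshold
          # One 5-minute period with Sum >= 1 is enough: any root use is a
          # security event, so waiting for consecutive breaches only adds delay.
          evaluationPeriods: 1
          period: 300
          statistic: Sum
          threshold: 1
          # The metric has no data points when root is unused; notBreaching keeps
          # the alarm in OK instead of INSUFFICIENT_DATA during quiet periods.
          treatMissingData: notBreaching
```

The evaluationPeriods, period and threshold values map directly onto the alarm properties described above: period is the bucket size in seconds, threshold is compared against the Sum statistic with the chosen comparison operator, and evaluationPeriods is how many consecutive buckets must breach before the alarm transitions to ALARM.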
Configuration for AWS Config rules that evaluate AWS resource compliance against organizational policies and best practices. Config rules can be either AWS-managed rules (pre-built compliance checks) or custom rules (organization-specific logic) and can include automated remediation to restore compliance when violations are detected.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Array of AWS resource types that this rule will evaluate for compliance.
Configuration for custom AWS Config rules that use Lambda functions to evaluate resource compliance.
5 nested properties
Configuration for AWS Lambda functions that implement custom AWS Config rules for compliance monitoring.
5 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Maximum execution time for the Lambda function in seconds.
The frequency at which periodic evaluations are performed.
Configuration for defining which AWS resources trigger evaluations for custom AWS Config rules.
3 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The method used to identify which resources should trigger Config rule evaluations. This determines how the Config rule will find and evaluate AWS resources for compliance.
Array of values used to match resources based on the lookup type and key.
Controls whether the rule runs when AWS resource configurations change. When enabled, the rule will immediately evaluate affected resources whenever their configuration is modified.
Controls whether the rule runs on a scheduled basis at regular intervals. When enabled, the rule will evaluate resources according to the specified frequency.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Key-value pairs that provide configuration parameters to the Config rule.
Configuration for automated remediation actions that AWS Config executes when resources are found non-compliant. This enables automatic correction of compliance violations using AWS Systems Manager automation documents, reducing manual intervention and ensuring continuous compliance across your AWS environment.
10 nested properties
Controls whether remediation actions are triggered automatically when non-compliance is detected. When enabled, AWS Config will immediately attempt to remediate non-compliant resources without manual intervention.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
List of AWS regions where this remediation should not be applied.
The maximum number of remediation attempts for a single non-compliant resource. This prevents infinite retry loops while allowing for temporary failures to be resolved. After reaching this limit, manual intervention may be required.
Array of input parameters to pass to the remediation automation document. These parameters provide the necessary context and data for the automation document to perform the appropriate corrective actions on non-compliant resources.
Maximum time in seconds that AWS Config waits for each remediation attempt to complete. This prevents remediation actions from running indefinitely and ensures timely failure detection.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for AWS Lambda functions that implement custom AWS Config rules for compliance monitoring.
5 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Maximum execution time for the Lambda function in seconds.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Key-value pairs to assign as tags to the Config rule.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for automated remediation actions that AWS Config executes when resources are found non-compliant. This enables automatic correction of compliance violations using AWS Systems Manager automation documents, reducing manual intervention and ensuring continuous compliance across your AWS environment.
Controls whether remediation actions are triggered automatically when non-compliance is detected. When enabled, AWS Config will immediately attempt to remediate non-compliant resources without manual intervention.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
List of AWS regions where this remediation should not be applied.
The maximum number of remediation attempts for a single non-compliant resource. This prevents infinite retry loops while allowing for temporary failures to be resolved. After reaching this limit, manual intervention may be required.
Array of input parameters to pass to the remediation automation document. These parameters provide the necessary context and data for the automation document to perform the appropriate corrective actions on non-compliant resources.
Maximum time in seconds that AWS Config waits for each remediation attempt to complete. This prevents remediation actions from running indefinitely and ensures timely failure detection.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for AWS Lambda functions that implement custom AWS Config rules for compliance monitoring.
5 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Maximum execution time for the Lambda function in seconds.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for custom AWS Config rules that use Lambda functions to evaluate resource compliance.
Configuration for AWS Lambda functions that implement custom AWS Config rules for compliance monitoring.
5 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Maximum execution time for the Lambda function in seconds.
The frequency at which periodic evaluations are performed.
Configuration for defining which AWS resources trigger evaluations for custom AWS Config rules.
3 nested properties
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The method used to identify which resources should trigger Config rule evaluations. This determines how the Config rule will find and evaluate AWS resources for compliance.
Array of values used to match resources based on the lookup type and key.
Controls whether the rule runs when AWS resource configurations change. When enabled, the rule will immediately evaluate affected resources whenever their configuration is modified.
Controls whether the rule runs on a scheduled basis at regular intervals. When enabled, the rule will evaluate resources according to the specified frequency.
Configuration for AWS Lambda functions that implement custom AWS Config rules for compliance monitoring.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Maximum execution time for the Lambda function in seconds.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
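To make the precedence rule concrete, here is an added Python example (not LZA code) that resolves the deploymentTargets block above into concrete (account, region) pairs against a constructed organization layout; the key name `accounts` for the Target Accounts list and the list of enabled regions are assumptions.

```python
"""Resolve a Landing Zone Accelerator deploymentTargets block into the
(account, region) pairs a resource would actually be deployed to.

Added example, not LZA code. Rules taken from the schema text:
  * organizationalUnits and accounts (assumed key name) include accounts,
  * excludedAccounts takes precedence over both kinds of inclusion,
  * excludedRegions removes regions from the enabled-region list.
"""
from __future__ import annotations

# Constructed organization layout: OU name -> account names in that OU.
ORG_UNITS: dict[str, list[str]] = {
    "Root": ["Management"],
    "Security": ["Audit", "LogArchive"],
    "Production": ["ProdWorkload", "ProdData"],
    "Development": ["DevSandbox"],
}

# Constructed list of regions the landing zone has enabled.
ENABLED_REGIONS = ["us-east-1", "us-west-1", "eu-west-1"]

# The deploymentTargets example from the schema documentation, as a dict.
EXAMPLE_TARGETS = {
    "organizationalUnits": ["Production", "Development"],
    "excludedAccounts": ["Management"],
    "excludedRegions": ["us-west-1"],
}


def resolve_accounts(targets: dict, ou_accounts: dict[str, list[str]]) -> set[str]:
    """Return the account names selected by a deploymentTargets block."""
    selected: set[str] = set()
    for ou in targets.get("organizationalUnits", []):
        if ou not in ou_accounts:
            # A typo in an OU name would silently deploy nothing; fail loudly.
            raise ValueError(f"unknown organizational unit: {ou}")
        selected.update(ou_accounts[ou])
    # "accounts" is assumed to be the key for the Target Accounts list.
    selected.update(targets.get("accounts", []))
    # Exclusions win over OU and account inclusions.
    return selected - set(targets.get("excludedAccounts", []))


def resolve_regions(targets: dict, enabled_regions: list[str]) -> list[str]:
    """Return enabled regions minus excludedRegions, order preserved."""
    excluded = set(targets.get("excludedRegions", []))
    return [r for r in enabled_regions if r not in excluded]


def resolve_deployment_targets(
    targets: dict, ou_accounts: dict[str, list[str]], enabled_regions: list[str]
) -> set[tuple[str, str]]:
    """Cross the selected accounts with the selected regions."""
    accounts = resolve_accounts(targets, ou_accounts)
    regions = resolve_regions(targets, enabled_regions)
    return {(acct, region) for acct in accounts for region in regions}


if __name__ == "__main__":
    for pair in sorted(resolve_deployment_targets(EXAMPLE_TARGETS, ORG_UNITS, ENABLED_REGIONS)):
        print(pair)
```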
Configuration for Amazon Detective, a security service that helps you analyze, investigate, and quickly identify the root cause of security findings. Use this configuration to enable Amazon Detective for an AWS Organization.
Controls whether Amazon Detective is enabled across your organization.
List of AWS regions where Detective should not be enabled.
Configuration for defining AWS Systems Manager documents (SSM documents) that can be used to automate tasks on managed instances. SSM documents contain the steps and parameters needed to perform specific administrative tasks or configurations.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for sharing AWS Systems Manager documents across organizational units within your AWS Organization.
Array of SSM documents to be shared with the specified organizational units.
Resource Access Manager (RAM) Share Targets Interface
Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.
Key Features
- Cross-Account Sharing: Share resources across multiple AWS accounts
- OU-Level Sharing: Share with entire organizational units at once
- Centralized Management: Manage shared resources from a central account
- Cost Optimization: Avoid resource duplication across accounts
- Security: Maintain resource ownership while enabling controlled access
Example
```yaml
shareTargets:
  organizationalUnits:
    - Root
```
Learn more about AWS Resource Access Manager.
2 nested properties
Target Accounts (Optional)
List of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.
Organizational Units (Optional)
List of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.
Configuration for enabling automatic encryption of all new EBS volumes and snapshots in your AWS environment.
Controls whether EBS default volume encryption is enabled. When enabled, all new EBS volumes created in the specified accounts and regions will be encrypted by default.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
List of AWS regions where EBS default volume encryption should not be enabled.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for encrypting CloudWatch log groups using AWS Key Management Service (KMS).
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Uses the default CloudWatch Logs KMS key that is automatically deployed by Landing Zone Accelerator.
Configuration for Amazon GuardDuty, a threat detection service that monitors your AWS environment for malicious activity. Use this configuration to enable Amazon GuardDuty for an AWS Organization and configure which AWS services should be monitored for security threats.
Controls whether GuardDuty is enabled across your organization to monitor for security threats.
Configuration for exporting GuardDuty security findings to an Amazon S3 bucket for long-term storage and analysis.
5 nested properties
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
Controls whether GuardDuty findings are automatically exported to an S3 bucket.
An enum value that specifies how frequently findings are exported to the S3 bucket. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS.
Controls whether existing export configurations can be overwritten with new settings.
Centralized Logging Prefix Configuration Interface
Configuration interface for customizing the S3 prefix structure used in centralized logging buckets. Allows organizations to override the default LZA logging path structure to meet specific organizational or compliance requirements.
Key Features
- Custom Prefixes: Override default LZA logging path structure
- Organizational Alignment: Align with existing logging conventions
- Compliance: Meet specific regulatory path requirements
- Flexibility: Maintain consistency across different log types
Example
```yaml
prefixConfig:
  useCustomPrefix: true
  customOverride: compliance/audit-logs
```
2 nested properties
Use Custom Prefix (Required)
Indicates whether to add a custom prefix to the LZA default centralized logging location. If useCustomPrefix is set to true, logs are stored under the custom prefix in the centralized logging bucket.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for enabling S3 protection with Amazon GuardDuty to detect suspicious and malicious activity in your S3 buckets. Use this configuration to enable S3 Protection with Amazon GuardDuty to monitor object-level API operations for potential security risks for data within Amazon S3 buckets.
2 nested properties
Controls whether GuardDuty S3 protection is enabled to monitor your S3 buckets for suspicious activity.
List of AWS regions where Amazon GuardDuty S3 protection should not be enabled.
Controls whether GuardDuty is automatically enabled for new accounts joining the organization.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Configuration for GuardDuty for EC2 malware protection that scans EC2 instances and EBS volumes for malicious software. EC2 Malware Protection helps you detect malware and other security threats on your EC2 instances.
3 nested properties
Controls whether GuardDuty EC2 Malware Protection is enabled to scan your EC2 instances for malware.
Controls whether EBS snapshots created during malware scanning are retained. When enabled, snapshots are preserved.
List of AWS regions where GuardDuty EC2 Malware Protection should not be enabled.
Configuration for GuardDuty EKS (Elastic Kubernetes Service) protection that monitors Amazon Elastic Kubernetes Service clusters for security threats. EKS Protection helps you detect potential security risks in Amazon EKS clusters.
3 nested properties
Controls whether GuardDuty EKS Protection is enabled to monitor your EKS clusters for security threats.
List of AWS regions where GuardDuty EKS protection should not be enabled.
Controls whether the GuardDuty EKS Agent is managed.
List of AWS regions where GuardDuty should not be enabled.
AWS GuardDuty Lambda Malware Protection configuration.
2 nested properties
Controls whether GuardDuty Lambda Protection is enabled to monitor your Lambda functions for security threats.
List of AWS regions where GuardDuty Lambda Protection should not be enabled.
S3 lifecycle rules that automatically manage the retention and deletion of GuardDuty findings stored in S3.
Configuration for GuardDuty RDS (Relational Database Service) protection that monitors Amazon RDS instances for security threats. RDS Protection helps you detect potential security risks in your RDS databases.
2 nested properties
Controls whether GuardDuty RDS Protection is enabled to monitor your RDS databases for security threats.
List of AWS regions where GuardDuty RDS Protection should not be enabled.
Use this configuration to define an Amazon GuardDuty S3 Malware Protection Plan for an Amazon S3 bucket.
2 nested properties
Indicates whether AWS GuardDuty S3 Malware Protection is enabled.
(OPTIONAL) The S3 Malware Protection Configuration. Provide this configuration when enabling this feature.
Configuration for GuardDuty for EC2 malware protection that scans EC2 instances and EBS volumes for malicious software. EC2 Malware Protection helps you detect malware and other security threats on your EC2 instances.
Controls whether GuardDuty EC2 Malware Protection is enabled to scan your EC2 instances for malware.
Controls whether EBS snapshots created during malware scanning are retained. When enabled, snapshots are preserved.
List of AWS regions where GuardDuty EC2 Malware Protection should not be enabled.
Configuration for GuardDuty EKS (Elastic Kubernetes Service) protection that monitors Amazon Elastic Kubernetes Service clusters for security threats. EKS Protection helps you detect potential security risks in Amazon EKS clusters.
Controls whether GuardDuty EKS Protection is enabled to monitor your EKS clusters for security threats.
List of AWS regions where GuardDuty EKS protection should not be enabled.
Controls whether the GuardDuty EKS Agent is managed.
Configuration for exporting GuardDuty security findings to an Amazon S3 bucket for long-term storage and analysis.
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
Controls whether GuardDuty findings are automatically exported to an S3 bucket.
An enum value that specifies how frequently findings are exported to the S3 bucket. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS.
Controls whether existing export configurations can be overwritten with new settings.
Centralized Logging Prefix Configuration Interface
Configuration interface for customizing the S3 prefix structure used in centralized logging buckets. Allows organizations to override the default LZA logging path structure to meet specific organizational or compliance requirements.
Key Features
- Custom Prefixes: Override default LZA logging path structure
- Organizational Alignment: Align with existing logging conventions
- Compliance: Meet specific regulatory path requirements
- Flexibility: Maintain consistency across different log types
Example
```yaml
prefixConfig:
  useCustomPrefix: true
  customOverride: compliance/audit-logs
```
2 nested properties
Use Custom Prefix (Required)
Indicates whether to add a custom prefix to the LZA default centralized logging location. If useCustomPrefix is set to true, logs are stored under the custom prefix in the centralized logging bucket.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
AWS GuardDuty Lambda Malware Protection configuration.
Controls whether GuardDuty Lambda Protection is enabled to monitor your Lambda functions for security threats.
List of AWS regions where GuardDuty Lambda Protection should not be enabled.
Configuration for GuardDuty RDS (Relational Database Service) protection that monitors Amazon RDS instances for security threats. RDS Protection helps you detect potential security risks in your RDS databases.
Controls whether GuardDuty RDS Protection is enabled to monitor your RDS databases for security threats.
List of AWS regions where GuardDuty RDS Protection should not be enabled.
Use this configuration to define an Amazon GuardDuty S3 Malware Protection Plan for an Amazon S3 bucket.
Indicates whether AWS GuardDuty S3 Malware Protection is enabled.
(OPTIONAL) The S3 Malware Protection Configuration. Provide this configuration when enabling this feature.
Configuration for enabling S3 protection with Amazon GuardDuty to detect suspicious and malicious activity in your S3 buckets. Use this configuration to enable S3 Protection with Amazon GuardDuty to monitor object-level API operations for potential security risks for data within Amazon S3 buckets.
Controls whether GuardDuty S3 protection is enabled to monitor your S3 buckets for suspicious activity.
List of AWS regions where Amazon GuardDuty S3 protection should not be enabled.
Configuration for AWS Identity and Access Management (IAM) password policy that enforces password complexity and security requirements for IAM users across your organization.
Controls whether IAM users can change their own passwords through the AWS Management Console. When enabled, users can update their passwords without administrator intervention.
Controls whether IAM users can set a new password after their current password expires. When enabled, users with expired passwords cannot access the console until an administrator resets their password.
The maximum number of days a password remains valid before requiring a change.
The minimum number of characters required for IAM user passwords.
The number of previous passwords that users cannot reuse.
Requires passwords to contain at least one lowercase letter from the ISO basic Latin alphabet (a to z).
Requires passwords to contain at least one numeric character (0-9).
Requires passwords to contain at least one special character. Allowed symbols: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
Requires passwords to contain at least one uppercase letter from the ISO basic Latin alphabet (A to Z).
Configuration for creating and managing customer-managed keys (CMKs). These keys provide enhanced security control compared to AWS-managed keys, allowing you to define custom access policies, enable automatic key rotation, and maintain compliance with data protection regulations. Customer-managed keys are essential for organizations that need granular control over encryption operations and key lifecycle management.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Controls whether AWS Key Management Service (KMS) automatically rotates the encryption key material.
Controls whether the encryption key is available to be used. Disabled keys cannot encrypt or decrypt data.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Determines what happens to the encryption key when it is removed from the stack: 'retain' preserves the key for data recovery, 'destroy' permanently deletes it, and 'snapshot' creates a backup.
Configuration for AWS Key Management Service (KMS) that enables centralized management of encryption keys across your organization. This allows you to create, manage, and control customer-managed KMS keys for encrypting data at rest and in transit, helping meet compliance requirements and security best practices.
Array of KMS key configurations to be created and managed across your organization.
S3 Bucket Lifecycle Rule Configuration
Defines lifecycle management rules for S3 buckets to automatically transition objects between storage classes and manage object expiration. Lifecycle rules help optimize storage costs and manage data retention policies.
Key Features
- Cost Optimization: Automatically transition objects to cheaper storage classes
- Data Management: Set expiration policies for automatic cleanup
- Version Control: Manage current and non-current object versions separately
- Prefix Filtering: Apply rules to specific object prefixes or entire buckets
Usage Example
```yaml
- enabled: true
  id: ArchiveLifecycle
  expiredObjectDeleteMarker: true
  noncurrentVersionExpiration: 90
  transitions:
    - storageClass: DEEP_ARCHIVE
      transitionAfter: 180
```
Abort Incomplete Multipart Uploads (Optional)
Number of days after which incomplete multipart uploads are automatically aborted and cleaned up. This helps prevent storage costs from abandoned multipart uploads.
Benefits
- Cost Control: Prevents charges for incomplete upload parts
- Storage Cleanup: Automatically removes orphaned multipart data
- Operational Hygiene: Maintains clean bucket state
Considerations
- Set based on your typical upload patterns and file sizes
- Consider network reliability and upload duration requirements
- Balance between cost control and operational flexibility
Rule Enabled (Optional)
Controls whether this lifecycle rule is active and enforced. Allows you to temporarily disable rules without removing them from the configuration.
Object Expiration (Optional)
Number of days after object creation when objects are permanently deleted from the bucket. This implements automatic data retention policies and helps manage storage costs for time-sensitive data.
Use Cases
- Log Retention: Automatically delete old log files
- Compliance: Enforce data retention policies
- Cost Management: Remove data that's no longer needed
- Regulatory Requirements: Meet data disposal requirements
Important Considerations
- Irreversible: Expired objects are permanently deleted
- Compliance: Ensure retention periods meet regulatory requirements
- Business Needs: Consider future data access requirements
- Backup Strategy: Ensure critical data is backed up before expiration
Expired Object Delete Marker Cleanup (Optional)
Controls whether S3 automatically removes delete markers that have no non-current versions. This helps clean up versioned buckets and reduce storage costs from orphaned delete markers.
Benefits When Enabled
- Cost Reduction: Eliminates charges for orphaned delete markers
- Storage Optimization: Keeps bucket metadata clean
- Operational Efficiency: Reduces clutter in versioned buckets
Rule Identifier (Optional)
Unique, human-readable name for the lifecycle rule within the bucket. Used for rule identification, management, and troubleshooting.
Non-Current Version Expiration (Optional)
Number of days after an object version becomes non-current when it should be permanently deleted. This manages storage costs for versioned buckets by cleaning up old object versions.
Considerations
- Recovery Needs: Balance cost vs. ability to recover old versions
- Compliance: Some regulations require version retention
- Storage Costs: Non-current versions incur full storage charges
- Access Patterns: Consider how often old versions are accessed
Non-Current Version Transitions (Optional)
Array of transition rules that specify when non-current object versions should move to different storage classes. This optimizes costs for versioned buckets by moving old versions to cheaper storage.
Storage Class Optimization
Non-current versions are typically accessed less frequently than current versions, making them ideal candidates for cheaper storage classes.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Current Version Transitions (Optional)
Array of transition rules that specify when current objects should move to different storage classes. This implements cost optimization strategies based on data access patterns and age.
Cost Optimization Strategy
Design transitions based on your data access patterns:
- Frequently Accessed: Keep in Standard storage
- Infrequently Accessed: Transition to Standard-IA
- Archive Data: Move to Glacier or Deep Archive
- Long-term Retention: Use Deep Archive for lowest cost
Configuration for deploying and managing CloudWatch log groups across your organization. You can deploy new log groups or import existing ones into your accelerator configuration for centralized management.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The number of days to retain log events in the log group.
Configuration for encrypting CloudWatch log groups using AWS Key Management Service (KMS).
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Uses the default CloudWatch Logs KMS key that is automatically deployed by Landing Zone Accelerator.
Controls whether the log group should be protected from accidental deletion.
Configuration for Amazon Macie, a data security service that discovers, classifies, and protects sensitive data. Use this configuration to enable Amazon Macie within your AWS Organization along with its reporting configuration.
Controls whether Amazon Macie is enabled across your organization.
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. Default value is false.
List of AWS Region names to be excluded from configuring Amazon Macie.
Declaration of S3 Lifecycle rules that automatically manage the retention and deletion of Macie findings reports stored in S3.
Specifies how frequently findings are published to Security Hub. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS.
Specifies whether to publish findings to Security Hub and EventBridge.
AWS GuardDuty S3 Malware Protection configuration.
Account that the S3 bucket resides in.
Region that the S3 bucket resides in.
Name of the S3 bucket.
Controls whether tags are added to the S3 object after scanning.
List of object prefixes to scan. An S3 object is scanned only if its key matches one of the specified prefixes.
(OPTIONAL) Tags added to the Malware Protection plan resource.
Configuration for CloudWatch metric filters that extract metrics from log data for monitoring and alerting. Metric filters turn log data into numerical CloudWatch metrics that you can graph or set alarms on.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The value reported to the metric filter during a period when logs are ingested but no matching logs are found.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for a set of CloudWatch metric filters that will be deployed together to specific regions and organizational units.
Array of CloudWatch metric filter configurations to deploy as part of this metric set.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
AWS regions where the CloudWatch metric filters will be deployed.
Configuration for defining the network perimeter scope when using VPC lookup parameters in resource policies.
Controls which VPCs are included when using VPC lookup parameters in resource policy templates.
Centralized Logging Prefix Configuration Interface
Configuration interface for customizing the S3 prefix structure used in centralized logging buckets. Allows organizations to override the default LZA logging path structure to meet specific organizational or compliance requirements.
Key Features
- Custom Prefixes: Override default LZA logging path structure
- Organizational Alignment: Align with existing logging conventions
- Compliance: Meet specific regulatory path requirements
- Flexibility: Maintain consistency across different log types
Example
```yaml
prefixConfig:
  useCustomPrefix: true
  customOverride: compliance/audit-logs
```
Use Custom Prefix (Required)
Indicates whether to add a custom prefix to the LZA default Centralized Logging location. If useCustomPrefix is set to true, logs are stored under the custom prefix in the Centralized Logging Bucket.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for input parameters passed to AWS Config rule remediation actions. These parameters provide the necessary data and context for remediation automation documents to execute corrective actions on non-compliant resources, enabling automated compliance restoration.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The data type of the parameter value, determining how the remediation document interprets the input.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for defining resource-based policies that will be automatically applied to specific AWS resource types. This allows you to enforce consistent access controls and security policies across resources of the same type throughout your organization using AWS Config rules for automated compliance monitoring and remediation.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The type of AWS resource that this policy will be applied to. This determines which AWS resources will be targeted for policy enforcement, such as S3 buckets, KMS keys, IAM roles, or other supported resource types.
Configuration for automated resource policy enforcement across your AWS Organization using AWS Config rules.
Controls whether resource policy enforcement is enabled across your organization. When enabled, AWS Config rules will be deployed to monitor and enforce resource-based policies according to the configured policy sets and remediation settings.
Array of policy sets that define which resource policies to enforce and where to deploy them.
Configuration for automated remediation actions when AWS Config detects non-compliant resource policies. This enables automatic correction of policy violations to maintain consistent security controls across your organization without manual intervention, helping ensure continuous compliance.
Controls whether remediation actions are triggered automatically when policy violations are detected. When enabled, AWS Config will automatically attempt to correct non-compliant resource policies.
Maximum number of times AWS Config will attempt to remediate a non-compliant resource. This prevents infinite retry loops while allowing for temporary failures to be resolved. After reaching this limit, manual intervention may be required.
Maximum time in seconds that AWS Config waits before timing out a remediation attempt. This prevents remediation actions from running indefinitely and ensures timely completion.
Configuration for defining the network perimeter scope when using VPC lookup parameters in resource policies.
Controls which VPCs are included when using VPC lookup parameters in resource policy templates.
Configuration for automated remediation actions when AWS Config detects non-compliant resource policies. This enables automatic correction of policy violations to maintain consistent security controls across your organization without manual intervention, helping ensure continuous compliance.
Controls whether remediation actions are triggered automatically when policy violations are detected. When enabled, AWS Config will automatically attempt to correct non-compliant resource policies.
Maximum number of times AWS Config will attempt to remediate a non-compliant resource. This prevents infinite retry loops while allowing for temporary failures to be resolved. After reaching this limit, manual intervention may be required.
Maximum time in seconds that AWS Config waits before timing out a remediation attempt. This prevents remediation actions from running indefinitely and ensures timely completion.
Configuration for a set of resource policies that will be deployed together to specific organizational units or accounts. This allows you to group related resource policies and deploy them as a cohesive security control package across your organization, ensuring consistent policy enforcement for different environments or business units.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Array of resource policy configurations that define the specific policies to be enforced.
Custom parameters that will be passed as environment variables to the AWS Config rule and remediation Lambda functions.
Configuration for preventing accidental public exposure of S3 buckets and objects across your organization. When enabled, this setting applies organization-wide security guardrails that prevent users from accidentally making S3 buckets or objects publicly accessible.
Indicates whether S3 public access blocking is enforced across all accounts in your organization.
List of AWS account names that should be exempted from S3 public access blocking requirements.
Configuration for automatically detecting and reverting manual changes to Service Control Policies (SCPs). This security control helps maintain governance by ensuring that security policies cannot be modified outside of your approved change management process. When enabled, any manual changes to SCPs will be automatically reverted and security teams will be notified of the attempted modification.
Indicates whether manual changes to Service Control Policies are automatically detected and reverted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Root configuration for the Landing Zone Accelerator security services and controls. This configuration enables comprehensive security governance across your AWS Organization through centralized security services, compliance monitoring, access controls, encryption management, and automated monitoring and alerting capabilities.
Configuration for AWS Identity and Access Management (IAM) Access Analyzer that identifies resources with external access and helps implement least privilege by analyzing resource policies for security risks.
Controls whether AWS IAM Access Analyzer is enabled across your organization.
Configuration for AWS Config service that enables continuous monitoring and assessment of AWS resource configurations for compliance, security, and governance. This service records configuration changes, evaluates resources against compliance rules, and provides centralized visibility into your AWS environment's configuration state.
Controls whether the AWS Config configuration recorder is enabled to track resource changes.
Configuration for AWS Config aggregation that centralizes compliance data from multiple accounts and regions into a single location for organization-wide visibility and reporting. This enables centralized compliance monitoring and simplifies governance oversight across your entire AWS Organization.
Controls whether AWS Config aggregation is enabled across your organization. When enabled, compliance data from all accounts and regions will be centralized for unified reporting and governance oversight.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Controls whether the delivery channel is enabled for sending configuration changes to S3.
Controls whether to override existing Config recorder settings in accounts that already have Config enabled.
Array of Config rule sets that define compliance checks to be deployed across your organization.
Controls whether to use AWS service-linked roles for Config instead of custom IAM roles created by LZA.
Configuration for centralized security services that provides organization-wide security controls and monitoring capabilities. This configuration enables and manages core AWS security services including GuardDuty, Security Hub, Macie, Detective, and Audit Manager across your entire AWS Organization. It establishes a centralized security posture with consistent policies, automated threat detection, compliance monitoring, and unified security findings management to help organizations maintain strong security governance at scale.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for enabling automatic encryption of all new EBS volumes and snapshots in your AWS environment.
Controls whether EBS default volume encryption is enabled. When enabled, all new EBS volumes created in the specified accounts and regions will be encrypted by default.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
List of AWS regions where EBS default volume encryption should not be enabled.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for Amazon GuardDuty, a threat detection service that monitors your AWS environment for malicious activity. Use this configuration to enable Amazon GuardDuty for an AWS Organization and configure which AWS services should be monitored for security threats.
Controls whether GuardDuty is enabled across your organization to monitor for security threats.
Configuration for exporting GuardDuty security findings to an Amazon S3 bucket for long-term storage and analysis.
Configuration for enabling S3 protection with Amazon GuardDuty to detect suspicious and malicious activity in your S3 buckets. Use this configuration to enable S3 Protection with Amazon GuardDuty to monitor object-level API operations for potential security risks for data within Amazon S3 buckets.
Controls whether GuardDuty is automatically enabled for new accounts joining the organization.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Configuration for GuardDuty for EC2 malware protection that scans EC2 instances and EBS volumes for malicious software. EC2 Malware Protection helps you detect malware and other security threats on your EC2 instances.
Configuration for GuardDuty EKS (Elastic Kubernetes Service) protection that monitors Amazon Elastic Kubernetes Service clusters for security threats. EKS Protection helps you detect potential security risks in Amazon EKS clusters.
List of AWS regions where GuardDuty should not be enabled.
AWS GuardDuty Lambda Malware Protection configuration.
S3 lifecycle rules that automatically manage the retention and deletion of GuardDuty findings stored in S3.
Configuration for GuardDuty RDS (Relational Database Service) protection that monitors Amazon RDS instances for security threats. RDS Protection helps you detect potential security risks in your RDS databases.
Use this configuration to define an Amazon GuardDuty S3 Malware Protection Plan for an Amazon S3 bucket.
Configuration for Amazon Macie, a data security service that discovers, classifies, and protects sensitive data. Use this configuration to enable Amazon Macie within your AWS Organization along with its reporting configuration.
Controls whether Amazon Macie is enabled across your organization.
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. Default value is false.
List of AWS Region names to be excluded from configuring Amazon Macie.
Declaration of S3 Lifecycle rules that automatically manage the retention and deletion of Macie findings reports stored in S3.
Specifies how frequently findings are published to Security Hub. Possible values: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS.
Specifies whether to publish findings to Security Hub and EventBridge.
Configuration for preventing accidental public exposure of S3 buckets and objects across your organization. When enabled, this setting applies organization-wide security guardrails that prevent users from accidentally making S3 buckets or objects publicly accessible.
Indicates whether S3 public access blocking is enforced across all accounts in your organization.
List of AWS account names that should be exempted from S3 public access blocking requirements.
Configuration for Amazon Security Hub, a centralized security findings management service that aggregates security alerts from multiple AWS security services. Use this configuration to enable Amazon Security Hub for an AWS Organization along with its auditing configuration.
Controls whether AWS Security Hub is enabled across your organization.
List of security and compliance standards that Security Hub will monitor across your organization.
Controls whether Security Hub is automatically enabled for new accounts joining the organization.
Configuration for Security Hub automation rules that automatically update findings based on specified criteria.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
List of AWS regions where Security Hub should not be enabled.
Configuration for Security Hub logging destinations that determines where security findings are stored for analysis. This configuration allows you to centralize Security Hub findings in CloudWatch Logs for integration with your monitoring and alerting infrastructure.
Minimum severity level for findings that will trigger SNS notifications.
Controls whether Security Hub findings from all regions are aggregated in your organization's home region.
Name of the SNS topic that will receive Security Hub notifications.
Configuration for AWS Systems Manager (SSM) automation that enables centralized management and distribution of SSM documents across your AWS Organization.
Array of document sets that define which SSM documents to create and share across organizational units.
List of AWS regions where SSM automation documents should not be deployed.
Configuration for AWS Audit Manager, a service that helps you continually audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards. Use this configuration to enable AWS Audit Manager for an AWS Organization. Audit Manager automates evidence collection so you can more easily assess whether your policies, procedures, and activities are operating effectively.
Configuration for specifying where AWS Audit Manager stores compliance assessment reports. Use this configuration to enable a destination for reports generated by AWS Audit Manager.
Controls whether AWS Audit Manager is enabled across your organization.
List of AWS regions where Audit Manager should not be enabled.
S3 lifecycle rules that automatically manage the retention and deletion of Audit Manager reports and evidence stored in S3.
Configuration for Amazon Detective, a security service that helps you analyze, investigate, and quickly identify the root cause of security findings. Use this configuration to enable Amazon Detective for an AWS Organization.
Controls whether Amazon Detective is enabled across your organization.
List of AWS regions where Detective should not be enabled.
Configuration for automatically detecting and reverting manual changes to Service Control Policies (SCPs). This security control helps maintain governance by ensuring that security policies cannot be modified outside of your approved change management process. When enabled, any manual changes to SCPs will be automatically reverted and security teams will be notified of the attempted modification.
Indicates whether manual changes to Service Control Policies are automatically detected and reverted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for SNS notification subscriptions for security alerts (DEPRECATED).
Configuration for AWS Systems Manager (SSM) security settings and controls across your organization. This enables centralized management of SSM security features to ensure secure and governed access to your managed resources while preventing unauthorized sharing of sensitive automation documents.
1 nested property
This interface defines the SSM Block Public Document Sharing configuration for organization accounts. SSM Block Public Document Sharing prevents AWS Systems Manager documents from being shared publicly, providing an additional layer of security for organizations. The feature operates on a per-region basis and is applied across all enabled regions for comprehensive protection.
Configuration for AWS CloudWatch monitoring and logging services across your organization.
3 nested properties
Array of alarm sets that monitor metrics and trigger notifications when thresholds are breached.
Array of metric filter sets that extract metrics from log data for monitoring and alerting.
Array of CloudWatch log group configurations for centralized log management.
Configuration for AWS Identity and Access Management (IAM) password policy that enforces password complexity and security requirements for IAM users across your organization.
9 nested properties
Controls whether IAM users can change their own passwords through the AWS Management Console. When enabled, users can update their passwords without administrator intervention.
Controls whether IAM users are prevented from choosing a new password once their current password expires. When enabled, users with expired passwords cannot sign in to the console until an administrator resets their password; when disabled, they are prompted to set a new password at their next sign-in.
The maximum number of days a password remains valid before requiring a change.
The minimum number of characters required for IAM user passwords.
The number of previous passwords that users cannot reuse.
Requires passwords to contain at least one lowercase letter from the ISO basic Latin alphabet (a to z).
Requires passwords to contain at least one numeric character (0-9).
Requires passwords to contain at least one special character. Allowed symbols: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
Requires passwords to contain at least one uppercase letter from the ISO basic Latin alphabet (A to Z).
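The following checker, added here as an illustration and not part of the Landing Zone Accelerator or AWS, turns the nine password-policy settings above into a local pre-check for candidate passwords. The dictionary keys, the sample policy and the sample passwords are all assumptions made for the example; the symbol set is the one the page lists. It shows two points the prose alone does not: a symbol outside that list (for example "~") does not satisfy the symbol requirement, and only ISO basic Latin letters count toward the case requirements, so Python's own `str.isupper()` would be the wrong test.

```python
"""Check candidate passwords against an IAM account password policy expressed with the
nine settings the page lists. Added illustration, not AWS or accelerator code; the policy
keys used here are assumed names, and the sample policy and passwords are constructed.
"""

# The page's allowed-symbol list. Characters absent from it (for example "~" or "\"") do
# not satisfy requireSymbols even though they are accepted inside a password.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

SAMPLE_POLICY = {  # constructed sample policy
    "minimumPasswordLength": 14,
    "requireLowercaseCharacters": True,
    "requireUppercaseCharacters": True,
    "requireNumbers": True,
    "requireSymbols": True,
    "passwordReusePrevention": 24,
    "maxPasswordAge": 90,
    "allowUsersToChangePassword": True,
    "hardExpiry": False,
}


def policy_violations(password, policy, history=()):
    """Return the requirements the password fails; an empty list means it is acceptable.

    Character classes are checked against the ISO basic Latin ranges the page names,
    not str.islower()/str.isupper(), which also accept letters such as "é" or "Ω".
    history holds the user's previous passwords, newest first."""
    failed = []
    if len(password) < policy["minimumPasswordLength"]:
        failed.append("minimumPasswordLength")
    if policy["requireLowercaseCharacters"] and not any("a" <= c <= "z" for c in password):
        failed.append("requireLowercaseCharacters")
    if policy["requireUppercaseCharacters"] and not any("A" <= c <= "Z" for c in password):
        failed.append("requireUppercaseCharacters")
    if policy["requireNumbers"] and not any("0" <= c <= "9" for c in password):
        failed.append("requireNumbers")
    if policy["requireSymbols"] and not any(c in IAM_SYMBOLS for c in password):
        failed.append("requireSymbols")
    if password in tuple(history)[: policy["passwordReusePrevention"]]:
        failed.append("passwordReusePrevention")
    return failed


def password_expired(age_days, policy):
    """A policy that sets no maxPasswordAge leaves passwords non-expiring."""
    max_age = policy.get("maxPasswordAge")
    return bool(max_age) and age_days > max_age
```

Run the checker against the policy you intend to deploy before rolling it out; a surprising number of "strong" generated passwords fail only on the symbol rule because they use a character IAM does not count.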
The primary AWS region where the Landing Zone Accelerator is deployed and managed.
Configuration for AWS Key Management Service (KMS) that enables centralized management of encryption keys across your organization. This allows you to create, manage, and control customer-managed KMS keys for encrypting data at rest and in transit, helping meet compliance requirements and security best practices.
1 nested property
Array of KMS key configurations to be created and managed across your organization.
Configuration for automated resource policy enforcement across your AWS Organization using AWS Config rules.
4 nested properties
Controls whether resource policy enforcement is enabled across your organization. When enabled, AWS Config rules will be deployed to monitor and enforce resource-based policies according to the configured policy sets and remediation settings.
Array of policy sets that define which resource policies to enforce and where to deploy them.
Configuration for automated remediation actions when AWS Config detects non-compliant resource policies. This enables automatic correction of policy violations to maintain consistent security controls across your organization without manual intervention, helping ensure continuous compliance.
3 nested properties
Controls whether remediation actions are triggered automatically when policy violations are detected. When enabled, AWS Config will automatically attempt to correct non-compliant resource policies.
Maximum number of times AWS Config will attempt to remediate a non-compliant resource. This prevents infinite retry loops while allowing for temporary failures to be resolved. After reaching this limit, manual intervention may be required.
Maximum time in seconds that AWS Config waits before timing out a remediation attempt. This prevents remediation actions from running indefinitely and ensures timely completion.
Configuration for defining the network perimeter scope when using VPC lookup parameters in resource policies.
1 nested property
Controls which VPCs are included when using VPC lookup parameters in resource policy templates.
Configuration for defining the specific actions that Security Hub automation rules will perform on findings that match the rule criteria. Actions determine what modifications will be made to findings, such as updating severity, suppressing findings, or adding notes.
The type of action to perform when findings match the automation rule criteria.
Configuration for updating specific fields within Security Hub findings through automation rules. Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria.
9 nested properties
The confidence score (0-100) indicating how certain the automation rule is about the finding's accuracy.
The criticality score (0-100) representing the business impact if this finding represents a real security issue.
Configuration for adding explanatory notes to Security Hub findings through automation rules. This allows automation rules to automatically document the reason for actions taken on findings, providing context and audit trails for security teams to understand automated decisions.
2 nested properties
The descriptive text content of the note that will be added to the finding. This should explain the reason for the automation action.
The name or identifier of the entity responsible for adding this note.
Array of related findings to link to this finding for correlation and context.
Severity label to assign to the finding.
Array of finding types to assign, categorizing the nature of the security issue.
Custom key-value pairs to add to the finding for organization-specific metadata.
The verification state to assign to the finding, indicating the validation status of the security issue. Valid values: UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE.
Workflow status to assign to the finding to update information about the investigation. This controls the finding's state in your security workflow (e.g., NEW, NOTIFIED, RESOLVED, SUPPRESSED).
Configuration for defining Security Hub automation rules that automatically update findings based on specified criteria. Automation rules help streamline security operations by automatically suppressing, updating, or enriching findings.
Array of actions to perform on findings that match the rule criteria.
Array of criteria that findings must match to trigger the rule actions.
A detailed description explaining what the automation rule does and when it applies.
Controls whether the automation rule is enabled and will process findings.
The unique name identifier for the automation rule.
List of AWS regions where this automation rule should not be applied.
Indicates whether this rule is the last rule applied to a matching finding. When true, no later rules are evaluated for a finding once this rule's actions have been applied.
The execution order for this rule when multiple rules apply to the same finding. Rules with lower numbers execute first. Valid range: 1-1000.
Configuration for defining the filtering criteria that Security Hub findings must match to trigger automation rule actions. Each criteria specifies a finding field (key) and the filter conditions that determine whether a finding matches the rule. Supports any valid SecurityHub finding field as a key with appropriate filter arrays as values.
The filter conditions to apply to the specified finding field. The filter type (string, number, date, or key-value) must match the data type of the field being filtered.
The name of the Security Hub finding field to filter on.
Configuration for updating specific fields within Security Hub findings through automation rules. Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria.
The confidence score (0-100) indicating how certain the automation rule is about the finding's accuracy.
The criticality score (0-100) representing the business impact if this finding represents a real security issue.
Configuration for adding explanatory notes to Security Hub findings through automation rules. This allows automation rules to automatically document the reason for actions taken on findings, providing context and audit trails for security teams to understand automated decisions.
2 nested properties
The descriptive text content of the note that will be added to the finding. This should explain the reason for the automation action.
The name or identifier of the entity responsible for adding this note.
Array of related findings to link to this finding for correlation and context.
Severity label to assign to the finding.
Array of finding types to assign, categorizing the nature of the security issue.
Custom key-value pairs to add to the finding for organization-specific metadata.
The verification state to assign to the finding, indicating the validation status of the security issue. Valid values: UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE.
Workflow status to assign to the finding to update information about the investigation. This controls the finding's state in your security workflow (e.g., NEW, NOTIFIED, RESOLVED, SUPPRESSED).
Configuration for adding explanatory notes to Security Hub findings through automation rules. This allows automation rules to automatically document the reason for actions taken on findings, providing context and audit trails for security teams to understand automated decisions.
The descriptive text content of the note that will be added to the finding. This should explain the reason for the automation action.
The name or identifier of the entity responsible for adding this note.
Configuration for linking related findings in Security Hub automation rules. This allows automation rules to establish relationships between findings.
The unique identifier of the related finding within the specified security tool.
The Amazon Resource Name (ARN) of the security tool that generated the related finding. This identifies the source service or tool that created the finding you want to link to.
Configuration for date-based filtering criteria in Security Hub automation rules. This filter allows you to match findings based on date and time values in Security Hub finding fields.
Configuration for relative date range filtering based on a rolling time window. This provides a dynamic alternative to fixed start/end dates, automatically adjusting the filter criteria based on the current date and time.
2 nested properties
The time unit for the date range calculation. Currently only "DAYS" is supported for relative date filtering.
The number of time units to look back from the current date. For example, a value of 30 with unit "DAYS" would match findings from the last 30 days.
The end date and time for the date range filter in ISO 8601 format. Findings with dates on or before this timestamp will match the filter. Use this to define the end boundary of a specific time period for filtering.
The start date and time for the date range filter in ISO 8601 format. Findings with dates on or after this timestamp will match the filter. Use this to define the beginning of a specific time period for filtering.
Configuration for key-value pair filtering criteria in Security Hub automation rules. This filter allows you to match findings based on custom key-value pairs in Security Hub finding fields.
The comparison operator that defines how the filter value should be matched against the key's value. Different operators enable various matching strategies for key-value pair filtering.
- EQUALS: Exact match of the value
- NOT_EQUALS: Does not match the value exactly
- CONTAINS: Value contains the specified text
- NOT_CONTAINS: Value does not contain the specified text
The key name to filter on within key-value pair fields. This specifies which key within a structured field (like tags or user-defined fields) to examine.
The value to match against for the specified key. This is the target value that will be compared against the actual value associated with the key.
Configuration for numeric-based filtering criteria in Security Hub automation rules. This filter allows you to match findings based on numeric values in Security Hub finding fields.
Matches findings where the numeric field value exactly equals this number. Use this to filter for findings with specific numeric values.
Matches findings where the numeric field value is greater than this number. Use this for strict greater-than comparisons (excluding the boundary value).
Matches findings where the numeric field value is greater than or equal to this number. Use this to filter for findings above a certain threshold (e.g., high severity scores).
Greater than or equal to value
Matches findings where the numeric field value is less than this number. Use this for strict less-than comparisons (excluding the boundary value).
Matches findings where the numeric field value is less than or equal to this number. Use this to filter for findings below a certain threshold (e.g., low confidence scores).
Less than or equal to value
Configuration for string-based filtering criteria in Security Hub automation rules. This filter allows you to match findings based on text values in Security Hub finding fields, enabling precise automation rules that target specific types of findings based on their string attributes.
The comparison operator that defines how the filter value should be matched against finding field values. Different operators enable various matching strategies from exact matches to partial text searches.
- EQUALS: Exact match
- PREFIX: Starts with the specified value
- NOT_EQUALS: Does not match exactly
- PREFIX_NOT_EQUALS: Does not start with the specified value
- CONTAINS: Contains the specified value anywhere
- NOT_CONTAINS: Does not contain the specified value
- CONTAINS_WORD: Contains the specified value as a complete word
The string value to match against when filtering Security Hub findings.
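The automation-rule fields above (name, enabled, ruleOrder, isTerminal, criteria) and the four filter types (string, number, date, key-value) are easier to reason about with a matcher you can run locally against a sample finding before deploying a rule. The block below is an added illustration, not Landing Zone Accelerator or Security Hub code: the dictionary shapes mirror the page's descriptions but their exact key spellings are assumptions, the finding attribute names follow the AWS Security Finding Format, the clock is fixed, and the sample finding and rules are constructed. It also encodes two semantics the page only implies: all criteria must hold while any one filter inside a criterion suffices, and a terminal rule stops evaluation of later rules.

```python
"""Evaluate Security Hub automation-rule criteria against a finding, locally.
Added illustration, not Landing Zone Accelerator or Security Hub code. Rule and
filter dictionary keys are assumed spellings of the fields the page describes;
finding attribute names follow the ASFF (SeverityLabel, Confidence, ...)."""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

STRING_OPS = {
    "EQUALS": lambda s, v: s == v,
    "NOT_EQUALS": lambda s, v: s != v,
    "PREFIX": lambda s, v: s.startswith(v),
    "PREFIX_NOT_EQUALS": lambda s, v: not s.startswith(v),
    "CONTAINS": lambda s, v: v in s,
    "NOT_CONTAINS": lambda s, v: v not in s,
    # whole word only: "EC2" matches "EC2 group" but not "EC20"
    "CONTAINS_WORD": lambda s, v: re.search(r"\b" + re.escape(v) + r"\b", s) is not None,
}
NUMBER_OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
              "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b}

def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def match_string(value, f):
    return STRING_OPS[f["comparison"]](value, f["value"])

def match_number(value, f):
    return all(NUMBER_OPS[k](value, bound) for k, bound in f.items())

def match_date(value, f, now=NOW):
    ts = _iso(value)
    if "dateRange" in f:  # rolling window; the page notes that only DAYS is supported
        if f["dateRange"]["unit"] != "DAYS":
            raise ValueError("only DAYS is supported for dateRange")
        return now - timedelta(days=f["dateRange"]["value"]) <= ts <= now
    ok = "start" not in f or ts >= _iso(f["start"])
    return ok and ("end" not in f or ts <= _iso(f["end"]))

def match_filter(value, f):
    """Pick the filter type from the filter's shape; it must suit the field's data type."""
    if "key" in f:  # key-value filter on a map field such as ResourceTags
        actual = value.get(f["key"])  # assumption: an absent key never matches, even for NOT_*
        return actual is not None and match_string(actual, f)
    if "comparison" in f:
        return match_string(value, f)
    if "dateRange" in f or "start" in f or "end" in f:
        return match_date(value, f)
    return match_number(value, f)

def finding_matches(finding, criteria):
    """Every criterion must hold; inside one criterion any single filter suffices (assumed OR)."""
    for crit in criteria:
        value = finding.get(crit["key"])
        if value is None or not any(match_filter(value, f) for f in crit["filters"]):
            return False
    return True

def apply_rules(finding, rules):
    """Run enabled rules in ascending ruleOrder; a terminal rule stops further processing.
    Returns (names of rules that fired, updated copy of the finding)."""
    finding = dict(finding)
    fired = []
    for rule in sorted((r for r in rules if r["enabled"]), key=lambda r: r["ruleOrder"]):
        if not finding_matches(finding, rule["criteria"]):
            continue
        fired.append(rule["name"])
        for action in rule["actions"]:
            if action["type"] == "FINDING_FIELDS_UPDATE":
                finding.update(action["findingFieldsUpdate"])
        if rule["isTerminal"]:
            break
    return fired, finding

# Constructed sample finding and rules (not real Security Hub output or accelerator config).
SAMPLE_FINDING = {
    "GeneratorId": "security-control/EC2.19",
    "SeverityLabel": "HIGH",
    "Confidence": 95,
    "CreatedAt": "2024-06-10T08:00:00Z",
    "ResourceTags": {"Environment": "sandbox", "Owner": "red-team"},
    "WorkflowStatus": "NEW",
}
SAMPLE_RULES = [
    {"name": "suppress-sandbox-ec2", "ruleOrder": 10, "isTerminal": True, "enabled": True,
     "criteria": [
         {"key": "ResourceTags", "filters": [{"key": "Environment", "value": "sandbox", "comparison": "EQUALS"}]},
         {"key": "GeneratorId", "filters": [{"value": "security-control/EC2.", "comparison": "PREFIX"}]},
         {"key": "CreatedAt", "filters": [{"dateRange": {"value": 30, "unit": "DAYS"}}]},
     ],
     "actions": [{"type": "FINDING_FIELDS_UPDATE", "findingFieldsUpdate": {"WorkflowStatus": "SUPPRESSED"}}]},
    {"name": "escalate-confident-high", "ruleOrder": 20, "isTerminal": False, "enabled": True,
     "criteria": [
         {"key": "Confidence", "filters": [{"gte": 90}]},
         {"key": "SeverityLabel", "filters": [{"value": "HIGH", "comparison": "EQUALS"}, {"value": "CRITICAL", "comparison": "EQUALS"}]},
     ],
     "actions": [{"type": "FINDING_FIELDS_UPDATE", "findingFieldsUpdate": {"Criticality": 90}}]},
]
```

With the sample data, the sandbox suppression rule fires first and, because it is terminal, the escalation rule never runs even though the finding also satisfies its criteria; flip `isTerminal` to false and both fire. That ordering interaction is the usual surprise when suppression and enrichment rules share a finding, so check it here before setting `ruleOrder` values in the configuration.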
Configuration for Amazon Security Hub, a centralized security findings management service that aggregates security alerts from multiple AWS security services. Use this configuration to enable Amazon Security Hub for an AWS Organization along with its auditing configuration.
Controls whether AWS Security Hub is enabled across your organization.
List of security and compliance standards that Security Hub will monitor across your organization.
Controls whether Security Hub is automatically enabled for new accounts joining the organization.
Configuration for Security Hub automation rules that automatically update findings based on specified criteria.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
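The precedence rule above (exclusions win over both OU and account inclusions, regions are filtered separately) is easy to get wrong, and a misspelled account name in `excludedAccounts` silently excludes nothing. The resolver below is an added illustration, not Landing Zone Accelerator code: it assumes a flat OU-to-accounts map and a fixed list of enabled regions, both constructed for the example, and uses the property names shown in the page's own example.

```python
"""Resolve a deploymentTargets block into the concrete (account, region) pairs it covers.
Added illustration, not Landing Zone Accelerator code: the organization layout and the
enabled-region list are constructed sample data, the OU map is kept flat (no nested OU
paths), and the property names follow the page's example."""

# Constructed sample organization: OU name -> account names in that OU.
SAMPLE_ORG = {
    "Security": ["Audit", "LogArchive"],
    "Production": ["ProdWeb", "ProdData"],
    "Development": ["DevSandbox"],
}
# Constructed list of regions the accelerator is assumed to manage.
ENABLED_REGIONS = ["us-east-1", "us-west-1", "eu-west-1"]


def resolve_accounts(targets, org=SAMPLE_ORG):
    """Expand OUs and explicit accounts, then apply excludedAccounts, which wins over both."""
    selected = []
    for ou in targets.get("organizationalUnits", []):
        if ou not in org:
            raise KeyError(f"unknown organizational unit {ou!r}")
        selected.extend(org[ou])
    selected.extend(targets.get("accounts", []))
    excluded = set(targets.get("excludedAccounts", []))
    result = []
    for acct in selected:  # keep first-seen order, drop duplicates and exclusions
        if acct not in excluded and acct not in result:
            result.append(acct)
    return result


def resolve_regions(targets, regions=ENABLED_REGIONS):
    excluded = set(targets.get("excludedRegions", []))
    return [r for r in regions if r not in excluded]


def resolve_targets(targets, org=SAMPLE_ORG, regions=ENABLED_REGIONS):
    """Every account that survives exclusion, in every region that survives exclusion."""
    return [(a, r) for a in resolve_accounts(targets, org) for r in resolve_regions(targets, regions)]


def unknown_names(targets, org=SAMPLE_ORG, regions=ENABLED_REGIONS):
    """Names in the block that match nothing in the organization or region list.
    Usually a typo that turns an exclusion (or inclusion) into a silent no-op."""
    known_accounts = {a for accts in org.values() for a in accts}
    bad = [a for k in ("accounts", "excludedAccounts") for a in targets.get(k, []) if a not in known_accounts]
    bad += [r for r in targets.get("excludedRegions", []) if r not in regions]
    return bad
```

Feed it the `deploymentTargets` block of a Security Hub standard or Config rule set together with your real OU layout and diff the resulting pairs against what you expected; `unknown_names` is the check to run after any rename of an account.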
List of AWS regions where Security Hub should not be enabled.
Configuration for Security Hub logging destinations that determines where security findings are stored for analysis. This configuration allows you to centralize Security Hub findings in CloudWatch Logs for integration with your monitoring and alerting infrastructure.
1 nested property
Configuration for forwarding Security Hub findings to CloudWatch for centralized monitoring and analysis.
3 nested properties
Controls whether Security Hub findings are automatically forwarded to CloudWatch Logs. When enabled, findings are sent to CloudWatch for integration with monitoring dashboards and alerting systems.
Name of the CloudWatch Log Group where Security Hub findings will be stored.
Security Hub Severity Level Type
Defines the severity levels used by AWS Security Hub for categorizing security findings and compliance issues.
Values (Highest to Lowest Severity)
- CRITICAL: Immediate action required, severe security risk
- HIGH: Urgent attention needed, significant security concern
- MEDIUM: Important but not urgent, moderate security risk
- LOW: Minor security concern, low priority
- INFORMATIONAL: Informational findings, no immediate action needed
Minimum severity level for findings that will trigger SNS notifications.
Controls whether Security Hub findings from all regions are aggregated in your organization's home region.
Name of the SNS topic that will receive Security Hub notifications.
Configuration for forwarding Security Hub findings to CloudWatch for centralized monitoring and analysis.
Controls whether Security Hub findings are automatically forwarded to CloudWatch Logs. When enabled, findings are sent to CloudWatch for integration with monitoring dashboards and alerting systems.
Name of the CloudWatch Log Group where Security Hub findings will be stored.
Security Hub Severity Level Type
Defines the severity levels used by AWS Security Hub for categorizing security findings and compliance issues.
Values (Highest to Lowest Severity)
- CRITICAL: Immediate action required, severe security risk
- HIGH: Urgent attention needed, significant security concern
- MEDIUM: Important but not urgent, moderate security risk
- LOW: Minor security concern, low priority
- INFORMATIONAL: Informational findings, no immediate action needed
Configuration for Security Hub logging destinations that determines where security findings are stored for analysis. This configuration allows you to centralize Security Hub findings in CloudWatch Logs for integration with your monitoring and alerting infrastructure.
Configuration for forwarding Security Hub findings to CloudWatch for centralized monitoring and analysis.
3 nested properties
Controls whether Security Hub findings are automatically forwarded to CloudWatch Logs. When enabled, findings are sent to CloudWatch for integration with monitoring dashboards and alerting systems.
Name of the CloudWatch Log Group where Security Hub findings will be stored.
Security Hub Severity Level Type
Defines the severity levels used by AWS Security Hub for categorizing security findings and compliance issues.
Values (Highest to Lowest Severity)
- CRITICAL: Immediate action required, severe security risk
- HIGH: Urgent attention needed, significant security concern
- MEDIUM: Important but not urgent, moderate security risk
- LOW: Minor security concern, low priority
- INFORMATIONAL: Informational findings, no immediate action needed
Configuration for enabling specific compliance and security standards within Amazon Security Hub. Use this configuration to define the security standard(s) that are enabled through Amazon Security Hub and which accounts and/or organization units that the controls are deployed to.
Controls whether this Security Hub standard is enabled to monitor compliance across your specified deployment targets. When enabled, Security Hub continuously evaluates your resources against the standard's security controls.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
List of specific control names within the security standard that should be disabled.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
This interface is deprecated and has been replaced by the snsTopics configuration in the global config. Organizations should migrate to the new SNS topic configuration.
Configuration for legacy SNS notification subscriptions that send security alerts to email addresses.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configuration for AWS Systems Manager (SSM) automation that enables centralized management and distribution of SSM documents across your AWS Organization.
Array of document sets that define which SSM documents to create and share across organizational units.
List of AWS regions where SSM automation documents should not be deployed.
Configuration for AWS Systems Manager (SSM) security settings and controls across your organization. This enables centralized management of SSM security features to ensure secure and governed access to your managed resources while preventing unauthorized sharing of sensitive automation documents.
This interface defines the SSM Block Public Document Sharing configuration for organization accounts. SSM Block Public Document Sharing prevents AWS Systems Manager documents from being shared publicly, providing an additional layer of security for organizations. The feature operates on a per-region basis and is applied across all enabled regions for comprehensive protection.
2 nested properties
Indicates whether SSM Block Public Document Sharing is enabled across the organization. When true, blocks public document sharing on all accounts except those in excludeAccounts. When false, allows public document sharing on all accounts. This setting is applied in all enabled regions for comprehensive security coverage.
List of AWS Account names to be excluded from SSM Block Public Document Sharing configuration. Accounts in this list will have public document sharing allowed regardless of the enable setting. Account names must match those defined in the accounts configuration. Exclusions are applied across all enabled regions.
AWS Resource Tag Configuration
Defines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.
Key Features
- Resource Organization: Group and categorize resources logically
- Cost Allocation: Track costs by project, department, or environment
- Access Control: Use tags in IAM policies for conditional access
- Automation: Trigger automated actions based on tag values
- Compliance: Meet organizational and regulatory tagging requirements
Example
```yaml
tags:
  - key: Environment
    value: Production
  - key: Project
    value: WebApplication
  - key: Owner
    value: Platform-Team
  - key: CostCenter
    value: Engineering
  - key: Backup
    value: Daily
```
Tag Key (Required)
The tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.
Tag Value (Required)
The tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.
S3 Storage Class Transition Configuration
Defines when and how objects should transition from their current storage class to a different storage class. Used in S3 lifecycle rules to optimize storage costs based on data access patterns and retention requirements.
Key Components
- Storage Class: Target storage class for the transition
- Transition Timing: Number of days after object creation or version change
Example
```yaml
transitions:
  - storageClass: STANDARD_IA
    transitionAfter: 30
  - storageClass: GLACIER
    transitionAfter: 365
  - storageClass: DEEP_ARCHIVE
    transitionAfter: 2555
```
S3 Storage Class Type
Defines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.
Transition After (Days) (Required)
Number of days after object creation (for current versions) or after becoming non-current (for non-current versions) when the transition should occur.
Configuration for defining which AWS resources trigger evaluations for custom AWS Config rules.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The method used to identify which resources should trigger Config rule evaluations. This determines how the Config rule will find and evaluate AWS resources for compliance.
Array of values used to match resources based on the lookup type and key.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Security Hub Severity Level Type
Defines the severity levels used by AWS Security Hub for categorizing security findings and compliance issues.
Values (Highest to Lowest Severity)
- CRITICAL: Immediate action required, severe security risk
- HIGH: Urgent attention needed, significant security concern
- MEDIUM: Important but not urgent, moderate security risk
- LOW: Minor security concern, low priority
- INFORMATIONAL: Informational findings, no immediate action needed
S3 Storage Class Type
Defines the available Amazon S3 storage classes for lifecycle transitions. Each storage class is optimized for different access patterns, durability requirements, and cost considerations.