Accounts Stack⚓︎

Overview⚓︎

The Accounts stack runs in the management account and handles organization-level account governance: Service Control Policies, service-linked roles, opt-in region enablement, and account move detection rules.

Deployment Scope⚓︎

Stage: accounts
Deployed to: Management account, global region
Config files consumed: organization-config.yaml, security-config.yaml, global-config.yaml

What It Deploys⚓︎

Service Control Policies (SCPs)⚓︎

Creates and attaches SCPs defined in organization-config.yaml
Supports dynamic policy replacements (e.g., VPC IDs generated by the pipeline)
Attaches quarantine SCP to new accounts (if enabled)

Service-Linked Roles⚓︎

Creates SLRs required by downstream security stacks:

IAM Access Analyzer
AWS Config
Amazon GuardDuty
AWS Security Hub
Amazon Macie
AWS Auto Scaling (if needed)

Opt-In Region Enablement⚓︎

When enableOptInRegions: true in global-config.yaml, enables opt-in regions for all accounts

Move Account Config Rule⚓︎

Deploys an AWS Config rule that detects when accounts are moved between OUs
Triggers re-evaluation of SCP attachments

Key Code Paths⚓︎

Component	File
Stack class	`accelerator/lib/stacks/accounts-stack.ts`
Policy resource helper	`accelerator/lib/resources/policy-resource.ts`
KMS key resource helper	`accelerator/lib/resources/kms-key-resource.ts`

Config-to-Resource Mapping⚓︎

Config Property	Resource Created
`organization-config.yaml → serviceControlPolicies`	`AWS::Organizations::Policy`
`organization-config.yaml → quarantineNewAccounts`	Quarantine SCP attachment
`global-config.yaml → enableOptInRegions`	Opt-in region enablement
`security-config.yaml → accessAnalyzer`	Access Analyzer SLR
`security-config.yaml → awsConfig`	Config SLR
`security-config.yaml → centralSecurityServices.guardduty`	GuardDuty SLR
`security-config.yaml → centralSecurityServices.securityHub`	Security Hub SLR
`security-config.yaml → centralSecurityServices.macie`	Macie SLR