Accelerator global configuration

Hierarchy

  • IGlobalConfig

Properties

acceleratorMetadata?: IAcceleratorMetadataConfig

Accelerator Metadata Configuration. Creates a bucket in the logging account to enable accelerator metadata collection.

Example

acceleratorMetadata:
  enable: true
  account: Logging

acceleratorSettings?: IAcceleratorSettingsConfig

Accelerator Settings Configuration. Allows additional properties to be set for the accelerator.

Example

acceleratorSettings:
  maxConcurrentStacks: 250

backup?: IBackupConfig

Backup Vaults Configuration

To create backup vaults, provide a value like the one below for this parameter.

Example

backup:
  vaults:
    - name: MyBackUpVault
      deploymentTargets:
        organizationalUnits:
          - Root

cdkOptions?: ICdkOptionsConfig

AWS CDK options configuration. This lets you customize the operation of the CDK within LZA, specifically:

  • centralizeBuckets: Enabling this option modifies the CDK bootstrap process to use a single S3 bucket per region, located in the management account, for CDK assets generated by LZA. Otherwise, CDK creates a new S3 bucket in every account and every region supported by LZA.
  • useManagementAccessRole: Enabling this option modifies CDK operations to use the IAM role specified in the managementAccountAccessRole option in global-config.yaml rather than the default roles created by CDK. The default CDK roles are still created but remain unused. Any stacks previously deployed by LZA retain their associated execution role. For more information on these roles, please see here.

Example

cdkOptions:
  centralizeBuckets: true
  useManagementAccessRole: true

centralizeCdkBuckets?: ICentralizeCdkBucketsConfig

Deprecated

NOTICE: The configuration of CDK buckets is being moved to cdkOptions in the Global Config. This block is deprecated and will be removed in a future release.

See

cdkOptionsConfig

To indicate that workload accounts should use the cdk-assets S3 buckets in the management account, provide the value below for this parameter.

Example

centralizeCdkBuckets:
  enable: true

cloudwatchLogRetentionInDays: number

Global CloudWatch Logs retention in days configuration.

Remarks

This retention setting is applied to all CloudWatch log groups created by the accelerator. It is also applied to any CloudWatch log groups that already exist in the target environment if the log group's current retention setting is LOWER than the configured value.

controlTower: IControlTowerConfig

AWS Control Tower Landing Zone configuration

To indicate that the environment has Control Tower enabled, provide the value below for this parameter.

Example

controlTower:
  enable: true

enabledRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-south-2" | "ap-southeast-1" | "ap-southeast-2" | "ap-southeast-3" | "ap-northeast-1" | "ap-northeast-2" | "ap-northeast-3" | "ca-central-1" | "eu-central-1" | "eu-central-2" | "eu-west-1" | "eu-west-2" | "eu-west-3" | "eu-north-1" | "eu-south-1" | "eu-south-2" | "me-central-1" | "me-south-1" | "sa-east-1" | "us-east-1" | "us-east-2" | "us-west-1" | "us-west-2" | "cn-north-1" | "cn-northwest-1" | "us-gov-west-1" | "us-gov-east-1" | "us-iso-east-1" | "us-iso-west-1" | "us-isob-east-1" | "ap-southeast-4" | "il-central-1" | "ca-west-1")[]

List of AWS Region names where the accelerator will be deployed. The home region must be part of this list.

To deploy the accelerator to us-west-2 in addition to the home region, provide the value below for this parameter (the *HOME_REGION alias refers to the anchor defined on homeRegion).

Example

enabledRegions:
  - *HOME_REGION
  - us-west-2

externalLandingZoneResources?: IExternalLandingZoneResourcesConfig

ExternalLandingZoneResourcesConfig.

Example

externalLandingZoneResources:
  importExternalLandingZoneResources: false

homeRegion: string

Accelerator home region name. This is the region where the accelerator pipeline is deployed.

To use us-east-1 as the home region for the accelerator, provide the value below for this parameter. Note: the YAML anchor HOME_REGION is defined here so that the home region can be referenced again later in the file (for example in enabledRegions).

Example

homeRegion: &HOME_REGION us-east-1

lambda?: ILambdaConfig

AWS Lambda Function environment variables encryption configuration options.

Remarks

You can choose between an AWS KMS CMK and an AWS managed key for Lambda function environment variable encryption. When this property is undefined, the solution deploys an AWS KMS CMK to encrypt function environment variables. Use deploymentTargets to control the target accounts and regions for the given useCMK configuration.

For more information please see here

Example

lambda:
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root

AWS Service Quota - Limit configuration

To request service quota limits, provide a value like the one below for this parameter.

Example

limits:
  - serviceCode: lambda
    quotaCode: L-2ACBD22F
    desiredValue: 2000
    deploymentTargets:
      organizationalUnits:
        - Infrastructure

Accelerator logging configuration

To enable the organization trail and send Session Manager logs to S3, provide a value like the one below for this parameter.

Example

logging:
  account: LogArchive
  cloudtrail:
    enable: false
    organizationTrail: false
    cloudtrailInsights:
      apiErrorRateInsight: true
      apiCallRateInsight: true
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
  cloudwatchLogs:
    dynamicPartitioning: logging/dynamic-partition.json

managementAccountAccessRole: string

Name of the role that trusts the management account, allowing principals in the management account to assume it as permitted by the management account administrator. The role has administrator permissions in each new member account.

Examples:

  • AWSControlTowerExecution
  • OrganizationAccountAccessRole

reports?: IReportConfig

Report configuration

To enable a budget report along with a cost and usage report, provide a value like the one below for this parameter.

Example

reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    s3Prefix: cur
    timeUnit: DAILY
    refreshClosedReports: true
    reportVersioning: CREATE_NEW_REPORT
  budgets:
    - name: accel-budget
      timeUnit: MONTHLY
      type: COST
      amount: 2000
      includeUpfront: true
      includeTax: true
      includeSupport: true
      includeSubscription: true
      includeRecurring: true
      includeOtherSubscription: true
      includeDiscount: true
      includeCredit: false
      includeRefund: false
      useBlended: false
      useAmortized: false
      unit: USD
      notifications:
        - type: ACTUAL
          thresholdType: PERCENTAGE
          threshold: 90
          comparisonOperator: GREATER_THAN
          subscriptionType: EMAIL
          address: myemail+pa-budg@example.com

AWS S3 global configuration options.

Remarks

You can choose whether to create an AWS KMS CMK for AWS S3 server-side encryption. When this property is undefined, the solution deploys an AWS KMS CMK to encrypt the AWS S3 buckets. Use deploymentTargets to control the target accounts and regions for the given createCMK configuration. This configuration does not apply to the LogArchive account's central logging region, because the CentralLogs bucket deployed by the solution is always encrypted with an AWS KMS CMK. It also does not apply to the Management account Asset bucket in the home region, nor to the assets S3 bucket where that bucket is created: each of these buckets always has a key generated and applied to it.

For more information please see here

Example

s3:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root

snsTopics?: ISnsConfig

SNS Topics Configuration

To send CloudWatch Alarm and Security Hub notifications, you must configure at least one SNS topic. For Security Hub notifications, set the deployment target to Root in order to receive notifications from all accounts.

Example

snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - SecurityNotifications@example.com

ssmInventory?: ISsmInventoryConfig

SSM Inventory Configuration

Before enabling, review the SSM Inventory EC2 prerequisites and connectivity prerequisites.

Example

ssmInventory:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure

ssmParameters?: ISsmParametersConfig[]

SSM parameter configurations

Create SSM parameters through the LZA. Parameters can be deployed to Organizational Units or accounts using deploymentTargets.

Example

ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: WorkloadParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'

tags?: ITag[]

Custom Tags for all resources created by Landing Zone Accelerator that can be tagged.

Example

tags:
  - key: Environment
    value: Dev
  - key: ResourceOwner
    value: AcmeApp
  - key: CostCenter
    value: '123'

terminationProtection?: boolean

Whether to enable termination protection for this stack.
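
Several rules on this page only bite at deploy time: the home region must appear in enabledRegions, centralizeCdkBuckets is deprecated in favour of cdkOptions, cdkOptions.useManagementAccessRole relies on managementAccountAccessRole, cloudwatchLogRetentionInDays must be a number, and snsTopics needs a Root deployment target to receive Security Hub notifications from every account. The pre-deployment checker below is an added example written for this page, not LZA's own validator; it takes the plain dict a YAML loader produces from global-config.yaml (anchors already resolved), and the sample configs are constructed.

```python
"""Sanity checks for an LZA global-config.yaml (example for this page, not LZA code)."""


def check_global_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # homeRegion is required and must be one of the enabledRegions.
    home = cfg.get("homeRegion")
    regions = cfg.get("enabledRegions") or []
    if not home:
        findings.append("homeRegion is required")
    elif home not in regions:
        findings.append(f"homeRegion {home} must be listed in enabledRegions")

    # The old centralizeCdkBuckets block is deprecated; cdkOptions replaces it.
    if "centralizeCdkBuckets" in cfg:
        findings.append("centralizeCdkBuckets is deprecated; use cdkOptions.centralizeBuckets")
    cdk = cfg.get("cdkOptions") or {}
    if cdk.get("useManagementAccessRole") and not cfg.get("managementAccountAccessRole"):
        findings.append("cdkOptions.useManagementAccessRole needs managementAccountAccessRole")

    # Retention is a plain positive integer (bool is an int subclass, so exclude it).
    retention = cfg.get("cloudwatchLogRetentionInDays")
    if isinstance(retention, bool) or not isinstance(retention, int) or retention <= 0:
        findings.append("cloudwatchLogRetentionInDays must be a positive integer")

    # Security Hub notifications from all accounts require a Root deployment target.
    sns = cfg.get("snsTopics")
    if sns:
        ous = (sns.get("deploymentTargets") or {}).get("organizationalUnits") or []
        if "Root" not in ous:
            findings.append("snsTopics.deploymentTargets should include Root for Security Hub notifications")
    return findings


# Constructed sample built from the page's examples; retention value is made up.
SAMPLE_CONFIG = {
    "homeRegion": "us-east-1",
    "enabledRegions": ["us-east-1", "us-west-2"],
    "managementAccountAccessRole": "AWSControlTowerExecution",
    "cloudwatchLogRetentionInDays": 3653,
    "cdkOptions": {"centralizeBuckets": True, "useManagementAccessRole": True},
    "snsTopics": {"deploymentTargets": {"organizationalUnits": ["Root"]},
                  "topics": [{"name": "Security", "emailAddresses": ["SecurityNotifications@example.com"]}]},
}

# Same config with the home region dropped from enabledRegions and the deprecated block kept.
BAD_CONFIG = {**SAMPLE_CONFIG, "enabledRegions": ["us-west-2"], "centralizeCdkBuckets": {"enable": True}}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_global_config(cfg) or "OK")
```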

Generated using TypeDoc