Skip to content

Included Services, Features, and Configuration References⚓︎

The latest version of our configuration reference is hosted here: Latest TypeDocs.

Direct links to specific service configuration references are included in the following sections.

Documentation for previous releases

Please see TypeDocs for a full list of our versioned TypeDoc configuration references.

Account Configuration⚓︎

Used to manage all of the AWS accounts within the AWS Organization. Adding a new account configuration to accounts-config.yaml will invoke the account creation process from Landing Zone Accelerator on AWS.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS Accounts Account AccountsConfig AccountConfig / GovCloudAccountConfig Define commercial or GovCloud (US) accounts to be deployed by the accelerator.

Global Configuration⚓︎

Used to manage all of the global properties that can be inherited across the AWS Organization. Defined in global-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS Backup Backup Vaults GlobalConfig BackupConfig Define AWS Backup Vaults that can be used to store backups in accounts across the AWS Organization.
AWS Budgets Budget Reports GlobalConfig / ReportConfig BudgetReportConfig Define Budget report configurations for account(s) and/or organizational unit(s).
AWS CloudTrail Organization and Account Trails GlobalConfig / LoggingConfig CloudTrailConfig When specified, Organization and/or account-level trails are deployed.
Amazon CloudWatch Log Group Dynamic Partitioning GlobalConfig / LoggingConfig CloudWatchLogsConfig Custom partition values for CloudWatch Log Groups sent to centralized logging S3 bucket.
AWS Control Tower Control Tower GlobalConfig ControlTowerConfig It is recommended that AWS Control Tower is enabled. When enabled, the accelerator will deploy AWS Control Tower in the desired home region for your environment. If AWS Control Tower is already available in the home region of your environment prior to installing the accelerator, the accelerator will integrate with resources and guardrails deployed by AWS Control Tower.
AWS Control Tower Control Tower GlobalConfig / ControlTowerConfig ControlTowerLandingZoneConfig Define AWS Control Tower LandingZone configuration. When defined, the accelerator will manage AWS Control Tower LandingZone.
AWS Control Tower Control Tower Controls GlobalConfig / ControlTowerConfig ControlTowerControlConfig Define AWS Control Tower controls to be deployed into organizational unit(s).
AWS Cost and Usage Cost and Usage Report GlobalConfig / ReportConfig CostAndUsageReportConfig Define a global Cost and Usage report configuration for the AWS Organization.
AWS Regions Enabled Regions GlobalConfig GlobalConfig.enabledRegions Define one or more AWS Regions for the solution to manage.
Amazon S3 Lifecycle Rules GlobalConfig / LoggingConfig AccessLogBucketConfig / CentralLogBucketConfig Define global lifecycle rules for S3 access log buckets and the central log bucket deployed by the accelerator.
AWS Systems Manager Session Manager Session Manager logging configuration GlobalConfig / LoggingConfig SessionManagerConfig Define global logging configuration settings for Session Manager.
AWS Systems Manager Parameter Store GlobalConfig SsmParametersConfig Define parameters to be stored in SSM Parameter Store.
AWS SNS Topics SNS Topics Configuration GlobalConfig SnsTopicConfig Define SNS topics for notifications.
AWS Tags Tags Configuration GlobalConfig GlobalConfig.tags Define tags to apply to Landing Zone Accelerator created resources.

Identity and Access Management (IAM) Configuration⚓︎

Used to manage all of the IAM resources across the AWS Organization. Defined in iam-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS IAM Users IamConfig UserSetConfig Define IAM users to be deployed to specified account(s) and/or organizational unit(s).
AWS IAM Groups IamConfig GroupSetConfig Define IAM groups to be deployed to specified account(s) and/or organizational unit(s).
AWS IAM Policies IamConfig PolicySetConfig Define customer-managed IAM policies to be deployed to specified account(s) and/or organizational unit(s).
AWS IAM Roles IamConfig RoleSetConfig Define customer-managed IAM roles to be deployed to specified account(s) and/or organizational unit(s).
AWS IAM SAML identity providers IamConfig SamlProviderConfig Define a SAML identity provider to allow federated IAM access to the AWS Organization.
AWS IAM Identity Center Permission sets IamConfig IdentityCenterConfig Define IAM Identity Center (formerly AWS SSO) permission sets and assignments.
AWS Managed Microsoft AD Managed directory IamConfig ManagedActiveDirectoryConfig Define a Managed Microsoft AD directory.

Network Configuration⚓︎

Used to manage and implement network resources to establish a WAN/LAN architecture to support cloud operations and application workloads in AWS. Defined in network-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
Delete Default Amazon VPC Default VPC NetworkConfig DefaultVpcsConfig If enabled, deletes the default VPC in each account and region managed by the accelerator.
AWS Direct Connect Gateways, virtual interfaces, and gateway associations NetworkConfig DxGatewayConfig Define Direct Connect gateways, virtual interfaces, and Direct Connect Gateway associations.
Amazon Elastic Load Balancing Gateway Load Balancers, endpoint services, and endpoints NetworkConfig / CentralNetworkServicesConfig GwlbConfig Define a centrally-managed Gateway Load Balancer with an associated VPC endpoint service. Define Gateway Load Balancer endpoints that consume the service, allowing for deep packet inspection of workloads.
AWS Network Firewall Network Firewalls, policies, and rule groups NetworkConfig / CentralNetworkServicesConfig NfwConfig Define centrally-managed firewall rule groups and policies. Define Network Firewall endpoints that consume the policies, allowing for deep packet inspection of workloads.
Amazon Route 53 Resolver Resolver endpoints, rules, DNS firewall rule groups, and query logging configurations NetworkConfig / CentralNetworkServicesConfig ResolverConfig Define centrally-managed Resolver endpoints, Resolver rules, DNS firewall rule groups, and query logging configurations. DNS firewall rule groups, Resolver rules, and query logging configurations can be associated to VPCs defined in VpcConfig / VpcTemplatesConfig.
AWS Site-to-Site VPN Customer gateways and VPN connections NetworkConfig CustomerGatewayConfig Define Customer gateways and VPN connections that terminate on Transit Gateways or Virtual Private Gateways.
AWS Transit Gateway Transit Gateways and Transit Gateway route tables NetworkConfig TransitGatewayConfig Define Transit Gateways to deploy to a specified account and region in the AWS Organization.
AWS Transit Gateway Transit Gateway peering connections NetworkConfig TransitGatewayPeeringConfig Create Transit Gateway peering connections between two Transit Gateways defined in TransitGatewayConfig.
Amazon VPC Customer-managed prefix lists NetworkConfig PrefixListConfig Define customer-managed prefix lists to deploy to account(s) and region(s) in the AWS Organization. Prefix lists can be referenced in place of CIDR ranges in subnet route tables, security groups, and Transit Gateway route tables.
Amazon VPC DHCP options sets NetworkConfig DhcpOptsConfig Define custom DHCP options sets to deploy to account(s) and region(s) in the AWS Organization. DHCP options sets can be used by VPCs defined in VpcConfig / VpcTemplatesConfig.
Amazon VPC Flow Logs (global) NetworkConfig VpcFlowLogsConfig Define a global VPC flow log configuration for VPCs deployed by the accelerator. VPC-specific flow logs can also be created in VpcConfig / VpcTemplatesConfig.
Amazon VPC VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints NetworkConfig VpcConfig Define VPCs to deploy to a specified account and region in the AWS Organization.
Amazon VPC VPC endpoint policies NetworkConfig EndpointPolicyConfig Define custom VPC endpoint policies to deploy to account(s) and region(s) in the AWS Organization. Endpoint policies can be used by interface endpoints and/or gateway endpoints defined in VpcConfig / VpcTemplatesConfig.
Amazon VPC VPC peering connections NetworkConfig VpcPeeringConfig Create a peering connection between two VPCs defined in VpcConfig. NOTE: Not supported with VPCs deployed using VpcTemplatesConfig.
Amazon VPC IP Address Manager (IPAM) IPAM pools and scopes NetworkConfig / CentralNetworkServicesConfig IpamConfig Enable IPAM delegated administrator and configuration settings for IPAM pools and scopes. NOTE: IPAM is required for VPCs and subnets configured to use dynamic IPAM CIDR allocations.
Amazon VPC Templates VPCs, subnets, security groups, NACLs, route tables, NAT Gateways, and VPC endpoints NetworkConfig VpcTemplatesConfig Deploys a standard-sized VPC to multiple defined account(s) and/or organizational unit(s).

AWS Organizations Configuration⚓︎

Used to manage organizational units and policies in the AWS Organization. Defined in organization-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS Account Quarantine Quarantine OrganizationConfig QuarantineNewAccountsConfig If enabled, a Service Control Policy (SCP) is applied to newly-created accounts that denies all API actions from principles outside of the accelerator. This SCP is stripped from the new account when the accelerator completes resource provisioning for the new account.
AWS Organizations Backup Policies OrganizationConfig BackupPolicyConfig Define organizational backup policies to be deployed to account(s) and/or organizational unit(s).
AWS Organizations Organizational Units OrganizationConfig OrganizationalUnitConfig Define organizational units (OUs) for the AWS Organization. NOTE: When using AWS Control Tower, OUs must be registered in the Control Tower console prior to defining them in the configuration.
AWS Organizations Service Control Policies (SCPs) OrganizationConfig ServiceControlPolicyConfig Define organizational service control policies to be deployed to account(s) and/or organizational unit(s).
AWS Organizations Tag Policies OrganizationConfig TaggingPolicyConfig Define organizational tag policies to be deployed to account(s) and/or organizational unit(s).

Security Configuration⚓︎

Used to manage configuration of AWS security services. Defined in security-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS Audit Manager Audit Manager SecurityConfig / CentralSecurityServicesConfig AuditManagerConfig Enable Audit Manager delegated administrator and configuration settings.
Amazon CloudWatch Metrics, Alarms, and Log Groups SecurityConfig CloudWatchConfig Define CloudWatch metrics, alarms, and log groups to deploy into account(s) and/or organizational unit(s). You can also import existing log groups into your configuration.
AWS Config Config Recorder, Delivery Channel, Rules, and Remediations SecurityConfig AwsConfig Define an AWS Config Recorder, Delivery Channel, and custom and/or managed rule sets to deploy across the AWS Organization.
Amazon Detective Detective SecurityConfig / CentralSecurityServicesConfig DetectiveConfig Enable Detective delegated administrator and configuration settings. Note: Requires Amazon GuardDuty to be enabled for at least 48 hours.
Amazon EBS Default Volume Encryption SecurityConfig / CentralSecurityServicesConfig EbsDefaultVolumeEncryptionConfig Enable EBS default volume encryption across the AWS Organization.
Amazon GuardDuty GuardDuty SecurityConfig / CentralSecurityServicesConfig GuardDutyConfig Enable GuardDuty delegated administrator and configuration settings.
AWS IAM Access Analyzer SecurityConfig AccessAnalyzerConfig If enabled, IAM Access Analyzer analyzes policies and reports a list of findings for resources that grant public or cross-account access from outside your AWS Organizations in the IAM console and through APIs.
AWS IAM Password Policy SecurityConfig IamPasswordPolicyConfig Define a password policy for IAM users in the AWS Organization.
AWS KMS Customer-Managed Keys SecurityConfig KeyManagementServiceConfig Define customer-managed KMS keys to be deployed to account(s) and/or organizational unit(s).
Amazon Macie Macie SecurityConfig / CentralSecurityServicesConfig MacieConfig Enable Macie delegated administrator and configuration settings.
Amazon S3 S3 Public Access Block SecurityConfig / CentralSecurityServicesConfig S3PublicAccessBlockConfig Enable S3 public access block setting across the AWS Organization.
AWS Security Hub Security Hub SecurityConfig / CentralSecurityServicesConfig SecurityHubConfig Enable Security Hub delegated administrator and configuration settings.
Amazon SNS Subscriptions SecurityConfig / CentralSecurityServicesConfig SnsSubscriptionConfig Configure email subscriptions for security-related SNS notifications. NOTE: DEPRECATED Use SnsTopicConfig in the global configuration instead.
AWS Systems Manager Automation Automation Documents SecurityConfig / CentralSecurityServicesConfig SsmAutomationConfig Define SSM Automation Documents to be deployed to account(s) and/or organizational unit(s).
Resource Policy Enforcement Resource Policy Enforcement Config SecurityConfig ResourcePolicyEnforcementConfig Define compliance check and remediation for resource-based policy to be deployed to account(s) and/or organization unit, which will enforce resource policy for all applicable resources in the account and/or OU.

Customization Configuration⚓︎

Used to manage configuration of custom applications and CloudFormation stacks. Defined in the optional file customizations-config.yaml.

Service / Feature Resource Base Configuration Service / Feature Configuration Details
AWS CloudFormation Stacks CustomizationsConfig / CustomizationConfig CloudFormationStackConfig Define custom CloudFormation Stacks.
AWS CloudFormation StackSets CustomizationsConfig / CustomizationConfig CloudFormationStackSetConfig Define custom CloudFormation Stacksets.
Amazon Elastic Load Balancing Application Load Balancers CustomizationsConfig / AppConfigItem ApplicationLoadBalancerConfig Define an Application Load Balancer to be used for a custom application.
Amazon Elastic Load Balancing Network Load Balancers CustomizationsConfig / AppConfigItem NetworkLoadBalancerConfig Define a Network Load Balancer to be used for a custom application.
Amazon Elastic Load Balancing Target Groups CustomizationsConfig / AppConfigItem TargetGroupItemConfig Define a Target Group to be used with an Elastic Load Balancer.
Amazon EC2 Autoscaling Groups CustomizationsConfig / AppConfigItem AutoScalingConfig Define an autoscaling group to be used for a custom application.
Amazon EC2 Launch Template CustomizationsConfig / AppConfigItem LaunchTemplateConfig Define a launch template to be used for a custom application.
Amazon EC2 Next-generation firewalls (standalone or autoscaling) and firewall management appliances CustomizationsConfig Ec2FirewallConfig Define third-party EC2-based firewall appliances.
AWS Service Catalog Portfolios, products, and shares CustomizationsConfig / CustomizationConfig PortfolioConfig Define Service Catalog portfolios, products, and grant access permissions. You may also share portfolios to other accounts and OUs.

Other Services and Features⚓︎

Other mandatory and non-configurable services/features deployed by the solution are described in the Architecture overview and Architecture details section of the solution Implementation Guide.