What does this AWS Solution do?
The Landing Zone Accelerator on AWS solution deploys a cloud foundation that is architected to align with AWS best practices and multiple global compliance frameworks. With this solution, customers with highly-regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. When used in coordination with other AWS services, it provides a comprehensive low-code solution across 35+ AWS services. Currently, we include specific notes regarding use of this solution to support alignment with:
- United States (US) Federal and Department of Defense (DoD) guidance such as:
  - DoD Cloud Computing Security Requirements Guide (CC SRG) for hosting Impact Level (IL)4 and IL5 workloads
  - DoD Cybersecurity Maturity Model Certification (CMMC) readiness
- United Kingdom (UK) National Cyber Security Centre (NCSC) guidance
- Healthcare guidance for various geographies such as:
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Automatically set up a cloud environment suitable for hosting secure workloads. You can deploy this solution in all AWS Regions. This helps you maintain consistency of your operations and governance across AWS standard Regions, AWS GovCloud (US), and other non-standard partitions in AWS.
Deploy the solution in an AWS Region suitable for your data classification, and use Amazon Macie to provide sensitive data detection in Amazon S3. This solution also helps you deploy, operate, and govern a centrally managed encryption strategy using AWS KMS.
Leverage a foundational infrastructure for deploying mission-critical workloads across a centrally-governed multi-account environment.
AWS Solution overview
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.
Landing Zone Accelerator on AWS architecture
This solution includes an AWS CloudFormation template you deploy in the account you want to use as the management account for your multi-account environment.
- You use AWS CloudFormation to install the solution into your environment. Your environment must meet prerequisites prior to deploying the solution. The provided CloudFormation template will deploy an AWS CodePipeline that contains the Landing Zone Accelerator on AWS installation engine.
- The Installer pipeline deploys the solution’s Core features. Because this installer functions separately from the Core solution infrastructure, you can update to future versions of the solution with a single parameter through the AWS CloudFormation console.
- An AWS CodeBuild project functions as an orchestration engine to build and execute the solution’s AWS CDK application that deploys the Core AWSAccelerator-PipelineStack template and its associated dependencies.
- The solution deploys Amazon Simple Notification Service (Amazon SNS) topics that you can subscribe to for alerts on core pipeline events, which can increase observability of your Core pipeline operations. Additionally, the solution deploys two AWS Key Management Service (AWS KMS) customer-managed keys to manage encryption at rest of Installer and Core pipeline dependencies.
- The Core pipeline validates and synthesizes inputs and deploys additional CloudFormation stacks with AWS CDK. An AWS CodeCommit repository named aws-accelerator-config stores the configuration files that the solution uses. These configuration files are the primary mechanism for configuring and managing the solution.
- An AWS CodeBuild project compiles and validates the solution’s AWS CDK application configuration.
- Multiple AWS CodeBuild deployment stages deploy the resources that were defined in the solution configuration files to your multi-account environment. An optional manual review stage may be included, allowing you to view all the changes that these stages will apply.
- The solution deploys resources that monitor AWS Control Tower lifecycle events to detect potential drift against a known good state (in other words, when the actual configuration of an infrastructure resource differs from its expected configuration). The solution also deploys resources that can automate the enrollment of new AWS accounts into your multi-account environment. When using AWS Control Tower with this solution, ensure that accounts and organizational units (OUs) within your AWS Control Tower environment are properly enrolled. You can manage this through the AWS Control Tower console.
- The solution deploys centralized logging resources in the Log Archive account in your multi-account environment. This includes Amazon Kinesis resources to stream and ingest logs, AWS KMS keys to facilitate encryption at rest, and Amazon Simple Storage Service (Amazon S3) buckets as log storage destinations.
- You can enroll and provision workload accounts into your multi-account environment with additional infrastructure through the solution’s configuration files. At a minimum, new accounts are provisioned with resources that facilitate streaming Amazon CloudWatch log groups to the centralized logging infrastructure in the Log Archive account.
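The configuration files in the aws-accelerator-config repository are the steering input for the Core pipeline described above. The fragment below is an added illustration, not taken from this page or from the solution's own repository; file names and keys follow the structure of the solution's published sample configuration, the account e-mail addresses are placeholders, and you should check every key against the schema of the solution version you deploy.

```yaml
# --- accounts-config.yaml (illustrative) ---
# The three mandatory accounts of the multi-account environment. LogArchive is the
# account that receives the centralized logging resources described on this page.
mandatoryAccounts:
  - name: Management
    description: Management account that hosts the Installer and Core pipelines
    email: management-placeholder@example.com   # placeholder, replace before use
    organizationalUnit: Root
  - name: LogArchive
    description: Central log storage (Kinesis, KMS keys, S3 buckets)
    email: logarchive-placeholder@example.com   # placeholder, replace before use
    organizationalUnit: Security
  - name: Audit
    description: Security tooling and audit account
    email: audit-placeholder@example.com        # placeholder, replace before use
    organizationalUnit: Security
# Workload accounts enrolled through this file are provisioned with the baseline
# resources that stream their CloudWatch log groups to the LogArchive account.
workloadAccounts:
  - name: SharedServices
    description: Example workload account enrolled by the solution
    email: sharedservices-placeholder@example.com  # placeholder, replace before use
    organizationalUnit: Infrastructure

# --- global-config.yaml (illustrative) ---
homeRegion: &HOME_REGION us-east-1
enabledRegions:
  - *HOME_REGION
# Role the management account assumes in member accounts; this name is the one
# AWS Control Tower creates, matching the Control Tower integration on this page.
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 3650
terminationProtection: true
controlTower:
  enable: true
logging:
  # Log destination account; must match the name used in accounts-config.yaml.
  account: LogArchive
  cloudtrail:
    enable: false            # Control Tower already provides the organization trail
    organizationTrail: false
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true           # session logs land in the LogArchive S3 buckets
```

Changing these files and pushing the commit is what triggers the Core pipeline; the optional manual review stage lets you inspect the resulting stack changes before they are applied.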