Step 2: Launch your landing zone - AWS Control Tower

Step 2: Launch your landing zone

The AWS Control Tower CreateLandingZone API requires a landing zone version and a manifest file as input parameters. You can use the manifest file to configure the following features:

After compiling your manifest file, you're ready to create a new landing zone.

Note

AWS Control Tower does not support the Region deny control when using APIs to configure and launch a landing zone. After successfully launching your landing zone using APIs, you can use the AWS Control Tower console to Configure the Region deny control.

  1. Call the AWS Control Tower CreateLandingZone API. This API requires a landing zone version and a manifest file as input.

    aws controltower create-landing-zone --landing-zone-version 3.3 --manifest "file://LandingZoneManifest.json"

    Example LandingZoneManifest.json manifest:

    { "governedRegions": ["us-west-2","us-west-1"], "organizationStructure": { "security": { "name": "CORE" }, "sandbox": { "name": "Sandbox" } }, "centralizedLogging": { "accountId": "222222222222", "configurations": { "loggingBucket": { "retentionDays": 60 }, "accessLoggingBucket": { "retentionDays": 60 }, "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX" }, "enabled": true }, "securityRoles": { "accountId": "333333333333" }, "accessManagement": { "enabled": true } }
    Note

    As shown in the example, the AccountId for the CentralizedLogging and SecurityRoles accounts must be different.

    Output:

    { "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H", "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX" }
  2. Call the GetLandingZoneOperation API to check the status of the CreateLandingZone operation. The GetLandingZoneOperation API returns a status of SUCCEEDED, FAILED, or IN_PROGRESS.

    aws controltower get-landing-zone-operation --operation-identifier "55XXXXXX-eXXX-4XXX-aXXX-44XXXXXXXXXX"

    Output:

    { "operationDetails": { "operationType": "CREATE", "startTime": "Thu Nov 09 20:39:19 UTC 2023", "endTime": "Thu Nov 09 21:02:01 UTC 2023", "status": "SUCCEEDED" } }
  3. When the status returns as SUCCEEDED, you can call the GetLandingZone API to review the landing zone configuration.

    aws controltower get-landing-zone --landing-zone-identifier "arn:aws:controltower:us-west-2:123456789123:landingzone/1A2B3C4D5E6F7G8H"

    Output:

    { "landingZone": { "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H", "driftStatus": { "status": "IN_SYNC" }, "latestAvailableVersion": "3.3", "manifest": { "accessManagement": { "enabled": true }, "securityRoles": { "accountId": "333333333333" }, "governedRegions": [ "us-west-1", "eu-west-3", "us-west-2" ], "organizationStructure": { "sandbox": { "name": "Sandbox" }, "security": { "name": "CORE" } }, "centralizedLogging": { "accountId": "222222222222", "configurations": { "loggingBucket": { "retentionDays": 60 }, "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX", "accessLoggingBucket": { "retentionDays": 60 } }, "enabled": true } }, "status": "PROCESSING", "version": "3.3" } }