Prerequisites

You must meet the following prerequisites before launching the stack.

Activate a multi-account management solution

Landing Zone Accelerator on AWS solution can create, update, or reset an AWS Control Tower Landing Zone. When enabled, the solution will deploy AWS Control Tower in the home Region.

For AWS Control Tower based installation

Auto-deploy AWS Control Tower by the solution (recommended)

Using the Landing Zone Accelerator on AWS solution, you can create, update, or reset an AWS Control Tower Landing Zone. It is possible to maintain the AWS Control Tower Landing Zone using the Landing Zone Accelerator solution. When the installer stack of the solution is deployed with the ControlTowerEnabled parameter set to Yes, then the Landing Zone Accelerator solution will deploy the AWS Control Tower Landing Zone with the most recent version available.

The Landing Zone Accelerator solution can deploy AWS Control Tower Landing Zone when the following prerequisites are met.

• Configured AWS Organizations with all feature enabled in management account.

  Create AWS Organization and verify that your own the email address is provided for the management account in the organization. In order to learn more about setting up an AWS organization, you may refer to this Creating an organization in the AWS Organizations User Guide.

Note

In the event that AWS Organizations has been configured, but not all features have been enabled, the solution will enable all features for your organization.

• There are no AWS services enabled for AWS Organizations.

• There are no organization units created in the AWS Organizations.

• The only AWS account in the AWS Organization is the management account.

• The management account does not have AWS IAM Identity Center configured.

• The following AWS Control Tower service roles are not preset in the management account.

  • AWSControlTowerAdmin

  • AWSControlTowerCloudTrailRole

  • AWSControlTowerStackSetRole

  • AWSControlTowerConfigAggregatorRoleForOrganizations

Landing Zone Accelerator performs the following prerequisites before deploying AWS Control Tower Landing Zone. This document provides more information about AWS Control Tower prerequisites. The solution will not perform any of the prerequisites if there is an existing AWS Control Tower Landing Zone.

• Deploy following AWS Control Tower service roles in the management account:

  • AWSControlTowerAdmin

  • AWSControlTowerCloudTrailRole

  • AWSControlTowerStackSetRole

  • AWSControlTowerConfigAggregatorRoleForOrganizations

• Deploy AWS KMS CMK with alias alias/aws-controltower/key in the management account home Region.

• Create shared accounts (LogArchive and Audit) and invite to AWS Organizations.

• Deploy AWS Control Tower Landing Zone in the management account home Region.

Note

Landing Zone Accelerator on AWS uses the AWS Control Tower API to create and manage the AWS Control Tower Landing Zone.

Important

The AWS Console should be used to enable or disable the Region deny property for your AWS Control Tower Landing Zone. Currently, the Landing Zone Accelerator solution does not support the modification of the Region deny feature. Due to the fact that the Landing Zone Accelerator may deploy certain global AWS services, such as AWS IAM and AWS Organizations, the solution will add the global Region to the list of governed Regions in the AWS Control Tower if the home Region of the Landing Zone Accelerator is not the same as the global Region.

Manually deploy AWS Control Tower

To set up AWS Control Tower, refer to Getting started with AWS Control Tower in the AWS Control Tower User Guide.

Note

If you're using AWS Control Tower, we strongly recommended creating an AWS KMS customer managed key before deploying your landing zone. This AWS KMS key is used by services that AWS Control Tower manages to apply encryption at rest to sensitive log files. For more information on activating encryption for AWS Control Tower, see Configure your shared accounts and encryption.

If you’re deploying a new AWS Control Tower landing zone, you can add the prerequisite Infrastructure OU during the initial setup wizard. By default, the landing zone deploys with an additional Sandbox OU. You can rename this OU to Infrastructure if desired. Alternatively, you can create the InfrastructureOU after the landing zone is provisioned.

For more information about customizing the additional OU created during Control Tower setup, see Step 2b. Configure your organizational units (OUs) in the Control Tower User Guide.

For AWS Organizations based installation (without AWS Control Tower)

To set up AWS Organizations, refer to Getting started with AWS Organizations in the AWS Organization User Guide.

Ensure the Mandatory accounts are created. The Landing Zone Accelerator on AWS requires these three accounts at minimum to successfully deploy to your environment.

For more information on managing accounts in an AWS Organization, refer to Managing the AWS accounts in your organization in the AWS Organization User Guide.

Update AWS CodeBuild concurrency quota

Follow this procedure to check your current CodeBuild concurrency quota.

1. Navigate to the Service Quotas console in the account and Region for which you will deploy the Landing Zone Accelerator on AWS solution.

2. In the navigation pane, choose AWS services.

3. Search for then select AWS CodeBuild.

4. Select Concurrently running builds for Linux/Large environment.

5. If the value under Applied quota value is less than 3, select the quota link. Otherwise, skip the remaining steps.

6. Choose Request increase at account-level. In the Increase quota value box, enter 3 or more as the new quota value.

7. Choose Request. Ensure this quota increase request has been approved prior to deploying the solution. You can view your request status by choosing Quota request history in the navigation sidebar.

Ensure your global Region is accessible

Some AWS services and features apply configurations to your accounts at a global level rather than a regional level. In addition to the Regions that you enable in the solution configuration files; this solution requires access to the Region where global service API endpoints are hosted. The global Region depends on the AWS partition you will be deploying the solution to.

AWS partitions and their corresponding global Region

AWS Partition	Global Region
Standard (aws)	us-east-1
GovCloud US (aws-us-gov)	us-gov-west-1
China (aws-cn)	cn-northwest-1

Important

Ensure that you don’t have any existing AWS Organizations service control policies and/or Control Tower Region deny settings configured in your environment that would block access to the global Region listed above. You might experience Core pipeline failures if you do not allow access to this Region.

Create a GitHub personal access token and store in Secrets Manager

You require a GitHub access token to access the Landing Zone Accelerator on AWS code repository. Instructions on how to create a personal access token are located on GitHub Docs.

Note

The GitHub access token must have public_repo permissions.

Store the personal access token in Secrets Manager as plain text. Name the secret accelerator/github-token (case sensitive).

With the AWS Management Console:

1. Store a new secret, and select Other type of secrets, Plaintext.

2. Paste your secret with no formatting, leading, or trailing spaces (completely remove the example text).

3. Select an encryption key.

4. Set the secret name to accelerator/github-token (case sensitive).

5. Select Disable rotation.