
Account creation and drift detection - Landing Zone Accelerator on AWS

Account creation and drift detection

AWS account creation and management workflow with EventBridge, Lambda, DynamoDB, and other services.

Landing Zone Accelerator on AWS architecture – account provisioning and Control Tower drift detection

  1. The solution deploys Amazon EventBridge rules that monitor for AWS Control Tower lifecycle events. These rules invoke AWS Lambda functions that perform different actions based on the lifecycle event. The solution uses the AttachQuarantineScp function to attach an AWS Organizations SCP to newly enrolled accounts, if configured. The solution uses the ControlTowerOuEvents function to detect changes made to OUs in the multi-account environment.

  2. The Lambda functions have access to Amazon DynamoDB tables that contain stateful information about the multi-account environment. The functions use this data to validate changes made to the environment against a known good state.

  3. The account creation workflow is invoked by the Prepare stage of the AWSAccelerator-Pipeline when a new account is added to the accounts-config.yaml file. Two AWS Step Functions state machines handle this workflow: one for AWS Control Tower-based landing zones and the other for AWS Organizations-based landing zones.

  4. The state machines have access to DynamoDB tables that contain stateful information about the multi-account environment. This allows the underlying Lambda functions to validate the environment and store the environment’s state in the DynamoDB tables.

  5. The state machines initiate the account creation process if a new account is added to the solution configuration. The account creation workflow is dependent on the type of landing zone that the solution has been deployed to. For AWS Control Tower-based landing zones, the solution leverages the Control Tower Account Factory Service Catalog portfolio to provision a new account. For AWS Organizations-based landing zones, the Organizations API invokes account creation. We provide configuration toggles to differentiate the type of landing zone in the global-config.yaml file.

Note

Account creation is an asynchronous process, so the state machine workflow is used to periodically check the status of the Account Factory or Organizations-based account creation. As such, the state machine pauses the pipeline stage progression until the account creation succeeds or fails. 
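The event-driven part of the workflow (steps 1 and 2) can be sketched as a Lambda-style handler. The following is an added example and not code from Landing Zone Accelerator on AWS: it reacts to Control Tower lifecycle events in the documented EventBridge shape (source `aws.controltower`, `detail.eventName`, `detail.serviceEventDetails`), attaches a quarantine SCP when a `CreateManagedAccount` event reports `SUCCEEDED`, and checks a `RegisterOrganizationalUnit` event against a known-good OU map standing in for the DynamoDB table. The Organizations client is injected so the example runs offline; the SCP id and the sample events are constructed, and in a real function the client would be boto3's `client("organizations")`.

```python
# Added example, not code from Landing Zone Accelerator on AWS: a minimal
# Lambda-style handler for AWS Control Tower lifecycle events delivered by
# EventBridge. It models the two reactions the page describes: attaching a
# quarantine SCP to a newly enrolled account and checking OU changes against
# a known-good state. The AWS client is injected so the example runs offline.

# Constructed placeholder policy id; a real deployment would read the
# quarantine SCP id from configuration (assumption, not the solution's key).
QUARANTINE_SCP_ID = "p-quarantine0"


def new_account_id(event):
    """Return the account id from a successful CreateManagedAccount event, else None."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")


def attach_quarantine_scp(event, organizations):
    """Attach the quarantine SCP to the new account; returns the account id or None."""
    account_id = new_account_id(event)
    if account_id is None:
        return None
    # boto3's Organizations client exposes attach_policy(PolicyId=..., TargetId=...)
    organizations.attach_policy(PolicyId=QUARANTINE_SCP_ID, TargetId=account_id)
    return account_id


def ou_from_event(event):
    """Return (ou_id, ou_name) from a successful RegisterOrganizationalUnit event, else None."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "RegisterOrganizationalUnit":
        return None
    status = detail.get("serviceEventDetails", {}).get("registerOrganizationalUnitStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    ou = status.get("organizationalUnit", {})
    return ou.get("organizationalUnitId"), ou.get("organizationalUnitName")


def detect_ou_drift(event, known_ous):
    """Compare the OU in the event with the known-good map {ou_id: ou_name}.

    Returns a drift record, or None when the event matches the known state or
    is not an OU registration event.
    """
    found = ou_from_event(event)
    if found is None:
        return None
    ou_id, ou_name = found
    expected = known_ous.get(ou_id)
    if expected is None:
        return {"ouId": ou_id, "reason": "OU not present in known-good state"}
    if expected != ou_name:
        return {"ouId": ou_id, "reason": f"OU name drift: expected {expected!r}, got {ou_name!r}"}
    return None


class RecordingOrganizations:
    """Offline stand-in for the Organizations client; records attach_policy calls."""

    def __init__(self):
        self.calls = []

    def attach_policy(self, PolicyId, TargetId):
        self.calls.append((PolicyId, TargetId))


def constructed_event(event_name, service_event_details):
    """Build a constructed lifecycle event in the documented EventBridge shape."""
    return {
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {"eventName": event_name, "serviceEventDetails": service_event_details},
    }


if __name__ == "__main__":
    orgs = RecordingOrganizations()
    created = constructed_event("CreateManagedAccount", {"createManagedAccountStatus": {
        "account": {"accountName": "Workload1", "accountId": "111111111111"},
        "organizationalUnit": {"organizationalUnitName": "Workloads", "organizationalUnitId": "ou-exmp-11111111"},
        "state": "SUCCEEDED"}})
    print(attach_quarantine_scp(created, orgs), orgs.calls)
    registered = constructed_event("RegisterOrganizationalUnit", {"registerOrganizationalUnitStatus": {
        "organizationalUnit": {"organizationalUnitName": "Sandbox", "organizationalUnitId": "ou-exmp-22222222"},
        "state": "SUCCEEDED"}})
    print(detect_ou_drift(registered, {"ou-exmp-11111111": "Workloads"}))
```

The handler only acts on events whose `state` is `SUCCEEDED`; a failed or in-progress enrollment must not receive the SCP, and an OU that is absent from the known-good map is reported as drift rather than silently accepted.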

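The Organizations-based creation path (step 5) together with the asynchronous status polling described in the note can be shown end to end. This is an added example and not code from Landing Zone Accelerator on AWS: it starts account creation with `create_account`, then polls `describe_create_account_status` until the request reaches `SUCCEEDED` or `FAILED`, which is the decision the state machine makes before the pipeline stage is allowed to continue. The client is injected so the example runs offline; a real function would pass boto3's `client("organizations")`, and the request id, account id and e-mail addresses below are constructed.

```python
# Added example, not code from Landing Zone Accelerator on AWS: the
# Organizations-based account creation path with the asynchronous status
# polling the page says the state machine performs. The Organizations client
# is injected so the example runs offline; the create_account and
# describe_create_account_status calls keep their real request/response shapes.
import time

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def start_account_creation(organizations, email, name):
    """Kick off account creation and return the request id to poll."""
    resp = organizations.create_account(Email=email, AccountName=name)
    return resp["CreateAccountStatus"]["Id"]


def wait_for_account(organizations, request_id, max_polls=30, interval=10, sleep=time.sleep):
    """Poll until the request reaches a terminal state or max_polls is exhausted.

    Returns a dict with state, accountId and failureReason (None when not
    applicable). A bounded poll count keeps a stuck request from blocking forever.
    """
    for _ in range(max_polls):
        status = organizations.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state in TERMINAL_STATES:
            return {"state": state,
                    "accountId": status.get("AccountId"),
                    "failureReason": status.get("FailureReason")}
        sleep(interval)
    return {"state": "TIMED_OUT", "accountId": None,
            "failureReason": f"no terminal state after {max_polls} polls"}


def provision(organizations, email, name, sleep=time.sleep):
    """Start creation, then block until a terminal state, as the state machine does."""
    request_id = start_account_creation(organizations, email, name)
    return wait_for_account(organizations, request_id, sleep=sleep)


class FakeOrganizations:
    """Offline stand-in: reports IN_PROGRESS for `pending_polls` calls, then a final state."""

    def __init__(self, pending_polls, final_state, account_id="222222222222", failure_reason=None):
        self.pending_polls = pending_polls
        self.final_state = final_state
        self.account_id = account_id
        self.failure_reason = failure_reason
        self.polls = 0

    def create_account(self, Email, AccountName):
        # Constructed request id in the car-<hex> shape used by Organizations
        return {"CreateAccountStatus": {"Id": "car-exmp0000000000000000000000000",
                                        "AccountName": AccountName, "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1
        if self.polls <= self.pending_polls:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}}
        status = {"Id": CreateAccountRequestId, "State": self.final_state}
        if self.final_state == "SUCCEEDED":
            status["AccountId"] = self.account_id
        else:
            status["FailureReason"] = self.failure_reason
        return {"CreateAccountStatus": status}


if __name__ == "__main__":
    no_wait = lambda _seconds: None  # skip real sleeping in the demo
    ok = FakeOrganizations(pending_polls=2, final_state="SUCCEEDED")
    print(provision(ok, "workload1@example.com", "Workload1", sleep=no_wait))
    bad = FakeOrganizations(pending_polls=1, final_state="FAILED", failure_reason="EMAIL_ALREADY_EXISTS")
    print(provision(bad, "dup@example.com", "Dup", sleep=no_wait))
```

Only `SUCCEEDED` yields an account id; a `FAILED` result carries the `FailureReason` the API returns, and the caller decides whether the pipeline stage proceeds or stops, which is the pause behaviour the note describes.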
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.