Mandatory accounts - Landing Zone Accelerator on AWS

Mandatory accounts

The Landing Zone Accelerator on AWS builds on top of an existing AWS Control Tower or AWS Organizations multi-account structure. If you use AWS Control Tower, the solution reuses the initial accounts that deploying the Control Tower landing zone creates. If you use AWS Organizations on its own (for example, in a Region where AWS Control Tower is not available), you must create the following mandatory accounts before deploying the solution:

  • Management account – This account is designated when you first create an AWS Organization. It is a privileged account where all AWS Organizations global configuration management and billing consolidation occurs. Because service control policies do not restrict the management account, keep workloads out of it and tightly limit human access to it.

  • LogArchive account – This account is used for centralized logging of AWS service logs and AWS CloudTrail trails.

  • Audit account – This account is used to centralize security operations and management activities. It is typically registered as the delegated administrator for centralized security services such as Amazon Macie, Amazon GuardDuty, and AWS Security Hub, so that day-to-day security operations run from the Audit account rather than from the management account.
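The following is an added example, not code from the Landing Zone Accelerator project: a pre-flight check that a practitioner can run against an accounts configuration before deploying. The `config` dict mirrors the top-level shape of the solution's accounts configuration (a `mandatoryAccounts` list and a `workloadAccounts` list with `name`, `email` and `organizationalUnit` keys); the sample accounts, the `Security` and `Infrastructure` OU names, and the expectation that LogArchive and Audit live outside the Root OU are assumptions made for this example. The organization-side data has the shape returned by `organizations:ListAccounts` (`Name`, `Email`, `Status`) and is constructed inline so the check runs offline.

```python
"""Pre-flight check for the three mandatory accounts of an LZA-style accounts config.

Added example, not Landing Zone Accelerator project code. The config dict
mirrors the shape of accounts-config.yaml; sample data and OU names are assumed.
"""

MANDATORY = ("Management", "LogArchive", "Audit")

# Constructed sample config: the three mandatory accounts plus one workload account.
SAMPLE_CONFIG = {
    "mandatoryAccounts": [
        {"name": "Management", "email": "management@example.com", "organizationalUnit": "Root"},
        {"name": "LogArchive", "email": "log-archive@example.com", "organizationalUnit": "Security"},
        {"name": "Audit", "email": "audit@example.com", "organizationalUnit": "Security"},
    ],
    "workloadAccounts": [
        {"name": "SharedServices", "email": "shared-services@example.com",
         "organizationalUnit": "Infrastructure"},
    ],
}

# Constructed sample of what organizations:ListAccounts would return (Name, Email, Status).
SAMPLE_ORG_ACCOUNTS = [
    {"Name": "Management", "Email": "management@example.com", "Status": "ACTIVE"},
    {"Name": "LogArchive", "Email": "log-archive@example.com", "Status": "ACTIVE"},
    {"Name": "Audit", "Email": "audit@example.com", "Status": "ACTIVE"},
    {"Name": "SharedServices", "Email": "shared-services@example.com", "Status": "ACTIVE"},
]

# Constructed broken config: Audit missing, LogArchive reusing the management
# email (case differs), and LogArchive placed in Root.
BROKEN_CONFIG = {
    "mandatoryAccounts": [
        {"name": "Management", "email": "management@example.com", "organizationalUnit": "Root"},
        {"name": "LogArchive", "email": "Management@example.com", "organizationalUnit": "Root"},
    ],
    "workloadAccounts": [],
}


def check_mandatory_accounts(config):
    """Return a list of problems with the config (empty list means it looks sane)."""
    problems = []
    mandatory = config.get("mandatoryAccounts", [])
    workload = config.get("workloadAccounts", [])
    names = [a["name"] for a in mandatory]

    # Each mandatory account must appear exactly once under mandatoryAccounts.
    for required in MANDATORY:
        count = names.count(required)
        if count != 1:
            problems.append(f"{required}: expected exactly one entry, found {count}")

    # Anything else under mandatoryAccounts is misplaced.
    for extra in sorted(set(names) - set(MANDATORY)):
        problems.append(f"{extra}: not a mandatory account, move it to workloadAccounts")

    # Every AWS account needs its own root email; compare case-insensitively.
    emails = [a["email"].strip().lower() for a in mandatory + workload]
    for email in sorted(set(emails)):
        if emails.count(email) > 1:
            problems.append(f"{email}: used by more than one account")

    # Assumption for this example: LogArchive and Audit sit in a dedicated OU
    # (not Root) so service control policies apply to them.
    ou_of = {a["name"]: a.get("organizationalUnit") for a in mandatory}
    for name in ("LogArchive", "Audit"):
        if ou_of.get(name) == "Root":
            problems.append(f"{name}: expected a dedicated OU (e.g. Security), found Root")

    return problems


def compare_with_organization(config, org_accounts, management_email=None):
    """Check that each mandatory account exists and is ACTIVE in the organization.

    org_accounts has the shape of organizations:ListAccounts entries. If
    management_email (from organizations:DescribeOrganization) is given, the
    config's Management entry must match it.
    """
    problems = []
    by_email = {a["Email"].strip().lower(): a for a in org_accounts}
    for acct in config.get("mandatoryAccounts", []):
        email = acct["email"].strip().lower()
        org = by_email.get(email)
        if org is None:
            problems.append(f"{acct['name']}: no account with email {acct['email']} in the organization")
        elif org["Status"] != "ACTIVE":
            problems.append(f"{acct['name']}: account status is {org['Status']}")
        if acct["name"] == "Management" and management_email is not None \
                and email != management_email.strip().lower():
            problems.append("Management: config email does not match the organization's management account")
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_mandatory_accounts(cfg) or "ok")
    print("organization", compare_with_organization(SAMPLE_CONFIG, SAMPLE_ORG_ACCOUNTS) or "ok")
```

In a real deployment, `SAMPLE_ORG_ACCOUNTS` would be replaced by the paginated result of `organizations:ListAccounts` and `management_email` by the `MasterAccountEmail` field from `organizations:DescribeOrganization`, both called from the management account; the checks themselves stay the same.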