Opt-in Regions - Landing Zone Accelerator on AWS

Opt-in Regions

We built the opt-in Region configuration to help customers use the Landing Zone Accelerator on AWS solution in opt-in Regions.

Note

Not all AWS services are available in all Regions, including the AWS opt-in Regions. We update our AWS Regional Services list daily with which services are available in which Regions.

You must initially launch Landing Zone Accelerator on AWS in a Region where CodeCommit, AWS CodeBuild, and AWS CodePipeline are available. This will deploy the default resources that are depicted in the Architecture overview.

The following installation instructions use opt-in AWS Regions. Following these instructions deploys the default resources into the management account for items 1–8 of the architecture diagram. Items 9–10 of the architecture diagram, centralized logging and workload accounts, deploy in the opt-in (target) AWS Region.

Note

While the Landing Zone Accelerator on AWS solution can help you align with frameworks and best practices, customers are responsible for their own security and compliance practices.

Prerequisites

To launch the Landing Zone Accelerator on AWS solution into opt-in AWS Regions, verify that the user who launches the solution can:

Architecture

Figure: Landing Zone Accelerator on AWS architecture in opt-in (Target) Regions

Deployment

Using an opt-in Region as the target Region

Deploying this solution with the default parameters builds the environment depicted in the previous figure. The default parameters use the Home Region for the Landing Zone Accelerator on AWS Core pipeline and the Target Region for centralized logging.

Step 1. Deploy the solution in your AWS Management account

  1. Identify the Home Region that you want to use. This Region must have CodeCommit, AWS CodeBuild, and CodePipeline availability.

    Note

    Two main factors contribute to which Region to select as your Home Region: latency and cost. Choosing an AWS Region with close proximity to your user base location can achieve lower network latency. AWS services are priced differently from one Region to another.

  2. Prepare for an AWS Organizations-based installation (without AWS Control Tower). Use the following notes to guide you:

    • For a new environment, set up AWS Organizations.

    • Create a LogArchive account and an Audit/Security Tooling account.

    • Create a Security OU and Infrastructure OU.

  3. Set up Landing Zone Accelerator on AWS in your AWS standard account.

Step 2. Allow your desired opt-in AWS Regions for all accounts

  1. Sign in to your management account.

  2. Allow the Regions you want to use.

    Note

    When you allow a Region, AWS prepares your account in that Region, such as by distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but it can take several hours. You can’t use the Region until this process is complete.

  3. Log in to the LogArchive and Audit/Security Tooling accounts to repeat the actions to allow the opt-in Regions that you want to use.

Step 3. Update the configuration file in your AWS Management account

  1. Using your management account, update the global-config.yaml file to list the new Region under the enabledRegions option, as shown in the following sample. In the sample, Europe (London) (eu-west-2) is the home Region and Middle East (Bahrain) (me-south-1) is the opt-in (target) Region:

    homeRegion: eu-west-2
    enabledRegions:
      - eu-west-2
      - me-south-1

  2. Using your management account, update the global-config.yaml file to list the opt-in Region under the centralizedLoggingRegion option, as shown in the following sample:

    logging:
      account: LogArchive
      centralizedLoggingRegion: me-south-1
      cloudtrail:
        enable: true
        organizationTrail: true
        organizationTrailSettings:
          multiRegionTrail: true
          globalServiceEvents: true
          managementEvents: true
          s3DataEvents: true
          lambdaDataEvents: true
          sendToCloudWatchLogs: true
          apiErrorRateInsight: false
          apiCallRateInsight: false
        accountTrails: []
        lifecycleRules: []
      sessionManager:
        sendToCloudWatchLogs: false
        sendToS3: false
        excludeRegions: []
        excludeAccounts: []
        lifecycleRules: []
        attachPolicyToIamRoles: []

  3. After the commit, confirm that the pipeline runs successfully.
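The pipeline only succeeds if every Region listed under enabledRegions has finished being allowed in every account (Step 2) and the home and centralized logging Regions are both listed (Step 3). The following pre-flight check is an added example, not code from the solution or this page; it encodes those constraints over the page's sample configuration. The per-account opt status table is constructed sample data shaped like the RegionOptStatus values the AWS Account Management ListRegions API returns, and the function names are this example's own.

```python
"""Pre-flight checks for an LZA global-config.yaml that targets an opt-in Region."""
from typing import Dict, List

# Region opt status per account, using the RegionOptStatus values reported by the
# Account Management ListRegions API (ENABLED, ENABLED_BY_DEFAULT, ENABLING,
# DISABLING, DISABLED). These values are constructed sample data, not real accounts.
REGION_STATUS_BY_ACCOUNT: Dict[str, Dict[str, str]] = {
    "Management": {"eu-west-2": "ENABLED_BY_DEFAULT", "me-south-1": "ENABLED"},
    "LogArchive": {"eu-west-2": "ENABLED_BY_DEFAULT", "me-south-1": "ENABLING"},
    "Audit": {"eu-west-2": "ENABLED_BY_DEFAULT", "me-south-1": "DISABLED"},
}

# The relevant parts of the page's global-config.yaml sample, as yaml.safe_load()
# would return them (PyYAML is the assumed loader; see load_global_config below).
SAMPLE_CONFIG = {
    "homeRegion": "eu-west-2",
    "enabledRegions": ["eu-west-2", "me-south-1"],
    "logging": {"account": "LogArchive", "centralizedLoggingRegion": "me-south-1"},
}

USABLE = ("ENABLED", "ENABLED_BY_DEFAULT")


def load_global_config(path: str) -> dict:
    """Load global-config.yaml with PyYAML (assumed to be installed where this runs)."""
    import yaml  # imported lazily so the checks below run without PyYAML
    with open(path, "r", encoding="utf-8") as handle:
        return yaml.safe_load(handle)


def check_global_config(config: dict, status_by_account: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the config is ready to commit."""
    findings: List[str] = []
    enabled = config.get("enabledRegions") or []
    home = config.get("homeRegion")
    if home not in enabled:
        findings.append(f"homeRegion {home} must also be listed under enabledRegions")
    log_region = (config.get("logging") or {}).get("centralizedLoggingRegion")
    if log_region not in enabled:
        findings.append(f"centralizedLoggingRegion {log_region} is not listed under enabledRegions")
    # Step 2 of the page: every target Region must be allowed in every account first.
    for account, statuses in status_by_account.items():
        for region in enabled:
            status = statuses.get(region, "DISABLED")
            if status not in USABLE:
                findings.append(f"{account}: {region} is {status}; allow it and wait until ENABLED")
    return findings


if __name__ == "__main__":
    for finding in check_global_config(SAMPLE_CONFIG, REGION_STATUS_BY_ACCOUNT):
        print(finding)
```

With the sample data above, the check reports that LogArchive is still ENABLING and Audit is DISABLED for me-south-1, which is exactly the state in which the pipeline run after the commit in step 3 would fail.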