Option 2: Deploy on new AWS GovCloud (US) accounts - Landing Zone Accelerator on AWS

Option 2: Deploy on new AWS GovCloud (US) accounts

Deploying the solution in this pattern allows users to have workloads in AWS GovCloud (US) Regions only. The standard Region (shown on the left of the architecture diagram) is used only to create the AWS GovCloud (US) accounts through Service Catalog.

Note

This deployment assumes that you want to limit your use of standard AWS Regions, and it includes steps to incorporate AWS Organizations SCPs that limit what the AWS standard accounts can do. If you also want to use standard AWS Regions (such as a US DoD customer that wants to run IL2 workloads in AWS US East/West Regions and IL4/IL5 workloads in AWS GovCloud [US] Regions through a shared AWS standard Management billing account), AWS recommends that you create new AWS standard accounts specifically for AWS standard Region usage.

Landing Zone Accelerator on AWS architecture – AWS GovCloud (US) account deployment

Step 1. Launch the stack

  1. Ensure that all prerequisites are complete. Ensure that you’ve set up AWS Organizations and that the account where the stack is launched can call the CreateGovCloudAccount API. See the section For AWS Organizations based installation (without AWS Control Tower) for more information.

  2. Sign in to the AWS Management Console of your organization’s management account and select the following button to launch the AWSAccelerator-GovCloudAccountVending AWS CloudFormation template.

    View template: AWSAccelerator-GovCloudAccountVending.template – Use this template to launch the AWS GovCloud (US) account vending component.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. We recommend you name your stack AWSAccelerator-GovCloudAccountVending to match the naming convention used for additional stacks that the solution creates. For information about naming character limitations, refer to IAM and STS quotas in the AWS Identity and Access Management User Guide.

  5. Choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

  8. Choose Create stack to deploy the stack.

Step 2. Use Service Catalog to launch the product

  1. In the AWS Management Console upper left section, select Services and then select Service Catalog.

  2. Ensure that the IAM principal you are signed in as has permissions to access the Landing Zone Accelerator on AWS portfolio. Refer to Grant Access to Users in the Service Catalog Administrator Guide.

  3. In the left-hand navigation menu, under Provisioning, choose Products.

  4. In Products, choose the Landing Zone Accelerator on AWS - GovCloud Account Vending product and then choose Launch product.

  5. In Provisioned product name, enter or generate a name (for example, Landing_Zone_Accelerator_GovCloud_Account_LogArchive).

  6. In Product versions, choose a version of the product (for example, v1.0.0).

  7. In Parameters, specify the following parameters:

    • Account Name – Name of account (for example, Accelerator Log Archive Account)

    • Account Email – Valid email address (for example, example+log-archive@amazon.com)

    • Organization Role Name – Name of the IAM role that AWS Organizations automatically pre-configures in the new member accounts in both the AWS GovCloud (US) Regions and in the standard Region (for example, OrganizationAccountAccessRole)

  8. Choose Launch product.

  9. On the Review page, review the configuration information, and select LAUNCH. This creates a CloudFormation stack. The initial status of the product is shown as Under change. Wait for about ten minutes, and then refresh the screen until the status changes to AVAILABLE.

Step 3. Get account IDs

  1. In the AWS Management Console upper left section, select Services and then select Service Catalog.

  2. In the left-hand navigation menu, under Provisioning, choose Provisioned products.

  3. In Provisioned Products, choose the product that you created in step 3.8.

  4. Choose Events.

  5. Under the Provisioned products output, get the GovCloudAccountId and AccountId, which correspond to the AWS GovCloud (US) account ID and standard account ID, respectively.
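The console steps in Step 2 and Step 3 can also be driven with the Service Catalog API. The following is an added example written for this page, not code from the Landing Zone Accelerator on AWS project: it validates the three launch parameters, launches the product, waits until the provisioned product leaves Under change, and reads GovCloudAccountId and AccountId back from the outputs. The product is located by the name shown on this page; the template parameter keys AccountName, AccountEmail and OrganizationRoleName are assumptions (check the template's Parameters section), and the product ID, record ID and account IDs in the comments are constructed placeholders.

```python
"""Launch the GovCloud account vending product and read back the account IDs
(Steps 2 and 3 of this page) with boto3. Added example, not LZA project code.
Assumed: parameter keys AccountName/AccountEmail/OrganizationRoleName;
output keys GovCloudAccountId/AccountId as the page states."""
import re
import time

PRODUCT_NAME = "Landing Zone Accelerator on AWS - GovCloud Account Vending"
OUTPUT_KEYS = {"govcloud": "GovCloudAccountId", "standard": "AccountId"}
# IAM role names: 1-64 characters from [A-Za-z0-9+=,.@_-] (documented IAM limit).
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
TERMINAL_FAILURE = {"ERROR", "TAINTED"}


def build_provisioning_parameters(account_name, account_email, role_name):
    """Validate the three launch parameters and shape them for provision_product."""
    if not account_name.strip():
        raise ValueError("Account Name must not be empty")
    if not EMAIL_RE.match(account_email):
        raise ValueError(f"Account Email is not a valid address: {account_email!r}")
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"Organization Role Name is not a valid IAM role name: {role_name!r}")
    return [  # Key values are assumed to match the template's parameter names
        {"Key": "AccountName", "Value": account_name},
        {"Key": "AccountEmail", "Value": account_email},
        {"Key": "OrganizationRoleName", "Value": role_name},
    ]


def find_product_id(sc, name=PRODUCT_NAME):
    """Resolve the product ID by display name; fails if the portfolio is not shared with us."""
    resp = sc.search_products(Filters={"FullTextSearch": [name]})
    for summary in resp.get("ProductViewSummaries", []):
        if summary.get("Name") == name:
            return summary["ProductId"]
    raise LookupError(f"product {name!r} not visible; check portfolio access (Step 2.2)")


def latest_artifact_id(sc, product_id):
    """Pick the newest product version (for example v1.0.0) by CreatedTime."""
    artifacts = sc.describe_product(Id=product_id)["ProvisioningArtifacts"]
    return max(artifacts, key=lambda a: a["CreatedTime"])["Id"]


def wait_until_available(sc, provisioned_product_id, poll_seconds=30,
                         timeout_seconds=1800, sleep=time.sleep):
    """Poll until the status is AVAILABLE; stop early on ERROR or TAINTED."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        detail = sc.describe_provisioned_product(Id=provisioned_product_id)["ProvisionedProductDetail"]
        status = detail["Status"]
        if status == "AVAILABLE":
            return status
        if status in TERMINAL_FAILURE:
            raise RuntimeError(f"provisioning ended in {status}: {detail.get('StatusMessage')}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"still {status} after {timeout_seconds}s")
        sleep(poll_seconds)


def extract_account_ids(outputs):
    """Map the provisioned product outputs to the GovCloud and standard account IDs."""
    values = {o["OutputKey"]: o["OutputValue"] for o in outputs}
    ids = {}
    for label, key in OUTPUT_KEYS.items():
        value = values.get(key)
        if value is None:
            raise KeyError(f"output {key} missing; provisioning may not have finished")
        if not ACCOUNT_ID_RE.match(value):
            raise ValueError(f"output {key} is not a 12-digit account ID: {value!r}")
        ids[label] = value
    return ids


def vend_govcloud_account(sc, provisioned_name, account_name, account_email,
                          role_name, sleep=time.sleep):
    """Steps 2 and 3 end to end: launch, wait for AVAILABLE, return both account IDs."""
    product_id = find_product_id(sc)
    record = sc.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=latest_artifact_id(sc, product_id),
        ProvisionedProductName=provisioned_name,
        ProvisioningParameters=build_provisioning_parameters(account_name, account_email, role_name),
    )["RecordDetail"]
    pp_id = record["ProvisionedProductId"]
    wait_until_available(sc, pp_id, sleep=sleep)
    outputs = sc.get_provisioned_product_outputs(ProvisionedProductId=pp_id)["Outputs"]
    return extract_account_ids(outputs)


if __name__ == "__main__":
    import boto3  # run from the organization's management account (standard partition)
    client = boto3.client("servicecatalog")
    print(vend_govcloud_account(client, "Landing_Zone_Accelerator_GovCloud_Account_LogArchive",
                                "Accelerator Log Archive Account",
                                "example+log-archive@amazon.com",
                                "OrganizationAccountAccessRole"))
```

Run it from the management account with a principal that has been granted access to the portfolio; the polling loop replaces the manual refresh in Step 2.9, and the returned dictionary holds the two IDs you would otherwise copy from the Events tab in Step 3.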

Step 4. Deploy the solution in your AWS GovCloud (US) Management account

Important

Ensure that the prerequisites have been completed.

  1. Log in to the AWS GovCloud (US) Management account.

  2. Deploy the solution by following Step 2 of Option 1.

  3. To add more accounts:

    1. Follow Step 2 and Step 3 of Option 2.

    2. Follow Step 4 of Option 1.