Prerequisites - Landing Zone Accelerator on AWS

Prerequisites

To launch the Landing Zone Accelerator on AWS solution, verify the following:

  • The account used to launch the solution is allowed to access AWS GovCloud (US) Regions.

  • You're authorized to create accounts in the AWS GovCloud (US) Regions. For more information on the AWS GovCloud (US) Regions, refer to the AWS GovCloud (US) User Guide.

  • You have an account in an AWS GovCloud (US) Region that's paired with a management account of an organization in a standard AWS Region.

Before deploying the Landing Zone Accelerator on AWS, activate AWS Control Tower and AWS Organizations. AWS Control Tower is strongly recommended if deploying to a Region where it’s supported.

Important

The default configuration for Landing Zone Accelerator on AWS creates an OU named Infrastructure. We built this OU for core infrastructure workload accounts that you can add to your organization, such as central networking and shared services. Before running the Core pipeline, either create the Infrastructure OU or modify the organization-config.yaml configuration file to represent your landing zone base configuration. See Adding an Organizational Unit for more information.

If you want to deploy to an existing multi-account environment, see Working with existing landing zones for additional considerations before deploying the solution.

For an AWS Control Tower-based installation (recommended)

  1. Create required accounts as documented in Step 1 of Option 1.

  2. Invite the accounts into your Organization as detailed in the AWS Control Tower section of the AWS GovCloud (US) User Guide.

To set up AWS Control Tower, refer to Getting started with AWS Control Tower in the AWS Control Tower User Guide.

Note

We recommend creating an AWS KMS customer managed key before deploying your landing zone. This AWS KMS key is used by services that AWS Control Tower manages to apply encryption at rest to sensitive log files.

For more information on activating encryption for AWS Control Tower, see Configure your shared accounts and encryption. When configuring your KMS key policy, remember that AWS GovCloud (US) ARNs differ from those in other AWS Regions.
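The ARN difference noted above is the partition segment: ARNs in the AWS GovCloud (US) Regions begin with arn:aws-us-gov: rather than arn:aws:. A key policy drafted against the commercial-Region examples and pasted into a GovCloud account therefore grants nothing to the intended principals, or leaves a condition that never matches. The following Python script is an added example, not part of this guide or of the solution's code: it walks a key policy document, collects every ARN (principals, resources and condition values alike) and reports those whose partition does not match the Region the key will live in. The policy, the account ID 111111111111 and the role name ExampleLogArchiveRole are constructed placeholders.

```python
"""Flag ARNs in a KMS key policy whose partition does not match the target Region.

Added example: checks a policy document offline before it is applied with
`aws kms put-key-policy` or a CloudFormation template.
"""
import json
import re
from typing import Iterator

# arn:partition:service:region:account:resource  (region/account may be empty or "*")
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def partition_for_region(region: str) -> str:
    """Return the ARN partition that Regions with the given name belong to."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def iter_arns(node) -> Iterator[str]:
    """Yield every string that looks like an ARN anywhere in a JSON-like document.

    Principals, Resource entries and Condition values are all covered because
    the walk is structural rather than keyed on specific policy fields.
    """
    if isinstance(node, str):
        if node.startswith("arn:"):
            yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_arns(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_arns(value)


def find_partition_mismatches(policy: dict, target_region: str) -> list[str]:
    """Return the ARNs in `policy` that are malformed or use the wrong partition."""
    expected = partition_for_region(target_region)
    mismatches = []
    for arn in iter_arns(policy):
        match = ARN_RE.match(arn)
        if match is None or match.group("partition") != expected:
            mismatches.append(arn)
    return mismatches


# Constructed sample: a Control Tower style key policy written for a commercial
# Region and then reused in a GovCloud account. Only the first statement was
# updated to the aws-us-gov partition; the other two still carry "arn:aws:".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws-us-gov:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    # Condition never matches in GovCloud: the trail ARN there is arn:aws-us-gov:...
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            },
        },
        {
            "Sid": "Allow the log archive role to decrypt",
            "Effect": "Allow",
            # Placeholder role name; this principal does not exist in the aws partition.
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/ExampleLogArchiveRole"},
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
    ],
}


if __name__ == "__main__":
    region = "us-gov-west-1"
    bad = find_partition_mismatches(SAMPLE_POLICY, region)
    print(f"Expected partition for {region}: {partition_for_region(region)}")
    print(json.dumps(bad, indent=2))
```

Run it as a pre-deployment check against the policy you intend to apply; a non-empty list means at least one principal, resource or condition value still points at a different partition. The Service principals (for example cloudtrail.amazonaws.com) are not ARNs and are unchanged in AWS GovCloud (US), so the walk ignores them.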

Follow the procedure to set up AWS Control Tower in an existing organization. Specify the two existing accounts, which you've already created in Step 1 of Option 1 and just invited to your organization, as your audit and log archive accounts.

If you’re deploying a new AWS Control Tower landing zone, you can add the prerequisite Infrastructure OU during the initial setup wizard. By default, the landing zone deploys with an additional Sandbox OU. You can rename this OU to Infrastructure if desired. Alternatively, you can create the Infrastructure OU after the landing zone is provisioned.

For more information about customizing the additional OU created during Control Tower setup, see Step 2b. Configure your organizational units (OUs) in the AWS Control Tower User Guide.