Prerequisites - Landing Zone Accelerator on AWS


You must meet the following prerequisites before launching the stack.

Activate a multi-account management solution

Before deploying the Landing Zone Accelerator on AWS, activate AWS Control Tower or AWS Organizations. AWS Control Tower is strongly recommended if deploying to a Region where it's supported.


The default configuration for Landing Zone Accelerator on AWS assumes that an OU named Infrastructure was created. We built this OU for core infrastructure workload accounts that you can add to your organization, such as central networking or shared services. Before running the Core pipeline, either create the Infrastructure OU or modify the organization-config.yaml configuration file to represent your landing zone base configuration. See Adding an Organizational Unit (OU) for more information.

If you want to deploy to an existing multi-account environment, see Working with existing landing zones for additional considerations before deploying the solution.

To set up AWS Control Tower, refer to Getting started with AWS Control Tower in the AWS Control Tower User Guide.


If you're using AWS Control Tower, we strongly recommend creating an AWS KMS customer managed key before deploying your landing zone. This AWS KMS key is used by services that AWS Control Tower manages to apply encryption at rest to sensitive log files.

For more information on activating encryption for AWS Control Tower, see Configure your shared accounts and encryption.

If you’re deploying a new AWS Control Tower landing zone, you can add the prerequisite Infrastructure OU during the initial setup wizard. By default, the landing zone deploys with an additional Sandbox OU. You can rename this OU to Infrastructure if desired. Alternatively, you can create the Infrastructure OU after the landing zone is provisioned.

For more information about customizing the additional OU created during Control Tower setup, see Step 2b. Configure your organizational units (OUs) in the Control Tower User Guide.

For AWS Organizations based installation (without AWS Control Tower)

To set up AWS Organizations, refer to Getting started with AWS Organizations in the AWS Organizations User Guide.

Ensure the Mandatory accounts are created. The Landing Zone Accelerator on AWS requires these three accounts at minimum to successfully deploy to your environment.

For more information on managing accounts in an AWS Organization, refer to Managing the AWS accounts in your organization in the AWS Organizations User Guide.

Update AWS CodeBuild concurrency quota

Follow this procedure to check your current CodeBuild concurrency quota.

  1. Navigate to the Service Quotas console in the account and Region for which you will deploy the Landing Zone Accelerator on AWS solution.

  2. In the navigation pane, choose AWS services.

  3. Search for and then select AWS CodeBuild.

  4. Select Concurrently running builds for Linux/Large environment.

  5. If the value under Applied quota value is less than 3, select the quota link. Otherwise, skip the remaining steps.

  6. Choose Request increase at account-level. In the Increase quota value box, enter 3 or more as the new quota value.

  7. Choose Request. Ensure this quota increase request has been approved prior to deploying the solution. You can view your request status by choosing Quota request history in the navigation sidebar.
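The same decision can be scripted. The following is an added example, not part of the solution or of AWS's documentation; it assumes the Service Quotas API reports the quota under the same name the console shows, and the quota code in the sample data is a placeholder.

```python
QUOTA_NAME = "Concurrently running builds for Linux/Large environment"
REQUIRED = 3
OPEN_STATUSES = {"PENDING", "CASE_OPENED"}  # request filed, not yet approved


def quota_readiness(quotas, requests):
    """Return (state, quota_code) from Service Quotas API-shaped dicts.

    quotas:   items from list_service_quotas(ServiceCode="codebuild")
    requests: items from the quota's requested-change history
    """
    quota = next((q for q in quotas if q["QuotaName"] == QUOTA_NAME), None)
    if quota is None:
        return "quota-not-found", None
    code = quota["QuotaCode"]
    if quota["Value"] >= REQUIRED:
        return "ready", code                      # step 5: nothing to do
    for req in requests:
        if (req["QuotaCode"] == code and req["Status"] in OPEN_STATUSES
                and req["DesiredValue"] >= REQUIRED):
            return "increase-pending", code       # step 7: wait for approval
    return "request-increase", code               # step 6: file the request


def check_account(region):
    """Live check; needs boto3 and credentials for the deployment account."""
    import boto3  # imported here so the logic above runs without the SDK
    sq = boto3.client("service-quotas", region_name=region)
    pages = sq.get_paginator("list_service_quotas").paginate(ServiceCode="codebuild")
    quotas = [q for page in pages for q in page["Quotas"]]
    state, code = quota_readiness(quotas, [])
    if state == "request-increase":
        history = sq.list_requested_service_quota_change_history_by_quota(
            ServiceCode="codebuild", QuotaCode=code)["RequestedQuotas"]
        state, code = quota_readiness(quotas, history)
    return state, code


# Constructed sample data; "L-EXAMPLE1" is a placeholder quota code.
SAMPLE_QUOTAS = [{"QuotaName": QUOTA_NAME, "QuotaCode": "L-EXAMPLE1", "Value": 1.0}]
SAMPLE_HISTORY = [{"QuotaCode": "L-EXAMPLE1", "Status": "PENDING", "DesiredValue": 3.0}]

if __name__ == "__main__":
    print(quota_readiness(SAMPLE_QUOTAS, SAMPLE_HISTORY))
```

Run check_account in the account and Region where the solution will be deployed; only the "ready" state satisfies the prerequisite.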

Ensure your global Region is accessible

Some AWS services and features apply configurations to your accounts at a global level rather than a regional level. In addition to the Regions that you enable in the solution configuration files, this solution requires access to the Region where global service API endpoints are hosted. The global Region depends on the AWS partition you will be deploying the solution to.

AWS partitions and their corresponding global Region

AWS Partition Global Region
Standard (aws)


GovCloud US (aws-us-gov)


China (aws-cn)



Ensure that you don’t have any existing AWS Organizations service control policies and/or Control Tower Region deny settings configured in your environment that would block access to the global Region listed above. You might experience Core pipeline failures if you do not allow access to this Region.
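One way to review existing service control policies for this condition, as an added example that is not part of the solution: it flags Deny statements whose aws:RequestedRegion condition covers a given Region. The Region names in the sample policy are placeholders, and statements it returns still need manual review because other condition keys (for example principal exemptions) are not evaluated.

```python
import json
from fnmatch import fnmatchcase

NEGATED = {"StringNotEquals", "StringNotEqualsIgnoreCase", "StringNotLike"}
POSITIVE = {"StringEquals", "StringEqualsIgnoreCase", "StringLike"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(op, pattern, region):
    if op.endswith("Like"):
        return fnmatchcase(region, pattern)      # "*" and "?" wildcards
    if op.endswith("IgnoreCase"):
        return pattern.lower() == region.lower()
    return pattern == region


def _region_condition_applies(stmt, region):
    """True if a RequestedRegion condition makes the statement cover `region`."""
    for raw_op, keys in stmt.get("Condition", {}).items():
        op = raw_op.split(":")[-1]               # drop ForAnyValue:/ForAllValues:
        if op.endswith("IfExists"):
            op = op[: -len("IfExists")]
        for key, values in keys.items():
            if key.lower() != "aws:requestedregion":
                continue
            listed = any(_matches(op, v, region) for v in _as_list(values))
            if (op in NEGATED and not listed) or (op in POSITIVE and listed):
                return True
    return False


def deny_statements_covering(policy_json, region):
    """Return [(Sid, exempted NotAction list)] for Deny statements to review."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [(s.get("Sid", "<no Sid>"), _as_list(s.get("NotAction", [])))
            for s in statements
            if s.get("Effect") == "Deny" and _region_condition_applies(s, region)]


# Constructed SCP; Region names are placeholders, not real AWS Regions.
SAMPLE_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideHome", "Effect": "Deny", "NotAction": ["iam:*"],
     "Resource": "*", "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["example-home-1"]}}},
    {"Sid": "DenyOneRegion", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "example-other-1"}}},
]})
```

Feed it the Content field returned by `aws organizations describe-policy` for each service control policy, passing the global Region for your partition as `region`.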

Create a GitHub personal access token and store in Secrets Manager

You require a GitHub access token to access the Landing Zone Accelerator on AWS code repository. Instructions on how to create a personal access token are located on GitHub Docs.


The GitHub access token must have public_repo permissions.

Store the personal access token in Secrets Manager as plain text. Name the secret accelerator/github-token (case sensitive).

With the AWS Management Console:

  1. Store a new secret, and select Other type of secrets, Plaintext.

  2. Paste your secret with no formatting and no leading or trailing spaces (completely remove the example text).

  3. Select an encryption key.

  4. Set the secret name to accelerator/github-token (case sensitive).

  5. Select Disable rotation.
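To confirm the stored secret matches these requirements, the check below can be run against the secret after it is created. It is an added example, not part of the solution; the sample responses and token strings are constructed placeholders, and the function reports problems without printing the secret value.

```python
import json

SECRET_NAME = "accelerator/github-token"  # case sensitive, from the steps above


def secret_problems(response):
    """Check a Secrets Manager get_secret_value response for the page's rules."""
    problems = []
    if response.get("Name") != SECRET_NAME:
        problems.append("name must be exactly " + SECRET_NAME)
    value = response.get("SecretString")
    if value is None:
        return problems + ["stored as binary, not plain text"]
    if any(ch.isspace() for ch in value):
        problems.append("value contains whitespace")
    try:
        # Leftover example text or key/value mode leaves a JSON document.
        if isinstance(json.loads(value), (dict, list)):
            problems.append("value is JSON, not a bare plain-text token")
    except ValueError:
        pass  # not JSON, which is what a bare token looks like
    return problems


def check_live(region):
    """Live check; needs boto3 and permission to read the secret."""
    import boto3  # imported here so secret_problems runs without the SDK
    client = boto3.client("secretsmanager", region_name=region)
    return secret_problems(client.get_secret_value(SecretId=SECRET_NAME))


# Constructed sample responses; the token strings are placeholders.
GOOD = {"Name": "accelerator/github-token",
        "SecretString": "EXAMPLE-TOKEN-NOT-REAL"}
BAD = {"Name": "Accelerator/GitHub-Token",
       "SecretString": '{"token": "EXAMPLE-TOKEN-NOT-REAL"}\n'}

if __name__ == "__main__":
    print(secret_problems(GOOD), secret_problems(BAD))
```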