AWS CDK Landing Zone

A licensed, ready-made multi-account AWS environment built with CDK, giving you secure governance, automated baselines, and a version-controlled foundation you own.

Overview

The AWS CDK Landing Zone is a production-ready multi-account AWS environment delivered as a deployable CDK project. You get a fully wired AWS Organization with security guardrails, account baselines, and a CI/CD pipeline on day one, without building any of that plumbing yourself.

The foundation ships as two private packages through AWS CodeArtifact:

  • @towardsthecloud/cdk-landing-zone-foundation: organization management, GitHub OIDC, and StackSet prerequisites
  • @towardsthecloud/cdk-landing-zone-constructs: 22 single-purpose account-baseline constructs (CloudTrail, secure defaults, the security services, cost controls, and more)

Your organization-specific configuration lives in the cdk-landing-zone-starter repo you own and manage. Improvements to the underlying solution reach you as package releases: bump two version numbers, run pnpm exec projen, and redeploy.

[Diagram: Your Config (starter repo) and Private Packages (CodeArtifact: @towardsthecloud/cdk-landing-zone-foundation, @towardsthecloud/cdk-landing-zone-constructs) feed the Deployment Phases]

What it deploys

The landing zone rolls out in three ordered phases. Each phase builds on the previous one.

Stack                                What it creates
OrganizationStack                    AWS Organization, OUs, accounts, SCPs, GitHub OIDC provider, alternate contacts, SSM parameter publishing
LandingZoneFoundationStack           StackSet IAM roles, regional asset buckets, delegated admins, log archive, central alerts, management-account provisioning
LandingZoneAccountProvisioningStack  Account-baseline StackSets: secure defaults, CloudTrail, cost controls, CDK bootstrap, service quotas, and the unified security services (Security Hub, GuardDuty, Inspector, Macie)

One thing worth calling out: AWS Organizations starts every organization with a quota of 10 accounts, and a real multi-account setup reaches that ceiling fast. The landing zone handles this for you through the optional organizationAccountLimit setting, which files the AWS Organizations quota increase automatically during deployment. AWS does not approve these requests instantly (it usually takes a couple of days), so set it early if you already know you will need more accounts.

Why teams choose it

  • Zero manual account setup: every new account that joins an OU automatically receives all baseline StackSets
  • Version-controlled governance: organization structure, SCPs, and contacts are TypeScript you can code-review and roll back
  • Secure CI/CD from day one: GitHub Actions with OIDC, no long-lived AWS keys stored anywhere
  • Updates without rebuilding: bump the two pinned package versions and redeploy; the foundation improvements flow in
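The "no long-lived AWS keys" bullet rests on how tightly the GitHub OIDC role's trust policy is scoped. As an added example (not code from the landing-zone packages), this builds that trust policy pinned to one repository and one deploy branch, and reviews any policy for an unpinned audience or a repository wildcard in the subject; the provider ARN, repository and branch are constructed placeholders.

```typescript
// Added example, not code from the cdk-landing-zone packages: build the IAM trust
// policy for the GitHub Actions OIDC deploy role and review it for weak scoping.
const GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com";

interface TrustStatement {
  Effect: "Allow";
  Principal: { Federated: string };
  Action: "sts:AssumeRoleWithWebIdentity";
  Condition: {
    StringEquals?: Partial<Record<string, string>>;
    StringLike?: Partial<Record<string, string>>;
  };
}
interface TrustPolicy { Version: "2012-10-17"; Statement: TrustStatement[] }

// Trust only tokens minted for AWS STS from one repository and one deploy branch.
// providerArn, repo ("owner/name") and branch are supplied by the caller (placeholders).
function githubOidcTrustPolicy(providerArn: string, repo: string, branch: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providerArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: {
          [`${GITHUB_OIDC_ISSUER}:aud`]: "sts.amazonaws.com",
          [`${GITHUB_OIDC_ISSUER}:sub`]: `repo:${repo}:ref:refs/heads/${branch}`,
        },
      },
    }],
  };
}

// Review check: the audience must be pinned and the subject must name a single
// repository (a branch wildcard is tolerated, a repository wildcard is not).
function reviewTrustPolicy(policy: TrustPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((stmt, i) => {
    const eq = stmt.Condition.StringEquals ?? {};
    const like = stmt.Condition.StringLike ?? {};
    if (eq[`${GITHUB_OIDC_ISSUER}:aud`] !== "sts.amazonaws.com") {
      findings.push(`statement ${i}: audience is not pinned to sts.amazonaws.com`);
    }
    const sub: string | undefined = eq[`${GITHUB_OIDC_ISSUER}:sub`] ?? like[`${GITHUB_OIDC_ISSUER}:sub`];
    if (sub === undefined) {
      findings.push(`statement ${i}: no sub condition, so any GitHub repository could assume the role`);
    } else if (!/^repo:[^*:/]+\/[^*:/]+:/.test(sub)) {
      findings.push(`statement ${i}: sub "${sub}" is not scoped to a single repository`);
    }
  });
  return findings;
}
```

An empty findings list from reviewTrustPolicy means the role can only be assumed by workflows of the named repository presenting a token issued for AWS STS.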

Documentation map

Section        What you'll find
Install        Prerequisites, CodeArtifact whitelisting, first deployment (two phases), and CI/CD setup
Configuration  Every customer-editable file: settings, organization structure, SCPs, and contacts
Guides         Task-oriented walkthroughs: add an account, create an SCP, customize StackSets, set up GitHub Actions, and update versions
Reference      Deep dives into the three deployment stacks, all 9 StackSets, and the 22 account-baseline constructs

Ready to get started? Follow the Install guide.