AWS CDK Landing Zone

Reference

Deep dives into everything the AWS CDK Landing Zone deploys, including the deployment stacks and the StackSets that roll out the account baseline.

Complete reference for every component the landing zone deploys. Use this section to understand what a specific StackSet creates or how the deployment phases relate to each other.

Feature matrix

CapabilityTargets
AWS Organization, OUs, accountsManagement account
Trusted service access enablementManagement account (organization phase)
Organization policy type enablement (SCP, resource control, tag, backup, Inspector, Security Hub)Management account (organization phase)
Service Control PoliciesRoot, OUs, accounts
Delegated admin registration (Config, IAM, IAM Access Analyzer, StackSets, CloudTrail, GuardDuty, Security Hub, Inspector, Macie)Management account (organization phase)
GitHub Actions OIDC provider and deploy roleManagement + landing zone accounts
Alternate contactsAll accounts
Marketing email unsubscribeAll accounts
Organization stack output publishingManagement account
StackSet IAM rolesLanding zone account
Regional landing-zone asset bucketsLanding zone account, all regions
Log archive CloudTrail S3 bucketsLog archive account
Central CloudTrail SNS topicSecurity account
Organization CloudTrail trail (covers every account)Security account, primary region
IAM centralized root access (organization-wide)Security account (all member accounts)
IAM Access Analyzer organization external access analyzerSecurity account, all configured regions
Management-account secure defaultsManagement account
Account closure automationManagement account (organization phase)
CloudFormation drift detectionManagement + landing zone accounts
Secure defaults (delete default VPC, EBS encryption, default SG hardening, SSM service settings, password policy, S3 block public access)All member accounts, all configured regions
Organization trail with CIS alarmsSecurity account, primary region
Cost budgets and anomaly detectionAll member accounts, primary region
CDK bootstrap and asset cleanerDevelopment and Production OUs, all configured regions
Service quota increasesDevelopment, Production, and Security OUs, all regions
Security Hub, GuardDuty, Inspector, and Macie organization configurationSecurity account

Reference pages

PageWhat you'll find
StacksThe two account phases, what each stack owns, and the organization output contract between them
StackSetsAll 9 StackSets: purpose, resources created, composed constructs, and targets
ConstructsAll 24 account-baseline constructs: intent, props, and which StackSet ships each