Reference | AWS CDK Landing Zone

Complete reference for every component the landing zone deploys. Use this section to understand what a specific StackSet creates or how the three deployment phases relate to each other.

Feature matrix

Capability	Targets
AWS Organization, OUs, accounts	Management account
Service Control Policies	Root, OUs, accounts
GitHub Actions OIDC provider	Management account
Alternate contacts	All accounts
Marketing email unsubscribe	All accounts
SSM organization parameter publishing	Management account
StackSet IAM roles	Management account
Regional CDK asset buckets	Management + all regions
Delegated admin registration (GuardDuty, Security Hub, Inspector, Macie)	Management account (registers the security account)
Log archive CloudTrail S3 buckets	Log archive account
Central CloudTrail SNS topic	Security account
Management-account CloudTrail	Management account
Management-account secure defaults	Management account
Account closure automation	Management account
StackSet drift detection	Management account
Secure defaults (delete default VPC, EBS encryption, default SG hardening, SSM service settings, password policy, S3 block public access)	All member accounts, all configured regions
CloudTrail with CIS alarms	All member accounts, primary region
Cost budgets and anomaly detection	All member accounts, primary region
CDK bootstrap and asset cleaner	Development and Production OUs, primary region
Service quota increases	Development and Production OUs, primary region
Security Hub, GuardDuty, Inspector, and Macie organization configuration	Security account, primary region

Reference pages

Page	What you'll find
Stacks	The three deployment phases, what each stack owns, and the SSM contract between them
StackSets	All 9 StackSets: purpose, resources created, composed constructs, and targets
Constructs	All 22 account-baseline constructs: intent, props, and which StackSet ships each