The account baseline is built from single-purpose CDK constructs that ship in @towardsthecloud/cdk-landing-zone-constructs. Each one does a single job (delete the default VPC, configure GuardDuty for the organization, request a quota increase) and exposes a small, typed props interface.
You do not instantiate these constructs yourself. The StackSets compose them into the templates they roll out across your accounts, and the Organization stack uses a few directly in the management account. The props are preset for you as part of the landing zone wiring. This page is the reference for what each construct does, which props it exposes, and which StackSet ships it, so you know exactly what lands in your accounts.
At a glance
| Construct | Purpose | Shipped by |
|---|---|---|
| SecureDefaultsConstruct | Bundles per-account security hardening into one unit | SecureDefaultsStackSet, ProvisionManagementStackSet |
| DeleteDefaultVPCConstruct | Deletes the default VPC in every region | via SecureDefaults |
| EnableEbsEncryptionConstruct | Turns on EBS encryption by default | via SecureDefaults |
| S3BlockPublicAccessConstruct | Enforces account-level S3 Block Public Access | via SecureDefaults |
| SetAccountPasswordPolicyConstruct | Enforces a strong IAM password policy | via SecureDefaults |
| ConfigureSsmServiceSettingsConstruct | Hardens Systems Manager service settings | via SecureDefaults |
| SecurityHubV2Construct | Manages the four org-wide security services from one place | SecurityHubV2StackSet |
| SecurityHubCspmConstruct | Security Hub CSPM central configuration and standards | via SecurityHubV2 |
| GuardDutyConstruct | GuardDuty organization configuration | via SecurityHubV2 |
| InspectorConstruct | Amazon Inspector organization scanning | via SecurityHubV2 |
| MacieConstruct | Amazon Macie organization configuration | via SecurityHubV2 |
| CloudTrailConstruct | Multi-region CloudTrail with CIS alarms | CloudTrailStackSet, ProvisionManagementStackSet |
| EncryptedSNSTopicConstruct | KMS-encrypted SNS topic with scoped policies | CentralAlertsStackSet, CostControlStackSet |
| BudgetConstruct | AWS Budget with actual and forecast alerts | CostControlStackSet |
| CostAnomalyConstruct | Cost anomaly detection monitor | CostControlStackSet |
| CdkToolkitConstruct | CDK bootstrap resources for an account | CdkBootstrapStackSet |
| CdkToolkitCleanerConstruct | Removes unused CDK bootstrap assets | CdkBootstrapStackSet |
| IncreaseServiceQuotaConstruct | Requests a Service Quotas increase | ServiceQuotasStackSet |
| DetectStackSetDriftConstruct | Daily drift detection across all StackSets | ProvisionManagementStackSet |
| CloseAccountConstruct | Closes accounts moved to the Suspended OU | ProvisionManagementStackSet |
| SetAlternateContactConstruct | Reconciles alternate contacts across all accounts | OrganizationStack |
| UnsubscribeMarketingMailsConstruct | Opts account emails out of AWS marketing mail | OrganizationStack |
SecureDefaultsConstruct
Applies the per-account hardening baseline in one unit: deletes the default VPC, turns on EBS encryption by default, blocks S3 public access at the account level, enforces a strong IAM password policy, tightens Systems Manager service settings, and strips every inbound and outbound rule from the default security group of any newly created VPC. You interact with the hardening controls through this construct; the five constructs that follow are the pieces it composes.
Props
| Prop | Type | Required |
|---|---|---|
| globalSettingsRegion | string | Yes |
globalSettingsRegion is the region where account-global settings (S3 Block Public Access and the password policy) are applied once. The region-local controls run in every targeted region. This prevents duplicate account-wide calls when the StackSet rolls out to multiple regions.
Shipped by: SecureDefaultsStackSet (member accounts) and ProvisionManagementStackSet (management account).
DeleteDefaultVPCConstruct
Removes the default VPC in every region of an account, so workloads have to run in an explicitly created VPC instead of the wide-open default.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
EnableEbsEncryptionConstruct
Turns on EBS encryption by default for the whole account, so every new EBS volume is encrypted at rest without workload teams having to opt in.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
S3BlockPublicAccessConstruct
Enables all four account-level S3 Block Public Access settings, so no bucket or object in the account can be made public regardless of its own configuration.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
SetAccountPasswordPolicyConstruct
Enforces a strong IAM user password policy: minimum 18 characters, 90-day maximum age, no reuse of the last 24 passwords, and required uppercase, lowercase, number, and symbol complexity.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
ConfigureSsmServiceSettingsConstruct
Hardens account-level AWS Systems Manager settings: blocks public sharing of SSM documents and routes SSM Automation execution logs to CloudWatch.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
SecurityHubV2Construct
Configures the unified Security Hub V2 management layer from the security account, giving you one place to govern Security Hub CSPM, GuardDuty, Inspector, and Macie across every account and region. Each service ships wired but disabled by default; you turn one on by flipping its options block (cspmOptions, guardDutyOptions, inspectorOptions, or macieOptions) and redeploying.
Props
| Prop | Type | Required |
|---|---|---|
| rootId | string | Yes |
| suspendedOuId | string | Yes |
| managementAccountId | string | Yes |
| enabledRegions | string[] | Yes |
| secondaryRegions | string[] | No |
| cspmOptions | SecurityHubCspmOptions | No |
| guardDutyOptions | GuardDutyOptions | No |
| inspectorOptions | InspectorOptions | No |
| macieOptions | MacieOptions | No |
Shipped by: SecurityHubV2StackSet (security account). Composes SecurityHubCspmConstruct, GuardDutyConstruct, InspectorConstruct, and MacieConstruct.
SecurityHubCspmConstruct
Configures Security Hub CSPM central configuration from the security account: cross-region finding aggregation, the AWS Config organization aggregator, and the organization policies that decide which standards are enabled and which controls are suppressed.
Props
The behavior is driven by cspmOptions (SecurityHubCspmOptions):
| Field | Type | Default |
|---|---|---|
| enabled | boolean | true |
| enabledStandardIdentifiers | string[] | AWS FSBP v1.0.0 and CIS v5.0.0 |
| autoEnableNewControls | boolean | true |
| consolidatedControlFindings | boolean | true |
Use the SecurityHubV2Standard static constants (for example SecurityHubV2Standard.AWS_FOUNDATIONAL_SECURITY_BEST_PRACTICES) or raw standard ARNs for enabledStandardIdentifiers.
Shipped by: via SecurityHubV2Construct.
GuardDutyConstruct
Configures GuardDuty across the organization from the security account, with per-protection-plan control and automatic association of member accounts.
Props
The behavior is driven by guardDutyOptions (GuardDutyOptions):
| Field | Type | Default |
|---|---|---|
| enabled | boolean | true |
| s3DataEvents | boolean | true |
| eksAuditLogs | boolean | true |
| ec2MalwareProtection | boolean | true |
| lambdaNetworkLogs | boolean | true |
| rdsLoginEvents | boolean | true |
| eksRuntimeMonitoring | boolean | true |
| ecsFargateRuntimeMonitoring | boolean | true |
| ec2RuntimeMonitoring | boolean | true |
| memberAccounts | GuardDutyMemberAccount[] | none |
Each GuardDutyMemberAccount has a required accountId and email, resolved from your organization structure.
Shipped by: via SecurityHubV2Construct.
InspectorConstruct
Configures organization-wide Amazon Inspector scanning from the security account for EC2 instances, ECR container images, Lambda functions, and code repositories.
Props
The behavior is driven by inspectorOptions (InspectorOptions):
| Field | Type | Default |
|---|---|---|
| enabled | boolean | true |
| ec2Scanning | boolean | true |
| ecrScanning | boolean | true |
| codeRepositoryScanning | boolean | true |
| lambdaStandardScanning | boolean | true |
| lambdaCodeScanning | boolean | true |
Shipped by: via SecurityHubV2Construct.
MacieConstruct
Configures Amazon Macie across the organization from the security account for sensitive-data discovery and S3 bucket classification, with optional automated discovery and in-place suspend or resume to control billing.
Props
The behavior is driven by macieOptions (MacieOptions):
| Field | Type | Default |
|---|---|---|
| enabled | boolean | true |
| automatedSensitiveDataDiscovery | boolean | true |
| memberAccounts | MacieMemberAccount[] | none |
Each MacieMemberAccount has a required accountId and email, resolved from your organization structure.
Shipped by: via SecurityHubV2Construct.
CloudTrailConstruct
Creates a multi-region CloudTrail trail that delivers to a central S3 bucket and adds a set of CloudWatch alarms aligned with the CIS AWS Foundations Benchmark. The alarms cover root account usage, unauthorized API calls, sign-in without MFA, IAM and policy changes, CloudTrail configuration changes, console authentication failures, KMS key disable or delete, S3 bucket policy changes, AWS Config changes, and network changes (security groups, NACLs, gateways, route tables, and VPCs).
Props
| Prop | Type | Required |
|---|---|---|
| snsTopic | sns.ITopic | Yes |
| s3Bucket | s3.IBucket | Yes |
Shipped by: CloudTrailStackSet (member accounts) and ProvisionManagementStackSet (management account, primary region).
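To make the alarm coverage above concrete, here is an added example (not code from cdk-landing-zone-constructs) that tags CloudTrail records with the CIS alarm categories they would trigger. The match rules are simplified versions of the CIS AWS Foundations Benchmark metric-filter patterns, and the sample records are constructed, not real log data.

```typescript
// Added illustration, not the construct's own code: classify CloudTrail
// records into the CIS alarm categories the CloudTrailConstruct covers.
// Rules are simplified from the CIS AWS Foundations metric-filter patterns.
type CloudTrailRecord = {
  eventName: string; eventSource: string; eventType?: string;
  errorCode?: string; errorMessage?: string;
  userIdentity: { type: string; invokedBy?: string };
  additionalEventData?: { MFAUsed?: string };
};
type AlarmRule = { alarm: string; matches: (r: CloudTrailRecord) => boolean };

const cisAlarmRules: AlarmRule[] = [
  // Root credentials used directly, not by an AWS service acting for root.
  { alarm: "RootAccountUsage", matches: (r) =>
      r.userIdentity.type === "Root" && r.userIdentity.invokedBy === undefined &&
      r.eventType !== "AwsServiceEvent" },
  { alarm: "UnauthorizedApiCalls", matches: (r) =>
      /UnauthorizedOperation$/.test(r.errorCode ?? "") || /^AccessDenied/.test(r.errorCode ?? "") },
  // Successful console sign-in where MFA was not used.
  { alarm: "ConsoleSigninWithoutMfa", matches: (r) =>
      r.eventName === "ConsoleLogin" && r.errorMessage === undefined &&
      r.additionalEventData?.MFAUsed !== "Yes" },
  { alarm: "ConsoleAuthFailures", matches: (r) =>
      r.eventName === "ConsoleLogin" && r.errorMessage === "Failed authentication" },
  { alarm: "CloudTrailChanges", matches: (r) =>
      ["CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"].indexOf(r.eventName) >= 0 },
  { alarm: "KmsKeyDisableOrDelete", matches: (r) =>
      r.eventSource === "kms.amazonaws.com" && ["DisableKey", "ScheduleKeyDeletion"].indexOf(r.eventName) >= 0 },
  { alarm: "S3BucketPolicyChanges", matches: (r) =>
      r.eventSource === "s3.amazonaws.com" && /^(Put|Delete)Bucket(Policy|Acl)$/.test(r.eventName) },
];

// Returns every CIS alarm category a single record would trigger, in rule order.
function matchCisAlarms(record: CloudTrailRecord): string[] {
  return cisAlarmRules.filter((rule) => rule.matches(record)).map((rule) => rule.alarm);
}

// Constructed sample records (not real log data): root console login without
// MFA, a KMS key scheduled for deletion, a denied EC2 call, and a trail stop.
const sampleRecords: CloudTrailRecord[] = [
  { eventName: "ConsoleLogin", eventSource: "signin.amazonaws.com", eventType: "AwsConsoleSignIn",
    userIdentity: { type: "Root" }, additionalEventData: { MFAUsed: "No" } },
  { eventName: "ScheduleKeyDeletion", eventSource: "kms.amazonaws.com", eventType: "AwsApiCall",
    userIdentity: { type: "IAMUser" } },
  { eventName: "DescribeInstances", eventSource: "ec2.amazonaws.com", eventType: "AwsApiCall",
    errorCode: "Client.UnauthorizedOperation", userIdentity: { type: "AssumedRole" } },
  { eventName: "StopLogging", eventSource: "cloudtrail.amazonaws.com", eventType: "AwsApiCall",
    userIdentity: { type: "AssumedRole", invokedBy: "cloudformation.amazonaws.com" } },
];

// Runs the classifier over the sample batch; one alarm list per record.
function sampleAlarms(): string[][] {
  return sampleRecords.map(matchCisAlarms);
}
```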
EncryptedSNSTopicConstruct
A KMS-encrypted SNS topic with resource policies scoped to your organization or account, with optional email subscriptions. It is the notification backbone for the landing zone's security alerts and budget notifications.
Props
| Prop | Type | Required |
|---|---|---|
| topicName | string | Yes |
| servicePrincipal | string | Yes |
| subscribers | Subscribers | Yes |
| organizationId | string | No |
| additionalServicePrincipals | string[] | No |
subscribers accepts an optional emails string array.
Shipped by: CentralAlertsStackSet (security account) and CostControlStackSet (member accounts).
BudgetConstruct
Creates an AWS Budget that notifies an SNS topic when actual or forecasted spend crosses 100 percent of the configured limit, with optional tag filtering for per-team or per-project cost attribution.
Props
| Prop | Type | Required |
|---|---|---|
| name | string | Yes |
| amount | number | Yes |
| snsTopic | sns.ITopic | Yes |
| timeUnit | TimeUnit (MONTHLY, QUARTERLY, ANNUALLY) | No (default MONTHLY) |
| forTags | { [key: string]: string } | No |
Shipped by: CostControlStackSet.
CostAnomalyConstruct
Sets up Cost Explorer anomaly detection across all AWS services and notifies an SNS topic as soon as an anomaly reaches full impact, so unexpected spend spikes surface early.
Props
| Prop | Type | Required |
|---|---|---|
| snsTopic | sns.ITopic | Yes |
Shipped by: CostControlStackSet.
CdkToolkitConstruct
Provisions the standard CDK bootstrap resources (asset S3 bucket, container image repository, and deploy roles) in a StackSet-compatible form, so every target account is CDK-deployable without anyone running cdk bootstrap by hand.
Props
| Prop | Type | Required |
|---|---|---|
| assetRemovalPolicy | cdk.RemovalPolicy | No (default RETAIN) |
| qualifier | string | No (default hnb659fds) |
Shipped by: CdkBootstrapStackSet (Development and Production OUs).
CdkToolkitCleanerConstruct
Periodically removes unused assets (S3 objects and container images) from the CDK bootstrap bucket and repository, so bootstrap storage does not grow without bound.
Props
| Prop | Type | Required |
|---|---|---|
| bucketName | string | Yes |
| repositoryName | string | Yes |
| schedule | events.Schedule | No (default daily) |
| scheduleEnabled | boolean | No (default true) |
| dryRun | boolean | No (default false) |
| retainAssetsNewerThan | cdk.Duration | No |
| dockerTagPrefix | string | No |
Shipped by: CdkBootstrapStackSet (Development and Production OUs).
IncreaseServiceQuotaConstruct
Requests a Service Quotas increase for a specific quota during deployment, so workload accounts raise their limits without manual console steps. The request is idempotent: it does nothing if a request is already pending or the quota is already met.
Props
| Prop | Type | Required |
|---|---|---|
| quotaCode | string | Yes |
| serviceCode | string | Yes |
| desiredValue | number | Yes |
| region | string | No (default StackSet target region) |
Shipped by: ServiceQuotasStackSet (Development and Production OUs).
DetectStackSetDriftConstruct
Runs a daily drift-detection scan across all StackSets in the management account, so manual changes to StackSet-managed resources surface promptly instead of going unnoticed.
No configurable props.
Shipped by: ProvisionManagementStackSet.
CloseAccountConstruct
Closes an account automatically when you move it into the Suspended OU, so decommissioning an account does not need a manual console action.
Props
| Prop | Type | Required |
|---|---|---|
| suspendedOuId | string | Yes |
Shipped by: ProvisionManagementStackSet.
SetAlternateContactConstruct
Reconciles the security, billing, and operations alternate contacts on every active account in the organization on each deploy, so contact details stay current as accounts come and go.
Props
| Prop | Type | Required |
|---|---|---|
| securityContact | AlternateContact | Yes |
| billingContact | AlternateContact | Yes |
| operationsContact | AlternateContact | Yes |
| reconcileTrigger | string | No |
Each AlternateContact has a required name, title, emailAddress, and phoneNumber. You set these in alternate-contacts.ts.
Shipped by: OrganizationStack (management account).
UnsubscribeMarketingMailsConstruct
Opts every account's root email out of AWS marketing mail, and re-runs as new accounts are added so they are unsubscribed in the same deploy.
Props
| Prop | Type | Required |
|---|---|---|
| reconcileTrigger | string | No |
Shipped by: OrganizationStack (management account).