The account baseline is built from single-purpose CDK constructs that ship in @towardsthecloud/cdk-landing-zone-constructs. Each one does a single job (delete the default VPC, configure GuardDuty for the organization, request a quota increase) and exposes a small, typed props interface.
You do not instantiate these constructs yourself. The StackSets compose them into the templates they roll out across your accounts, and the Organization stack uses a few directly in the management account. The props are preset for you as part of the landing zone wiring. This page is the reference for what each construct does, which props it exposes, and which StackSet ships it, so you know exactly what lands in your accounts.
At a glance
| Construct | Purpose | Shipped by |
|---|---|---|
| SecureDefaultsConstruct | Bundles per-account security hardening into one unit | AccountSecurityStackSet, ProvisionManagementStackSet |
| DeleteDefaultVPCConstruct | Deletes the default VPC in every region | via SecureDefaults |
| EnableEbsEncryptionConstruct | Turns on EBS encryption by default | via SecureDefaults |
| S3BlockPublicAccessConstruct | Enforces account-level S3 Block Public Access | via SecureDefaults |
| SetAccountPasswordPolicyConstruct | Enforces a strong IAM password policy | via SecureDefaults |
| ConfigureSsmServiceSettingsConstruct | Hardens Systems Manager service settings | via SecureDefaults |
| CentralizedRootAccessConstruct | Enables IAM centralized root access org-wide | OrganizationSecurityStackSet |
| SecurityHubV2Construct | Manages the four org-wide security services from one place | SecurityHubV2StackSet |
| SecurityHubCspmConstruct | Security Hub CSPM central configuration and standards | via SecurityHubV2 |
| GuardDutyConstruct | GuardDuty organization configuration | via SecurityHubV2 |
| InspectorConstruct | Amazon Inspector organization scanning | via SecurityHubV2 |
| MacieConstruct | Amazon Macie organization configuration | via SecurityHubV2 |
| OrganizationTrailConstruct | Organization-wide CloudTrail with CIS alarms | OrganizationSecurityStackSet |
| IamAccessAnalyzerConstruct | Organization external access analyzer | OrganizationSecurityStackSet |
| EncryptedSNSTopicConstruct | KMS-encrypted SNS topic with scoped policies | CentralAlertsStackSet, CostControlStackSet |
| BudgetConstruct | AWS Budget with actual and forecast alerts | CostControlStackSet |
| CostAnomalyConstruct | Cost anomaly detection monitor | CostControlStackSet |
| CdkToolkitConstruct | CDK bootstrap resources for an account | CdkBootstrapStackSet |
| CdkToolkitCleanerConstruct | Removes unused CDK bootstrap assets | CdkBootstrapStackSet |
| IncreaseServiceQuotaConstruct | Requests a Service Quotas increase | ServiceQuotasStackSet, ProvisionManagementStackSet |
| SetAlternateContactConstruct | Reconciles alternate contacts across all accounts | LandingZoneOrganizationStack |
| UnsubscribeMarketingMailsConstruct | Opts account emails out of AWS marketing mail | LandingZoneOrganizationStack |
| CloseAccountConstruct | Closes accounts moved to the close-account OU | LandingZoneOrganizationStack |
| DetectCloudFormationDriftConstruct | Daily drift detection on landing-zone StackSets and stacks | LandingZoneOrganizationStack, LandingZoneFoundationStack |
SecureDefaultsConstruct
Applies the per-account hardening baseline in one unit: deletes the default VPC, turns on EBS encryption by default, blocks S3 public access at the account level, enforces a strong IAM password policy, tightens Systems Manager service settings, and strips every inbound and outbound rule from the default security group of any newly created VPC. You interact with the hardening controls through this construct; the five constructs that follow are the pieces it composes.
Props
| Prop | Type | Required |
|---|---|---|
globalSettingsRegion | string | Yes |
globalSettingsRegion is the region where account-global settings (S3 Block Public Access and the password policy) are applied once. The region-local controls run in every targeted region. This prevents duplicate account-wide calls when the StackSet rolls out to multiple regions.
Shipped by: AccountSecurityStackSet (member accounts) and ProvisionManagementStackSet (management account).
DeleteDefaultVPCConstruct
Removes the default VPC in every region of an account, so workloads have to run in an explicitly created VPC instead of the wide-open default.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
EnableEbsEncryptionConstruct
Turns on EBS encryption by default for the whole account, so every new EBS volume is encrypted at rest without workload teams having to opt in.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
S3BlockPublicAccessConstruct
Enables all four account-level S3 Block Public Access settings, so no bucket or object in the account can be made public regardless of its own configuration.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
SetAccountPasswordPolicyConstruct
Enforces a strong IAM user password policy: minimum 18 characters, 90-day maximum age, no reuse of the last 24 passwords, and required uppercase, lowercase, number, and symbol complexity.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
ConfigureSsmServiceSettingsConstruct
Hardens account-level AWS Systems Manager settings: blocks public sharing of SSM documents and routes SSM Automation execution logs to CloudWatch.
No configurable props.
Shipped by: via SecureDefaultsConstruct.
CentralizedRootAccessConstruct
Enables IAM centralized root access for the organization, so member accounts do not carry their own root credentials and privileged root actions run as short-lived sessions. It runs from the security account, which the organization phase registers as the IAM delegated administrator, once IAM trusted access is enabled, and it leaves centralized root access enabled if the stack is deleted, so member accounts keep centrally managed root rather than being handed back standalone root credentials. Because the setting is account-global, its resources are applied once from the configured primary region.
Props
| Prop | Type | Required |
|---|---|---|
primaryRegion | string | Yes |
primaryRegion is the region where the account-global setting is applied once, so a multi-region StackSet rollout does not repeat the call.
Shipped by: OrganizationSecurityStackSet (security account).
IamAccessAnalyzerConstruct
Creates an organization-wide IAM Access Analyzer external access analyzer from the security account, which the organization phase registers as the Access Analyzer delegated administrator. The analyzer uses the organization as its zone of trust, so it reports resources (S3 buckets, IAM roles, KMS keys, and more) that are shared with principals outside the organization. It satisfies Security Hub control IAM.28 / CIS AWS Foundations Benchmark v3.0.0 1.20 for the account and region that own the analyzer. Analyzers are regional, so the StackSet deploys one per configured region.
Props
| Prop | Type | Required |
|---|---|---|
analyzerName | string | No (default organization-external-access-analyzer) |
Shipped by: OrganizationSecurityStackSet (security account, all configured regions).
SecurityHubV2Construct
Configures the unified Security Hub V2 management layer from the security account, giving you one place to govern Security Hub CSPM, GuardDuty, Inspector, and Macie across every account and region. Each service ships wired but disabled by default; you turn one on by flipping its options block (cspmOptions, guardDutyOptions, inspectorOptions, or macieOptions) and redeploying.
Props
| Prop | Type | Required |
|---|---|---|
rootId | string | Yes |
securityAccountId | string | Yes |
suspendedOuId | string | Yes |
managementAccountId | string | Yes |
enabledRegions | string[] | Yes |
cspmOptions | SecurityHubCspmOptions | No |
guardDutyOptions | GuardDutyOptions | No |
inspectorOptions | InspectorOptions | No |
macieOptions | MacieOptions | No |
Shipped by: SecurityHubV2StackSet (security account). Composes SecurityHubCspmConstruct, GuardDutyConstruct, InspectorConstruct, and MacieConstruct.
SecurityHubCspmConstruct
Configures Security Hub CSPM central configuration from the security account: cross-region finding aggregation, the AWS Config organization aggregator, and the organization policies that decide which standards are enabled and which controls are suppressed.
Props
The behavior is driven by cspmOptions (SecurityHubCspmOptions):
| Field | Type | Default |
|---|---|---|
enabled | boolean | true |
enabledStandardIdentifiers | string[] | AWS FSBP v1.0.0 and CIS v5.0.0 |
autoEnableNewControls | boolean | true |
consolidatedControlFindings | boolean | true |
Use the SecurityHubV2Standard static constants (for example SecurityHubV2Standard.AWS_FOUNDATIONAL_SECURITY_BEST_PRACTICES) or raw standard ARNs for enabledStandardIdentifiers.
Shipped by: via SecurityHubV2Construct.
GuardDutyConstruct
Configures GuardDuty across the organization from the security account, with per-protection-plan control. Existing member accounts are discovered from AWS Organizations at deploy time and associated automatically, so you do not maintain an account list; the delegated administrator, management account, and Suspended OU accounts are excluded.
Props
The behavior is driven by guardDutyOptions (GuardDutyOptions):
| Field | Type | Default |
|---|---|---|
enabled | boolean | true |
s3DataEvents | boolean | true |
eksAuditLogs | boolean | true |
ec2MalwareProtection | boolean | true |
lambdaNetworkLogs | boolean | true |
rdsLoginEvents | boolean | true |
eksRuntimeMonitoring | boolean | true |
ecsFargateRuntimeMonitoring | boolean | true |
ec2RuntimeMonitoring | boolean | true |
Shipped by: via SecurityHubV2Construct.
InspectorConstruct
Configures organization-wide Amazon Inspector scanning from the security account for EC2 instances, ECR container images, Lambda functions, and code repositories.
Props
The behavior is driven by inspectorOptions (InspectorOptions):
| Field | Type | Default |
|---|---|---|
enabled | boolean | true |
ec2Scanning | boolean | true |
ecrScanning | boolean | true |
codeRepositoryScanning | boolean | true |
lambdaStandardScanning | boolean | true |
lambdaCodeScanning | boolean | true |
Shipped by: via SecurityHubV2Construct.
MacieConstruct
Configures Amazon Macie across the organization from the security account for sensitive-data discovery and S3 bucket classification, with optional automated discovery. Setting enabled to false suspends Macie across the organization so it stops billing, and re-enabling it restores member coverage from your current AWS Organizations accounts. Existing member accounts are discovered from AWS Organizations at deploy time and associated automatically; the delegated administrator, management account, and Suspended OU accounts are excluded.
Props
The behavior is driven by macieOptions (MacieOptions):
| Field | Type | Default |
|---|---|---|
enabled | boolean | true |
automatedSensitiveDataDiscovery | boolean | true |
Shipped by: via SecurityHubV2Construct.
OrganizationTrailConstruct
Creates a single organization-wide CloudTrail trail from the delegated administrator security account. One trail captures management events (and optional data events) across every account in the organization, including the management account, into the centralized log archive bucket, and optionally raises the 14 CIS AWS Foundations Benchmark CloudWatch alarms for near-real-time security notifications. The alarms cover root account usage, unauthorized API calls, sign-in without MFA, IAM and policy changes, CloudTrail configuration changes, console authentication failures, KMS key disable or delete, S3 bucket policy changes, AWS Config changes, and network changes.
By default the construct sends logs to the landing zone's centralized destinations: the log archive bucket, and (when enableCloudWatchLogs is set) the shared notifications topic. Data events and CloudTrail Insights are opt-in and off by default.
Props
| Prop | Type | Required |
|---|---|---|
managementAccountId | string | Yes |
logArchiveAccountId | string | Unless s3Bucket is set |
s3Bucket | s3.IBucket | No (overrides the convention) |
snsTopic | sns.ITopic | No (only used with CloudWatch Logs) |
enableCloudWatchLogs | boolean | No (default false) |
enableS3DataEvents | boolean | No (default false) |
enableLambdaDataEvents | boolean | No (default false) |
enableDynamoDbDataEvents | boolean | No (default false) |
enableApiCallRateInsights | boolean | No (default false) |
enableApiErrorRateInsights | boolean | No (default false) |
The OrganizationSecurityStackSet enables enableCloudWatchLogs, so the landing zone ships with the CIS alarms wired to the shared notifications topic.
Shipped by: OrganizationSecurityStackSet (security account, primary region).
EncryptedSNSTopicConstruct
A KMS-encrypted SNS topic with resource policies scoped to your organization or account, with optional email subscriptions. It is the notification backbone for the landing zone's security alerts and budget notifications.
Props
| Prop | Type | Required |
|---|---|---|
topicName | string | Yes |
servicePrincipal | string | Yes |
subscribers | Subscribers | Yes |
organizationId | string | No |
additionalServicePrincipals | string[] | No |
subscribers accepts an optional emails string array.
Shipped by: CentralAlertsStackSet (security account) and CostControlStackSet (member accounts).
BudgetConstruct
Creates an AWS Budget that notifies an SNS topic when actual or forecasted spend crosses 100 percent of the configured limit, with optional tag filtering for per-team or per-project cost attribution.
Props
| Prop | Type | Required |
|---|---|---|
name | string | Yes |
amount | number | Yes |
snsTopic | sns.ITopic | Yes |
timeUnit | TimeUnit (MONTHLY, QUARTERLY, ANNUALLY) | No (default MONTHLY) |
forTags | { [key: string]: string } | No |
Shipped by: CostControlStackSet.
CostAnomalyConstruct
Sets up Cost Explorer anomaly detection across all AWS services and notifies an SNS topic as soon as an anomaly reaches full impact, so unexpected spend spikes surface early.
Props
| Prop | Type | Required |
|---|---|---|
snsTopic | sns.ITopic | Yes |
Shipped by: CostControlStackSet.
CdkToolkitConstruct
Provisions the standard CDK bootstrap resources (asset S3 bucket, container image repository, and deploy roles) in a StackSet-compatible form, so every target account is CDK-deployable without anyone running cdk bootstrap by hand.
Props
| Prop | Type | Required |
|---|---|---|
assetRemovalPolicy | cdk.RemovalPolicy | No (default RETAIN) |
qualifier | string | No (default hnb659fds) |
Shipped by: CdkBootstrapStackSet (Development and Production OUs).
CdkToolkitCleanerConstruct
Periodically removes unused assets (S3 objects and container images) from the CDK bootstrap bucket and repository, so bootstrap storage does not grow without bound.
Props
| Prop | Type | Required |
|---|---|---|
bucketName | string | Yes |
repositoryName | string | Yes |
schedule | events.Schedule | No (default daily) |
scheduleEnabled | boolean | No (default true) |
dryRun | boolean | No (default false) |
retainAssetsNewerThan | cdk.Duration | No |
dockerTagPrefix | string | No |
Shipped by: CdkBootstrapStackSet (Development and Production OUs).
IncreaseServiceQuotaConstruct
Requests a Service Quotas increase for a specific quota during deployment, so accounts raise their limits without manual console steps. The request is idempotent: it does not re-request a value that is already requested or already met. A higher limit is not guaranteed to be active during the deploy that submits it, since AWS still has to approve the request.
Props
| Prop | Type | Required |
|---|---|---|
quotaCode | string | Yes |
serviceCode | string | Yes |
desiredValue | number | Yes |
scope | ServiceQuotaScope | No (default REGIONAL) |
scope decides where the request applies. REGIONAL requests the increase in each region the construct is deployed to. GLOBAL is for account-wide quotas and is submitted once for the account.
Shipped by: ServiceQuotasStackSet (regional workload quotas such as Elastic IPs and Lambda concurrency) and ProvisionManagementStackSet (the global AWS Organizations maximum-accounts quota, when organizationAccountLimit is set).
SetAlternateContactConstruct
Reconciles the security, billing, and operations alternate contacts on every active account in the organization on each deploy, so contact details stay current as accounts come and go.
Props
| Prop | Type | Required |
|---|---|---|
securityContact | AlternateContact | Yes |
billingContact | AlternateContact | Yes |
operationsContact | AlternateContact | Yes |
reconcileTrigger | string | No |
Each AlternateContact has a required name, title, emailAddress, and phoneNumber. You set these in alternate-contacts.ts.
Shipped by: LandingZoneOrganizationStack (management account).
UnsubscribeMarketingMailsConstruct
Opts every account's root email out of AWS marketing mail, and re-runs as new accounts are added so they are unsubscribed in the same deploy.
Props
| Prop | Type | Required |
|---|---|---|
reconcileTrigger | string | No |
Shipped by: LandingZoneOrganizationStack (management account).
CloseAccountConstruct
Runs on a schedule (every 8 hours) and permanently closes any accounts in your close-account OU that are still active, retrying any that could not be closed on the previous run. It only exists when your organization structure includes a CloseAccountOU.
Props
| Prop | Type | Required |
|---|---|---|
closeAccountOuId | string | Yes |
closeAccountOuId is the ID of the OU whose active accounts get closed. The landing zone wires it from the CloseAccountOU in your organization structure.
Shipped by: LandingZoneOrganizationStack (management account).
DetectCloudFormationDriftConstruct
Runs a daily check that starts CloudFormation drift detection on the landing zone's own StackSets and stacks in the account where it is deployed, so configuration drift on landing-zone resources surfaces in CloudFormation instead of going unnoticed. It is deployed once per account that owns landing-zone CloudFormation resources: the management account (through the organization phase) and the landing zone account (through the foundation stack).
No configurable props.
Shipped by: LandingZoneOrganizationStack (management account) and LandingZoneFoundationStack (landing zone account).