AWS CDK Landing Zone

Constructs

The account-baseline CDK constructs in @towardsthecloud/cdk-landing-zone-constructs that the StackSets compose to harden, secure, and bootstrap every account.

The account baseline is built from single-purpose CDK constructs that ship in @towardsthecloud/cdk-landing-zone-constructs. Each one does a single job (delete the default VPC, configure GuardDuty for the organization, request a quota increase) and exposes a small, typed props interface.

You do not instantiate these constructs yourself. The StackSets compose them into the templates they roll out across your accounts, and the Organization stack uses a few directly in the management account. The props are preset for you as part of the landing zone wiring. This page is the reference for what each construct does, which props it exposes, and which StackSet ships it, so you know exactly what lands in your accounts.

At a glance

ConstructPurposeShipped by
SecureDefaultsConstructBundles per-account security hardening into one unitAccountSecurityStackSet, ProvisionManagementStackSet
DeleteDefaultVPCConstructDeletes the default VPC in every regionvia SecureDefaults
EnableEbsEncryptionConstructTurns on EBS encryption by defaultvia SecureDefaults
S3BlockPublicAccessConstructEnforces account-level S3 Block Public Accessvia SecureDefaults
SetAccountPasswordPolicyConstructEnforces a strong IAM password policyvia SecureDefaults
ConfigureSsmServiceSettingsConstructHardens Systems Manager service settingsvia SecureDefaults
CentralizedRootAccessConstructEnables IAM centralized root access org-wideOrganizationSecurityStackSet
SecurityHubV2ConstructManages the four org-wide security services from one placeSecurityHubV2StackSet
SecurityHubCspmConstructSecurity Hub CSPM central configuration and standardsvia SecurityHubV2
GuardDutyConstructGuardDuty organization configurationvia SecurityHubV2
InspectorConstructAmazon Inspector organization scanningvia SecurityHubV2
MacieConstructAmazon Macie organization configurationvia SecurityHubV2
OrganizationTrailConstructOrganization-wide CloudTrail with CIS alarmsOrganizationSecurityStackSet
IamAccessAnalyzerConstructOrganization external access analyzerOrganizationSecurityStackSet
EncryptedSNSTopicConstructKMS-encrypted SNS topic with scoped policiesCentralAlertsStackSet, CostControlStackSet
BudgetConstructAWS Budget with actual and forecast alertsCostControlStackSet
CostAnomalyConstructCost anomaly detection monitorCostControlStackSet
CdkToolkitConstructCDK bootstrap resources for an accountCdkBootstrapStackSet
CdkToolkitCleanerConstructRemoves unused CDK bootstrap assetsCdkBootstrapStackSet
IncreaseServiceQuotaConstructRequests a Service Quotas increaseServiceQuotasStackSet, ProvisionManagementStackSet
SetAlternateContactConstructReconciles alternate contacts across all accountsLandingZoneOrganizationStack
UnsubscribeMarketingMailsConstructOpts account emails out of AWS marketing mailLandingZoneOrganizationStack
CloseAccountConstructCloses accounts moved to the close-account OULandingZoneOrganizationStack
DetectCloudFormationDriftConstructDaily drift detection on landing-zone StackSets and stacksLandingZoneOrganizationStack, LandingZoneFoundationStack

SecureDefaultsConstruct

Applies the per-account hardening baseline in one unit: deletes the default VPC, turns on EBS encryption by default, blocks S3 public access at the account level, enforces a strong IAM password policy, tightens Systems Manager service settings, and strips every inbound and outbound rule from the default security group of any newly created VPC. You interact with the hardening controls through this construct; the five constructs that follow are the pieces it composes.

Props

PropTypeRequired
globalSettingsRegionstringYes

globalSettingsRegion is the region where account-global settings (S3 Block Public Access and the password policy) are applied once. The region-local controls run in every targeted region. This prevents duplicate account-wide calls when the StackSet rolls out to multiple regions.

Shipped by: AccountSecurityStackSet (member accounts) and ProvisionManagementStackSet (management account).

DeleteDefaultVPCConstruct

Removes the default VPC in every region of an account, so workloads have to run in an explicitly created VPC instead of the wide-open default.

No configurable props.

Shipped by: via SecureDefaultsConstruct.

EnableEbsEncryptionConstruct

Turns on EBS encryption by default for the whole account, so every new EBS volume is encrypted at rest without workload teams having to opt in.

No configurable props.

Shipped by: via SecureDefaultsConstruct.

S3BlockPublicAccessConstruct

Enables all four account-level S3 Block Public Access settings, so no bucket or object in the account can be made public regardless of its own configuration.

No configurable props.

Shipped by: via SecureDefaultsConstruct.

SetAccountPasswordPolicyConstruct

Enforces a strong IAM user password policy: minimum 18 characters, 90-day maximum age, no reuse of the last 24 passwords, and required uppercase, lowercase, number, and symbol complexity.

No configurable props.

Shipped by: via SecureDefaultsConstruct.

ConfigureSsmServiceSettingsConstruct

Hardens account-level AWS Systems Manager settings: blocks public sharing of SSM documents and routes SSM Automation execution logs to CloudWatch.

No configurable props.

Shipped by: via SecureDefaultsConstruct.

CentralizedRootAccessConstruct

Enables IAM centralized root access for the organization, so member accounts do not carry their own root credentials and privileged root actions run as short-lived sessions. It runs from the security account, which the organization phase registers as the IAM delegated administrator, once IAM trusted access is enabled, and it leaves centralized root access enabled if the stack is deleted, so member accounts keep centrally managed root rather than being handed back standalone root credentials. Because the setting is account-global, its resources are applied once from the configured primary region.

Props

PropTypeRequired
primaryRegionstringYes

primaryRegion is the region where the account-global setting is applied once, so a multi-region StackSet rollout does not repeat the call.

Shipped by: OrganizationSecurityStackSet (security account).

IamAccessAnalyzerConstruct

Creates an organization-wide IAM Access Analyzer external access analyzer from the security account, which the organization phase registers as the Access Analyzer delegated administrator. The analyzer uses the organization as its zone of trust, so it reports resources (S3 buckets, IAM roles, KMS keys, and more) that are shared with principals outside the organization. It satisfies Security Hub control IAM.28 / CIS AWS Foundations Benchmark v3.0.0 1.20 for the account and region that own the analyzer. Analyzers are regional, so the StackSet deploys one per configured region.

Props

PropTypeRequired
analyzerNamestringNo (default organization-external-access-analyzer)

Shipped by: OrganizationSecurityStackSet (security account, all configured regions).

SecurityHubV2Construct

Configures the unified Security Hub V2 management layer from the security account, giving you one place to govern Security Hub CSPM, GuardDuty, Inspector, and Macie across every account and region. Each service ships wired but disabled by default; you turn one on by flipping its options block (cspmOptions, guardDutyOptions, inspectorOptions, or macieOptions) and redeploying.

Props

PropTypeRequired
rootIdstringYes
securityAccountIdstringYes
suspendedOuIdstringYes
managementAccountIdstringYes
enabledRegionsstring[]Yes
cspmOptionsSecurityHubCspmOptionsNo
guardDutyOptionsGuardDutyOptionsNo
inspectorOptionsInspectorOptionsNo
macieOptionsMacieOptionsNo

Shipped by: SecurityHubV2StackSet (security account). Composes SecurityHubCspmConstruct, GuardDutyConstruct, InspectorConstruct, and MacieConstruct.

SecurityHubCspmConstruct

Configures Security Hub CSPM central configuration from the security account: cross-region finding aggregation, the AWS Config organization aggregator, and the organization policies that decide which standards are enabled and which controls are suppressed.

Props

The behavior is driven by cspmOptions (SecurityHubCspmOptions):

FieldTypeDefault
enabledbooleantrue
enabledStandardIdentifiersstring[]AWS FSBP v1.0.0 and CIS v5.0.0
autoEnableNewControlsbooleantrue
consolidatedControlFindingsbooleantrue

Use the SecurityHubV2Standard static constants (for example SecurityHubV2Standard.AWS_FOUNDATIONAL_SECURITY_BEST_PRACTICES) or raw standard ARNs for enabledStandardIdentifiers.

Shipped by: via SecurityHubV2Construct.

GuardDutyConstruct

Configures GuardDuty across the organization from the security account, with per-protection-plan control. Existing member accounts are discovered from AWS Organizations at deploy time and associated automatically, so you do not maintain an account list; the delegated administrator, management account, and Suspended OU accounts are excluded.

Props

The behavior is driven by guardDutyOptions (GuardDutyOptions):

FieldTypeDefault
enabledbooleantrue
s3DataEventsbooleantrue
eksAuditLogsbooleantrue
ec2MalwareProtectionbooleantrue
lambdaNetworkLogsbooleantrue
rdsLoginEventsbooleantrue
eksRuntimeMonitoringbooleantrue
ecsFargateRuntimeMonitoringbooleantrue
ec2RuntimeMonitoringbooleantrue

Shipped by: via SecurityHubV2Construct.

InspectorConstruct

Configures organization-wide Amazon Inspector scanning from the security account for EC2 instances, ECR container images, Lambda functions, and code repositories.

Props

The behavior is driven by inspectorOptions (InspectorOptions):

FieldTypeDefault
enabledbooleantrue
ec2Scanningbooleantrue
ecrScanningbooleantrue
codeRepositoryScanningbooleantrue
lambdaStandardScanningbooleantrue
lambdaCodeScanningbooleantrue

Shipped by: via SecurityHubV2Construct.

MacieConstruct

Configures Amazon Macie across the organization from the security account for sensitive-data discovery and S3 bucket classification, with optional automated discovery. Setting enabled to false suspends Macie across the organization so it stops billing, and re-enabling it restores member coverage from your current AWS Organizations accounts. Existing member accounts are discovered from AWS Organizations at deploy time and associated automatically; the delegated administrator, management account, and Suspended OU accounts are excluded.

Props

The behavior is driven by macieOptions (MacieOptions):

FieldTypeDefault
enabledbooleantrue
automatedSensitiveDataDiscoverybooleantrue

Shipped by: via SecurityHubV2Construct.

OrganizationTrailConstruct

Creates a single organization-wide CloudTrail trail from the delegated administrator security account. One trail captures management events (and optional data events) across every account in the organization, including the management account, into the centralized log archive bucket, and optionally raises the 14 CIS AWS Foundations Benchmark CloudWatch alarms for near-real-time security notifications. The alarms cover root account usage, unauthorized API calls, sign-in without MFA, IAM and policy changes, CloudTrail configuration changes, console authentication failures, KMS key disable or delete, S3 bucket policy changes, AWS Config changes, and network changes.

By default the construct sends logs to the landing zone's centralized destinations: the log archive bucket, and (when enableCloudWatchLogs is set) the shared notifications topic. Data events and CloudTrail Insights are opt-in and off by default.

Props

PropTypeRequired
managementAccountIdstringYes
logArchiveAccountIdstringUnless s3Bucket is set
s3Buckets3.IBucketNo (overrides the convention)
snsTopicsns.ITopicNo (only used with CloudWatch Logs)
enableCloudWatchLogsbooleanNo (default false)
enableS3DataEventsbooleanNo (default false)
enableLambdaDataEventsbooleanNo (default false)
enableDynamoDbDataEventsbooleanNo (default false)
enableApiCallRateInsightsbooleanNo (default false)
enableApiErrorRateInsightsbooleanNo (default false)

The OrganizationSecurityStackSet enables enableCloudWatchLogs, so the landing zone ships with the CIS alarms wired to the shared notifications topic.

Shipped by: OrganizationSecurityStackSet (security account, primary region).

EncryptedSNSTopicConstruct

A KMS-encrypted SNS topic with resource policies scoped to your organization or account, with optional email subscriptions. It is the notification backbone for the landing zone's security alerts and budget notifications.

Props

PropTypeRequired
topicNamestringYes
servicePrincipalstringYes
subscribersSubscribersYes
organizationIdstringNo
additionalServicePrincipalsstring[]No

subscribers accepts an optional emails string array.

Shipped by: CentralAlertsStackSet (security account) and CostControlStackSet (member accounts).

BudgetConstruct

Creates an AWS Budget that notifies an SNS topic when actual or forecasted spend crosses 100 percent of the configured limit, with optional tag filtering for per-team or per-project cost attribution.

Props

PropTypeRequired
namestringYes
amountnumberYes
snsTopicsns.ITopicYes
timeUnitTimeUnit (MONTHLY, QUARTERLY, ANNUALLY)No (default MONTHLY)
forTags{ [key: string]: string }No

Shipped by: CostControlStackSet.

CostAnomalyConstruct

Sets up Cost Explorer anomaly detection across all AWS services and notifies an SNS topic as soon as an anomaly reaches full impact, so unexpected spend spikes surface early.

Props

PropTypeRequired
snsTopicsns.ITopicYes

Shipped by: CostControlStackSet.

CdkToolkitConstruct

Provisions the standard CDK bootstrap resources (asset S3 bucket, container image repository, and deploy roles) in a StackSet-compatible form, so every target account is CDK-deployable without anyone running cdk bootstrap by hand.

Props

PropTypeRequired
assetRemovalPolicycdk.RemovalPolicyNo (default RETAIN)
qualifierstringNo (default hnb659fds)

Shipped by: CdkBootstrapStackSet (Development and Production OUs).

CdkToolkitCleanerConstruct

Periodically removes unused assets (S3 objects and container images) from the CDK bootstrap bucket and repository, so bootstrap storage does not grow without bound.

Props

PropTypeRequired
bucketNamestringYes
repositoryNamestringYes
scheduleevents.ScheduleNo (default daily)
scheduleEnabledbooleanNo (default true)
dryRunbooleanNo (default false)
retainAssetsNewerThancdk.DurationNo
dockerTagPrefixstringNo

Shipped by: CdkBootstrapStackSet (Development and Production OUs).

IncreaseServiceQuotaConstruct

Requests a Service Quotas increase for a specific quota during deployment, so accounts raise their limits without manual console steps. The request is idempotent: it does not re-request a value that is already requested or already met. A higher limit is not guaranteed to be active during the deploy that submits it, since AWS still has to approve the request.

Props

PropTypeRequired
quotaCodestringYes
serviceCodestringYes
desiredValuenumberYes
scopeServiceQuotaScopeNo (default REGIONAL)

scope decides where the request applies. REGIONAL requests the increase in each region the construct is deployed to. GLOBAL is for account-wide quotas and is submitted once for the account.

Shipped by: ServiceQuotasStackSet (regional workload quotas such as Elastic IPs and Lambda concurrency) and ProvisionManagementStackSet (the global AWS Organizations maximum-accounts quota, when organizationAccountLimit is set).

SetAlternateContactConstruct

Reconciles the security, billing, and operations alternate contacts on every active account in the organization on each deploy, so contact details stay current as accounts come and go.

Props

PropTypeRequired
securityContactAlternateContactYes
billingContactAlternateContactYes
operationsContactAlternateContactYes
reconcileTriggerstringNo

Each AlternateContact has a required name, title, emailAddress, and phoneNumber. You set these in alternate-contacts.ts.

Shipped by: LandingZoneOrganizationStack (management account).

UnsubscribeMarketingMailsConstruct

Opts every account's root email out of AWS marketing mail, and re-runs as new accounts are added so they are unsubscribed in the same deploy.

Props

PropTypeRequired
reconcileTriggerstringNo

Shipped by: LandingZoneOrganizationStack (management account).

CloseAccountConstruct

Runs on a schedule (every 8 hours) and permanently closes any accounts in your close-account OU that are still active, retrying any that could not be closed on the previous run. It only exists when your organization structure includes a CloseAccountOU.

Props

PropTypeRequired
closeAccountOuIdstringYes

closeAccountOuId is the ID of the OU whose active accounts get closed. The landing zone wires it from the CloseAccountOU in your organization structure.

Shipped by: LandingZoneOrganizationStack (management account).

DetectCloudFormationDriftConstruct

Runs a daily check that starts CloudFormation drift detection on the landing zone's own StackSets and stacks in the account where it is deployed, so configuration drift on landing-zone resources surfaces in CloudFormation instead of going unnoticed. It is deployed once per account that owns landing-zone CloudFormation resources: the management account (through the organization phase) and the landing zone account (through the foundation stack).

No configurable props.

Shipped by: LandingZoneOrganizationStack (management account) and LandingZoneFoundationStack (landing zone account).

  • StackSets: how these constructs are composed into the templates that roll out across your accounts
  • Stacks: the deployment phases and what each stack owns