CloudFormation StackSets let a single template deploy simultaneously to multiple accounts and regions. The landing zone uses StackSets to roll out its account baseline, so every account that joins a targeted OU automatically receives the full baseline without manual intervention. Each StackSet composes one or more single-purpose constructs from @towardsthecloud/cdk-landing-zone-constructs into the template it ships.
The landing zone uses two StackSet permission models:
- Service-managed (default): CloudFormation manages the required IAM roles and targets OUs directly. New accounts that join a targeted OU receive the StackSet automatically. It cannot deploy to the management account.
- Self-managed: used when the target is a specific account rather than an OU. It relies on the StackSet IAM roles created by the landing zone foundation in Phase 2.
At a glance
| StackSet | Phase | Permission | Deployed to |
|---|---|---|---|
| LogArchiveStackSet | 2 | Service-managed | Log archive account, primary region |
| CentralAlertsStackSet | 2 | Service-managed | Security account, all configured regions |
| ProvisionManagementStackSet | 2 | Self-managed | Management account, all configured regions |
| SecureDefaultsStackSet | 3 | Service-managed | All member accounts, all configured regions |
| CloudTrailStackSet | 3 | Service-managed | All member accounts, primary region |
| CostControlStackSet | 3 | Service-managed | All member accounts, primary region |
| CdkBootstrapStackSet | 3 | Service-managed | Development and Production OUs, primary region |
| ServiceQuotasStackSet | 3 | Service-managed | Development and Production OUs, primary region |
| SecurityHubV2StackSet | 3 | Self-managed | Security account, primary region |
The security services (Security Hub, GuardDuty, Inspector, and Macie) work in two parts. ProvisionManagementStackSet registers the security account as the delegated administrator for all four services in Phase 2, and SecurityHubV2StackSet applies the organization-wide configuration from that account in Phase 3.
Phase 2: foundation StackSets
LogArchiveStackSet
Creates the centralized CloudTrail storage in the log archive account. Composes raw CDK resources rather than a baseline construct.
| Resource | Details |
|---|---|
| CloudTrail log S3 bucket | cloudtrail-logs-{account}, SSL-only, S3-managed encryption, public access blocked, 365-day expiry |
| Access logging bucket | cloudtrail-access-logs-{account} capturing S3 access logs for the CloudTrail bucket |
| Bucket policy | Grants the CloudTrail service write access from all organization accounts |
Both buckets use a DESTROY removal policy with object auto-deletion, so removing the StackSet cleans up the storage rather than stranding it.
Target: Log archive account (root OU intersected with the log archive account ID), primary region.
Deployed by: LandingZoneFoundationStack. Must deploy before ProvisionManagementStackSet.
CentralAlertsStackSet
Creates the centralized CloudTrail notification topic in the security account. Member-account and management-account CloudTrail trails publish to this topic.
| Resource | Details |
|---|---|
| CloudTrail notifications topic | Encrypted SNS topic cloudtrail-notifications, subscribed to the security contact email |
Composes: EncryptedSNSTopicConstruct.
Target: Security account (root OU intersected with the security account ID), all configured regions.
Deployed by: LandingZoneFoundationStack. Must deploy before ProvisionManagementStackSet.
ProvisionManagementStackSet
Applies the account baseline to the management account and registers the security account as the delegated administrator for the four security services. Service-managed StackSets cannot deploy to the management account, so this self-managed StackSet handles everything the member-account StackSets do, plus the delegation that only the management account can perform.
| Resource | Details |
|---|---|
| CloudTrail trail | Management-account trail sending to the centralized CloudTrail bucket and notification topic (primary region) |
| Secure defaults | Deletes default VPCs, enables EBS encryption, hardens default security groups, configures SSM service settings, sets S3 Block Public Access and password policy |
| Account closure automation | Closes accounts that are moved to the Suspended OU (primary region) |
| StackSet drift detection | Scheduled Lambda that detects StackSet configuration drift (primary region) |
| GuardDuty delegated admin | Registers the security account as the GuardDuty organization administrator (all regions) |
| Security Hub delegated admin | Registers the security account as the Security Hub administrator (primary region) |
| Inspector delegated admin | Registers the security account as the Inspector delegated administrator (primary region) |
| Macie delegated admin | Registers the security account as the Macie organization administrator (all regions) |
Composes: SecureDefaultsConstruct, CloudTrailConstruct, CloseAccountConstruct, DetectStackSetDriftConstruct.
Target: Management account, all configured regions.
Deployed by: LandingZoneFoundationStack, after LogArchiveStackSet and CentralAlertsStackSet.
Phase 3: account-baseline StackSets
SecureDefaultsStackSet
Applies account-level security hardening to every member account in every configured region.
| Resource | Details |
|---|---|
| Default VPC deletion | Removes the default VPC in each region so workloads must use explicitly created VPCs |
| EBS encryption | Enables EBS encryption by default for all new volumes |
| Security group hardening | Strips all rules from newly created default security groups (Lambda triggered on CreateVpc) |
| SSM service settings | Blocks public sharing of SSM documents and routes automation script logs to CloudWatch |
| S3 Block Public Access | Enables account-level S3 Block Public Access (global settings region only) |
| Password policy | Sets the IAM account password policy: 18 characters, 90-day expiry, reuse prevention (global settings region only) |
Composes: SecureDefaultsConstruct.
Target: All member accounts (root OU), all configured regions. The management account gets the same hardening via ProvisionManagementStackSet.
Deployed by: LandingZoneAccountProvisioningStack.
CloudTrailStackSet
Creates a CloudTrail trail in each member account, sending logs to the centralized log archive bucket and notifications to the security account topic. The trail ships with the full set of CIS-aligned CloudWatch alarms.
| Resource | Details |
|---|---|
| CloudTrail trail | Multi-region trail recording management events, delivering to the log archive bucket |
| CIS alarms | 14 metric filters and alarms (root activity, unauthorized API calls, IAM and CloudTrail changes, and more) |
| SNS notification | Publishes alarms to the cloudtrail-notifications topic in the security account |
Composes: CloudTrailConstruct.
Target: All member accounts (root OU), primary region. The management account gets CloudTrail via ProvisionManagementStackSet.
Deployed by: LandingZoneAccountProvisioningStack.
CostControlStackSet
Sets up cost monitoring in every account with AWS Budgets and Cost Anomaly Detection.
| Resource | Details |
|---|---|
| AWS Budget | Monthly budget that alerts on actual and forecast spend over $500 |
| Cost Anomaly Detection | Monitor that alerts when an anomaly's total impact reaches 100% |
| SNS topic | Encrypted SNS topic budgets-notifications, subscribed to the security contact email |
AWS Budgets does not support cross-account SNS topics, so each account creates its own notification topic.
Composes: BudgetConstruct, CostAnomalyConstruct, EncryptedSNSTopicConstruct.
Target: All member accounts (root OU), primary region.
Deployed by: LandingZoneAccountProvisioningStack.
CdkBootstrapStackSet
Bootstraps your workload accounts for CDK deployments and keeps the bootstrap assets tidy. The StackSet mirrors the default cdk bootstrap deployment (qualifier hnb659fds) so the CDK CLI and DefaultStackSynthesizer work unchanged in the target accounts, with no synthesizer configuration in your workload apps.
| Resource | Details |
|---|---|
| CDK bootstrap IAM roles | cdk-hnb659fds-cfn-exec-role, -deploy-role, -file-publishing-role, -image-publishing-role, -lookup-role |
| CDK assets S3 bucket | cdk-hnb659fds-assets-{account}-{region}, versioned, SSL-only, stores templates and file assets |
| CDK assets ECR repository | cdk-hnb659fds-container-assets-{account}-{region}, immutable tags, stores Docker image assets |
| Bootstrap version SSM | /cdk-bootstrap/hnb659fds/version so the CDK CLI can validate the environment |
| Asset cleaner | Scheduled Lambda that deletes unreferenced S3 and ECR assets each day |
The starter sets assetRemovalPolicy to DESTROY (overriding the construct's RETAIN default), so tearing down the StackSet removes the bootstrap buckets and repositories rather than retaining them.
Things to know:
- Brownfield accounts: an account that already has a manually created
CDKToolkitstack collides on the fixedcdk-hnb659fds-*resource names. Delete the old stack, itscdk-hnb659fds-assets-*bucket, and empty its ECR repository before the StackSet rolls out to that account. - Workload OUs only: this StackSet targets the Development and Production OUs, not the security or log archive accounts, since those accounts don't run CDK workloads.
Composes: CdkToolkitConstruct, CdkToolkitCleanerConstruct.
Target: Development and Production OUs, primary region.
Deployed by: LandingZoneAccountProvisioningStack.
ServiceQuotasStackSet
Requests service quota increases in each Development and Production account. Quota requests are asynchronous, so the requested value may not be active immediately after the StackSet deploys.
| Quota | Service | Requested value |
|---|---|---|
EC2 Elastic IP addresses (L-0263D0A3) | ec2 | 10 |
Lambda concurrent executions (L-B99A9384) | lambda | 2000 |
The quota list is configurable in the StackSet, so you can add your own requests. The AWS Organizations account limit is separate: when you set organizationAccountLimit in landing-zone-settings.ts, the Phase 2 foundation requests that increase from us-east-1.
Composes: IncreaseServiceQuotaConstruct.
Target: Development and Production OUs, primary region.
Deployed by: LandingZoneAccountProvisioningStack.
SecurityHubV2StackSet
Configures the four organization-wide security services from the security account, which ProvisionManagementStackSet has already registered as the delegated administrator for each. A single SecurityHubV2Construct coordinates Security Hub CSPM, GuardDuty, Inspector, and Macie behind one shared IAM role.
| Resource | Details |
|---|---|
| Security Hub V2 hub | The Security Hub V2 hub in the security account, with an optional cross-region aggregator |
| Security Hub CSPM | Central configuration, the AWS Config aggregator, and the organization standards policy |
| GuardDuty | Organization auto-enable and protection plans |
| Inspector | The organization scanning policy for EC2, ECR, Lambda, and code repositories |
| Macie | Organization auto-enable and automated sensitive data discovery |
In the starter defaults, all four services ship wired but disabled (enabled: false on each options block). The delegated-admin registration still happens in Phase 2, so when you're ready to turn a service on, you flip its options block (cspmOptions, guardDutyOptions, inspectorOptions, or macieOptions) in securityhub-v2-stackset-stack.ts and redeploy.
Composes: SecurityHubV2Construct.
Target: Security account, primary region.
Deployed by: LandingZoneAccountProvisioningStack. Depends on ProvisionManagementStackSet having registered the delegated administrators.