Step 2: Launch your landing zone
The AWS Control Tower CreateLandingZone API requires a landing zone version and a landing zone manifest file as input parameters. You can use the AWS Control Tower landing zone manifest file to configure the following features:
- Optionally configure log retention
- Optionally self-manage AWS account access
- Optionally configure AWS CloudTrail trails
- Optionally configure AWS KMS keys
After compiling your manifest file, you're ready to create a new landing zone.
For more information about what's in the manifest file, see View the details of your landing zone manifest file.
For more information about landing zone schemas that apply to the landing zone manifest file, see Landing zone schemas.
Note
AWS Control Tower does not support the Region deny control when using APIs to configure and launch a landing zone. After successfully launching your landing zone using APIs, you can use the AWS Control Tower console to Configure the Region deny control.
- Call the AWS Control Tower CreateLandingZone API. This API requires a landing zone version and a landing zone manifest file as input.
aws controltower create-landing-zone --landing-zone-version 3.3 --manifest "file://LandingZoneManifest.json"
For more detail about the contents of the landing zone manifest file, see View the details of your landing zone manifest file.
The following example shows a LandingZoneManifest.json manifest, which includes settings for governed Regions and centralized logging:
{
  "governedRegions": ["us-west-2", "us-west-1"],
  "organizationStructure": {
    "security": {
      "name": "CORE"
    },
    "sandbox": {
      "name": "Sandbox"
    }
  },
  "centralizedLogging": {
    "accountId": "222222222222",
    "configurations": {
      "loggingBucket": {
        "retentionDays": 60
      },
      "accessLoggingBucket": {
        "retentionDays": 60
      },
      "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
    },
    "enabled": true
  },
  "securityRoles": {
    "accountId": "333333333333"
  },
  "accessManagement": {
    "enabled": true
  }
}
Note
As shown in the example, the AccountId for the CentralizedLogging and SecurityRoles accounts must be different.
The following example shows a LandingZoneManifest.json manifest file, which includes settings for backup and centralized logging:
{
  "landingZoneIdentifier": "LANDING ZONE ARN",
  "manifest": {
    "accessManagement": {
      "enabled": true
    },
    "securityRoles": {
      "accountId": "333333333333"
    },
    "backup": {
      "configurations": {
        "centralBackup": {
          "accountId": "CENTRAL BACKUP ACCOUNT ID"
        },
        "backupAdmin": {
          "accountId": "BACKUP MANAGER ACCOUNT ID"
        },
        "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
      },
      "enabled": true
    },
    "governedRegions": [
      "us-west-1"
    ],
    "organizationStructure": {
      "sandbox": {
        "name": "Sandbox"
      },
      "security": {
        "name": "Security"
      }
    },
    "centralizedLogging": {
      "accountId": "222222222222",
      "configurations": {
        "loggingBucket": {
          "retentionDays": 365
        },
        "accessLoggingBucket": {
          "retentionDays": 3650
        }
      },
      "enabled": true
    }
  },
  "version": "3.3"
}
Output:
{
  "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
  "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"
}
- Call the GetLandingZoneOperation API to check the status of the CreateLandingZone operation. The GetLandingZoneOperation API returns a status of SUCCEEDED, FAILED, or IN_PROGRESS.
aws controltower get-landing-zone-operation --operation-identifier "55XXXXXX-eXXX-4XXX-aXXX-44XXXXXXXXXX"
Output:
{
  "operationDetails": {
    "operationType": "CREATE",
    "startTime": "Thu Nov 09 20:39:19 UTC 2023",
    "endTime": "Thu Nov 09 21:02:01 UTC 2023",
    "status": "SUCCEEDED"
  }
}
- When the status returns as SUCCEEDED, you can call the GetLandingZone API to review the landing zone configuration.
aws controltower get-landing-zone --landing-zone-identifier "arn:aws:controltower:us-west-2:123456789123:landingzone/1A2B3C4D5E6F7G8H"
Output:
{
  "landingZone": {
    "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
    "driftStatus": {
      "status": "IN_SYNC"
    },
    "latestAvailableVersion": "3.3",
    "manifest": {
      "accessManagement": {
        "enabled": true
      },
      "securityRoles": {
        "accountId": "333333333333"
      },
      "governedRegions": [
        "us-west-1",
        "eu-west-3",
        "us-west-2"
      ],
      "organizationStructure": {
        "sandbox": {
          "name": "Sandbox"
        },
        "security": {
          "name": "Security"
        }
      },
      "centralizedLogging": {
        "accountId": "222222222222",
        "configurations": {
          "loggingBucket": {
            "retentionDays": 60
          },
          "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX",
          "accessLoggingBucket": {
            "retentionDays": 60
          }
        },
        "enabled": true
      }
    },
    "status": "PROCESSING",
    "version": "3.3"
  }
}
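A pre-flight check for the manifest and a status mapper for the polling step, as an added example that is not AWS code: the sample manifest is constructed from the layout shown on this page, the validation rules encode only the constraints this page states (different CentralizedLogging and SecurityRoles accounts, non-empty governedRegions, a security OU) plus basic format checks, and the three operation statuses are the ones the page lists.

```python
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")

# Constructed sample following the page's LandingZoneManifest.json layout (not a real account).
SAMPLE_MANIFEST = {
    "governedRegions": ["us-west-2", "us-west-1"],
    "organizationStructure": {"security": {"name": "CORE"}, "sandbox": {"name": "Sandbox"}},
    "centralizedLogging": {"accountId": "222222222222", "enabled": True, "configurations": {
        "loggingBucket": {"retentionDays": 60}, "accessLoggingBucket": {"retentionDays": 60},
        "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"}},
    "securityRoles": {"accountId": "333333333333"},
    "accessManagement": {"enabled": True},
}

def validate_manifest(manifest):
    """Return a list of problems found before calling CreateLandingZone; empty means it passes."""
    problems = []
    regions = manifest.get("governedRegions")
    if not isinstance(regions, list) or not regions:
        problems.append("governedRegions must be a non-empty list")
    if "security" not in manifest.get("organizationStructure", {}):
        problems.append("organizationStructure.security is required")
    logging_cfg = manifest.get("centralizedLogging", {})
    log_acct = logging_cfg.get("accountId")
    sec_acct = manifest.get("securityRoles", {}).get("accountId")
    for label, acct in (("centralizedLogging", log_acct), ("securityRoles", sec_acct)):
        if not (isinstance(acct, str) and ACCOUNT_ID.match(acct)):
            problems.append(f"{label}.accountId must be a 12-digit account ID")
    if log_acct is not None and log_acct == sec_acct:  # the Note on this page
        problems.append("centralizedLogging and securityRoles accountId must differ")
    configurations = logging_cfg.get("configurations", {})
    for bucket in ("loggingBucket", "accessLoggingBucket"):
        days = configurations.get(bucket, {}).get("retentionDays")
        if days is not None and (type(days) is not int or days <= 0):
            problems.append(f"{bucket}.retentionDays must be a positive integer")
    key_arn = configurations.get("kmsKeyArn")
    if key_arn is not None and not KMS_KEY_ARN.match(key_arn):
        problems.append("kmsKeyArn is not a KMS key ARN")
    return problems

def operation_outcome(response):
    """Map a GetLandingZoneOperation response to 'done', 'failed' or 'wait' for a poll loop."""
    status = response.get("operationDetails", {}).get("status")
    outcomes = {"SUCCEEDED": "done", "FAILED": "failed", "IN_PROGRESS": "wait"}
    if status not in outcomes:
        raise ValueError(f"unexpected operation status: {status!r}")
    return outcomes[status]
```

Run validate_manifest on the parsed LandingZoneManifest.json before the create-landing-zone call, and feed each get-landing-zone-operation response to operation_outcome until it returns something other than 'wait'.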