

# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the Region, [cost](cost.md), [security](security.md), [quota](quotas.md), and other considerations for planning your deployment.

## Supported AWS Regions
<a name="regional-deployments"></a>

This solution uses the AWS Control Tower and AWS Organizations services, which aren’t currently available in all AWS Regions. We recommend using AWS Control Tower and AWS Organizations when launching this solution in an AWS Region where these services are available. For the most current availability of AWS services by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

To deploy this solution to AWS GovCloud(US) Regions, see [Deploy to AWS GovCloud(US) Regions](united-states-us-federal-and-department-of-defense-dod.md).

To deploy this solution to a [Region that is deactivated by default](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable), see [Opt-in Regions](opt-in-regions.md).

# Cost
<a name="cost"></a>

You are responsible for the cost of the AWS services used while running this solution. As of this revision, the cost for running this solution using the Landing Zone Accelerator on AWS [sample configuration](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/reference/sample-configurations/lza-sample-config) with AWS Control Tower in the US East (N. Virginia) Region within a non-critical sandbox environment with no activity or workloads is approximately **\$1430.22 (USD)** each month.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Sample cost table
<a name="cost-table"></a>

The following table provides a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region, with no activity, for one month.


| AWS service | Dimensions | Monthly cost [USD] | 
| --- | --- | --- | 
|  AWS CloudTrail  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$199.00  | 
|  AWS Config  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$123.00  | 
|  AWS KMS  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$144.56  | 
|  Amazon Kinesis  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$111.22  | 
|  Amazon Data Firehose  |  33,735 records x 5 KB  |  \$14.66  | 
|  Amazon S3  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$12.79  | 
|  Amazon VPC  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$1175.35  | 
|  Amazon CloudWatch  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$115.71  | 
|  AWS Security Hub  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$130.00  | 
|  Amazon GuardDuty  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html)  |  \$111.52  | 
|  Amazon Route 53  |  6 hosted zones  |  \$13.00  | 
|  Amazon Macie  |  16 Amazon S3 buckets  |  \$11.60  | 
|  AWS Secrets Manager  |  2 secrets for 30 days  |  \$10.81  | 
|  AWS CodePipeline  |  2 pipelines each month  |  \$11.00  | 
|  AWS CodeBuild  |  60 builds a month x 5 minutes  |  \$16.00  | 
|   **Total monthly cost**   |  |   **\$1430.22**   | 

**Note**  
Data transfer, AWS CodeArtifact, Amazon Detective, Amazon DynamoDB, AWS Lambda, AWS Service Catalog, Amazon Simple Notification Service (Amazon SNS), Amazon Simple Queue Service (Amazon SQS), AWS Step Functions, and AWS Systems Manager are priced at the Free Tier or less than \$10.01 each month.

# Security
<a name="security"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/).

## IAM roles
<a name="iam-roles"></a>

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s CodePipeline pipelines read/write access to their respective artifact S3 buckets and source code repositories, and permission to run CodeBuild projects. Additional IAM roles are created that grant CodeBuild projects permission to write to Amazon CloudWatch Logs log groups and to create Regional resources.

## AWS KMS keys
<a name="aws-kms-keys"></a>

AWS KMS helps you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. This solution uses AWS KMS keys to turn on encryption at rest for the applicable services it deploys. In a default installation, these keys will rotate automatically once per year. More information about the key management infrastructure for this solution is outlined in [Architecture details](architecture-details.md).

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

# Deployment options
<a name="deployment-options"></a>

Before deploying the Landing Zone Accelerator on AWS, you need to choose a method to centralize the management of resources provisioned by this solution. You can use either AWS Control Tower or AWS Organizations for the management capabilities. We strongly recommend AWS Control Tower if you’re deploying in a Region where it’s supported, as it automatically provisions best practice security configurations and guardrails across your multi-account environment.

**Note**  
If you want to deploy the solution in an existing multi-account environment, refer to [Prerequisites](prerequisites.md) and [Working with existing landing zones](working-with-existing-landing-zones.md) before deploying the solution.

# External pipeline deployment
<a name="external-pipeline-deployment"></a>

In a default Landing Zone Accelerator on AWS installation, the CodePipeline pipeline and S3 bucket deploy into the AWS Organizations management account. You may want to deploy and operate these components in a member AWS account to limit access to the management account. This solution supports this model with an optional pipeline deployment account. In this model, the solution assumes a role in the AWS Organizations management account to deploy resources to workload accounts.

**External pipeline deployment**

![\[external pipeline deployment\]](http://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/images/external-pipeline-deployment.png)


Follow these instructions to implement this pattern:

1. Select an AWS account for the pipeline deployment account. We recommend having the account as a member of the AWS Organizations environment.

1. Create a new IAM role in the AWS Organizations management account that allows access from the pipeline deployment account. `AcceleratorPipelineDeploymentRole` is the preferred name for this role.

1. Update the trust policy of the `AcceleratorPipelineDeploymentRole` to allow access from the pipeline deployment account:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${PIPELINE_DEPLOYMENT_ACCOUNT_ID}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::${PIPELINE_DEPLOYMENT_ACCOUNT_ID}:role/${AcceleratorQualifier}-*"
        }
      }
    }
  ]
}
```

1. Attach the `AdministratorAccess` AWS managed IAM policy to the role.

**Note**  
By default, IAM roles whose names begin with the AcceleratorQualifier prefix in the pipeline account are used by AWS CodeBuild to assume the role in the management account and deploy resources. To protect these roles, you should implement additional security measures, such as service control policies (SCPs).
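As an added example (not code from the Landing Zone Accelerator project), the following Python builds the trust policy above from the pipeline account ID and qualifier, checks an existing trust policy for the scoping this pattern relies on (an exact account-root principal, `sts:AssumeRole` only, and the `aws:PrincipalArn` condition that limits callers to the `${AcceleratorQualifier}-*` roles), and renders an SCP of the kind the note suggests for protecting those roles. The account ID and qualifier are constructed placeholders; the SCP's exemption of the prefixed roles themselves is an assumption to adjust to whichever principal legitimately manages those roles in your environment.

```python
"""Build and check the management-account trust policy for the external
pipeline deployment pattern, and render a protective SCP for the
qualifier-prefixed pipeline roles.

Added example; not code from the Landing Zone Accelerator project.
"""
import json

# Constructed placeholder values, not real accounts or deployments.
PIPELINE_DEPLOYMENT_ACCOUNT_ID = "111111111111"
ACCELERATOR_QUALIFIER = "env2"


def pipeline_trust_policy(pipeline_account_id: str, qualifier: str) -> dict:
    """Trust policy for AcceleratorPipelineDeploymentRole as shown on the page:
    trust the pipeline account root, but only for callers whose ARN matches
    the qualifier prefix, so other roles in that account cannot use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{pipeline_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringLike": {
                        "aws:PrincipalArn": f"arn:aws:iam::{pipeline_account_id}:role/{qualifier}-*"
                    }
                },
            }
        ],
    }


def trust_policy_findings(policy: dict, pipeline_account_id: str, qualifier: str) -> list:
    """Return the ways a trust policy deviates from the scoping above.
    An empty list means every Allow statement is scoped as expected."""
    expected_principal = f"arn:aws:iam::{pipeline_account_id}:root"
    expected_caller = f"arn:aws:iam::{pipeline_account_id}:role/{qualifier}-*"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif p != expected_principal:
                findings.append(f"statement {i}: unexpected principal {p}")
        actions = stmt.get("Action", [])
        for a in actions if isinstance(actions, list) else [actions]:
            if a != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {a}")
        caller = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        if caller != expected_caller:
            findings.append(f"statement {i}: aws:PrincipalArn condition missing or not {expected_caller}")
    return findings


def protective_scp(qualifier: str) -> dict:
    """SCP for the OU containing the pipeline account: deny changes to the
    qualifier-prefixed roles by any principal other than those roles.
    Assumption: those roles manage their own IAM resources during deployment;
    change the ArnNotLike exemption if a different principal does so."""
    role_pattern = f"arn:aws:iam::*:role/{qualifier}-*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectAcceleratorPipelineRoles",
                "Effect": "Deny",
                "Action": [
                    "iam:AttachRolePolicy",
                    "iam:DeleteRole",
                    "iam:DeleteRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:PutRolePolicy",
                    "iam:UpdateAssumeRolePolicy",
                    "iam:UpdateRole",
                ],
                "Resource": role_pattern,
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": role_pattern}},
            }
        ],
    }


if __name__ == "__main__":
    policy = pipeline_trust_policy(PIPELINE_DEPLOYMENT_ACCOUNT_ID, ACCELERATOR_QUALIFIER)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, PIPELINE_DEPLOYMENT_ACCOUNT_ID, ACCELERATOR_QUALIFIER))
    print(json.dumps(protective_scp(ACCELERATOR_QUALIFIER), indent=2))
```

The check is deliberately strict: it reports a trust policy that drops the `aws:PrincipalArn` condition, because without it every principal in the pipeline account that can call `sts:AssumeRole` gets a path to an `AdministratorAccess` role in the management account. Run the check against the trust policy you actually deploy, not only the one you intended to deploy.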

After you create the IAM role in the management account, synthesize the Landing Zone Accelerator on AWS installer template configured for external deployments by following these instructions:

1. Clone or download the latest release of the Landing Zone Accelerator on AWS [source code](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/source).

1. Navigate to the `source` folder:

   ```
   cd landing-zone-accelerator-on-aws/source
   ```

1. Install dependencies and build the source code:

   ```
   yarn install && yarn build
   ```

1. Navigate to the installer folder:

   ```
   cd packages/@aws-accelerator/installer/
   ```

1. Synthesize the installer template by running:

   ```
   cdk synth --context use-external-pipeline-account=true
   ```

1. Retrieve the synthesized template named `AWSAccelerator-InstallerStack.template.json` from the `cdk.out` directory.

1. Use this template to create the `AWSAccelerator-Installer` CloudFormation stack in the external deployment account.

1. The deployment now follows the same process as the [standard deployment process](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/deployment-overview.html) with the addition of the following parameters:

   1.  **AcceleratorQualifier** - Names the resources in the external deployment account. This must be unique for each Landing Zone Accelerator on AWS pipeline created in a single external deployment account, for example "env2" or "app1." Do not use "aws-accelerator" or a similar value that could be confused with the prefix.

   1.  **ManagementAccountId** - This is the AWS account ID of the AWS Organizations management account.

   1.  **ManagementAccountRoleName** - This is the name of the IAM role used to access the management account from the external deployment account.

# Source code location
<a name="source-code-location"></a>

In a default Landing Zone Accelerator on AWS deployment, CodePipeline retrieves the source code from the [solution’s GitHub repository](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main). You may want to instead store the source code in Amazon S3 to use only Amazon-provided products. This solution supports this operating model by uploading the LZA source code to an existing S3 bucket before deploying the solution.

Follow these instructions to implement this pattern:

1. Create an S3 bucket with [versioning](https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html) enabled. This bucket should be created in the same AWS account and region you plan to deploy the Landing Zone Accelerator on AWS solution.

1. Clone or download the latest release of the Landing Zone Accelerator on AWS [source code](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/source).

1. Navigate to the landing-zone-accelerator-on-aws folder:

   ```
   cd landing-zone-accelerator-on-aws
   ```

1. Compress all files and folders inside the landing-zone-accelerator-on-aws folder into a versioned zip archive file and upload it to your S3 bucket:

   ```
   SOURCE_CODE_BUCKET_NAME=YOUR_BUCKET_NAME
   LZA_VERSION=v1.14.2
   zip -q -T -r ../$LZA_VERSION.zip .  # quiet, test integrity, recursive
   aws s3 cp ../$LZA_VERSION.zip s3://$SOURCE_CODE_BUCKET_NAME/release/$LZA_VERSION.zip
   ```

**Note**  
Replace `v1.14.2` with the actual LZA version you are deploying. The zip file must contain all the contents inside the landing-zone-accelerator-on-aws folder or the build will fail.

1. Install dependencies and build the source code:

   ```
   yarn install && yarn build
   ```

1. Navigate to the installer folder:

   ```
   cd packages/@aws-accelerator/installer/
   ```

1. Synthesize the installer template by running:

   ```
   cdk synth --context use-s3-source=true
   ```

**Note**  
If your S3 bucket is encrypted with KMS (S3-KMS), you must pass the KMS key ID when synthesizing the template:  

```
cdk synth --context use-s3-source=true --context s3-source-kms-key-arn=arn:aws:kms:us-east-1:000000000000:key/aaaaaaaa-1111-bbbb-2222-cccccc333333
```

1. Retrieve the synthesized template named `AWSAccelerator-InstallerStack.template.json` from the `cdk.out` directory.

1. Use this template to create the `AWSAccelerator-Installer` CloudFormation stack in the account and region the S3 bucket was created in.

1. The deployment now follows the same process as the [standard deployment process](https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/deployment-overview.html) with the addition of the following parameters:
   +  **RepositoryBucketName** - The name of the S3 bucket used to contain the source code.
   +  **RepositoryBucketObject** - The S3 object key of the source code uploaded in Step 5.
   +  **RepositoryBucketKmsKeyArn** - (OPTIONAL) The ARN of the KMS key used to encrypt the S3 bucket.
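As an added example (not code from the Landing Zone Accelerator project), the following Python reproduces the packaging step above (`zip -r` run from inside the `landing-zone-accelerator-on-aws` folder) and checks the resulting archive before you upload it, which is the failure mode the note warns about: the entries must be the folder's contents, with `source/` at the archive root, not wrapped in an extra top-level directory, which is what zipping the folder from its parent produces. The directory tree is constructed for the demo; the assumption that `source/package.json` and the installer package sit at those paths follows from the `cd` steps on this page.

```python
"""Package the Landing Zone Accelerator source tree the way the page's zip
step expects and verify the archive layout before uploading it to S3.

Added example; not code from the Landing Zone Accelerator project. The
directory tree built in demo() is constructed and far smaller than the
real repository.
"""
import tempfile
import zipfile
from pathlib import Path


def make_source_archive(source_dir: Path, archive_path: Path) -> Path:
    """Equivalent of `zip -r ../<version>.zip .` run inside source_dir:
    entry names are relative to source_dir, with no wrapping folder."""
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(source_dir.rglob("*")):
            zf.write(path, path.relative_to(source_dir).as_posix())
    return archive_path


def archive_findings(archive_path: Path) -> list:
    """Problems that would make the CodeBuild build fail, or that show the
    archive was built from the wrong directory. Empty list means OK."""
    findings = []
    with zipfile.ZipFile(archive_path) as zf:
        corrupt = zf.testzip()  # same intent as the `-T` flag of zip
        if corrupt is not None:
            findings.append(f"corrupt entry: {corrupt}")
        names = zf.namelist()
    top_level = {n.split("/", 1)[0] for n in names}
    # Assumption: the build expects `source/package.json` and the installer
    # package at these paths, as implied by the cd steps on the page.
    if "source/package.json" not in names:
        findings.append("source/package.json not at archive root")
    if len(top_level) == 1 and "source" not in top_level:
        findings.append(f"archive wraps everything in '{top_level.pop()}/' "
                        "(zip the folder contents, not the folder itself)")
    if not any(n.startswith("source/packages/@aws-accelerator/installer/") for n in names):
        findings.append("installer package missing")
    return findings


def demo() -> tuple:
    """Build a correct archive and a wrongly wrapped one from a constructed
    tree and return the findings for each."""
    tmp = Path(tempfile.mkdtemp())
    work, out = tmp / "work", tmp / "out"
    out.mkdir()
    repo = work / "landing-zone-accelerator-on-aws"
    installer = repo / "source" / "packages" / "@aws-accelerator" / "installer"
    installer.mkdir(parents=True)
    (repo / "README.md").write_text("constructed demo tree\n")
    (repo / "source" / "package.json").write_text('{"name": "constructed-demo"}\n')
    (installer / "package.json").write_text('{"name": "installer-demo"}\n')
    # Correct: `cd landing-zone-accelerator-on-aws && zip -r ../v1.14.2.zip .`
    good = make_source_archive(repo, out / "v1.14.2.zip")
    # Wrong: zipping from the parent folder wraps everything in one directory.
    wrapped = make_source_archive(work, out / "wrapped.zip")
    return archive_findings(good), archive_findings(wrapped)


if __name__ == "__main__":
    good_findings, wrapped_findings = demo()
    print("correct archive:", good_findings or "OK")
    print("wrapped archive:", wrapped_findings)
```

Run `archive_findings()` on the real `v1.14.2.zip` (or whichever version you are deploying) before the `aws s3 cp` step; the object key you upload to is the value you later pass as **RepositoryBucketObject**.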

# Mandatory accounts
<a name="mandatory-accounts"></a>

The Landing Zone Accelerator on AWS builds on top of an existing AWS Control Tower or AWS Organizations multi-account structure. If using AWS Control Tower, this solution uses the same initial accounts that are generated by deploying the Control Tower Landing Zone. If using AWS Organizations only in a Region without AWS Control Tower, the following mandatory accounts must be created:
+  **Management account** - This account is designated when first creating an AWS Organization. It’s a privileged account where all AWS Organizations global configuration management and billing consolidation occurs.
+  **LogArchive account** - This account is used for centralized logging of AWS service logs and AWS CloudTrail trails.
+  **Audit account** - This account is used to centralize all security operations and management activities. This account is typically used as a delegated administrator of centralized security services such as Amazon Macie, Amazon GuardDuty, and AWS Security Hub.

# Administrative role
<a name="administrative-role"></a>

Landing Zone Accelerator on AWS uses an IAM role with administrative privileges to manage the orchestration of resources across the environment. We recommend you activate AWS Control Tower and use the `AWSControlTowerExecution` role. You can also leverage other existing cross-account access roles such as `OrganizationAccountAccessRole`, which is the default cross-account role that’s utilized by AWS Organizations.

If you prefer using custom roles, a role with administrative privileges must be deployed in each member account managed by the Landing Zone Accelerator on AWS. These roles must have a trust relationship defined that grants the `sts:AssumeRole` permission to the IAM service role for the Landing Zone Accelerator on AWS CodeBuild projects. The following demonstrates the ARN changes based on the [partition](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html#cfn-pseudo-param-partition) of the resource:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:$PARTITION:iam::$MANAGEMENT_ACCOUNT_ID:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
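As an added example (not code from the Landing Zone Accelerator project), the following Python renders the custom-role trust policy above for the partition that matches the deployment Region and checks an existing trust policy for a principal whose partition does not match, since a principal ARN from the wrong partition can never assume the role. The management account ID is a constructed placeholder, and the Region-to-partition mapping covers only the `aws`, `aws-us-gov` and `aws-cn` partitions.

```python
"""Partition-aware trust policy for a custom administrative role, plus a
check that the principal's partition matches the deployment Region.

Added example; not code from the Landing Zone Accelerator project.
"""
import json
import re

MANAGEMENT_ACCOUNT_ID = "222222222222"  # constructed placeholder


def partition_for_region(region: str) -> str:
    """Map a Region name to its partition. Only the commercial, GovCloud (US)
    and China partitions are handled here (assumption: no other partitions
    are in use)."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def custom_role_trust_policy(region: str, management_account_id: str) -> dict:
    """The trust policy shown on the page, with $PARTITION and
    $MANAGEMENT_ACCOUNT_ID filled in for the given Region."""
    partition = partition_for_region(region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:{partition}:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


ACCOUNT_ROOT_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):root$")


def trust_policy_partition_mismatch(policy: dict, region: str) -> list:
    """Return the principal ARNs in the policy whose partition does not match
    the partition of `region`, or that are not account-root ARNs at all."""
    expected = partition_for_region(region)
    mismatched = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS") if isinstance(principal, dict) else principal
        for arn in arns if isinstance(arns, list) else [arns]:
            match = ACCOUNT_ROOT_ARN.match(str(arn))
            if match is None or match.group("partition") != expected:
                mismatched.append(arn)
    return mismatched


if __name__ == "__main__":
    for region in ("us-east-1", "us-gov-west-1", "cn-north-1"):
        policy = custom_role_trust_policy(region, MANAGEMENT_ACCOUNT_ID)
        print(region, json.dumps(policy["Statement"][0]["Principal"]))
    commercial = custom_role_trust_policy("us-east-1", MANAGEMENT_ACCOUNT_ID)
    print("mismatch in GovCloud:", trust_policy_partition_mismatch(commercial, "us-gov-west-1"))
```

Deploy the rendered policy to every member account the accelerator manages; the mismatch check is most useful when a trust policy written for the commercial partition is reused in a GovCloud (US) deployment, where the `arn:aws:` principal is silently wrong.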

# Customizing the solution
<a name="customizing-the-solution"></a>

This solution deploys an S3 bucket with six customizable YAML configuration files contained in a single ZIP archive. The YAML files are pre-populated with a minimal configuration for the solution. You can create an optional seventh configuration file (`customizations-config.yaml`) to define customizations to the core solution. You can customize the YAML configuration files to deploy additional resources and infrastructure to the solution environment. Refer to [Using configuration files](using-configuration-files.md) for more information, and to our [sample configuration](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/reference/sample-configurations/lza-sample-config) for a sample implementation.