

# Deploy a cloud foundation to support highly-regulated workloads and complex compliance requirements
Solution overview

The Landing Zone Accelerator on AWS (LZA) is architected to align with AWS best practices and to conform with multiple global compliance frameworks. We recommend customers deploy [AWS Control Tower](https://aws.amazon.com/controltower/) as the foundational landing zone and enhance their landing zone capabilities with Landing Zone Accelerator. These complementary capabilities provide a comprehensive no-code solution across 35+ AWS services to manage and govern a multi-account environment built to support customers with highly-regulated workloads and complex compliance requirements. AWS Control Tower and Landing Zone Accelerator help you establish platform readiness with security, compliance, and operational capabilities.

We provide this solution as an open-source project that we built using the [AWS Cloud Development Kit](https://aws.amazon.com/cdk/) (AWS CDK). You can install it directly into your environment, giving you full access to the infrastructure as code (IaC) solution. Through a simplified set of configuration files, you can:
+ Configure additional functionality, controls, and security services such as [AWS Config](https://aws.amazon.com/config/) Managed Rules and [AWS Security Hub](https://aws.amazon.com/security-hub/).
+ Manage your foundational networking topology such as [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) (Amazon VPC), [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/), and [AWS Network Firewall](https://aws.amazon.com/network-firewall/).
+ Generate additional workload accounts using the AWS Control Tower Account Factory.

There are no additional charges or upfront commitments required to use Landing Zone Accelerator on AWS. You pay only for AWS services turned on to set up your platform and operate your controls. This solution can also support non-standard AWS partitions, including the AWS GovCloud (US), AWS Secret, and AWS Top Secret Regions.

This implementation guide describes architectural considerations and configuration steps for deploying the Landing Zone Accelerator on AWS. It includes links to an [AWS CloudFormation](https://aws.amazon.com/cloudformation/) template synthesized from AWS CDK that launches and configures the AWS services required to deploy this solution using AWS best practices for security and availability.

Use this navigation table to quickly find answers to these questions:


| If you want to… | Read… | 
| --- | --- | 
|  Know the cost for running this solution. The estimated cost for running this solution using AWS [sample configuration](https://github.com/awslabs/landing-zone-accelerator-on-aws/tree/main/reference/sample-configurations/lza-sample-config) with AWS Control Tower in the US East (N. Virginia) Region within a non-critical sandbox environment with no activity or workloads is approximately **\$1430.22 (USD) per month**.  |   [Cost](cost.md)   | 
|  Understand the security considerations for this solution.  |   [Security](security.md)   | 
|  Know how to plan for quotas for this solution.  |   [Quotas](quotas.md)   | 
|  Know which AWS Regions are supported for this solution.  |   [Supported AWS Regions](plan-your-deployment.md#regional-deployments)   | 
|  View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution.  |   [AWS CloudFormation template](aws-cloudformation-template.md)   | 
|  Deploy this solution in a configuration that supports a specific Region or industry.  |   [Landing Zone Accelerator on AWS solution page](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/)   | 
|  Know how to troubleshoot common deployment errors.  |   [Troubleshooting](troubleshooting.md)   | 
|  Use AWS Support to help you deploy, use, or troubleshoot the solution.  |   [AWS Support](contact-aws-support.md)   | 
|  Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution.  |   [GitHub repository](https://github.com/awslabs/landing-zone-accelerator-on-aws)   | 

This guide is intended for solution architects, business decision makers, DevOps engineers, data scientists, and cloud professionals who want to implement the Landing Zone Accelerator on AWS solution in their environment.

**Important**  
This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated. The information contained in this solution implementation guide is not exhaustive. You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to ensure that you comply with all requirements. Although this solution discusses both the technical and administrative requirements, this solution does not help you comply with the non-technical administrative requirements.

# Use cases


You can use configurations of this solution to support alignment with the following Regions and industries (see the [Landing Zone Accelerator on AWS page](https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/) for more information):
+ AWS opt-in Regions
+ Country guidelines:
  + Canadian Centre for Cyber Security (CCCS) Cloud Medium
  + United Kingdom (UK) National Cyber Security Centre (NCSC)
  + United States (US) Federal and Department of Defense (DoD)
+ Industries:
  + Education
  + Elections
  + Finance (tax)
  + Healthcare
  + National Security, Defense, and National Law Enforcement
  + US aerospace
  + US state and local government Central IT

# Concepts and definitions


This section describes key concepts and defines terminology specific to this solution.

 **AWSAccelerator** and **aws-accelerator** 

As of version 1.4.0, this solution allows for a user-defined resource name prefix in the [Installer stack parameters](step-1.-launch-the-stack.md). This guide uses the default prefix values `AWSAccelerator` and `aws-accelerator` for the named resources it describes. If you input a custom prefix, your solution-deployed CloudFormation stacks and Amazon S3 buckets use your custom prefix value.

 **landing zone** 

A cloud environment that offers a recommended starting point—including default accounts, account structure, core networking infrastructure, and security configurations. Using a landing zone as a foundation, you can deploy your mission-critical application workloads and solutions across a centrally-governed multi-account environment.

 **Installer pipeline (`AWSAccelerator-Installer`)** 

Deploys an installer that, in turn, deploys the solution’s core features. Because this installer functions separately from the Core pipeline, you can update to future versions of the solution with a single parameter through the AWS CloudFormation console.

 **Core pipeline (`AWSAccelerator-Pipeline`)** 

Deploys the solution’s core features.

**Note**  
For a general reference of AWS terms, see the [AWS Glossary](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html).