Landing zone schemas
A landing zone is an AWS resource, which is created by means of schemas. Each AWS Control Tower landing zone version has a unique schema.
The schemas for AWS Control Tower landing zones, version 3.0 and newer, are published in this reference section, to assist you in choosing a compatible version.
Note
A known issue regarding unneccessary access logging is present in landing zone version 3.0. The issue is addressed in landing zone version 3.1. For more information about the changes, see AWS Control Tower landing zone version 3.1.
Landing zone 3.1 schema
{ "type": "object", "required": [ "centralizedLogging", "organizationStructure", "securityRoles" ], "properties": { "accessManagement": { "$ref": "#/definitions/AccessManagement" }, "backup": { "$ref": "#/definitions/Backup" }, "centralizedLogging": { "$ref": "#/definitions/CentralizedLogging" }, "governedRegions": { "type": "array", "items": { "type": "string", "maxLength": 24, "minLength": 1, "pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$", "additionalProperties": false }, "additionalProperties": false }, "organizationStructure": { "$ref": "#/definitions/OrganizationStructure" }, "securityRoles": { "$ref": "#/definitions/SecurityRoles" } }, "additionalProperties": false, "definitions": { "AccessManagement": { "type": "object", "required": [ "enabled" ], "properties": { "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "Backup": { "type": "object", "properties": { "configurations": { "$ref": "#/definitions/BackupConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": false } }, "additionalProperties": false, "if": { "properties": { "enabled": { "const": true } } }, "then": { "required": [ "configurations" ] } }, "BackupAdminConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "BackupConfigurations": { "type": "object", "required": [ "backupAdmin", "centralBackup", "kmsKeyArn" ], "properties": { "backupAdmin": { "$ref": "#/definitions/BackupAdminConfigurations" }, "centralBackup": { "$ref": "#/definitions/CentralBackupConfigurations" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false } }, "additionalProperties": false }, "CentralBackupConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "CentralizedLogging": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false }, "configurations": { "$ref": "#/definitions/LoggingConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "LoggingConfigurations": { "type": "object", "properties": { "accessLoggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false }, "loggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" } }, "additionalProperties": false }, "OrganizationalUnit": { "type": "object", "required": [ "name" ], "properties": { "name": { "type": "string", "maxLength": 120, "minLength": 1, "pattern": "^[\\s\\S]*$", "additionalProperties": false } }, "additionalProperties": false }, "OrganizationStructure": { "type": "object", "required": [ "security" ], "properties": { "sandbox": { "$ref": "#/definitions/OrganizationalUnit" }, "security": { "$ref": "#/definitions/OrganizationalUnit" } }, "additionalProperties": false }, "S3BucketConfiguration": { "type": "object", "properties": { "retentionDays": { "type": "number", "minimum": 1, "additionalProperties": false } }, "additionalProperties": false }, "SecurityRoles": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false } } }
Landing zone 3.2 schema
{ "type": "object", "required": [ "centralizedLogging", "organizationStructure", "securityRoles" ], "properties": { "accessManagement": { "$ref": "#/definitions/AccessManagement" }, "backup": { "$ref": "#/definitions/Backup" }, "centralizedLogging": { "$ref": "#/definitions/CentralizedLogging" }, "governedRegions": { "type": "array", "items": { "type": "string", "maxLength": 24, "minLength": 1, "pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$", "additionalProperties": false }, "additionalProperties": false }, "organizationStructure": { "$ref": "#/definitions/OrganizationStructure" }, "securityRoles": { "$ref": "#/definitions/SecurityRoles" } }, "additionalProperties": false, "definitions": { "AccessManagement": { "type": "object", "required": [ "enabled" ], "properties": { "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "Backup": { "type": "object", "properties": { "configurations": { "$ref": "#/definitions/BackupConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": false } }, "additionalProperties": false, "if": { "properties": { "enabled": { "const": true } } }, "then": { "required": [ "configurations" ] } }, "BackupAdminConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "BackupConfigurations": { "type": "object", "required": [ "backupAdmin", "centralBackup", "kmsKeyArn" ], "properties": { "backupAdmin": { "$ref": "#/definitions/BackupAdminConfigurations" }, "centralBackup": { "$ref": "#/definitions/CentralBackupConfigurations" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false } }, "additionalProperties": false }, "CentralBackupConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "CentralizedLogging": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false }, "configurations": { "$ref": "#/definitions/LoggingConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "LoggingConfigurations": { "type": "object", "properties": { "accessLoggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false }, "loggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" } }, "additionalProperties": false }, "OrganizationalUnit": { "type": "object", "required": [ "name" ], "properties": { "name": { "type": "string", "maxLength": 120, "minLength": 1, "pattern": "^[\\s\\S]*$", "additionalProperties": false } }, "additionalProperties": false }, "OrganizationStructure": { "type": "object", "required": [ "security" ], "properties": { "sandbox": { "$ref": "#/definitions/OrganizationalUnit" }, "security": { "$ref": "#/definitions/OrganizationalUnit" } }, "additionalProperties": false }, "S3BucketConfiguration": { "type": "object", "properties": { "retentionDays": { "type": "number", "minimum": 1, "additionalProperties": false } }, "additionalProperties": false }, "SecurityRoles": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false } } }
Landing zone 3.3 schema
{ "type": "object", "required": [ "centralizedLogging", "organizationStructure", "securityRoles" ], "properties": { "accessManagement": { "$ref": "#/definitions/AccessManagement" }, "backup": { "$ref": "#/definitions/Backup" }, "centralizedLogging": { "$ref": "#/definitions/CentralizedLogging" }, "governedRegions": { "type": "array", "items": { "type": "string", "maxLength": 24, "minLength": 1, "pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$", "additionalProperties": false }, "additionalProperties": false }, "organizationStructure": { "$ref": "#/definitions/OrganizationStructure" }, "securityRoles": { "$ref": "#/definitions/SecurityRoles" } }, "additionalProperties": false, "definitions": { "AccessManagement": { "type": "object", "required": [ "enabled" ], "properties": { "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "Backup": { "type": "object", "properties": { "configurations": { "$ref": "#/definitions/BackupConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": false } }, "additionalProperties": false, "if": { "properties": { "enabled": { "const": true } } }, "then": { "required": [ "configurations" ] } }, "BackupAdminConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "BackupConfigurations": { "type": "object", "required": [ "backupAdmin", "centralBackup", "kmsKeyArn" ], "properties": { "backupAdmin": { "$ref": "#/definitions/BackupAdminConfigurations" }, "centralBackup": { "$ref": "#/definitions/CentralBackupConfigurations" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false } }, "additionalProperties": false }, "CentralBackupConfigurations": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false }, "CentralizedLogging": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false }, "configurations": { "$ref": "#/definitions/LoggingConfigurations" }, "enabled": { "type": "boolean", "additionalProperties": false, "default": true } }, "additionalProperties": false }, "LoggingConfigurations": { "type": "object", "properties": { "accessLoggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" }, "kmsKeyArn": { "type": "string", "maxLength": 2048, "minLength": 1, "additionalProperties": false }, "loggingBucket": { "$ref": "#/definitions/S3BucketConfiguration" } }, "additionalProperties": false }, "OrganizationalUnit": { "type": "object", "required": [ "name" ], "properties": { "name": { "type": "string", "maxLength": 120, "minLength": 1, "pattern": "^[\\s\\S]*$", "additionalProperties": false } }, "additionalProperties": false }, "OrganizationStructure": { "type": "object", "required": [ "security" ], "properties": { "sandbox": { "$ref": "#/definitions/OrganizationalUnit" }, "security": { "$ref": "#/definitions/OrganizationalUnit" } }, "additionalProperties": false }, "S3BucketConfiguration": { "type": "object", "properties": { "retentionDays": { "type": "number", "minimum": 1, "additionalProperties": false } }, "additionalProperties": false }, "SecurityRoles": { "type": "object", "required": [ "accountId" ], "properties": { "accountId": { "type": "string", "maxLength": 12, "minLength": 12, "pattern": "^\\d{12}$", "additionalProperties": false } }, "additionalProperties": false } } }
