Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Step 2: Launch your landing zone

PDF
RSS
Focus mode
Step 2: Launch your landing zone - AWS Control Tower

The AWS Control Tower CreateLandingZone API requires a landing zone version and a landing zone manifest file as input parameters. You can use the AWS Control Tower landing zone manifest file to configure the following features:

After compiling your manifest file, you're ready to create a new landing zone.

For more information about what's in the manifest file, see View the details of your landing zone manifest file.

For more information about landing zone schemas that apply to the landing zone manifest file, see Landing zone schemas.

Note

AWS Control Tower does not support the Region deny control when using APIs to configure and launch a landing zone. After successfully launching your landing zone using APIs, you can use the AWS Control Tower console to Configure the Region deny control.

  1. Call the AWS Control Tower CreateLandingZone API. This API requires a landing zone version and a landing zone manifest file as input. 

    aws controltower create-landing-zone --landing-zone-version 3.3 --manifest "file://LandingZoneManifest.json"

    For more detail about the contents of the landing zone manifest file, see View the details of your landing zone manifest file.

    The following example shows a LandingZoneManifest.json manifest, which includes settings for governed Regions and centralized logging: 

    {
   "governedRegions": ["us-west-2","us-west-1"],
   "organizationStructure": {
       "security": {
           "name": "CORE"
       },
       "sandbox": {
           "name": "Sandbox"
       }
   },
   "centralizedLogging": {
        "accountId": "222222222222",
        "configurations": {
            "loggingBucket": {
                "retentionDays": 60
            },
            "accessLoggingBucket": {
                "retentionDays": 60
            },
            "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
        },
        "enabled": true
   },
   "securityRoles": {
        "accountId": "333333333333"
   },
   "accessManagement": {
        "enabled": true
   }
}
    Note

    As shown in the example, the AccountId for the CentralizedLogging and SecurityRoles accounts must be different.

    The following example shows a LandingZoneManifest.json manifest file, which includes settings for backup and centralized logging: 

    {
        "landingZoneIdentifier": "LANDING ZONE ARN",
        "manifest": {
            "accessManagement": {
                "enabled": true
            },
            "securityRoles": {
                "accountId": "333333333333"
            },
            "backup": {
                "configurations": {
                    "centralBackup": {
                        "accountId": "CENTRAL BACKUP ACCOUNT ID"
                    },
                    "backupAdmin": {
                        "accountId": "BACKUP MANAGER ACCOUNT ID"
                    },
                    "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
                },
                "enabled": true
            },
            "governedRegions": [
                "us-west-1"
            ],
            "organizationStructure": {
                "sandbox": {
                    "name": "Sandbox"
                },
                "security": {
                    "name": "Security"
                }
            },
            "centralizedLogging": {
                "accountId": "222222222222",
                "configurations": {
                    "loggingBucket": {
                        "retentionDays": 365
                    },
                    "accessLoggingBucket": {
                        "retentionDays": 3650
                    }
                },
                "enabled": true
            }
        },
        "version": "3.3"
}

    Output: 

    {
   "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
   "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"
}

  2. Call the GetLandingZoneOperation API to check the status of the CreateLandingZone operation. The GetLandingZoneOperation API returns a status of SUCCEEDED, FAILED, or IN_PROGRESS. 

    aws controltower get-landing-zone-operation --operation-identifier "55XXXXXX-eXXX-4XXX-aXXX-44XXXXXXXXXX"

    Output: 

    {
    "operationDetails": {
        "operationType": "CREATE",
        "startTime": "Thu Nov 09 20:39:19 UTC 2023",
        "endTime": "Thu Nov 09 21:02:01 UTC 2023",
        "status": "SUCCEEDED"
    }
}

  3. When the status returns as SUCCEEDED, you can call the GetLandingZone API to review the landing zone configuration. 

    aws controltower get-landing-zone --landing-zone-identifier "arn:aws:controltower:us-west-2:123456789123:landingzone/1A2B3C4D5E6F7G8H"

    Output: 

    {
    "landingZone": {
        "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
        "driftStatus": {
            "status": "IN_SYNC"
        },
        "latestAvailableVersion": "3.3",
        "manifest": {
            "accessManagement": {
                "enabled": true
            },
            "securityRoles": {
                "accountId": "333333333333"
            },
            "governedRegions": [
                "us-west-1",
                "eu-west-3",
                "us-west-2"
            ],
            "organizationStructure": {
                "sandbox": {
                    "name": "Sandbox"
                },
                "security": {
                    "name": "Security"
                }
            },
            "centralizedLogging": {
                "accountId": "222222222222",
                "configurations": {
                    "loggingBucket": {
                        "retentionDays": 60
                    },
                    "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX",
                    "accessLoggingBucket": {
                        "retentionDays": 60
                    }
                },
                "enabled": true
            }
        },
        "status": "PROCESSING",
        "version": "3.3"
    }
}
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.