Opt-in Regions
We built the opt-in Region configuration to help customers use the Landing Zone Accelerator on AWS solution in opt-in Regions.
Note
Not all AWS services are available in all Regions, including the AWS opt-in Regions. We update our AWS Regional Services
You must initially launch Landing Zone Accelerator on AWS in a Region where AWS CodeCommit, AWS CodeBuild, and AWS CodePipeline are available. This deploys the default resources depicted in the Architecture overview.
The following installation instructions leverage opt-in AWS Regions. Following these instructions deploys the default resources into the management account for items 1–8 of the architecture diagram. Items 9–10 of the architecture diagram, centralized logging and workload accounts, deploy in the opt-in (target) AWS Region.
Note
While the Landing Zone Accelerator on AWS solution can help you align with frameworks and best practices, customers are responsible for their own security and compliance practices.
Prerequisites
To launch the Landing Zone Accelerator on AWS solution into opt-in AWS Regions, verify that the user who launches the solution can:
- Perform IAM administration tasks
Architecture
Deployment
Using an opt-in Region as the target Region
Deploying this solution with the default parameters builds the environment depicted in the previous figure. The default parameters use the Home Region for the Landing Zone Accelerator on AWS Core pipeline and the Target Region for centralized logging.
Step 1. Deploy the solution in your AWS Management account
- Identify the Home Region that you want to use. This Region must have Amazon S3, CodeBuild, and CodePipeline availability.
Note
Two main factors contribute to which Region to select as your Home Region: latency and cost. Choosing an AWS Region with close proximity to your user base location can achieve lower network latency. AWS services are priced differently from one Region to another.
- Prepare for an AWS Organizations based installation (without AWS Control Tower). Use the following notes to guide you:
  - For a new environment, set up AWS Organizations.
  - Create a LogArchive account and an Audit/Security Tooling account.
  - Create a Security OU and Infrastructure OU.
- Set up Landing Zone Accelerator on AWS in your AWS standard account.
Step 2. Allow your desired opt-in AWS Regions for all accounts
- Sign in to your management account.
- Allow the Regions you want to use.
Note
When you allow a Region, AWS prepares your account in that Region, such as by distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but it can take several hours. You can't use the Region until this process is complete.
- Log in to the LogArchive and Audit/Security Tooling accounts and repeat the steps above to allow the opt-in Regions that you want to use.
Step 3. Update the configuration file in your AWS Management account
- Using your management account, update the global-config.yaml file to list the new Region under the enabledRegions option, as shown in the following sample. In the sample, Europe (London) (eu-west-2) is the home Region and Middle East (Bahrain) (me-south-1) is the opt-in (target) Region:

    homeRegion: eu-west-2
    enabledRegions:
      - eu-west-2
      - me-south-1

- Using your management account, update the global-config.yaml file to list the opt-in Region under the centralizedLoggingRegion option, as shown in the following sample:

    logging:
      account: LogArchive
      centralizedLoggingRegion: me-south-1
      cloudtrail:
        enable: true
        organizationTrail: true
        organizationTrailSettings:
          multiRegionTrail: true
          globalServiceEvents: true
          managementEvents: true
          s3DataEvents: true
          lambdaDataEvents: true
          sendToCloudWatchLogs: true
          apiErrorRateInsight: false
          apiCallRateInsight: false
        accountTrails: []
        lifecycleRules: []
      sessionManager:
        sendToCloudWatchLogs: false
        sendToS3: false
        excludeRegions: []
        excludeAccounts: []
        lifecycleRules: []
        attachPolicyToIamRoles: []

- After you commit the change, confirm that the pipeline runs successfully.
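As an added pre-commit check (example code, not part of the Landing Zone Accelerator project), the script below validates the two Step 3 edits in a parsed global-config.yaml (homeRegion and centralizedLoggingRegion must both appear under enabledRegions) before the commit that starts the pipeline, and lists the enabled Regions that are opt-in Regions and so must be allowed in each account per Step 2. The hard-coded opt-in Region list, the sample config and the function names are assumptions; the YAML layout matches the samples above.

```python
# Added example, not LZA project code. Checks the Step 3 edits to global-config.yaml
# before the commit that starts the pipeline, and lists which enabled Regions are
# opt-in Regions that Step 2 requires you to allow in each account first.

# Snapshot of AWS opt-in Regions at the time of writing (an assumption; keep current).
OPT_IN_REGIONS = frozenset({
    "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
    "ca-west-1", "eu-south-1", "eu-south-2", "eu-central-2", "il-central-1",
    "me-south-1", "me-central-1",
})


def check_region_config(cfg: dict) -> list[str]:
    """Return the problems found in a parsed global-config.yaml (empty list if OK)."""
    problems = []
    home = cfg.get("homeRegion")
    enabled = cfg.get("enabledRegions") or []
    logging_region = (cfg.get("logging") or {}).get("centralizedLoggingRegion")
    if not home:
        problems.append("homeRegion is not set")
    elif home not in enabled:
        problems.append(f"homeRegion {home} is missing from enabledRegions")
    if not logging_region:
        problems.append("logging.centralizedLoggingRegion is not set")
    elif logging_region not in enabled:
        problems.append(
            f"centralizedLoggingRegion {logging_region} is missing from enabledRegions")
    return problems


def opt_in_regions_to_allow(cfg: dict) -> list[str]:
    """Enabled Regions that are opt-in Regions and must be allowed in each account."""
    return sorted(r for r in cfg.get("enabledRegions") or [] if r in OPT_IN_REGIONS)


def check_file(path: str) -> list[str]:
    """Load a real global-config.yaml with PyYAML and run the checks on it."""
    import yaml  # PyYAML; imported here so the checks above also work without it
    with open(path, encoding="utf-8") as fh:
        return check_region_config(yaml.safe_load(fh))


# Constructed sample mirroring the page's snippets: eu-west-2 home, me-south-1 target.
SAMPLE_CONFIG = {
    "homeRegion": "eu-west-2",
    "enabledRegions": ["eu-west-2", "me-south-1"],
    "logging": {"account": "LogArchive", "centralizedLoggingRegion": "me-south-1"},
}
```

Run check_file("global-config.yaml") against your repository copy; an empty list means the Region settings are consistent, and opt_in_regions_to_allow tells you which Regions still need the Step 2 allow action before the pipeline can deploy into them.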