3. AWS Landing Zones
Customize your AWS Control Tower landing zone - AWS Control Tower
- Select customized names during setup
- Select AWS Regions
- You can set the Region Deny control to Enabled or Not enabled, and control user access to most AWS services in ungoverned AWS Regions.
- Customize by adding optional controls
- Strongly recommended and elective controls are optional, so you can customize the level of enforcement for your landing zone.
- Optional controls are not enabled by default.
- Customize your AWS CloudTrail trails
- Create customized member accounts in the console
Some customizations are not available through the AWS Control Tower console.
- Account Factory for Terraform
- Customizations for AWS Control Tower (CfCT) - this is not meant to create new accounts, but to customize the current accounts.
- Landing Zone Accelerator
CfCT
- https://aws.amazon.com/blogs/architecture/deploy-consistent-dns-with-aws-service-catalog-and-aws-control-tower-customizations/
- https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/guardduty/guardduty_org/customizations_for_aws_control_tower
- Additional code examples regarding CfCT are available as part of the AWS Security Reference Architecture, in the aws-samples repository. Many of these examples contain sample manifest.yaml files in a directory named customizations_for_aws_control_tower.
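A sketch of what a CfCT manifest.yaml looks like, added here as an example and not copied from the AWS samples. It applies one SCP and one CloudFormation stack set to existing OUs. The resource names, file paths, OU names, Regions and the parameter are assumptions.

```yaml
---
# Home Region of the Control Tower landing zone (assumed value).
region: us-east-1
# Manifest schema version used by CfCT.
version: 2021-03-15

resources:
  # Preventive control: attach a service control policy to existing OUs.
  # The policy file path and OU names are hypothetical.
  - name: deny-security-service-changes
    description: Block member accounts from disabling security services
    resource_file: policies/deny-security-service-changes.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads
        - Sandbox

  # Baseline resources: deploy a CloudFormation template as a stack set
  # into the accounts that already sit under the listed OUs.
  # CfCT customizes current accounts; it does not create new ones.
  - name: security-baseline-role
    resource_file: templates/security-baseline-role.template
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
    regions:
      - us-east-1
      - eu-west-1
    parameters:
      # Hypothetical template parameter.
      - parameter_key: AuditAccountId
        parameter_value: "111122223333"
```

Keep the regions list in line with the Regions the landing zone governs, since a stack set instance in a Region blocked by the Region Deny control will fail to deploy.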