Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Profile: ADVANCED Compliance: FEDRAMP_MODERATE, FEDRAMP_HIGH, NIST_800_53
This is an LZA-only Landing Zone — AWS Control Tower + Landing Zone Accelerator (LZA) YAML configuration. The tree below lists every file generated for this configuration.
.
├── README.md (this file)
├── DEPLOYMENT_GUIDE.md Step-by-step deploy runbook for the LZA pipeline
├── architecture.mmd Mermaid diagram of the landing zone topology
├── PLACEHOLDERS.md (only present if PLACEHOLDER_* tokens were emitted)
├── aws-lza/ Format 1: AWS Control Tower + Landing Zone Accelerator (YAML)
│ ├── global-config.yaml
│ ├── accounts-config.yaml
│ ├── organization-config.yaml
│ ├── iam-config.yaml
│ ├── network-config.yaml
│ ├── security-config.yaml
│ ├── customizations-config.yaml
│ └── service-control-policies/, kms/, vpc-endpoint-policies/ (supporting JSON)
| Setting | Value |
|---|---|
| Organization name | Acme Agency |
| Primary contact | my1mail@acme.gov |
| Security contact | my2mail@acme.gov |
| Billing contact | my3mail@acme.gov |
| Home region | us-west-1 |
| Enabled regions | us-east-1, us-east-2, us-west-1, us-west-2 |
| Profile | advanced (enterprise) |
| Compliance | fedramp_moderate, fedramp_high, nist_800_53 |
| LZA version | 1.14.x |
| Name | Purpose | OU |
|---|---|---|
| Management | AWS Organizations payer + LZA control plane | Root |
| LogArchive | Central log archive (CloudTrail org trail, Config) | Security |
| Audit | Security tooling delegated administrator | Security |
| SharedServices | DNS resolver endpoints, golden AMIs, etc. | Infrastructure |
| Network | Central network hub (TGW, Direct Connect) | Infrastructure |
| Name | OU | Description |
|---|---|---|
| RegulatedWorkload | Workloads/Prod/Regulated | Dedicated CUI workload account — FedRAMP-High boundary, GovCloud-eligible services only, audit-flagged. |
| AppSandbox | Workloads/Sandbox | Application sandbox / experimentation |
| AppDev | Workloads/Dev | Application development |
| AppStaging | Workloads/Staging | Application staging / pre-prod |
| AppProd | Workloads/Prod | Application production |
| Sandbox | Workloads/Sandbox | Time-boxed experimentation account. |
| DrFailover | Workloads/Prod/DR | Disaster-recovery / warm-standby failover account. |
- Search and replace PLACEHOLDER_* tokens. The wizard could not infer real AWS account IDs, OU IDs, or some ARNs. See PLACEHOLDERS.md if present.
- Pre-create your AWS Organization with a Management account. LZA cannot bootstrap the org itself.
- Enable AWS Organizations trusted service access. From the management account, enable trusted access for each principal below (or confirm that AWS Control Tower already enabled it) before deploying:

  ```bash
  aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
  aws organizations enable-aws-service-access --service-principal config.amazonaws.com
  aws organizations enable-aws-service-access --service-principal controltower.amazonaws.com
  aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
  aws organizations enable-aws-service-access --service-principal securityhub.amazonaws.com
  aws organizations enable-aws-service-access --service-principal ram.amazonaws.com
  aws organizations enable-aws-service-access --service-principal sso.amazonaws.com
  aws organizations enable-aws-service-access --service-principal fms.amazonaws.com
  ```

  Skipping this breaks org-wide CloudTrail, the Config aggregator, GuardDuty / Security Hub org auto-enable, RAM sharing (Transit Gateway), IAM Identity Center, and Firewall Manager: they fail to deploy or silently no-op.

  And enable the organization policy types the zone uses:

  ```bash
  aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICY
  aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type TAG_POLICY
  ```

- Enable AWS IAM Identity Center in the management account if you want SSO permission sets to provision. Set the instance ARN in iam-config.yaml.
- Stand up the LZA pipeline (AWS Control Tower + the Landing Zone Accelerator installer) and point it at the aws-lza/ config; see DEPLOYMENT_GUIDE.md.
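Because a missing trusted-access principal or policy type fails silently rather than loudly, it is worth checking the organization state before running the pipeline. The script below is an added example (not part of the generated bundle or of the LZA installer): it reads the JSON returned by the real `aws organizations list-aws-service-access-for-organization` and `aws organizations list-roots` calls, compares it against the principals and policy types named in the checklist above, and prints the exact enable commands still missing. The AWS CLI is only invoked under the `__main__` guard; the checking functions run offline on the constructed sample output embedded in the file (the root id `r-abcd` is made up).

```python
"""Preflight for the pre-deploy checklist: added example code, not part of the
generated bundle or the LZA installer. Only the __main__ block calls the AWS
CLI; everything else runs offline on constructed sample output."""
import json
import subprocess

# Service principals listed in the checklist above.
REQUIRED_PRINCIPALS = (
    "cloudtrail.amazonaws.com", "config.amazonaws.com",
    "controltower.amazonaws.com", "guardduty.amazonaws.com",
    "securityhub.amazonaws.com", "ram.amazonaws.com",
    "sso.amazonaws.com", "fms.amazonaws.com",
)
# Organization policy types the zone uses.
REQUIRED_POLICY_TYPES = ("SERVICE_CONTROL_POLICY", "TAG_POLICY")

# Constructed sample output (not from a real organization). The shape follows
# `aws organizations list-aws-service-access-for-organization` and `list-roots`.
SAMPLE_ACCESS = json.dumps({"EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
    {"ServicePrincipal": "controltower.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
    {"ServicePrincipal": "sso.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
]})
SAMPLE_ROOTS = json.dumps({"Roots": [{
    "Id": "r-abcd", "Name": "Root",  # constructed root id
    "PolicyTypes": [{"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"}],
}]})


def missing_service_principals(list_access_json, required=REQUIRED_PRINCIPALS):
    """Required principals absent from list-aws-service-access-for-organization."""
    doc = json.loads(list_access_json)
    enabled = {e["ServicePrincipal"] for e in doc.get("EnabledServicePrincipals", [])}
    return sorted(p for p in required if p not in enabled)


def missing_policy_types(list_roots_json, required=REQUIRED_POLICY_TYPES):
    """Root id -> required policy types whose Status is not ENABLED (from list-roots).
    A type that is absent or still PENDING_ENABLE both count as not enabled."""
    doc = json.loads(list_roots_json)
    gaps = {}
    for root in doc.get("Roots", []):
        enabled = {pt["Type"] for pt in root.get("PolicyTypes", [])
                   if pt.get("Status") == "ENABLED"}
        gaps[root["Id"]] = sorted(t for t in required if t not in enabled)
    return gaps


def remediation_commands(principals, policy_gaps):
    """The exact CLI calls that close the gaps; nothing is executed here."""
    cmds = [f"aws organizations enable-aws-service-access --service-principal {p}"
            for p in principals]
    for root_id, types in policy_gaps.items():
        cmds += [f"aws organizations enable-policy-type --root-id {root_id} --policy-type {t}"
                 for t in types]
    return cmds


def preflight(list_access_json, list_roots_json):
    """Return (ok, commands): ok is True only when nothing is missing."""
    cmds = remediation_commands(missing_service_principals(list_access_json),
                                missing_policy_types(list_roots_json))
    return (len(cmds) == 0, cmds)


def _aws(*args):
    """Run a read-only AWS CLI call; needs management-account credentials."""
    proc = subprocess.run(["aws", "organizations", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    ok, cmds = preflight(_aws("list-aws-service-access-for-organization"),
                         _aws("list-roots"))
    print("preflight OK" if ok else "\n".join(cmds))
```

Run it from the management account before the pipeline; an empty command list means every principal and policy type the zone depends on is already enabled. Both `enable-*` calls are idempotent, so re-running the printed commands on an already-enabled principal is harmless.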
This zone is configured to meet the requirements of:
- FedRAMP Moderate
- FedRAMP High
- NIST 800-53
Specific controls applied:
- CloudTrail organization trail with KMS-CMK encryption and log file validation
- AWS Config recorder + aggregator delegated to the Audit account
- GuardDuty with auto_enable = true for all organization members
- Security Hub with framework-aligned standards subscriptions
- IAM password policy: min length 14, rotation every 90 days
- KMS CMKs with auto-rotation every 365 days
- Object Lock on the central log archive bucket (when FedRAMP / SOX is in scope)
- S3 default encryption + SSL-only bucket policies
- VPC Flow Logs on every VPC, all-traffic, with CloudWatch + S3 destinations
This zone was authored by Merlin Studio v2, which uses a compile-AI approach. LLMs were used at design time to encode AWS best-practice patterns, compliance-framework requirements, and discovery-driven defaults into a static rules engine. At generation time, every value in this bundle was derived deterministically from your discovery answers plus a layered rules engine; no LLM call happens during generation, so the same answers always produce the same artifact.
Deeper reading: "Compiled AI for GCP Landing Zones" → dev.to/boristep. The methodology is identical for the AWS pipeline.
Values in this spec come from up to five layers, with later layers winning on conflict:
1. Schema defaults ← floor: a value exists for every field
2. Profile defaults ← simple / standard / advanced — broad shape
3. Compliance overlays ← HIPAA / CIS / PCI / FedRAMP add-ons (per framework)
4. Discovery overlays ← driven by YOUR answers (multi-region, encryption, ...)
5. User edits ← anything you typed in the wizard ALWAYS wins
Arrays append by name: a compliance overlay that adds a required account (e.g. PhiWorkload) to your workload_accounts inventory does not erase the accounts you selected. Scalars follow the layer order with one exception: discovery overlays overwrite profile defaults (the discovery answer is the more specific signal), compliance overlays only fill empty slots and never overwrite a value that is already set, and your saved values are merged last and override everything.
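To make the layering rules concrete, here is an executable model of the merge described above. It is an added example, not the wizard's own rules engine: it implements only the rules the text states (arrays append by name, discovery and user scalars overwrite, compliance scalars fill only empty slots) and returns, alongside the compiled spec, which layer last set each top-level field, which is what the trace tables below record. The sample layers, field names, the constructed FedRAMP overlay and the definition of an "empty slot" (None or empty string) are illustrative assumptions.

```python
"""Executable model of the five-layer merge: added example, not the wizard's
rules engine. Sample layers and the empty-slot definition are constructed."""
from copy import deepcopy

LAYER_ORDER = ("schema", "profile", "compliance", "discovery", "user")


def _is_empty(value):
    # Assumption: an "empty slot" is None or an empty string.
    return value is None or value == ""


def merge_scalar(layer, current, incoming):
    """Later layers win, except a compliance overlay only fills an empty slot."""
    if layer == "compliance" and not _is_empty(current):
        return current
    return incoming


def _named_list(items):
    return isinstance(items, list) and all(isinstance(i, dict) and "name" in i for i in items)


def merge_named_list(layer, current, incoming):
    """Append by name: known entries are updated field-wise, new ones are appended."""
    by_name = {item["name"]: deepcopy(item) for item in current}
    for item in incoming:
        if item["name"] in by_name:
            by_name[item["name"]] = merge_dicts(layer, by_name[item["name"]], item)
        else:
            by_name[item["name"]] = deepcopy(item)
    return list(by_name.values())


def merge_dicts(layer, current, incoming):
    """Recursive merge of one layer into the spec built so far."""
    out = deepcopy(current)
    for key, value in incoming.items():
        cur = out.get(key)
        if isinstance(value, dict) and isinstance(cur, dict):
            out[key] = merge_dicts(layer, cur, value)
        elif _named_list(value) and _named_list(cur):
            out[key] = merge_named_list(layer, cur, value)
        else:
            out[key] = merge_scalar(layer, cur, value)
    return out


def compile_spec(layers):
    """Apply layers in order; return (spec, provenance) where provenance maps each
    top-level key to the layer that last changed it."""
    spec, provenance = {}, {}
    for layer in LAYER_ORDER:
        merged = merge_dicts(layer, spec, layers.get(layer, {}))
        for key in merged:
            if key not in spec or merged[key] != spec[key]:
                provenance[key] = layer
        spec = merged
    return spec, provenance


# Constructed sample layers for illustration only.
SAMPLE_LAYERS = {
    "schema": {"egress_model": "distributed", "log_retention_days": 90,
               "inspector_enabled": False, "object_lock": None,
               "secondary_region": None, "workload_accounts": []},
    "profile": {"log_retention_days": 365,
                "workload_accounts": [{"name": "AppDev", "ou": "Workloads/Dev"},
                                      {"name": "AppProd", "ou": "Workloads/Prod"}]},
    # Compliance overlay: adds an account and fills the empty object_lock slot,
    # but its log_retention_days loses to the already-filled profile value.
    "compliance": {"log_retention_days": 2555, "object_lock": True,
                   "workload_accounts": [{"name": "RegulatedWorkload",
                                          "ou": "Workloads/Prod/Regulated"}]},
    "discovery": {"egress_model": "centralized", "inspector_enabled": True,
                  "secondary_region": "us-east-1"},
    "user": {"log_retention_days": 400,
             "workload_accounts": [{"name": "AppDev", "ou": "Workloads/Dev",
                                    "email": "dev@acme.gov"}]},
}

if __name__ == "__main__":
    spec, prov = compile_spec(SAMPLE_LAYERS)
    for key in spec:
        print(f"{key:20} <- {prov[key]:10} {spec[key]}")
```

Running it shows the two behaviours the text calls out: the compliance overlay's RegulatedWorkload account is appended without touching AppDev or AppProd, while its log_retention_days value is discarded because the profile layer had already filled that slot; the user's later edit to the same scalar wins over everything.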
The wizard ran these overlays against your answers. Each entry is the rules-engine trace — what was added, why, and what triggered it.
| Section | Triggered by | Rationale |
|---|---|---|
| 02_account_hierarchy | FEDRAMP_HIGH | FedRAMP High requires workload isolation between CUI and non-CUI. A dedicated regulated-workload account scopes the boundary explicitly for the 3PAO. |
| 06_security_baseline | FEDRAMP_HIGH | |
| Section | Overlay | Triggered by | Rationale |
|---|---|---|---|
| 04_networking | multi_region_secondary_networking | multi_region_required=true | Multi-region answers (warm/active-active DR) require a second hub VPC + workloads VPC in the secondary region, a secondary regional Transit Gateway, and an inter-region TGW peering attachment. Without these, the spec declares warm-standby but is physically single-region, a direct contradiction the generators cannot recover from. |
| 04_networking | regulated_centralized_egress | compliance_requirements contains 'pci_dss' OR 'fedramp_moderate' OR 'fedramp_high' OR 'nist_800_53' OR 'eucs' | Boundary-control frameworks (PCI-DSS Req 1 NSCs, NIST 800-53 / FedRAMP SC-7, EUCS) require a controlled, inspected egress boundary. The egress model is set to centralized so spoke egress flows through the inspection VPC's AWS Network Firewall; the compliance overlay adds that inspection VPC. |
| 07_advanced_security | regulated_enables_inspector | compliance_requirements contains 'pci_dss' OR 'fedramp_moderate' OR 'fedramp_high' OR 'nist_800_53' OR 'eucs' | PCI-DSS 11.3.1 (internal vulnerability scanning) and NIST 800-53 / FedRAMP RA-5 require continuous vulnerability scanning. Amazon Inspector is the native control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Inspector-off for these frameworks. |
| 08_logging_monitoring | multi_region_enables_log_replication | multi_region_required=true | Multi-region DR needs the central log bucket replicated to the secondary region so a regional outage does not destroy the audit trail of last resort. |
| 10_backup_dr | multi_region_secondary_region | multi_region_required=true | Multi-region answers (warm/active-active DR) require AWS Backup to copy recovery points to the secondary region. Pre-filled from discovery.secondary_region so the user does not have to retype it. |
| 10_backup_dr | warm_or_active_standby_strengthens_backup | dr_requirements = 'warm_standby' OR dr_requirements = 'active_active' | Warm-standby / active-active DR strategies imply an org-level backup policy + vault lock so the secondary region can never lag. |
This trace is scoped to the overlays whose resources are emitted in this LZA bundle. Overlays that targeted application-layer sections (data platform, observability, EC2 fleet) also fired in the wizard but are not part of an LZA foundation config.
See DEPLOYMENT_GUIDE.md for the deploy-and-verify runbook for the LZA pipeline.