
Merlin-Studio/AWS-US-Federal-Agency-Example


Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

AWS Landing Zone — Acme Agency

Profile: ADVANCED Compliance: FEDRAMP_MODERATE, FEDRAMP_HIGH, NIST_800_53


What's in this repository

This is an LZA-only Landing Zone — AWS Control Tower + Landing Zone Accelerator (LZA) YAML configuration. The tree below lists every file generated for this configuration.

.
├── README.md                  (this file)
├── DEPLOYMENT_GUIDE.md        Step-by-step deploy runbook for the LZA pipeline
├── architecture.mmd           Mermaid diagram of the landing zone topology
├── PLACEHOLDERS.md            (only present if PLACEHOLDER_* tokens were emitted)
├── aws-lza/                   Format 1: AWS Control Tower + Landing Zone Accelerator (YAML)
│   ├── global-config.yaml
│   ├── accounts-config.yaml
│   ├── organization-config.yaml
│   ├── iam-config.yaml
│   ├── network-config.yaml
│   ├── security-config.yaml
│   ├── customizations-config.yaml
│   └── service-control-policies/, kms/, vpc-endpoint-policies/  (supporting JSON)

Quick facts

| Field             | Value                                        |
|-------------------|----------------------------------------------|
| Organization name | Acme Agency                                  |
| Primary contact   | my1mail@acme.gov                             |
| Security contact  | my2mail@acme.gov                             |
| Billing contact   | my3mail@acme.gov                             |
| Home region       | us-west-1                                    |
| Enabled regions   | us-east-1, us-east-2, us-west-1, us-west-2   |
| Profile           | advanced (enterprise)                        |
| Compliance        | fedramp_moderate, fedramp_high, nist_800_53  |
| LZA version       | 1.14.x                                       |

Account inventory

Mandatory accounts (LZA-required)

| Name           | Purpose                                            | OU             |
|----------------|----------------------------------------------------|----------------|
| Management     | AWS Organizations payer + LZA control plane        | Root           |
| LogArchive     | Central log archive (CloudTrail org trail, Config) | Security       |
| Audit          | Security tooling delegated administrator           | Security       |
| SharedServices | DNS resolver endpoints, golden AMIs, etc.          | Infrastructure |
| Network        | Central network hub (TGW, Direct Connect)          | Infrastructure |

Workload accounts

| Name              | OU                       | Description                                                                                                    |
|-------------------|--------------------------|----------------------------------------------------------------------------------------------------------------|
| RegulatedWorkload | Workloads/Prod/Regulated | Dedicated CUI workload account: FedRAMP-High boundary, GovCloud-eligible services only, audit-flagged.          |
| AppSandbox        | Workloads/Sandbox        | Application sandbox / experimentation                                                                          |
| AppDev            | Workloads/Dev            | Application development                                                                                        |
| AppStaging        | Workloads/Staging        | Application staging / pre-prod                                                                                 |
| AppProd           | Workloads/Prod           | Application production                                                                                         |
| Sandbox           | Workloads/Sandbox        | Time-boxed experimentation account.                                                                            |
| DrFailover        | Workloads/Prod/DR        | Disaster-recovery / warm-standby failover account.                                                             |

Before you deploy

  1. Search and replace PLACEHOLDER_ tokens. The wizard could not infer real AWS account IDs, OU IDs, or some ARNs. See PLACEHOLDERS.md if present.
  2. Pre-create your AWS Organization with a Management account. LZA cannot bootstrap the org itself.
  3. Enable AWS Organizations trusted service access. From the management account, enable trusted access for each principal below, or confirm AWS Control Tower already has, before deploying:
    aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
    aws organizations enable-aws-service-access --service-principal config.amazonaws.com
    aws organizations enable-aws-service-access --service-principal controltower.amazonaws.com
    aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
    aws organizations enable-aws-service-access --service-principal securityhub.amazonaws.com
    aws organizations enable-aws-service-access --service-principal ram.amazonaws.com
    aws organizations enable-aws-service-access --service-principal sso.amazonaws.com
    aws organizations enable-aws-service-access --service-principal fms.amazonaws.com
    Because the 10_backup_dr overlay emits an organization-level backup policy, AWS Backup needs trusted access as well:
    aws organizations enable-aws-service-access --service-principal backup.amazonaws.com
    Then enable the organization policy types the zone uses:
    aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type SERVICE_CONTROL_POLICY
    aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type TAG_POLICY
    aws organizations enable-policy-type --root-id <ROOT_ID> --policy-type BACKUP_POLICY
    <ROOT_ID> comes from aws organizations list-roots, whose output also reports the Status of each policy type on the root (a type is usable only once it is ENABLED, not PENDING_ENABLE). aws organizations list-aws-service-access-for-organization lists the principals already enabled, so you can confirm the state before and after. Skipping this breaks org-wide CloudTrail, the Config aggregator, GuardDuty / Security Hub org auto-enable, RAM sharing (Transit Gateway), IAM Identity Center, Firewall Manager and the org backup policy: they fail to deploy or silently no-op.
  4. Enable AWS IAM Identity Center in the management account if you want SSO permission sets to provision. Set the instance ARN in iam-config.yaml.
  5. Stand up the LZA pipeline (AWS Control Tower + the Landing Zone Accelerator installer) and point it at the aws-lza/ config. See DEPLOYMENT_GUIDE.md.
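The trusted-access and policy-type checks in step 3 are easy to get half right (a principal enabled by Control Tower, a policy type left in PENDING_ENABLE), so here is a pre-flight script that diffs what the organization reports against what this zone needs and prints the exact commands still missing. It is an added example, not part of the Merlin Studio bundle. It assumes Python 3.9+; with `--live` it shells out to the aws CLI with management-account credentials, otherwise it runs against the constructed sample responses embedded below. Including backup.amazonaws.com and BACKUP_POLICY is an assumption based on the org-level backup policy that the 10_backup_dr overlay emits.

```python
"""Pre-flight check for the AWS Organizations prerequisites in "Before you deploy".

Added example, not Merlin Studio code. Compares the service principals and
policy types the landing zone needs with what the organization has enabled
and returns the aws CLI commands that are still missing. The two input
documents have the shape of `aws organizations
list-aws-service-access-for-organization` and `aws organizations list-roots`.
"""
import json
import subprocess
import sys

# Principals and policy types from step 3. backup.amazonaws.com and
# BACKUP_POLICY are assumed, because the backup overlay emits an org-level
# backup policy that cannot attach without them.
REQUIRED_PRINCIPALS = (
    "cloudtrail.amazonaws.com", "config.amazonaws.com",
    "controltower.amazonaws.com", "guardduty.amazonaws.com",
    "securityhub.amazonaws.com", "ram.amazonaws.com",
    "sso.amazonaws.com", "fms.amazonaws.com", "backup.amazonaws.com",
)
REQUIRED_POLICY_TYPES = ("SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY")


def missing_prerequisites(service_access: dict, roots: dict) -> list[str]:
    """Return the aws CLI commands still needed, in the order to run them."""
    enabled = {p["ServicePrincipal"]
               for p in service_access.get("EnabledServicePrincipals", [])}
    cmds = [f"aws organizations enable-aws-service-access --service-principal {p}"
            for p in REQUIRED_PRINCIPALS if p not in enabled]
    for root in roots.get("Roots", []):
        # A policy type only counts when its Status is ENABLED on the root;
        # PENDING_ENABLE or absent both mean it still has to be enabled.
        active = {t["Type"] for t in root.get("PolicyTypes", [])
                  if t.get("Status") == "ENABLED"}
        cmds += [f"aws organizations enable-policy-type --root-id {root['Id']} "
                 f"--policy-type {t}"
                 for t in REQUIRED_POLICY_TYPES if t not in active]
    return cmds


def _cli_json(*args: str) -> dict:
    """Run one aws organizations subcommand from the management account."""
    out = subprocess.check_output(["aws", "organizations", *args, "--output", "json"])
    return json.loads(out)


# Constructed sample responses (not real API output): Control Tower already
# turned on three principals and SCPs, tag policies are still pending.
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
    {"ServicePrincipal": "controltower.amazonaws.com", "DateEnabled": "2024-01-01T00:00:00Z"},
]}
SAMPLE_ROOTS = {"Roots": [{
    "Id": "r-examp",  # constructed root id
    "Arn": "arn:aws:organizations::111122223333:root/o-example/r-examp",
    "Name": "Root",
    "PolicyTypes": [
        {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
        {"Type": "TAG_POLICY", "Status": "PENDING_ENABLE"},
    ],
}]}

if __name__ == "__main__":
    if "--live" in sys.argv:  # query the real organization
        access = _cli_json("list-aws-service-access-for-organization")
        roots = _cli_json("list-roots")
    else:                     # offline run against the constructed sample
        access, roots = SAMPLE_SERVICE_ACCESS, SAMPLE_ROOTS
    todo = missing_prerequisites(access, roots)
    print("\n".join(todo) if todo else "all organization prerequisites present")
    sys.exit(1 if todo else 0)
```

Run it once before the pipeline and once after your changes; a non-zero exit with an empty command list is the state you want before starting the LZA installer.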

Compliance posture

This zone is configured to meet the requirements of:

  • FedRAMP Moderate
  • FedRAMP High
  • NIST SP 800-53

Specific controls applied:

  • CloudTrail organization trail with KMS CMK encryption and log file validation (digest files) enabled
  • AWS Config recorder in every account, with the aggregator delegated to the Audit account
  • GuardDuty with auto_enable = true, so every current and future org member is covered
  • Security Hub with framework-aligned standards subscriptions
  • IAM password policy: minimum length 14, maximum password age 90 days
  • KMS CMKs with automatic key rotation every 365 days
  • Object Lock on the central log archive bucket (when FedRAMP / SOX is in scope)
  • S3 default encryption, plus bucket policies that deny any request made without TLS (aws:SecureTransport = false)
  • VPC Flow Logs on every VPC, capturing all traffic, delivered to both CloudWatch Logs and S3

How this Landing Zone was generated

This zone was authored by Merlin Studio v2, which uses a compile-AI approach. LLMs were used at design time to encode AWS best-practice patterns, compliance-framework requirements, and discovery-driven defaults into a static rules engine. At generation time, every value below was derived deterministically from your discovery answers plus that layered rules engine; no LLM call happens during generation, so the same answers always produce the same artifact.

Deeper reading: "Compiled AI for GCP Landing Zones" → dev.to/boristep. The methodology is identical for the AWS pipeline.

The layer model

Values in this spec come from up to five layers, with later layers winning on conflict (subject to the scalar rules described after the list):

1. Schema defaults       ← floor: a value exists for every field
2. Profile defaults      ← simple / standard / advanced — broad shape
3. Compliance overlays   ← HIPAA / CIS / PCI / FedRAMP add-ons (per framework)
4. Discovery overlays    ← driven by YOUR answers (multi-region, encryption, ...)
5. User edits            ← anything you typed in the wizard ALWAYS wins

Arrays append by name: a compliance overlay that adds a required account (e.g. PhiWorkload) to your workload_accounts inventory does not erase the accounts you selected. Scalars are handled per layer: discovery overlays overwrite profile defaults (the discovery answer is the more specific signal), compliance overlays only fill slots that are still empty, and your saved values are merged last and override everything.
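The merge rules above determine what actually lands in the YAML, so it is worth seeing them as code. The block below is an added worked example written for this page, not Merlin Studio's rules engine (which is not published here). It implements exactly the stated semantics: named-array append, compliance overlays that fill only empty scalars, discovery overlays that overwrite profile defaults, and user edits that win unconditionally, and it hashes the result to show the determinism claim. All field names, layer contents and values are constructed for illustration.

```python
"""Layered merge as described in "The layer model" (added example, not the
Merlin Studio engine). Layers are applied in order: schema floor, profile,
compliance overlays, discovery overlay, user edits.
"""
from copy import deepcopy
import hashlib
import json

# A scalar slot counts as "empty" for the compliance-overlay rule when it
# holds one of these values.
EMPTY = (None, "", [], {})


def _merge_arrays(base: list, overlay: list) -> list:
    """Append overlay entries by name; an entry whose name exists is kept as-is."""
    merged = deepcopy(base)
    names = {e.get("name") if isinstance(e, dict) else e for e in merged}
    for entry in overlay:
        key = entry.get("name") if isinstance(entry, dict) else entry
        if key not in names:
            merged.append(deepcopy(entry))
            names.add(key)
    return merged


def merge_layer(base: dict, overlay: dict, layer: str) -> dict:
    """Apply one layer ('profile', 'compliance', 'discovery' or 'user') on top of base."""
    out = deepcopy(base)
    for key, value in overlay.items():
        current = out.get(key)
        if isinstance(value, dict) and isinstance(current, dict):
            out[key] = merge_layer(current, value, layer)     # recurse into nested maps
        elif isinstance(value, list) and isinstance(current, list):
            out[key] = _merge_arrays(current, value)          # arrays always append by name
        elif layer == "compliance" and current not in EMPTY:
            continue                                          # compliance fills only empty scalars
        else:
            out[key] = deepcopy(value)                        # profile/discovery/user overwrite
    return out


def compile_spec(schema: dict, profile: dict, compliance_overlays: list,
                 discovery: dict, user: dict) -> dict:
    spec = merge_layer(deepcopy(schema), profile, "profile")
    for overlay in compliance_overlays:                      # one overlay per framework
        spec = merge_layer(spec, overlay, "compliance")
    spec = merge_layer(spec, discovery, "discovery")
    return merge_layer(spec, user, "user")                   # user edits always win


def spec_digest(spec: dict) -> str:
    """Canonical hash of a compiled spec; equal inputs must give equal digests."""
    return hashlib.sha256(json.dumps(spec, sort_keys=True).encode()).hexdigest()


# Constructed sample layers (field names are illustrative, not the LZA schema).
SCHEMA = {"home_region": "", "log_retention_days": 90, "egress_model": "distributed",
          "workload_accounts": [], "kms": {"rotation_days": None}}
PROFILE_ADVANCED = {"log_retention_days": 365, "egress_model": "distributed",
                    "workload_accounts": [{"name": "AppDev", "ou": "Workloads/Dev"},
                                          {"name": "AppProd", "ou": "Workloads/Prod"}]}
FEDRAMP_HIGH = {"log_retention_days": 2555,               # ignored: slot already filled
                "kms": {"rotation_days": 365},            # applied: slot was empty
                "workload_accounts": [{"name": "RegulatedWorkload",
                                       "ou": "Workloads/Prod/Regulated"}]}
DISCOVERY = {"home_region": "us-west-1", "egress_model": "centralized"}
USER = {"log_retention_days": 400}


def compiled_example() -> dict:
    return compile_spec(SCHEMA, PROFILE_ADVANCED, [FEDRAMP_HIGH], DISCOVERY, USER)


if __name__ == "__main__":
    spec = compiled_example()
    print(json.dumps(spec, indent=2, sort_keys=True))
    print("digest:", spec_digest(spec))
```

The interesting case is log_retention_days: the FedRAMP overlay's 2555 does not replace the profile's 365 because the slot was already filled, and the user's 400 then replaces both. If your organization expects a compliance overlay to raise a value the profile already set, that has to be done as a user edit; the rules engine will not do it for you.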


What fired for your spec

The wizard ran these overlays against your answers. Each entry is the rules-engine trace — what was added, why, and what triggered it.

Compliance overlays

| Section              | Triggered by | Rationale                                                                                                                                            |
|----------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| 02_account_hierarchy | FEDRAMP_HIGH | FedRAMP High requires workload isolation between CUI and non-CUI. A dedicated regulated-workload account scopes the boundary explicitly for the 3PAO. |
| 06_security_baseline | FEDRAMP_HIGH |                                                                                                                                                      |

Discovery overlays

| Section               | Overlay                                   | Triggered by                                                                                                                                                                                                   | Rationale                                                                                                                                                                                                                                                                                                                                         |
|-----------------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 04_networking         | multi_region_secondary_networking         | multi_region_required=true                                                                                                                                                                                     | Multi-region answers (warm/active-active DR) require a second hub VPC + workloads VPC in the secondary region, a secondary regional Transit Gateway, and an inter-region TGW peering attachment. Without these, the spec declares warm-standby but is physically single-region, a direct contradiction the generators cannot recover from.        |
| 04_networking         | regulated_centralized_egress              | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | Boundary-control frameworks (PCI-DSS Req 1 NSCs, NIST 800-53 / FedRAMP SC-7, EUCS) require a controlled, inspected egress boundary. The egress model is set to centralized so spoke egress flows through the inspection VPC's AWS Network Firewall; the compliance overlay adds that inspection VPC.                                           |
| 07_advanced_security  | regulated_enables_inspector               | compliance_requirements contains 'pci_dss' OR compliance_requirements contains 'fedramp_moderate' OR compliance_requirements contains 'fedramp_high' OR compliance_requirements contains 'nist_800_53' OR compliance_requirements contains 'eucs' | PCI-DSS 11.3.1 (internal vulnerability scanning) and NIST 800-53 / FedRAMP RA-5 require continuous vulnerability scanning. Amazon Inspector is the native control, so it is enabled by default when any of these is in scope. Matches the Architecture Scorecard, which fails Inspector-off for these frameworks.                              |
| 08_logging_monitoring | multi_region_enables_log_replication      | multi_region_required=true                                                                                                                                                                                     | Multi-region DR needs the central log bucket replicated to the secondary region so a regional outage does not destroy the audit trail of last resort.                                                                                                                                                                                         |
| 10_backup_dr          | multi_region_secondary_region             | multi_region_required=true                                                                                                                                                                                     | Multi-region answers (warm/active-active DR) require AWS Backup to copy recovery points to the secondary region. Pre-filled from discovery.secondary_region so the user does not have to retype it.                                                                                                                                            |
| 10_backup_dr          | warm_or_active_standby_strengthens_backup | dr_requirements = 'warm_standby' OR dr_requirements = 'active_active'                                                                                                                                          | Warm-standby / active-active DR strategies imply an org-level backup policy + vault lock so the secondary region can never lag.                                                                                                                                                                                                                  |

This trace is scoped to the overlays whose resources are emitted in this LZA bundle. Overlays that targeted application-layer sections (data platform, observability, EC2 fleet) also fired in the wizard but are not part of an LZA foundation config.


Next

See DEPLOYMENT_GUIDE.md for the deploy-and-verify runbook for the LZA pipeline.

About

Example FedRAMP High + NIST 800-53 AWS landing zone built with Compiled AI by Merlin Studio — a US federal civilian agency mission system, one intent spec deterministically compiled to AWS LZA config. SCP-isolated CUI account, multi-region warm-standby DR, HSM-backed KMS, 100/100 (A+) security scorecard. A reference, not a turnkey deploy.
