Landing Zone Accelerator¶
AWS Landing Zone Accelerator (LZA) is a configurable framework for deploying secure, compliant, and operationally efficient multi-account AWS environments. LZA provides guardrails, networking patterns, identity federation, and automated compliance checks across organizations.
Authoritative reference: Landing Zone Accelerator on AWS
How runbooks Implements Landing Zone Accelerator¶
The runbooks cfat and runbooks inventory groups provide discovery and compliance validation for LZA-deployed organizations:
cfat Group (LZA Compliance Validation)¶
| Command | Capability | Purpose |
|---|---|---|
runbooks cfat assess --lza-mode |
LZA guardrail check | Verify guardrails are deployed and controls are enforced across all accounts |
runbooks cfat compliance |
Compliance gate | Validate logging, SCPs, and network isolation per LZA design |
runbooks cfat risk-score |
Remediation prioritization | Identify compliance gaps against deployed LZA baseline |
inventory Group (Multi-Account Discovery)¶
| Command | Capability | Purpose |
|---|---|---|
runbooks inventory check-landingzone |
LZA state discovery | Validate organizational structure, account enrollment, and guardrail deployment |
runbooks inventory organizations |
Organizations API scan | Enumerate all accounts in the organization with metadata (name, status, email) |
runbooks inventory resource-explorer |
Unified resource discovery | Query resources across all accounts using AWS Resource Explorer aggregator |
Code Paths¶
- LZA assessment:
runbooks/src/runbooks/cfat/cloud_foundations_assessment.py - Organizations discovery:
runbooks/src/runbooks/inventory/organizations_discovery.py,inventory/organizations_utils.py - LZA landing zone check:
runbooks/src/runbooks/inventory/check_landingzone.py
See the cfat CLI Reference and inventory CLI Reference for complete documentation.
Quality Gate¶
Multi-account discovery compatibility: <2 seconds for organizations with ≤50 accounts
Organizations using LZA with Resource Explorer aggregator enabled can enumerate all accounts and their core resources within 2 seconds. This ensures CMDB import workflows and discovery pipelines remain responsive at enterprise scale.
Measured via: runbooks inventory resource-explorer --profile $AWS_OPERATIONS_PROFILE --time-limit 2s (requires Resource Explorer aggregator in management account)
Related Solutions¶
- Cloud Foundations — LZA builds on Cloud Foundations security baselines (cloud-foundations.md)
- Account Assessment — validates account readiness before enrollment in LZA (account-assessment.md)
- Network Orchestration — Transit Gateway networking patterns work with LZA multi-account design (network-orchestration-tgw.md)
Last checked¶
2026-05-21 — Landing Zone Accelerator URL verified live (HTTP 200)