# Landing zone schemas
A landing zone is an AWS resource, which is created by means of schemas. Each AWS Control Tower landing zone version has a unique schema.
The schemas for AWS Control Tower landing zones, version 3.1 and newer, are published in this reference section, to assist you in choosing a compatible version.
**Note**
A known issue regarding *unneccessary access logging* is present in landing zone version 3.0. The issue is addressed in landing zone version 3.1. For more information about the changes, see [AWS Control Tower landing zone version 3.1](2023-all.md#lz-3-1).
## Landing zone 4.0 schema
```
{
"type": "object",
"required": [],
"properties": {
"accessManagement": {
"$ref": "#/definitions/AccessManagement"
},
"backup": {
"$ref": "#/definitions/Backup"
},
"centralizedLogging": {
"$ref": "#/definitions/CentralizedLogging"
},
"governedRegions": {
"type": "array",
"items": {
"type": "string",
"maxLength": 24,
"minLength": 1,
"pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$",
"additionalProperties": false
},
"additionalProperties": false
},
"securityRoles": {
"$ref": "#/definitions/SecurityRoles"
},
"config": {
"$ref": "#/definitions/Config"
}
},
"additionalProperties": false,
"definitions": {
"AccessManagement": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"type": "boolean",
"additionalProperties": false
}
},
"additionalProperties": false
},
"Backup": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"configurations": {
"$ref": "#/definitions/BackupConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"configurations"
]
}
},
"BackupAdminConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"BackupConfigurations": {
"type": "object",
"required": [
"backupAdmin",
"centralBackup",
"kmsKeyArn"
],
"properties": {
"backupAdmin": {
"$ref": "#/definitions/BackupAdminConfigurations"
},
"centralBackup": {
"$ref": "#/definitions/CentralBackupConfigurations"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralBackupConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralizedLogging": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"configurations": {
"$ref": "#/definitions/LoggingConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"accountId"
]
}
},
"LoggingConfigurations": {
"type": "object",
"properties": {
"accessLoggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
},
"loggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
}
},
"additionalProperties": false
},
"S3BucketConfiguration": {
"type": "object",
"properties": {
"retentionDays": {
"type": "number",
"minimum": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"SecurityRoles": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"enabled": {
"type": "boolean",
"additionalProperties": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"accountId"
]
}
},
"Config": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"configurations": {
"$ref": "#/definitions/ConfigConfiguration"
},
"enabled": {
"type": "boolean",
"additionalProperties": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"accountId"
]
}
},
"ConfigConfiguration": {
"type": "object",
"required": [],
"properties": {
"loggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"accessLoggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
}
}
}
}
}
```
## Landing zone 3.3 schema
```
{
"type": "object",
"required": [
"centralizedLogging",
"organizationStructure",
"securityRoles"
],
"properties": {
"accessManagement": {
"$ref": "#/definitions/AccessManagement"
},
"backup": {
"$ref": "#/definitions/Backup"
},
"centralizedLogging": {
"$ref": "#/definitions/CentralizedLogging"
},
"governedRegions": {
"type": "array",
"items": {
"type": "string",
"maxLength": 24,
"minLength": 1,
"pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$",
"additionalProperties": false
},
"additionalProperties": false
},
"organizationStructure": {
"$ref": "#/definitions/OrganizationStructure"
},
"securityRoles": {
"$ref": "#/definitions/SecurityRoles"
}
},
"additionalProperties": false,
"definitions": {
"AccessManagement": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"Backup": {
"type": "object",
"properties": {
"configurations": {
"$ref": "#/definitions/BackupConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"configurations"
]
}
},
"BackupAdminConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"BackupConfigurations": {
"type": "object",
"required": [
"backupAdmin",
"centralBackup",
"kmsKeyArn"
],
"properties": {
"backupAdmin": {
"$ref": "#/definitions/BackupAdminConfigurations"
},
"centralBackup": {
"$ref": "#/definitions/CentralBackupConfigurations"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralBackupConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralizedLogging": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"configurations": {
"$ref": "#/definitions/LoggingConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"LoggingConfigurations": {
"type": "object",
"properties": {
"accessLoggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
},
"loggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
}
},
"additionalProperties": false
},
"OrganizationalUnit": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"maxLength": 120,
"minLength": 1,
"pattern": "^[\\s\\S]*$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"OrganizationStructure": {
"type": "object",
"required": [
"security"
],
"properties": {
"sandbox": {
"$ref": "#/definitions/OrganizationalUnit"
},
"security": {
"$ref": "#/definitions/OrganizationalUnit"
}
},
"additionalProperties": false
},
"S3BucketConfiguration": {
"type": "object",
"properties": {
"retentionDays": {
"type": "number",
"minimum": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"SecurityRoles": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
}
}
}
```
## Landing zone 3.2 schema
```
{
"type": "object",
"required": [
"centralizedLogging",
"organizationStructure",
"securityRoles"
],
"properties": {
"accessManagement": {
"$ref": "#/definitions/AccessManagement"
},
"backup": {
"$ref": "#/definitions/Backup"
},
"centralizedLogging": {
"$ref": "#/definitions/CentralizedLogging"
},
"governedRegions": {
"type": "array",
"items": {
"type": "string",
"maxLength": 24,
"minLength": 1,
"pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$",
"additionalProperties": false
},
"additionalProperties": false
},
"organizationStructure": {
"$ref": "#/definitions/OrganizationStructure"
},
"securityRoles": {
"$ref": "#/definitions/SecurityRoles"
}
},
"additionalProperties": false,
"definitions": {
"AccessManagement": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"Backup": {
"type": "object",
"properties": {
"configurations": {
"$ref": "#/definitions/BackupConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"configurations"
]
}
},
"BackupAdminConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"BackupConfigurations": {
"type": "object",
"required": [
"backupAdmin",
"centralBackup",
"kmsKeyArn"
],
"properties": {
"backupAdmin": {
"$ref": "#/definitions/BackupAdminConfigurations"
},
"centralBackup": {
"$ref": "#/definitions/CentralBackupConfigurations"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralBackupConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralizedLogging": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"configurations": {
"$ref": "#/definitions/LoggingConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"LoggingConfigurations": {
"type": "object",
"properties": {
"accessLoggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
},
"loggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
}
},
"additionalProperties": false
},
"OrganizationalUnit": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"maxLength": 120,
"minLength": 1,
"pattern": "^[\\s\\S]*$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"OrganizationStructure": {
"type": "object",
"required": [
"security"
],
"properties": {
"sandbox": {
"$ref": "#/definitions/OrganizationalUnit"
},
"security": {
"$ref": "#/definitions/OrganizationalUnit"
}
},
"additionalProperties": false
},
"S3BucketConfiguration": {
"type": "object",
"properties": {
"retentionDays": {
"type": "number",
"minimum": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"SecurityRoles": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
}
}
}
```
## Landing zone 3.1 schema
```
{
"type": "object",
"required": [
"centralizedLogging",
"organizationStructure",
"securityRoles"
],
"properties": {
"accessManagement": {
"$ref": "#/definitions/AccessManagement"
},
"backup": {
"$ref": "#/definitions/Backup"
},
"centralizedLogging": {
"$ref": "#/definitions/CentralizedLogging"
},
"governedRegions": {
"type": "array",
"items": {
"type": "string",
"maxLength": 24,
"minLength": 1,
"pattern": "^[a-z]{2}-[a-z\\-]*-[0-9]{1}$",
"additionalProperties": false
},
"additionalProperties": false
},
"organizationStructure": {
"$ref": "#/definitions/OrganizationStructure"
},
"securityRoles": {
"$ref": "#/definitions/SecurityRoles"
}
},
"additionalProperties": false,
"definitions": {
"AccessManagement": {
"type": "object",
"required": [
"enabled"
],
"properties": {
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"Backup": {
"type": "object",
"properties": {
"configurations": {
"$ref": "#/definitions/BackupConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": false
}
},
"additionalProperties": false,
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"required": [
"configurations"
]
}
},
"BackupAdminConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"BackupConfigurations": {
"type": "object",
"required": [
"backupAdmin",
"centralBackup",
"kmsKeyArn"
],
"properties": {
"backupAdmin": {
"$ref": "#/definitions/BackupAdminConfigurations"
},
"centralBackup": {
"$ref": "#/definitions/CentralBackupConfigurations"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralBackupConfigurations": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"CentralizedLogging": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
},
"configurations": {
"$ref": "#/definitions/LoggingConfigurations"
},
"enabled": {
"type": "boolean",
"additionalProperties": false,
"default": true
}
},
"additionalProperties": false
},
"LoggingConfigurations": {
"type": "object",
"properties": {
"accessLoggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
},
"kmsKeyArn": {
"type": "string",
"maxLength": 2048,
"minLength": 1,
"additionalProperties": false
},
"loggingBucket": {
"$ref": "#/definitions/S3BucketConfiguration"
}
},
"additionalProperties": false
},
"OrganizationalUnit": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"maxLength": 120,
"minLength": 1,
"pattern": "^[\\s\\S]*$",
"additionalProperties": false
}
},
"additionalProperties": false
},
"OrganizationStructure": {
"type": "object",
"required": [
"security"
],
"properties": {
"sandbox": {
"$ref": "#/definitions/OrganizationalUnit"
},
"security": {
"$ref": "#/definitions/OrganizationalUnit"
}
},
"additionalProperties": false
},
"S3BucketConfiguration": {
"type": "object",
"properties": {
"retentionDays": {
"type": "number",
"minimum": 1,
"additionalProperties": false
}
},
"additionalProperties": false
},
"SecurityRoles": {
"type": "object",
"required": [
"accountId"
],
"properties": {
"accountId": {
"type": "string",
"maxLength": 12,
"minLength": 12,
"pattern": "^\\d{12}$",
"additionalProperties": false
}
},
"additionalProperties": false
}
}
}
```