Mandatory accounts
The Landing Zone Accelerator on AWS builds on top of an existing AWS Control Tower or AWS Organizations multi-account structure. If using AWS Control Tower, this solution uses the same initial accounts that are generated by deploying the Control Tower Landing Zone. If using AWS Organizations only in a Region without AWS Control Tower, the following mandatory accounts must be created:
- Management account - This account is designated when first creating an AWS Organization. It’s a privileged account where all AWS Organizations global configuration management and billing consolidation occurs.
- LogArchive account - This account is used for centralized logging of AWS service logs and AWS CloudTrail trails.
- Audit account - This account is used to centralize all security operations and management activities. This account is typically used as a delegated administrator of centralized security services such as Amazon Macie, Amazon GuardDuty, and AWS Security Hub.