The first step to using Gruntwork Landing Zone is to use AWS Control Tower to create a new multi-account setup, which requires that you meet the prerequisites below.

1. A new AWS account and a user with administrator permissions. (We recommend using an IAM user with admin permissions rather than the root user.)

   This account will become the root of your multi-account setup after enabling Control Tower.

   1. Log in as that administrator user.

2. Three new, unique email addresses for your logs, shared, and security (audit) accounts. These email addresses cannot already be associated with an AWS root login.

3. A home region selection where your Control Tower configuration will reside.

   Your home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.

4. A KMS key for encrypting Control Tower resources, with a suitable permissions policy.

   For more help setting up KMS, see the AWS docs: Guidance for KMS keys.

   1. Logged in as an admin user, navigate to KMS in your root AWS account to create KMS keys.

   2. Ensure you are in your home region and click Create Key.

      1. Configure a key with the default parameters (shown in the screenshot below).

         (Screenshot: KMS Key Defaults)

      2. Give the key a descriptive alias like `control_tower_key`.

         (Screenshot: KMS Key Alias)

      3. Select your admin user as a key administrator.

      4. Select your admin user as a key user.

      5. Click Finish to create the key.

   3. On the next screen, find the key you just created and click on it to edit the following:

      1. In the key policy tab, click Edit.

         (Screenshot: Edit Key Policy)

      2. Add the following Config policy statement to the list of Statements, replacing YOUR-HOME-REGION, YOUR-MANAGEMENT-ACCOUNT-ID and YOUR_KMS_KEY_ID with values from your own account.

         ```json
         {
           "Sid": "Allow Config to use KMS for encryption",
           "Effect": "Allow",
           "Principal": {
             "Service": "config.amazonaws.com"
           },
           "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
           "Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR_KMS_KEY_ID"
         }
         ```

      3. Add the following CloudTrail policy statement to the list of Statements, replacing YOUR-HOME-REGION, YOUR-MANAGEMENT-ACCOUNT-ID and YOUR_KMS_KEY_ID with values from your own account.

         ```json
         {
           "Sid": "Allow CloudTrail to use KMS for encryption",
           "Effect": "Allow",
           "Principal": {
             "Service": "cloudtrail.amazonaws.com"
           },
           "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
           "Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR_KMS_KEY_ID",
           "Condition": {
             "StringEquals": {
               "aws:SourceArn": "arn:aws:cloudtrail:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:trail/aws-controltower-BaselineCloudTrail"
             },
             "StringLike": {
               "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:YOUR-MANAGEMENT-ACCOUNT-ID:trail/*"
             }
           }
         }
         ```

   4. Click Save Changes.
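The key policy edit above is easy to get subtly wrong by hand (a dropped `Condition` block on the CloudTrail statement, or a missing action). The following is an added example, not part of the Gruntwork guide or its code, that checks a key policy document for the two statements the guide asks for. The region, account ID and key ID are constructed placeholder values; `sample_policy()` builds a constructed policy (the default admin statement plus the two statements from the guide) so the check runs offline, and `weaken=True` drops the CloudTrail conditions to show what the checker reports. Against a real key you would feed it the output of `aws kms get-key-policy` instead.

```python
"""Check that a KMS key policy carries the Config and CloudTrail statements a
Control Tower setup needs, with the actions and conditions the guide specifies."""
import fnmatch
import json

# Constructed sample values; substitute YOUR-HOME-REGION, YOUR-MANAGEMENT-ACCOUNT-ID
# and YOUR_KMS_KEY_ID from your own account when checking a real policy.
REGION = "us-east-1"
ACCOUNT_ID = "111111111111"
KEY_ID = "00000000-0000-0000-0000-000000000000"

CONFIG_SERVICE = "config.amazonaws.com"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
CONTEXT_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"


def control_tower_statements(region, account_id, key_id):
    """The two statements from the guide, as Python objects."""
    key_arn = f"arn:aws:kms:{region}:{account_id}:key/{key_id}"
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/aws-controltower-BaselineCloudTrail"
    return [
        {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
         "Principal": {"Service": CONFIG_SERVICE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": key_arn},
        {"Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
         "Resource": key_arn,
         "Condition": {
             "StringEquals": {"aws:SourceArn": trail_arn},
             "StringLike": {CONTEXT_KEY: f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
    ]


def sample_policy(region=REGION, account_id=ACCOUNT_ID, key_id=KEY_ID, weaken=False):
    """Constructed full key policy: the default admin statement plus the two
    Control Tower statements. weaken=True drops the CloudTrail Condition block,
    the misconfiguration the checker is meant to catch."""
    statements = control_tower_statements(region, account_id, key_id)
    if weaken:
        statements[1].pop("Condition")
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            *statements,
        ],
    })


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements_for(policy, service):
    """Allow statements whose principal is the given AWS service principal."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict) \
                and service in _as_list(principal.get("Service", [])):
            out.append(stmt)
    return out


def _missing_actions(statements, required):
    """Required actions not covered by any granted action (wildcards honoured)."""
    granted = [a for s in statements for a in _as_list(s.get("Action", []))]
    return [need for need in required
            if not any(fnmatch.fnmatchcase(need, pat) for pat in granted)]


def check_control_tower_key_policy(policy_json, region, account_id, key_id):
    """Return a list of findings; empty means both statements are present with
    the expected actions and the CloudTrail statement is pinned to the trail."""
    policy = json.loads(policy_json)
    expected_trail = f"arn:aws:cloudtrail:{region}:{account_id}:trail/aws-controltower-BaselineCloudTrail"
    findings = []

    config = _allow_statements_for(policy, CONFIG_SERVICE)
    if not config:
        findings.append(f"no Allow statement for {CONFIG_SERVICE}")
    else:
        for action in _missing_actions(config, ["kms:Decrypt", "kms:GenerateDataKey"]):
            findings.append(f"{CONFIG_SERVICE} lacks {action}")

    trail = _allow_statements_for(policy, CLOUDTRAIL_SERVICE)
    if not trail:
        findings.append(f"no Allow statement for {CLOUDTRAIL_SERVICE}")
        return findings
    for action in _missing_actions(trail, ["kms:Decrypt", "kms:GenerateDataKey"]):
        findings.append(f"{CLOUDTRAIL_SERVICE} lacks {action}")
    # Without these conditions the key is usable through the CloudTrail service
    # principal on behalf of any trail; the guide pins it to the Control Tower trail.
    for stmt in trail:
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceArn") != expected_trail:
            findings.append(f"statement {stmt.get('Sid')!r} is not pinned to {expected_trail}")
        if CONTEXT_KEY not in cond.get("StringLike", {}):
            findings.append(f"statement {stmt.get('Sid')!r} lacks the {CONTEXT_KEY} condition")
    return findings


if __name__ == "__main__":
    print(check_control_tower_key_policy(sample_policy(), REGION, ACCOUNT_ID, KEY_ID))
    print(check_control_tower_key_policy(sample_policy(weaken=True), REGION, ACCOUNT_ID, KEY_ID))
```

The checker deliberately treats the `Condition` block as part of the requirement rather than as optional hardening: `aws:SourceArn` and the `kms:EncryptionContext` match are what confine the CloudTrail grant to the Control Tower baseline trail in your management account, so a policy that merely lets `cloudtrail.amazonaws.com` call `kms:Decrypt` is reported as a finding even though Control Tower would still function.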