GitHub Pages Documentation Site
Complete guide to setting up and customizing the GitHub Pages documentation site.
Table of contents
- Overview
- Quick Setup
- Configuration
- Customization
- Adding Content
- Deployment
- Local Development
- GitHub Pages Settings
- Troubleshooting
- File Structure
- Best Practices
- Advanced Features
- Resources
- Support
Overview
This project includes a professional documentation site built with:
- Jekyll - Static site generator
- Just the Docs - Modern documentation theme
- GitHub Pages - Free hosting
- GitHub Actions - Automated deployment
Features
✅ Full-text search across all documentation
✅ Responsive design for mobile and desktop
✅ Professional theme with AWS branding
✅ Automatic deployment on push
✅ Syntax highlighting for code blocks
✅ Automatic navigation generation
✅ Table of contents for long pages
✅ Callout boxes for important information
Quick Setup
Automated Setup
```bash
# Run setup script
./scripts/setup-github-pages.sh

# Follow the prompts to:
# 1. Install dependencies
# 2. Configure repository URL
# 3. Enable GitHub Pages
# 4. Test local build
```
Manual Setup
```bash
# 1. Install Ruby and Bundler
brew install ruby
gem install bundler

# 2. Install dependencies
cd docs
bundle install

# 3. Build site
bundle exec jekyll build

# 4. Serve locally
bundle exec jekyll serve --livereload

# 5. Access at http://localhost:4000
```
Configuration
Update Site Settings
Edit docs/_config.yml:
```yaml
# Site information
title: AWS Control Tower Landing Zone
description: Your description here
url: "https://your-org.github.io"
baseurl: "/your-repo"

# GitHub links
aux_links:
  "View on GitHub":
    - "//github.com/your-org/your-repo"
  "Download":
    - "//github.com/your-org/your-repo/archive/main.zip"

# Footer
footer_content: "Copyright © 2024 Your Organization"
```
Update Repository URLs
Replace all instances of your-org/aws-control-tower-landingzone:
```bash
# Find and replace (BSD/macOS sed syntax; GNU sed takes -i without the empty '' argument)
find docs -type f -name "*.md" -exec sed -i '' \
  's/your-org\/aws-control-tower-landingzone/YOUR-ORG\/YOUR-REPO/g' {} +
```
Customization
Add Your Logo
- Create a logo image (PNG, 200x50px recommended)
- Save it as docs/assets/images/logo.png
- Update _config.yml:
```yaml
logo: "/assets/images/logo.png"
favicon_ico: "/assets/images/favicon.ico"
```
Customize Colors
Edit docs/assets/css/custom.scss:
```scss
// Your brand colors
$primary-color: #FF9900;
$secondary-color: #232F3E;
$success-color: #28a745;
$warning-color: #ffc107;
$danger-color: #dc3545;
```
Add Custom CSS
Add to docs/assets/css/custom.scss:
```scss
// Custom styles
.my-custom-class {
  color: $primary-color;
  font-weight: bold;
}
```
Adding Content
Create New Page
```markdown
---
layout: default
title: My New Page
nav_order: 5
parent: Getting Started
---

# My New Page

Content goes here...
```
Navigation Hierarchy
```yaml
# Parent page
---
title: Parent
nav_order: 1
has_children: true
---

# Child page
---
title: Child
parent: Parent
nav_order: 1
---

# Grandchild page
---
title: Grandchild
parent: Child
grand_parent: Parent
---
```
Callout Boxes
```markdown
{: .note }
> This is a note

{: .important }
> This is important

{: .warning }
> This is a warning

{: .highlight }
> This is highlighted
```
Code Blocks
```bash
terraform init
terraform apply
```
```hcl
resource "aws_s3_bucket" "example" {
bucket = "my-bucket"
}
```
Tables
| Column 1 | Column 2 | Column 3 |
|:---------|:--------:|---------:|
| Left | Center | Right |
Buttons
```markdown
[Get Started](#link){: .btn .btn-primary }
[View on GitHub](url){: .btn }
```
Deployment
Automatic Deployment
The site automatically deploys when you push to main:
- Make changes in the docs/ directory
- Commit and push to the main branch
- GitHub Actions builds and deploys
- Site updates in ~2 minutes
Manual Deployment
```bash
# Trigger workflow manually
gh workflow run github-pages.yml

# Or via GitHub UI:
# Actions → Deploy GitHub Pages → Run workflow
```
Deployment Status
Check deployment status:
```bash
# View workflow runs
gh run list --workflow=github-pages.yml

# View specific run
gh run view <run-id>
```
Local Development
Start Development Server
```bash
cd docs
bundle exec jekyll serve --livereload
```
Access at: http://localhost:4000
Build Site
```bash
cd docs
bundle exec jekyll build
```
Output in: docs/_site/
Clean Build
```bash
cd docs
bundle exec jekyll clean
bundle exec jekyll build
```
GitHub Pages Settings
Enable GitHub Pages
- Go to the repository Settings
- Navigate to the Pages section
- Under Build and deployment, set Source to GitHub Actions
- Save changes
Custom Domain (Optional)
- Add a CNAME file at docs/CNAME containing the domain:
```
docs.example.com
```
- Configure DNS with a CNAME record pointing the domain at your Pages host:
```
CNAME docs.example.com your-org.github.io
```
- Because the site is then served from the domain root, set baseurl: "" in _config.yml (see 404 Errors under Troubleshooting)
- Verify the domain under your account's or organization's Pages settings so that the DNS record cannot be claimed by another GitHub account if the site is later removed
HTTPS
GitHub Pages automatically provides HTTPS:
- https://your-org.github.io/your-repo/
- https://docs.example.com/ (with custom domain)
Tick Enforce HTTPS in the Pages settings so that plain HTTP requests are redirected; for a custom domain the option becomes available once GitHub has issued the certificate.
Troubleshooting
Build Fails
```bash
# Check Ruby version
ruby --version  # Should be 2.7+

# Update dependencies
cd docs
bundle update

# Clear cache
bundle exec jekyll clean
```
Search Not Working
```bash
# Rebuild search index
cd docs
bundle exec jekyll clean
bundle exec jekyll build
```
Styles Not Applying
```bash
# Clear browser cache
# Hard refresh: Cmd+Shift+R (Mac) or Ctrl+Shift+R (Windows)

# Rebuild site
cd docs
bundle exec jekyll clean
bundle exec jekyll build
```
404 Errors
Check baseurl in _config.yml:
```yaml
# For project pages
baseurl: "/your-repo"

# For organization pages
baseurl: ""
```
File Structure
```text
docs/
├── _config.yml          # Jekyll configuration
├── Gemfile              # Ruby dependencies
├── index.md             # Home page
├── getting-started.md   # Getting started
├── architecture.md      # Architecture docs
├── _layouts/            # Custom layouts
│   └── default.html     # Default layout
├── assets/              # Static assets
│   ├── css/
│   │   └── custom.scss  # Custom styles
│   ├── images/          # Images
│   │   ├── logo.png     # Site logo
│   │   └── favicon.ico  # Favicon
│   └── js/              # JavaScript
├── _site/               # Generated site (gitignored)
└── README_DOCS.md       # Documentation README
```
Best Practices
- Keep URLs stable - Use permalink for important pages
- Use descriptive titles - Clear, concise page titles
- Organize with hierarchy - Use parent/child relationships
- Add navigation order - Use nav_order for logical flow
- Include TOC - Add table of contents for long pages
- Use callouts - Highlight important information
- Test locally - Always test before pushing
- Optimize images - Compress images before adding
- Write clear content - Use simple, direct language
- Update regularly - Keep documentation current
Advanced Features
Custom Layouts
Create a custom layout file in docs/_layouts/. A layout is a template wrapped around the page body, which Jekyll inserts at the content variable:
```html
---
layout: default
---
<div class="custom-layout">
  {{ content }}
</div>
```
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>Architecture | AWS Control Tower Landing Zone</title>
<meta name="description" content="Enterprise-grade Terraform automation for AWS Control Tower" />
<link rel="canonical" href="https://anuu1989.github.io/aws-control-tower-landingzone/architecture" />
</head>
<body>
<div class="main" id="top">
<div class="main-content-wrap">
<div id="main-content" class="main-content">
<main>
<h1 class="no_toc" id="architecture-overview">
Architecture Overview
</h1>
<p class="fs-6 fw-300">Comprehensive architecture documentation for AWS Control Tower Landing Zone.</p>
<h2 class="no_toc text-delta" id="table-of-contents">
Table of contents
</h2>
<ol id="markdown-toc">
<li><a href="#system-architecture" id="markdown-toc-system-architecture">System Architecture</a> <ol>
<li><a href="#high-level-architecture" id="markdown-toc-high-level-architecture">High-Level Architecture</a></li>
</ol>
</li>
<li><a href="#core-components" id="markdown-toc-core-components">Core Components</a> <ol>
<li><a href="#1-control-tower-landing-zone" id="markdown-toc-1-control-tower-landing-zone">1. Control Tower Landing Zone</a></li>
<li><a href="#2-organizational-units" id="markdown-toc-2-organizational-units">2. Organizational Units</a></li>
<li><a href="#3-service-control-policies" id="markdown-toc-3-service-control-policies">3. Service Control Policies</a></li>
</ol>
</li>
<li><a href="#network-architecture" id="markdown-toc-network-architecture">Network Architecture</a> <ol>
<li><a href="#transit-gateway-hub" id="markdown-toc-transit-gateway-hub">Transit Gateway Hub</a></li>
<li><a href="#network-firewall" id="markdown-toc-network-firewall">Network Firewall</a></li>
<li><a href="#zero-trust-architecture" id="markdown-toc-zero-trust-architecture">Zero Trust Architecture</a></li>
</ol>
</li>
<li><a href="#security-architecture" id="markdown-toc-security-architecture">Security Architecture</a> <ol>
<li><a href="#defense-in-depth" id="markdown-toc-defense-in-depth">Defense in Depth</a></li>
<li><a href="#security-services" id="markdown-toc-security-services">Security Services</a></li>
</ol>
</li>
<li><a href="#data-flow" id="markdown-toc-data-flow">Data Flow</a> <ol>
<li><a href="#logging-pipeline" id="markdown-toc-logging-pipeline">Logging Pipeline</a></li>
<li><a href="#security-event-flow" id="markdown-toc-security-event-flow">Security Event Flow</a></li>
</ol>
</li>
<li><a href="#deployment-architecture" id="markdown-toc-deployment-architecture">Deployment Architecture</a> <ol>
<li><a href="#terraform-state-management" id="markdown-toc-terraform-state-management">Terraform State Management</a></li>
<li><a href="#cicd-pipeline" id="markdown-toc-cicd-pipeline">CI/CD Pipeline</a></li>
</ol>
</li>
<li><a href="#scalability" id="markdown-toc-scalability">Scalability</a> <ol>
<li><a href="#horizontal-scaling" id="markdown-toc-horizontal-scaling">Horizontal Scaling</a></li>
<li><a href="#vertical-scaling" id="markdown-toc-vertical-scaling">Vertical Scaling</a></li>
</ol>
</li>
<li><a href="#high-availability" id="markdown-toc-high-availability">High Availability</a> <ol>
<li><a href="#multi-az-deployment" id="markdown-toc-multi-az-deployment">Multi-AZ Deployment</a></li>
<li><a href="#disaster-recovery" id="markdown-toc-disaster-recovery">Disaster Recovery</a></li>
</ol>
</li>
<li><a href="#related-documentation" id="markdown-toc-related-documentation">Related Documentation</a></li>
</ol><hr />
<h2 id="system-architecture">
System Architecture
</h2>
<p>The AWS Control Tower Landing Zone implements a multi-account architecture with comprehensive security, networking, and governance controls.</p>
<h3 id="high-level-architecture">
High-Level Architecture
</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌─────────────────────────────────────────────────────────────────┐
│                       Management Account                        │
│  ┌────────────────────────────────────────────────────────────┐ │
│  │                 Control Tower Landing Zone                 │ │
│  │                                                            │ │
│  │  • GuardDuty         • Security Hub      • AWS Config      │ │
│  │  • CloudTrail        • Network Firewall                    │ │
│  │  • Transit Gateway   • KMS Encryption                      │ │
│  └────────────────────────────────────────────────────────────┘ │
└────────────────────────────────┬────────────────────────────────┘
                                 │
              ┌──────────────────┴──────────────────┐
              │                                     │
      ┌───────▼────────┐                    ┌───────▼────────┐
      │  Security OU   │                    │  Workload OUs  │
      │                │                    │                │
      │  • Log Archive │                    │  • Production  │
      │  • Audit       │                    │  • Non-Prod    │
      │  • Security    │                    │  • Development │
      └────────────────┘                    └────────────────┘
</code></pre></div></div><hr />
<h2 id="core-components">
Core Components
</h2>
<h3 id="1-control-tower-landing-zone">
1. Control Tower Landing Zone
</h3>
<p>The foundation of the multi-account environment:</p>
<ul>
<li><strong>Automated Setup</strong> - Terraform-based deployment</li>
<li><strong>Account Factory</strong> - Automated account provisioning</li>
<li><strong>Guardrails</strong> - Preventive and detective controls</li>
<li><strong>Dashboard</strong> - Centralized monitoring</li>
</ul>
<h3 id="2-organizational-units">
2. Organizational Units
</h3>
<p>Hierarchical structure for account organization:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Root
├── Security OU
│   ├── Log Archive Account
│   ├── Audit Account
│   └── Security Tooling Account
├── Infrastructure OU
│   ├── Network Account
│   └── Shared Services Account
├── Production OU
│   └── Production Workload Accounts
├── Non-Production OU
│   ├── Staging Accounts
│   └── Development Accounts
├── Sandbox OU
│   └── Sandbox Accounts
└── Suspended OU
    └── Decommissioned Accounts
</code></pre></div></div>
<h3 id="3-service-control-policies">
3. Service Control Policies
</h3>
<p>35+ SCPs for governance:</p>
<ul>
<li><strong>Security Controls</strong> - MFA, encryption, region restrictions</li>
<li><strong>Cost Controls</strong> - Instance type restrictions, resource limits</li>
<li><strong>Compliance Controls</strong> - Audit logging, data residency</li>
<li><strong>Operational Controls</strong> - Service restrictions, API limits</li>
</ul><hr />
<h2 id="network-architecture">
Network Architecture
</h2>
<h3 id="transit-gateway-hub">
Transit Gateway Hub
</h3>
<p>Centralized network connectivity:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌─────────────────────────────────────────────────────────┐
│                     Transit Gateway                     │
│                                                         │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐ │
│  │  Inspection  │   │    Egress    │   │   Workload   │ │
│  │     VPC      │   │     VPC      │   │     VPCs     │ │
│  └──────────────┘   └──────────────┘   └──────────────┘ │
│         │                  │                  │         │
│         └──────────────────┴──────────────────┘         │
└─────────────────────────────────────────────────────────┘
</code></pre></div></div>
<h3 id="network-firewall">
Network Firewall
</h3>
<p>Stateful inspection and filtering:</p>
<ul>
<li><strong>Inspection VPC</strong> - Centralized traffic inspection</li>
<li><strong>Firewall Rules</strong> - Domain filtering, IPS/IDS</li>
<li><strong>Logging</strong> - Flow logs and alert logs</li>
<li><strong>High Availability</strong> - Multi-AZ deployment</li>
</ul>
<h3 id="zero-trust-architecture">
Zero Trust Architecture
</h3>
<p>Deny-by-default security model:</p>
<ul>
<li><strong>Explicit Allow</strong> - Only explicitly allowed traffic is permitted</li>
<li><strong>Least Privilege</strong> - Minimal required access</li>
<li><strong>Micro-segmentation</strong> - Granular network controls</li>
<li><strong>Continuous Verification</strong> - Ongoing validation</li>
</ul><hr />
<h2 id="security-architecture">
Security Architecture
</h2>
<h3 id="defense-in-depth">
Defense in Depth
</h3>
<p>Multiple layers of security controls:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌─────────────────────────────────────────────────────────┐
│  Layer 7: Governance (SCPs, AWS Organizations)          │
├─────────────────────────────────────────────────────────┤
│  Layer 6: Identity (IAM, SSO, MFA)                      │
├─────────────────────────────────────────────────────────┤
│  Layer 5: Application (WAF, API Gateway)                │
├─────────────────────────────────────────────────────────┤
│  Layer 4: Data (KMS, Encryption, DLP)                   │
├─────────────────────────────────────────────────────────┤
│  Layer 3: Network (Firewall, Security Groups, NACLs)    │
├─────────────────────────────────────────────────────────┤
│  Layer 2: Compute (GuardDuty, Inspector, Patch Mgmt)    │
├─────────────────────────────────────────────────────────┤
│  Layer 1: Physical (AWS Data Centers)                   │
└─────────────────────────────────────────────────────────┘
</code></pre></div></div>
<h3 id="security-services">
Security Services
</h3>
<ul>
<li><strong>GuardDuty</strong> - Threat detection</li>
<li><strong>Security Hub</strong> - Security posture management</li>
<li><strong>AWS Config</strong> - Configuration compliance</li>
<li><strong>IAM Access Analyzer</strong> - Access analysis</li>
<li><strong>CloudTrail</strong> - API activity logging</li>
<li><strong>VPC Flow Logs</strong> - Network traffic logging</li>
</ul><hr />
<h2 id="data-flow">
Data Flow
</h2>
<h3 id="logging-pipeline">
Logging Pipeline
</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌──────────────┐
│   Services   │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  CloudWatch  │
│     Logs     │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  S3 Bucket   │
│ (Encrypted)  │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│   Glacier    │
│  (Archive)   │
└──────────────┘
</code></pre></div></div>
<h3 id="security-event-flow">
Security Event Flow
</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌──────────────┐
│   Security   │
│    Event     │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  EventBridge │
└──────┬───────┘
       │
       ├──────────────────┐
       │                  │
       ▼                  ▼
┌──────────────┐   ┌──────────────┐
│     SNS      │   │    Lambda    │
│ Notification │   │ Remediation  │
└──────────────┘   └──────────────┘
</code></pre></div></div><hr />
<h2 id="deployment-architecture">
Deployment Architecture
</h2>
<h3 id="terraform-state-management">
Terraform State Management
</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌──────────────────────────────────────────────────────┐
│ S3 Backend │
│ │
│ • State File (encrypted with KMS) │
│ • Native State Locking (Terraform 1.10+, use_lockfile; no DynamoDB table needed) │
│ • Versioning Enabled │
│ • Cross-Region Replication (optional) │
└──────────────────────────────────────────────────────┘
</code></pre></div></div>
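<p>As an added example (not the project's own configuration), the backend block below matches the box above, paired with the least-privilege IAM policy the pipeline role needs to use it. Bucket name, key path, region, account ID and KMS key ID are placeholders.</p>

```hcl
# Added example, not the project's own code: S3 backend with SSE-KMS state and
# S3-native locking, plus the minimal policy for the role that runs Terraform.
# Bucket, key path, region, account ID and key ID are placeholders.

terraform {
  required_version = ">= 1.10" # use_lockfile (S3-native locking) needs 1.10+

  backend "s3" {
    bucket       = "org-terraform-state"
    key          = "landing-zone/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    kms_key_id   = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"
    use_lockfile = true # lock is an object named <key>.tflock; no DynamoDB table
  }
}

# The pipeline role needs exactly: list the bucket, read/write/delete the state
# object and its lock object, and use the state key. Nothing bucket-wide, so a
# compromised pipeline for one stack cannot read other stacks' state (which
# often contains secrets in plaintext).
data "aws_iam_policy_document" "terraform_state_access" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::org-terraform-state"]
  }
  statement {
    sid     = "ReadWriteStateAndLock"
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = [
      "arn:aws:s3:::org-terraform-state/landing-zone/terraform.tfstate",
      "arn:aws:s3:::org-terraform-state/landing-zone/terraform.tfstate.tflock",
    ]
  }
  statement {
    sid       = "UseStateKmsKey"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
    resources = ["arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"]
  }
}
```

<p>The backend block cannot use variables or interpolation, which is why the names are repeated literally in the policy. Versioning and the optional cross-region replication from the box above are properties of the state bucket itself, configured the same way as for any other bucket, and versioning is what lets you recover from a corrupted or truncated state write. <code>s3:DeleteObject</code> on the <code>.tflock</code> object is required; without it every run acquires a lock it can never release.</p>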
<h3 id="cicd-pipeline">
<a href="#cicd-pipeline" class="anchor-heading" aria-labelledby="cicd-pipeline"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> CI/CD Pipeline
</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>┌──────────────┐
│ Developer │
│ Commit │
└──────┬───────┘
│
▼
┌──────────────┐
│ Pre-Commit │
│ Hooks │
└──────┬───────┘
│
▼
┌──────────────┐
│ GitHub │
│ Actions │
└──────┬───────┘
│
├──────────────────┬──────────────────┐
│ │ │
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Validation │ │ Security │ │ OPA Tests │
│ │ │ Scanning │ │ │
└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
│ │ │
└──────────────────┴──────────────────┘
│
▼
┌──────────────┐
│ Terraform │
│ Apply │
└──────────────┘
</code></pre></div></div><hr />
<h2 id="scalability">
<a href="#scalability" class="anchor-heading" aria-labelledby="scalability"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Scalability
</h2>
<h3 id="horizontal-scaling">
<a href="#horizontal-scaling" class="anchor-heading" aria-labelledby="horizontal-scaling"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Horizontal Scaling
</h3>
<ul>
<li><strong>Account Vending</strong> - Automated account creation</li>
<li><strong>OU Structure</strong> - Nested OUs, within AWS Organizations quotas (OUs nest at most five levels deep below the root)</li>
<li><strong>SCPs</strong> - Attached at root, OU or account level; at most five SCPs per target</li>
<li><strong>Network Expansion</strong> - New VPCs join as Transit Gateway attachments</li>
</ul>
<h3 id="vertical-scaling">
<a href="#vertical-scaling" class="anchor-heading" aria-labelledby="vertical-scaling"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Vertical Scaling
</h3>
<ul>
<li><strong>Resource Limits</strong> - Bounded by AWS service quotas; request increases before onboarding accounts that will approach them</li>
<li><strong>Performance</strong> - Multi-AZ deployment</li>
<li><strong>Throughput</strong> - Network Firewall endpoint capacity, per AZ</li>
<li><strong>Storage</strong> - S3 imposes no bucket size limit</li>
</ul><hr />
<h2 id="high-availability">
<a href="#high-availability" class="anchor-heading" aria-labelledby="high-availability"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> High Availability
</h2>
<h3 id="multi-az-deployment">
<a href="#multi-az-deployment" class="anchor-heading" aria-labelledby="multi-az-deployment"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Multi-AZ Deployment
</h3>
<p>All critical components deployed across multiple availability zones:</p>
<ul>
<li><strong>Network Firewall</strong> - Firewall endpoints in every AZ</li>
<li><strong>NAT Gateways</strong> - One per AZ, so losing one AZ does not take down egress for the others</li>
<li><strong>Transit Gateway</strong> - Regional, highly available service; each VPC attachment needs a subnet in every AZ that carries traffic</li>
<li><strong>S3 Storage</strong> - Objects are stored redundantly across multiple AZs</li>
</ul>
<h3 id="disaster-recovery">
<a href="#disaster-recovery" class="anchor-heading" aria-labelledby="disaster-recovery"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Disaster Recovery
</h3>
<ul>
<li><strong>RTO</strong> - Recovery Time Objective: 4 hours</li>
<li><strong>RPO</strong> - Recovery Point Objective: 1 hour</li>
<li><strong>State Backups</strong> - Automated every 6 hours</li>
<li><strong>Cross-Region</strong> - Optional replication</li>
</ul><hr />
<h2 id="related-documentation">
<a href="#related-documentation" class="anchor-heading" aria-labelledby="related-documentation"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Related Documentation
</h2>
<ul>
<li><a href="SECURITY.html">Security Architecture</a></li>
<li><a href="NETWORKING.html">Network Architecture</a></li>
<li><a href="ZERO_TRUST.html">Zero Trust Implementation</a></li>
<li><a href="DISASTER_RECOVERY.html">Disaster Recovery</a></li>
</ul><hr />
<p class="fs-3">For detailed implementation, see the <a href="COMPLETE_IMPLEMENTATION_GUIDE.html">Complete Implementation Guide</a>.</p>
</main>
<hr>
<footer>
<p><a href="#top" id="back-to-top">Back to top</a></p>
<p class="text-small mb-0">Copyright © 2024. Distributed under the MIT License.</p>
<div class="d-md-none mt-4 fs-2">
This site uses <a href="https://github.com/just-the-docs/just-the-docs">Just the Docs</a>, a documentation theme for Jekyll.
</div>
</footer>
</div>
</div>
<div class="search-overlay"></div>
</div>
</body>
</html>
</div>
Collections
Add to _config.yml:
collections:
guides:
output: true
permalink: /:collection/:path/
Plugins
Add to Gemfile:
group :jekyll_plugins do
gem "jekyll-sitemap"
gem "jekyll-feed"
end
Analytics
Add Google Analytics to _config.yml. Just the Docs reads the ga_tracking key (google_analytics has no effect in this theme), and Universal Analytics (UA-) property IDs stopped collecting data in 2024, so use a GA4 measurement ID:
ga_tracking: G-XXXXXXXXXX
ga_tracking_anonymize_ip: true
Resources
- Jekyll Documentation
- Just the Docs Theme
- GitHub Pages Documentation
- Markdown Guide
- Liquid Template Language
Support
For issues with the documentation site:
- Check README_DOCS.md
- Review Jekyll documentation
- Check GitHub Actions logs
- Open an issue on GitHub
Site URL: https://your-org.github.io/your-repo/
Build Time: ~2 minutes
Cost: Free with GitHub Pages