What is the difference between AWS Landing Zones and AWS Control Tower? Customised Solution or Managed Service?!
AWS Landing Zone and AWS Control Tower both help you set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources that implement an initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
Update:
🚨 AWS Control Tower now allows existing organizations to set up a landing zone.
Feature | AWS Landing Zone | AWS Control Tower
---|---|---
Delivery mechanism | CloudFormation or Terraform | AWS managed service
Architectural support | Fully customizable and owned by the customer | Customizable via Solution + AWS recommended best practices with managed blueprints and guardrails
Account structure | Complete flexibility for customer-defined account structure | Two non-configurable core accounts, no Shared Services (SS) account, no Amazon VPC in core accounts
Federated access | AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers
Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead
Automated account creation | Account Vending Machine | β
Member account region support (VPC) | All regions are supported [1] | North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2) [2]
General region support | All regions are supported | North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2)
Use existing AWS Organization | β | β
Use existing SSO environment | β | β
Use existing AWS Service Catalog environment | β | β
New or existing Security Hub environment | Multiaccount Scripts | β
References
AWS Landing Zone
- Implementation Guide
- Developers Guide
- User Guide
- Upgrade Guide
- 📺 Videos
- 🧰 Solutions
  - Account Vending Machine
  - Security Hub Multiaccount Scripts
AWS Control Tower
- User Guide
- Pricing
- Labs
- 📺 Videos
- 🧰 Solutions
  - Customizations for AWS Control Tower
  - Enabling guardrails in new AWS Regions that AWS Control Tower supports
Which one should I choose?
Are you new to AWS?
✔️ Use AWS Control Tower
Do you need a configurable landing zone with full customization and control over every part?
✔️ Use AWS Landing Zone

1. Member accounts can be provisioned in every region, no matter where the Account Vending Machine is deployed. ⚠️ You just need to make sure that your CloudFormation templates and Lambda functions are available in the requested region.
2. AWS Control Tower can provision new accounts (network baseline) into the following regions: North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1) and Sydney (ap-southeast-2).