DEV Community

Cover image for AWS Landing Zone and Control Tower
Shweta Vohra
Shweta Vohra

Posted on


AWS Landing Zone and Control Tower

Client is looking to get into AWS for the first time, they may know a bit about platform architecture such as Regions, Availability Zones, EC2, S3, VPN's etc. But they may not know that there is a whole other space around procurement, billing, and AWS accounts, organization and sub organization structure, network, security infrastructure and many more things that needs to be considered as part of any enterprise-grade setup, especially at scale. That’s where you need Landing Zone.

Landing zone can provide following things:

  • A landing zone is a well-architected, multi-account AWS environment that’s based on security and compliance best practices
  • It provides a baseline to get started with multi-account architecture
  • Fundamental aspects for any complex hybrid cloud such as access control, governance, data security, network design, and shared services such as logging/ monitoring etc.
  • Automating and setting up cloud using AWS control tower for faster pace and repeatability
  • Setting up right set of policies and compliances for the your Industry

Landing Zone Benefits

The Landing Zone solution provides users with a few key benefits designed to allow easy control of multiple accounts. Here’s a quick overview of all the benefits you can expect:

  • Automatic AWS environment setup
  • Saves a lot of time and effort
  • AVM or Account Vending Machine
  • Managing multiple accounts
  • Automatic baseline security feature setup
  • Account management
  • Centralized logging
  • The setup is done according to the best practices
  • Efficient governance and operation
  • Creates a flexible business environment

How to create Landing Zone?

When we start thinking about AWS and what customers want to do on AWS, we need to first think about requirements to better understand what the customers need. For example:

  • Which is the right service/tool to use?
  • What about security, governance, and baseline?
  • How many accounts should I create for my customer based on use cases?
  • How many users, groups, and what permissions should they have?

Let me also introduce you to the concept of a Landing Zone and Control Tower with respect to when they work well together.

AWS Landing Zone vs. Control Tower

AWS Control Tower is an AWS managed service able to control all the resources that are part of: AWS Organizations, Identity and Access Management, Guardrails, Service Catalog and multi AWS accounts. Through the Service Catalog, you can create as many accounts as you want and apply to them the rules based on the requirements. Control Tower sets up a Landing zone in easy and secure way.
Landing Zone is a solution provided by AWS Control Tower or you can create your own solution based on your requirements. Your own CloudFormation or Terraform stacks across AWS accounts.

Both Control Tower and Landing Zone help set up and manage secure multi-account AWS environments. Now the question comes which one should customers use? Let's take a closer look and figure out.

Three different ways to create landing zones are:

  1. A landing zone based on services using AWS Control Tower
  2. A CloudFormation solution build within the AWS Landing Zone
  3. A Custom landing zone you build manually

More details in upcoming article. Watch this space for more.

Top comments (0)

Super Useful CSS Resources

A collection of 70 hand-picked, web-based tools which are actually useful.
Each will generate pure CSS without the need for JS or any external libraries.