Summary Prerequisites and limitations Epics Related resources Attachments

Document your AWS landing zone design

Created by Michael Daehnert (AWS), Florian Langer (AWS), and Michael Lodemann (AWS)

Environment: Production

Technologies: Management & governance; Infrastructure; Security, identity, compliance

AWS services: AWS Control Tower

Summary

A landing zone is a well-architected, multi-account environment that's based on security and compliance best practices. It is the enterprise-wide container that holds all of your organizational units (OUs), AWS accounts, users, and other resources. A landing zone can scale to fit the needs of an enterprise of any size. AWS has two options for creating your landing zone: a service-based landing zone using AWS Control Tower or a customized landing zone that you build. Each option requires a different level of AWS knowledge.

AWS created AWS Control Tower to help you save time by automating the setup of a landing zone. AWS Control Tower is managed by AWS and uses best practices and guidelines to help you create your foundational environment. AWS Control Tower uses integrated services, such as AWS Service Catalog and AWS Organizations, to provision accounts in your landing zone and manage access to those accounts.

AWS landing zone projects vary in requirements, implementation details, and operational action items. There are customization aspects that need to be handled with every landing zone implementation. This includes (but is not limited to) how access management is handled, which technology stack is used, and what the monitoring requirements are for operational excellence. This pattern provides a template that helps you document your landing zone project. By using the template, you can document your project more quickly and help your development and operations teams understand your landing zone.

Prerequisites and limitations

Limitations

This pattern does not describe what a landing zone is or how to implement one. For more information about these topics, see the Related resources section.

Epics

Task	Description	Skills required
Identify key stakeholders.	Identify key service and team managers that are linked to your landing zone.	Project manager
Customize the template.	Download the template in the Attachments section, and then update the template as follows: Remove any sections that don't apply to your organization's landing zone or processes. Add any sections that are unique to your organization.	Project manager
Complete the template.	In meetings with the stakeholders or by using a write-and-review process, complete the template as follows: Use the guidance and information in the blue boxes to complete each section. Replace or remove any yellow fields with custom values for your organization. Replace or remove any image fields with your custom architecture or flow diagrams. Complete the Revision history and Contributors section of the template.	Project manager
Share the design document.	When your landing zone design documentation is complete, save it in a shared repository or central location where all stakeholders can access it. We recommend that you use standard document control processes to record and approve revisions to the design document.	Project manager

Related resources

AWS Control Tower documentation
Customizations for AWS Control Tower (AWS Solutions Library)
Setting up a secure and scalable multi-account AWS environment (AWS Prescriptive Guidance)

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create an AWS Cloud9 IDE with default encrypted EBS volumes

Drift detection and reporting