Building a landing zone
You have a few options for creating your landing zone on AWS. You can choose a managed service to orchestrate your environment or work with a partner to build your own. AWS offers AWS Control Tower.
Options for landing zones on AWS, with the benefits and trade-offs of each approach:

| Solution | Benefits | Trade-offs |
|---|---|---|
| AWS Control Tower | | |
| AWS Organizations | | |
| Custom-built solution | | |
All multi-account environment offerings are powered by AWS Organizations. AWS Organizations provides the underlying infrastructure and capabilities for you to build and manage your AWS environment. With AWS Organizations, you can take the multi-account strategy guidance provided by AWS and customize your environment yourself to best fit your business needs. If you are an existing customer and you’re happy with your current AWS Organizations implementation, you should continue to operate your current AWS environment.
AWS Control Tower
AWS Control Tower runs as an AWS managed service. When you’re looking for a pre-packaged environment solution out of the box, you can use AWS Control Tower for prescriptive guidance and a fully managed environment. The service sets up a landing zone based on multi-account best practices, centralizes identity and access management, and establishes pre-configured governance rules for security and compliance.
AWS Control Tower automates the setup of a new landing zone using best-practice blueprints for identity, federated access, and account structure. Some of the blueprints implemented by AWS Control Tower include:
- A multi-account environment using AWS Organizations
- Cross-account security audits using AWS Identity and Access Management (IAM) and AWS IAM Identity Center
- Identity management using the Identity Center default directory
- Centralized logging from AWS CloudTrail and AWS Config, stored in Amazon Simple Storage Service (Amazon S3)
Guardrails are high-level rules that provide ongoing governance for your overall AWS environment. A guardrail is either preventive or detective. Preventive guardrails are implemented using service control policies (SCPs), which are a part of AWS Organizations; they stop the action from happening at all, regardless of the IAM permissions granted inside the member account. Detective guardrails are implemented using AWS Config Rules and AWS Lambda functions; they report non-compliant resources after the fact rather than blocking them. Examples of AWS Control Tower guardrails include:
- Disallow creation of access keys for the root user
- Disallow internet connection through RDP
- Disallow public write access to S3 buckets
- Disallow Amazon Elastic Block Store (Amazon EBS) volumes that are unattached to an Amazon Elastic Compute Cloud (Amazon EC2) instance
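To make the preventive guardrail mechanism concrete, here is an added example (not AWS Control Tower's own control definition) of an SCP modelled on the "disallow creation of access keys for the root user" guardrail, together with a small offline model of how a Deny statement is evaluated. The SCP document, its `Sid`, the placeholder account ID `123456789012` and the evaluator functions are all assumptions for illustration; the evaluator models only explicit-Deny matching with `StringLike`/`StringEquals` conditions, not the full IAM policy evaluation logic.

```python
"""Preventive guardrail as an SCP: deny iam:CreateAccessKey when the caller
is an account's root user, plus a small offline model of how the Deny applies.
Illustrative code, not the AWS Control Tower control definition."""
import fnmatch
import json

# Hypothetical SCP modelled on the "disallow root access keys" guardrail.
# In a real landing zone it would be created with organizations:CreatePolicy
# and attached to an OU; here it is only evaluated locally.
ROOT_ACCESS_KEY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUserAccessKeys",
            "Effect": "Deny",
            "Action": "iam:CreateAccessKey",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def _as_list(value):
    """IAM lets most policy fields be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringLike / StringEquals only (all this SCP needs).
    A missing context key never matches, so the Deny does not apply."""
    for operator, clauses in condition.items():
        for key, patterns in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                matched = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns))
            elif operator == "StringEquals":
                matched = actual in _as_list(patterns)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not matched:
                return False
    return True


def scp_denies(scp, action, context):
    """True when a Deny statement matches the action and the request context.
    Simplified SCP semantics: SCPs only restrict, an explicit Deny always wins,
    and a request the SCP leaves alone still needs an Allow in the principal's
    identity policy before it succeeds."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action names match case-insensitively; * and ? are wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(ROOT_ACCESS_KEY_SCP, indent=2))
    # 123456789012 is a placeholder account ID, not a real account.
    for arn in ("arn:aws:iam::123456789012:root",
                "arn:aws:iam::123456789012:user/alice"):
        ctx = {"aws:PrincipalArn": arn}
        verdict = "DENIED" if scp_denies(ROOT_ACCESS_KEY_SCP, "iam:CreateAccessKey", ctx) else "not denied by SCP"
        print(f"{arn}: {verdict}")
```

The point the model makes visible is why this guardrail is preventive rather than detective: the Deny is matched on the calling principal's ARN before any IAM identity policy in the member account is consulted, so even an administrator in that account cannot create root access keys while the SCP is attached to the account's OU.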
Note
AWS Control Tower is a starting point for a landing zone. You need to determine your strategy for networking, access management, and security based on your unique requirements as you build out your landing zone.
Custom-built landing zone
You can choose to build your own customized landing zone solution. In this case, you have to implement the baseline environment to get started with identity and access management, governance, data security, network design, and logging. We recommend this approach if you want to build all of your environment components from scratch, or if you have requirements that only a custom solution can support. You must have enough expertise in AWS to manage, upgrade, maintain, and operate the solution once it’s deployed.
However, before you move forward with a customized landing zone design, we recommend that you consider AWS Control Tower first. AWS Control Tower has been customized and used by many customers across industries to successfully deploy workloads on AWS. If AWS Control Tower does not meet your needs for customization, try AWS Landing Zone. Note that the AWS Landing Zone solution is no longer actively supported by AWS, which recommends AWS Control Tower in its place; verify its current status before you adopt it.
Recommended approach
We recommend that all new landing zones start with AWS Control Tower. AWS Control Tower helps you build out an initial prescriptive landing zone configuration, use out-of-the-box guardrails and blueprints, and create new accounts using AWS Control Tower account factory.
If you require custom guardrails and blueprints, see Customizations for AWS Control Tower (CfCT).
If you are an existing AWS Control Tower customer, you have both native AWS Control Tower lifecycle events and the reference implementation for customization available to support your customization needs. All you need to do is deploy the reference implementation’s AWS CloudFormation template into your existing AWS Control Tower account.