Building a landing zone - AWS Prescriptive Guidance

Building a landing zone

You have a few options for creating your landing zone on AWS. You can choose a managed service to orchestrate your environment or work with a partner to build your own. AWS offers AWS Control Tower, a managed service. We recommend new customers start off with AWS Control Tower. However, it is important to understand the differences and capabilities of each approach so you can make the best decision for your organization.

Options for landing zones on AWS:

      Options for landing zones on AWS

Delivery mechanism:

      Delivery mechanism showing the differences between AWS Control Tower and a customized
        landing zone that is managed by the customer or partner

Benefits and trade-offs for each approach:

Solution Benefits Trade-offs

AWS Control Tower

  • Fully managed service

  • AWS-provided guardrails and compliance policies applied by default

  • Central dashboard for monitoring and compliance status

  • Account factory for provisioning new accounts

AWS Organizations with a customer or partner built custom solution

Custom-built solution

  • Customer or partner owns all development and coding.

  • Customer or partner is responsible for integration and implementation.

All multi-account environment offerings are powered by AWS Organizations. AWS Organizations provides the underlying infrastructure and capabilities for you to build and manage your AWS environment. With AWS Organizations, you can take the multi-account strategy guidance provided by AWS and customize your environment yourself to best fit your business needs. If you are an existing customer and you’re happy with your current AWS Organizations implementation, you should continue to operate your current AWS environment.

AWS Control Tower

AWS Control Tower runs as an AWS managed service. When you’re looking for a pre-packaged environment solution out of the box, you can use AWS Control Tower for prescriptive guidance and a fully managed environment. The service sets up a landing zone based on multi-account best practices, centralizes identity and access management, and establishes pre-configured governance rules for security and compliance.

        AWS Control Tower setup

AWS Control Tower automates the setup of a new landing zone using best practices, blueprints for identity, federated access, and account structure. Some of the blueprints implemented on AWS Control Tower include:

  • A multi-account environment using AWS Organizations

  • Identity management using AWS Single Sign-On (AWS SSO) default directory

  • Centralized logging from AWS CloudTrail, and AWS Config stored in Amazon Simple Storage Service (Amazon S3)

  • Cross-account security audits using AWS Identity and Access Management (IAM) and AWS SSO

Guardrails are high-level rules that provide ongoing governance for your overall AWS environment. Guardrails can be both preventive or detective. Preventive guardrails are implemented using service control policies (SCPs), which are a part of AWS Organizations. Detective guardrails are implemented using AWS Config Rules and AWS Lambda functions. Examples of AWS Control Tower guardrails include:

  • Disallow creation of access keys for the root user

  • Disallow internet connection through RDP

  • Disallow public write access to S3 buckets

  • Disallow Amazon Elastic Block Store (Amazon EBS) volumes that are unattached to an Amazon Elastic Compute Cloud (Amazon EC2) instance


AWS Control Tower is a starting point for a landing zone. You need to determine your strategy for networking, access management, and security based on your unique requirements as you build out your landing zone.

Custom-built landing zone

You can choose to build your own customized landing zone solution. In this case, you have to implement the baseline environment to get started with identity and access management, governance, data security, network design, and logging. We recommend this approach if you want to build all of your environment components from scratch, or if you have requirements that only a custom solution can support. You must have enough expertise in AWS to manage, upgrade, maintain, and operate the solution once it’s deployed.

However, before you move forward with a customized landing zone design, we recommend that you consider AWS Control Tower first. AWS Control Tower has been customized and used by many customers across industries to successfully deploy workloads on AWS. If AWS Control Tower does not meet your needs for customization, try AWS Landing Zone. This is a landing zone implementation based on AWS CloudFormation.

We recommend that all new landing zones start with AWS Control Tower. AWS Control Tower helps you build out an initial prescriptive landing zone configuration, use out-of-the-box guardrails and blueprints, and create new accounts using AWS Control Tower account factory.

If you require custom guardrails and blueprints, see Customizations for AWS Control Tower for customizing your AWS Control Tower landing zone. This reference implementation integrates with AWS Control Tower lifecycle events and notifications feature to push landing zone customizations in response to applicable AWS Control Tower lifecycle events.

If you are an existing AWS Control Tower customer, you have both native AWS Control Tower lifecycle events and the reference implementation for customization available to support your customization needs. All you need to do is deploy the reference implementation’s AWS CloudFormation template into your existing AWS Control Tower account.