What is a landing zone? - AWS Prescriptive Guidance

What is a landing zone?

A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. This is a starting point from which your organizations can quickly launch and deploy workloads and applications with confidence in their security and infrastructure environment. Building a landing zone involves technical and business decisions to be made across account structure, networking, security, and access management in accordance with your organization’s growth and business goals for the future.

When you start to use AWS at scale, you can look to AWS for prescriptive guidance and an approach for establishing your environment. AWS best practices in this area center around the need to isolate resources and workloads into multiple AWS accounts (resource containers) for isolation and scope of impact reductions. The next section explains why you want to use multiple accounts.

The multi-account framework

While there is no one-size-fits-all answer for how many AWS accounts you should have, we recommend that you create more than one AWS account. Multiple accounts provide the highest level of resource and security isolation. Consider creating additional AWS accounts if you answer yes to any of the following questions:

  • Does your business require administrative isolation between workloads?

  • Does your business require limited visibility and discoverability of workloads?

  • Does your business require isolation to minimize the blast radius?

  • Does your business require strong isolation of recovery and/or auditing data?


          Relationship of elements showing why one account isn't enough: many teams,
            security and compliance controls, billing, isolation, and business processes.

Further reasons why a single account might not be enough:

  • Security controls – Different applications might have different security profiles, requiring different control policies and mechanisms around them. It’s easier to talk to an auditor and point to a single account hosting the Payment Card Industry (PCI) workload.

  • Isolation – An account is a unit of security protection. Potential risks and security threats should be contained within an account without affecting others. There could be different security needs that require you to isolate one account from one another, whether due to multiple teams or a different security profile.

  • Data isolation – Isolating data stores to an account limits the number of people that can access and manage that data store. This contains exposure to highly private data and helps with General Data Protection Regulation (GDPR) compliance.

  • Many teams – Different teams have their different responsibilities and resource needs. They should not over-step one another in the same account.

  • Business process – Different business units or products might have different purposes and processes. You should establish different accounts to serve business-specific needs.

  • Billing – An account is the only true way to separate items at a billing level, including things like transfer charges. Multiple accounts help separate items at a billing level across business units, functional teams, or individual users.

  • Limit allocation – Limits are per account. Separating workloads into different accounts prevents them from consuming limits or potentially overprovisioning resources and then preventing other applications from working as intended.