Create a landing zone
A landing zone is a well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications. It provides a baseline to get started with multi-account architecture, identity and access management, governance, data security, network design, and logging. AWS Control Tower is a service that simplifies the maintenance and governance of a multi-account environment by providing automated guardrails. Typically, you provision a single AWS Control Tower landing zone that manages your environment across all AWS Regions. AWS Control Tower works by orchestrating other AWS services within your account. For more information, see What happens when you set up a landing zone (AWS Control Tower documentation).
When you set up a landing zone with AWS Control Tower, you identify three shared accounts: the management account, the log archive account, and the audit account. For more information, see What are the shared accounts (AWS Control Tower documentation). For the management account, you must use an existing account that isn't hosting any workloads to set up the landing zone. For the log archive and audit accounts, you can choose to reuse existing AWS accounts, or AWS Control Tower can create them for you.
For instructions about how to set up your AWS Control Tower landing zone, see Getting started (AWS Control Tower documentation).
Best practices
- Adhere to the best practices in Design principles for your multi-account strategy (AWS Whitepaper).
- Adhere to the Best practices for AWS Control Tower administrators (AWS Control Tower documentation).
- Create your landing zone in the AWS Region that hosts the majority of your workloads. This Region becomes the home Region of the landing zone.
  Important: If you decide to change this Region after deploying your landing zone, you must decommission the landing zone and you need the assistance of AWS Support. This practice isn't recommended.
- When determining which Regions AWS Control Tower will govern, select only the Regions in which you expect to immediately deploy workloads. You can change these Regions or add more later. If AWS Control Tower governs a Region, it deploys its detective guardrails into that Region as AWS Config rules. Resources that already exist in a Region that AWS Control Tower does not govern are not evaluated by those guardrails.
- After determining which Regions AWS Control Tower will govern, deny access to all ungoverned Regions. This helps ensure that your workloads and developers can only use approved AWS Regions. This is implemented as a service control policy (SCP) in the organization; the policy exempts global services such as IAM, AWS STS, and AWS Organizations so that they remain usable, and, like any SCP, it does not restrict the management account. For more information, see Configure the AWS Region deny control (AWS Control Tower documentation).
- When setting up your landing zone in AWS Control Tower, we recommend you rename the following OUs and accounts:
  - Rename the Security OU to Security_Prod to signify that this OU will be used for production security-related AWS accounts.
  - Allow AWS Control Tower to create an additional OU and then rename it from Sandbox to Workloads. In the next section, you create additional OUs within the Workloads OU, which you use to organize your AWS accounts.
  - Rename the centralized logging AWS account from Log Archive to log-archive-prod.
  - Rename the audit account from Audit to security-tooling-prod.
- To help prevent fraud, AWS requires that AWS accounts have a history of use before they can be added to an AWS Control Tower landing zone. If you plan to reuse a new AWS account without any usage history (for example, as the log archive or audit account), launch an Amazon Elastic Compute Cloud (Amazon EC2) instance that is not in the AWS Free Tier in that account. Let the instance run for a few minutes and then terminate it. The instance incurs a small charge, which is what establishes the usage history.
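The Region deny control recommended above is, at its core, an SCP with a single Deny statement. The following is an added example, not the policy that AWS Control Tower deploys and not code from this guide: it builds an SCP in that shape (Deny, NotAction for a list of global services, a StringNotEquals condition on aws:RequestedRegion, and an ArnNotLike exemption on aws:PrincipalARN) and pairs it with a small evaluator that shows which sample requests the statement would block. The governed Regions, the partial global-service list, and the OrgAdminBreakGlass role are assumptions chosen for illustration; the evaluator implements only the policy elements this statement uses.

```python
"""Region deny SCP sketch plus a minimal evaluator (added example; not the
AWS Control Tower control itself)."""
import fnmatch
import json

# Assumption: the Regions you chose for AWS Control Tower to govern.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1"]

# Assumption: a partial, illustrative list of global services that must stay
# reachable from any Region. The real control exempts a longer list.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
    "support:*", "budgets:*", "health:*",
]

# Assumption: a hypothetical break-glass role that the deny must not block.
EXEMPT_PRINCIPAL_ARNS = ["arn:aws:iam::*:role/OrgAdminBreakGlass"]


def region_deny_scp() -> dict:
    """Build the SCP document. An SCP never grants access; this one only
    removes it for requests that target a Region outside GOVERNED_REGIONS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideGovernedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
                    "ArnNotLike": {"aws:PrincipalARN": EXEMPT_PRINCIPAL_ARNS},
                },
            }
        ],
    }


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_denied(policy: dict, action: str, region: str, principal_arn: str) -> bool:
    """Return True if a Deny statement in `policy` matches the request.

    Only the elements the SCP above uses are implemented: Action/NotAction,
    StringNotEquals on aws:RequestedRegion and ArnNotLike on aws:PrincipalARN.
    'Not denied' means this SCP does not block the request; identity policies
    still have to grant it.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction: the statement applies to every action except those listed
            if any(_matches(p, action) for p in stmt["NotAction"]):
                continue
        elif not any(_matches(p, action) for p in stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        allowed_regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if allowed_regions and region in allowed_regions:
            continue  # request targets a governed Region: condition is false
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if exempt and any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue  # exempt principal: condition is false
        return True
    return False


if __name__ == "__main__":
    policy = region_deny_scp()
    print(json.dumps(policy, indent=2))
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed sample principal
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "ap-southeast-2")]:
        verdict = "denied" if is_denied(policy, action, region, dev) else "not denied"
        print(f"{action} in {region}: {verdict}")
```

Running the block prints the policy document and shows that an EC2 call in an ungoverned Region is denied, the same call in a governed Region is not, and IAM stays usable from anywhere because it is exempted through NotAction. Before attaching a policy like this to an OU, check the exemption list against the global services your accounts actually depend on; a missing entry turns into a hard outage for that service in every ungoverned Region.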