AWS Landing Zones provide a simple way to set up a secure and scalable multi-account environment on AWS based on best practices. The goal is to establish a solid account structure with controls around isolation, compliance, and access right from the start.
- Isolation between workloads and accounts
- Built-in security controls
- Centralized identity and access management
- Pre-configured network design
- Default governance guardrails
- Consolidated logging
Overall, Landing Zones give organizations a structured approach to launching new workloads and applications quickly and securely on AWS.
Benefits of a Multi-Account Environment
Using multiple AWS accounts provides important benefits for security, isolation, and organizational management. Here are some of the key advantages of structuring your AWS footprint with separate accounts:
- Account isolation limits blast radius of failures or breaches to a single account rather than impacting everything.
- Workload isolation ensures changes in one workload don’t affect others.
- Resource isolation contains impacts of outages, resource limits, etc.
- Data isolation secures and separates sensitive data.
- Per-account security controls enable fine-grained policies based on sensitivity.
- Separate accounts allow for more focused audits and compliance.
- Accounts can be managed by separate security teams.
- Granular IAM policies per account and workload.
- Access can be locked down at the account level.
- Cross-account access management establishes secure sharing.
- Account structure maps to business units and functions.
- Account ownership aligns with teams.
- Billing and chargeback can be accounted per account.
- Account quotas are separate - no noisy neighbor problems.
- Accounts facilitate delegation of ownership.
- Self-service account creation enables innovation.
- New workloads can be spun up quickly in new accounts.
So in summary, the multi-account approach is a security and design best practice for organizations using AWS at scale. AWS provides tools like AWS Organizations to make creating and managing multiple accounts easier.
AWS Organizations Overview
AWS Organizations is an AWS service that enables you to centrally manage and govern your environment as you scale your workloads across multiple AWS accounts.
With Organizations, you can create separate AWS accounts underneath a root account and organize them into organizational units (OUs). This supports the recommended account structure aligned to your business needs.
Key capabilities include:
- Centralized management of accounts and policies
- Hierarchical grouping of accounts into OUs
- Cross-account access controls
- Consolidated billing and chargeback
- Account isolation through Service Control Policies (SCPs)
AWS Organizations is made up of:
- Root account - The original AWS account used to set up Organizations.
- Organizational units (OUs) - Containers for grouping AWS accounts.
- AWS accounts - Individual accounts created under the Organizations structure.
- Master account - Central point of administration for the organization.
OUs provide the flexibility to model your account structure and hierarchy however you want.
Organizations enables you to apply policies across multiple accounts without having to manually configure each one:
- Service control policies (SCPs) - Allow lists and deny lists for AWS service actions.
- Tag policies - Require tags on resources for governance.
- Backup policies - Central backup settings.
These facilitate consistent guardrails and controls for compliance across all accounts.
Overall, AWS Organizations provides the foundation for a structured, governed multi-account environment aligned to your business’s needs.
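To make the SCP semantics above concrete, here is an added example (not AWS's code or the author's) that models how SCPs attached at the root, at an OU and at the account combine with a principal's IAM policy. The policy documents are constructed for illustration, and the model deliberately ignores Conditions, NotAction and resource ARNs.

```python
import fnmatch

# Added example, not AWS's own code: a simplified model of how service control
# policies on the path root -> OU -> account combine with a principal's IAM policy.
# Only Allow/Deny on action names is modelled, so treat it as a teaching model.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Constructed baseline SCPs (assumed shapes, not copied from a real organization).
DENY_LEAVE_ORG = {"Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}
PROTECT_CLOUDTRAIL = {"Statement": [{"Effect": "Deny", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]}]}
SANDBOX_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"]}]}

def _matches(action, patterns):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def policy_allows(action, policy):
    """Single document: an explicit Deny wins, then any Allow, else implicit deny."""
    stmts = policy["Statement"]
    if any(s["Effect"] == "Deny" and _matches(action, s["Action"]) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(action, s["Action"]) for s in stmts)

def level_allows(action, scps):
    """All SCPs attached at one level are evaluated together as one document.
    A level that lacks FullAWSAccess becomes an allow list for that subtree."""
    return policy_allows(action, {"Statement": [s for p in scps for s in p["Statement"]]})

def effective_allows(action, iam_policy, scp_chain):
    """Permitted only if the IAM policy allows it AND every level on the path
    from the root to the account allows it. SCPs never grant on their own."""
    return policy_allows(action, iam_policy) and all(
        level_allows(action, level) for level in scp_chain)

ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_READER = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*"}]}
# Path root -> Workloads OU -> account; FullAWSAccess is attached everywhere by default.
WORKLOAD_CHAIN = [[FULL_AWS_ACCESS, DENY_LEAVE_ORG],
                  [FULL_AWS_ACCESS, PROTECT_CLOUDTRAIL], [FULL_AWS_ACCESS]]
# Path root -> Sandbox OU (FullAWSAccess detached, allow list instead) -> account.
SANDBOX_CHAIN = [[FULL_AWS_ACCESS, DENY_LEAVE_ORG], [SANDBOX_ALLOW_LIST], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    for action in ("s3:ListBucket", "cloudtrail:StopLogging", "iam:CreateUser"):
        print(action, "workload:", effective_allows(action, ADMIN, WORKLOAD_CHAIN),
              "sandbox:", effective_allows(action, ADMIN, SANDBOX_CHAIN))
```

Note that an administrator in the Workloads OU still cannot stop CloudTrail, while the Sandbox OU's missing FullAWSAccess turns its single SCP into an allow list that blocks everything outside EC2 and S3.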
AWS Control Tower vs Custom Landing Zones
When setting up a secure multi-account environment on AWS, you have two primary options:
- Use AWS Control Tower
- Build a custom landing zone
AWS Control Tower
AWS Control Tower provides a managed service to automate the setup of a landing zone based on AWS best practices. It:
- Creates core accounts and OUs
- Applies pre-configured guardrails and policies
- Provides an account factory for provisioning new accounts
- Offers a central dashboard for monitoring and visibility
Advantages:
- Fully managed service
- Fast setup following AWS blueprints
- Built-in governance and compliance
- Simple account provisioning
Drawbacks:
- Less flexible for customization
- Limited to AWS regions where Control Tower is available
Custom Landing Zone
You can build your own custom landing zone implementation on AWS.
This involves defining a baseline environment including:
- Identity and access management
- Network design
- Governance model
- Security controls
- Auditing and logging
Advantages:
- Complete customization to your requirements
- Not limited to Control Tower regions
- Full control over all aspects
Drawbacks:
- Time and expertise required for implementation
- Ongoing management overhead
- No built-in governance guardrails
For most organizations, we recommend starting with AWS Control Tower and then customizing as needed. But for advanced requirements, custom landing zones are an option.
Core Components of a Landing Zone
A landing zone provides the foundation for running secure, scalable workloads on AWS across multiple accounts.
The core components that need to be established for a robust landing zone are:
Identity and Access Management
- Centralized directory for user identities and SSO
- Federated access to AWS accounts
- Cross-account IAM roles for admin access
- Granular IAM policies in each account
Governance Model
- Account structure and hierarchy
- Naming conventions
- Resource tagging policies
- Change control processes
Network Design
- VPC topology aligned to use cases
- Hybrid connectivity to on-premises
- Network security and DDoS protection
- Route tables and access controls
Security Controls
- Encryption enabled by default
- Security groups and NACLs
- AWS Config rules to audit configurations
- CloudTrail event logging
Auditing and Logging
- CloudTrail logs sent to central S3 bucket
- VPC Flow Logs for network monitoring
- AWS Config records aggregated centrally
- CloudWatch metrics and dashboards
By implementing these key pillars upon a solid AWS account structure, organizations can deploy workloads and applications with the security, governance, and network functionality required for business critical systems.
Ongoing management of the landing zone is also critical over time as the organization scales on AWS.
Implementing a Security Baseline
A core step in deploying a landing zone is defining and implementing a default security baseline across all accounts. This establishes fundamental security protections by default.
Elements of a strong multi-account security baseline include:
Identity and Access
- Ensure multi-factor authentication is enabled for all privileged users
- Require strong passwords and rotation policies
- Disable root account access keys
- Enable AWS IAM Identity Center for SSO
Network Security
- Restrict RDP/SSH access to bastion hosts
- Implement security groups that allow only required ports/protocols
- Enable VPC flow logs for visibility into traffic
Data Protection
- Enable encryption of data at rest and in transit
- Block public S3 buckets
- Enforce least-privilege access to data
Visibility and Auditing
- Send CloudTrail logs to a central logging account
- Aggregate AWS Config data centrally
- Enable AWS Config rules to audit configurations
- Forward logs to SIEM or monitoring tools
Compliance
- Check regional regulatory compliance requirements
- Consult the compliance team on applicable standards
- Adjust Config rules and controls to adhere to standards
Detection and Response
- Enable GuardDuty for malicious behavior detection
- Configure event-driven notifications for security events
- Establish incident response playbooks and testing
The goal is to apply this baseline across all accounts consistently using tools like AWS Organizations SCPs. Exceptions can be handled through formal exemption processes.
Regular audits of the security baseline are critical to identify any drift from the desired state over time.
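As an added illustration of auditing this baseline for drift (example code, not from the post or any AWS tool), the following evaluates constructed account snapshots against several of the items above, the way a set of Config rules or a scheduled audit job would. The snapshot field names, account ids and bucket name are assumptions made for the example.

```python
# Added example, not from the post: drift checks over constructed account
# snapshots. Field names are assumptions chosen for this example, not the
# shape of any AWS API response; account ids and bucket name are constructed.
CENTRAL_LOG_BUCKET = "org-cloudtrail-logs"  # assumed bucket in the logging account

def _privileged_without_mfa(snap):
    return [u["name"] for u in snap["iam_users"]
            if u["admin"] and not u["mfa_enabled"]]

# Each check: (control id, severity, predicate true when compliant, detail text builder)
CHECKS = [
    ("IAM-1", "critical", lambda s: not s["root_access_keys"],
     lambda s: "root access keys exist"),
    ("IAM-2", "high", lambda s: not _privileged_without_mfa(s),
     lambda s: "privileged users without MFA: " + ", ".join(_privileged_without_mfa(s))),
    ("LOG-1", "high", lambda s: any(t["multi_region"] and t["bucket"] == CENTRAL_LOG_BUCKET
                                     for t in s["cloudtrail_trails"]),
     lambda s: "no multi-region trail delivering to " + CENTRAL_LOG_BUCKET),
    ("DATA-1", "high", lambda s: s["s3_account_public_access_block"],
     lambda s: "account-level S3 Block Public Access is off"),
    ("DET-1", "medium", lambda s: s["guardduty_enabled"],
     lambda s: "GuardDuty detector not enabled"),
]

def evaluate(snapshot):
    """Return findings as (account_id, control, severity, detail) for failed checks."""
    return [(snapshot["account_id"], cid, sev, detail(snapshot))
            for cid, sev, ok, detail in CHECKS if not ok(snapshot)]

def evaluate_all(snapshots):
    return sorted((f for s in snapshots for f in evaluate(s)), key=lambda f: f[:2])

# Constructed snapshots: one compliant account and one that has drifted.
SNAPSHOTS = [
    {"account_id": "111111111111", "root_access_keys": False,
     "iam_users": [{"name": "alice", "admin": True, "mfa_enabled": True}],
     "cloudtrail_trails": [{"multi_region": True, "bucket": CENTRAL_LOG_BUCKET}],
     "s3_account_public_access_block": True, "guardduty_enabled": True},
    {"account_id": "222222222222", "root_access_keys": True,
     "iam_users": [{"name": "bob", "admin": True, "mfa_enabled": False},
                   {"name": "svc-deploy", "admin": False, "mfa_enabled": False}],
     "cloudtrail_trails": [{"multi_region": False, "bucket": "local-bucket"}],
     "s3_account_public_access_block": False, "guardduty_enabled": True},
]

if __name__ == "__main__":
    for finding in evaluate_all(SNAPSHOTS):
        print(*finding)
```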
Account Provisioning Options
As your organization scales its use of AWS, new accounts will need to be created over time for new workloads, environments, and projects.
There are two primary options for provisioning new accounts in a secure and governed manner:
Account Vending Machine
The account vending machine (AVM) is an automation tool provided by AWS services like Control Tower and Organizations.
It allows new accounts to be created while adhering to your account structure, naming conventions, and security policies. An AVM:
- Automates creation of accounts
- Enforces onboarding of required configurations
- Applies baseline security automatically
- Integrates with the existing identity provider
- Allows governance of new accounts
Advantages:
- Increased speed of account provisioning
- Reduced manual processes
- Consistent configuration and security
- Oversight of account creation
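The vending flow described above, as an added example rather than Control Tower's own implementation: it drives the steps through the boto3 Organizations method names, using a constructed in-memory stand-in for the client so it runs offline (pass boto3.client("organizations") from the management account to run it for real). The OU and policy ids are placeholders.

```python
import time

# Added example, not Control Tower's or AWS's code. FakeOrganizations is a
# constructed stand-in exposing the boto3 Organizations methods used here;
# OU and policy ids passed in are placeholders, not values from a real org.

def vend_account(org, name, email, target_ou_id, baseline_policy_ids, poll_secs=0):
    """Create the account, wait for creation, move it out of the root into its
    OU, and attach the baseline SCPs so it is never left ungoverned."""
    req = org.create_account(Email=email, AccountName=name, IamUserAccessToBilling="DENY",
                             RoleName="OrganizationAccountAccessRole")
    status = req["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":  # creation is asynchronous
        time.sleep(poll_secs)
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
    account_id = status["AccountId"]
    parent = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]  # new accounts land in the root
    org.move_account(AccountId=account_id, SourceParentId=parent,
                     DestinationParentId=target_ou_id)
    for policy_id in baseline_policy_ids:  # account-level SCPs on top of the OU's
        org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    return account_id

class FakeOrganizations:
    """Constructed in-memory double for the handful of calls used above."""
    def __init__(self):
        self.parents, self.attached, self.requests = {}, {}, {}
    def create_account(self, **kw):
        rid, acct = f"car-{len(self.requests)}", f"{len(self.requests) + 1:012d}"
        self.requests[rid] = {"Id": rid, "State": "IN_PROGRESS", "AccountId": acct}
        self.parents[acct] = "r-root"
        return {"CreateAccountStatus": dict(self.requests[rid])}
    def describe_create_account_status(self, CreateAccountRequestId):
        self.requests[CreateAccountRequestId]["State"] = "SUCCEEDED"  # done on first poll
        return {"CreateAccountStatus": dict(self.requests[CreateAccountRequestId])}
    def list_parents(self, ChildId):
        return {"Parents": [{"Id": self.parents[ChildId], "Type": "ROOT"}]}
    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parents[AccountId] == SourceParentId
        self.parents[AccountId] = DestinationParentId
    def attach_policy(self, PolicyId, TargetId):
        self.attached.setdefault(TargetId, []).append(PolicyId)

if __name__ == "__main__":
    org = FakeOrganizations()
    acct = vend_account(org, "payments-dev", "aws+payments-dev@example.com",
                        "ou-workloads-PLACEHOLDER", ["p-baseline-PLACEHOLDER"])
    print(acct, org.parents[acct], org.attached[acct])
```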
Manual Account Creation
New AWS accounts can be manually created as needed outside of an automated approach.
This involves steps such as:
- Creating the new AWS account
- Configuring users and groups
- Applying base policies
- Onboarding to centralized logging
- Integrating with AD or SSO
Advantages:
- Maximum flexibility in one-off scenarios
- No additional services required
Drawbacks:
- Slower process
- Risk of human error
- Duplicate work across accounts
- Loose governance over new accounts
For most organizations, implementing an AVM provides major efficiency and security gains as their AWS footprint scales. But manual approaches may be needed in some cases.
Best Practices for Deployment
When implementing landing zones and multi-account environments, there are a number of best practices to follow:
Account Management
- Document account management procedures
- Automate policy and config management
- Centralize identity management
- Enforce naming conventions
- Implement processes for account creation/deletion
Networking
- Use separate VPCs for different environments
- Align VPC architecture to organizational needs
- Implement least-privilege security groups
- Enable VPC flow logs
- Establish hybrid connectivity
Security
- Never use root accounts except for emergencies
- Lock down IAM permissions to least privilege
- Enable encryption and role separation by default
- Continuously audit configurations
- Formalize an exemption process for one-off changes
Logging and Monitoring
- Send logs to a central repository
- Retain logs based on compliance requirements
- Aggregate logs into dashboards and alerts
- Correlate logs across services
- Automate analysis of logs via SIEM
Change Management
- Utilize Infrastructure as Code tools
- Test changes in lower environments first
- Establish approval gates for changes
- Maintain an audit trail of changes
- Implement change freeze windows where required
Adhering to strong practices in these areas will enable smooth growth and operation of even large-scale multi-account AWS environments.
Once a landing zone and multi-account environment is deployed, ongoing management and governance are required for it to continue meeting business needs over time. Key areas include:
Configuration Management
- Have automated processes to push changes across accounts
- Review configurations for drift on a regular basis
- Maintain approval workflows for change requests
- Ensure documentation stays up to date
Identity and Access
- Review IAM permissions and roles quarterly
- Log and audit all privileged actions
- Rotate access keys and passwords per policy
- Integrate new human users/applications promptly
Security Monitoring
- Monitor VPN endpoints, security groups, and NACLs
- Tune and maintain WAF rules
- Configure alarms for usage spikes or anomalies
- Conduct regular penetration testing and red team exercises
Cost Management
- Keep unused resources turned off
- Right-size instance types to workloads
- Delete unused volumes and orphaned resources
- Leverage Savings Plans and RI discounts
Incident Response
- Run regular incident response simulations
- Have 24/7 on-call contact information handy
- Document triage and escalation procedures
- Develop capabilities to isolate compromised accounts
Compliance
- Maintain compliant configurations via Config Rules
- Collect evidence needed for control certification
- Perform internal audits to identify gaps
- Remediate issues prior to external audits
With strong processes in each of these areas, organizations can scale their multi-account AWS footprint while effectively managing risk, security, costs and compliance over time.
Implementing a secure and scalable multi-account environment on AWS is a best practice for organizations of any size.
The AWS account structure provides clear boundaries for management, isolation, and access controls.
Services like AWS Organizations make it easier to create accounts while maintaining centralized policies and compliance.
AWS Control Tower delivers pre-built landing zones following AWS security and governance guardrails.
For advanced customization, organizations can build their own landing zones tailored to their needs.
Key elements to focus on include:
- Identity and access management
- User and resource segmentation
- Network topology and connectivity
- Visibility through logging and auditing
- Automated governance and controls
- Incident response planning
No matter which approach is taken, maintaining the landing zone with strong change management processes is critical over time.
By leveraging the tools and best practices discussed, companies can deploy workloads on AWS across accounts with confidence in their security posture, operational integrity, and business alignment.
The multi-account model facilitated by landing zones provides the foundation for scale, agility, and innovation on the AWS cloud.
Looking for help with AWS Landing Zones or other advanced cloud technologies? The IT professionals at God Particle IT Group have the skills and experience to architect, build, and manage complex systems at scale. We specialize in cloud platforms like AWS and can provide enterprise-level support to develop cloud-engineered applications. Whether you need assistance with design, implementation, optimization, or managed services, contact us to see how we can help launch your next innovation. With deep expertise across today’s leading technologies, God Particle IT Group offers responsive, high-touch services to help you innovate faster.