The AWS (Amazon Web Services) Landing Zone Accelerator (LZA) – Part 1

This post is the first in a multi-part series on the AWS Landing Zone Accelerator (LZA) solution and my experience deploying it at scale: what is possible, what is not, and the benefits and challenges of using the solution. The source code can be found here:

https://github.com/awslabs/landing-zone-accelerator-on-aws 

The Landing Zone Accelerator on AWS solution deploys a cloud foundation platform that is architected to align with AWS best practices and multiple global compliance frameworks. The solution (depending on configuration of services and features) helps to establish a Well-Architected foundational landing zone to help customers meet their compliance and governance requirements.  

With this solution, customers with highly regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. When used in coordination with other AWS services, it provides a comprehensive low-code solution across 35+ AWS services. Using a dedicated pipeline deployment pattern, the solution deploys a structure like the below:

The LZA solution is a fully customisable and comprehensive platform solution built using AWS Cloud Development Kit (CDK) and is an extension to an existing AWS Control Tower deployment. The AWS Control Tower solution on its own is a great initial way of establishing a multi-account, AWS Organizations structure complete with consolidated billing (taking advantage of economies of scale for services usage charges) and a foundational IAM Identity Centre (formerly AWS Single Sign-On – SSO) deployment.

The Challenge LZA Sets Out to Solve

Beyond the initial deployment of Control Tower, customers and partners were still left to build a platform that extends security compliance, networking, logging, events, Service Control Policies (SCPs), tagging policies, services and budgets using Infrastructure as Code (IaC) to capitalise on automation. This usually fell to customers or partners, who created bespoke solutions (often referred to as foundations solutions). The role of LZA is to fill this gap beyond Control Tower's capabilities with a fully customisable, scalable and cloud-native platform solution, while also addressing the inconsistency in how such bespoke platform solutions are operated.

Benefits

Automation

Automatically set up a cloud environment suitable for hosting secure workloads. You can deploy this solution in all AWS Regions. This helps you maintain consistency of your operations and governance across AWS standard Regions, AWS GovCloud (US), and other non-standard partitions in AWS. The LZA builds foundations fast and consistently. 

Data security

Deploy the solution in an AWS Region suitable for your data classification and use Amazon Macie to provide sensitive data detection in Amazon S3. This solution also helps you deploy, operate, and govern a centrally managed encryption strategy using AWS KMS. 

Foundation for compliance

Leverage a foundational infrastructure for deploying mission-critical workloads across a centrally governed multi-account environment. It also helps to ensure compliance against industry benchmarks such as CIS and NIST, and against sector-specific requirements in Finance (APRA, the Australian Prudential Regulation Authority), Education, Healthcare, Government (ASD) and Law Enforcement.

Easy management and deployment

The LZA leverages cloud-native services to build and deploy critical baseline services without the need to build or manage infrastructure. Management of the LZA post-deployment is carried out through simple configuration files, and changes and updates are deployed through a central repository and AWS CodePipeline.
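To show what "management through configuration files" looks like in practice, here is an added fragment (not from this post or the project's own repository) of the kind of security-config.yaml that drives LZA's central security services: it delegates security administration to the Audit account and enables the Macie sensitive-data detection mentioned under Data security. The key names follow the project's sample configuration as I recall them and the Audit account name is an assumption, so verify both against the LZA docs before committing.

```yaml
# Fragment of security-config.yaml (key names assumed from the LZA sample config; verify against the docs)
centralSecurityServices:
  # Security services are administered from the Control Tower Audit account (assumed account name)
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  macie:
    # Sensitive-data detection in S3, as described under "Data security"
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      overrideExisting: true
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
```

Committing a change to this file in the accelerator's configuration repository is what triggers the pipeline, which then applies the change across every enabled account and region rather than requiring per-account console work.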

Documentation Included

Providing prescriptive guidance and simple configuration is key to ensuring successful solutions. The implementation guide is a great start in documenting the processes and procedures needed to get going. The full implementation guide can be found here:

https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/solution-overview.html 

The developers of the solution have also had the foresight to publish a set of GitHub Pages to supplement the Implementation Guide. These are more focussed on running the solution, so the two sets of docs together provide excellent initial guidance and help with operating the solution from day 1. The GitHub docs can be found here:

https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/ 

Further Documentation Required

While the documentation is good, it still needs additional guidance for customer handover and complete operational oversight. Topics not covered include:

  • Updating the GitHub Access Token on expiry
  • Temporarily disabling deployed SCPs during upgrades
  • Assigning the KMS key policy to the default “EC2-Default-SSM-AD-Role” so that Systems Manager Session Manager and Fleet Manager can be used for secure Windows RDP remote access
  • Enabling MFA (Multi-Factor Authentication) on the root user of newly minted AWS accounts
  • Guidance on using SCIM groups from Entra ID (formerly Azure AD) with IAM Identity Centre
  • Detailed configuration guides for each config file, complete with a decision register

The above needs to be covered in supplementary operational documentation created by the customer or the partner deploying the solution.

How Much Does LZA Cost?

Cost is determined mainly by the number of services enabled, and network complexity influences it significantly. A small deployment could run between USD $450 – $1,000 per month. A medium deployment could run between USD $1,000 – $3,000 per month. A large deployment could run up to $4,000+ per month. These are only rough estimates, with most of the cost attributable to services such as Direct Connect, Transit Gateways and VPC attachments, the number of VPC endpoints deployed (assuming centralised internet egress), the AWS Config rules applied, and the activation of services such as Macie.

Conclusion

As a cloud consultancy, Cevo works with many different industry verticals and organisations across the full spectrum of their cloud adoption journey. Organisations embarking on the “Cloud 2.0” journey and using older platform accelerators will benefit from LZA in simplifying the operating model while maintaining compliance at scale.

When you consider cloud security posture through the lens of the AWS Well-Architected Framework, it is easy to see how LZA positions itself well against all six Well-Architected pillars: it has a deep focus on the Security pillar while also touching on the remaining five, Operational Excellence, Reliability, Performance Efficiency, Cost Optimisation and Sustainability.

In part 2 of this series, we will discuss the differentiators, capabilities, limitations, and recommendations for using the AWS Landing Zone Accelerator (LZA) Solution. 

If you or your organisation is considering an uplift to an existing platform, or is new to AWS, consider reaching out to Cevo or contacting me for a confidential discussion on how AWS LZA and Cevo’s Launch platform capability, backed by extensive experience, could benefit you.
