Establishing your Cloud Foundations with an AWS Landing Zone

One of the key challenges for an enterprise that is just getting started with AWS is establishing a sensible cloud platform for people to work in.  

One that is safe, secure, and scalable, and can be successfully monitored and governed.  

One that won’t cause issues, rework and regrets further down the track.   

This is a complex problem area, as it requires the enterprise to consider, come up with answers, and then implement solutions for a range of topics such as:

  • Account structures
  • Security, identity, permissions and access control 
  • Monitoring and alerting
  • Logging and auditing 


Over time, a range of approaches have been developed to create robust AWS environments that are production-ready.

1. Build it from scratch

It’s completely possible to work all this out yourself, and in the early days of AWS, you had to. This approach continues to be a valid option, as it gives you the ultimate in flexibility and allows you to build a solution that is precisely tailored to your needs. However, “Do It Yourself” comes with a range of disadvantages:  

  • You are (likely) new to the cloud and Amazon services; you may not understand the precise implications of not having things in place.  For example, on billing.
  • It takes skill and effort to implement these things correctly, which you may or may not have
  • Even if you do solve all of the problems in an acceptable way, you’ve created a one of a kind solution, one that you need to support, patch, manage and change.

Finally, these problems are ancillary to actually adding value to your business by solving problems for them.  After all that effort, all you have is the start of a cloud platform.  You still don’t have any workloads installed and running, and the real work is only just beginning.

Fortunately, there is an easier way to get things started.

2. Enter the AWS Landing Zone

Amazon recognised the problem of DIY approach, and developed the concept of a Landing Zone.  A Landing Zone is:

“A well architected multi account AWS environment that’s based on security and compliance best practices”

A conceptual overview of the Landing Zone looks like this:

The Landing Zone consists of four key accounts:

  1. An Organisation Account – the command command centre for your new AWS environment, and provides you with a single place to configure, create and manage member accounts, and enables you to:
    1. Configure and implement environment wide security controls  (“guardrails”) for the environment
    2. Configure and implement further application specific accounts using the Account Vending Machine pattern and CI/CD pipeline. 
    3. Maintain a single perspective on billing for all of the subsidiary AWS Accounts and services you establish, as well as controlling cost savings through things like reserved instance sharing
    4. Configure and implement Single Sign-on, which reduces the need for traditional and highly risky individual IAM accounts.  With AWS Single Sign-on you can easily provision users and groups to provide varying degrees of access into any of the individual tenant account you may create later


  2. A Security Account – creates audit and administrative accounts, which ensure your Security team can audit and meaning your landing zone, and also supports the Amazon GuardDuty service.


  3. A Logging Account – contains centralised storage for all of the AWS Cloudtrail and Config log files created by your multiple accounts


  4. A Shared Service Account – acts as a reference point for the creation of further shared infrastructure services, such as Directory services, so that you can manage Single Sign On integration into your Virtual Private cloud and any other accounts 

All of this is created via templates and delivered via code pipelines, which will deliver fast, consistent, infinitely repeatable environment creation which embeds best practices and controls, and limits the chance of operator error. 

The Landing Zone delivers a comprehensive, stable and flexible base for your entry into the cloud.  By deploying your cloud infrastructure in a Landing Zone pattern, you are able to benefit from years of experience in running cloud focused platforms in a simple, cloud native approach.  

The Landing Zone is very positive, and represents a great leap forward from building it all by yourself from scratch, but similar to a “DIY” solution, once it has been implemented, the customer is responsible for the ongoing care and maintenance of the resulting platform.  Given that AWS continues to evolve their service offerings at a rapid pace, it can quickly become challenging to manage this solution and maintain its currency while ensuring there is no impact to your actual workloads.

For a long time, this represented the state of the art.

3. And now Control Tower

AWS Control Tower is: 

“a service that automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.”

It takes the basic Landing Zone approach and cleans things up for you by wrapping a service around the various templates to enable you to simply and automatically implement blueprints into your landing zone on demand.  

It delivers most of the features of the Landing Zone pattern:

  • Create a multi-account environment using AWS Organisations
  • Provide identity management using AWS Single Sign-On (SSO) default directory
  • Provide federated access to accounts using AWS SSO
  • Centralize logging from AWS CloudTrail, and AWS Config stored in Amazon S3
  • Enable cross-account security audits using AWS IAM and AWS SSO

The Landing Zone set up by AWS Control Tower is managed using a set of mandatory and strongly recommended guardrails, which customers select through a self-service console experience to ensure accounts and configurations comply with your policies.

The real game changer in terms of productivity is that – In common with other AWS Managed services – Amazon retains the responsibility for ongoing maintenance of the resulting environment, leaving you to focus your attention and resources on value adding activities. 


As is typical in these kinds of scenarios, each has advantages and disadvantages:





  • Absolute control over the outcome,  making it possible to tailor the outcome to fit your organisations need
  • Requires a high degree of skill
  • Takes time and effort and attention to complete
  • You own the implementation risk from top to bottom
  • Easy to get wrong

AWS Landing Zone

  • Simpler and less effort than the DIY approach
  • Comprehensive, fast and accurate
  • Can be customised as needed
  • More complex than Control tower
  • Requires moderate AWS skill to get right
  • Expected to be end-of-life in the near future

Amazon Control Tower

  • Amazon own the implementation risk
  • Low complexity, Self Service model
  • Comprehensive, fast and accurate and reproducible
  • Standard AWS managed service, so it’s low risk and future proof
  • Easy to acquire skills on the open market
  • Can’t easily import  existing account structures
  • No programmatic API, currently impacts the ability to automate the setup of control tower.


The Cevo Verdict
  • “Do It Yourself” – Unless your requirements are highly specialised, or you are only really “having a play” with the technology to learn, and expect to never use it productively, then this approach is not advised

  • AWS Landing Zone – if you have the skills, this is a rapid way to establish a high quality environment that’s configured for your needs 

  • Amazon Control Tower – assuming you have no specialized requirements, is the fastest, easiest and lowest risk path to value.  It also aligns with the future product direction of AWS.

If you’re thinking about getting started with AWS or curious about how to optimise your current AWS environment, please contact us.