What is an AWS Landing Zone?
AWS Landing Zone is designed for businesses that wish to set up a multi-account environment but lack the time or knowledge to configure several accounts and services, which can require an expert grasp of AWS services. Landing Zone helps automate the deployment of a secure and scalable multi-account AWS environment.
Table of contents:
- AWS Landing Zone Overview
- How it Works
- AWS Landing Zone Benefits
- AWS Landing Zone Architecture
- AWS Landing Zone Security Baseline
- AWS Landing Zone Setup
AWS Landing Zone Overview
A landing zone is a well-designed, multi-account, scalable, and secure AWS infrastructure. This is a starting point for your organization to swiftly build and deploy workloads and apps while remaining confident in your security and infrastructure environment. Creating a landing zone requires technical and commercial decisions in account structure, networking, security, and access control that are in line with your organization’s long-term growth and business objectives.
The AWS landing zone is a solution that fully automates the entire setup process by creating core accounts and the resources required to monitor numerous accounts. Identity and access management, data security, network design, governance, and logging are all components of the process.
How it Works
Running operations across many accounts caused problems for most medium and large businesses, so Amazon developed AWS Landing Zone, which aims to speed up the process while also providing a secure and functioning environment.
However, before you can use the Landing Zone option, you must first construct a reliable base environment in AWS. The traditional method of creating multiple accounts takes a lot of time because it involves every procedure, such as security, logging, and service configuration. With Landing Zone, AWS automatically ensures that each account fulfills the baseline requirements.
Once the accounts are set up, the Landing Zone solution provides clients with an easy way to create and manage numerous account setups in compliance with industry best practices. In other words, it organizes all baseline AWS setups and creates a basic multi-account structure.
The solution then manages each account equally, saving you a significant amount of time and money. Not only that, but you may scale your business much faster without having to register additional accounts.
AWS Landing Zone Benefits
The Landing Zone system offers a few important advantages that enable customers to easily manage several accounts. Here’s a brief breakdown of all the advantages you can expect:
- The AWS Account Vending Machine (AVM) allows you to establish child accounts from AWS Organizations. AVM uses single sign-on to manage user access across all accounts, allowing you to grant rights and impose limitations to enforce policies and compliance.
- Landing Zones provide visibility into resource consumption across the enterprise, making it simple to assure baseline security and monitor and control IT budgets.
- Landing Zone is ideal for enterprises with diverse IT roles since it allows you to regulate resource access and restrict actions for various activities such as security, development, network and database administration, DevOps, and so on.
- Landing Zone codifies AWS best practices like CloudTrail and VPC, as well as DevOps principles like infrastructure-as-code via CloudFormation templates and continuous delivery via CodePipeline.
AWS Landing Zone Architecture
AWS Landing Zone solutions typically contain four accounts: the AWS Organizations account, which deploys the landing zone and handles configuration and access; the Shared Services account, which hosts directory services; the Log Archive account, whose logs are typically stored in S3; and the Security account, which is used for audit and compliance purposes.
AWS Organization account
AWS Landing Zone is set up in an AWS Organizations account. This account is used to handle the configuration of, and access to, AWS Landing Zone managed accounts. The AWS Organizations account lets you create member accounts and manage their billing. It includes the Amazon Simple Storage Service (Amazon S3) bucket and pipeline settings, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) configuration.
Shared Services account
The Shared Services account is a starting point for developing shared infrastructure services such as directory services. By default this account hosts AWS Managed Active Directory for AWS SSO integration in a shared Amazon Virtual Private Cloud (Amazon VPC) that may be automatically peered with new AWS accounts created through the Account Vending Machine (AVM).
Log Archive account
The Log Archive account includes a central Amazon S3 bucket for keeping copies of all AWS CloudTrail and AWS Config log files from the managed accounts.
Security account
The Security account adds auditor (read-only) and administrator (full-access) cross-account roles to all AWS Landing Zone managed accounts. These roles are intended for a company’s security and compliance team to audit or undertake emergency security operations in the event of an incident.
AWS Landing Zone Security Baseline
The solution contains a basic security baseline that may be used to build and deploy a customized account security baseline for your organization. The following settings are included by default in the initial security baseline:
AWS CloudTrail
Each account has one CloudTrail trail configured to send logs to a centrally managed Amazon Simple Storage Service (Amazon S3) bucket in the Log Archive account and to Amazon CloudWatch Logs in the local account for local analysis.
Cross-account access
Cross-account roles give the Security account audit and emergency security administration access to AWS Landing Zone accounts.
AWS Config
AWS Config is enabled, and account configuration log files are saved in the Log Archive account’s centrally controlled Amazon S3 bucket.
Amazon Virtual Private Cloud (VPC)
An Amazon VPC is used to set up an account’s initial network. This includes eliminating the default VPC in all regions, deploying the AVM-specified network type, and network peering with the Shared Services VPC when applicable.
AWS Config Rules
AWS Config rules are enabled to check storage encryption, the AWS Identity and Access Management (IAM) password policy, root account multi-factor authentication (MFA), Amazon S3 public read and write access, and insecure security group rules.
AWS Landing Zone Notifications
Amazon CloudWatch alarms and events are set up to notify you when a root account login, console sign-in failure, or API authentication failure occurs within an account.
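As an added example (not part of the original tutorial), the Python below classifies CloudTrail records against the same three notification conditions; the field tests follow the widely used CloudWatch Logs metric-filter patterns for root usage, console sign-in failures and unauthorized API calls, and the sample events are constructed, not real captures.

```python
# Added example (not from the tutorial): classify CloudTrail records against the
# three Landing Zone notification conditions, using the field tests of the
# common CloudWatch Logs metric filters for CloudTrail.

def classify_event(event: dict) -> list:
    """Return the baseline alert categories an event matches (possibly none)."""
    alerts = []
    identity = event.get("userIdentity", {})
    error_code = event.get("errorCode", "")
    # Root login/usage: root acting directly (no invokedBy service, not a service event).
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        alerts.append("root-account-usage")
    # Console sign-in failure: a ConsoleLogin event with failed authentication.
    if (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication"):
        alerts.append("console-signin-failure")
    # API authorisation failure: AccessDenied* or *UnauthorizedOperation error codes.
    if error_code.startswith("AccessDenied") or error_code.endswith("UnauthorizedOperation"):
        alerts.append("api-auth-failure")
    return alerts


def scan(events: list) -> dict:
    """Map each event's index to its alert categories, skipping clean events."""
    hits = {}
    for i, event in enumerate(events):
        alerts = classify_event(event)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample records in CloudTrail's shape (not real captures).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication"},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "PutObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"},
    {"eventName": "CreateBucket", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The same predicates can be expressed as CloudWatch Logs metric filters on the trail's log group, with an alarm and SNS topic behind each one.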
AWS Identity and Access Management
An IAM password policy is configured using AWS Identity and Access Management.
Amazon GuardDuty
Amazon GuardDuty is set up in the member account to allow you to monitor and handle GuardDuty findings.
AWS Landing Zone Setup
AWS Control Tower is an AWS-managed service that lets you manage all of your AWS resources, including AWS Organizations, Identity and Access Management, guardrails, Service Catalog, and multiple AWS accounts. You can establish as many accounts as you like through the Service Catalog and apply requirements-based rules to them. Control Tower can easily and securely establish a landing zone.
Landing Zone is an AWS Control Tower solution, but you can also develop your own solution according to your needs, using your own CloudFormation or Terraform stacks across multiple AWS accounts.
You can set up AWS Control Tower from the Master account, which gives you:
- Two Organizational Units (OUs): the Core OU and the Custom OU.
- Guardrails: by default, Control Tower creates rules that are part of the baseline and are applied in each AWS account; you can extend them as well.
- AWS Service Catalog, which enables you to create new AWS accounts and assign them to your preferred Organizational Unit.
Logging and Audit accounts are examples of shared accounts. They are not provisioned through the Service Catalog, but during Control Tower setup. They provide resources shared by all provisioned Landing Zone accounts, such as centralized directories, Active Directory for SSO integration, infrastructure scanning, EBS volumes, golden AMIs, or basic DNS. To delegate access across AWS accounts, a cross-account IAM role is required.
Control Tower creates the Log Archive account by default; its goal is to collect the logs from all accounts into this one. Which logs? Infrastructure logs, application logs, VPC logs, security logs, database logs, and so on. Nobody should need to log into this account routinely, so any login to it should be treated as alarming. Logs can be collected in real time using a Kinesis stream and a Lambda function.
Control Tower also creates the Audit account, with the goal of establishing security. This account is configured with a cross-account role, reports, and real-time notifications. Check that users, groups, and applications have the appropriate permissions.
The number of accounts you should establish here depends on your situation and how you intend to build and deploy your application. A major software development project requires several environments, each isolated from the others. Let’s go over the four AWS accounts (Dev, QA, Pre-Prod, and Production) that you should have at the very least in your solution. You can easily scale by adding extra AWS accounts using the Service Catalog in the master account.
- Dev: This environment enables developers to begin deploying things, experiment, learn, innovate, and build things. Developers can deploy their work and test any new features or bugs here. When the code is declared stable, they begin building and deploying it to more accounts.
- Pre-Prod: This is where Quality Assurance (QA) takes place. Testers access the staging environment to check that the program functions properly. In this environment, they conduct various tests to find defects and confirm that the application is suitable for deployment in production.
- Prod: This is the most restricted mode. It is the location where end-users can access production apps. We should only have restricted access to the account. We must ensure proper connectivity, that our logs are routed to the logging account, and that tougher security regulations and procedures are in place.
- DevOps: This account enables the DevOps team to successfully distribute applications across AWS accounts. It makes little difference what your DevOps process looks like or what tools you use, but it is critical that these tools are isolated from other environments for security reasons. Among the services hosted here are continuous integration and continuous delivery.
The first step in creating a Landing Zone based on these account-level needs is to define a set of baseline requirements for each AWS account. Each account is completely independent of the others, so the baseline standards we seek should contain the following:
- Enable MFA for root access, and make sure the root user is locked down.
- No credentials are required.
- No access keys for the root account.
- Enable CloudTrail, which logs the API activity for the account.
- Cover all regions within the environment, not just the one in operation. Consider the business roles.
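The following Python check, added here and not part of the original tutorial, evaluates one account against the root-MFA, root-access-key and CloudTrail items of this baseline. It assumes input dicts shaped like the IAM GetAccountSummary SummaryMap and the CloudTrail DescribeTrails and GetTrailStatus responses; the sample data is constructed so the check runs offline.

```python
# Added example (not from the tutorial): evaluate one account against the root-MFA,
# root-access-key and CloudTrail items of the baseline. Inputs mirror the shape of
# IAM GetAccountSummary (SummaryMap) and CloudTrail DescribeTrails/GetTrailStatus.

def check_baseline(summary_map: dict, trails: list, trail_status: dict) -> list:
    """Return a list of baseline findings; an empty list means compliant."""
    findings = []
    # Root MFA: IAM reports AccountMFAEnabled == 1 when the root user has an MFA device.
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device")
    # Root access keys: any key present is a long-lived root credential.
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has active access keys")
    # CloudTrail: at least one multi-region trail must currently be logging, so
    # API activity from every region (not just the one in use) reaches the archive.
    logging_all_regions = any(
        t.get("IsMultiRegionTrail") and trail_status.get(t["Name"], {}).get("IsLogging")
        for t in trails)
    if not logging_all_regions:
        findings.append("no multi-region CloudTrail trail is logging")
    return findings


# Constructed sample data for two accounts (not real AWS responses).
COMPLIANT = dict(
    summary_map={"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    trails=[{"Name": "org-trail", "IsMultiRegionTrail": True,
             "S3BucketName": "example-log-archive-bucket"}],
    trail_status={"org-trail": {"IsLogging": True}},
)
DRIFTED = dict(
    summary_map={"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
    trails=[{"Name": "local-trail", "IsMultiRegionTrail": False}],
    trail_status={"local-trail": {"IsLogging": True}},
)

if __name__ == "__main__":
    for name, account in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, check_baseline(**account) or ["ok"])
```

To run it live, feed it `iam.get_account_summary()["SummaryMap"]`, `cloudtrail.describe_trails()["trailList"]` and a per-trail `get_trail_status` result from boto3.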
AWS’s Landing Zone is a new solution used to create a scalable, secure multi-account AWS environment. Building a multi-account environment the traditional way requires a substantial amount of time and work, especially when it comes to establishing a baseline security configuration and other features such as turning on AWS Config, Amazon Inspector, and Amazon GuardDuty and setting up VPCs. The landing zone assists in setting up numerous accounts with a baseline for security and other AWS features, considerably reducing the time and work required to create these accounts and subsequent new accounts within the same business.
Large companies can use the Landing Zone solution to automate and simplify adding as many accounts, organizations, and guardrails as they require. There are advantages and disadvantages to using Control Tower to set up a Landing Zone, so you must decide how to build your Landing Zone based on your specific situation and requirements.