Blog Blog Posts Business Management Process Analysis

What is an AWS Landing Zone?

AWS Landing Zone is designed for businesses who wish to set up a multi-account environment but lack the time or knowledge to configure several accounts and services – as this may necessitate an expert grasp of AWS services. Landing Zones will help automate the deployment of a safe and scalable multi-account AWS environment.

Table of contents:

Check out this AWS Training video by Intellipaat

AWS Landing Zone Overview

A landing zone is a well-designed, multi-account, scalable, and secure AWS infrastructure. This is a starting point for your organization to swiftly build and deploy workloads and apps while remaining confident in your security and infrastructure environment. Creating a landing zone requires technical and commercial decisions in account structure, networking, security, and access control that are in line with your organization’s long-term growth and business objectives.

The AWS landing zone is a solution that fully automates the entire setup process by creating core accounts and the resources required to monitor numerous accounts. Identity and access management, data security, network design, governance, and logging are all components of the process.

How it Works

Running an operation with many accounts caused problems for most medium and large businesses, so Amazon developed AWS, which aimed to speed up the process while also providing a secure and functioning environment.

However, before you can use the landing page option, you must first construct a reliable base environment with AWS. The traditional method of creating multiple accounts takes a lot of time because it involves all procedures, such as security, logging, and service configuration. In other words, AWS will automatically ensure that each account fulfills the baseline requirements.

Once the accounts are set up, the Landing Zone solution provides clients with an easy way to create and manage numerous account setups in compliance with industry best practices. In other words, it organizes all baseline AWS setups and creates a basic multi-account structure.

The solution then manages each account equally, saving you a significant amount of time and money. Not only that, but you may scale your business much faster without having to register additional accounts.

Check out Intellipaat’s best AWS training to get ahead in your career!

AWS Landing Zone Benefits

The Landing Zone system offers a few important advantages that enable customers to easily manage several accounts. Here’s a brief breakdown of all the advantages you can expect:

Go through these Top Amazon AWS Interview Questions And Answers to excel in your AWS interview.

Career Transition

AWS Landing Zone Architecture

AWS Landing Zone solutions typically contain four accounts: AWS Organization, which deploys the landing zone and handles configuration and access; shared services account, which hosts directory services; logging account, which is typically stored in S3; and security account, which is used for audit and compliance purposes.

AWS Landing Zone Architecture

AWS Organization account

AWS Landing Zone is set up in an AWS Organizations account. This account is used to handle the configuration and access to AWS Landing Zone managed accounts. The AWS Organizations account allows you to create and manage member accounts financially. It includes the Amazon Simple Storage Service (Amazon S3) bucket and pipeline settings, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) configuration.

Shared Services account

The Shared Services account is a starting point for developing infrastructure shared services like directory services. This account hosts AWS Managed Active Directory for AWS SSO integration by default in a shared Amazon Virtual Private Cloud (Amazon VPC) that may be automatically peered at with new AWS accounts created with Account Vending Machine (AVM).

Log Archive account

The Log Archive account includes a central Amazon S3 bucket for keeping copies of all AWS CloudTrail and AWS Config log files in a log archive account.

Security account

The Security account adds auditor (read-only) and administrator (full-access) cross-account privileges to all AWS Landing Zone managed accounts. The goal of these positions is for a company’s security and compliance team to use them to audit or undertake emergency security operations in the event of an incident.

Interested in learning more? Go through this AWS Tutorial!

AWS Landing Zone Security Baseline

It contains a basic security baseline that may be used to build and deploy a customized account security baseline for your organization. The following settings are included by default in the initial security baseline:

AWS CloudTrail

Each account has one CloudTrail trail that is configured to transmit logs to a centrally managed Amazon Simple Storage Service (Amazon S3) bucket in the log archive account and to AWS CloudWatch Logs in the local account for local activities.

Cross-Account Access

Cross-account access allows the security account to configure audit and emergency security administration access to AWS Landing Zone accounts.

AWS Config

AWS Config is enabled, and account configuration log files are saved in the log archive account’s centrally controlled Amazon S3 bucket.

Amazon Virtual Private Cloud (VPC)

An Amazon VPC is used to set up an account’s initial network. This includes eliminating the default VPC in all regions, deploying the AVM-specified network type, and network peering with the Shared Services VPC when applicable.

AWS Config Rules

Storage encryption, AWS Identity and Access Management (IAM) password policy, root account multi-factor authentication (MFA), Amazon S3 public read and write, and unsecure security group rules are all enabled via AWS Config rules.

AWS Landing Zone Notifications

Amazon CloudWatch alarms and events are set up to notify you when a root account login, console sign-in failure, or API authentication failure occurs within an account.

AWS Identity and Access Management

An IAM password policy is configured using AWS Identity and Access Management.

Amazon GuardDuty

Amazon GuardDuty is set up in the member account to allow you to monitor and handle GuardDuty findings.

AWS Landing Zone Setup

AWS Control Tower is an AWS-managed service that allows you to manage all of your AWS resources, including AWS Organizations, Identity and Access Management, Guardrails, Service Catalog, and multiple AWS accounts. You can establish as many accounts as you like through the Service Catalog and apply requirements-based rules to them. The Control Tower can easily and securely establish a landing zone.

Landing Zone is an AWS Control Tower solution,  you can even develop your own solution according to your needs. You can use your own CloudFormation or Terraform stacks across multiple AWS accounts.

Landing Zone solution using Control Tower Service

Master Account  

You can build an AWS Control Tower from the Master account, which allows you to:

If you have any doubts or queries related to this technology, do post on AWS Community.

Shared Accounts

Logging and Audit Accounts are examples of shared accounts. They are not provisioned through the Service Catalog, but rather during Control Tower setup. They distribute resources among all provided Landing Zone accounts. It could be services or tools for your organization, such as centralized directories, Active Directory for SSO integration, infrastructure scanning, EBS volumes, golden AMI, or a basic DNS. To delegate access across AWS accounts, a Cross Account IAM Role is required.

Logging Account

Control Tower creates this account by default, and the goal of having this account is to collect all logs from multiple accounts into this one. But what kinds of logs are we looking for? Infrastructure logs, application logs, VPC logs, Security logs, database logs, and so on could all be included.  If you do log into the account, you should consider it alarming. The log can be collected in real-time using a Kinesis stream and a Lambda function.

Audit Account

Control Tower creates this account as well, with the goal of establishing security. This account has been configured with a cross-account role, reports, and real-time notifications. Check that users, groups, and applications have the appropriate permissions.

Functional Account

The number of accounts you should establish here is determined by your situation and how you intend to construct and implement your application. A major software development project requires the utilization of several environments, with the environment being unique. Let’s go over the four AWS accounts (Dev, QA, Pre-Prod, and Production) that you should have at the very least in your solution. You may easily scale by adding extra AWS accounts using the service catalog in the master account.

Baseline Requirements

The first step in creating a Landing Zone based on these account level needs is to construct a set of requirements in each AWS account. We have the concept of accounts, and each account is completely independent of the others. As a result, the baseline standards we seek should contain the following:

  1. Enable MFA for our root access. Make sure that’s locked.
  2. No credentials are required.
  3. No access keys for the root account
  4. Enable the cloud trail, which is the API log-off activity for the account.
  5. Access to all regions within the environment, not just the one which is operating. Consider the business roles.


AWS’s landing zone is a new solution that is used to create a scalable, secure multi-account AWS environment. Building a multi-account the traditional way requires a substantial amount of time and work, especially when it comes to establishing a baseline security configuration and other features like turning on AWS Config, AWS Inspector, AWS GuardDuty, and setting up VPCs. The landing zone assists in setting up numerous accounts with a baseline for security and other AWS features, considerably reducing the time and work required to create these accounts and subsequent new accounts within the same business.

Customers with large companies can use the Landing Zone solution to automate and simply add as many accounts, organizations, and guardrails as they require. There are advantages and disadvantages of using Control Tower to set up a Landing Zone, so you must decide how you will build up the Landing Zone based on your specific instance and requirements.

Enroll today in our AWS Certification Master’s Course to speed up your career!

The post What is an AWS Landing Zone? appeared first on Intellipaat Blog.

Blog: Intellipaat - Blog

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples