• Articles

What is an AWS Landing Zone?

What is an AWS Landing Zone?

AWS Landing Zone is designed for businesses who wish to set up a multi-account environment but lack the time or knowledge to configure several accounts and services – as this may necessitate an expert grasp of AWS services. Landing Zones will help automate the deployment of a safe and scalable multi-account AWS environment.

Check out this AWS Training video by Intellipaat

AWS Landing Zone Overview

A landing zone is a well-designed, multi-account, scalable, and secure AWS infrastructure. This is a starting point for your organization to swiftly build and deploy workloads and apps while remaining confident in your security and infrastructure environment.

Creating a landing zone requires technical and commercial decisions in account structure, networking, security, and access control that are in line with your organization’s long-term growth and business objectives.

The AWS landing zone is a solution that fully automates the entire setup process by creating core accounts and the resources required to monitor numerous accounts. Identity and access management, data security, network design, governance, and logging are all components of the process.

Check out Intellipaat’s best AWS training to get ahead in your career!

How it Works

Running an operation with many accounts caused problems for most medium and large businesses, so Amazon developed AWS, which aimed to speed up the process while also providing a secure and functioning environment.

However, before you can use the landing page option, you must first construct a reliable base environment with AWS. The traditional method of creating multiple accounts takes a lot of time because it involves all procedures, such as security, logging, and service configuration. In other words, AWS will automatically ensure that each account fulfills the baseline requirements.

Once the accounts are set up, the Landing Zone solution provides clients with an easy way to create and manage numerous account setups in compliance with industry best practices. In other words, it organizes all baseline AWS setups and creates a basic multi-account structure.

The solution then manages each account equally, saving you a significant amount of time and money. Not only that, but you may scale your business much faster without having to register additional accounts.

Cloud Computing IITM Pravartak

AWS Landing Zone Benefits

The Landing Zone system offers a few important advantages that enable customers to easily manage several accounts. Here’s a brief breakdown of all the advantages you can expect:

  • AWS Account Vending Machine allows you to establish child accounts from AWS Organization. AVM uses single sign-on to manage user account access across all accounts, allowing you to grant rights and impose limitations to enforce policies and compliance.
  • Landing Zones provide visibility into resource consumption across the enterprise, making it simple to assure baseline security and monitor and control IT budgets.
  • Landing Zone is ideal for enterprises with diverse IT roles since it allows you to regulate resource access and restrict actions for various activities such as security, development, network and database administration, DevOps, and so on.
  • Landing Zone codifies AWS best practices like CloudTrail and VPC, as well as DevOps principles like infrastructure-as-code via CloudFormation templates and continuous delivery via CodePipeline.

Go through these Top Amazon AWS Interview Questions And Answers to excel in your AWS interview.

AWS Landing Zone Architecture

AWS Landing Zone solutions typically contain four accounts: AWS Organization, which deploys the landing zone and handles configuration and access; shared services account, which hosts directory services; logging account, which is typically stored in S3; and security account, which is used for audit and compliance purposes.

AWS Landing Zone Architecture

AWS Organization account

AWS Landing Zone is set up in an AWS Organizations account.

This account is used to handle the configuration and access to AWS Landing Zone managed accounts.

The AWS Organizations account allows you to create and manage member accounts financially.

It includes the Amazon Simple Storage Service (Amazon S3) bucket and pipeline settings, account configuration StackSets, AWS Organizations Service Control Policies (SCPs), and AWS Single Sign-On (SSO) configuration.

Shared Services account

The Shared Services account is a starting point for developing infrastructure shared services like directory services.

 This account hosts AWS Managed Active Directory for AWS SSO integration by default in a shared Amazon Virtual Private Cloud (Amazon VPC) that may be automatically peered at with new AWS accounts created with Account Vending Machine (AVM).

Log Archive account

The Log Archive account includes a central Amazon S3 bucket for keeping copies of all AWS CloudTrail and AWS Config log files in a log archive account.

Security account

The Security account adds auditor (read-only) and administrator (full-access) cross-account privileges to all AWS Landing Zone managed accounts.

The goal of these positions is for a company’s security and compliance team to use them to audit or undertake emergency security operations in the event of an incident.

Interested in learning more? Go through this AWS Tutorial!

Get 100% Hike!

Master Most in Demand Skills Now !

AWS Landing Zone Security Baseline

It contains a basic security baseline that may be used to build and deploy a customized account security baseline for your organization. The following settings are included by default in the initial security baseline:

AWS CloudTrail

Each account has one CloudTrail trail that is configured to transmit logs to a centrally managed Amazon Simple Storage Service (Amazon S3) bucket in the log archive account and to AWS CloudWatch Logs in the local account for local activities.

Cross-Account Access

Cross-account access allows the security account to configure audit and emergency security administration access to AWS Landing Zone accounts.

AWS Config

AWS Config is enabled, and account configuration log files are saved in the log archive account’s centrally controlled Amazon S3 bucket.

Amazon Virtual Private Cloud (VPC)

An Amazon VPC is used to set up an account’s initial network. This includes eliminating the default VPC in all regions, deploying the AVM-specified network type, and network peering with the Shared Services VPC when applicable.

AWS Config Rules

Storage encryption, AWS Identity and Access Management (IAM) password policy, root account multi-factor authentication (MFA), Amazon S3 public read and write, and unsecure security group rules are all enabled via AWS Config rules.

AWS Landing Zone Notifications

Amazon CloudWatch alarms and events are set up to notify you when a root account login, console sign-in failure, or API authentication failure occurs within an account.

AWS Identity and Access Management

An IAM password policy is configured using AWS Identity and Access Management.

Amazon GuardDuty

Amazon GuardDuty is set up in the member account to allow you to monitor and handle GuardDuty findings.

AWS Landing Zone Setup

AWS Control Tower offers a solution called Landing Zone, while you can also create your own depending on your requirements.

Landing Zone solution using Control Tower Service

Master Account  

You can build an AWS Control Tower from the Master account, which allows you to:

  • Core Unit and Custom Unit, which are two Organizational Units (OUs)
  • Guardrails-Control Tower by default establishes the baseline rules that are used in each AWS Account, but you can also extend them.
  • You can create brand-new AWS accounts from the AWS Service Catalog and assign these accounts to your preferred Organization Units.

Enroll today in our AWS Certification Master’s Course to speed up your career!

Shared Accounts

Examples of shared accounts include audit and logging accounts. They are set up during Control Tower configuration rather than through the Service Catalog.

Resources are divided among all offered Landing Zone accounts. It may be products or services for your company, such as centralized directories, Active Directory for SSO integration, infrastructure scanning, EBS volumes, golden AMI, or a straightforward DNS.

A Cross Account IAM Role is necessary to assign access across AWS accounts.

Logging Account

This account is automatically created by Control Tower with the intention of consolidating all logs from several accounts into it.

What sort of logs are we looking for, though? Logs from the infrastructure, applications, VPC, security, databases, and other sources might all be included.

If you do log in, you should take it seriously because it’s alarming. Using a Lambda function and a Kinesis stream, the log can be gathered instantly

Audit Account

In order to establish security, Control Tower also establishes this account. Reports, real-time notifications, and a cross-account role have all been configured for this account. You have to verify the permissions that users, groups, and applications have.

Functional Account

Your situation, design and implementation of your application will dictate how many accounts you should create.

A large-scale software development project necessitates the use of various environments, each of which is distinct.

Let’s go over the four AWS accounts that you should have at the absolute least in your solution: Development, Quality Assurance, Pre-Production, and Production. By using the service catalog in the master account, you can easily scale by adding more AWS accounts.

  • Dev: Developers can start deploying things in this environment, as well as experimenting, learning, and creating new things. Developers can test any new features or bugs here and deploy their work. They can start constructing and rolling out the code to more accounts once it has been deemed stable.
  • Pre-Prod: This is the location of Quality Assurance (QA). To ensure that the program runs smoothly, testers access the staging environment. They carry out a number of tests in this setting to identify flaws and determine whether the application is ready for deployment in a live environment.
  • Prod: The setting here is the most constricting. It’s the location where users can access the production applications. There shouldn’t be much access to the account for anyone. We must check that the appropriate connectivity is present, that our logs are being sent to the correct logging account, and that they may be subject to stronger security regulations and policies.
  • DevOps: Thanks to this account, the DevOps team can efficiently distribute apps across numerous AWS accounts (in this case, dev, pre-prod, and prod). Regardless of how your DevOps process is structured or the tools you employ, it is crucial for security reasons that these tools be isolated from other environments. Continuous delivery and integration are among the services hosted here..

Baseline Requirements

Building a set of requirements in each AWS account is the first step in building a landing zone based on these account-level demands.

You have the idea of accounts, and every account operates separately from the others. Therefore, the minimum requirements that you seek ought to include the following:

  • For root access, enable MFA. Verify that it is locked.
  • No credentials are required.
  • No root account access keys are required.
  • Enable the cloud trail, which records the account’s API log-off action.
  • access to every area of the ecosystem, not just the functioning one. Consider about the roles in business.


The Landing Zone solution enables customers with large businesses to automate and easily add as many accounts, organizations, and guardrails as they need. You must choose how you will construct the Landing Zone based on your particular instance and requirements because employing Control Tower to set up a Landing Zone has both benefits and drawbacks.

If you have any doubts or queries related to this technology, do post on AWS Community.

Course Schedule

Name Date Details
AWS Certification 20 Jul 2024(Sat-Sun) Weekend Batch
View Details
AWS Certification 27 Jul 2024(Sat-Sun) Weekend Batch
View Details
AWS Certification 03 Aug 2024(Sat-Sun) Weekend Batch
View Details