What is an AWS landing zone?

AWS landing zones and multi-account environments

AWS recommends creating more than one AWS account since multiple accounts provide the highest level of resource and security isolation. Such isolation is particularly important for businesses that require administrative isolation between workloads, want to minimize workload visibility and discoverability, need to minimize the scope of impact, or are looking to isolate recovery and/or auditing data. Creating multiple accounts also enables organizations to set up different security profiles for different applications, contain potential security risks in one account without affecting others, control access to data, minimize the exposure of private data, prevent clashes between teams or business units with differing resource needs, and simplify billing and limit allocation.

That said, setting up a multi-account environment can be a complex and time-consuming endeavor and may require an expert understanding of AWS services -- a problem that can be mitigated with a landing zone. AWS landing zones are ideal for companies that want to set up a multi-account environment but may not have the time or skills to implement a configuration of multiple accounts and services. Landing zones help automate the setup of a multi-account AWS environment that is secure and scalable. Also, by helping to create core accounts and resources, a landing zone helps organizations implement an initial security baseline and, ultimately, run secure workloads.

AWS landing zones and account vending machine

Landing zones use AWS' AVM product for provisioning and automatic configuration of new accounts. Also known as Account Factory, AVMs are crucial building blocks for setting up AWS landing zones. They consist of three layers: a public interface for users, an engine that drives interaction with AWS and an integration layer between the first two layers. AVMs also use single sign-on (SSO) to manage account access.

Account Factory lets users implement an account baseline in an AWS Control Tower landing zone. Accounts created and provisioned through Account Factory can be updated, unmanaged and even closed. They can also be recycled or repurposed by updating the user parameters.

How to build an AWS landing zone

Businesses can build two types of landing zones in AWS: a service-based landing zone and a customized landing zone.

A service-based landing zone can be built using AWS Control Tower, a managed service that makes it easy to quickly set up and securely govern a multi-account AWS environment in just a few minutes. AWS Control Tower includes numerous preconfigured controls to enforce best practices, standards and regulatory requirements and to orchestrate multiple AWS services. For instance, the multi-account environment is implemented using AWS Organizations, cross-account security audits using AWS IAM and AWS IAM Identity Center, and centralized logging from AWS CloudTrail.

In addition, AWS Control Tower applies AWS-provided security guardrails -- high-level preventive and detective rules -- and compliance policies, ensuring quick landing zone setup without compromising the organization's security or compliance requirements. It also provides custom guardrails and blueprints for customizing the landing zone per the organization's specific requirements.

AWS recommends that new users start off with AWS Control Tower. This is because building a customized landing zone requires more advanced AWS knowledge. Regardless of the type of landing zone, all users need to determine their own networking, access management and security strategy while building the landing zone.

Custom-built AWS landing zones typically include custom-built components -- built from scratch – that the organizations or their partners manage, rather than AWS. This approach is only suitable for companies that have the necessary expertise to implement the baseline environment and to operate and manage the solution once deployed.

Creating a landing zone with AWS CloudFormation

CloudFormation is an AWS IaC service that makes it easy to model, provision and manage AWS and third-party resources. IaC and CloudFormation are based on the concept of creating templates to describe the AWS resources required and their properties. CloudFormation uses these templates, which are JavaScript Object Notation- or YAML-formatted text files, as blueprints to provision the resources.

CloudFormation accommodates creating a template to set up a landing zone in AWS. AWS provides the template, which can be deployed from the CloudFormation console or by using AWS Command Line Interface, to create the landing zone.

Parameters:
  Version:
    Type: String
    Description: The version number of Landing Zone
  GovernedRegions:
    Type: List
    Description: List of governed regions
  SecurityOuName:
    Type: String
    Description: The security Organizational Unit name
  SandboxOuName:
    Type: String
    Description: The sandbox Organizational Unit name
  CentralizedLoggingAccountId:
    Type: String
    Description: The AWS account ID for centralized logging
  SecurityAccountId:
    Type: String
    Description: The AWS account ID for security roles
  LoggingBucketRetentionPeriod:
    Type: Number
    Description: Retention period for centralized logging bucket
  AccessLoggingBucketRetentionPeriod:
    Type: Number
    Description: Retention period for access logging bucket
  KMSKey:
    Type: String
    Description: KMS key ARN used by CloudTrail and Config service to encrypt data in logging bucket
Resources:
  MyLandingZone:
    Type: 'AWS::ControlTower::LandingZone'
    Properties:
      Version:
        Ref: Version
      Tags:
        - Key: "keyname1"
          Value: "value1"
        - Key: "keyname2"
          Value: "value2"
      Manifest:
        governedRegions:
          Ref: GovernedRegions
        organizationStructure:
          security:
            name:
              Ref: SecurityOuName
          sandbox:
            name:
              Ref: SandboxOuName
        centralizedLogging:
          accountId:
            Ref: CentralizedLoggingAccountId
          configurations:
            loggingBucket:
              retentionDays:
                Ref: LoggingBucketRetentionPeriod
            accessLoggingBucket:
              retentionDays:
                Ref: AccessLoggingBucketRetentionPeriod
            kmsKeyArn:
              Ref: KMSKey
          enabled: true
        securityRoles:
          accountId:
            Ref: SecurityAccountId
        accessManagement:
          enabled: true

CloudFormation can also be used to manage an existing landing page. This requires importing the landing zone in a new or existing AWS CloudFormation stack.

Landing Zone Accelerator on AWS

Landing Zone Accelerator on AWS is a comprehensive, low-code product to automatically set up, manage and govern multi-account environments -- in all AWS Regions -- with highly regulated or secure workloads and complex compliance requirements. It also lets users deploy, operate and govern a centrally managed encryption strategy using AWS Key Management Service (AWS KMS). The product includes numerous foundational capabilities that align with AWS best practices and multiple global compliance frameworks for deploying mission-critical workloads across a multi-account environment.

AWS recommends installing the tool using AWS CloudFormation and updating it to future versions from the CloudFormation console. The CloudFormation template above deploys AWS CodePipeline containing Landing Zone Accelerator on AWS installation engine.

AWS landing zone security

AWS landing zones provide self-service security guardrails through setting up accounts and resources. AWS landing zones are partly composed of a security account, which, by default, includes security-focused tools, such as an account baseline, security cross-account roles, Amazon GuardDuty and Amazon Simple Notification Service (security notifications). The security account provides what AWS sees as essential security functions for all AWS accounts in an organization, such as security management, Log Archive and directory services.

Security account baselines include the following:

• IAM policies in which a user can set up a security admin and read-only policies for employees.
• IAM password policy in which a user can set the password policy for complexity.
• AWS Config, which can forward AWS resource configurations to an S3 Log Archive bucket storage resource available in AWS.
• AWS CloudTrail calls to an Amazon S3 Log Archive bucket.
• AWS Config rules, used to define rules surrounding provisioning, configuring and monitoring AWS resources, multifactor authentication (MFA) and encryption -- Config audits resource configurations continuously.
• Notifications, which can configure an Amazon CloudWatch alarm or events, sending notifications for application programming interface (API) authentication failures, root account logins or console sign-in failures.
• Configurable Amazon Virtual Private Cloud infrastructure that lets landing zones configure initial networks for accounts, which means it can delete the default VPC, deploy requested AVM network types and use a shared services VPC.

The security account also includes Amazon GuardDuty, a managed cloud security monitoring service that can be used to detect behavior and threats that have the potential to compromise AWS accounts, resources or workloads. GuardDuty supports continuous monitoring and can detect attacker reconnaissance, compromised resources and compromised accounts. Attacker reconnaissance refers to threats such as failed login patterns, unusual API activity and port scanning. Compromised resources could refer to spikes in network traffic, while compromised accounts can refer to API calls from odd locations or attempts to disable CloudTrail.

These security precautions can enable an organization to implement its AWS environment with greater confidence about security.

Security may be a concern for an organization while implementing an AWS environment, but it may lack the staff, centralized governance or skills to ensure security while migrating environments. On its website, AWS refers to a use case in which an organization, Netenrich, was concerned about data security during migrations. A customer of Netenrich wanted to gain better control of its AWS environment while enforcing a system that was compliant with regulatory frameworks, such as Health Insurance Portability and Accountability Act and System and Organization Controls 1, all while maintaining a system of checks, balances and access controls. Netenrich had these concerns along with an emphasis on account-level visibility and security. Netenrich used AWS landing zones to accomplish its customer's goal and, with the focus on security, implemented data security, logging, automated account provisioning and IAM. Configured policies were integrated with the customer's Active Directory Federation Services and AWS SSO.

AWS landing zone basic setup

AWS recommends an expert handle landing zone installation since the setup process can be complicated. An AWS landing zone installation is handled using an initiation template, which lets users select specific and basic settings in their landing zone setup.

The initiation template writes to a config template on an S3 bucket, which facilitates creating CodePipeline. CodePipeline is used to run changes made to the config and applies changes to the surrounding infrastructure.

The basic tenants in the setup process include the master, security, logging and shared services. The master includes core features and tools, such as CodePipeline, SSO and AVM, which help automate the creation of new AWS accounts. Security includes the AWS Config aggregator and GuardDuty. Logging is the central location for logs that, for example, could come from CloudTrail audits. Shared services is the location where all accounts can access services in landing zones.

When Netenrich started to deploy AWS landing zones, its security account included the AWS Config aggregator, GuardDuty and alerts. Netenrich's logging focused on adding Amazon VPC Flow Logs. Shared services focused on implementing a shared VPC for remote connectivity to different accounts.

Users who choose to set up AWS landing zones should also focus on implementing design, setting service limits if needed, creating and securing root users, creating member accounts and deploying AWS Landing Zone Initialization AWS CloudFormation stack. Users considering design should focus on securing passwords, MFA tokens and storage for the root user in each account. Design should also focus on organizing member accounts, implementing service control policies and naming root user email addresses for AWS accounts. Member accounts can be set using AVMs.

Limits are placed by default to a specific number of accounts for an organization. To increase the limit, users can fill out an AWS support ticket.

Users should also focus on setting up and securing root users. Create root user email addresses with a naming scheme that helps organize any root user accounts. AWS generates a random password for a root user when a member account is created. The password can be changed by going through the account recovery process for the root user.

Users should also deploy AWS Landing Zone Initialization AWS CloudFormation stack. How long that takes can vary. Typically, AWS Landing Zone Initialization AWS CloudFormation stack should take a couple of minutes, and CodePipeline should take a few hours to complete.

Benefits of AWS landing zones

AWS landing zones provide numerous benefits:

• Supporting user implementation of multiple core accounts in an organization and then administration of all accounts from a single management account.
• Automating setup of an AWS environment and account provisioning.
• Creating a useful baseline for security.
• Providing automated guardrails that simplify account maintenance and governance, even in multi-account environments.
• Helping users easily apply and enforce security and compliance controls for both existing and new accounts.
• Unifying billing across all organizational groups when implemented using AWS Control Tower.
• Working in a DevOps environment.
• Accommodating integration with GitLab.
• Enhancing security with monitoring, alerts, logging, IAM, service control policies and MFA.
• Automatically enabling rules and dashboards as governance options.
• Providing resource utilization visibility.
• Letting users create new accounts from AVMs.
• Using SSO to manage access to user accounts.

Concerns around AWS landing zones

Although AWS landing zones can be useful in setting up an AWS environment, users should still be aware of some concerns that may require attention:

• Customized landing zones usually require an AWS expert to set up. The expected complexity explains why AWS recommends deploying landing zones using its managed AWS Control Tower service.
• The more services that are used in the landing zone, the more complex the system can be, making it potentially difficult for users to use, manage and maintain.

Given the complexity of setting up landing zones, it can also be complicated to troubleshoot them:

• A landing zone may not be compatible with existing master accounts, meaning a new master account must be used.
• The overhead associated with setting up a landing zone may be unmanageable for smaller organizations.

AWS landing zone cost

By default, landing zones have resources that require payments, such as AWS Config rules and GuardDuty, for example. The cost of these resources should total about $200 monthly.

Learn what you need to know to manage multiple AWS accounts by exploring AWS services and best practices that can optimize multi-account management across your organization. Also, read about the resource hierarchy structure in AWS and implementing AWS Organizations best practices.