Introduction
AWS Landing Zone is designed to help customers quickly set up a secure, multi-account environment that is pre-configured with security, governance, and compliance controls. This helps customers reduce the time and effort required to set up a multi-account environment and ensures that it is configured according to best practices.
AWS Landing Zone includes the following components:
- A set of AWS accounts: including a management account and one or more member accounts. The management account is used to centrally manage the other accounts, and the member accounts are used to run your workloads.
- A shared services account: it provides a centralized location to manage common services such as security, compliance, and governance tooling.
- A set of security controls: including AWS Identity and Access Management (IAM), AWS Organizations, AWS Resource Access Manager (RAM), and AWS Config. These controls are used to manage access to resources and to ensure that they are configured according to best practices.
While AWS provides its own option to set up a Landing Zone, we use our own templates, which combine CloudFormation and Terraform, to control exactly which resources are deployed and to keep the deployment more flexible.
Key Components
AWS Landing Zone consists of multiple components; in this deployment we focus on the following two key components.
AWS Organization
AWS Organizations is a service that allows customers to manage and govern their AWS accounts as a single entity. It enables customers to create a structure of accounts, group them under a root, and organize them into organizational units (OUs), which can also have policies attached to them. It allows them to centrally manage access and permissions across all of their accounts, automate account creation and management, and consolidate billing for multiple accounts.
AWS Organizations is the best way to manage multiple AWS accounts in a centralized, streamlined manner, and it suits customers who want to take advantage of the scalability and flexibility of the AWS platform but need a way to manage and govern resources across multiple accounts.
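The structure described above (a root, OUs beneath it, member accounts inside an OU, and a policy attached to an OU) as a Terraform configuration. This is an added example, not one of our own templates or AWS's: it assumes it is applied with credentials for the management account and that the AWS provider is version 5 or later; the region, OU names, account e-mail address and the service control policy (SCP) contents are constructed for illustration.

```hcl
# Added example: a minimal AWS Organizations layout in Terraform.
# Assumes management-account credentials; region, OU names, the account
# e-mail and the SCP contents are constructed placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # constructed; use your organization's home region
}

# The organization itself, with all features enabled so SCPs can be attached.
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
  aws_service_access_principals = [
    "config.amazonaws.com",
    "sso.amazonaws.com",
  ]
}

# Organizational units directly under the root.
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_organizational_unit" "shared_services" {
  name      = "SharedServices"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# A member account created inside the Workloads OU (constructed e-mail).
resource "aws_organizations_account" "workload_dev" {
  name              = "workload-dev"
  email             = "aws-workload-dev@example.com"
  parent_id         = aws_organizations_organizational_unit.workloads.id
  role_name         = "OrganizationAccountAccessRole"
  close_on_deletion = false
}

# Guardrail SCP: member accounts cannot leave the organization or switch off
# AWS Config, so the governance controls cannot be removed from below.
resource "aws_organizations_policy" "guardrails" {
  name = "baseline-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyLeavingOrganization"
        Effect   = "Deny"
        Action   = ["organizations:LeaveOrganization"]
        Resource = "*"
      },
      {
        Sid    = "DenyDisablingConfig"
        Effect = "Deny"
        Action = [
          "config:DeleteConfigurationRecorder",
          "config:StopConfigurationRecorder",
        ]
        Resource = "*"
      },
    ]
  })
}

# Attach the SCP to the Workloads OU; every account under it inherits it.
resource "aws_organizations_policy_attachment" "guardrails_workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

Two things to keep in mind when adapting this: an SCP never applies to the management account itself, which is one reason to keep workloads out of it, and if an organization already exists the `aws_organizations_organization` resource should be imported rather than created, since a single management account can only own one organization.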
AWS IAM Identity Center
AWS Identity and Access Management (IAM) Identity Center is a service that allows us to manage and govern AWS identities in a centralized and streamlined way across multiple AWS accounts and to provide a consistent user experience across all of them. It enables us to create and manage user identities and permissions, define and enforce access policies, and provide single sign-on (SSO) access to AWS resources and applications using our existing identity provider (IdP).
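The Identity Center model described above (an identity, a permission set that defines what it may do, and an assignment that binds the two to a member account) as a Terraform configuration. This is an added example, not one of our own templates or AWS's: it assumes IAM Identity Center is already enabled in the management account and that the AWS provider is version 5 or later; the region, the group name and the target account ID are constructed placeholders.

```hcl
# Added example: granting a group read-only access to one member account
# through IAM Identity Center. Assumes Identity Center is already enabled;
# region, group name and target account ID are constructed placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # constructed; must be the Identity Center home region
}

# Look up the existing Identity Center instance and its identity store.
data "aws_ssoadmin_instances" "main" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
  target_account_id = "111111111111" # constructed placeholder
}

# A group in the identity store. With an external IdP the groups are normally
# provisioned by SCIM from the IdP rather than created here.
resource "aws_identitystore_group" "auditors" {
  identity_store_id = local.identity_store_id
  display_name      = "Auditors"
  description       = "Read-only access for security audits"
}

# A permission set: the permissions a principal receives in a target account.
resource "aws_ssoadmin_permission_set" "read_only" {
  name             = "ReadOnlyAccess"
  description      = "Read-only access for auditing"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H" # short sessions limit the lifetime of a leaked token
}

# Back the permission set with the AWS managed ReadOnlyAccess policy.
resource "aws_ssoadmin_managed_policy_attachment" "read_only" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.read_only.arn
}

# Bind group + permission set to the account: this is what users actually get.
resource "aws_ssoadmin_account_assignment" "auditors_read_only" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.read_only.arn
  principal_id       = aws_identitystore_group.auditors.group_id
  principal_type     = "GROUP"
  target_id          = local.target_account_id
  target_type        = "AWS_ACCOUNT"
}
```

Assigning permission sets to groups rather than to individual users keeps access reviews tractable: membership changes happen in the IdP and propagate through SCIM, while the Terraform state records only which group may do what in which account.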