AWS Landing Zone
Multi-account AWS strategy for enterprise workloads. Security isolation, centralized logging and guardrails across all accounts.
Overview
A Landing Zone establishes a secure, well-architected multi-account AWS environment based on AWS best practices. This pattern eliminates the single-account anti-pattern that creates security and billing risks as organizations grow.
Each workload environment (dev, staging, prod) lives in its own AWS account. Security tooling runs in a dedicated Security account. Shared networking and DNS live in a Shared Services account. AWS Organizations Service Control Policies enforce guardrails across the entire structure.
Architecture Diagram
Architecture Diagram
AWS Landing Zone — Account Structure
AWS Landing Zone — Account Structure
Components
Root Account
Billing consolidation, AWS Organizations management, SCP enforcement. No workloads run here. Root credentials locked away with MFA.
Security Account
Centralized CloudTrail for all accounts, AWS Config rules, GuardDuty findings aggregation, Security Hub. Read-only access to all other accounts for security auditing.
Shared Services Account
Route 53 hosted zones, AWS Certificate Manager, Transit Gateway hub. Shared NAT Gateway to reduce per-account NAT costs. Optional bastion host.
Workload Accounts
One account per environment (dev, staging, prod). Isolated blast radius. VPC, EKS/ECS, RDS, S3 per account. SCPs restrict dangerous operations.
Trade-offs
Complexity
✅ Better security isolation and blast radius reduction
⚠️ Higher operational overhead, more IAM to manage
Cost
✅ Free Tier applies per account, consolidated billing visibility
⚠️ Transit Gateway data transfer charges, multiple NAT costs
Management
✅ SCPs centrally enforced, audit trail in one place
⚠️ Requires AWS Organizations, Control Tower recommended
Best Practices
Never use root account for daily operations — lock the credentials and forget them
Enable MFA on all IAM users, enforce via SCP
Use AWS IAM Identity Center (SSO) for human access — no IAM users in workload accounts
Automate account vending with AWS Control Tower Account Factory
GuardDuty must be enabled in every account and every region you use
Log everything to the Security account — S3 bucket with object lock for immutability
Stack
Need this implemented?
We implement Landing Zones with Terraform from scratch. Includes SCP design, Control Tower setup and account vending automation.
Start a conversation →