Cloud Landing Zones in AWS: Building a Solid Foundation for Cloud Adoption

In this post, we will investigate the concept of AWS Landing Zones, their importance, and how they empower enterprises to confidently pursue their goals in cloud adoption.

As businesses continue to embrace cloud technology, establishing resilient and standardised cloud foundations help reduce organisational complexities and promote flexibility, security and efficiency. AWS offers a methodical approach to building the groundwork for deploying workloads.^‍

^‍‍^‍‍

What Are Landing Zones in AWS?

To recap from our previous post, a landing zone is a well-architected environment that is highly scalable and secure. It is your cloud foundation, designed according to a set of best practices and guidelines.The key elements that make Landing Zones the solid foundation for your AWS environment include:

‍

• a multi-team account structure for workload isolation,
• an initial security baseline and governance,
• identity and access management,
• data security and logging,
• network design

‍

Each key element provides you with a set of guidelines and questions to consider when designing your Landing Zone.

‍

Why AWS Landing Zones Matter

Landing zones offer a set of best practices and architectural patterns that enable your organisation to scale. Without landing zones, businesses often struggle to enforce security standards and lack good visibility into the delivery process. Workloads often share accounts, increasing the risk of data exploits due to overly permissive policies and a lack of an audit trail. Therefore, the implementation of AWS Landing Zones for your organisation is crucial, as it helps you achieve:

‍

• Standardisation: Landing Zones provide a best-practice, standardised approach to setting up your environments, ensuring optimal performance in your cloud setup. For example, AWS offers a Service Catalog - a 'single pane of glass' to provision and share infrastructure across accounts and promote self-service. This helps you steer clear of common pitfalls such as inconsistent architectures and reduces organisational complexities by introducing consistency across all your accounts and environments.
• Efficiency: Robust cloud foundations enhance operational efficiency by promoting the most optimal designs with scaling, right-sizing and automation, allowing your organisation to concentrate on your product rather than constantly redesigning your infrastructure based on new requirements.
• Security and Compliance: AWS offers baseline guidelines and practices for security controls, including the AWS Identity and Access Management model, detective controls, infrastructure security, data protection, and incident response. It also provides, among many, AWS-managed policies and a variety of guardrails - out of the box governance rules included with the AWS Control Tower landing zone service. All these measures mitigate potential risks and assist in meeting compliance requirements.
• Cost Management: Landing Zones empower your organisation to focus on cost tracking, budget allocation, and optimization of AWS spending with a number of services including AWS Cost Explorer, AWS Budgets and AWS Cost Anomaly Detection.
• Confidence: With a solid landing zone foundation, your organisation can be confident that best practices are integrated with your cloud setup. This promotes innovation while adhering to industry standards.
• Scalability: AWS Landing Zones are designed to be flexible as their business requirements change, allowing you to adapt to the dynamic needs of your organisation.

‍

What does it look like in practice?

If you’re new to Landing Zones, we advise you to start out with the following reference architecture diagram, as it focuses on delivering cloud setup that adheres to AWS guidelines of multi-account structure, provides with baseline security, identity management and promotes scalability:

‍

A: AWS account structure: AWS operates on the basis of Organisations, enabling you to systematically organise your AWS accounts into organisational units (OUs). This concept ensures that your workloads stay segregated and logically organised.

B: Initial security baseline, governance, data security and logging: Best practices and tooling that your organisation can implement for audit and logging purposes.

C: Identity and access management: Best practices surrounding any privileged identity management actions, such as SSO, temporary access, and approval workflows.

D: Network Design: Best practices surrounding network design, connectivity, and remote access operations.

E: Optional additional considerations: DevOps practices implemented through infrastructure as code, such as automated deployment, pipeline management and various configurations.

‍

AWS Landing zone design deep dive

One of the most fundamental design considerations is your AWS account setup for your organisation. Although there are different ways in which your organisation could structure your accounts and organisational units, AWS account structure practise advise on the  following multi-account set up:

‍

• Root: Your root management account, housing your OUs.
• Account management OUs: such as Transitional OUs for any temporary accounts, Exceptions OU for non-standard accounts, Suspended OUs for temporarily suspended accounts, and Graveyard OUs for accounts awaiting deletion. Depending on the size of your organisation, you may decide not to implement all of the suggested OUs.
• Infrastructure OU: hosting any infrastructure-related components e.g. Networking.
• Deployments OU: recommended OU for separating private workloads such as CI private runners.
• Workloads OU: Where your main application workloads are to be deployed, split into logically separated OUs, such as development and production.
• Sandbox OU: separated and isolated sandbox accounts for testing purposes.
• Security OU: Audit and Log Archive OUs for central security tooling.

‍

As far as the initial security baseline is concerned, AWS suggests the following split of your Security OU:

‍

Your AWS-managed security tools, such as GuardDuty or Security Hub, should be managed through the Audit account, enabling you to analyse, understand, and alert on any unexpected activities in your organisation. It is also recommended to include an Archive account—a central logging account aggregating various logs across all of your OUs and tools, such as CloudTrail, Config, or VPC Flow Logs, for centralised and isolated audit of your estate. The creation of both Audit and Archive accounts is provided by default when using AWS Control Tower, the AWS-managed landing zone provisioning service.

‍

Identity and access management design principles concentrate on assessing your organisation’s identity management. The recommended approach is to apply the least privilege principle, which grants the minimum required access. You can also implement temporary elevated identity management through integration of SSO via any chosen Identity Provider.

‍

As far as the Network Design principle is concerned, AWS suggests creating a separate, centrally managed account for networking:

‍

‍

This should involve evaluating your CIDR allocation, as overlapping CIDR ranges within your organisation can present issues related to internal connectivity through Transit Gateways, VPC peering, or VPNs. Additionally, you could implement services such as AWS Network Firewall to implement secure connectivity across services and to on-premise infrastructure.

‍

Additional considerations should include the implementation of various DevOps practices, such as git repository management with a strong access management structure, use of deployment pipelines and any implementation/configuration best practices implemented through infrastructure as code: 

‍

‍

Challenges with AWS Landing Zones

It must be mentioned that currently, implementing Landing Zones in AWS may prove to be challenging, either due to the lack of customisation with AWS-managed landing zone solutions or the learning curve and additional cost associated with custom solutions.

‍

Additionally, customisation options can still be limited with the AWS landing zone accelerator, and adding your own elements requires specialist knowledge. As the solution is only CloudFormation-based, companies preferring Terraform or other infrastructure as code tooling may find it adds additional management overhead.

‍

Despite these limitations, AWS Landing Zones can provide a strong starting point for organisations looking to establish a secure, well-architected AWS environment. It's important to evaluate whether the benefits they offer align with your organisation's specific goals and requirements and whether any shortcomings can be addressed or mitigated. Appvia can also help your organisation with the complexities of AWS Landing Zone implementation.

‍

Implementing your Landing Zone

AWS landing zones can be implemented in one of the following ways:

‍

• Pre-built tools: AWS-managed landing zone service using AWS Control Tower, that automates many of the tasks associated with setting up and managing a landing zone, significantly reducing manual effort. 
• Custom tools: with either a custom implementation of a manual AWS Organisation-based landing zone or an implementation of automated AWS Landing Zone Accelerator.
• Bring in an expert: At Appvia we’ve helped many organisations implement Cloud Landing Zones. We work with your organisation to understand your requirements and implement the right solution to accelerate your journey to the Cloud.

‍

Next Steps

• Explore the AWS Control Tower, AWS Organisations or the AWS Landing Zone Accelerator: Kickstart your journey with pre-built guidance.
• Evolve with Your Business: Remember, landing zones aren’t static. They evolve as your cloud strategy matures.
• Speak to Appvia about our Cloud Landing Zones: We can help you build a Cloud Landing Zone that is right for your organisation.

‍

‍