AWS Landing Zone

An AWS Landing Zone is a secure, scalable, multi-account AWS environment based on best practices. It provides a foundation for cloud adoption, enabling organizations to deploy workloads with governance, security, and compliance from day one.

---

What is an AWS Landing Zone?

• A pre-configured AWS environment with multiple accounts (e.g., security, logging, shared services, workloads)

• Implements guardrails using Service Control Policies (SCPs), AWS Organizations, IAM, and centralized logging

• Automates account creation, baseline networking (VPCs), and security controls

References:

• AWS Landing Zone Solution

• AWS Control Tower

---

Real-Life Use Cases

• Enterprise Cloud Adoption: Standardize environments for multiple business units

• Regulated Industries: Enforce compliance (e.g., PCI, HIPAA) with automated guardrails

• Startups/Scale-ups: Rapidly scale with secure, repeatable account structures

---

Configuration Options

• Account Structure: Define core accounts (security, log archive, shared services, workload)

• Networking: Centralized VPCs, shared subnets, Transit Gateway, VPC peering

• Security: SCPs, IAM roles, AWS Config, CloudTrail, GuardDuty, Security Hub

• Automation: Use AWS Control Tower, custom Terraform, or CloudFormation

---

Example: AWS Landing Zone with Terraform

Below is a simplified example using Terraform to create an AWS Organization, core accounts, and baseline guardrails.

provider "aws" {
  region = "us-east-1"
}

resource "aws_organizations_organization" "main" {
  feature_set = "ALL"
}

resource "aws_organizations_account" "security" {
  name      = "Security"
  email     = "security@example.com"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_account" "log_archive" {
  name      = "LogArchive"
  email     = "logs@example.com"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_policy" "deny_s3_public" {
  name        = "DenyS3PublicAccess"
  description = "Deny S3 public access"
  content     = file("policies/deny_s3_public.json")
  type        = "SERVICE_CONTROL_POLICY"
}

resource "aws_organizations_policy_attachment" "attach_scp" {
  policy_id = aws_organizations_policy.deny_s3_public.id
  target_id = aws_organizations_organization.main.roots[0].id
}

Tip: Store your SCP JSON in a policies/deny_s3_public.json file for modularity.

---

Example: Terraform Test with terraform-compliance

You can use terraform-compliance to test your Terraform code for security and compliance. Example test to ensure S3 public access is denied:

Feature: Deny S3 Public Access
  Scenario: Ensure S3 buckets do not allow public access
    Given I have aws_s3_bucket defined
    Then it must contain public_access_block
    And its block_public_acls must be true
    And its block_public_policy must be true

---

Notes for Linux, WSL, and NixOS Users

• Linux: Use the latest Terraform binary and AWS CLI. Install via your package manager or official releases.
• WSL: Ensure your AWS credentials are accessible in your WSL home directory. Use wsl --mount for shared filesystems if needed.

• NixOS: Use nixpkgs for reproducible installs:

  environment.systemPackages = with pkgs; [ terraform awscli ];

• Always use environment variables or AWS profiles for credentials—never hard-code secrets.

---

Landing Zone Joke

Why did the DevOps engineer refuse to deploy in an unprepared AWS account?

Because there was no landing zone—he didn’t want to crash the cloud party!

---

For more advanced patterns, see AWS Control Tower and the AWS Landing Zone Accelerator.