AWS Landing Zone

An AWS Landing Zone is a secure, scalable, multi-account AWS environment based on best practices. It provides a foundation for cloud adoption, enabling organizations to deploy workloads with governance, security, and compliance from day one.


What is an AWS Landing Zone?

  • A pre-configured AWS environment with multiple accounts (e.g., security, logging, shared services, workloads)

  • Implements guardrails using Service Control Policies (SCPs), AWS Organizations, IAM, and centralized logging

  • Automates account creation, baseline networking (VPCs), and security controls

References:


Real-Life Use Cases

  • Enterprise Cloud Adoption: Standardize environments for multiple business units

  • Regulated Industries: Enforce compliance (e.g., PCI, HIPAA) with automated guardrails

  • Startups/Scale-ups: Rapidly scale with secure, repeatable account structures


Configuration Options

  • Account Structure: Define core accounts (security, log archive, shared services, workload)

  • Networking: Centralized VPCs, shared subnets, Transit Gateway, VPC peering

  • Security: SCPs, IAM roles, AWS Config, CloudTrail, GuardDuty, Security Hub

  • Automation: Use AWS Control Tower, custom Terraform, or CloudFormation


Example: AWS Landing Zone with Terraform

Below is a simplified example using Terraform to create an AWS Organization, core accounts, and baseline guardrails.

provider "aws" {
  region = "us-east-1"
}

# The organization must have the SCP policy type enabled; without this,
# creating or attaching the SCP below fails.
resource "aws_organizations_organization" "main" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# Core accounts are created directly under the organization root here; a
# production layout would place them in organizational units (OUs).
resource "aws_organizations_account" "security" {
  name      = "Security"
  email     = "security@example.com"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_account" "log_archive" {
  name      = "LogArchive"
  email     = "logs@example.com"
  parent_id = aws_organizations_organization.main.roots[0].id
}

resource "aws_organizations_policy" "deny_s3_public" {
  name        = "DenyS3PublicAccess"
  description = "Deny S3 public access"
  content     = file("policies/deny_s3_public.json")
  type        = "SERVICE_CONTROL_POLICY"
}

# Attaching to the root applies the guardrail to every account in the
# organization except the management account, which SCPs never restrict.
resource "aws_organizations_policy_attachment" "attach_scp" {
  policy_id = aws_organizations_policy.deny_s3_public.id
  target_id = aws_organizations_organization.main.roots[0].id
}

Tip: Store your SCP JSON in a policies/deny_s3_public.json file for modularity.
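
The Terraform above reads the SCP from a file but the page does not show its contents. The following is an added example, not code from the page or from any AWS project: a constructed policies/deny_s3_public.json document, and a small offline evaluator that shows how an SCP caps what a member account may do (an explicit Deny in the SCP wins; otherwise the default FullAWSAccess SCP allows, and the account's own IAM policies still apply on top). The evaluator models only the StringEquals condition the example policy uses and is not AWS's policy engine.

```python
"""Added example: SCP document for policies/deny_s3_public.json plus a
minimal offline SCP evaluator. Policy content is constructed for this
example; the evaluator is a model, not AWS's policy engine."""
import fnmatch
import json

# Constructed SCP. Statement 1 stops anyone in a member account from
# weakening S3 Block Public Access (the landing zone sets it from the
# management account, which SCPs never restrict). Statement 2 denies the
# canned ACLs that would make a bucket or object world-readable.
DENY_S3_PUBLIC_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingPublicAccessBlock",
            "Effect": "Deny",
            "Action": [
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyPublicCannedAcls",
            "Effect": "Deny",
            "Action": ["s3:CreateBucket", "s3:PutBucketAcl",
                       "s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": ["public-read", "public-read-write",
                                     "authenticated-read"]
                }
            },
        },
    ],
}


def _matches(pattern, value):
    """IAM-style wildcard match; Action may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """Only StringEquals is modelled, which is all the example policy uses.
    A request without the condition key never satisfies StringEquals,
    which matches IAM's behaviour."""
    for key, expected in condition.get("StringEquals", {}).items():
        allowed = expected if isinstance(expected, list) else [expected]
        if context.get(key) not in allowed:
            return False
    return True


def scp_allows(policy, action, context=None):
    """True unless a Deny statement in `policy` matches `action` and its
    condition (if any) holds. Allow statements are ignored because the
    root keeps the default FullAWSAccess SCP; IAM still applies on top."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or not _matches(stmt["Action"], action):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], context):
            continue
        return False
    return True


def render_scp(policy=DENY_S3_PUBLIC_SCP):
    """JSON text for policies/deny_s3_public.json. Organizations rejects
    SCP documents over 5,120 characters, so the size is checked here."""
    text = json.dumps(policy, indent=2)
    if len(text) > 5120:
        raise ValueError("SCP document exceeds the 5,120-character limit")
    return text


if __name__ == "__main__":
    print(render_scp())
    for action, ctx in [("s3:GetObject", {}),
                        ("s3:PutBucketPublicAccessBlock", {}),
                        ("s3:PutBucketAcl", {"s3:x-amz-acl": "public-read"}),
                        ("s3:PutBucketAcl", {"s3:x-amz-acl": "private"})]:
        verdict = "allowed" if scp_allows(DENY_S3_PUBLIC_SCP, action, ctx) else "DENIED by SCP"
        print(f"{action} {ctx} -> {verdict}")
```

Denying s3:PutBucketPublicAccessBlock outright is a deliberate trade-off: member accounts can no longer turn the block off, but they also cannot configure it themselves, so the landing zone must set the account-level block from a principal the SCP does not cover (the management account, or a delegated baseline role in an OU the policy is not attached to).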


Example: Terraform Test with terraform-compliance

You can use terraform-compliance to test your Terraform code for security and compliance. Example test to ensure S3 public access is denied:

Feature: Deny S3 Public Access
  # Block Public Access is its own resource (aws_s3_bucket_public_access_block),
  # not an attribute of aws_s3_bucket, so the scenarios target that resource.
  Scenario: Block public ACLs on every bucket
    Given I have aws_s3_bucket_public_access_block defined
    Then it must contain block_public_acls
    And its value must be true

  Scenario: Block public bucket policies on every bucket
    Given I have aws_s3_bucket_public_access_block defined
    Then it must contain block_public_policy
    And its value must be true
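
A feature file like the one above only checks the public access blocks that are defined; it cannot tell you that a bucket has no block at all. The following added example (not part of the page, nor of terraform-compliance) implements the stricter rule directly over the JSON that `terraform show -json plan.out` produces, so it can run in CI without extra tooling. The plan fragment is constructed for the example; only the keys the check reads (planned_values.root_module.resources[].type, .address and .values, with child_modules nested the same way) follow the real plan schema.

```python
"""Added example: check a Terraform plan (or state) JSON for S3 buckets
that lack a fully enabled aws_s3_bucket_public_access_block. The sample
plan is constructed for this example."""
import json
import sys

REQUIRED_FLAGS = ("block_public_acls", "block_public_policy",
                  "ignore_public_acls", "restrict_public_buckets")

# Constructed plan fragment: one compliant bucket, one with a partially
# enabled block, and one with no block at all.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
         "values": {"bucket": "org-log-archive"}},
        {"type": "aws_s3_bucket_public_access_block",
         "address": "aws_s3_bucket_public_access_block.logs",
         "values": {"bucket": "org-log-archive", "block_public_acls": True,
                    "block_public_policy": True, "ignore_public_acls": True,
                    "restrict_public_buckets": True}},
        {"type": "aws_s3_bucket", "address": "aws_s3_bucket.web",
         "values": {"bucket": "org-web-assets"}},
        {"type": "aws_s3_bucket_public_access_block",
         "address": "aws_s3_bucket_public_access_block.web",
         "values": {"bucket": "org-web-assets", "block_public_acls": True,
                    "block_public_policy": False, "ignore_public_acls": True,
                    "restrict_public_buckets": False}},
        {"type": "aws_s3_bucket", "address": "aws_s3_bucket.scratch",
         "values": {"bucket": "org-scratch"}},
    ]}},
})


def _walk(module):
    """Yield every resource in a module tree (root plus nested child_modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_public_bucket_violations(plan_json):
    """Return {bucket_address: reason} for every aws_s3_bucket that has no
    aws_s3_bucket_public_access_block with all four flags set to true.

    Blocks are matched to buckets by their `bucket` value. Caveat: when that
    value is a reference resolved only at apply time, Terraform omits it
    from planned_values, so for full coverage run this over the output of
    `terraform show -json` on the applied state (same layout under "values")."""
    doc = json.loads(plan_json)
    root = doc.get("planned_values", doc.get("values", {})).get("root_module", {})
    resources = list(_walk(root))
    blocks = {r["values"].get("bucket"): r["values"] for r in resources
              if r["type"] == "aws_s3_bucket_public_access_block"}
    violations = {}
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        block = blocks.get(r["values"].get("bucket"))
        if block is None:
            violations[r["address"]] = "no aws_s3_bucket_public_access_block"
            continue
        weak = [f for f in REQUIRED_FLAGS if block.get(f) is not True]
        if weak:
            violations[r["address"]] = ("public access block not fully enabled: "
                                        + ", ".join(weak))
    return violations


if __name__ == "__main__":
    # Usage: python check_s3_public.py plan.json   (defaults to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    found = find_public_bucket_violations(source)
    for address, reason in sorted(found.items()):
        print(f"{address}: {reason}")
    sys.exit(1 if found else 0)
```

Run it after `terraform plan -out plan.out && terraform show -json plan.out > plan.json`; a non-zero exit fails the pipeline, which is the same gate terraform-compliance provides but with the missing-block case covered.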

Notes for Linux, WSL, and NixOS Users

  • Linux: Use the latest Terraform binary and AWS CLI. Install via your package manager or official releases.

  • WSL: Ensure your AWS credentials are accessible in your WSL home directory. Use wsl --mount for shared filesystems if needed.

  • NixOS: Use nixpkgs for reproducible installs:

    environment.systemPackages = with pkgs; [ terraform awscli ];

  • Always use environment variables or AWS profiles for credentials—never hard-code secrets.


Landing Zone Joke

Why did the DevOps engineer refuse to deploy in an unprepared AWS account?

Because there was no landing zone—he didn’t want to crash the cloud party!


For more advanced patterns, see AWS Control Tower and the AWS Landing Zone Accelerator.
