Landing zone

A landing zone is an orchestration framework for your foundational AWS environment. It provides a baseline to get started with multi-account architecture, identity and access management, governance, data security, network design, and logging.

AWS has two options for creating your landing zone: a service-based landing zone using AWS Control Tower and a customized landing zone that you build. Each option requires a different level of AWS knowledge.

AWS Control Tower helps you save time by automating the setup of a landing zone so you can run secure and scalable workloads. AWS Control Tower is managed by AWS and uses best practices and guidelines to help you create your foundational environment. AWS Control Tower uses integrated services such as AWS Service Catalog and AWS Organizations to provision accounts in your landing zone and manage access to those accounts.

Objectives

Create a landing zone with an initial configuration for the following:

Account structure
Network structure
Predefined identity and billing frameworks
Predefined user-selectable packages
Ability to customize and configure

Outcomes

A defined and secure landing zone ready for migration and further customization

How-to guide

Setting up a secure and scalable multi-account AWS environment

Related resources

AWS Control Tower
AWS Service Catalog
AWS Organizations
Architecting security & governance across your landing zone (AWS re:Invent 2019 presentation)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Migration governance

Security, risk, and compliance