Overview
A landing zone is a foundational AWS environment that enables secure,
scalable, and governed cloud adoption. It establishes multi-account structure,
network architecture, security guardrails, and centralized logging before
workloads are deployed.
Why Multi-Account Strategy?
- Reduces blast radius
- Isolates workloads by environment (Prod, Dev, QA)
- Enables cost allocation per business unit
- Improves security governance
- Supports compliance boundaries
Core Components
AWS Organizations
Used to manage multiple AWS accounts under a centralized management account.
Organizational Units (OUs) group accounts by environment or business function.
Service Control Policies (SCPs)
Guardrails attached to OUs (or individual accounts) that cap the permissions available in member accounts. An SCP never grants access on its own (IAM policies still have to allow the action), and SCPs do not apply to the management account, which is one reason no workloads should run there.
Example: Deny disabling CloudTrail or creating resources outside approved regions.
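The two example guardrails as an SCP document, added here as an illustration and not taken from the original notes. The region list and the OrgBreakGlass role name are assumptions for the example. scp_allows() is a deliberately simplified evaluator that shows which requests this policy blocks; it models only what the policy uses (Deny statements, Action/NotAction, StringNotEquals on aws:RequestedRegion, ArnNotLike on aws:PrincipalARN), whereas real SCP evaluation (Resource matching, OU inheritance, the implicit FullAWSAccess allow) is richer.

```python
# Added example, not part of the original notes. The SCP below implements the
# two guardrails named above; scp_allows() is a simplified evaluator showing
# which requests it blocks. Region list and break-glass role are assumptions.
import fnmatch
import json

APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]           # assumption for the example
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/OrgBreakGlass"     # hypothetical role name

# Global services have no meaningful region; excluding them via NotAction keeps
# IAM, STS, Organizations, Route 53 etc. usable even though their calls are
# logged with a region (usually us-east-1).
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*", "route53:*",
    "cloudfront:*", "budgets:*", "health:*", "access-analyzer:*",
]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
        },
        {
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
                # Exempt one break-glass role so an emergency in a new region
                # does not require editing the SCP first.
                "ArnNotLike": {"aws:PrincipalARN": [BREAK_GLASS_ROLE]},
            },
        },
    ],
}


def scp_json():
    """The policy document as you would attach it to an OU with Organizations."""
    return json.dumps(SCP, indent=2)


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatch.fnmatch(action, p) for p in stmt["Action"])
    # NotAction: the statement applies to every action NOT in the list.
    return not any(fnmatch.fnmatch(action, p) for p in stmt["NotAction"])


def _condition_matches(stmt, region, principal_arn):
    cond = stmt.get("Condition", {})
    # StringNotEquals: the Deny applies only when the region is NOT approved.
    if region in cond.get("StringNotEquals", {}).get("aws:RequestedRegion", []):
        return False
    # ArnNotLike: the Deny does not apply to principals matching a pattern.
    for pattern in cond.get("ArnNotLike", {}).get("aws:PrincipalARN", []):
        if fnmatch.fnmatch(principal_arn, pattern):
            return False
    return True  # no Condition at all means the statement always applies


def scp_allows(action, region, principal_arn):
    """True unless a Deny statement matches. An SCP never grants access; the
    caller still needs an IAM allow. The management account is not subject
    to SCPs at all, so keep workloads and humans out of it."""
    for stmt in SCP["Statement"]:
        if (stmt["Effect"] == "Deny"
                and _action_matches(stmt, action)
                and _condition_matches(stmt, region, principal_arn)):
            return False
    return True


if __name__ == "__main__":
    print(scp_json())
    dev = "arn:aws:iam::111111111111:role/Developer"   # made-up principal
    for req in [("ec2:RunInstances", "eu-west-1", dev),
                ("ec2:RunInstances", "us-east-1", dev),
                ("iam:CreateUser", "us-east-1", dev),
                ("cloudtrail:StopLogging", "eu-west-1", dev)]:
        print(req, "->", "allowed" if scp_allows(*req) else "DENIED by SCP")
```

Note that the break-glass exemption only sits on the region statement: even that role cannot stop CloudTrail, which is the behaviour you want from an audit guardrail.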
Account Structure Example
- Management Account
- Log Archive Account
- Security Account
- Shared Services Account
- Production Account
- Non-Production Account
Network Architecture Design
- Centralized networking model (Hub-and-Spoke)
- Transit Gateway for VPC connectivity
- Dedicated Shared Services VPC
- Private subnets for application & database tiers
- VPC endpoints for private AWS service access
Hub-and-Spoke Model (Conceptual)
Management & Shared Services VPC connected via Transit Gateway to workload VPCs.
Centralized Logging & Monitoring
- CloudTrail organization trail covering every account, including ones created later
- Trail logs delivered to an S3 bucket in the Log Archive account that only CloudTrail can write to and workload accounts cannot modify
- GuardDuty & Security Hub enabled organization-wide, with the Security account as delegated administrator
- Centralized CloudWatch dashboards
Security Guardrails
- Mandatory tagging policies
- Block public S3 access at the account level
- Enforce encryption by default (S3, EBS, RDS)
- Restrict root account usage (hardware MFA, no access keys, alert on every root event)
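Detection logic that ties the centralized logging section to the root-usage guardrail above, added here as an example and not from the original notes. It runs over CloudTrail records of the shape the organization trail delivers to the Log Archive bucket and flags root activity and attempts to switch CloudTrail off. The records, account IDs and role names are constructed for the example.

```python
# Added example, not part of the original notes: detection rules the Security
# account could run over CloudTrail records from the Log Archive bucket.
# Sample records are constructed in the CloudTrail record shape; IDs are made up.
import json

TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_RECORDS = [  # constructed sample data
    {"eventTime": "2024-05-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": "222222222222"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/alice"},
     "errorCode": "AccessDenied"},   # what an SCP-blocked call looks like
    {"eventTime": "2024-05-01T08:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "accountId": "333333333333",
                      "arn": "arn:aws:sts::333333333333:assumed-role/ReadOnly/bob"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
]


def classify(record):
    """Return (rule, severity) for a record worth alerting on, else None."""
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        if name == "ConsoleLogin":
            mfa = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            return ("root_console_login", "MEDIUM" if mfa else "HIGH")
        # Any root API call is abnormal in a landing zone where root is locked down.
        return ("root_api_call", "MEDIUM")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TAMPER_EVENTS:
        # A denied attempt (e.g. blocked by the SCP) still deserves a ticket:
        # somebody holding credentials tried to blind the audit trail.
        blocked = "errorCode" in record
        return ("cloudtrail_tampering", "MEDIUM" if blocked else "HIGH")
    return None


def detect(records):
    """Run every record through classify() and keep the hits, in log order."""
    findings = []
    for r in records:
        hit = classify(r)
        if hit is None:
            continue
        rule, severity = hit
        findings.append({
            "rule": rule, "severity": severity,
            "accountId": r.get("userIdentity", {}).get("accountId"),
            "eventName": r.get("eventName"), "eventTime": r.get("eventTime"),
            "blocked": "errorCode" in r,
        })
    return findings


def detect_from_log_file(text):
    """CloudTrail delivers gzipped JSON objects of the form {"Records": [...]};
    this takes the already-decompressed text of one such object."""
    return detect(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['rule']} account={f['accountId']} "
              f"event={f['eventName']} at {f['eventTime']} blocked={f['blocked']}")
```

In production this would be an EventBridge rule or a GuardDuty/Security Hub finding rather than a script, but the rules are the same: root is never expected to act, and a rejected StopLogging is a signal, not noise.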
Identity & Access Management Model
- IAM Identity Center (formerly AWS SSO) as the single entry point for human access, federated to the corporate identity provider
- Role-based access control
- Cross-account role assumption
- Least privilege principle
Cost Governance Integration
- Account-level cost allocation
- Budgets per environment
- Centralized cost visibility dashboard
- Enforced tagging standards
Scalability & Future Expansion
- New accounts can be provisioned via automation
- Infrastructure as Code (Terraform / CloudFormation)
- Baseline security policies applied automatically
- Supports multi-region expansion
Common Mistakes
- Starting migration without a landing zone in place
- Using single account for all workloads
- Not enforcing tagging early
- Ignoring centralized logging
Key Lessons
- Landing zone must be built before workload migration
- Security and governance should be automated
- Network design decisions impact long-term scalability
- Cost governance starts at account structure level