Multi-Account AWS Environment options.
AWS Landing Zone
In short, it is a collection of AWS accounts and other mechanisms to establish guardrails within those accounts.
Created as part of the AWS Solutions Library.
AWS Landing Zone is currently in long-term support and will not receive any additional features.
New environments should use AWS Control Tower instead.
- Ships as a zip file of CloudFormation templates
- Builds the account types listed under Core Accounts below
- Enables AWS Config and applies Config rules
- Enables CloudTrail
- Enables SSO and an AD Connector
- Builds the Account Vending Machine, a self-service portal using Service Catalog that lets developers request accounts, which are then created via CodePipeline
Core Accounts
The following managed accounts are created as part of the landing zone:
- Log Archive - consolidated log files
- Security - creates auditor (read-only) and administrator (full-access) cross-account roles from the Security account into every AWS Landing Zone managed account. Also the master Amazon GuardDuty account.
- Shared Services - AD, DNS, LDAP
- Sandbox accounts - developers can experiment, run PoCs, etc.
- Business Unit accounts - dev, test, and prod workloads
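The cross-account roles in the Security account bullet are the main trust relationship in this design, so here is an added CloudFormation template (not one of the AWS Landing Zone templates) that would be deployed into each managed account. It assumes a `SecurityAccountId` parameter and the hypothetical role names `SecurityAuditorRole` and `SecurityAdministratorRole`; the managed policies it attaches (`SecurityAudit`, `ReadOnlyAccess`, `AdministratorAccess`) are real AWS-managed policies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example: auditor (read-only) and administrator (full-access) roles that
  only the Security account may assume. Deploy one copy into each managed account.

Parameters:
  SecurityAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Account id of the Security account (placeholder; supplied at deploy time)

Resources:
  # Read-only role for security review. Trust is limited to the Security account,
  # and the caller must have authenticated with MFA.
  AuditorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityAuditorRole          # hypothetical name
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${SecurityAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  # Full-access role for incident response and remediation; same trust policy,
  # so it can never be assumed from anywhere but the Security account.
  AdministratorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityAdministratorRole    # hypothetical name
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${SecurityAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

Outputs:
  AuditorRoleArn:
    Value: !GetAtt AuditorRole.Arn
  AdministratorRoleArn:
    Value: !GetAtt AdministratorRole.Arn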
AWS Control Tower
- A better-packaged and managed AWS Landing Zone; effectively AWS Landing Zone as a first-class AWS service.
- Functions as a pre-baked layer of abstraction on top of AWS Organizations, AWS Config, CloudTrail, CloudFormation, and a few other services.
- Set up entirely in the AWS Console; there is no IaC for it.
Creating a Control Tower Landing Zone
Service Catalog | Create Control Tower Managed Account
superwerker
- Opinionated layer on top of Control Tower.
- Automates the setup of an AWS Cloud environment with prescriptive best practices.
AWS Organization Formation
- Infrastructure as Code (IaC) tool for AWS Organizations.
- Implemented using CloudFormation Custom Resource Types (providers), which orchestrate and call the relevant AWS APIs.
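To make the "IaC for AWS Organizations" bullet concrete, here is an added org-formation template (not taken from the project's docs) describing the same account layout as the Core Accounts list above: a Security OU holding the Log Archive and Security accounts, a Workloads OU, and two service control policies applied as guardrails. All account ids, emails and policy names are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: Added example organization definition for org-formation (placeholder ids)

Organization:
  # The management (master) account that runs org-formation.
  MasterAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Management
      AccountId: '111111111111'        # placeholder

  # Root of the organization; SCPs attached here apply to every account.
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:
        - !Ref DenyLeaveOrganization

  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: security
      Accounts:
        - !Ref LogArchiveAccount
        - !Ref SecurityAccount

  WorkloadsOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: workloads
      ServiceControlPolicies:
        - !Ref DenyDisablingLogging
      Accounts:
        - !Ref DevAccount

  LogArchiveAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Log Archive
      AccountId: '222222222222'        # placeholder
      RootEmail: aws-log-archive@example.com

  SecurityAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Security
      AccountId: '333333333333'        # placeholder
      RootEmail: aws-security@example.com

  DevAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Development
      AccountId: '444444444444'        # placeholder
      RootEmail: aws-dev@example.com

  # Guardrail: member accounts cannot remove themselves from the organization.
  DenyLeaveOrganization:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyLeaveOrganization
      Description: Prevent member accounts from leaving the organization
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: '*'

  # Guardrail: workload accounts cannot switch off CloudTrail or AWS Config.
  DenyDisablingLogging:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyDisablingLogging
      Description: Keep CloudTrail and AWS Config running in workload accounts
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - config:StopConfigurationRecorder
              - config:DeleteConfigurationRecorder
            Resource: '*'
```

Because the whole organization is a single file, any change to an OU, account placement or SCP goes through the same review process as application code, which is the point of treating the organization as IaC.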
Resources
- AWS Control Tower
- Customizations for AWS Control Tower | Implementations | AWS Solutions
- AWS Organizations
- superwerker
- AWS Organization Formation
- AWS CONTROL TOWER - How to Automate Landing Zone deployment with AWS Control Tower | Detailed DEMO