Multi-Account AWS Environment

Multi-Account AWS Environment options.

AWS Landing Zone

In short, it a collection of AWS accounts and other mechanisms to establish guardrails within those accounts.

Created as part of AWS Solutions Library.

AWS Landing Zone is currently in Long-term Support and will not receive any additional features

Should now use AWS Control Tower

  • zip file with CloudFormation templates
  • builds accounts types
  • enables AWS Config, apply config rules
  • enables CloudTrail
  • enables SSO and AD connector
  • Builds Account Vending Machine - self-service portal using Service Catalog to allow devs to request accounts, which are then created via CodePipeline

Core Accounts

The following landing zone managed accounts are created as part of landing zone

  • Log Archive - consolidated log files
  • Security - creates auditor (read-only) and administrator (full-access) cross-account roles from a Security account to all AWS Landing Zone managed accounts. Also master Amazon GuardDuty account
  • Shared services - AD, DNS, LDAP
  • Sandbox Accounts - devs can experiment / PoCs/ etc.
  • Business Unit accounts - dev, test, prod workloads

AWS Control Tower

  • Better packaged and managed AWS Landing Zone. AWS Landing Zone as a first class AWS service.
  • Functions as a pre-baked layer of abstraction on top of AWS Organizations, AWS Config, CloudTrail, CloudFormation, and a few other services
  • All in AWS Console. No IaC for it.

Control Tower Landing Zone Creating

Service Catalog | Create Control Tower Manged Account


  • Opinionated layer on top of Control Tower.
  • Automates the setup of an AWS Cloud environment with prescriptive best practices.

AWS Organization Formation

  • Infrastructure as Code (IaC) tool for AWS Organizations.
  • Implemented using CloudFormation Custom Resource Types (providers) which then orchestrate and call the relevant AWS APIs