Multi-Account AWS Environment options.
AWS Landing Zone
In short, it is a collection of AWS accounts plus the mechanisms (Organizations, Config rules, CloudTrail, cross-account roles) that establish guardrails within those accounts.
Created as part of the AWS Solutions Library.
AWS Landing Zone is currently in long-term support and will not receive any additional features; new deployments should use AWS Control Tower instead.
- Delivered as a zip file of CloudFormation templates and configuration, deployed by an initial CloudFormation stack
- Builds the account types listed below
- Enables AWS Config in every account and applies a baseline set of Config rules
- Enables CloudTrail in every account, with logs delivered to the Log Archive account
- Enables AWS SSO and an AD Connector
- Builds the Account Vending Machine: a self-service portal (a Service Catalog product) through which developers request accounts, which are then created and baselined via CodePipeline
The following managed accounts are created as part of the landing zone:
- Log Archive - consolidated CloudTrail and Config log files from all accounts
- Security - auditor (read-only) and administrator (full-access) cross-account roles are created in every AWS Landing Zone managed account and are assumed from the Security account. Also the Amazon GuardDuty master (administrator) account
- Shared Services - AD, DNS, LDAP
- Sandbox accounts - developers can experiment, build PoCs, etc.
- Business unit accounts - dev, test and prod workloads
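The Security account's cross-account roles are created by a CloudFormation template that is deployed into every managed account. The following is an added example of such a template, written for these notes rather than taken from the Landing Zone package: the role name SecurityAuditorRole, the SecurityAccountId parameter and the MFA condition in the trust policy are this example's own choices, not Landing Zone's.

```yaml
# Added example (not from the AWS Landing Zone package): a CloudFormation
# template deployed into a managed account that creates the read-only auditor
# role the Security account assumes. Role name, parameter names and the MFA
# condition are assumptions made for this example.
AWSTemplateFormatVersion: '2010-09-09'
Description: Read-only auditor role assumable from the Security account

Parameters:
  SecurityAccountId:
    Type: String
    AllowedPattern: '^\d{12}$'
    Description: Account ID of the Security account allowed to assume the role
  AuditorRoleName:
    Type: String
    Default: SecurityAuditorRole   # hypothetical name, not a Landing Zone role name

Resources:
  AuditorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref AuditorRoleName
      # Trust policy: only principals in the Security account may assume the
      # role, and only when their session carries MFA. Trusting the account
      # root delegates the "who exactly" decision to IAM policies in the
      # Security account.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${SecurityAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
      # SecurityAudit is the narrower policy; ReadOnlyAccess additionally
      # allows reading data such as S3 objects, so drop it if that is too wide.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      MaxSessionDuration: 3600

Outputs:
  AuditorRoleArn:
    Description: ARN the Security account assumes for read-only auditing
    Value: !GetAtt AuditorRole.Arn
```

Two caveats when using this pattern: the stack must be created with CAPABILITY_NAMED_IAM because it names the role, and the aws:MultiFactorAuthPresent condition is only present for IAM user sessions that authenticated with MFA. If the auditors in the Security account are themselves role sessions (for example from AWS SSO), that key is absent and the assume will be denied; in that case enforce MFA at the identity provider and remove the condition rather than weakening it to an IfExists test.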
AWS Control Tower
- A better packaged and managed successor to AWS Landing Zone: the landing zone as a first-class AWS service rather than a solution you deploy and maintain yourself.
- Functions as a pre-baked layer of abstraction on top of AWS Organizations, AWS Config, CloudTrail, CloudFormation StackSets and a few other services; its guardrails are preventive controls (SCPs) and detective controls (Config rules).
- Set up and operated from the AWS Console. At the time of these notes there was no IaC for the landing zone itself (Control Tower has since gained landing zone APIs and CloudFormation resources such as AWS::ControlTower::EnabledControl, so this is no longer strictly true).
Control Tower landing zone creation is started from the Control Tower console (Set up landing zone), which creates the core OUs and the Log Archive and Audit accounts.
Service Catalog | Create Control Tower Managed Account: new managed accounts are requested through the Account Factory product that Control Tower publishes in Service Catalog, the equivalent of the Landing Zone Account Vending Machine.
Customizations for AWS Control Tower (CfCT)
- Opinionated layer on top of Control Tower, published as an AWS Solution.
- Automates the setup of the rest of the environment with prescriptive best practices: a configuration package (a manifest plus CloudFormation templates and SCP documents) is committed to a repository or uploaded to S3, and a CodePipeline pipeline deploys the SCPs to OUs and the templates as StackSets to the target OUs, accounts and regions.
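The unit of customization is the manifest. The following is an added example of a manifest.yaml in the 2021-03-15 schema, written for these notes and not taken from the solution's own samples; the OU names, file paths, account IDs and regions are assumptions for illustration.

```yaml
# Added example, not part of the Customizations for AWS Control Tower
# solution itself: a manifest.yaml that deploys one preventive SCP and one
# CloudFormation StackSet. OU names, file paths, account IDs and regions
# are assumptions for illustration.
---
region: us-east-1          # home region of the Control Tower landing zone
version: 2021-03-15        # manifest schema version

resources:
  # 1. A service control policy attached to whole OUs. The referenced JSON
  #    file in the configuration package is an ordinary SCP document, here
  #    assumed to deny organizations:LeaveOrganization, cloudtrail:StopLogging
  #    and cloudtrail:DeleteTrail so member accounts cannot escape the
  #    guardrails or blind the Log Archive account.
  - name: preventive-guardrails
    description: Deny leaving the organization and stopping CloudTrail
    resource_file: policies/preventive-guardrails.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads
        - Sandbox

  # 2. A CloudFormation template deployed as a StackSet into every account in
  #    the target OUs (plus one explicitly listed account) and every listed
  #    region. Parameters are passed through to the template.
  - name: security-baseline
    description: Auditor role and baseline detective controls
    resource_file: templates/security-baseline.template
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
      accounts:
        - "222222222222"    # an account outside the listed OUs
    parameters:
      - parameter_key: SecurityAccountId
        parameter_value: "111111111111"
    regions:
      - us-east-1
      - eu-west-1
```

Two practitioner notes: SCPs never apply to the management account, so anything that must also constrain it needs a different control, and a new SCP should be attached to a non-production OU first, because a Deny that matches too broadly (for example on cloudtrail:* instead of the two actions above) breaks Control Tower's own CloudTrail management in every targeted account at once.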
AWS Organization Formation (org-formation)
- Infrastructure as Code (IaC) tool for AWS Organizations.
- Implemented as a CloudFormation-style template with custom resource types (OC::ORG::Account, OC::ORG::OrganizationalUnit, OC::ORG::ServiceControlPolicy and similar) that the org-formation CLI reads and turns into calls to the relevant AWS APIs, so the organization itself, not only the contents of each account, is managed as code.
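The following is an added example of an organization.yml for org-formation, written for these notes rather than copied from the project; it declares a Security OU holding a Log Archive and a Security account, and an SCP attached at the root. Account names, IDs, root e-mail addresses and the policy content are assumptions.

```yaml
# Added example, not from the AWS Organization Formation project: an
# organization.yml that the org-formation CLI applies to create an OU, two
# accounts and a root-level SCP. Account names, IDs, e-mail addresses and
# the policy statements are assumptions for illustration.
AWSTemplateFormatVersion: '2010-09-09-OC'
Description: Organization layout with a Security OU and a preventive SCP

Organization:
  # The management (master) account is declared, never created, by the tool.
  MasterAccount:
    Type: OC::ORG::MasterAccount
    Properties:
      AccountName: Management
      AccountId: '111111111111'

  # Policies attached to the root apply to every OU and member account below it.
  OrganizationRoot:
    Type: OC::ORG::OrganizationRoot
    Properties:
      ServiceControlPolicies:
        - !Ref DenyLeaveOrganization

  SecurityOU:
    Type: OC::ORG::OrganizationalUnit
    Properties:
      OrganizationalUnitName: security
      Accounts:
        - !Ref LogArchiveAccount
        - !Ref SecurityAccount

  # Accounts without an AccountId are created on the first apply; RootEmail
  # must be unique per account.
  LogArchiveAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Log Archive
      RootEmail: aws-log-archive@example.com
      Tags:
        owner: security-team

  SecurityAccount:
    Type: OC::ORG::Account
    Properties:
      AccountName: Security
      RootEmail: aws-security@example.com
      Tags:
        owner: security-team

  # The SCP document is inline, so it is versioned with the rest of the layout.
  DenyLeaveOrganization:
    Type: OC::ORG::ServiceControlPolicy
    Properties:
      PolicyName: DenyLeaveOrganization
      Description: Member accounts cannot leave the organization or stop CloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyLeaveAndBlindLogging
            Effect: Deny
            Action:
              - organizations:LeaveOrganization
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
            Resource: '*'
```

The tool's documented workflow is org-formation init to generate a template from an existing organization and org-formation update organization.yml to apply changes; the update prints the planned create, update and delete actions, which is the point at which an unintended account move or SCP detachment should be caught before it reaches the organization.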
- AWS Control Tower
- Customizations for AWS Control Tower | Implementations | AWS Solutions
- AWS Organizations
- AWS Organization Formation
- AWS CONTROL TOWER - How to Automate Landing Zone deployment with AWS Control Tower | Detailed DEMO