Landing Zone & Governance
Account/subscription structure, guardrails, SCPs, blueprints
A cloud landing zone is a pre-configured, secure, and scalable multi-account environment that serves as the foundation for all cloud workloads. AWS Control Tower automates landing zone setup using AWS Organizations, establishing account vending, Service Control Policies (SCPs) as guardrails, and centralised logging/audit trails. The Azure equivalent is Azure Landing Zone (ALZ) / Enterprise Scale; the GCP equivalent is the Resource Hierarchy with Organization Policies. Landing zones enforce security baselines before any workload team touches the cloud.
Key Points
- AWS Organizations structure: Management Account (billing, SCPs) → Organizational Units (OUs) by environment (Prod, NonProd, Sandbox) → Member Accounts — each workload team gets its own account for blast radius isolation.
- Service Control Policies (SCPs) set the maximum permissions available to principals in an OU or account (an organization-level guardrail, distinct from IAM permissions boundaries; they never grant access on their own) — use deny SCPs to prevent: root user API calls in member accounts, disabling GuardDuty, creating public S3 buckets, and deploying outside approved regions.
- AWS Control Tower Account Factory (+ Account Factory for Terraform/AFT) vends new member accounts pre-configured with SCPs, logging, security baselines, and VPC templates in minutes.
- Centralised logging account: all CloudTrail, Config, and VPC Flow Logs from member accounts aggregate to an immutable S3 bucket in the Log Archive account — tamper-proof for compliance.
- Network hub account (or Shared Services account) hosts the Transit Gateway, Direct Connect, and DNS — all member VPCs attach to the TGW as spokes for hub-and-spoke connectivity, avoiding a mesh of inter-account VPC peering connections.
- Security account (Audit account) hosts GuardDuty delegated administrator, Security Hub aggregator, and Config aggregator — security team has read access to all member accounts without lateral movement risk.
- Azure Management Group hierarchy: Root → Platform (Identity, Connectivity, Management) → Landing Zones (Corp, Online) → Sandboxes — mirrors the AWS OU structure, with Azure Policy assignments at management-group scope providing the SCP-style guardrails and Entra ID RBAC governing who can act on resources.
- Landing zone day-2 operations: automate account decommissioning (resource cleanup, SCP removal, billing separation), periodic SCP compliance reviews, and landing zone version upgrades via Control Tower updates.
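The deny-SCP guardrails listed above (root user, GuardDuty tampering, public S3, unapproved regions) are easier to reason about with a concrete policy document in front of you. The block below is an added example, not an artefact of Control Tower or of the page's author: it holds a constructed guardrail SCP and a deliberately small evaluator that reports which deny statement, if any, would block a given API call. The account ID, role name and approved-region list are placeholders, and the evaluator assumes the OU also carries the default FullAWSAccess allow, so only explicit denies are checked; it supports the policy elements the sample SCP uses (Action/NotAction wildcards and the StringEquals, StringNotEquals and StringLike condition operators), not the full IAM evaluation logic.

```python
"""Constructed guardrail SCP plus a minimal deny evaluator (example code)."""
from fnmatch import fnmatchcase

# Assumption: placeholder regions and account; replace with your own.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]
ACCOUNT = "111122223333"

# Constructed SCP. Deny-only: SCPs never grant, they only cap what
# IAM policies inside the member account may allow.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Block every API call made as the member account's root user.
            "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # Stop member accounts from turning off or detaching GuardDuty.
            "Sid": "ProtectGuardDuty", "Effect": "Deny", "Resource": "*",
            "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
                       "guardduty:DisassociateFromAdministratorAccount",
                       "guardduty:StopMonitoringMembers"],
        },
        {   # Refuse public canned ACLs on buckets and objects.
            "Sid": "DenyPublicS3Acl", "Effect": "Deny", "Resource": "*",
            "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"],
            "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}},
        },
        {   # Account-level Block Public Access is set by the landing zone; freeze it.
            "Sid": "ProtectBlockPublicAccess", "Effect": "Deny", "Resource": "*",
            "Action": "s3:PutAccountPublicAccessBlock",
        },
        {   # Region lock: deny everything outside the approved list except global services.
            "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                          "route53:*", "support:*", "budgets:*"],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively and '*' is a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, ctx):
    """All operator blocks and keys must hold (AND); values for one key are OR'ed."""
    for operator, keys in condition.items():
        negated = operator.startswith("StringNot")
        for key, allowed in keys.items():
            allowed = _as_list(allowed)
            actual = ctx.get(key)
            if actual is None:
                # Missing context key: positive operators fail, negated ones pass.
                if not negated:
                    return False
                continue
            if operator == "StringLike":
                hit = any(fnmatchcase(actual, pat) for pat in allowed)
            else:
                hit = actual in allowed
            if negated == hit:      # StringEquals needs a hit, StringNot* needs a miss
                return False
    return True


def evaluate_scp(scp, action, ctx):
    """Return the Sid of the first Deny statement that blocks the call, else None."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            matched = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        else:
            matched = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if matched and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


# Constructed request contexts: a workload role and the account's root user.
ROLE = f"arn:aws:iam::{ACCOUNT}:role/WorkloadDeploy"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"


def demo():
    """Evaluate a handful of representative calls against the guardrail SCP."""
    cases = [
        ("ec2:RunInstances", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "eu-west-1"}),
        ("ec2:RunInstances", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "us-east-1"}),
        ("iam:CreateRole", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "us-east-1"}),
        ("s3:ListBucket", {"aws:PrincipalArn": ROOT, "aws:RequestedRegion": "eu-west-1"}),
        ("guardduty:DeleteDetector", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "eu-west-1"}),
        ("s3:PutBucketAcl", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "eu-west-1",
                             "s3:x-amz-acl": "public-read"}),
        ("s3:PutBucketAcl", {"aws:PrincipalArn": ROLE, "aws:RequestedRegion": "eu-west-1",
                             "s3:x-amz-acl": "private"}),
    ]
    return [(action, evaluate_scp(GUARDRAIL_SCP, action, ctx)) for action, ctx in cases]


if __name__ == "__main__":
    for action, verdict in demo():
        print(f"{action:28s} -> {verdict or 'not denied by SCP'}")
```

Statement order matters only for which Sid is reported; in real evaluation any matching Deny wins. Note the two things the example makes visible that the bullet alone does not: `NotAction` is what keeps global services such as IAM and STS usable under a region lock, and a deny SCP is silent for the management account, so the root-user guardrail only protects member accounts.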
Real-World Example
A Fortune 100 retailer deployed AWS Control Tower with 200+ member accounts across 4 OUs, using Account Factory for Terraform to vend PCI-compliant accounts with pre-baked VPC, GuardDuty, Security Hub, and CloudTrail in under 15 minutes per account.