AWS Landing Zone: What It Is and When to Use It
Definition
An AWS Landing Zone is a well-architected, multi-account AWS environment that serves as a secure and scalable foundation for an organization's cloud workloads. It establishes a baseline for identity and access management, governance, data security, network design, and logging, allowing organizations to deploy applications with confidence.
How It Works
An AWS Landing Zone is not a single service but a comprehensive solution and orchestration framework that configures multiple AWS services based on best practices. The core idea is to move away from a single, monolithic AWS account to a structured, multi-account environment that provides better security, billing separation, and resource isolation.
The architecture of a typical landing zone is built upon AWS Organizations and includes several key components:
- Multi-Account Structure: The foundation is AWS Organizations, which allows you to centrally manage and govern multiple AWS accounts. Accounts are grouped into Organizational Units (OUs) based on function or security profile (e.g., Infrastructure, Workloads, Security, Sandbox).
- Core Accounts: A landing zone typically provisions a set of foundational accounts:
- Management Account: The payer account for the entire organization, used for billing and account creation.
- Log Archive Account: A centralized and immutable repository for all audit and log data (like AWS CloudTrail and AWS Config logs) from all accounts in the organization.
- Security Account: A dedicated account for security and audit teams. It provides read-only access to all other accounts for monitoring and houses centralized security services like Amazon GuardDuty and AWS Security Hub.
- Identity and Access Management: It establishes a centralized approach to identity using AWS IAM Identity Center (formerly AWS SSO). This allows users to use a single set of credentials to access multiple AWS accounts and applications, federating with existing identity providers if needed.
- Governance and Security Guardrails: Preventive and detective controls are enforced across the organization.
- Service Control Policies (SCPs): Used to enforce permission guardrails at the OU or account level, restricting which AWS services and actions are available.
- AWS Config Rules: Deployed to continuously monitor and assess the configuration of AWS resources for compliance with desired policies.
- Centralized Networking: A common networking model is established, often using a Transit Gateway in a dedicated network account to manage connectivity between Virtual Private Clouds (VPCs) and on-premises environments in a hub-and-spoke model.
- Automation: New accounts are provisioned using an automated, standardized process, often called an "Account Factory" or "Account Vending Machine (AVM)". This ensures that every new account is created with the necessary security baselines, IAM roles, and network configurations from the start.
Historically, AWS provided a solution called "AWS Landing Zone" which has since been succeeded by the managed service AWS Control Tower. AWS Control Tower automates the setup and governance of a new, secure, multi-account AWS environment based on the landing zone concept.
Key Features and Limits
Since AWS Landing Zone is a conceptual framework, its features are the capabilities of the underlying services it orchestrates.
- Automated Environment Setup: Drastically reduces the time to set up a secure, multi-account environment from weeks to hours.
- Centralized Governance: Enforce policies and controls across all accounts from a single management plane using AWS Organizations and SCPs.
- Pre-configured Security Baselines: New accounts are provisioned with established security and compliance guardrails, such as centralized logging and cross-account audit capabilities.
- Scalable Architecture: The multi-account structure is designed to scale as your organization grows, allowing you to easily add new accounts for different teams, projects, or business units.
- Customization: While AWS Control Tower provides a standardized landing zone, organizations can build custom landing zones using Infrastructure as Code (IaC) tools like AWS CloudFormation or Terraform for greater flexibility.
Limits: The limits are generally those of the underlying services. For example, the number of accounts you can have in an AWS Organization is subject to AWS Organizations quotas.
Common Use Cases
- Enterprise Cloud Adoption: For large organizations starting their cloud journey, a landing zone provides a robust, scalable, and secure foundation for migrating and building applications.
- Regulatory Compliance: Companies in regulated industries (e.g., finance, healthcare) can use a landing zone to enforce the strict security and compliance controls required for frameworks like PCI-DSS, HIPAA, or GDPR.
- Scaling Startups and Digital Businesses: As a business grows, a landing zone helps manage the increasing complexity of multiple teams, environments (dev, test, prod), and applications by providing clear separation and governance.
- Standardizing Environments for Mergers and Acquisitions: When integrating a new company, a landing zone provides a standard, secure environment to which the acquired company's workloads can be migrated.
- Educational and Research Institutions: Universities can use a multi-account strategy to provide separate, isolated environments for different departments, research projects, and student workloads, with centralized billing and control.
Pricing Model
There is no additional charge for the AWS Landing Zone concept itself or for using AWS Control Tower. You are billed for the AWS services that the landing zone provisions and that you consume. These costs typically include:
- AWS Config: For recording configuration items and evaluating compliance rules.
- AWS CloudTrail: For storing organization-level audit logs.
- Amazon S3: For storing logs in the Log Archive account.
- Amazon SNS and Amazon CloudWatch: For notifications and monitoring.
- Other services: Any other services deployed as part of the baseline, such as NAT Gateways in VPCs or AWS Service Catalog actions.
The overall cost is generally low for the foundational setup but will scale with the number of resources and configuration changes recorded across your accounts. You can use the AWS Pricing Calculator to estimate the costs of the underlying services.
Pros and Cons
| Pros | Cons | | :--- | :--- | | Enhanced Security & Compliance | Initial Complexity | | Provides a secure-by-default foundation with centralized logging, auditing, and policy enforcement. | The initial setup and understanding of the multi-account architecture can be complex for teams new to AWS. | | Scalability & Agility | Potential for Rigidity | | Enables teams to innovate faster by provisioning new, compliant accounts on demand. | A highly standardized landing zone might feel restrictive for teams that require unique configurations, though customization is possible. | | Improved Governance & Control | Operational Overhead | | Centralizes management of accounts, billing, and security policies, reducing administrative overhead. | While it automates much, a landing zone still requires management and updates, especially for custom-built solutions. | | Cost Visibility & Management | Learning Curve | | Separating workloads by account simplifies cost allocation and tracking for different business units or projects. | Developers and architects need to learn how to operate effectively within a multi-account environment. |
Comparison with Alternatives
| Approach | Description | Best For | | :--- | :--- | :--- | | AWS Control Tower | A managed AWS service that automates the deployment of a landing zone with pre-configured, best-practice blueprints. | The majority of organizations, especially those who want a quick, standardized, and AWS-managed way to set up a secure multi-account environment. | | Custom Landing Zone (IaC) | Building a landing zone from scratch using tools like AWS CloudFormation, Terraform, or the AWS CDK. | Organizations with highly specific requirements for networking, security, or compliance that are not met by AWS Control Tower's standard configuration. | | Single AWS Account | The default approach where all resources for all environments and teams are placed in a single account. | Very small projects, individual developers, or initial learning phases. It does not scale and is not recommended for production or team environments due to a lack of security and billing isolation. |
Exam Relevance
Understanding the AWS Landing Zone concept is crucial for several AWS certifications, particularly those focused on architecture and security.
- AWS Certified Solutions Architect - Associate & Professional: Questions will test your understanding of multi-account strategies, the purpose of AWS Organizations, and how to design for security and scalability. Knowing why and when to use a landing zone is key.
- AWS Certified Security - Specialty: Expect deep-dive questions on the security components of a landing zone, including SCPs, centralized logging, cross-account auditing, and using services like AWS Config and GuardDuty in a multi-account setup.
- AWS Certified Advanced Networking - Specialty: Questions may focus on the networking architecture of a landing zone, such as centralized ingress/egress, VPC sharing, and Transit Gateway deployment models.
Examinees should know the difference between AWS Landing Zone (the legacy solution/concept) and AWS Control Tower (the current managed service), and the core accounts (Management, Log Archive, Security) that form the foundation.
Frequently Asked Questions
Q: What is the difference between AWS Landing Zone and AWS Control Tower?
A: AWS Landing Zone was the original solution, deployed via a CloudFormation template, that established a multi-account environment. AWS Control Tower is the modern, managed AWS service that has succeeded it. Control Tower automates the setup of a landing zone, provides an integrated dashboard for governance, and simplifies ongoing management, making it the recommended approach for setting up new environments.
Q: Can I customize my AWS Landing Zone?
A: Yes. If you are using AWS Control Tower, you can use features like Customizations for AWS Control Tower (CfCT) and Account Factory for Terraform (AFT) to apply custom templates and policies during account provisioning. For ultimate flexibility, you can opt to build a completely custom landing zone using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation, though this requires more effort to build and maintain.
Q: Is an AWS Landing Zone only for large enterprises?
A: No. While essential for large enterprises, the principles of a landing zone are beneficial for any organization that anticipates growth. Even small companies can benefit from the security isolation and billing separation provided by a multi-account structure, and starting with a service like AWS Control Tower makes it easy to implement from day one.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.