AWS Landing Zone Setup through AWS Control Tower

May 20, 2024
3 mins. read
Kunal Shah
Cloud Solutions Architect - AWS

The AWS Landing Zone Setup project aims to architect a secure, well-governed, and scalable cloud environment using AWS Control Tower. The project’s primary goal is to provide a standardized framework for setting up multiple AWS accounts while adhering to AWS best practices and compliance requirements.

1.     Multi-account Management: Today many organizations use an AWS Landing Zone to establish a multi-account strategy, where each account serves a specific purpose, such as security, logging, audit, operations, development, testing, production, or for individual teams or projects. This segmentation allows better isolation, resource allocation, and account level management. It gives holistic view of all accounts associated to it.

2.     Security and Compliance: AWS Landing Zones help enforce consistent security and compliance standards across all AWS accounts within an organization. By implementing predefined security controls, access policies, and configurations, AWS Landing Zones reduce the risk of security breaches and ensure regulatory compliance. It acts as a single point for security measures.

3.     Cost Optimization: With an AWS Landing Zone, organizations can effectively manage AWS costs by implementing cost-tracking mechanisms, usage policies, and access controls. This allows better visibility into resource usage and cost allocation across various accounts.

4.     Operational and Governance Automation: A well-designed AWS Landing Zone enables automation of repetitive operational tasks, such as user provisioning, account setup, resource deployment, centralized audit & logging and policy enforcement. This streamlines operations and reduces the chances of manual errors.

5.     Network Connectivity and Architecture: AWS Landing Zones facilitate the creation of consistent networking and architecture patterns across AWS accounts, allowing organizations to maintain a standardized and well-organized cloud infrastructure.

Overall, AWS Landing Zone offers a standardized, secure, and scalable approach for managing AWS environments in complex, multi-account scenarios. They enable organizations to efficiently manage their cloud resources, enhance security, and streamline governance and compliance practices.

Prerequisite -

·      WS Account with Admin Access.

·      3 unique email addresses.

AWS Services Usage -

AWS Control Tower, IAM, CloudFormation


Terminologies —

·      AWS Organization: An AWS Organization is a group of AWS accounts created to simplify the management and billing of multiple AWS accounts. It serves as the root of your account hierarchy.

·      Organizational Units (OUs): OUs are logical groupings of AWS accounts within an AWS Organization. They help you organize and manage accounts with common requirements or purposes.

·      Guardrails: Guardrails area set of predefined policies and best practices that AWS Control Tower enforces to ensure security, compliance, and governance across all accounts within the organization.

·      Service Control Policies (SCPs): SCPs are policies that you attach to OUs or individual AWS accounts to manage permissions and access control across the organization.

·      IAM Identity Center (SSO): AWS IAM Identity Center is a service that enables centralized management of user access and permissions across AWS accounts and business applications.



Note — AWS Control Tower sets up paid services, such as AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon S3, and Amazon VPC. When used, these services may incur costs, as shown on the pricing page.


STEP 1: Review pricing & select regions

·      Log in to the AWS Management Console of the AWS Account where you plan to deploy AWS Control Tower. This account will be referred to as the Management account.

·      Select the service Control Tower under Management & Governance.

·      Make sure you are in one of the supported regions. Keep in mind that the region selected here is the HOMEREGION and cannot be changed once AWS Control Tower is installed.

·      On AWS Control Tower homepage, select Set up landing zone button.

·      Select the region deny setting to not enabled & click next.

STEP 2: Configure organizational units (OUs)

·      Now give names to Organizational units (OUs) & click next.


STEP 3: Configure shared accounts

·      Proceed by giving email addresses for Management account, Log archive account & Audit account. Click next.

STEP 4: Additional Configurations

·      Select AWS Control Tower sets up AWS account access with IAM Identity Center.

·      This helps in managing users, roles, policies under one umbrella.

·      Next, Enable Cloud Trail configuration.

·      Set up frequency of Logs retention.

·      Keep KMS encryption as not selected as its optional & click next.

STEP 5: Review and set up landing zone

·      Review all details thoroughly.

·      Select the check box “I understand...

·      Click Set up landing zone.

STEP 6: Accept Invitation to join IAM Identity center.

·      Now, process of deploying AWS resources is started.

·      All 3 email addresses provided will receive “ACCEPT INVITATION” along with AWS portal link.

·      Click on ACCEPT INVITATION to join IAM Identity center.

STEP 7: Track progress & complete the setup

·      Keep the track of progress as it will take around 30–45 mins to complete the entire setup.

·      Check CloudFormation stacks to check AWS resources provisioned.

·      AWS Landing Zone is Finally Active & ready to manage.

Get in touch with us
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.