What is an AWS Landing Zone? Understanding Multi-Account Architecture

What is an AWS Landing Zone? Understanding Multi-Account Architecture

Written on November 9th, 2025 by Danny Steenman

Last updated: November 10th, 2025

13 min read
0 views
--- likes

When you first start using AWS, everything seems simple. You create an account, spin up some EC2 instances, maybe an RDS database, and your application is running. Development, staging, and production all coexist in one account. It works, until it doesn't.

As your organization grows and your AWS usage expands, you start hitting walls. Your developers accidentally modify production resources. Your security team struggles to implement different compliance requirements for different environments. Your finance team can't figure out which team is responsible for that $10,000 spike in costs last month.

This is the natural evolution every growing organization faces on AWS. The single-account model that served you well in the beginning becomes a liability as complexity increases.

The Single Account Problem: Why One Account Isn't Enough

Starting with a single AWS account is logical. It's simple to manage, requires minimal setup, and gets you running quickly. However, as your organization scales, several critical issues emerge:

Security and Access Control Challenges In a single account, IAM policies become increasingly complex as you try to separate access between environments. Developers need different permissions for development versus production, but managing this through IAM alone becomes a tangled web of policies, roles, and exceptions.

Compliance and Regulatory Constraints Different environments often have different compliance requirements. Your production environment handling customer data needs strict PCI-DSS controls, while your development sandbox needs flexibility for experimentation. Implementing these contradictory requirements in one account is technically possible but operationally nightmarish.

Cost Attribution and Budget Control When all resources live in one account, determining which team or project is driving costs requires extensive tagging discipline, which rarely survives contact with reality. That unexpected AWS bill becomes a forensic investigation rather than a simple report.

Blast Radius and Risk Management A misconfiguration in one environment can impact all others. An overly permissive S3 bucket policy in development could expose production data. A runaway Lambda function in staging could consume your entire account's concurrent execution limit, impacting production.

The Natural Evolution: Why Organizations Create Multiple Accounts

As these pain points intensify, organizations naturally begin creating additional AWS accounts. This isn't a planned strategy initially. It's organic growth driven by immediate needs:

  • The security team creates a separate account for centralized logging after a compliance audit
  • The data science team requests their own account to experiment with SageMaker without impacting production
  • A new product team gets their own account to move faster without waiting for central IT approval
  • The finance team demands separate accounts for better cost tracking and budget controls

This organic growth solves immediate problems but creates new ones. Now you have multiple accounts, but no central way to manage them. Each account has its own security settings, its own IAM users, its own network configuration. You've traded one set of problems for another.

The Orchestration Challenge: Managing Multiple Accounts at Scale

Once you have multiple AWS accounts, new challenges emerge:

Identity and Access Management How do you manage user access across 10, 20, or 100 accounts? Creating IAM users in each account doesn't scale. Password policies, MFA requirements, and access reviews become exponentially complex.

Security and Compliance Governance Each account needs security baselines: CloudTrail for auditing, GuardDuty for threat detection, Config for compliance monitoring. Implementing these manually in each account is time-consuming and error-prone. Ensuring consistency across accounts becomes nearly impossible.

Network Architecture and Connectivity Your accounts need to communicate. The production API needs to reach the production database. The development environment needs access to shared services. Building and maintaining network connections between accounts without a central strategy leads to a complex mesh that nobody fully understands.

Policy Enforcement and Guardrails You want to prevent certain actions across all accounts: no unencrypted S3 buckets, no public RDS instances, no EC2 instances in unapproved regions. Implementing these policies account by account relies on human discipline, which inevitably fails.

The Solution: AWS Landing Zone as Your Orchestration Layer

A landing zone is fundamentally an orchestration methodology: a systematic approach to managing multiple AWS accounts from a central control plane. It's not a single service or tool, but rather a comprehensive framework that brings order to multi-account chaos.

Think of a landing zone as the operating system for your AWS infrastructure. Just as an OS manages hardware resources and provides a consistent interface for applications, a landing zone manages AWS accounts and provides a consistent governance model for workloads.

What a Landing Zone Orchestrates

Centralized Identity Management Instead of managing users in each account, a landing zone implements AWS Single Sign-On (SSO) or identity federation. Users authenticate once and assume roles in target accounts. No more password sprawl, no more orphaned IAM users.

Account Provisioning and Lifecycle New accounts are created through an automated "account factory" with pre-configured security baselines, network connectivity, and cost controls. What once took weeks of manual setup now takes minutes.

Policy Orchestration Through Service Control Policies (SCPs) Service Control Policies act as guardrails at the organization level. Unlike IAM policies that grant permissions, SCPs set maximum permissive boundaries that cannot be exceeded, even by account administrators. This creates unbreakable security boundaries.

Centralized Security and Logging All accounts automatically send logs to a central, immutable archive. Security services like GuardDuty aggregate findings across all accounts into a single pane of glass. Compliance monitoring happens continuously, not just during audits.

Network Orchestration A hub-and-spoke network architecture connects accounts through a central transit gateway. Network segmentation, routing, and security policies are managed centrally while allowing accounts to maintain isolation.

Cost Management and Optimization Consolidated billing provides a single invoice with detailed cost breakdowns by account. Budget alerts, spending limits, and automated cost optimization policies can be applied based on account type (production vs. development).

How Landing Zone Orchestration Works in Practice

Let's trace through a typical workflow to understand the orchestration in action:

New Team Onboarding

  1. A new product team needs AWS resources
  2. They request an account through a service catalog
  3. The landing zone automatically:
    • Creates a new account in the appropriate organizational unit
    • Applies relevant SCPs based on the environment type
    • Configures network connectivity to shared services
    • Enables security services (CloudTrail, GuardDuty, Config)
    • Sets up cost budgets and alerts
    • Grants the team access through SSO
  4. Within 30 minutes, the team has a fully configured, compliant account

This entire process happens through automation, ensuring consistency and compliance without manual intervention.

Implementation Approaches: Building Your Orchestration Layer

There are two primary approaches to implementing a landing zone on AWS:

AWS Control Tower: The Managed Orchestration Service

AWS Control Tower provides a pre-packaged landing zone with AWS-native orchestration. It includes:

  • Automated account provisioning through Account Factory
  • Pre-configured organizational units for security, production, and sandbox accounts
  • A baseline set of SCPs (called guardrails) for security and compliance
  • Centralized logging and security services
  • A dashboard for monitoring compliance and drift

Control Tower is ideal when you want to get started quickly with AWS best practices and don't need extensive customization.

Trade-offs: The main limitation is that Control Tower is managed through the AWS Console, which makes it difficult to track state changes over time. Without infrastructure as code, you lose the ability to version control your landing zone configuration, review changes through pull requests, or maintain a clear audit trail of what changed and when. This manual approach can lead to configuration drift and makes it harder to replicate your setup across multiple organizations.

Infrastructure as Code: Custom Orchestration

This solves the state management problem by defining your entire landing zone in code. Using tools like Terraform, CloudFormation, or AWS CDK, you can build a custom landing zone tailored to your specific requirements with full version control.

Organizations choose this path when they need:

  • Full infrastructure as code for version control and repeatability
  • Integration with existing enterprise tools and workflows
  • Custom compliance requirements not covered by Control Tower
  • Multi-region or multi-organization architectures
  • Specific network topologies or security patterns

Our AWS Landing Zone Solution: We've built a production-ready landing zone using AWS CDK that provides the governance and security of Control Tower with the flexibility of infrastructure as code. It's 100% open source, fully customizable, and includes:

  • Complete multi-account architecture deployed through CDK
  • 100% score on the industry-standard CIS AWS Foundation Benchmark
  • 96% rating on AWS's own foundational security best practices
  • Automated security baselines, logging, and monitoring
  • Hub-and-spoke network architecture
  • Pre-configured organizational units and SCPs
  • Full list of implemented features available in our public roadmap

Because it's infrastructure as code, every change is tracked in version control, reviewed through pull requests, and can be deployed consistently across multiple organizations.

Key Components of Landing Zone Architecture

Account Structure and Organization

A typical landing zone organizes accounts into a hierarchy using AWS Organizations:

Root Organization
├── Security OU
│   ├── Log Archive Account (centralized, immutable logging)
│   └── Audit Account (read-only access for compliance)
├── Production OU
│   ├── Production Workload Accounts
│   └── Production Data Accounts
├── Non-Production OU
│   ├── Development Accounts
│   ├── Staging Accounts
│   └── Sandbox Accounts
└── Infrastructure OU
    ├── Network Hub Account
    └── Shared Services Account

This structure provides logical separation while enabling central management through organizational units (OUs).

Preventive Controls Through SCPs

Service Control Policies prevent actions that violate your governance model. Common SCP implementations include:

  • Denying the ability to disable CloudTrail or delete logs
  • Preventing resource creation outside approved regions
  • Requiring encryption for all data storage services
  • Blocking public access to databases and storage
  • Enforcing tagging requirements for cost allocation

These policies are inherited through the organization hierarchy, ensuring consistent enforcement.

Detective Controls and Monitoring

While SCPs prevent violations, detective controls identify issues and drift:

  • AWS Config continuously evaluates resource compliance
  • CloudTrail provides an audit trail of all API actions
  • GuardDuty detects threats and anomalous behavior
  • Security Hub aggregates findings from multiple services
  • AWS Well-Architected reviews identify architectural improvements

Network Architecture Patterns

Landing zones typically implement a hub-and-spoke network topology:

  • A central network account hosts the transit gateway
  • Spoke accounts connect to the hub for inter-account communication
  • Shared services (DNS, directory services) reside in the hub
  • Network segmentation enforces security boundaries
  • Centralized egress reduces NAT gateway costs and improves security

The Business Benefits of Orchestration

Reduced Operational Overhead

Manual account management doesn't scale. With 20 accounts, you're spending more time on governance than innovation. Landing zone automation reduces operational overhead by 60-80%, freeing your team to focus on business value.

Improved Security Posture

Centralized security controls and monitoring dramatically reduce risk. Security baselines are consistently applied, detective controls identify issues quickly, and the blast radius of any incident is contained to a single account.

Accelerated Delivery

Teams get productive environments in minutes instead of weeks. Pre-approved patterns and guardrails mean less time in security reviews. Developers can experiment in sandboxes without risking production.

Cost Optimization

Centralized cost management provides visibility and control. Automated policies can terminate unused resources, right-size instances, and enforce budget limits. Organizations typically see 20-35% cost reduction after implementing proper account governance.

Compliance and Audit Readiness

With centralized logging, consistent security controls, and automated compliance monitoring, audit preparation changes from a fire drill to a routine report generation. Many compliance frameworks (SOC2, HIPAA, PCI-DSS) explicitly require the controls a landing zone provides.

For example, when we deployed our CDK-based landing zone for Accolade, they achieved a 100% score on the industry-standard CIS AWS Foundation Benchmark and a 96% rating on AWS's own foundational security best practices. This level of security posture dramatically simplified their SOC2 compliance process.

Common Misconceptions About Landing Zones

"We're too small for a landing zone" If you have more than one AWS account or more than one team using AWS, you need orchestration. The complexity of managing multiple accounts manually grows exponentially.

"It will slow down our development" The opposite is true. Developers wait days or weeks for properly configured accounts without a landing zone. With one, they get secure, compliant environments in minutes through self-service.

"We can build this ourselves as we go" Technical debt in account architecture is among the most expensive to remediate. Retrofitting governance, security, and network architecture across existing accounts is exponentially more complex than implementing it correctly from the start.

Getting Started: Your Path to Centralized Orchestration

For Organizations New to AWS

  1. Start with a landing zone before migrating workloads
  2. Use Control Tower for the fastest path to a governed multi-account environment
  3. Focus on account structure and basic guardrails first
  4. Add sophistication as your AWS usage matures

for Organizations Already Using AWS

  1. Assess your current account structure and pain points
  2. Design your target account architecture
  3. Implement the landing zone in parallel with existing accounts
  4. Migrate workloads incrementally, starting with non-production
  5. Use the migration as an opportunity to modernize and standardize

Key Decisions to Make

Before implementing a landing zone, decide on:

  • Account strategy (per application, per environment, or per team)
  • Network architecture (centralized, distributed, or hybrid)
  • Identity provider and federation approach
  • Compliance requirements and necessary controls
  • Budget and cost allocation model

Conclusion

The journey from a single AWS account to a multi-account architecture is a natural evolution that every growing organization experiences. As complexity increases, the need for central orchestration becomes critical.

An AWS Landing Zone provides that orchestration layer, transforming what would be chaos into a governed, scalable, and secure cloud foundation. It's not about adding bureaucracy or slowing down innovation. It's about creating the systematic approach that enables your organization to scale efficiently while maintaining security and compliance.

Whether you implement it through Control Tower or build it custom with infrastructure as code, the key is recognizing that multi-account orchestration isn't optional once you reach a certain scale. It's essential for sustainable cloud operations.

The question isn't whether you need a landing zone, but when you'll implement one. The earlier you establish this foundation, the less technical debt you'll accumulate and the faster you'll be able to scale.

Get Production-Ready, SOC 2 Compliant AWS Accounts from Day One

We deploy AWS Landing Zones using infrastructure as code with pre-configured multi-account architecture, built-in security controls and guardrails including monitoring to stay in control of what happens so you can safely start deploying workloads immediately.

Share this article on ↓

Related articles you might like

Case Study: Building Enterprise-Grade AWS Infrastructure for Accolade

Case Study: Building Enterprise-Grade AWS Infrastructure for Accolade

April 17th, 2025

Case study detailing how Towards the Cloud partnered with Accolade to build a secure, scalable, and SOC 2 compliant AWS landing zone.

AWS Enterprise Support vs Partners: Which One Do You Actually Need?

AWS Enterprise Support vs Partners: Which One Do You Actually Need?

November 5th, 2025

AWS Enterprise Support costs 10% of your monthly spend with a $15K minimum. But are TAMs worth it, or should you work with AWS Partners instead? Real experiences from AWS practitioners reveal what actually works.

Join ---- other subscribers on my journey as a Cloud Engineer building a six-figure Cloud Consulting business leveraging AWS. Here I share my real-world learnings, solutions, and the lessons learned the hard way, all delivered directly to your inbox.

← Back to blog