What is a landing zone?
A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. This is a starting point from which your organization can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment. Building a landing zone involves technical and business decisions to be made across account structure, networking, security, and access management in accordance with your organization’s growth and business goals for the future.
When you start to use AWS at scale, you can look to AWS for prescriptive guidance and an approach for establishing your environment. AWS best practices in this area center on separating resources and workloads into multiple AWS accounts, which act as resource containers: each account is a boundary that isolates workloads from one another and reduces the scope of impact when something goes wrong in one of them. The next section explains why you want to use multiple accounts.
The multi-account framework
Although there is no standard number of AWS accounts you should have, we recommend that you create more than one AWS account. Multiple accounts provide the highest level of resource and security isolation. Consider creating additional AWS accounts if you answer yes to any of the following questions:
- Does your business require administrative isolation between workloads?
- Does your business require limited visibility and discoverability of workloads?
- Does your business require isolation to minimize the scope of impact?
- Does your business require strong isolation of recovery or auditing data?
Here are other reasons why a single account might not be enough:
- Security controls – Different applications might have different security profiles that require different control policies and mechanisms. For example, it is easier to demonstrate compliance to an auditor when you can point to a single account that hosts only your Payment Card Industry (PCI) workload, because the scope of the review is the account boundary rather than a subset of resources inside a shared account.
- Isolation – An account is a unit of security protection. Potential risks and security threats should be contained within an account without affecting other accounts. By default, principals in one account have no access to resources in another unless that access is explicitly granted, so separate accounts let you keep teams with different security needs, or workloads with different security profiles, apart from each other.
- Data isolation – Isolating data stores to an account limits the number of people who can access and manage that data store. This restricts exposure to highly private data and helps with General Data Protection Regulation (GDPR) compliance.
- Many teams – Different teams have different responsibilities and resource needs. They should not get in each other's way in the same account.
- Business process – Different business units or products might have different purposes and processes. You should establish different accounts to serve business-specific needs.
- Billing – An account is the only true way to separate items at a billing level, including separating data transfer charges. Multiple accounts help separate items at a billing level across business units, functional teams, or individual users.
- Limit allocation – Service limits (quotas) are applied per account, and many are also per Region. Separating workloads into different accounts prevents one workload from consuming the shared quota or overprovisioning resources and, as a result, preventing other applications in the same account from working as intended.