AWS LANDING ZONE vs. CONTROL TOWER
While you deploy your applications on Amazon Web Services (AWS), you would first need to design and configure a base environment. With a large number of design choices, traditional ways of setting up a multi-account AWS environment may require a considerable amount of time and effort. AWS deployments will involve the configuration of multiple accounts and services and require a deep understanding of AWS services.
AWS Control Tower and AWS Landing Zone are two solutions from Amazon which helps customers quickly set up secure, scalable, multi-account environments based on best practices.
AWS LANDING ZONE
AWS Landing Zone is another solution by AWS, which is a well-architected, multi-account baseline that follows AWS best practices and provides guardrails for governance, security, compliance, and operations. AWS Landing Zone is an orchestration framework for your foundational AWS environment, which provides a baseline to get started with governance, data security, multi-account architecture, identity and access management, network design, and logging. It saves time by automating an environment’s setup for running secure and scalable workloads while implementing an initial security baseline by creating core accounts and resources.
- AWS Landing Zone comes with rich customization options. Some of the customer add-ons include Active Directory, Okta Directory, etc. Ongoing changes and modifications can be done through code deployments using configuration pipelines.
- This solution is delivered by professional services consultants or AWS Solutions Architects to create a customized baseline of AWS accounts, security settings, policies, and networks.
Fig: AWS Landing Zone Architecture (Source AWS)
- Allows implementing multiple core accounts in an organization.
- Automates setup of an AWS environment (IaC)
- Automates provisioning of accounts.
- Builds a baseline for security.
- In a DevOps environment, it can operate and integrate with Gitlab.
- Supports security features like monitoring, logging, alerts, IAM, service control policies, and MFA (Multi-Factor Authentication).
- Automatically enable rules and dashboards using governance rules.
- Option to view and manage resource utilization.
- Support for creating new accounts using the AVM.
- Supports single sign-on
- Security guardrails at global and account-levels
- Fully managed service
- AWS provided best practices, guardrails, and compliance
- Effective governance and operational model
AWS CONTROL TOWER
Want to quickly set up and govern a new, secure, multi-account AWS environment? AWS Control Tower is the way to go. It is based on best-practices and enables governance using guardrails from a pre-packaged list. With AWS Control Tower, new AWS accounts can be provisioned in few clicks, while your AWS accounts will still conform to your company-wide policies. If you start a new journey to AWS, Control Tower will help you get started quickly with the necessary governance and best practices.
- AWS Control Tower can automate the setup of a new landing zone using best-practices blueprints for federated access, identity, and account structure
- AWS Control Tower can be managed using a set of recommended and mandatory guardrails. Customers select it through a self-service console experience to ensure accountsand configurations comply with your policies.
- Provisioning of new accounts in your organization can be automated using the account factory. Using configurable account templates, Control Tower helps you standardize the provisioning of new accounts.
- Preventive & Detective Guardrails. Control Tower automatically translates guardrails into suitable AWS policies. Supports for mandatory and optional guardrails
- AWS Control Tower is free, but the configured services and policies are not free.
Fig: AWS Control Tower Architecture (Source AWS)
- Helps to set up and configure a new AWS Environment quickly.
- Multiple teams can provision new AWS accounts quickly.
- All the accounts will get aligned with centrally established, company-wide policies.
- Automate ongoing policy management
- View policy level summaries of your AWS Environment
- AWS workloads can be managed using rules for security, operations, and internal compliance
- Automate the setup of the AWS environment.
- You can select and apply pre-packaged policies globally or to specific groups or accounts.
Though both look similar and are created for similar purposes by AWS, there are some differences too. The following section gives a brief comparison of key differences between the two AWS technologies for managing multi-account environments.
|FEATURE/FUNCTION||AWS Landing Zone||AWS Control Tower|
|Launched in||June 2018||June 2019|
|Delivery mechanism||CloudFormation and Terraform||AWS Managed Service|
|Architectural Support||Fully customizable and owned by the customer||Customizable via solution + AWS recommends best practices with managed blueprints and guardrails.|
|Account Structure||Complete flexibility for customer-defined account structure||Non-configurable core accounts with no SS and no Amazon VPC in core|
|Federated Access||Supports AWS SSO, Microsoft AD or Active Directory Connectors||It comes preconfigured with AWS SSO (Active Directory or Single Sign-On) and integrated with third-party SSO providers|
|Operations||Capabilities of Landing Zone are extensible to manage the most complex and advanced environments.||Simple setup and management for reduced operational overhead|
|Use existing AWS Organization.||Yes||No|
|Use existing SSO environment.||Yes||No|
|Use existing AWS Service Catalog environment.||Yes||No|
|When to use?||You are building a new offering or having teams starting on their AWS journey or are entirely new to AWS. Use when you want a self-service experience to set up a new AWS environment based on a landing zone with preconfigured blueprints. And then you want to govern your accounts with preconfigured guardrails interactively.||You are looking for rich customizations and configurations. AWS Landing Zone comes with such options and add-ons. Example: Active Directory, Okta Directory, etc. Ongoing changes and modifications can also be done through code deployments using configuration pipelines.|
You may ask whether we can use AWS Landing Zone and AWS Control Tower in the same multi-account environment?
Both AWS Control Tower and AWS Landing Zone help enterprises to set up and manage secure multi-account AWS environments. If you are a novice to AWS, it is better to use AWS Control Tower or if you need a configurable landing zone with full customization options and control, use AWS Landing Zone.
Are you interested in reading similar articles? Please follow us on LinkedIn.
About The Author
About The Author
Dr. Anil Kumar
VP Engineering, CLOUD CONTROL
Founder | Vice President | CTO | Architect | Consultant | Mentor | Advisor | Faculty
A solution architect and IT consultant with more than 25 years of IT experience. Held various roles with both national and international institutions. Expertise in working with both legacy and advanced technology stacks and business domains.