AWS LANDING ZONE vs. CONTROL TOWER

INTRODUCTION

Before you deploy applications on Amazon Web Services (AWS), you first need to design and configure a base environment. With a large number of design choices, the traditional way of setting up a multi-account AWS environment can take considerable time and effort: the deployment involves configuring multiple accounts and services and requires a deep understanding of those services.

AWS Control Tower and AWS Landing Zone are two solutions from Amazon that help customers quickly set up secure, scalable, multi-account environments based on AWS best practices.

AWS LANDING ZONE

AWS Landing Zone is a well-architected, multi-account baseline that follows AWS best practices and provides guardrails for governance, security, compliance, and operations. It is an orchestration framework for your foundational AWS environment, giving you a starting point for governance, data security, multi-account architecture, identity and access management, network design, and logging. It saves time by automating the environment setup for running secure and scalable workloads, and it implements an initial security baseline by creating the core accounts and resources.

  • AWS Landing Zone comes with rich customization options. Available add-ons include Active Directory and Okta Directory integration, among others. Ongoing changes and modifications are made through code deployments using configuration pipelines.
  • The solution is delivered by AWS Professional Services consultants or AWS Solutions Architects, who create a customized baseline of AWS accounts, security settings, policies, and networks.

                             Fig: AWS Landing Zone Architecture (Source AWS)

KEY BENEFITS

  • Allows implementing multiple core accounts in an organization.
  • Automates the setup of an AWS environment as infrastructure as code (IaC).
  • Automates the provisioning of accounts.
  • Builds a baseline for security.
  • In a DevOps environment, it can operate with and integrate into GitLab-based workflows.
  • Supports security features such as monitoring, logging, alerts, IAM, service control policies (SCPs), and MFA (Multi-Factor Authentication).
  • Automatically enables governance rules and the dashboards that report on them.
  • Option to view and manage resource utilization.
  • Supports creating new accounts using the Account Vending Machine (AVM).
  • Supports single sign-on.
  • Security guardrails at global and account levels.
  • Delivered as a deployable solution (CloudFormation) that the customer owns and can fully customize.
  • AWS-provided best practices, guardrails, and compliance.
  • Effective governance and operational model.

AWS CONTROL TOWER

Want to quickly set up and govern a new, secure, multi-account AWS environment? AWS Control Tower is the way to go. It is based on best practices and enforces governance using guardrails chosen from a pre-packaged list. With AWS Control Tower, new AWS accounts can be provisioned in a few clicks while still conforming to your company-wide policies. If you are starting your AWS journey, Control Tower helps you get going quickly with the necessary governance and best practices in place.

  • AWS Control Tower automates the setup of a new landing zone using best-practice blueprints for federated access, identity, and account structure.
  • AWS Control Tower is managed through a set of mandatory and recommended guardrails. Customers select them through a self-service console experience to ensure that accounts and configurations comply with company policies.
  • Provisioning of new accounts in your organization is automated using the Account Factory. Using configurable account templates, Control Tower helps you standardize the provisioning of new accounts.
  • Preventive and detective guardrails: Control Tower automatically translates each guardrail into the corresponding AWS policy (preventive guardrails become service control policies, detective guardrails become AWS Config rules). Both mandatory and optional guardrails are supported.
  • AWS Control Tower itself carries no additional charge, but the AWS services and policies it configures on your behalf are billed as usual.

                       Fig: AWS Control Tower Architecture (Source AWS)

KEY BENEFITS

  • Helps you set up and configure a new AWS environment quickly.
  • Multiple teams can provision new AWS accounts quickly.
  • All accounts stay aligned with centrally established, company-wide policies.
  • Automates ongoing policy management.
  • Provides policy-level summaries of your AWS environment.
  • AWS workloads can be managed using rules for security, operations, and internal compliance.
  • Automates the setup of the AWS environment.
  • You can select pre-packaged policies and apply them globally or to specific groups of accounts or individual accounts.

KEY DIFFERENCES

Though both look similar and are created for similar purposes by AWS, there are some differences too. The following section gives a brief comparison of key differences between the two AWS technologies for managing multi-account environments.

Feature/Function | AWS Landing Zone | AWS Control Tower
Launched in | June 2018 | June 2019
Delivery mechanism | CloudFormation and Terraform (solution deployed and owned by the customer) | AWS managed service
Architectural support | Fully customizable and owned by the customer | Customizable via the solution; AWS recommends best practices with managed blueprints and guardrails
Account structure | Complete flexibility for a customer-defined account structure | Non-configurable core accounts, with no Shared Services account and no Amazon VPC in the core accounts
Federated access | Supports AWS SSO, Microsoft AD or Active Directory Connector | Comes preconfigured with AWS SSO (Active Directory or Single Sign-On) and integrates with third-party SSO providers
Operations | Extensible enough to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead
Use an existing AWS Organization | Yes | No
Use an existing SSO environment | Yes | No
Use an existing AWS Service Catalog environment | Yes | No
When to use | You need rich customization and configuration options, including add-ons such as Active Directory or Okta Directory, and you want ongoing changes made through code deployments using configuration pipelines | You are building a new offering, have teams starting their AWS journey, or are entirely new to AWS, and you want a self-service experience to set up a new environment from preconfigured blueprints and then govern your accounts interactively with preconfigured guardrails

Note that Control Tower has gained capabilities since this comparison was written (for example, it can now be enabled in an existing AWS Organization), so verify the Yes/No rows against the current AWS documentation before deciding.

CAN YOU USE BOTH?

You may ask whether AWS Landing Zone and AWS Control Tower can be used in the same multi-account environment.
Those who are using AWS Control Tower can obtain Landing Zone-style capabilities by customizing Control Tower and deploying additional resources to existing and new accounts within the organization. You can also attach custom service control policies (SCPs) to those accounts on top of the ones AWS Control Tower already provides; because SCPs only ever narrow permissions, a custom SCP can tighten a Control Tower guardrail but never loosen it.
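The following is an added example, not code from the original article or from AWS, showing how a custom SCP stacked on top of the default FullAWSAccess policy behaves under simplified SCP evaluation rules (explicit Deny wins, otherwise at least one Allow is required). The policy, the approved-region list and the sample requests are constructed for illustration; they are not Control Tower's own guardrail policies, and the evaluator ignores OU inheritance and the management-account exemption.

```python
"""Evaluate a custom SCP layered over the Organizations default, the way a
guardrail added on top of Control Tower's own SCPs would behave.
Constructed example: policy, region list and requests are made up for
illustration; they are not Control Tower's guardrail policies."""
import fnmatch
import json

# Hypothetical custom guardrail: protect CloudTrail and pin workloads to two regions.
CUSTOM_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
        {
            # NotAction exempts global services whose API calls are not regional.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
        },
    ],
}

# Organizations attaches FullAWSAccess by default; SCPs only narrow permissions,
# so without an Allow somewhere in the stack every action is implicitly denied.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, case_insensitive):
    # IAM action names are case-insensitive; resource ARNs are not.
    if case_insensitive:
        value = value.lower()
        return any(fnmatch.fnmatchcase(value, p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent,
                # which is why a region guardrail also catches requests with no region.
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_matches(stmt, action, resource, context):
    if "Action" in stmt:
        if not _glob_match(stmt["Action"], action, True):
            return False
    elif "NotAction" in stmt:
        if _glob_match(stmt["NotAction"], action, True):
            return False
    if not _glob_match(stmt.get("Resource"), resource, False):
        return False
    return _condition_holds(stmt.get("Condition"), context)


def evaluate_scps(policies, action, resource="*", context=None):
    """SCP decision for one request: any matching Deny wins; otherwise at least
    one matching Allow is required. Returns (decision, statement id)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY", stmt.get("Sid", "<unnamed>")
            allowed = True
    return ("ALLOW", None) if allowed else ("DENY", "ImplicitDeny")


def check_examples():
    """Constructed requests run against the stacked policies."""
    stacked = [FULL_AWS_ACCESS, CUSTOM_GUARDRAIL_SCP]
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    return {
        "stop_logging": evaluate_scps(stacked, "cloudtrail:StopLogging", context=eu),
        "s3_in_region": evaluate_scps(stacked, "s3:PutObject", "arn:aws:s3:::demo-bucket/key", eu),
        "s3_out_of_region": evaluate_scps(stacked, "s3:PutObject", "arn:aws:s3:::demo-bucket/key", us),
        "iam_global_service": evaluate_scps(stacked, "iam:CreateRole", context=us),
        "deny_only_policy": evaluate_scps([CUSTOM_GUARDRAIL_SCP], "ec2:DescribeInstances", context=eu),
    }


if __name__ == "__main__":
    print(json.dumps(check_examples(), indent=2))
```

The last case is the one that bites in practice: if FullAWSAccess is detached from an OU while only Deny-style guardrails remain, every action in that OU is implicitly denied. Run the evaluator against a candidate SCP before attaching it, and remember that SCPs never restrict the management account itself.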

SUMMARY

Both AWS Control Tower and AWS Landing Zone help enterprises set up and manage secure multi-account AWS environments. If you are new to AWS, AWS Control Tower is the better choice; if you need a configurable landing zone with full customization options and control, use AWS Landing Zone. Note that AWS has since placed the AWS Landing Zone solution in long-term support, with no new features planned, and recommends AWS Control Tower for new environments.

References:

https://aws.amazon.com/controltower/

https://aws.amazon.com/solutions/implementations/aws-landing-zone/

About The Author

Dr. Anil Kumar

VP Engineering, CLOUD CONTROL
Founder | Vice President | CTO | Architect | Consultant | Mentor | Advisor | Faculty

A solution architect and IT consultant with more than 25 years of IT experience, who has held various roles with both national and international institutions. Expertise in working with both legacy and advanced technology stacks and business domains.