AWS has introduced a new technical solution named ‘AWS Landing Zone’. This set of tools lets AWS customers automate the deployment of multiple linked AWS accounts, built according to AWS best practices. With it, a new AWS-based environment can be deployed quickly.
AWS has been talking about the ‘landing zone’ concept for a while; this re:Invent 2017 session, for example, was about landing zones.
A landing zone is a configured, secure, scalable, multi-account AWS environment based on AWS best practices. One of those best practices is to have multiple core AWS accounts: one for storing log files, one for security purposes, and one for running shared services such as LDAP, DNS or Active Directory.
The landing zone also has one or more so-called sandbox accounts, in which developers can experiment, learn, run proofs of concept and innovate. A third type of account is the business unit account, in which applications run in environments such as dev, test and production.
Designing and building this architecture according to AWS best practices can take some time.
AWS has made this easier for customers by making the technical solution called ‘AWS Landing Zone’ available.
The AWS Landing Zone is basically a ZIP file made available in an S3 bucket. Inside the ZIP file you will find AWS CloudFormation templates and a manifest file. CloudFormation builds the landing zone based on the customer's preferences.
CloudFormation builds the accounts and VPCs, enables AWS Config and applies Config rules to selected resources, enables CloudTrail, and enables AWS Single Sign-On using the AD Connector.
It also builds a so-called Account Vending Machine: a self-service portal built on AWS Service Catalog that allows developers to request additional accounts, which are then deployed automatically using AWS CodePipeline.
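The controls listed above (CloudTrail and AWS Config in every account) are also the ones that tend to drift first once accounts are handed over to teams, so a practitioner will want a way to verify that the baseline is still in place. The following Python is an added example, not code from the original post or from the AWS Landing Zone solution. It evaluates dictionaries shaped like the boto3 responses for CloudTrail `describe_trails`/`get_trail_status` and Config `describe_configuration_recorders`/`describe_configuration_recorder_status` against a landing-zone baseline: a multi-region trail with log file validation and KMS encryption, delivering to the central log archive bucket, and a Config recorder that records all supported resource types including global ones. The account ID, bucket name and KMS key ARN are assumptions, and the sample responses are constructed so the script runs offline; in practice you would feed it the output of those API calls made with a role in each account.

```python
"""Baseline audit for the CloudTrail and AWS Config settings a landing zone
should leave behind in every account.

Added example: not code from the original post or from the AWS Landing Zone
solution. The dictionaries mirror the shape of the boto3 responses for
cloudtrail.describe_trails / get_trail_status and
config.describe_configuration_recorders / describe_configuration_recorder_status.
The account ID, bucket name and KMS key ARN are assumptions; all sample
responses below are constructed so the script runs offline.
"""
from __future__ import annotations

# Assumed identifiers for the central log archive account (not from the post).
LOG_ARCHIVE_ACCOUNT_ID = "111111111111"
LOG_BUCKET = f"org-cloudtrail-logs-{LOG_ARCHIVE_ACCOUNT_ID}"


def audit_trail(trail: dict, status: dict, expected_bucket: str = LOG_BUCKET) -> list[str]:
    """Findings for one trail (describe_trails entry + get_trail_status). Empty list == compliant."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; API activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; tampering with delivered logs cannot be detected")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed KMS key")
    # describe_trails only exposes the bucket name, so compare against the
    # name of the bucket owned by the log archive account.
    if trail.get("S3BucketName") != expected_bucket:
        findings.append(
            f"logs are delivered to {trail.get('S3BucketName')!r}, not to the central log archive bucket"
        )
    if not status.get("IsLogging"):
        findings.append("trail exists but logging is stopped")
    if status.get("LatestDeliveryError"):
        findings.append(f"last S3 delivery failed: {status['LatestDeliveryError']}")
    return findings


def audit_config_recorder(recorder: dict, status: dict) -> list[str]:
    """Findings for the account's configuration recorder. Empty list == compliant."""
    findings = []
    group = recorder.get("recordingGroup", {})
    if not group.get("allSupported"):
        findings.append("Config does not record all supported resource types")
    if not group.get("includeGlobalResourceTypes"):
        findings.append("global resources (IAM users, roles, policies) are not recorded")
    if not status.get("recording"):
        findings.append("Config recorder is not recording")
    if status.get("lastStatus") == "FAILURE":
        findings.append(f"last Config delivery failed: {status.get('lastErrorMessage', 'unknown error')}")
    return findings


def audit_account(trail: dict, trail_status: dict, recorder: dict, recorder_status: dict) -> dict[str, list[str]]:
    """Run both audits over one account's responses and group the findings by service."""
    return {
        "cloudtrail": audit_trail(trail, trail_status),
        "config": audit_config_recorder(recorder, recorder_status),
    }


# Constructed sample responses: one account as the landing zone leaves it, and
# one where the baseline has drifted after the account was handed to a team.
COMPLIANT_ACCOUNT = {
    "trail": {
        "Name": "lz-org-trail",
        "S3BucketName": LOG_BUCKET,
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": f"arn:aws:kms:us-east-1:{LOG_ARCHIVE_ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000",
    },
    "trail_status": {"IsLogging": True},
    "recorder": {"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "recorder_status": {"name": "default", "recording": True, "lastStatus": "SUCCESS"},
}

DRIFTED_ACCOUNT = {
    "trail": {"Name": "local-trail", "S3BucketName": "dev-logs-in-same-account",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    "trail_status": {"IsLogging": False, "LatestDeliveryError": "AccessDenied"},
    "recorder": {"name": "default", "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                                        "resourceTypes": ["AWS::EC2::Instance"]}},
    "recorder_status": {"name": "default", "recording": False, "lastStatus": "FAILURE",
                        "lastErrorMessage": "Insufficient delivery policy to s3 bucket"},
}

if __name__ == "__main__":
    for name, account in ("compliant", COMPLIANT_ACCOUNT), ("drifted", DRIFTED_ACCOUNT):
        print(f"{name}:")
        for service, findings in audit_account(**account).items():
            for finding in findings or ["OK"]:
                print(f"  {service}: {finding}")
```

The checks are deliberately the minimum a landing zone is supposed to guarantee; a single-region trail or a stopped Config recorder in one business unit account silently breaks the central logging and security accounts' view of that account, which is exactly what the multi-account design exists to prevent.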
The AWS Landing Zone technical solution itself is free. At the moment, interested organizations should apply using the Contact button on this web page.
Customers do, however, pay for the AWS services that AWS Landing Zone deploys. AWS Service Catalog is priced at $5 per month for each portfolio of products in an account, and AWS Config and CloudTrail are not free either.
So while the solution is free, AWS is effectively upselling: it is a nice way to get customers onto more advanced services, and AWS revenue increases accordingly. One of the most important best practices therefore applies here too: make sure you monitor costs!
AWS Landing Zone is not yet available for AWS GovCloud, as GovCloud does not offer AWS Organizations. Due to restrictions of the AD Connector used to connect to Directory Services for the SSO setup, the connector must be deployed in us-east-1. This might be an issue for non-US customers. Landing Zone itself can be used in all AWS Regions where the underlying services are available.
At the moment AWS Landing Zone can only be used to create new AWS accounts. Customers with existing operational AWS accounts cannot use it, as AWS is careful not to affect current deployments.
A recording of a session with information on AWS Landing Zone can be watched here:
At the AWS Public Summit 2018, AWS did a breakout session on Landing Zone. The recording can be watched here.