AWS Yarns

A blog about AWS things.

2022: The Year of the AWS Landing Zone

Posted by Chris McKinnel - 16 February 2022
5 minute read

It's 2022, why would I be writing about AWS Landing Zones? Doesn't everyone already have one? Well, no, as it turns out - does your organisation have an AWS Landing Zone? No? You should think about getting one. Today.

There's a heap of cool stuff you can do on AWS with your data, and you can see value really quickly. The trouble comes when you want to start using production data, and you've got to jump through pesky governance, security and compliance hoops.

Man jumping through a hoop. This is you trying to get your POC into production without a Landing Zone.

How do you jump through all those hoops and convince the business that you're not going to end up on the front page of the news for blasting your customers' data out to the world in a public S3 bucket? Or end up having late night conversations with a nice Russian man demanding Bitcoin in exchange for encryption keys?

You build a rock-solid Landing Zone that nails cloud fundamentals, and you build it before you build POCs and MVPs of your cool stuff.

Already have an AWS Landing Zone?

If your organisation does have an AWS Landing Zone, does it pass the sniff test? Cross-check the Landing Zone component list later in this post to make sure your Landing Zone is nailing current best practice. And if it's not, get it reviewed and fixed up. They're a bit of a moving target and they change almost every AWS re:Invent when AWS releases new features and services that quickly become must-haves.

I've written a previous post about the evolution of landing zones which you can check out if you're interested in its history.

Alright, what is an AWS Landing Zone?

It's the foundation of your cloud footprint. It's the bedrock that everything you do in the cloud will be built on, and it's crucial to the security and governance of your cloud workloads.

A Landing Zone is a set of AWS accounts that are configured to be scalable, secure and conform to industry best practice out-of-the-box.

Diagram of AWS account structure.

If it's so important, why don't the cloud providers just give everyone a Landing Zone?

Best practice ain't free.

There are associated monthly costs that come with a solid Landing Zone. This means enabling some AWS services that don't have a free tier, so if AWS gave everyone a fully functional Landing Zone the barrier to entry for innovators and new customers looking to have a play around would be too high.

Imagine if the only way you could play with AWS was to have a Landing Zone that cost $1000 a month. Good luck with that sales story.

How do I get a Landing Zone?

AWS has a managed "Landing Zone Service" called Control Tower. It will deploy you the most basic Landing Zone, and it's a great start compared to just having a single account and hand-jamming some config.

You can either take the component list I provide in this post and attempt to put it together yourself (very doable), or you can get in touch with your AWS sales rep who will hook you up with an AWS partner, like CCL, who will build it for you with existing automation and infrastructure as code.

What does a good Landing Zone look like?

Here's what I deploy for my customers. If you do something different, hit me up - maybe you know something I don't!

Foundational Components

  • A baseline Control Tower deploy (with CloudTrail encryption)
  • A multi-account structure that suits your organisation
  • AWS Organisations Organisational Units set up

Security Components

  • Security Hub enabled in all accounts, in the regions you use
  • GuardDuty enabled in all accounts, in the regions you use
  • Password policy set on all accounts
  • Recommended Guardrails enabled
  • CloudTrail metric filters for CIS 1/2
  • IAM Access Analyzer enabled
  • Route 53 Resolver DNS Firewall enabled
  • SCP to restrict resource creation to a set of regions
  • SCP to disable backup policy tampering
  • Federated identities from AAD or similar
  • Enable MFA on all root accounts and SSO
  • Enable AWS Config conformance packs (e.g., NZISM)
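Two of the SCPs in that list are worth seeing written out, because they are the ones that get copied wrong most often. What follows is an added example, not code from the original post or from CCL: the region-restriction SCP and the backup-protection SCP as Python dicts, plus a small, deliberately simplified SCP evaluator that shows which requests each one blocks. The allowed-region list, the set of global services exempted from the region deny, the reading of "backup policy tampering" as AWS Backup plan/vault/recovery-point changes, and the evaluator itself (which models only Deny with Action/NotAction and the StringNotEquals condition on aws:RequestedRegion, assuming the default FullAWSAccess allow is still attached) are all my assumptions rather than anything the post states.

```python
"""
Added example: two Landing Zone SCPs as Python dicts plus a simplified
evaluator. Not the post's code; region list, global-service list and the
evaluator are assumptions made for this example.
"""
import json
from fnmatch import fnmatchcase

# Assumed for the example; pick the regions your organisation actually uses.
ALLOWED_REGIONS = ["ap-southeast-2", "us-east-1"]

# Global services are not region-scoped. A region deny that does not exempt
# them breaks IAM, Organizations, STS, CloudFront, Route 53 and friends.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*",
    "route53:*", "budgets:*", "health:*", "access-analyzer:*",
]


def region_restriction_scp(allowed_regions):
    """Deny every regional action whose requested region is not on the allow-list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def backup_protection_scp():
    """Deny the AWS Backup calls that would delete or weaken backups in member accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyBackupTampering",
            "Effect": "Deny",
            "Action": [
                "backup:DeleteBackupPlan",
                "backup:DeleteBackupSelection",
                "backup:DeleteBackupVault",
                "backup:DeleteRecoveryPoint",
                "backup:UpdateBackupPlan",
                "backup:PutBackupVaultAccessPolicy",
                "backup:DeleteBackupVaultAccessPolicy",
            ],
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, region):
    """Does this Deny statement apply to (action, region)? Simplified model only."""
    if "Action" in stmt:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"])):
            return False  # exempted global service
    not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
    if "aws:RequestedRegion" in not_equals:
        if region in _as_list(not_equals["aws:RequestedRegion"]):
            return False  # condition not met, so the Deny does not fire
    return True


def is_denied(scps, action, region):
    """True if any Deny statement in any attached SCP matches the request."""
    return any(
        stmt.get("Effect") == "Deny" and _statement_matches(stmt, action, region)
        for scp in scps
        for stmt in scp["Statement"]
    )


LANDING_ZONE_SCPS = [region_restriction_scp(ALLOWED_REGIONS), backup_protection_scp()]

if __name__ == "__main__":
    for scp in LANDING_ZONE_SCPS:
        print(json.dumps(scp, indent=2))
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateUser", "eu-west-1"),
                           ("backup:DeleteBackupVault", "ap-southeast-2")]:
        verdict = "DENIED" if is_denied(LANDING_ZONE_SCPS, action, region) else "allowed"
        print(f"{action} in {region}: {verdict}")
```

The point of the NotAction list is the part people miss: without it, the region deny silently blocks IAM, STS and Organizations calls (which AWS reports under us-east-1 or no region at all), and the first sign is usually a broken SSO login. Attach these to the OUs holding workload accounts rather than to the root of the organisation, so the management account can still do its job.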

Networking Components

  • Default VPCs deleted from all regions, in all accounts
  • Network infrastructure deployed (I like a hub and spoke)
  • VPN or Direct Connect for on-premises connectivity (if required)
  • Deploy AWS Network Firewall if required
  • Enable VPC Flow Logs

Operational Components

  • Baseline patch management policy
  • Backup policy
  • Robust tagging strategy
  • Budget alerts set up
  • Automated hardened AMI baker
  • Documentation! (borrrrrrrrrrrrrrrring)

By the time you're finished deploying everything, you should have a Security Hub that shows 0 findings and 100% on both the CIS framework and the AWS Security Best Practices.
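The "CloudTrail metric filters for CIS 1/2" item in the Security Components list is what feeds several of those CIS checks. As an added example (not code from the original post), here are three of the CIS AWS Foundations Benchmark filters (unauthorized API calls, console sign-in without MFA, root account usage) re-implemented as plain Python predicates and run over a few constructed CloudTrail records, so you can see exactly which events each filter counts. The CloudWatch Logs filter patterns in the comments are the benchmark's (v1.2 wording); the event records are made up for this example and the rule and helper names are my own.

```python
"""
Added example: CIS CloudTrail metric filters as Python predicates, run over
constructed CloudTrail records. Not the post's code.
"""
import json


# CIS: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def unauthorized_api_call(ev):
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# CIS: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def console_login_without_mfa(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


# CIS: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#        && $.eventType != "AwsServiceEvent" }
def root_account_usage(ev):
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident          # exclude service-on-behalf calls
            and ev.get("eventType") != "AwsServiceEvent")


RULES = {
    "CIS-UnauthorizedAPICalls": unauthorized_api_call,
    "CIS-ConsoleLoginWithoutMFA": console_login_without_mfa,
    "CIS-RootAccountUsage": root_account_usage,
}


def scan(records):
    """Return {rule_name: [eventID, ...]} for every record a CIS filter matches."""
    hits = {name: [] for name in RULES}
    for raw in records:
        ev = json.loads(raw) if isinstance(raw, str) else raw
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.get("eventID"))
    return hits


# Constructed CloudTrail records (not real logs), trimmed to the fields the filters read.
SAMPLE_RECORDS = [
    json.dumps({"eventID": "ev-1", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "errorCode": "Client.UnauthorizedOperation"}),
    json.dumps({"eventID": "ev-2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventID": "ev-3", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "IAMUser", "userName": "carol"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventID": "ev-4", "eventName": "CreateUser", "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}}),
    json.dumps({"eventID": "ev-5", "eventName": "ListBuckets", "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}}),
    json.dumps({"eventID": "ev-6", "eventName": "GetObject", "eventType": "AwsApiCall",
                "userIdentity": {"type": "AssumedRole"},
                "errorCode": "AccessDenied"}),
]

if __name__ == "__main__":
    for rule, ids in scan(SAMPLE_RECORDS).items():
        print(f"{rule}: {ids}")
```

In a real Landing Zone these live as CloudWatch Logs metric filters on the organisation trail's log group, each with an alarm that pages someone; the Python above is only to make the match conditions concrete. Note the invokedBy exclusion on the root rule: without it, AWS services acting on the root identity's behalf would trip the alarm constantly and the team would learn to ignore it.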

As you will have noticed, the components are security heavy. Security should be your top priority, especially considering your organisation's data is at stake.

Graphic depicting cloud security.

Your AWS partner should have a templated, automated AWS Landing Zone that they deploy for their customers, and they should have an automated test suite that they can run to verify each component is configured correctly.

Landing Zones are boring

Of course they are, they're mainly security components. And security is boring. It should be boring! It should be so boring that your attackers give up and disappear to find something more interesting.

To be fair, everything is boring when you've done it a few times. But if you haven't done it before, deploying an enterprise-ready Landing Zone is a great learning experience. And as you can see by looking at the components, it actually covers quite a lot of ground.

Are you an AWS consultant?

If you're an AWS consultant, you should know Landing Zones inside out. Advising your customers on how they should design and deploy workloads on AWS without having deployed a Landing Zone is kind of like being a network engineer without understanding the TCP/IP stack.

Sure, you'll probably muddle through and get things working, but you'll likely risk leaving the door open for the bad guys at a platform level, so it might not matter that you design the most secure workload in the world.

I always ask questions about Landing Zones when I'm interviewing potential new hires. If someone hasn't heard of a Landing Zone, a multi-account structure or Control Tower I really dig deep on what they do know. Do they have solid enough foundations to throw them to the wolves (customers) that'll be looking to them to be technical leaders?

AWS coming to NZ

A full region is coming to New Zealand by 2024 - that's only 2 short years away. If you don't have an AWS Landing Zone deployed by then, you'll have months of punishing admin to go through to retrofit your POCs and MVPs into a new Landing Zone to tick your organisation's security and governance boxes.

Your competitors will have shifted their Landing Zones left (if they've been talking to me) and will take advantage of the AWS data centres in New Zealand the moment they are available for general use.

Go and get an AWS Landing Zone deployed. Today.