AWS Landing Zone
A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. It is a starting point from which your organization can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment. Building a landing zone requires technical and business decisions across account structure, networking, security, and access management, in accordance with your organization's future growth and business goals.
Security controls – Different applications might have different security profiles, requiring different control policies and mechanisms around them. It’s easier to talk to an auditor and point to a single account hosting the Payment Card Industry (PCI) workload.
Isolation – An account is a unit of security protection. Potential risks and security threats should be contained within an account without affecting others. Different security needs might require you to isolate one account from another, whether due to multiple teams or a different security profile.
Data isolation – Isolating data stores to an account limits the number of people that can access and manage that data store. This contains exposure to highly private data and helps with General Data Protection Regulation (GDPR) compliance.
Many teams – Different teams have different responsibilities and resource needs. They should not overstep one another in the same account.
Business process – Different business units or products might have different purposes and processes. You should establish different accounts to serve business-specific needs.
Billing – An account is the only true way to separate items at a billing level, including things like transfer charges. Multiple accounts help separate items at a billing level across business units, functional teams, or individual users.
Limit allocation – Limits are per account. Separating workloads into different accounts prevents one workload from consuming the limits, or overprovisioning resources, and thereby preventing other applications from working as intended.