Landing Zone Reference Architecture


Module 2: Governance at Scale

Landing zone reference architecture

[Diagram: landing zone reference architecture. Management account: AWS Control Tower with preventive guardrails, AWS Organizations, AWS Single Sign-On (AWS SSO directory), AWS CloudFormation StackSets baseline, AWS Service Catalog Account Factory. Infrastructure_prod OU: shared services account (code repositories, AWS Service Catalog hub portfolios) and network account (AWS Direct Connect, AWS Transit Gateway). Core OU: log archive account (S3 bucket for audit logs, server access logging bucket) and audit account (Amazon GuardDuty management, AWS Config aggregator, AWS Security Hub management, additional detective guardrails). Additional OUs (Sandbox, Workloads_SDLC, Workloads_Prod): member accounts with Service Catalog spoke portfolios, GuardDuty member, AWS Config, Security Hub member.]
© 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved. 1
Whether you are a new customer or migrating your existing account into AWS Control Tower, a finished landing zone contains these components:

• You start with a management account. You can apply guardrails at any OU level (best practice is to apply guardrails at the OU level rather than to individual accounts), and they cascade down to the accounts in that OU.

• You get an AWS Organizations structure with at least two OUs – core and custom. If you launch the landing zone when an existing organization is already in place, the landing zone is set up in parallel with it.

• You get centralized account federation through single sign-on. By default, AWS Control Tower uses the built-in AWS SSO service. Additionally, you can integrate with an existing identity provider, such as Microsoft Active Directory or Okta. (More on these options later in this module.)

• You get Account Factory, a console-based product that is part of the AWS Service Catalog. You can use Account Factory to automate account provisioning and apply account baselines and guardrails.

• You get two shared accounts – one for auditing and one for archiving. You can share these accounts with other teams or third-party companies for auditing, log management, and analytics.
  • The log archive account contains the centralized logging for AWS CloudTrail and AWS Config. Logs are stored in a new Amazon S3 bucket provisioned by Control Tower. Additionally, customers can add their own S3 bucket in the log archive account for other logging purposes.
  • The audit account can be used as the management account for security services such as Amazon GuardDuty and AWS Security Hub.
  • The AWS Config aggregator in the audit account can be used to monitor the status of additional detective guardrails.

• You get a set of guardrails – detective controls using AWS Config rules and preventive controls using service control policies. (More on guardrails later in this module.)

• The Production Infrastructure OU hosts additional accounts, such as a shared services account and a network account.
  • The shared services account hosts the AWS Service Catalog hub portfolio and common code repositories.
  • The network account hosts the shared networking services, such as AWS Transit Gateway and AWS Direct Connect.

• You can configure all the remaining accounts in the organization as member accounts for GuardDuty and Security Hub.
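To make the guardrail cascade concrete, here is an added example (not code from the course or from AWS) that models how a preventive guardrail, written as a service control policy and attached at the root OU, is inherited by every account below it. The policy, the OU tree and the evaluator are constructed for illustration; the evaluator is a deliberate simplification of real SCP evaluation (an explicit Deny wins, Allow statements and resource matching are not modelled).

```python
"""Simplified model of a preventive guardrail (SCP) cascading down an OU tree."""
import fnmatch

# Constructed illustrative policy: deny changes to CloudTrail unless the caller
# is the Control Tower execution role. Not the text of a Control Tower-managed SCP.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailChanges",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
        "Condition": {"StringNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
    }],
}

# Constructed OU tree (child -> parent) and the policies attached at each node.
PARENT = {"Root": None, "Core": "Root", "Workloads_Prod": "Root",
          "LogArchive": "Core", "app-prod-1": "Workloads_Prod"}
ATTACHED = {"Root": [PROTECT_CLOUDTRAIL_SCP]}


def _matches(patterns, value):
    """IAM-style wildcard match of one value against a pattern or list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(cond, principal_arn):
    """Only the StringLike / StringNotLike forms on aws:PrincipalARN are modelled."""
    for op, kv in cond.items():
        pattern = kv.get("aws:PrincipalARN")
        if pattern is None:
            continue
        if op == "StringNotLike" and _matches(pattern, principal_arn):
            return False
        if op == "StringLike" and not _matches(pattern, principal_arn):
            return False
    return True


def is_denied_by_scp(account, action, principal_arn):
    """True if a Deny statement attached to the account or any ancestor OU matches."""
    node = account
    while node is not None:  # walk from the account up to the root
        for policy in ATTACHED.get(node, []):
            for st in policy["Statement"]:
                if st["Effect"] != "Deny" or not _matches(st["Action"], action):
                    continue
                if _condition_holds(st.get("Condition", {}), principal_arn):
                    return True
        node = PARENT[node]
    return False
```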
