Whether you’re writing a book, making a lifestyle change, or doing any number of other tasks or projects, getting started is usually the hardest part. This is also true when it comes to an AWS implementation project plan. There’s a lot to do in the early stages. And doing all of it right can affect your overall success.
Among the recommended first steps for a cloud implementation or migration project is setting up a landing zone. An Amazon Web Services (AWS) landing zone specifically, if AWS is your cloud of choice.
While it isn’t required, creating a landing zone makes working in the cloud go much more smoothly. This applies whether you’re working with AWS, Google, Microsoft, or any other cloud provider.
What is a Landing Zone?
In the cloud world, the definition of a landing zone is a base cloud environment that supports multiple teams or projects. It establishes foundational elements for working in the cloud such as the account structure, security rules, governance, network design, logging, automation, and identity and access management (IAM).
Building a landing zone requires you to make technical and business decisions to ensure these foundational elements are configured in alignment with your company’s broader organizational strategy and work within industry regulations. This also helps in enforcing best practices for any workload deployment.
One benefit is that, by building in elements such as security and compliance upfront, application teams don’t have to deal with these issues. In the case of security, for example, the creation of a landing zone establishes a centralized security baseline for all implementations. Developers can innovate and focus on tasks that deliver project value, and do so securely, rather than dealing with security issues.
At the same time, landing zones reduce overall risk by providing guardrails to prevent the cloud environment from becoming difficult to control. There’s also a cost benefit as landing zones offer a way to consolidate cost management.
Nonetheless, there’s a lot that goes into establishing a landing zone. Fortunately, numerous best practices are associated with creating one, and cloud providers like AWS also have their own.
The Multi-account Best Practice
Among landing zone best practices is the use of multiple accounts. While you can work with a single account, it becomes more difficult to manage a cloud environment as it grows.
For example, it’s common to have multiple teams working on a cloud project. If they’re all sharing the same account, issues can easily arise due to their different responsibilities, priorities, and resource needs. Or, you may have different business units or products that require their own accounts for any number of reasons. For instance, you may need to isolate some accounts due to varying security needs or regulatory compliance requirements.
With multiple accounts, each team and/or project can have its own account, making it easy to delineate between their respective requirements. Plus, multiple accounts help with billing and cost management by keeping things separate at the billing level and facilitating the transfer of charges across departments or business units.
The AWS Landing Zone Option
AWS has devoted extensive resources to helping customers set up landing zones, including establishing and managing the multiple accounts associated with them. It started with AWS Landing Zone, which uses an Account Vending Machine (AVM) product for provisioning and automatically configuring new accounts. The AVM is provided as an AWS Service Catalog product.
AWS Landing Zone automates the setup of a landing zone environment with a multi-account architecture, an initial security baseline, IAM, governance, data security, network design, and logging. It can also scale to support production implementations for large-scale migrations.
The AVM leverages AWS Single Sign-On (SSO) for managing user account access. You can customize the environment by setting up your own account baselines through a Landing Zone configuration and update pipeline.
The AWS Control Tower Option
It’s important to note that AWS Landing Zone is currently in AWS’ “Long-term Support”. That means it won’t receive any additional features. In its place now is AWS Control Tower, a managed service for orchestrating an AWS cloud environment.
AWS refers to AWS Control Tower as “an AWS native service providing a pre-defined set of blueprints and guardrails to help you implement a landing zone for AWS accounts.” These blueprints include:
- A multi-account environment using AWS Organizations
- Identity management using AWS Single Sign-On (AWS SSO) default directory
- Centralized logging from AWS CloudTrail and AWS Config that is stored in Amazon Simple Storage Service (Amazon S3)
- Cross-account security audits using AWS Identity and Access Management and AWS SSO
- Preventive or detective guardrails: high-level rules that provide ongoing governance for your overall AWS environment
The Partner Advantage for Setting Up an AWS Implementation Project Plan
AWS has gone above and beyond to provide extremely helpful resources for setting up a landing zone. But things can still get complicated. Even more so if you don’t have in-depth experience working with AWS services. This is particularly true if you need a more customized landing zone.
That’s why working with a partner well versed in creating AWS landing zones can reduce time requirements, costs, and complexities. The good news is that AWS has a strong partner network with this expertise – including ClearScale.
ClearScale has worked with companies across various industries to develop secure, compliant landing zones and cloud architectures that help keep mission-critical applications, databases, and workloads safe. The following three customer stories provide a brief overview of some of that work.
In fact, ClearScale is an AWS Premier Tier Services Partner with 11 AWS competencies, including migration. We’ve helped hundreds of customers migrate to the AWS cloud.