Why the Foundation Matters

A well-designed landing zone establishes governance, security, and structure across multiple AWS accounts. This is particularly important in large organisations where different teams and workloads need to operate independently while maintaining consistent security controls across the estate.

Key Components of a Secure AWS Landing Zone

Multi-Account Structure

A multi-account structure aligned to environments such as production, non-production, and shared services provides clear separation of blast radius. If one account is compromised, the scope of damage is limited. Shared services accounts centralise logging, security tooling, and networking resources that serve the whole estate.

Figure: Designing Secure AWS Landing Zones, Key Components. Foundation before workloads: Governance · Identity · Network · Security · IaC.

1. Account Structure: AWS Organizations + Control Tower; Sandbox → Dev → Staging → Prod; SCPs enforce guardrails across all accounts; account vending automation via Service Catalog.
2. Identity Foundation: IAM Identity Center (SSO for all accounts); permission sets, least-privilege RBAC; break-glass accounts with MFA enforced and monitored; no long-lived keys, roles only, SCIM sync.
3. Network Baseline: Transit Gateway hub-spoke routing; AWS Network Firewall, WAF, Shield; private subnets only, no public endpoints; VPC Flow Logs enabled from day one.
4. Security Baseline: GuardDuty, Security Hub, CloudTrail; Config Rules, Inspector, Macie; all enabled at org level from account creation; SIEM export to Splunk / Sentinel from day one.
5. IaC Pipeline: Terraform, GitHub Actions, tfsec; OPA policy gate, approval workflow; no manual AWS console changes permitted; drift detection alerts to SIEM.
6. Compliance Baseline: CIS AWS Foundations Benchmark; NIST CSF, ISO 27001, PCI DSS; AWS Security Hub standards enforced; evidence auto-generated for audit.

Sequence: Account structure → Identity → Network → Security → IaC → Compliance. Build in this order; workloads come after the foundation is validated.
Full Lucidchart: lucid.app/lucidchart/396d639a-5d9d-4dbe-abb7-a076f71f93a0/edit (saleemyousaf.co.uk, Enterprise AWS Landing Zone Design)

Caption: Secure AWS Landing Zone key components: account structure, identity, network, security, IaC, compliance.

Identity and Access Management

IAM designed on least privilege principles ensures users and roles can only perform the actions they need. Service Control Policies at the organisation level provide guardrails that prevent even account administrators from overriding baseline security requirements. Permission boundaries and IAM roles with narrow scopes are the building blocks of a trustworthy access model.
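To make that precedence concrete, the following Python model shows how the layers combine. It is an illustration added here, not code from the article or the linked repository, and it is deliberately simplified: only identity policies, the SCPs at each organisational level and an optional permission boundary are modelled (no resource policies, session policies or Condition blocks). The sample policies, account IDs and trail ARN are constructed for the example. An administrator holding "*" on "*" still cannot stop CloudTrail when an OU-level SCP denies it, and a permission boundary scoped to S3 stops an otherwise all-powerful role from launching instances.

```python
"""Simplified model of how IAM evaluates an action against identity policies,
Service Control Policies (SCPs) and a permission boundary.

Illustrative evaluator, not AWS's engine: resource-based policies, session
policies, Condition blocks, NotAction/NotResource and policy variables are
left out. The sample policies below are constructed for this example.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # IAM treats '*' as any run of characters and '?' as one character;
    # action names match case-insensitively, resource ARNs do not.
    if case_insensitive:
        return fnmatchcase(value.lower(), pattern.lower())
    return fnmatchcase(value, pattern)


def _applies(statement, action, resource):
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(_matches(a, action, True) for a in actions) and any(
        _matches(r, resource, False) for r in resources
    )


def decide(statements, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one set of statements.

    An explicit Deny always wins over any Allow in the same set.
    """
    decision = "Implicit"
    for stmt in statements:
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def _statements(policies):
    return [s for policy in policies for s in _as_list(policy["Statement"])]


def is_allowed(action, resource, identity_policies, scp_levels, boundary=None):
    """Combine the layers the way IAM does for a principal in a member account.

    scp_levels is a list of levels (root, child OU, account); each level holds
    the SCPs attached there. The action must be allowed at every level, allowed
    by the permission boundary (if one is set) and allowed by at least one
    identity policy, with no explicit Deny anywhere along the way.
    """
    for level in scp_levels:
        if decide(_statements(level), action, resource) != "Allow":
            return False
    if boundary is not None and decide(_statements([boundary]), action, resource) != "Allow":
        return False
    return decide(_statements(identity_policies), action, resource) == "Allow"


# --- Constructed sample policies (hypothetical; not from the article or its repository) ---
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Equivalent of the default FullAWSAccess SCP that Organizations attaches to every OU.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# OU-level guardrail: nobody in a member account may switch off the logging baseline.
PROTECT_LOGGING_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
               "guardduty:DeleteDetector", "config:StopConfigurationRecorder"],
    "Resource": "*",
}]}

# Permission boundary for a team role: may only ever touch S3, whatever its identity policy says.
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

SCP_LEVELS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, PROTECT_LOGGING_SCP]]  # root, then workloads OU
TRAIL_ARN = "arn:aws:cloudtrail:eu-west-2:111111111111:trail/org-trail"  # constructed ARN


if __name__ == "__main__":
    admin = [ADMINISTRATOR_ACCESS]
    print("admin StopLogging:", is_allowed("cloudtrail:StopLogging", TRAIL_ARN, admin, SCP_LEVELS))
    print("admin s3:GetObject:", is_allowed("s3:GetObject", "arn:aws:s3:::bucket/key", admin, SCP_LEVELS))
    print("bounded admin ec2:RunInstances:",
          is_allowed("ec2:RunInstances", "*", admin, SCP_LEVELS, boundary=S3_ONLY_BOUNDARY))
```

The design point the model makes visible is that SCPs and boundaries never grant anything; they only narrow what an identity policy could otherwise grant, which is why a deny-only guardrail SCP sits alongside FullAWSAccess at the same OU rather than replacing it.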

Centralised Logging and Monitoring

Centralised logging across all accounts using CloudTrail and VPC Flow Logs, forwarded to a dedicated logging account that workload accounts cannot modify, ensures visibility across the estate. GuardDuty and Security Hub provide centralised threat detection and security posture visibility. Without this, incidents in one account may go undetected.
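A practical way to keep that baseline honest is to audit the inventory each account reports. The Python below is an added example, not from the article or the repository: it checks a constructed CloudTrail and VPC Flow Logs inventory for the properties a central logging design depends on (one organisation trail, multi-region, log file validation and KMS enabled, every VPC shipping ALL traffic, and every destination owned by the logging account). Record shapes follow the fields boto3 returns from cloudtrail describe_trails and ec2 describe_flow_logs; the account IDs, bucket names and VPC IDs are made up, and the bucket-to-owner map is a hypothetical input a real run would build from each account.

```python
"""Audit a constructed multi-account logging inventory against a centralised-logging
baseline: organisation trail, multi-region, log-file validation and KMS on, logs
landing in the dedicated logging account; every VPC shipping ALL flow-log traffic there.

Record shapes mirror boto3's cloudtrail.describe_trails()['trailList'] and
ec2.describe_flow_logs()['FlowLogs']; all values are made up for this example.
"""

LOGGING_ACCOUNT = "222222222222"  # hypothetical dedicated logging account id

# Hypothetical bucket -> owning account map (in practice built from each account's S3 inventory)
BUCKET_OWNERS = {
    "org-cloudtrail-logs": "222222222222",
    "org-vpc-flow-logs": "222222222222",
    "dev-team-scratch": "111111111111",
}

TRAILS = [
    {"Name": "org-trail", "S3BucketName": "org-cloudtrail-logs", "IsOrganizationTrail": True,
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:eu-west-2:222222222222:key/EXAMPLE-KEY-ID"},
    {"Name": "dev-local-trail", "S3BucketName": "dev-team-scratch", "IsOrganizationTrail": False,
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]

VPC_IDS = ["vpc-0aaa", "vpc-0bbb", "vpc-0ccc"]
FLOW_LOGS = [
    {"ResourceId": "vpc-0aaa", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::org-vpc-flow-logs/"},
    {"ResourceId": "vpc-0bbb", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:eu-west-2:111111111111:log-group:vpc-0bbb-flow"},
]


def destination_account(flow_log, bucket_owners):
    """Resolve which account owns a flow log's destination (S3 bucket or CloudWatch log group)."""
    parts = flow_log["LogDestination"].split(":")
    if flow_log["LogDestinationType"] == "s3":
        bucket = parts[5].split("/")[0]          # arn:aws:s3:::bucket[/prefix]
        return bucket_owners.get(bucket)
    return parts[4]                              # arn:aws:logs:region:account:log-group:name


def audit_trails(trails, bucket_owners, logging_account):
    """Return (trail name, check id) findings; an empty list means the trail baseline holds."""
    findings = []
    for t in trails:
        name = t["Name"]
        if not t.get("IsOrganizationTrail"):
            findings.append((name, "not-org-trail"))
        if not t.get("IsMultiRegionTrail"):
            findings.append((name, "single-region"))
        if not t.get("LogFileValidationEnabled"):
            findings.append((name, "no-log-file-validation"))
        if not t.get("KmsKeyId"):
            findings.append((name, "no-kms-encryption"))
        if bucket_owners.get(t["S3BucketName"]) != logging_account:
            findings.append((name, "bucket-outside-logging-account"))
    return findings


def audit_flow_logs(vpc_ids, flow_logs, bucket_owners, logging_account):
    """Return (vpc id, check id) findings for VPCs not shipping complete flow logs centrally."""
    findings = []
    by_vpc = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    for vpc in vpc_ids:
        active = [fl for fl in by_vpc.get(vpc, []) if fl["FlowLogStatus"] == "ACTIVE"]
        if not active:
            findings.append((vpc, "no-active-flow-logs"))
            continue
        if not any(fl["TrafficType"] == "ALL" for fl in active):
            findings.append((vpc, "traffic-type-not-all"))
        if not any(destination_account(fl, bucket_owners) == logging_account for fl in active):
            findings.append((vpc, "destination-outside-logging-account"))
    return findings


if __name__ == "__main__":
    for f in (audit_trails(TRAILS, BUCKET_OWNERS, LOGGING_ACCOUNT)
              + audit_flow_logs(VPC_IDS, FLOW_LOGS, BUCKET_OWNERS, LOGGING_ACCOUNT)):
        print("FINDING", *f)
```

The ownership check is the one that matters most for the design described above: a trail or flow log that lands in a bucket the workload account owns can be altered by whoever compromises that account, so the audit treats it as a finding even when every other setting is correct.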

Network Segmentation

Hub-and-spoke network models with Transit Gateway provide controlled traffic flows between workload VPCs and shared services. Network inspection can be centralised in a dedicated inspection VPC. Private subnets for all workloads, with explicit and minimal egress paths, reduce the attack surface significantly.
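Whether spoke-to-spoke traffic really traverses the inspection VPC is a property of the Transit Gateway route tables, and it can be checked rather than assumed. The following Python is an added example (not the article's or the repository's design) that models a small hub-and-spoke topology with constructed attachment IDs, CIDRs and route tables, traces a packet through the tables the way TGW does (the table consulted is the one associated with the attachment the packet arrives on, using longest-prefix match), and reports any spoke pair whose path skips the inspection VPC. A blackhole route in the non-prod table shows how a one-directional restriction (non-prod may never initiate towards prod) is expressed in the same tables.

```python
"""Trace packets through a hub-and-spoke Transit Gateway design and check that every
delivered spoke-to-spoke path passes through the inspection VPC.

The topology is constructed for this example (hypothetical attachments, CIDRs and
route tables; not the article's or the repository's design).
"""
from ipaddress import ip_address, ip_network
from itertools import permutations

VPC_CIDRS = {
    "prod-vpc": "10.10.0.0/16",
    "nonprod-vpc": "10.20.0.0/16",
    "shared-services-vpc": "10.0.0.0/16",
    "inspection-vpc": "10.100.0.0/16",
}
# TGW attachment id -> VPC it connects
ATTACHMENTS = {
    "tgw-attach-prod": "prod-vpc",
    "tgw-attach-nonprod": "nonprod-vpc",
    "tgw-attach-shared": "shared-services-vpc",
    "tgw-attach-inspection": "inspection-vpc",
}
# The TGW route table a packet consults is decided by the attachment it ARRIVES on.
ASSOCIATIONS = {
    "tgw-attach-prod": "spoke-rt",
    "tgw-attach-shared": "spoke-rt",
    "tgw-attach-nonprod": "nonprod-rt",
    "tgw-attach-inspection": "inspection-rt",
}
ROUTE_TABLES = {
    # Spokes know only a default route towards the firewall; no spoke-to-spoke routes exist.
    "spoke-rt": {"0.0.0.0/0": "tgw-attach-inspection"},
    # Non-prod additionally blackholes prod, so it can never initiate towards production.
    "nonprod-rt": {"0.0.0.0/0": "tgw-attach-inspection", "10.10.0.0/16": "blackhole"},
    # Traffic coming back from the firewall is routed to the owning spoke.
    "inspection-rt": {
        "10.10.0.0/16": "tgw-attach-prod",
        "10.20.0.0/16": "tgw-attach-nonprod",
        "10.0.0.0/16": "tgw-attach-shared",
    },
}
SPOKES = ["prod-vpc", "nonprod-vpc", "shared-services-vpc"]
ATTACHMENT_OF = {vpc: att for att, vpc in ATTACHMENTS.items()}


def next_hop(route_table, dst_ip):
    """Longest-prefix match, as TGW route tables do; None means no route (packet dropped)."""
    dst = ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[route_table].items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_vpc, dst_ip, max_hops=8):
    """Return the VPCs a packet visits; the path ends in 'blackhole' or 'no-route' if dropped."""
    attachment = ATTACHMENT_OF[src_vpc]
    path = [src_vpc]
    for _ in range(max_hops):
        target = next_hop(ASSOCIATIONS[attachment], dst_ip)
        if target is None or target == "blackhole":
            path.append("no-route" if target is None else "blackhole")
            return path
        vpc = ATTACHMENTS[target]
        path.append(vpc)
        if ip_address(dst_ip) in ip_network(VPC_CIDRS[vpc]):
            return path                      # delivered into the destination VPC
        attachment = target                  # the VPC (firewall) hands it back via its attachment
    path.append("loop")
    return path


def segmentation_violations():
    """Spoke pairs whose delivered path bypasses the inspection VPC."""
    violations = []
    for src, dst in permutations(SPOKES, 2):
        probe = str(ip_network(VPC_CIDRS[dst])[10])   # an arbitrary host in the destination VPC
        path = trace(src, probe)
        if path[-1] == dst and "inspection-vpc" not in path:
            violations.append((src, dst))
    return violations


if __name__ == "__main__":
    print(trace("prod-vpc", "10.20.1.5"))
    print(trace("nonprod-vpc", "10.10.1.5"))
    print("violations:", segmentation_violations())
```

A route like "10.20.0.0/16 -> tgw-attach-nonprod" added to spoke-rt would make prod reach non-prod without inspection; segmentation_violations() is the check that catches such a change before it ships, and it is the kind of assertion worth running against the real route tables in the IaC pipeline.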

Supporting Tooling and Services

AWS Control Tower provides guardrails and account vending for new landing zone accounts. IAM Identity Center provides centralised single sign-on across accounts. Transit Gateway provides scalable inter-VPC routing. AWS Config provides continuous compliance monitoring. Security Hub aggregates findings from GuardDuty, Inspector, and Macie into a single pane of glass.

AWS Security Architecture Repository
Reference architecture, Terraform modules, and security design patterns for secure AWS landing zones.
github.com/saleem-yousaf/AWS-Security-Architecture
A well-architected landing zone provides a strong foundation that enables organisations to scale confidently, maintain control, and reduce operational risk. Security should be embedded from the start rather than introduced later as an afterthought.