Technical and Product News and Insights from Rackspace
Currently, enterprises are looking for more sophisticated ways of managing their multi-account Amazon® Web Services (AWS) environments with AWS best practices, while at the same time incorporating their internal governance and security mandates.
Until recently, there wasn’t an out-of-the-box solution for multi-account management from AWS. This problem led enterprises to patch together various tools and services to meet their requirements.
In 2018, AWS announced Landing Zone. Landing Zone automates the setup of a multi-account management solution while implementing best-practice security baselines and creating core accounts, including the following:
The initial deployment of Landing Zone in a multi-account environment requires you to set up the following Amazon services:
Understandably, manually putting these services together is time-consuming, and you need a high level of expertise to complete the task. However, you can use Landing Zone to simplify the deployment. AWS recommends that you connect with AWS partners to help deploy Landing Zone. Partners take into account specific business requirements and deploy Landing Zone to best suit your business.
Landing Zone helps to perform the following tasks:
The deployment uses a configuration zip file that is maintained and versioned by AWS. Sign in to your AWS account to launch the Landing Zone stack, which creates an S3 bucket and other related resources in your account. Amazon places the configuration zip file in the S3 bucket, which you can use as a reference source for CodePipeline.
Because you have access to the source files, you can modify the code to fit your business needs. The following image shows the default Landing Zone deployment:
If you make any changes to the source, CodePipeline runs them in your infrastructure. Therefore, if you want to create a baseline Virtual Private Cloud (VPC) with specific network requirements for all new accounts, you can add this to the source S3 bucket for CodePipeline to deploy.
Each account that you deploy sets up the following services:
As you can see, Landing Zone consumes many AWS services. Therefore, the running costs are approximately $200 a month. However, if you decide to enable Amazon Elasticsearch as part of the Centralized Logging add-on, the estimated monthly cost doubles to $400 a month.
Landing Zone is a step in the right direction when it comes to baselining AWS best practices as part of an enterprise solution. With access to the source, companies can choose to develop their internal process and tooling alongside the offering.
Furthermore, Landing Zone helps smaller organizations by removing some of the overhead when it comes to incorporating AWS best practices.
Keep in mind that you might need to spend time and money to troubleshoot and fix any Landing Zone failures.
Control Tower is a Platform as a Service (PaaS) alternative to Landing Zone. Both tools have great offerings when you need to set up a multi-account solution with AWS best practices. It’s just a matter of which solution best meets your business needs.