AWS Landing Zone versus AWS Control Tower
AWS Landing Zone and AWS Control Tower both help you set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources that implement an initial security baseline. The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
Update: 🚨 AWS Control Tower allows existing organizations to set up a landing zone.
Feature | AWS Landing Zone | AWS Control Tower
---|---|---
Delivery mechanism | CloudFormation or Terraform | AWS managed service
Architectural support | Fully customizable and owned by the customer | Customizable via solutions, plus AWS-recommended best practices with managed blueprints and guardrails
Account structure | Complete flexibility for a customer-defined account structure | Two non-configurable core accounts, no shared services (SS) account, no Amazon VPC in the core accounts
Federated access | AWS SSO, AWS Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO directory?) and integrated with third-party SSO providers
Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead
Automated account creation | ✅ Account Vending Machine | ✅
Member account region support (VPC) | ✅ All regions are supported[^1] | ❌ Only North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2)[^2]
General region support | ✅ All regions are supported | ❌ Only North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2)
Use existing AWS Organization | ✅ | ❌ (see the update above)
Use existing SSO environment | ✅ | ❌
Use existing AWS Service Catalog environment | ✅ | ❌
New or existing Security Hub environment | ✅ Multi-account scripts | ❌
References
AWS Landing Zone
- Implementation Guide
- Developer's Guide
- User Guide
- Upgrade Guide
- Videos
- Solutions
AWS Control Tower
- User Guide
- Pricing
- Labs
- Videos
- Solutions
Which one should I choose?
- ❓ Are you new to AWS? ✔️ Use AWS Control Tower.
- ❓ Do you need a configurable landing zone with full customization and control over every part? ✔️ Use AWS Landing Zone.
[^1]: Member accounts can be provisioned in every region, no matter where the Account Vending Machine is deployed. ⚠️ You just need to make sure that your CloudFormation templates and Lambda deployment packages are available in the requested region.
[^2]: AWS Control Tower can provision new accounts (network baseline) into the following regions: North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1) and Sydney (ap-southeast-2).