AWS Landing Zone versus AWS Control Tower


AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement a initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).

AWS Landing Zone
AWS Control Tower
AWS Control Tower
Delivery mechanism CloudFormation or Terraform AWS managed service
Architectural support Fully customizable and owned by customer Customizable via Solution + AWS recommend best practices with managed blueprints and guardrails
Account structure Complete flexibility for customer-defined account structure
AWS LandingZone Architecture
AWS LandingZone Architecture
Two non-configurable core accounts, no SS, no Amazon VPC in core
AWS ControlTower Architecture
AWS ControlTower Architecture
Federated access AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers
Operations Extensible capabilities to manage the most complex and advanced environments Simple setup and management for reduced operational overhead
Automated account creation Account Vending Machine
Member account region support (VPC) ✅ All regions are supported1
North-Virginia (us-east-1), Ohio (us-east-2),
Oregon (us-west-2), Irland (eu-west-1),
Sydney (ap-southeast-2) 2
General region support ✅ All regions are supported
North-Virginia (us-east-1), Ohio (us-east-2),
Oregon (us-west-2), Irland (eu-west-1),
Sydney (ap-southeast-2)
Use existing AWS Organization 3
Use existing SSO environment
Use existing AWS Service Catalog environment
New or Existing Security Hub environment Multiaccount Scripts


AWS Landing Zone

AWS Control Tower

Which one should I choose?

❓Are you new two AWS?
❗️Use AWS Control Tower

❓Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone

  1. Member accounts could be provisioned in every region no matter where the Account Vending Machine is deployed.
    ⚠️You just need to take care that your CloudFormation templates & Lambdas are available in the requested region.

  2. AWS Control Tower could provision new Accounts (Network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1) and Sydney (ap-southeast-2).

  3. You cannot deploy AWS Control Tower on an existing account that is a member of AWS Organizations yet. In the near future you will be able to deploy Control Tower to an existing AWS Organizations account structure.


Using AWS KMS with golang

How-to encrypt and decrypt data with AWS KMS and the aws-sdk-go.


Mar 25th 2020


Sascha Lange

Secure handling of AWS api keys

A brief how-to store and access local aws api keys with aws-vault.


Mar 24th 2020


Sascha Lange

SSH and SCP with AWS SSM

Using AWS Session Manager with enhanced SSH and SCP capability to connect to your EC2 without using firewalls and bastion hosts


Feb 17th 2020


David Krohn