AWS Landing Zone versus AWS Control Tower
AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement a initial security baseline. The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
Update:
π¨ AWS Control Tower allows existing organizations to set up a landing zone.
| Feature | 
|
|
|---|---|---|
| Delivery mechanism | CloudFormation or Terraform | AWS managed service |
| Architectural support | Fully customizable and owned by customer | Customizable via Solution + AWS recommend best practices with managed blueprints and guardrails |
| Account structure | Complete flexibility for customer-defined account structure 
|
Two non-configurable core accounts, no SS, no Amazon VPC in core 
|
| Federated access | AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers |
| Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead |
| Automated account creation | β Account Vending Machine | β |
| Member account region support (VPC) | β All regions are supported1 | β North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) 2 |
| General region support | β All regions are supported | β North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) |
| Use existing AWS Organization | β | β |
| Use existing SSO environment | β | β |
| Use existing AWS Service Catalog environment | β | β |
| New or Existing Security Hub environment | β Multiaccount Scripts | β |
References
AWS Landing Zone
- π Implementation Guide
- π Developers Guide
- π User Guide
- π Upgrade Guide
- πΊ Videos
- π§° Solutions
AWS Control Tower
- π User Guide
- π Pricing
- π Labs
- πΊ Videos
- π§° Solutions
Which one should I choose?
βAre you new two AWS? βοΈUse AWS Control Tower βDo you need a configurable landing zone with full customization and control over every part? βοΈUse AWS Landing Zone
-
Member accounts could be provisioned in every region no matter where the Account Vending Machine is deployed. β οΈYou just need to take care that your CloudFormation templates & Lambdas are available in the requested region.
β© -
AWS Control Tower could provision new Accounts (Network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1) and Sydney (ap-southeast-2).
β©
Related posts
WAF Managed Rules updates Slack Notification
Get Notifications for updates on Managed Rules to Slack
AWS Marketplace Automation
Share Marketplace subscriptions with your AWS Organization
Best practices for REST API development
What to consider when designing a REST API