AWS Landing Zone versus AWS Control Tower
AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement a initial security baseline. The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
Update:
π¨ AWS Control Tower allows existing organizations to set up a landing zone.
| Feature | 
|
|
|---|---|---|
| Delivery mechanism | CloudFormation or Terraform | AWS managed service |
| Architectural support | Fully customizable and owned by customer | Customizable via Solution + AWS recommend best practices with managed blueprints and guardrails |
| Account structure | Complete flexibility for customer-defined account structure 
|
Two non-configurable core accounts, no SS, no Amazon VPC in core 
|
| Federated access | AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers |
| Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead |
| Automated account creation | β Account Vending Machine | β |
| Member account region support (VPC) | β All regions are supported1 | β North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) 2 |
| General region support | β All regions are supported | β North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) |
| Use existing AWS Organization | β | β |
| Use existing SSO environment | β | β |
| Use existing AWS Service Catalog environment | β | β |
| New or Existing Security Hub environment | β Multiaccount Scripts | β |
References
AWS Landing Zone
- π Implementation Guide
- π Developers Guide
- π User Guide
- π Upgrade Guide
- πΊ Videos
- π§° Solutions
AWS Control Tower
- π User Guide
- π Pricing
- π Labs
- πΊ Videos
- π§° Solutions
Which one should I choose?
βAre you new two AWS? βοΈUse AWS Control Tower βDo you need a configurable landing zone with full customization and control over every part? βοΈUse AWS Landing Zone
-
Member accounts could be provisioned in every region no matter where the Account Vending Machine is deployed. β οΈYou just need to take care that your CloudFormation templates & Lambdas are available in the requested region.
β© -
AWS Control Tower could provision new Accounts (Network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1) and Sydney (ap-southeast-2).
β©
Related posts
SCP performance with ssm-agent
A performance comparison of scp with ssm-agent and without
Using AWS KMS with golang
How-to encrypt and decrypt data with AWS KMS and the aws-sdk-go.
Secure handling of AWS api keys
A brief how-to store and access local aws api keys with aws-vault.