AWS Landing Zone versus AWS Control Tower


AWS Landing Zone and AWS Control Tower both help you set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources that implement an initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).

Update:

🚨 AWS Control Tower allows existing organizations to set up a landing zone.


| Feature | AWS Landing Zone | AWS Control Tower |
| --- | --- | --- |
| Delivery mechanism | CloudFormation or Terraform | AWS managed service |
| Architectural support | Fully customizable and owned by the customer | Customizable via the solution, plus AWS recommended best practices with managed blueprints and guardrails |
| Account structure | Complete flexibility for a customer-defined account structure (figure: AWS Landing Zone architecture) | Two non-configurable core accounts, no SS, no Amazon VPC in core (figure: AWS Control Tower architecture) |
| Federated access | AWS SSO, AWS Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers |
| Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead |
| Automated account creation | ✅ Account Vending Machine | ✅ |
| Member account region support (VPC) | ✅ All regions are supported¹ | ➖ North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2)² |
| General region support | ✅ All regions are supported | ➖ North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2) |
| Use existing AWS Organization | ✅ | ✅ |
| Use existing SSO environment | ✅ | ❌ |
| Use existing AWS Service Catalog environment | ✅ | ❌ |
| New or existing Security Hub environment | ✅ Multi-account scripts | ✅ |

References

AWS Landing Zone

AWS Control Tower

Which one should I choose?

❓Are you new to AWS?
❗️Use AWS Control Tower

❓Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone


  1. Member accounts can be provisioned in every region, no matter where the Account Vending Machine is deployed.
     ⚠️ You just need to make sure that your CloudFormation templates and Lambda functions are available in the requested region.
  2. AWS Control Tower can provision new accounts (network baseline) into the following regions: North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1) and Sydney (ap-southeast-2).

