AWS Landing Zone versus AWS Control Tower

Mar 23rd 2020

David Krohn

AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement a initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).

Feature	AWS Landing Zone	AWS Control Tower
Delivery mechanism	CloudFormation or Terraform	AWS managed service
Architectural support	Fully customizable and owned by customer	Customizable via Solution + AWS recommend best practices with managed blueprints and guardrails
Account structure	Complete flexibility for customer-defined account structure AWS LandingZone Architecture	Two non-configurable core accounts, no SS, no Amazon VPC in core AWS ControlTower Architecture
Federated access	AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector	Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers
Operations	Extensible capabilities to manage the most complex and advanced environments	Simple setup and management for reduced operational overhead
Automated account creation	✅ Account Vending Machine	✅
Member account region support (VPC)	✅ All regions are supported¹	➖ North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) ²
General region support	✅ All regions are supported	➖ North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2)
Use existing AWS Organization	✅	❌³
Use existing SSO environment	✅	❌
Use existing AWS Service Catalog environment	✅	❌
New or Existing Security Hub environment	✅ Multiaccount Scripts	✅

References

AWS Landing Zone

AWS Control Tower

📚 User Guide
📚 Pricing
🎓 Labs
📺 Videos
🧰 Solutions
- 🔧 Customizations for AWS Control Tower
- 🔧 Enabling guardrails in new AWS Regions the AWS Control Tower supports

Which one should I choose?

❓Are you new two AWS?
❗️Use AWS Control Tower

❓Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone

Member accounts could be provisioned in every region no matter where the Account Vending Machine is deployed.
⚠️You just need to take care that your CloudFormation templates & Lambdas are available in the requested region.
↩
AWS Control Tower could provision new Accounts (Network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1) and Sydney (ap-southeast-2).
↩
You cannot deploy AWS Control Tower on an existing account that is a member of AWS Organizations yet. In the near future you will be able to deploy Control Tower to an existing AWS Organizations account structure.
↩

sdksecurity

Using AWS KMS with golang

How-to encrypt and decrypt data with AWS KMS and the aws-sdk-go.

Mar 25th 2020

Sascha Lange

securitycli

Secure handling of AWS api keys

A brief how-to store and access local aws api keys with aws-vault.

Mar 24th 2020

Sascha Lange

security

SSH and SCP with AWS SSM

Using AWS Session Manager with enhanced SSH and SCP capability to connect to your EC2 without using firewalls and bastion hosts

Feb 17th 2020