AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources that implement an initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
🚨 AWS Control Tower allows existing organizations to set up a landing zone.
| Feature | AWS Landing Zone (solution) | AWS Control Tower (managed service) |
|---|---|---|
| Delivery mechanism | Solution | AWS managed service |
| Architectural support | Fully customizable and owned by customer | Customizable via Solution + AWS-recommended best practices with managed blueprints and guardrails |
| Account structure | Complete flexibility for customer-defined account structure | Two non-configurable core accounts, no SS, no Amazon VPC in core |
| Federated access | AWS SSO, AWS Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers |
| Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead |
| Automated account creation | ✅ | ✅ |
| Member account region support (VPC) | ✅ All regions are supported¹ | ➖ North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2)² |
| General region support | ✅ All regions are supported | ➖ North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2) |
| Use existing AWS Organization | ✅ | ✅ |
| Use existing SSO environment | ✅ | ❌ |
| Use existing AWS Service Catalog environment | ✅ | ❌ |
| New or existing Security Hub environment | ✅ | ✅ |
❓Are you new to AWS?
❗️Use AWS Control Tower
❓Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone
Member accounts can be provisioned in any region, no matter where the Account Vending Machine is deployed.
⚠️You just need to make sure that your CloudFormation templates and Lambda functions are available in the requested region.
AWS Control Tower can provision new accounts (network baseline) only into the following regions: North Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1) and Sydney (ap-southeast-2).
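The caveat above on the Account Vending Machine (templates and Lambda functions must exist in the target region) is easy to enforce with a pre-flight check before an account request is accepted. The following is an added example, not code from the page or from the AWS Landing Zone solution; the bucket-per-region naming convention, the template keys and the function names it uses are assumptions.

```python
"""Pre-flight check before vending a member account into a region: are the
CloudFormation templates and Lambda functions the AVM deploys present there?
Added example; bucket naming convention, keys and function names are assumed."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class RegionCheck:
    region: str
    missing_templates: List[str] = field(default_factory=list)
    missing_functions: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.missing_templates or self.missing_functions)


def artifact_bucket(base: str, region: str) -> str:
    # Assumed convention: one artifact bucket per region, named <base>-<region>.
    return f"{base}-{region}"


def check_region(region: str, templates: List[str], functions: List[str],
                 object_exists: Callable[[str, str, str], bool],
                 function_exists: Callable[[str, str], bool],
                 base_bucket: str = "landing-zone-artifacts") -> RegionCheck:
    # Collect every missing artifact, not just the first, so one run shows the whole gap.
    # The probes are injected: pass the boto3-backed ones below for a real run, fakes in tests.
    bucket = artifact_bucket(base_bucket, region)
    result = RegionCheck(region)
    result.missing_templates = [f"s3://{bucket}/{k}" for k in templates
                                if not object_exists(bucket, k, region)]
    result.missing_functions = [n for n in functions if not function_exists(n, region)]
    return result


def _aws_ok(call: Callable[[], object]) -> bool:
    # Real probe helper: success means the artifact exists; a ClientError (404, or 403 when
    # the caller may not list the bucket) is treated as missing, which is the safe default.
    import botocore.exceptions  # deferred so the module imports without boto3 installed
    try:
        call()
        return True
    except botocore.exceptions.ClientError:
        return False


def s3_object_exists(bucket: str, key: str, region: str) -> bool:
    import boto3
    return _aws_ok(lambda: boto3.client("s3", region_name=region).head_object(Bucket=bucket, Key=key))


def lambda_function_exists(name: str, region: str) -> bool:
    import boto3
    return _aws_ok(lambda: boto3.client("lambda", region_name=region).get_function(FunctionName=name))
```

Run `check_region("eu-central-1", [...], [...], s3_object_exists, lambda_function_exists)` with credentials for the account that hosts the AVM and refuse the request when `.ok` is false.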