globaldatanetmenu

.AWS Landing Zone versus AWS Control Tower

Apr 20th 2020-2 min read

AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement a initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).

Update:

🚨 AWS Control Tower allows existing organizations to set up a landing zone.

FeatureControl TowerCloudFormation
Delivery mechanismAWS managed service
Architectural supportFully customizable and owned by customerCustomizable via Solution + AWS recommend best practices with managed blueprints and guardrails
Account structureComplete flexibility for customer-defined account structureTwo non-configurable core accounts, no SS, no Amazon VPC in core
Federated accessAWS SSO, AWS-Managed Microsoft AD or Active Directory ConnectorPreconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers
OperationsExtensible capabilities to manage the most complex and advanced environmentsSimple setup and management for reduced operational overhead
Automated account creationβœ…
Member account region support (VPC)βœ… All regions are supported1βž– North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2) 2
General region supportβœ… All regions are supportedβž– North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1), Sydney (ap-southeast-2)
Use existing AWS Organizationβœ…βœ…
Use existing SSO environmentβœ…βŒ
Use existing AWS Service Catalog environmentβœ…βŒ
New or Existing Security Hub environmentβœ…

References

AWS Landing Zone

AWS Control Tower

Which one should I choose?

❓Are you new two AWS?
❗️Use AWS Control Tower

❓Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone

  1. ↩

Member accounts could be provisioned in every region no matter where the Account Vending Machine is deployed.
⚠️You just need to take care that your CloudFormation templates & Lambdas are available in the requested region.

  1. ↩

AWS Control Tower could provision new Accounts (Network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Irland (eu-west-1) and Sydney (ap-southeast-2).

globaldatanetCloud Development, Optimization & Automation

.Navigation

.Social

  • follow globaldatanet on instagram
  • follow globaldatanet on facebook
  • follow globaldatanet on twitter
  • follow globaldatanet on linkendin
  • follow globaldatanet on twitch
  • follow globaldatanet's tech rss feed
  • follow globaldatanet at github
Β© 2021 by globaldatanet. All Right Reserved