Landing Zone Accelerator in Theory

Preparing your team and your organization to use AWS has never been this easy. Let’s learn what LZ and LZA are about
Beginning to use AWS is not a straightforward path for every team and organization. Many teams start “experimenting” with AWS resources in a single root account, keep using that account until the experiment becomes part of production, and end up heading in the opposite direction of what is widely agreed to be best practice.
Landing Zone is a tool offered by AWS to counter this common mistake. It is a “warm-up tool” that prepares the organizational structure a team needs, together with good practices covering security policies, network configuration and management instruments. Yet Landing Zone by itself is not perfect either, and could improve a lot (definitely!). In response to the feedback AWS received from experts, a year ago they announced a new tool called “Landing Zone Accelerator”, which takes the deployment of AWS infrastructure for organizations to another level.
Think of LZA as an advanced tool that helps you build the AWS environment for your entire organization and then lets you add new tools, configure policies and create accounts from one central place. Let’s dive into what LZA is; I will then introduce a few simple steps for using it first-hand.
Landing Zone vs. Landing Zone Accelerator
What’s The Difference?
- Landing Zone (LZ) is mostly a “one-time use” tool that helps you set up a secure, multi-account AWS environment based on AWS best practices. If you are a team, whether small or big, with multiple departments and team members who need access to AWS to develop and maintain workloads in the cloud, LZ helps you establish that infrastructure with a few simple clicks, following best practices.
- Landing Zone Accelerator (LZA) builds on LZ and lets you generate additional resources, security policies and accounts in an automated way. Landing Zone is a prerequisite for LZA: you need to deploy Landing Zone first in order to implement LZA.
To be fair, the definition of Landing Zone in the official AWS documentation is somewhat outdated. When I read it, it seems intent on convincing the user to have multiple accounts instead of a single one. That is no longer the concern of organizations; everyone is convinced of it. The greater concern is how to handle multiple accounts and organizational units in a secure way.
This is where LZA comes into play! After you create multiple accounts and organizational units with Landing Zone, LZA helps you manage the environment via pipelines.
How Does Landing Zone Work?
Probably the best-known step in practice is the Well-Architected Tool, accessible in your console, which asks you a set of questions in each category and aims to bring you a step closer to owning a well-architected infrastructure. On its official page, the AWS Well-Architected Tool is introduced as follows: “The AWS Well-Architected Tool is designed to help you review the state of your applications and workloads, and it provides a central place for architectural best practices and guidance. It is based on the AWS Well-Architected Framework, which was developed to help cloud architects build secure, high-performing, resilient, and efficient application infrastructures”.
As of mid-2023, LZA is deployed with a CloudFormation template. In short (details below), you deploy the template provided in AWS’s official GitHub account into your root account, then make all changes through CodePipeline.
- The first step is to deploy the template in CloudFormation.
- Once it is deployed, head to CodeCommit, where you will see several YAML files generated for the pipeline.
- Each YAML file covers a particular configuration: accounts-config.yaml configures the accounts in your organization, network-config.yaml configures your network, and so on.
- It is also possible to generate additional resources, such as enabling Amazon Inspector or Amazon GuardDuty for security.
- After changing the YAML files, release the changes in CodePipeline; once the process completes, you will see the improvements reflected in your infrastructure.
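As an added example (not code from the original post or from the LZA project), the following Python script runs a few sanity checks over the parsed accounts-config.yaml and organization-config.yaml before you release a change to the pipeline: every account targets a declared OU, root e-mails are unique, the mandatory accounts are present, and no account has been dropped from the file while it still exists in the organization. The key names are assumed to match the layout of LZA’s sample configuration; the config dicts, e-mail addresses and the list of already-deployed accounts are constructed.

```python
"""Pre-push sanity check for LZA's accounts-config.yaml (added example)."""
from collections import Counter
# Key names follow the layout of LZA's published sample configuration; this is
# an assumption, so compare them against the files in your own CodeCommit repo.
# Both dicts would normally come from yaml.safe_load(); they are embedded here
# as constructed sample data so the check runs offline.
MANDATORY = {"Management", "LogArchive", "Audit"}

ORG_CFG = {  # constructed organization-config.yaml: the OUs LZA will create
    "organizationalUnits": [{"name": "Security"}, {"name": "Infrastructure"}],
}

ACCOUNTS_CFG = {  # constructed accounts-config.yaml with two deliberate mistakes
    "mandatoryAccounts": [
        {"name": "Management", "email": "mgmt@example.com", "organizationalUnit": "Root"},
        {"name": "LogArchive", "email": "logs@example.com", "organizationalUnit": "Security"},
        {"name": "Audit", "email": "audit@example.com", "organizationalUnit": "Security"},
    ],
    "workloadAccounts": [
        # "Workloads" is never declared in ORG_CFG, so this account has nowhere to land
        {"name": "Dev", "email": "dev@example.com", "organizationalUnit": "Workloads"},
        # root e-mail reused: AWS refuses to create a second account with it
        {"name": "Alice", "email": "dev@example.com", "organizationalUnit": "Infrastructure"},
    ],
}

# Constructed list of account names the previous pipeline run already created.
DEPLOYED = ["Management", "LogArchive", "Audit", "Dev", "Bob"]

def validate(accounts_cfg, org_cfg, deployed):
    """Return human-readable findings; an empty list means the file is safe to push."""
    findings = []
    mandatory = accounts_cfg.get("mandatoryAccounts", [])
    everything = mandatory + accounts_cfg.get("workloadAccounts", [])
    ous = {"Root"} | {ou["name"] for ou in org_cfg.get("organizationalUnits", [])}
    # 1. The three core accounts keep their fixed names.
    for name in sorted(MANDATORY - {a["name"] for a in mandatory}):
        findings.append(f"mandatory account {name} is missing")
    # 2. Every account must target an OU that organization-config.yaml declares.
    for a in everything:
        if a.get("organizationalUnit") not in ous:
            findings.append(f"{a['name']}: OU {a.get('organizationalUnit')} is not declared")
    # 3. Each account needs its own root e-mail address.
    for email, n in sorted(Counter(a["email"].lower() for a in everything).items()):
        if n > 1:
            findings.append(f"email {email} is used by {n} accounts")
    # 4. Deleting an entry does not close the account; it only breaks the pipeline run.
    for name in sorted(set(deployed) - {a["name"] for a in everything}):
        findings.append(f"{name} removed from file but still exists: close/suspend it first")
    return findings
```

Run it as a pre-commit hook or a first stage of the pipeline so a bad YAML change is rejected before CodePipeline tries to apply it.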
LZA Benefits: What’s in it for us?
Although the advantages LZA brings to an organization will vary from team to team, the expected benefits fall into a few key areas:
- Security: Because accounts are managed centrally, you can manage access policies for all members. Service Control Policies let you define standard rules for your entire organization. You can also enforce rules such as requiring MFA per account, guaranteeing a baseline level of security with LZA.
- Infrastructure: You can create resources automatically and easily. Sharing templates across accounts and networks is also easier with LZA.
- Cost Management: Using LZA, you can apply tag policies to resources created by accounts. Tagging helps your organization attribute costs to each account and department/project. AWS already has useful tools for reducing costs (AWS Budgets, Cost and Usage Reports etc.), but applying a tag policy is the challenge for teams. LZA overcomes this challenge and helps you get the most out of the cost management tools.
- Monitoring: By default, Landing Zone creates Security and Log Management OUs, so that all logs and activity reports are collected in a proper way. Logging and observability are topics teams often neglect when setting up. LZA addresses this from the very start by providing the fundamental resources needed to collect that input.
In addition to the points above, governance and compliance can also be counted as a great plus. That area is very industry-specific, so its advantages are difficult to define in general. However, the four points above already form a baseline for satisfying audit standards and will certainly make audit preparation much easier for teams.
LZA Challenges: One Tool Fits All?
Although the solution promises to overcome the problems faced when deploying Landing Zone, LZA still has a lot of room to improve. To begin with, the documentation and implementation guide provided are quite basic; additional guidelines and details are needed to make the tool applicable and understandable by everyone, especially by those who are not AWS experts.
More importantly, configuring the infrastructure via YAML files is still a blind shot. While experimenting with LZA, I decided to create two new accounts, each dedicated to an employee. Somehow they were allowed to enroll into custom organizational units, while some were not allowed to enroll into security organizational units, and then surprisingly some were!
Next, imagine these employees leave your organization and you now need to get rid of their accounts in your architecture. It is also challenging to remove them from the organization. Simply “deleting” the entries from the YAML file causes an error in the pipeline and creates a dead end: you need to apply many manual steps (close the account, suspend it, remove it from the organization, etc.) in order to roll the environment back to where it was.
The tool is new, and the LZA team will surely improve it with every new version. For the time being, however, it is ideal to get assistance from an expert in the field who can guide you through every step of the LZA implementation, making sure the tool is deployed properly and that you get the most out of it for your organization.
As the next step, I will provide raw, to-the-point instructions introducing LZA in practice, so you can experiment with it too!