One of the first starting points for many organisations using Public Cloud is the establishment of a Landing Zone. A Landing Zone is a well-architected, multi-account environment that’s based on security and compliance best practices..
There are several reasons why organisations leverage a multi-account strategy including but not limited to:
- Service Quotas: Each AWS Service typically has a number of different quotas; some of these are soft limits that can be increased by requesting an increase in the limit through a support ticket whilst others have hard limits that cannot be increased.
- Limiting the Blast Radius: As an AWS Account is a boundary of isolation, potential risks and threats can be contained within an account without affecting others.
- Security Controls: Workloads may have different complianye needs based on the Industry or the Geographical location. Whilst there are synergies between the different compliancy frameworks, the Security Controls that are implemented to help achieve the compliance may need to be implemented in a slightly different manner or may not be required at all.
- Billing Separation: AWS Accounts are the only real way to separate items at a billing level e.g. Data Transfer costs.
When I first started using AWS in 2016 there was no pre-packaged solution for a Landing Zone; there were several recommendations provided by AWS but in essence it was something that organizations had to build themselves.
Continue reading
