Security, cost, and time are three variables cited most often as reasons companies hold back from moving their business data to the cloud. Landing zones have traditionally been used to provide easy cloud foundation, and burst the myth that the cloud is expensive and is not in reach to all.
Landing zones helps meet customer’s requirements for an environment that is:
- Secure & Complaint
- Scalable & resilient
- Adaptable & flexible
Moreover, landing zones are known to provide configured, scalable, multi-account cloud environments based on AWS best practices. It further helps set up a baseline to get started with IAM, governance, data security, network design, and logging. Amazon knows managing multi-accounts and other AWS services with landing zone requires comprehensive AWS knowledge and robust customization skills that are inevitably manual.
Though the AWS Landing Zone solution has been widely accredited and accepted by enterprise customers, but at the same time required fundamental changes. In response to that, Amazon comes up with AWS Control Tower Services that speed up landing zone set up by automating the process. Now enterprises may think about migrating from AWS Landing Zone to AWS Control Tower for several reasons.
What Is AWS Control Tower?
AWS Control Tower Service is built on top of other AWS services that enables setting up a well-architected environment. It is just another way to set up a landing zone and get control to govern an AWS multi-account environment, following prescriptive best practices.
Options for landing zones on AWS
It helps in orchestrating the capabilities of several other AWS services that you can easily manage and secure your multi-account, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-on and many others. Provisioning of new accounts has been made easy and fast in the Control Tower. You get this functionality directly to the CT dashboard. Built-in guardrails that come with it help you protect your accounts.
What Are Guardrails?
Guardrails is a policy control mechanism that provides the capability to secure multiple accounts. It is a high-level rule and is available in plain language.
(image source: aws.amazon.com)
Two kinds of guardrails are available: preventive and detective. AWS Control Tower uses preventive control to an entire organizational unit (OU) to prevent issues to AWS accounts. Detective control, on the other hand, helps detect non-compliance of resources within your accounts and provides alerts. In this way, Control Tower ensures ongoing management of your accounts regarding security, operations, and compliance policy.
AWS Control Tower Vs. AWS Landing Zone
|AWS Control Tower
|AWS Landing Zone
|Speed and convenience
|Less than two hours require to set up a basic landing zone including 1) organization unit 2) guidelines 3) SSO 4) service catalog
|Setting up a complex/custom landing zone often takes weeks
|AWS managed services
|CloudFormation or Terraform
|You can create OU as much as you want, but you can’t add in Control Tower the existing OU
|You can create OU as much as you want and you can add existing and create a new one
|Cloud Tower only allows only two non-configurable core accounts while no SS, no Amazon VPC in its core
|Complete flexibility for customer-defined account structure
|Customizable via Solution + AWS recommends best practices with managed blueprints and guardrails
|Fully customizable and owned by the customer
|It comes with a pre-configured AWS SSO and is integrated with third-party SSO providers
|It supports AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector
|Easy setup and management for reduced operational overhead
|Provides extendible capabilities to manage complex and advanced environments
|In the provision of a new AWS account, generate a new VPC with a maximum of 2 private subnets (this is limit) and support only these regions: US-EAST N.Virginia, US-EAST Ohio, US-west Oregon, EU-Ireland
|It allows you to set up your own custom network and delete the default
|There is no API, SDK, CDK
|You can set up with SDK, CDK, CloudFormation, Terraform
|Support version, you can scale adding more AWS account, rules, baseline, but manually
|Scale in an infinite way; you can build and set up everything you want until you automate that
AWS provides two options to create a landing zone; one is to create it by yourself, and the second is to automate its provisioning using Control Tower. Both the options have their pros and cons, and with that, both are serving the diverse needs of enterprises in one or another ways. Now the question is, which one do you need? And why would you migrate from AWS Landing Zone to Control Tower?
We also mentioned above that implementing an AWS landing zone for an organization demands robust AWS knowledge. So, if you are new to AWS, Control Tower is the best fit for you. You can answer the below questions and decide for yourself whether you should migrate from AWS Landing Zone to Control Tower or not?
- Want to decrease maintenance overhead, decrease the amount of custom code, and to look for an easy self-service user experience? Answer – AWS Control Tower
- Are you willing to grow with the pace of innovation? Answer – AWS Control Tower
- Do you need nested OUs? Answer – AWS landing zone
- Do you own a team that can take on the complexity of managing the AWS Landing Zone? If not, Answer – AWS Control Tower
- Do you need complete customization and complete control over every aspect of the landing area? Answer – AWS Landing Zone
- Do you have an existing landing zone that meets your current needs and exceeds AWS Control Tower’s feature set? Evaluate AWS control tower, but may need to wait
We hope these questions will help to decide the need and importance of effectively managing cloud landing zone.