A Practical Guide to Building a Secure AWS Landing Zone

Establishing a secure foundation in AWS is critical for any growing organization. A multi-account architecture isolates environments from one another and limits the blast radius of a compromised credential or a misconfigured workload. In this guide, we walk through building a production-ready AWS Landing Zone using automation and governance best practices.

1. Establish a Multi-Account Structure

Do not run workloads in a single AWS account. Group your accounts into logical Organizational Units (OUs) under AWS Organizations:

  • Security OU: Dedicated accounts for centralized log archiving (the Log Archive account) and for audit tooling (AWS Config aggregation, Security Hub, GuardDuty delegated administration).
  • Infrastructure OU: Centralized networking (AWS Transit Gateway, shared VPCs) and shared services (CI/CD agents, artifact repositories).
  • Workloads OU: Separate dev, staging, and production accounts for running user-facing services.
  • Sandbox OU: Isolated, tightly restricted accounts with no connectivity to the corporate network, where developers can experiment safely.

Key Principle: Logs aggregated in the Log Archive account must be immutable. Enable S3 Object Lock in compliance mode with a default retention period on the archive buckets: in compliance mode a protected object version cannot be deleted, nor its retention shortened, by any principal, including the account's root user, until the retention period expires. Governance mode is not enough, because any principal granted s3:BypassGovernanceRetention can remove the lock. Back this up with a bucket policy that denies object deletion and lifecycle or lock changes for all principals, and keep the Log Archive account free of workloads so that almost nobody ever needs to sign in to it.
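
The following audit script is an added example and is not part of the original guide or of any AWS tooling. It checks a Log Archive bucket for exactly the properties described above (compliance-mode Object Lock, a minimum default retention, and an unconditional bucket-policy deny on destructive actions) and flags the weak configuration beside the hardened one. The input shapes follow S3's GetObjectLockConfiguration and GetBucketPolicy responses; the two sample configurations, the bucket name and the 365-day minimum are constructed for illustration.

```python
"""Audit a Log Archive bucket for the immutability properties the guide asks for.

Added example, not code from the original guide or from AWS. The inputs mirror
the shapes returned by S3's GetObjectLockConfiguration and GetBucketPolicy APIs;
the sample configurations below are constructed, not taken from a real account,
and the 365-day minimum is an assumed policy value.
"""
from fnmatch import fnmatch

MIN_RETENTION_DAYS = 365  # assumption: retain audit logs for at least one year

# Actions a principal could use to destroy or shorten the life of log evidence.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutLifecycleConfiguration",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_denies_for_everyone(policy: dict, action: str) -> bool:
    """True if a Deny statement with Principal "*" and no Condition matches `action`.

    Conditional denies are deliberately not counted: an exempted principal is a
    path around the control, and this audit wants the unconditional guarantee.
    IAM action names are matched with '*' wildcards, case-insensitively.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def audit_log_archive(lock_config: dict, policy: dict) -> list:
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []
    lock = lock_config.get("ObjectLockConfiguration", {})
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")

    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; versions can be deleted at will")
    elif mode != "COMPLIANCE":
        # GOVERNANCE mode is bypassable by anyone holding s3:BypassGovernanceRetention,
        # so it does not protect logs from a compromised administrator.
        findings.append(f"Object Lock mode is {mode}; COMPLIANCE is required")

    days = retention.get("Days", retention.get("Years", 0) * 365)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention is {days} days; minimum is {MIN_RETENTION_DAYS}")

    for action in DESTRUCTIVE_ACTIONS:
        if not policy_denies_for_everyone(policy, action):
            findings.append(f"bucket policy does not unconditionally deny {action}")
    return findings


# Constructed sample 1: the weak setting (governance mode, short retention, no deny).
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}

# Constructed sample 2: the hardened setting.
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogTampering",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:DeleteObject*", "s3:PutBucketObjectLockConfiguration",
                   "s3:PutLifecycleConfiguration"],
        "Resource": ["arn:aws:s3:::example-log-archive",
                     "arn:aws:s3:::example-log-archive/*"],
    }],
}

if __name__ == "__main__":
    for name, lock, policy in (("weak", WEAK_LOCK, WEAK_POLICY),
                               ("hardened", HARDENED_LOCK, HARDENED_POLICY)):
        print(name, audit_log_archive(lock, policy) or ["OK"])
```

The bucket-policy deny is defense in depth, not the guarantee: the bucket owner's root user can always replace a bucket policy, whereas a compliance-mode lock cannot be lifted by anyone before its retention expires, which is why the audit insists on COMPLIANCE rather than accepting GOVERNANCE.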

2. Automate with AWS Control Tower

AWS Control Tower is the fastest supported way to launch a secure, well-architected multi-account environment. It automatically configures:

  • An AWS Organization with core OUs and accounts.
  • Federated identity using IAM Identity Center.
  • Centralized logging: an organization-wide CloudTrail trail and AWS Config delivery into the Log Archive account.
  • A library of preventive, detective, and proactive controls (formerly called guardrails).

3. Define Guardrails (SCPs and Config Rules)

Guardrails enforce organizational compliance. Preventive guardrails block risky actions before they happen; detective guardrails block nothing and instead flag drift after the fact, so the two are complementary:

  1. Preventive (Service Control Policies): Restrict which regions may be used, deny actions that disable security services (such as GuardDuty and CloudTrail), and protect the IAM roles that Control Tower manages from modification. SCPs never apply to the management account, so keep workloads and day-to-day human access out of it.
  2. Detective (AWS Config Rules): Continuously evaluate resource configurations, for example that EBS volumes are encrypted (encrypted-volumes), that S3 buckets are not publicly readable (s3-bucket-public-read-prohibited), and that no security group allows SSH from 0.0.0.0/0 (restricted-ssh).

# Sample Service Control Policy (SCP) to deny tampering with CloudTrail.
# PutEventSelectors is included because it can silently drop management events.
# The Condition exempts one break-glass role; LogArchiveAdmin is a placeholder
# name, replace it with your own role or drop the Condition to deny everyone.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/LogArchiveAdmin"
        }
      }
    }
  ]
}
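
Before attaching an SCP to an OU it is worth checking who it actually blocks. The evaluator below is an added example, not code from the original guide or from AWS: it implements only the slice of policy evaluation this SCP exercises (Deny statements, wildcard Action matching, and an ArnNotLike condition on aws:PrincipalArn) and runs the DenyDisablingCloudTrail policy from this section, here with a break-glass exemption, against a developer role and an exempted role. The LogArchiveAdmin role name and the account IDs are constructed placeholders.

```python
"""Check which API calls the CloudTrail SCP blocks, and for whom.

Added example, not code from the original guide or from AWS. It implements just
the slice of policy evaluation the sample SCP exercises: Deny statements,
wildcard Action matching, and an ArnNotLike condition on aws:PrincipalArn. The
LogArchiveAdmin role name and the account IDs are constructed placeholders.
"""
from fnmatch import fnmatchcase

# Assumption: a single break-glass role may still manage trails (for example to
# add a region). Everyone else in the OU is denied, whatever their IAM policies say.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/LogArchiveAdmin"

DENY_CLOUDTRAIL_TAMPERING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingCloudTrail",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:UpdateTrail",
            "cloudtrail:DeleteTrail",
            "cloudtrail:PutEventSelectors",  # could silently drop management events
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style match: '*' and '?' wildcards, compared case-insensitively."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context.

    Only ArnLike and ArnNotLike are implemented; any other operator raises so
    the caller notices instead of silently getting a wrong answer.
    """
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, patterns in pairs.items():
            matched = _matches(patterns, context.get(key, ""))
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """True if the SCP contains a Deny that applies to this action and principal.

    An SCP never grants anything: False only means the SCP is silent and the
    principal's own IAM policies decide.
    """
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


DEVELOPER = "arn:aws:iam::111122223333:role/Developer"
BREAK_GLASS = "arn:aws:iam::111122223333:role/LogArchiveAdmin"

if __name__ == "__main__":
    for action in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
        for who in (DEVELOPER, BREAK_GLASS):
            denied = scp_denies(DENY_CLOUDTRAIL_TAMPERING, action, who)
            print(f"{who.split('/')[-1]:15} {action:28} denied={denied}")
```

Two caveats the evaluator cannot see: SCPs never constrain the management account or service-linked roles, and the real decision also consults identity policies, permission boundaries and session policies. Note also that the wildcard account ID in the exemption trusts a role of that name in every member account; in practice pin it to the one account that should hold the break-glass role.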

4. Centralized Network Baseline

Instead of giving every account its own internet gateway and public subnets, route outbound traffic through a central Egress VPC in the Infrastructure OU's network account, so that workload VPCs have no direct path to the internet. Connect workload VPCs with AWS Transit Gateway and inspect cross-account and egress traffic with AWS Network Firewall.

5. Federated Access

Ban long-lived IAM access keys for people; where a machine needs credentials, give it an IAM role (instance profiles, roles for containers, OIDC federation for CI runners) rather than an IAM user with keys. Standardize human access on IAM Identity Center federated to your corporate identity provider (Okta, Google Workspace, Microsoft Entra ID, formerly Azure AD) so that every session uses short-lived credentials, and enforce Multi-Factor Authentication (MFA) at the identity provider, since that is where authentication actually happens once you federate.
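
Enforcing the ban needs a way to find the keys that already exist. The script below is an added example, not code from the original guide or from AWS: it parses the CSV that `aws iam get-credential-report` returns (after base64 decoding) and reports every IAM user with an active access key, every console user without MFA, and a root user without MFA or with keys. The report, the account ID and the user names are constructed for illustration, and the reference date is fixed so that the key ages are reproducible.

```python
"""Find IAM identities that still hold long-lived credentials, from a credential report.

Added example, not code from the original guide or from AWS. The input is the
CSV body of `aws iam get-credential-report`; the report below is constructed
with a fictional account ID, and AS_OF is pinned so the computed ages are stable.
"""
import csv
import io
from datetime import datetime, timezone

STALE_AFTER_DAYS = 90  # assumption: keys older than this get an extra warning

# Constructed sample in the credential-report column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-06-09T08:00:00+00:00,true,2024-05-20T14:03:00+00:00,2024-01-02T08:00:00+00:00,2024-04-01T08:00:00+00:00,false,true,2022-06-10T00:00:00+00:00,2024-05-19T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-25T02:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-09-15T12:00:00+00:00,true,2024-05-30T09:00:00+00:00,2024-03-01T12:00:00+00:00,2024-05-30T12:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned reference date


def audit_credential_report(report_csv: str, as_of: datetime) -> dict:
    """Return {user: [findings]} for every identity that violates the baseline.

    Baseline: no IAM user may hold an active access key (humans federate through
    Identity Center, machines use roles), every console password needs MFA, and
    the root user must have MFA and no keys.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        problems = []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                age = (as_of - rotated).days
                msg = f"access_key_{n} is active and {age} days old"
                if age > STALE_AFTER_DAYS:
                    msg += f" (older than {STALE_AFTER_DAYS} days)"
                problems.append(msg)
        # Root reports password_enabled as not_supported, but it always has a console login.
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            problems.append("console access without MFA")
        if problems:
            findings[user] = problems
    return findings


if __name__ == "__main__":
    for user, problems in audit_credential_report(SAMPLE_REPORT, AS_OF).items():
        for problem in problems:
            print(f"{user}: {problem}")
```

Run against a real report, the same function gives the removal list for the key ban; the age is only context, since under this policy any active key on an IAM user is a finding regardless of how recently it was rotated.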

Summary

A secure landing zone is a living system. Manage it as infrastructure-as-code (Terraform or the Landing Zone Accelerator on AWS, LZA) so that every change is reviewed and reproducible, and continuously audit the baseline against the Security Pillar of the AWS Well-Architected Framework.