A landing zone is the secure, multi-account foundation everything else on AWS sits on top of — Organizations OUs, guardrails (SCPs), centralized CloudTrail and Config, Security Hub and GuardDuty, single sign-on via IAM Identity Center, and the network spine. This page explains what a good one looks like, how Control Tower / Landing Zone Accelerator / DIY Terraform compare, gives you a reference design you can copy, and shows how CloudRoute routes you to a vetted AWS partner who builds it for you — an engagement that is often AWS-funded.
A landing zone is not a product you buy and it is not a single AWS service. It is a well-architected, multi-account AWS environment — the secure baseline your applications "land" in — set up so that every new account is governed, logged, and locked down from the first minute.
Concretely, a landing zone bundles five things that most teams otherwise bolt on painfully and late: a multi-account structure under AWS Organizations, preventive guardrails enforced by Service Control Policies (SCPs), centralized and tamper-resistant logging (CloudTrail and AWS Config aggregated into a dedicated log-archive account), a centralized security posture (Security Hub, GuardDuty, optionally Macie and Inspector rolling up to one place), and federated human access through IAM Identity Center so engineers never get long-lived IAM users. The network spine — typically a Transit Gateway and a shared-services VPC — usually rides along with it.
Why many accounts rather than one big account with tags and IAM? Because in AWS the account is the strongest isolation and billing boundary there is, and three things you want hard rather than soft all collapse into it. Security isolation: an SCP on the production OU can make it literally impossible to disable CloudTrail or delete the logs, even for an account admin — no IAM policy grants its way around a deny SCP. Blast radius: a leaked credential or a buggy IaC apply is contained to one account, not your whole company. Cost attribution: per-account billing is the cleanest cost signal AWS gives you, with every account mapping to a team, an environment, or a customer.
The counter-cost is real — more accounts means more to provision and more cross-account networking — and that overhead is exactly what a landing zone amortizes. Control Tower (or LZA, or your Terraform) turns "spin up a fully governed account" into a templated, minutes-not-days operation through Account Factory, so the marginal cost of one more account drops toward zero. The line in practice: not a separate account per microservice, but separation along the seams that matter — prod vs non-prod, the security tooling vs the workloads it watches, shared infrastructure vs app teams, and a throwaway sandbox.
If you have ever inherited an AWS estate that grew organically — root credentials in a password manager, AdministratorAccess IAM users named after people who left, CloudTrail off in several regions — you have seen the absence of a landing zone. Retrofitting one onto that mess is real work, but it is the single highest-leverage thing you can do for security, cost, and sanity.
Keep the management (payer) account empty. No workloads, no IAM users doing day-to-day work, no S3 buckets full of app data — nothing but Organizations, billing, and the landing-zone tooling itself. The management account is the keys to the entire kingdom; the fewer reasons anyone has to log into it, the smaller your worst-day blast radius. Control Tower enforces this convention by design, and it is the first thing a good partner will check on an existing estate.
A landing zone organizes accounts into Organizational Units (OUs) under AWS Organizations. OUs are how you apply policy to groups of accounts at once. The structure below is the well-trodden default — start here, adapt at the edges.
AWS Organizations gives you a tree: the management account at the root, OUs as branches, accounts as leaves. SCPs and other policies attach to OUs and flow down to every account inside, which is what makes the OU layout a security-design decision and not just filing. The standard landing-zone layout, drawn from AWS's own multi-account guidance, looks like this:
You do not have to start with all of these populated — a young startup might launch with Security (log archive + audit), one Shared-Services account, a Prod and a Staging workload account, and a Sandbox, and grow into the rest. The value is that the shape is decided up front, so the tenth account is as governed as the first. Resist the urge to model your org chart in OUs; model your security and environment boundaries. Teams reorganize; "production vs everything else" does not.
Guardrails are the rules of the building. They come in two flavors — preventive (this action is impossible) and detective (this misconfiguration gets flagged) — and a real landing zone uses both.
Preventive guardrails are enforced by Service Control Policies. An SCP is an org-level boundary that says what an account is even allowed to attempt; it does not grant permissions, it caps them. Because an SCP deny cannot be overridden by any IAM policy inside the account — not even by an account admin — SCPs are the one control workload teams cannot accidentally turn off. The starter set most landing zones ship with is short but high-value:
Detective guardrails are the other half: AWS Config rules and Security Hub controls that continuously evaluate your resources against a baseline (CIS AWS Foundations, AWS Foundational Security Best Practices, PCI) and raise a finding when something drifts — a bucket goes public, an SSH port opens to the world, a key has not rotated. They do not block; they tell you. The combination is the point: SCPs stop the catastrophic and irreversible, Config and Security Hub surface the gradual drift. Control Tower ships a managed library of both (mandatory, strongly-recommended, and elective controls); LZA and Terraform builds wire the equivalents up explicitly. The design question is the same either way — what must be impossible, and what must be visible.
The thing that turns a pile of accounts into a governed estate is centralization: every account ships its audit trail and its security findings to one place that the workload teams cannot tamper with.
The payoff is operational and audit-facing at once. Operationally, your security team works one inbox instead of N. For compliance, "show me that logging is centralized, immutable, and complete across the whole organization, and that threat detection is on everywhere" is a question a landing zone answers in a screenshot — which is exactly the question SOC 2, ISO 27001, HIPAA, and PCI assessors ask first. Teams that retrofit this after a failed audit always wish they had built it on day one; it is dramatically cheaper to inherit than to backfill.
CloudTrail records the who-did-what API history of every account; AWS Config records the configuration state and change history of every resource. In a landing zone both are enabled org-wide as a trusted-access integration and delivered into a dedicated Log Archive account in the Security OU — an account whose entire job is to be a write-only, long-retention vault. Because the buckets live in a different account from the workloads, and an SCP forbids touching them, an attacker who compromises an application account still cannot erase their tracks. This single design choice — logs in a separate account you cannot delete from — is what makes your CloudTrail trustworthy enough to put in front of an auditor.
GuardDuty is AWS's managed threat-detection service: it watches CloudTrail, VPC flow logs, and DNS logs for the signatures of compromise (crypto-mining, credential exfiltration, reconnaissance) and raises findings. Security Hub is the aggregator that collects GuardDuty findings plus Config-rule results plus its own standards checks (CIS, AWS FSBP) into one prioritized view. In a landing zone you enable both org-wide and designate the Audit account in the Security OU as the delegated administrator, so every finding from every account flows to one security team, one queue, one dashboard — rather than being scattered across dozens of consoles nobody checks. Inspector (vulnerability scanning) and Macie (sensitive-data discovery) plug into the same pattern when you need them.
Two cross-cutting concerns thread through every account: how humans get in, and how the accounts talk to each other. A landing zone solves both centrally.
IAM Identity Center (formerly AWS SSO) is how a landing zone gives people access. You connect it to your identity provider — Okta, Entra ID, Google Workspace, or its built-in directory — and define permission sets (ReadOnly, PowerUser, Admin) that map groups to roles across many accounts. Engineers log in once and assume short-lived, role-based credentials in whichever accounts they are entitled to, through one access portal and the AWS CLI. The effect: no long-lived access keys in dotfiles, no per-account user sprawl, central onboarding and — critically — instant central offboarding, since disabling someone in your IdP evaporates their access to every AWS account at once. A security win and an audit checkbox that is miserable to satisfy without it.
Once you have many accounts they need a network design. The modern default is a hub-and-spoke topology on AWS Transit Gateway: each workload account has its own VPC (the spoke), and all attach to a central Transit Gateway (the hub) in the Network account, which routes traffic between them and out to on-prem (Direct Connect or VPN) or the internet through centralized egress. This beats a mesh of VPC peering connections, which becomes unmanageable past a handful of VPCs. Shared services — DNS via Route 53 Resolver, centralized NAT/egress, inspection — live in the hub so every spoke inherits them, and PrivateLink plus centralized VPC endpoints handle private access to AWS and SaaS. You do not need all of it on day one — start with a couple of VPCs and add the Transit Gateway when peering gets annoying — but the landing zone reserves the address space and the Network account so the growth path stays clean.
There are three credible ways to stand up a landing zone in 2026, and choosing wrong costs weeks. The honest framing: most teams should start with Control Tower; a regulated or complex estate may need LZA; a platform team with strong opinions and the staff to maintain them may go pure Terraform/OpenTofu. The comparison table below lays them side by side.
AWS Control Tower is the managed, opinionated front door. It orchestrates Organizations, a baseline set of accounts (it provisions the Log Archive and Audit accounts for you), a curated library of preventive and detective controls, IAM Identity Center wiring, and an Account Factory for vending governed accounts. You give up some flexibility — it is opinionated, and some advanced layouts fight it — in exchange for a known-good, AWS-supported baseline in days, with AWS maintaining the control mappings as best practices evolve. For most startups and mid-size companies this is the right default.
The Landing Zone Accelerator on AWS (LZA) is an AWS Solutions-published, configuration-driven deployment (CloudFormation/CDK under the hood) for organizations with heavier requirements — public sector, healthcare, finance, multi-region or sovereign needs, dozens of controls mapped to specific compliance frameworks. More powerful and explicit than Control Tower, and it can layer on top of it or stand alone, but substantially more to operate: you own a large config repo and pipeline. Reach for LZA when Control Tower's opinions genuinely do not fit a regulated reality — not before.
A DIY Terraform or OpenTofu build (HashiCorp Terraform is BSL-licensed as of 2024; OpenTofu is the open fork, and AWS CDK, Pulumi, or CloudFormation are alternatives) gives you total control of every account, OU, SCP, and integration as code. Done well it is fully owned; done by a team without dedicated platform engineers it becomes a bespoke system one person understands and nobody can safely change — and you now maintain, by hand, all the control-mapping and account-vending logic Control Tower would have maintained for you. The pragmatic middle path many good teams land on: Control Tower owns the governed baseline (accounts, core controls, Account Factory, SSO), and Terraform/OpenTofu manages everything inside the accounts.
To make it concrete, here is a sensible day-one landing zone for a funded startup with a real product and a SOC 2 timeline — built on Control Tower, then extended with your own IaC. Management account: Organizations, billing, and Control Tower only, otherwise empty, root locked with hardware MFA. Security OU: a Log Archive account (org-wide CloudTrail + Config, write-only, long retention) and an Audit account (Security Hub + GuardDuty delegated admin). Infrastructure OU: a Network account (Transit Gateway hub, shared VPC, Route 53 Resolver, centralized egress) and a Shared-Services account (CI/CD, ECR, golden images). Workloads OU split into Prod (stricter SCPs: region-deny, encryption-required, no public ingress) and Non-Prod (dev + staging), one account per app-environment. Sandbox OU: disposable accounts with a hard budget, isolated from prod.
Identity is IAM Identity Center federated to the company IdP with three starter permission sets (ReadOnly, PowerUser, Admin). Guardrails are the Control Tower mandatory and strongly-recommended controls plus a few custom SCPs (region-deny, deny-disable on the security services, deny-root), and Security Hub runs the CIS and AWS FSBP standards so the SOC 2 evidence collects itself. That estate is small enough for a two-person team to operate, and structured so the fiftieth account is exactly as governed as the first — the whole promise of a landing zone.
A landing zone is not free to build or operate, so the honest question is timing. Build it too early and it is ceremony; build it too late and you are retrofitting under audit pressure. Here is where the line sits.
And when you genuinely do not need one yet: a true solo project or a pre-incorporation prototype running in a single account, with one person, no customer data, and no compliance timeline, does not need the full apparatus. Turn on CloudTrail, enable GuardDuty, avoid the root user, and keep a clean billing alarm — then build the landing zone as the second account or the first hire or the first customer contract appears. The mistake is not building one early; it is building one late, after the mess has set.
A landing zone is a known quantity for a good AWS partner: it is the engagement they do most. CloudRoute exists to put that partner in front of you fast, and for credit-eligible companies, to do it on AWS's dime.
You have two honest options for building this. Hire and train a platform engineer (months of recruiting, then ramp), or have a vetted AWS partner who has built dozens of landing zones stand yours up in weeks and hand it over documented. CloudRoute does the routing: you tell us your stage, region, and what you are trying to land on AWS, and within 24 hours we match you to a partner with the specific track record — Control Tower, LZA, regulated/SOC 2, your cloud-of-origin if you are migrating — and the right AWS partner tier to do the work well.
The funding mechanics, stated plainly so there is no overclaim: for credit-eligible companies (typically funded startups, but others qualify), the partner is paid through AWS partner-funding programs and your AWS consumption during the build is covered by Activate credits — so the landing-zone engagement is frequently AWS-funded and the customer pays $0 or close to it. If you have not claimed your credits yet, start there: see $100K AWS credits and the startup path, then have the same partner put that funding toward building the foundation. For companies that are not credit-eligible, CloudRoute is still a vetted-partner referral that skips the hiring-and-vetting slog — you just engage the partner directly. Either way you are not gambling on an unknown freelancer for the most security-sensitive thing in your AWS account.
The deliverable is the thing itself: a multi-account organization with the OU structure above, guardrails live, logging and security centralized, IAM Identity Center wired to your IdP, the network spine in place, and — the part teams undervalue — the whole thing handed over as documentation and (where appropriate) IaC, so your team can run and extend it. A landing zone built and walked away from is half a deliverable; CloudRoute partners hand you the keys and the manual.
The three credible ways to build a landing zone in 2026, compared on the dimensions that actually decide it. The short version: Control Tower for most, LZA for regulated/complex, DIY Terraform/OpenTofu when you have a platform team and a reason.
| Dimension | AWS Control Tower | Landing Zone Accelerator (LZA) | DIY Terraform / OpenTofu |
|---|---|---|---|
| What it is | Managed, opinionated AWS service | AWS Solutions config-driven deployment (CFN/CDK) | Your own IaC modules from scratch |
| Time to baseline | Days | 1–3 weeks | 3–8+ weeks |
| Flexibility | Opinionated; some layouts fight it | High; explicit config of everything | Total — you own every line |
| Ongoing maintenance | Low — AWS maintains controls | Medium–high — you own the config repo | High — you maintain all of it |
| Account vending | Account Factory (built in) | Config-driven account creation | You build it (e.g., AFT / custom) |
| Best fit | Most startups & mid-market | Regulated, multi-region, complex estates | Platform teams with strong opinions + staff |
| Skill required | Moderate AWS admin | Strong AWS + CDK/CFN | Senior platform engineering |
| Can combine? | Yes — baseline, then your IaC inside | Yes — can layer on Control Tower | Often used inside a CT baseline |
Situation: The whole company ran in a single AWS account with shared IAM users and root credentials in a password manager. CloudTrail was on in one region only, GuardDuty was off, and there was no separation between prod and dev. The pending SOC 2 audit needed centralized immutable logging, org-wide threat detection, least-privilege federated access, and prod/non-prod isolation — none of which existed. The lone senior engineer was fully allocated to product and could not own a multi-account rebuild.
What CloudRoute did: Routed within 20 hours to a partner with Control Tower + SOC 2 track record. The partner stood up a Control Tower landing zone: management account emptied, Security OU with Log Archive + Audit accounts, Infrastructure OU with a Network account (Transit Gateway) and Shared-Services account, a Workloads OU split into Prod and Non-Prod, and a Sandbox OU. IAM Identity Center was federated to the company's Okta, custom SCPs added (region-deny, deny-disable on security services, deny-root), and Security Hub set to CIS + AWS FSBP. The existing workload was migrated into a new Prod account. The company was credit-eligible, so the engagement ran on AWS partner funding and Activate credits.
Outcome: Governed baseline live in under four weeks; the existing app moved into the Prod account with no customer-facing downtime. SOC 2 logging, threat-detection, access-control, and isolation controls satisfied with screenshots instead of scrambling. Everything handed over as documentation plus the Control Tower config and supporting Terraform. Cumulative AWS spend during the build was credit-covered; CloudRoute's commission was paid by the partner from AWS's funding — the customer paid $0.
engagement window: ~4 weeks · founder/engineer time: ~12 hours · accounts provisioned: 8 · cost to customer: $0 (credit-eligible)
CloudRoute routes you to a vetted AWS partner who stands up the multi-account baseline, guardrails, logging, identity, and network spine — handed over documented. Credit-eligible companies pay $0. No hiring slog, no discovery theater.