AWS Landing Zone: Multi-Account Strategy for Enterprise Environments


Why a Multi-Account Strategy Is Non-Negotiable

Running all workloads in a single AWS account is temptingly simple — until the first compliance requirements arrive, a team accidentally overwrites production data, or cost attribution becomes detective work. A well-designed multi-account strategy solves these problems structurally, before they occur.

In my work at T-Systems I built and operated a Landing Zone spanning roughly 2,000 AWS accounts across 40 AWS Organizations. The lessons from that project feed directly into this article.

The Building Blocks: Control Tower and Organizations

AWS Control Tower is the managed service for Landing Zones. It orchestrates AWS Organizations, AWS SSO (IAM Identity Center), AWS Config, CloudTrail, and Service Control Policies (SCPs) into a coherent framework.

AWS Organizations provides the hierarchical structure: Management Account → Organizational Units (OUs) → Member Accounts. The OU structure should reflect the company's security and compliance boundaries, not the team structure.

Control Tower builds on top and delivers:

  • Pre-configured guardrails (preventive and detective controls)
  • Account Factory for standardised account provisioning
  • A compliance overview dashboard

OU Design: The Most Important Decision

The OU structure is hard to change once accounts live inside it. A typical structure:

Root
├── Security (Log Archive, Audit)
├── Infrastructure (Shared Services, Network)
├── Workloads
│   ├── Production
│   ├── Non-Production
│   └── Sandbox
└── Suspended

Important: sandbox accounts for developers are not a luxury — they prevent experiments from landing in production environments.

Service Control Policies: Guardrails, Not Cages

SCPs are the most powerful tool in AWS Organizations. They define the maximum permissions available to every account in an OU — regardless of what the IAM policies inside those accounts allow. Two caveats matter in practice: an SCP never grants a permission by itself (it only caps what IAM can grant), and SCPs do not apply to the management account, which is one more reason to keep no workloads there.

Typical SCPs for an enterprise Landing Zone:

  • Region restriction to EU regions (GDPR compliance)
  • Prohibition of root account activities
  • Protection of security baseline resources from deletion
  • Restriction of certain services in sandbox accounts
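To make the two preceding sections concrete, here is an added example (not code from the article, AWS or T-Systems) that models the article's OU tree with the four typical SCPs attached per OU and then walks the inheritance path Root → OU → account to show which Deny statements apply to a given request. The account IDs, the LandingZoneAdmin role name, the sandbox service list and the global-service exemption list are assumptions for this example; the simulator only handles the condition operators these policies use and is not a replacement for AWS's own policy evaluation.

```python
# Added example (not code from the article or from AWS): the article's OU tree
# with SCPs attached per OU, plus a deliberately simplified SCP simulator that
# walks the inheritance path Root -> OU -> ... -> account. Assumptions: only
# Deny statements with the operators used below are modelled; account IDs and
# the LandingZoneAdmin role are placeholders; IAM policies are ignored.
import fnmatch

# OU tree from the article (OU name -> child OUs).
OU_TREE = {"Root": {"Security": {}, "Infrastructure": {}, "Suspended": {},
                    "Workloads": {"Production": {}, "Non-Production": {},
                                  "Sandbox": {}}}}

# Constructed placements: account ID -> OU the account lives in.
ACCOUNT_OU = {"111111111111": "Security", "222222222222": "Production",
              "333333333333": "Sandbox"}

# Global services that must stay reachable when requests are pinned to EU
# regions (standard AWS pattern; the exact list is an assumption).
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*", "health:*"]

def region_restriction_scp(allowed_regions):
    # Deny every non-global action whose requested region is not allowed.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
    }]}

DENY_ROOT_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
}]}

PROTECT_BASELINE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectSecurityBaseline", "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
               "config:DeleteConfigurationRecorder",
               "config:StopConfigurationRecorder", "guardduty:DeleteDetector"],
    # Only the (assumed) landing-zone admin role is exempt from the Deny.
    "Condition": {"ArnNotLike": {
        "aws:PrincipalArn": "arn:aws:iam::*:role/LandingZoneAdmin"}},
}]}

SANDBOX_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenySelectedServicesInSandbox", "Effect": "Deny", "Resource": "*",
    "Action": ["redshift:*", "directconnect:*"],  # constructed choice
}]}

# Attachments by OU: everything below Root inherits the baseline set, and the
# Sandbox OU adds its own limits on top of it.
ATTACHMENTS = {"Root": [region_restriction_scp(["eu-central-1", "eu-west-1"]),
                        DENY_ROOT_SCP, PROTECT_BASELINE_SCP],
               "Sandbox": [SANDBOX_SCP]}

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, ctx):
    """Evaluate only the operators the SCPs above use."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key) or ""
            expected = [expected] if isinstance(expected, str) else expected
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator == "StringLike" and not _matches(expected, actual):
                return False
            if operator == "ArnNotLike" and _matches(expected, actual):
                return False
    return True

def _statement_denies(stmt, ctx):
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        applies = _matches(stmt["Action"], ctx["action"])
    else:  # NotAction: the statement covers every action NOT listed
        applies = not _matches(stmt["NotAction"], ctx["action"])
    return applies and _condition_holds(stmt.get("Condition", {}), ctx)

def ou_path(account_id):
    # OU chain from Root down to the OU that holds the account.
    def walk(node, path):
        for name, children in node.items():
            if name == ACCOUNT_OU[account_id]:
                return path + [name]
            found = walk(children, path + [name])
            if found:
                return found
    return walk(OU_TREE, [])

def denied_by(account_id, action, region=None, principal_arn=None):
    """Sids of inherited SCP statements that deny the request. SCPs are
    intersected along the path, so a Deny attached anywhere on it wins."""
    ctx = {"action": action, "aws:RequestedRegion": region,
           "aws:PrincipalArn": principal_arn}
    return [stmt["Sid"] for ou in ou_path(account_id)
            for scp in ATTACHMENTS.get(ou, [])
            for stmt in scp["Statement"] if _statement_denies(stmt, ctx)]
```

Calling `denied_by("333333333333", "redshift:CreateCluster", "eu-central-1", "arn:aws:iam::333333333333:role/Developer")` returns `["DenySelectedServicesInSandbox"]`, while the same call for the production account returns an empty list: the Sandbox OU's extra policy is inherited only by accounts under it, whereas the region, root-user and baseline-protection policies attached at Root reach every account in the tree. This is why the OU layout is the decision to get right first: moving an account between OUs silently changes its permission ceiling.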

Account Factory: Standardisation From Day One

Every new account should be provisioned through the Account Factory — never manually. This ensures that baseline configurations (CloudTrail, Config, Security Hub, GuardDuty) are active from the start.

With Account Factory for Terraform (AFT), this process can be fully automated and version-controlled.
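"Never manually" is a rule that needs a check behind it. The following added example (not code from the article, AWS or AFT) scans a constructed CloudTrail log file from the management account for Organizations account-creation calls made by anything other than the Account Factory pipeline. The role name `AccountFactoryPipeline`, the account IDs and the events themselves are placeholders; to use this against a real landing zone, look up a known-good `CreateAccount` event in CloudTrail and put the principal it was made under into the approved set.

```python
# Added example (not from the article, AWS or AFT): flag account-creation API
# calls that bypass the Account Factory, run over constructed CloudTrail
# records. Assumption: every legitimate account in this landing zone is created
# under the placeholder role AccountFactoryPipeline; find the real principal by
# inspecting a known-good CreateAccount event in your own CloudTrail.
import json

APPROVED_FACTORY_ROLES = {"AccountFactoryPipeline"}  # placeholder role name
ACCOUNT_CREATION_EVENTS = {"CreateAccount", "CreateGovCloudAccount",
                           "InviteAccountToOrganization"}

# Constructed CloudTrail log file in its usual {"Records": [...]} shape,
# trimmed to the fields the check reads. Account IDs and names are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-02T09:12:41Z", "eventName": "CreateAccount",
     "eventSource": "organizations.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn":
         "arn:aws:sts::111111111111:assumed-role/AccountFactoryPipeline/aft"},
     "requestParameters": {"accountName": "payments-prod",
                           "email": "aws-payments-prod@example.com"}},
    {"eventTime": "2024-05-02T14:03:10Z", "eventName": "CreateAccount",
     "eventSource": "organizations.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"accountName": "quick-test",
                           "email": "alice+test@example.com"}},
    {"eventTime": "2024-05-02T15:20:00Z",
     "eventName": "InviteAccountToOrganization",
     "eventSource": "organizations.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn":
         "arn:aws:sts::111111111111:assumed-role/Admin/bob"},
     "requestParameters": {"target": {"type": "ACCOUNT", "id": "999999999999"}}},
    {"eventTime": "2024-05-02T16:00:00Z", "eventName": "DescribeOrganization",
     "eventSource": "organizations.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
]})

def role_name(arn):
    """Role name from an assumed-role session ARN, or None for other principals."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]

def find_out_of_band_creations(records):
    """Return account-creation events not performed by an approved factory role."""
    findings = []
    for ev in records:
        if (ev.get("eventSource") != "organizations.amazonaws.com"
                or ev.get("eventName") not in ACCOUNT_CREATION_EVENTS):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        if role_name(arn) in APPROVED_FACTORY_ROLES:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "time": ev.get("eventTime"), "event": ev["eventName"],
            "principal": arn,
            # CreateAccount carries accountName; invitations carry target.id
            "account": params.get("accountName")
                       or params.get("target", {}).get("id"),
        })
    return findings

def scan_log(raw_json=SAMPLE_LOG):
    """Parse one (already gunzipped) CloudTrail log file and scan its records."""
    return find_out_of_band_creations(json.loads(raw_json)["Records"])

if __name__ == "__main__":
    for f in scan_log():
        print(f"{f['time']} {f['event']} by {f['principal']} -> {f['account']}")
```

On the sample data the scan reports two findings: the `CreateAccount` by the IAM user and the `InviteAccountToOrganization` by the ad-hoc admin session, while the pipeline's own creation and the read-only `DescribeOrganization` are ignored. An invited account is worth catching as well as a created one, because it arrives without any of the baseline the Account Factory would have applied.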

Conclusion

A Landing Zone is not a one-time project but a living system. The investment in a solid foundational structure pays off — in the form of faster account provisioning, better compliance visibility, and fewer security incidents.

This article is based on hands-on experience building an enterprise Landing Zone at T-Systems. Details have been adjusted for confidentiality.