Speed-Up Large Scale Migrations with AWS Landing Zone Deployment

Numerous advancements are witnessed in Cloud Computing technology with rapid development in every aspect. The reason behind such development is the increase in the data leading to the big data, data mining and data warehousing solutions. But to manage such massive amount of data, on-premises can lead to out of range cost and labor as well.

Even while deploying applications on AWS, we need to design proactive infrastructure and configure the base environment in which we have to create multiple accounts for accessing multiple resources. A fair amount of time is consumed and to migrate a large-scale organization could lead to multiple issues such as numerous design architectures, data security and several accounts.

To overcome these significant obstacles AWS came up with a solution of Landing Zone. It is based on Amazon’s best practices and AWS account structures having pattern-based architecture with standards defined. One of the important key factors is its automation and versioned infrastructure which is more reliable and applicable.


  • Helps users to set up a secure, multi-account organization, based on AWS best practices.
  • Automating the setup of an environment for running secure scalable workloads, hence time-effective.
  • Provides a baseline environment to start with multi-account architecture, identity and access management, data security, governance, network design, and logging.
  • It deploys an AVM account vending machine for automating the configuration of accounts.

Baseline Requirements

  • Secure the root account using MFA.

  • Use identity solutions.

  • Establish Cross Account Roles.

  • Map Enterprise roles and permissions.

  • Set password policies for low-security threats.

  • Identify actions and conditions to enforce governance.

  • Use AWS CloudTrail for auditing your systems by assigning read-only access.

  • Define Rules for configurations of AWS resources.

  • Configure initial network for an account by deleting default VPCs and deploy AVM requested network type.

How Multi Account Structure Works on AWS Landing Zone

It consists of 4 core accounts in order to handle business processes, which are mentioned below:

AWS Organization Account: - The core account that handles all the AWS organizational functions. It is responsible for managing configurations regarding managed services, also has the ability to manage and create new member accounts and look towards their billing processes. It consists of AWS components like S3 & pipelines, account configurations stack sets, organization control policies, and SSO (Single Sign-on) configuration.

Shared Services Account: - Used to create an infrastructure shared services and hosts AWS active directory for SSO integration in a shared VPC. This also helps in peering account created by AVM.

Log to archive Account: - It consists of S3 buckets used for storing copies of AWS CloudTrail data and AWS configurations files.

Security Account: - Integrated policies to create auditor read-only account, admin access and cross-account roles for managing accounts. Roles are created to monitor the organization’s security.

Duties of Amazon Account Vending Machine (AVM):

Being one of the key components for AWS landing zone and is the automated product of AWS service catalog that helps in creating/updating users & new AWS accounts to organizational units and configured with account security baseline. It can update the users if the security baseline is updated from the service catalog and apply security control policies. Hence, organizations cover this in the least amount of time by not creating new users manually. By just having to create 4 core accounts and assign policies to the AVM and users will be generated automatically.

Are you looking to migrate a large number of complex applications to AWS? Then Royal Cyber can help you with a new solution that helps automate the build-out of a multi-account AWS architecture. To know more about the best practices of extending AWS Landing Zone and to get a solid basis for centrally maintaining AWS setups, you can email us at [email protected] or visit www.royalcyber.com.

Leave a Reply