Landing Zones#

A landing zone is the pre-built baseline the infrastructure lands on before the first workload ships. Account and organization structure, identity, network skeleton, logging, and guardrails are stood up once, as code, so every later environment inherits the same controls instead of re-deriving them by hand.

The structure of the landing zone fixes the blast radius. A flat single account puts production, staging, and the security tooling in one trust boundary; a multi-account organization with per-environment and per-team accounts contains a compromise to the account it started in. The same account boundaries reveal which credentials reach which systems, the first thing an attacker enumerates on contact.

        flowchart TB
  Root["Organization root"]
  Mgmt["Management account<br/>billing, policy, vending"]
  Root --> Mgmt
  Root --> SecOU["Security OU"]
  Root --> InfraOU["Infrastructure OU"]
  Root --> WorkloadsOU["Workloads OU"]
  SecOU --> Log["Log archive account"]
  SecOU --> Audit["Security / audit account"]
  InfraOU --> Net["Network hub account"]
  InfraOU --> Shared["Shared services account"]
  WorkloadsOU --> Prod["Prod accounts"]
  WorkloadsOU --> NonProd["Non-prod accounts"]
  WorkloadsOU --> Sandbox["Sandbox accounts"]
    

Hierarchy#

The infrastructure is a tree. A single organization root owns everything, groups of accounts hang off it under organizational units, and the individual account is the hard isolation boundary where workloads actually run. Policy attaches to a node and flows down, so a control set on an organizational unit reaches every account beneath it without being copied.

The operator keeps the tree shallow enough to reason about and deep enough to separate what must not share a blast radius. Environments (prod, non-prod, sandbox) split first because they fail independently; teams and applications split underneath when their credentials should not reach each other. See Environments for the development, training, and operational tiers these accounts carry.

Accounts#

A landing zone reserves a handful of foundational accounts before any workload account exists. Each one isolates a concern that would be dangerous to co-locate with running services.

Account

Purpose

Management

Organization root. Holds billing, organization policy, and account vending. Runs no workloads.

Log archive

Write-once destination for org-wide audit and access logs. Locked down so a compromised account cannot erase its tracks.

Security / audit

Read-only cross-account access for the security team and detection tooling. The seat the blue team works from.

Network

The shared network hub. Transit, central egress, DNS, and inspection live here.

Shared services

Directory, CI runners, golden images, and internal tooling used across the org.

Sandbox

Disposable accounts for experiments, isolated from production and capped on spend.

Workload

One per application and environment. Where the services the mission cares about actually run.

Guardrails#

Guardrails are the controls the landing zone enforces from above so no account can opt out. Preventive guardrails block a disallowed action before it happens; detective guardrails flag drift after the fact. A guardrail left in detect-only mode is a tripwire, not a wall, and the operator should know which is which on a target.

Guardrail

Effect

Deny org leave

Block an account detaching itself from the organization.

Deny log tampering

Block disabling or deleting the organization audit trail.

Region lockdown

Deny resource creation outside approved regions.

Root user guard

Block root-credential use and access-key creation.

Public-access guard

Block public object storage and public disk snapshots.

A preventive guardrail is a policy document attached high in the tree. The denial below stops every account under it from leaving the organization, regardless of what permissions a local admin grants.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}

Identity#

Identity is centralized once and federated everywhere. One identity provider holds the humans, the cloud trusts it through SSO, and permission sets map from groups onto accounts. No account carries local users, and no automation carries a long-lived key.

  • Federate, one IdP via SAML or OIDC, MFA enforced, short sessions.

  • Assume, never store, workloads take short-lived roles instead of holding keys.

  • Scope by account, a group’s reach stops at the accounts its permission set names.

  • Break glass, one sealed, hardware-MFA account, monitored, used only when SSO is down.

Network#

The address plan is drawn before the first subnet exists. Ranges are carved non-overlapping across every account so they can peer later without renumbering, and the spokes attach to a central hub that owns transit, egress, and inspection. See Network Topology for the topology patterns the hub implements.

  • Plan the space, non-overlapping CIDR ranges allocated per account up front.

  • Hub and spoke, a transit gateway, shared VPC, or hub VNet the workload accounts attach to.

  • Central egress, outbound traffic crosses one inspected, logged point.

  • Private reach, private endpoints to provider services so traffic skips the public internet.

Logging#

Every account ships its record of itself to the log archive account, where the operator (or the operator’s adversary) cannot quietly rewrite history. The trail is org-wide so a newly vended account is covered the moment it exists.

  • Org-wide trail, every control-plane API call captured org-wide.

  • Write once, object-lock or immutability on the archive bucket.

  • Centralize the rest, flow logs, access logs, and config snapshots land in the same account.

  • Alert on the trail itself, a disabled or deleted trail is a high-signal event.

Provisioning#

The landing zone is itself code. The baseline lives in a Git repository, a pipeline applies it, and new accounts are vended from a factory that wires in the identity, network, logging, and guardrail defaults before anyone logs in. Click-ops account creation is the thing the factory exists to kill, because a hand-built account is one that drifted from the baseline on day zero. See Infrastructure as Code for the tooling that applies it.

Providers#

The pattern is identical across providers; only the nouns change. The operator who learns the structure once carries it onto any infrastructure.

Concept

AWS

GCP

Azure

Top of hierarchy

Organization

Organization

Tenant root group

Grouping node

Organizational unit

Folder

Management group

Isolation boundary

Account

Project

Subscription

Preventive guardrail

Service control policy

Organization policy

Azure policy

Baseline framework

Control Tower

Cloud Foundation Toolkit

Azure Landing Zones

Central audit log

CloudTrail

Cloud Audit Logs

Activity Logs

Pitfalls#

  • Workloads in the management account, its blast radius is the whole organization.

  • Detect-only guardrails, controls that report a violation but never stop it.

  • No break-glass path, an SSO outage locks every operator out at once.

  • Overlapping CIDR ranges, addresses chosen per account block later peering.

  • Account sprawl, new accounts vended without a factory drift from the baseline.

  • One account for every environment, prod and sandbox sharing a single trust boundary.

References#