Exploring the AWS Landing Zone Accelerator Solution

In this series of blog posts, I will share some considerations regarding the AWS Landing Zone Accelerator before, during, and after deployment.

Introduction

The AWS Landing Zone Accelerator (LZA) is an enterprise-grade solution designed to simplify and streamline the setup of a new multi-account AWS environment. It automates the setup process and applies AWS best practices and Well-Architected Framework design principles along the way. LZA offers a consistent approach to account configuration, security baselines, governance controls, and best practices, which saves time, minimizes errors, and helps ensure security and compliance from the start.

Moreover, LZA speeds up the establishment of a new AWS environment. The solution deploys a foundational set of capabilities aligned with AWS best practices and numerous global compliance frameworks, enabling better management and governance of multi-account environments, especially for highly regulated workloads with intricate compliance requirements.

Should I use Control Tower or LZA?

The AWS Landing Zone Accelerator (LZA) works best with AWS Control Tower (CT): LZA extends the functionality of Control Tower. Based on my discussions with AWS Professional Services consultants (AWS employees), the aim is to gradually merge the LZA functionalities into Control Tower. Both LZA and CT are continuously being developed and improved. You can follow LZA development on its GitHub repository and open issues if you encounter any problems.

For organizations with fewer accounts and less complex operations, it is advisable to begin with AWS Control Tower alone. This approach simplifies management and lowers costs. However, if your organization requires enterprise-level governance, it makes sense to implement the Landing Zone Accelerator (LZA) in conjunction with CT.

Considerations before using LZA

There are numerous considerations before deciding whether or not to use the LZA solution. I will share some of my experiences.

Requirements Discovery

It is important to remember that LZA is a solution, not a requirement. We should always start with our specific needs, requirements, and the problems we want to solve. To satisfy industry regulations and standards, organizations must meet various requirements for their cloud workloads. For example, the Health Insurance Portability and Accountability Act (HIPAA) framework for the healthcare industry and the National Institute of Standards and Technology (NIST) framework for the education sector are two well-known frameworks.

Moreover, organizations have their own unique needs and requirements. For instance:

  • Federated identity: is there a need for integration with an external identity provider (IdP)?
  • Network connectivity: do cloud resources need connectivity to on-premises networks? How about connectivity to other clouds?
  • FinOps: is central reporting of costs and budgets across the organization needed?
  • Security: the ability to log and audit all cloud activities centrally, and the ability to enforce security policies at different levels of the organization
  • Operations: the ability to create, change, monitor, and maintain the landing zone using Infrastructure as Code

This phase requires communication and collaboration with different teams and stakeholders. It is highly recommended to document all the gathered requirements and make sure all stakeholders are aligned with the decisions. Going forward, the support of those stakeholders will be necessary for a successful landing zone deployment.

LZA Evaluation

It is easier to evaluate the LZA solution when you have a list of requirements: there should be alignment between your organization's requirements and what LZA and CT offer. Several things are worth considering in this phase.

  • Cost evaluation: LZA is usually used in coordination with other AWS services, and those services carry their own costs. These recurring costs grow as you add more AWS accounts and services to your organization. Here is an example cost table.
  • Get familiar with the LZA implementation guide: the implementation guide provides a detailed architecture overview and explains how to deploy, customize, and maintain the LZA solution.
  • Try out LZA in a dedicated sandbox environment: before committing to LZA or CT, I recommend asking your AWS account manager to plan a Landing Zone Accelerator immersion day for your team. An AWS Immersion Day is an opportunity to try out different AWS services and solutions in a separate sandbox environment with the help of AWS experts. Feel free to browse the content of this workshop here.

After these steps, you should have a good understanding of the LZA and CT solutions and know whether they satisfy your business requirements.

Who could benefit from LZA?

The AWS Landing Zone Accelerator (LZA) solution is especially beneficial to enterprises and large organizations that are setting up new multi-account AWS environments. It is ideally suited to those managing complex workloads with stringent regulations, intricate compliance requirements, and robust security needs. Companies seeking a streamlined, efficient, and scalable approach to establishing their AWS environment can also benefit greatly from it. Furthermore, an organization that aims to minimize errors or save time during setup while adhering to AWS best practices should consider using LZA.

In the following blog posts, I will share my experiences regarding considerations for the deployment and post-deployment phases of Landing Zone Accelerator and Control Tower.

[This article was written by me, assisted by AI]