The Landing Zone Accelerator on AWS solution establishes a cloud foundation that is designed in accordance with AWS best practices and numerous international compliance frameworks. It helps you quickly deploy a secure, resilient, scalable, and fully automated cloud foundation that accelerates your readiness for your cloud compliance program. Customers with complicated compliance requirements and highly regulated workloads can better manage and administer their multi-account environment with the help of this solution.
- Introduction
- Architecture Overview
- AWS LZA for Industries
- Use cases for this AWS Solution
- Benefits
- Pricing
- FAQs
Introduction to Landing Zone Accelerator on AWS
The Landing Zone Accelerator (LZA) on AWS is an open-source solution that speeds up the implementation of advanced compliance requirements on AWS. It is intended to support the ongoing deployment and management of secure multi-account, multi-Region AWS environments.
It works in concert with AWS Control Tower. With the LZA, you describe your environment in a collection of configuration files. A CDK application consumes these files and uses AWS CloudFormation to deploy the specified AWS resources, such as networking and security services, into a multi-account, multi-Region environment.
When used in conjunction with other AWS services, it offers a comprehensive low-code solution spanning more than 35 AWS services.
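To make the configuration-file approach concrete, here is an added, illustrative excerpt of a security-config.yaml, modeled on the sample configuration shipped in the LZA repository. It is not taken from the original page or from the page's author. The account name Audit, the chosen Security Hub standards and the password-policy values are assumptions; optional keys added in later LZA releases are omitted, so validate the file against the schema of the release you deploy before committing it to the pipeline.

```yaml
# Illustrative security-config.yaml (added example; names and values are assumptions).
# "Audit" is the account that receives delegated administration for the
# central security services; it must exist in accounts-config.yaml.
centralSecurityServices:
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []          # empty list = enforced in every enabled Region
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []         # any account listed here keeps public S3 access possible
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      destinationType: S3       # findings exported to the central logging bucket
      exportFrequency: FIFTEEN_MINUTES
  securityHub:
    enable: true
    regionAggregation: true     # one aggregated view in the home Region
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable: []   # keep empty unless a control is formally risk-accepted
      - name: CIS AWS Foundations Benchmark v1.4.0
        enable: true
        controlsToDisable: []
accessAnalyzer:
  enable: true
iamPasswordPolicy:
  allowUsersToChangePassword: true
  hardExpiry: false
  requireUppercaseCharacters: true
  requireLowercaseCharacters: true
  requireSymbols: true
  requireNumbers: true
  minimumPasswordLength: 14
  passwordReusePrevention: 24
  maxPasswordAge: 90
awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true
  ruleSets: []                  # managed/custom Config rules are attached here
cloudWatch:
  metricSets: []
  alarmSets: []
```

The settings a reviewer should read most carefully are the `excludeRegions`, `excludeAccounts` and `controlsToDisable` lists: every entry in them is a place where a control does not apply, and because the pipeline deploys exactly what the files say, an entry added "temporarily" becomes a permanent gap unless it is removed again. Treat these files as security policy under code review, not as deployment parameters.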
Landing Zone Accelerator on AWS Architecture
- You install the solution in your environment with AWS CloudFormation. Your environment must meet the prerequisites before you implement the solution. The provided CloudFormation template deploys an AWS CodePipeline that serves as the Landing Zone Accelerator on AWS installation engine.
- The Installer pipeline (AWSAccelerator-InstallerStack) operates independently of the Core pipeline, so you can upgrade to future versions of the solution from the AWS CloudFormation console by changing a single parameter.
- An AWS CodeBuild project serves as the orchestration engine: it builds and runs the solution’s AWS CDK application, which deploys the Core pipeline (AWSAccelerator-PipelineStack) and its dependencies.
- The solution provides Amazon Simple Notification Service (Amazon SNS) topics that you can subscribe to for alerts on Core pipeline events, improving the observability of Core pipeline operations. It also deploys AWS Key Management Service (AWS KMS) customer-managed keys to encrypt Installer and Core pipeline dependencies at rest.
- The resources defined in the solution’s configuration files are deployed to your multi-account environment across multiple AWS CodeBuild deployment stages. An optional manual approval stage lets you review every change these stages will make before they run.
- The solution deploys resources that monitor AWS Control Tower lifecycle events for drift against a known good state, that is, cases where an infrastructure resource’s actual configuration deviates from its expected configuration. The solution also provides tooling to automatically enroll new AWS accounts into your multi-account environment.
- Before using this solution with AWS Control Tower, make sure all organizational units (OUs) and accounts in your AWS Control Tower environment are correctly enrolled; enrollment is managed through the AWS Control Tower console.
AWS Landing Zone Accelerator for Industries
The LZA for Healthcare is an industry-specific deployment of the Landing Zone Accelerator on AWS solution, architected to align with AWS best practices and in conformance with multiple global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive low-code solution across more than 35 AWS services and features to manage and govern a multi-account environment. The LZA is built to support customers with highly regulated workloads and complex compliance requirements.
Healthcare customers can benefit from the LZA for Healthcare as the security controls implemented are aligned with several prominent international frameworks, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Cloud Computing Compliance Controls Catalog (C5)
- National Cyber Security Centre (NCSC)
- Esquema Nacional de Seguridad (ENS) High
- International Organization for Standardization (ISO) 27001 and ISO 27002
The following architecture offers an overview of the AWS landing zone deployed using the LZA for Healthcare:
Use cases for this AWS Solution
1. Cybersecurity Maturity Model Certification: The Cybersecurity Maturity Model Certification (CMMC) program raises cybersecurity standards for companies in the Defense Industrial Base (DIB). It is designed to safeguard sensitive, unclassified information that the Department of Defense (DoD) shares with its contractors and subcontractors.
The framework contains three key features:
- Tiered Model: Depending on the type and sensitivity of the information, CMMC requires companies entrusted with national security information to implement cybersecurity requirements at progressively more advanced levels.
- Assessment Requirements: CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: After CMMC is completely implemented, some DoD contractors who deal with sensitive unclassified DoD information may need to reach a specific CMMC level as a requirement for contract award.
2. Information System Modernization: Modern information system technologies and a contemporary hybrid cloud let an organization get more value from its existing investments while addressing operational concerns such as cost, risk, timeliness, and business continuity.
3. Infrastructure Management: As your AWS environment expands, you must make sure that your infrastructure’s security is current and that your resources adhere to your governance requirements.
4. Isolated Environments: Isolated environment solutions on AWS provide additional protection around workloads while still letting organizations benefit from the scalability of the AWS Commercial Cloud. Using AWS Regions, you can create private environments that give you more control over your security requirements.
5. Security Compliance & Governance: Cloud security at AWS is the highest priority. As organizations embrace the scalability and flexibility of the cloud, AWS is helping them evolve security, identity, and compliance into key business enablers.
6. Workload Isolation: Workload isolation lets you create and manage isolated environments to contain newly created or migrated workloads. This reduces the blast radius of vulnerabilities and threats, and eases compliance by providing mechanisms to isolate access to resources.
Benefits of using the AWS Landing Zone Accelerator
- Quick and easy deployment: Deployment is quick and simple with the LZA, which comes with automation and pre-established best practices. By tailoring it to your requirements, it lets you swiftly and simply create secure, multi-account AWS environments.
- Scalable and secure environment: Core components of the LZA such as Control Tower and Organizations allow you to manage and govern your AWS environment at scale. This ensures that your environments are scalable and reliable, and can support your growing workloads.
- Centralized management and governance: By natively including Service Catalog and IAM, there’s one less step in ensuring that your environments are secure and compliant. This helps to protect your sensitive data and resources and to meet the security and compliance requirements of your industry.
- Pre-built framework: AWS Well-Architected comes built in! The LZA comes with a pre-built, well-architected framework with automation and pre-defined AWS best practices, making it simpler and faster for you to get set up while also following industry best practices.
Pricing
The monthly cost of running this solution in a non-critical sandbox environment with no workloads or activity, using the Landing Zone Accelerator on AWS best-practices configuration with AWS Control Tower in the US East (N. Virginia) Region, is around $430.22 (USD).
To manage costs, we advise setting up a budget using AWS Cost Explorer. Prices can change at any time. Refer to the pricing page for each AWS service utilized in this solution for complete information.
FAQs
Q: What is AWS Control Tower?
Answer: AWS Control Tower enables end users on your distributed teams to provision new AWS accounts quickly, by means of configurable account templates in Account Factory. Meanwhile, your central cloud administrators can monitor that all accounts are aligned with established, company-wide compliance policies.
Q: What is the benefit of AWS Control Tower?
Answer: AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using guardrails you can choose from a pre-packaged list.
Q: How is AWS Control Tower different from the AWS Landing Zone solution?
Answer: While AWS Control Tower automates creation of a new landing zone with predefined blueprints (e.g., IAM Identity Center for directory and access), the AWS Landing Zone solution provides a configurable setup of a landing zone with rich customization options through custom add-ons (such as Active Directory or Okta) and ongoing modifications through a code deployment and configuration pipeline.
Amilcar Garcia Triana says
Thanks for sharing this information. It’s very useful for me. Wondering if you can post a video on how to deploy LZA on AWS.
Regards
Rahul Dangayach says
Hi Amilcar,
Glad you liked our blog.
Please stay tuned for more informative blogs like this.
Thanks and Regards
Rahul Dangayach
Team K21Academy
Syed Hamid Ali says
Any plans of having a training course on AWS LZA?
Rahul Dangayach says
Hi Syed,
Currently, we don’t have any plans for the dedicated training on AWS LZA.
Thanks and Regards
Rahul Dangayach
Team K21Academy