Eugene Istrati

Proud Father. Lucky Husband. Open Source Contributor. DevOps | Automation | Serverless @MitocGroup. Former @AWScloud and @HearstCorp.

My Architecture: AWS Control Tower vs AWS Landing Zone

Sep 20, 2019 ~ 3 min read

Both Control Tower and Landing Zone help set up and manage secure multi-account AWS environments. Which one should customers use? Let's take a closer look and figure it out together.


What is AWS Control Tower?

Quote: AWS Control Tower is a service that offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.


What is AWS Landing Zone?

Quote: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.

AWS Control Tower vs AWS Landing Zone

Although the official documentation explains the difference between AWS Control Tower and AWS Landing Zone, we believe that customers should learn more details about these two offerings. Keep in mind that these solutions are not an apples-to-apples comparison; it is more like apples to oranges.

The AWS Landing Zone solution was launched in June 2018, while AWS Control Tower was announced in November 2018 and launched in June 2019. It's not very clear why in just a couple of months AWS introduced two competing products. Based on our limited experience, we would assume the AWS Landing Zone solution was very well received by enterprise customers, but at the same time required fundamental changes, which led to the AWS Control Tower service.

As of the time of writing, AWS Control Tower doesn't support existing setups for AWS Organization or AWS SSO, although the official FAQ claims that this will be added in the future, as well as the ability to migrate from the AWS Landing Zone solution to the AWS Control Tower service.

| Service or Feature | AWS Control Tower | AWS Landing Zone |
|---|---|---|
| New AWS Organization account | ✅ yes | ✅ yes |
| Existing AWS Organization account | ❌ no | ✅ yes |
| New AWS SSO environment | ✅ yes | ✅ yes |
| Existing AWS SSO environment | ❌ no | ✅ yes |
| New AWS Service Catalog environment | ✅ yes | ✅ yes |
| Existing AWS Service Catalog environment | ❌ no | ✅ yes |
| New or Existing Security Hub environment | ✅ yes | ❌ no |
| Support for CI/CD | ❌ no | ✅ yes |
| Interactive APIs | ❌ no | ❌ no |
| CloudFormation template(s) | ❌ no | ✅ yes |
| Terraform module(s) | ❌ no | ✅ yes |


So, in summary, which one should we use: AWS Control Tower or AWS Landing Zone? The answer is: it depends. If you are starting from scratch or can afford to destroy existing AWS resources, then AWS Control Tower is the way forward. Otherwise, consider AWS Landing Zone and keep your fingers crossed for a future migration solution from AWS Landing Zone to AWS Control Tower.
