My Architecture: AWS Control Tower vs AWS Landing Zone
Sep 20, 2019 ~ 3 min read
Both Control Tower and Landing Zone help set up and manage secure multi-account AWS environments. Which one should customers use? Let's take a closer look and figure out together.
What is AWS Control Tower?
Quote: AWS Control Tower is a service that offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.
What is AWS Landing Zone?
Quote: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.
AWS Control Tower vs AWS Landing Zone
Although the official documentation explains the difference between AWS Control Tower and AWS Landing Zone, we believe that customers should learn more details about these two offerings. Keep in mind that these solutions are not an apples-to-apples comparison; it is more like apples to oranges. The AWS Landing Zone solution was launched in June 2018, while AWS Control Tower was announced in November 2018 and launched in June 2019. It's not very clear why, in just a couple of months, AWS introduced two competing products. Based on our limited experience, we would assume the AWS Landing Zone solution was very well received by enterprise customers but at the same time required fundamental changes, which led to the AWS Control Tower service. As of the time of writing, AWS Control Tower doesn't support existing setups for AWS Organizations or AWS SSO, although the official FAQ claims this will be added in the future, as well as the ability to migrate from the AWS Landing Zone solution to the AWS Control Tower service.
| Service or Feature | AWS Control Tower | AWS Landing Zone |
|---|---|---|
| New AWS Organization account | ✅ yes | ✅ yes |
| Existing AWS Organization account | ❌ no | ✅ yes |
| New AWS SSO environment | ✅ yes | ✅ yes |
| Existing AWS SSO environment | ❌ no | ✅ yes |
| New AWS Service Catalog environment | ✅ yes | ✅ yes |
| Existing AWS Service Catalog environment | ❌ no | ✅ yes |
| New or Existing Security Hub environment | ✅ yes | ❌ no |
| Support for CI/CD | ❌ no | ✅ yes |
| Interactive APIs | ❌ no | ❌ no |
| CloudFormation template(s) | ❌ no | ✅ yes |
| Terraform module(s) | ❌ no | ✅ yes |
Therefore, in summary, which one should we use: AWS Control Tower or AWS Landing Zone? The answer is: it depends. If you start from scratch or can afford to destroy existing AWS resources, then AWS Control Tower is the way forward. Otherwise, consider AWS Landing Zone and keep your fingers crossed for a future migration solution from AWS Landing Zone to AWS Control Tower.
Share your thoughts and your experience on LinkedIn, Twitter, Facebook or in the comments section below.