The document outlines the concept of landing zones in AWS, which provide a foundational multi-account environment based on best practices for secure and scalable cloud operations. It highlights the components and architecture needed for landing zones, including network design, security measures, and identity access management. Additionally, it offers best practices for building and optimizing AWS infrastructure while emphasizing automation and collaboration.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ali Asgar Juzer
Sr. Advisory Consultant, Professional Services
Amazon Web Services
Landing Zones: Creating a
Foundation for Your AWS Migrations

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session Agenda
1. Definition of the Problem
2. Landing Zone Concept
3. Components of a Landing Zone
4. AWS Best Practices & Tips for Building a Landing Zone

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Definition of the Problem

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
meets the organization’s
security and auditing
requirements
ready to support highly
available and scalable
workloads
configurable to
support evolving business
requirements
What do you need

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing Zone Concept

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing
Zone
What is a Landing Zone
Multi-Account AWS Environment
Based on AWS Best Practices
Set of Architecture Patterns
For Shared Core Services
Adaptable Foundation
With Governance Guardrails
Automation Driven
Versioned Infrastructure

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logging Configuration Image
Migrate
Iterate
Operate &
Optimize
Start Accounts
End User
Interaction
AutomationService
Catalog
Domains Direct
Connect
Central
Services
Access Identities Federation
Network Security
Identity &
Access
Cloud
Users
What’s
Next ?
Building a Landing Zone
Business
Needs

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing Zone Components

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Account Structure
Billing visibility
Environment isolation
Small blast radius
Shared Core services
Centralized logs
Governance at Scale

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Non-overlapping
IP range
VPC Design
Logging and
Monitoring
VPN / AWS
Direct
Connect
Subnet Design
Access Control Lists &
Security Groups
Network Design

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Design
VPN/Direct Connect
VPC Peering
DNS Domains Ingress/Egress Points
Bastion Hosts

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security
CloudWatch Metrics &
Alarms
CloudTrail Logs for
Auditing
VPC Flow Logs for
Network Insights
AMI Factory for
Hardened OS Images
Amazon GuardDuty for
Threat Detection
AWS Config Rules for
Dynamic Compliance
and more…

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity & Access Management

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corporate Data Center
Browser interface
Identity
Store
AD Group
Identity and
authentication
AWS Accounts
Identity & Access Management
Mapping to specific
IAM roles with
access policies
Example: Federation with AD

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud
consumers
Browse
products
2
5
Notifications and
outputs
Notifications
and outputs
5
4
Deploy
Administrator
3 Select version,
Provision
product,
configure
parameters
Portfolio
Cloud Consumption Model
Example: AWS Service Catalog
1 Maintain Products

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build, Operate and Optimize
AWS Managed
Services
AWS Managed Services
Provider Partners
Build & Manage
Your Own
Infrastructure Operations
Management for the
Enterprise by AWS
Next Gen Managed Services
Providers with 3rd Party
Audits
In-house Capabilities to Run
& Operate at Scale

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tips to Get Started

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Best Practices & Tips
LZ
1. Automate Everything
2. Start Small, Develop Fast, Iterate Frequently
3. Collaborate & Improve
4. Assess Build vs. Buy Decisions
5. Learn & Seek from the Experts
6. Think Holistic - Business, Governance, People, Platform,
Security & Operations

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What Did We Cover in This Session
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
meets the organization’s
security and auditing
requirements
ready to support highly
available and scalable
workloads
configurable to
support evolving business
requirements
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing
Zone
Multi-Account AWS Environment
Based on AWS Best Practices
Set of Architecture Patterns
For Shared Core Services
Adaptable Foundation
With Governance Guardrails
Automation Driven
Versioned Infrastructure
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Managed
Services
AWS Managed Services
Provider Partners
Build & Manage
Your Own
Infrastructure Operations
Management for the
Enterprise by AWS
Next Gen Managed Services
Providers with 3rd Party
Audits
In-house Capabilities to Run
& Operate at Scale

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session survey in
the summit mobile app.