What is the difference between AWS Landing Zones and AWS Control Tower? Customised Solution or Managed Service?!
AWS Landing Zone and AWS Control Tower both help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources that implement an initial security baseline.
The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
Update:
🚨 AWS Control Tower allows existing organizations to set up a landing zone.
Feature | AWS Landing Zone | AWS Control Tower |
---|---|---|
Delivery mechanism | CloudFormation or Terraform | AWS managed service |
Architectural support | Fully customizable and owned by customer | Customizable via Solution + AWS recommend best practices with managed blueprints and guardrails |
Account structure | Complete flexibility for customer-defined account structure | Two non-configurable core accounts, no Shared Services account, no Amazon VPC in core |
Federated access | AWS SSO, AWS-Managed Microsoft AD or Active Directory Connector | Preconfigured with AWS SSO (AD or SSO Directory?) and integrated with third-party SSO providers |
Operations | Extensible capabilities to manage the most complex and advanced environments | Simple setup and management for reduced operational overhead |
Automated account creation | ✅ Account Vending Machine | ✅ |
Member account region support (VPC) | ✅ All regions are supported [1] | ➖ North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2) [2] |
General region support | ✅ All regions are supported | ➖ North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1), Sydney (ap-southeast-2) |
Use existing AWS Organization | ✅ | ✅ |
Use existing SSO environment | ✅ | ❌ |
Use existing AWS Service Catalog environment | ✅ | ❌ |
New or Existing Security Hub environment | ✅ Multiaccount Scripts | ✅ |
References
AWS Landing Zone
- 📚 Implementation Guide
- 📚 Developers Guide
- 📚 User Guide
- 📚 Upgrade Guide
- 📺 Videos
- 🧰 Solutions
  - 🔧 Account Vending Machine
  - 🔧 Security Hub Multiaccount Scripts
AWS Control Tower
- 📚 User Guide
- 📚 Pricing
- 🎓 Labs
- 📺 Videos
- 🧰 Solutions
  - 🔧 Customizations for AWS Control Tower
  - 🔧 Enabling guardrails in new AWS Regions that AWS Control Tower supports
Which one should I choose?
❓ Are you new to AWS?
❗️Use AWS Control Tower
❓ Do you need a configurable landing zone with full customization and control over every part?
❗️Use AWS Landing Zone
1. Member accounts can be provisioned in every region, no matter where the Account Vending Machine is deployed. ⚠️ You just need to make sure that your CloudFormation templates and Lambda functions are available in the requested region.
2. AWS Control Tower can provision new accounts (network baseline) into the following regions: North-Virginia (us-east-1), Ohio (us-east-2), Oregon (us-west-2), Ireland (eu-west-1) and Sydney (ap-southeast-2).