Sergey Suhinin is a DevOps Engineer at Godel. He recently ran a webinar about AWS Landing Zone for the B.E.E.R forum, dedicated to System Engineer’s Day. He discussed the concept of AWS Landing Zone and how users can quickly and securely deploy an AWS multi-account environment.

What is the concept AWS landing zone?

Landing Zone is a common (not just Amazon) concept of multi-account architecture for the environments. We consider a local solution of Amazon based on AWS best practices. Landing Zone is a creation of separate accounts that is justified by the requirements of the GDPR. This creates isolated accounts for logging, security and networking.

A lot of attention in the implementation of the Landing Zone is put into the safety and logging issues. Development, testing environments and production is maximally isolated from external access. Everything that happens in the infrastructure is logged and the data is stored in accordance with the established rules. Security services and working in the appropriate account conducts full control of what is happening in the infrastructure.

Can you talk about the differences between AWS Control Tower and Custom-Built Landing Zone?

The AWS Control Tower is an automated solution from Amazon that allows you to quickly deploy a Landing Zone of almost any complexity. For this, a library of templates for accounts and pre-established links between Amazon services are used. The control tower is a solution for teams with specialised knowledge but no deep knowledge of DevOps.

In turn, the Custom-Built approach allows the DevOps engineering team to be very flexible in setting up all the components of the Landing Zone. At the same time, you can create your own architecture based on this concept and use those services that they see fit. In this case, the Amazon documentation for the Landing Zone is just an instruction. Custom-Built is for people with existing knowledge of Landing Zone – and in return, offers more flexibility, security and is an overall more advanced system.

You can also use some of the Terraform modules that Amazon has prepared for the Landing Zone implementation.

What is Terraspace used for and how does it link to Landing Zone Conception?

In a nutshell, Terraspace is a high-level Terraform framework used to optimise infrastructure-as-code for multi-account architecture. It provides an organised structure and adds convenient tooling. Terraspace makes working with Terraform easier. It also helps customers quickly set up a secure, multi-account AWS environment based on AWS best practices.

Here are the key Terraspace features:

  1. Dry – You can keep your code DRY and is a way to keep your code free of duplication.
  2. Generators – This is used to quickly create starter modules and stacks.
  3. Multiple Environments – Tfvars & Layering allow you to use the same code with different tfvars to create multiple environments.
  4. Deploy multiple stacks – You can deploy multiple stacks with a single command.
  5. Secrets Support – Allows you to use helper methods to pull in secret data like passwords from Secret Storage providers like AWS Secrets Manager.
  6. Terrafile – The Terrafile is where you can define additional modules to add to your Terraspace project.
  7. Configurable CLI – Configurable CLI Hooks and CLI Args allow you to adjust the underlying terraform command.
  8. Testing – The test harness is a generated Terraspace project with the specified modules and stacks.


Talk me through the AWS Landing Zone solution.

AWS Landing Zone is a general name for the solution and is used for multiple services. Because of GDPR, this solution is used for lots of Godel projects. It is a general approach to creating multi-accounts for the infrastructure.

In my opinion, even small projects will use this approach soon. In addition to many security bonuses, the concept allows more convenient work with environments. Everything is structured and understandable. It is very important to involve different engineering teams in the project – it will not take much time to adapt, and it is a good approach for engineers. Tech teams can take diagrams, sources etc. and then they are able to do it.

How does DevOps fit into AWS Landing Zone?

Regardless of which approach is used (The Control Tower or Custom-Built), you cannot do it without a DevOps team. In the first case, DevOps engineers control the deployment of the infrastructure and then support it. And in the second case, you need a very experienced team who can do everything on their own.

What are AWS best practices?

These are engineering solutions based on Amazon’s long-term experience and helps protect your AWS resources. Such as the best combinations of services, optimal settings, solutions to complex and unusual situations etc. Best practices are used for troubleshooting – every DevOps team have their own best practices – AWS have their own approach. Following security best practices helps the root account being compromised. This is important as the root account has access to all the resources in your account.