Cloud Landing Zone Design Cheat Sheet
Multi-account structure, guardrails, networking, and IAM patterns for designing a secure, scalable cloud landing zone.
3 PagesAdvancedMay 6, 2026
Multi-Account Structure
The baseline organizational unit (OU) layout used by most landing zones.
- Management account- root of the org; billing and SCPs only, no workloads
- Security OU- log archive + audit/security-tooling accounts, cross-account read access
- Shared services OU- networking hub, CI/CD, DNS, directory services
- Workload OUs- split by environment (dev/stage/prod) or business unit
- Sandbox OU- isolated, auto-expiring accounts for experimentation
Preventive Guardrail (Service Control Policy)
Deny disabling of CloudTrail and leaving approved regions, applied at the OU level.
json
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyCloudTrailDisable", "Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*" }, { "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "route53:*", "support:*"], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] } } } ]}
Hub-and-Spoke Networking (Terraform sketch)
Central transit gateway with spoke VPCs attached per workload account.
hcl
resource "aws_ec2_transit_gateway" "hub" { description = "landing-zone-hub-tgw" default_route_table_association = "disable"}resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" { for_each = var.spoke_vpcs transit_gateway_id = aws_ec2_transit_gateway.hub.id vpc_id = each.value.vpc_id subnet_ids = each.value.subnet_ids tags = { Name = "${each.key}-tgw-attachment" }}
Landing Zone Design Pillars
What a review of a landing zone design should cover, end to end.
- Identity- federated SSO, centralized IAM Identity Center / Entra ID, no long-lived keys
- Guardrails- preventive (SCP/Policy) and detective (Config rules, Security Hub) controls
- Networking- hub-and-spoke or mesh, centralized egress, private connectivity to on-prem
- Logging- centralized, immutable CloudTrail/Activity Log archive account
- Account vending- automated, templated account creation (Control Tower / Landing Zone Accelerator)
- Cost management- consolidated billing, budgets and tagging policy enforced at the org level
Pro Tip
Bake guardrails into the account-vending pipeline itself (e.g. Control Tower Account Factory or a custom Terraform module) rather than applying SCPs after the fact — accounts should be compliant from the first API call, not retrofitted.
Was this cheat sheet helpful?
Explore Topics
#CloudLandingZoneDesign#CloudLandingZoneDesignCheatSheet#CloudComputing#Advanced#MultiAccountStructure#Preventive#Guardrail#Service#Networking#CheatSheet#SkillVeris