100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Cloud Landing Zone Design Cheat Sheet

Cloud Landing Zone Design Cheat Sheet

Multi-account structure, guardrails, networking, and IAM patterns for designing a secure, scalable cloud landing zone.

3 PagesAdvancedMay 6, 2026

Multi-Account Structure

The baseline organizational unit (OU) layout used by most landing zones.

  • Management account- root of the org; billing and SCPs only, no workloads
  • Security OU- log archive + audit/security-tooling accounts, cross-account read access
  • Shared services OU- networking hub, CI/CD, DNS, directory services
  • Workload OUs- split by environment (dev/stage/prod) or business unit
  • Sandbox OU- isolated, auto-expiring accounts for experimentation

Preventive Guardrail (Service Control Policy)

Deny disabling of CloudTrail and leaving approved regions, applied at the OU level.

json
{  "Version": "2012-10-17",  "Statement": [    {      "Sid": "DenyCloudTrailDisable",      "Effect": "Deny",      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],      "Resource": "*"    },    {      "Sid": "DenyOutsideApprovedRegions",      "Effect": "Deny",      "NotAction": ["iam:*", "organizations:*", "route53:*", "support:*"],      "Resource": "*",      "Condition": {        "StringNotEquals": { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] }      }    }  ]}

Hub-and-Spoke Networking (Terraform sketch)

Central transit gateway with spoke VPCs attached per workload account.

hcl
resource "aws_ec2_transit_gateway" "hub" {  description = "landing-zone-hub-tgw"  default_route_table_association = "disable"}resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {  for_each           = var.spoke_vpcs  transit_gateway_id = aws_ec2_transit_gateway.hub.id  vpc_id             = each.value.vpc_id  subnet_ids         = each.value.subnet_ids  tags               = { Name = "${each.key}-tgw-attachment" }}

Landing Zone Design Pillars

What a review of a landing zone design should cover, end to end.

  • Identity- federated SSO, centralized IAM Identity Center / Entra ID, no long-lived keys
  • Guardrails- preventive (SCP/Policy) and detective (Config rules, Security Hub) controls
  • Networking- hub-and-spoke or mesh, centralized egress, private connectivity to on-prem
  • Logging- centralized, immutable CloudTrail/Activity Log archive account
  • Account vending- automated, templated account creation (Control Tower / Landing Zone Accelerator)
  • Cost management- consolidated billing, budgets and tagging policy enforced at the org level
Pro Tip

Bake guardrails into the account-vending pipeline itself (e.g. Control Tower Account Factory or a custom Terraform module) rather than applying SCPs after the fact — accounts should be compliant from the first API call, not retrofitted.

Was this cheat sheet helpful?

Explore Topics

#CloudLandingZoneDesign#CloudLandingZoneDesignCheatSheet#CloudComputing#Advanced#MultiAccountStructure#Preventive#Guardrail#Service#Networking#CheatSheet#SkillVeris