Organizing your landing zone

Introduction


Highlighted by Google in its latest report on cloud threats, lateral movement in cloud environments is one of the most frequent observations during a compromise. This lateral movement is made all the easier by the fact that many companies began their cloud journey a few years ago in the form of proof-of-concept projects.

Focused on migrating an application, these companies sometimes lost the macro vision of the cloud infrastructure and concentrated on a very project-oriented DevOps vision. This is what is called “putting the cart before the horse…”.

Indeed, before moving workloads, it is worth asking how the cloud platform will be administered over a multi-year horizon, and therefore how it should be architected as a whole.

Concept


The architectural concept of “landing zones” in cloud computing stems from the need to provide a secure and well-structured framework for managing resources in complex cloud environments. Initially developed by AWS and then adopted by Azure and Google Cloud, a landing zone serves as a standardized starting point for deploying cloud environments in production, including network, security, governance, and compliance configurations. This allows companies to accelerate cloud adoption while maintaining a secure and elastic posture from the start.

As its name suggests, it is therefore the environment in which workloads will land, the foundation of your Cloud in a way.

It is interesting to note that this foundation is not only a security-related concept. Even if landing zones are a strong recommendation from cloud security teams, they also greatly facilitate the work of network teams through their hub-and-spoke model, as well as that of finance teams for accountability. In reality, all IT teams involved in the cloud are positively impacted by the implementation of a landing zone.

One of the strong characteristics of landing zones is the isolation of workloads in separate environments. In AWS, for example, it is recommended to create one account per workload type.

The benefits


The benefits are numerous, but the main ones are the following:

  • Integrated standardization and security: Each new workload deployment is done by setting up a new standardized environment, using AWS Control Tower or Azure Blueprints so that deployments are compliant and secure right from setup.
  • Centralized management of multi-environment accounts: A large enterprise can quickly end up with hundreds of accounts or subscriptions, which is why we recommend and deploy AWS Organizations or Azure Management Groups; companies can easily manage multiple accounts or subscriptions while applying global policies.
  • Strengthened governance controls: Implementation of policies via AWS Service Control Policies (SCPs) or Azure Policy to automate compliance. This is what allows us to implement what is known as invariant security: rules that no individual account can weaken.
  • Modular and scalable infrastructure: Use of AWS CloudFormation or Azure Resource Manager (ARM) to automate and standardize resources in the infrastructure. The landing zone systematically brings with it the concept of infrastructure as code (IaC). Why? Because it is the only way to obtain standardized components and repeatable, reliable architectural patterns.
  • Network and access control optimization: With AWS VPC and Azure Virtual Networks, companies can configure secure network architectures right from the initial phase. In landing zones these components are configured in a hub-and-spoke (star) topology to provide centralized network inspection and configuration mechanisms.
  • Centralized management of security and logs: Integration of AWS Security Hub or Azure Security Center for global tracking of threats and security policies. The idea here is that the landing zone greatly facilitates security operations by centralizing events and alerts.
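
As an added illustration of such an invariant, expressed as IaC in the spirit of the bullets above (this is example code, not taken from the original post or from any vendor accelerator), the following Terraform defines an AWS SCP that stops member accounts from weakening CloudTrail and from using unapproved regions. The exemption role name, the approved region list and the OU id are assumptions to be replaced with your own:

```hcl
# Added example: an AWS Service Control Policy attached to an OU.
# Role name, OU id and region list are assumptions; replace with your own.
resource "aws_organizations_policy" "landing_zone_invariants" {
  name        = "landing-zone-invariants"
  description = "Guardrails that no member account can undo"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Nobody but the landing zone admin role may weaken audit logging.
        Sid    = "ProtectCloudTrail"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
          "cloudtrail:PutEventSelectors"
        ]
        Resource = "*"
        Condition = {
          ArnNotLike = { "aws:PrincipalARN" = "arn:aws:iam::*:role/LandingZoneAdminRole" }
        }
      },
      {
        # Deny API calls outside the approved regions, except for global services
        # that are only served from us-east-1 and would otherwise break.
        Sid       = "DenyUnapprovedRegions"
        Effect    = "Deny"
        NotAction = ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                     "route53:*", "support:*", "budgets:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = ["eu-west-1", "eu-central-1"] }
          ArnNotLike      = { "aws:PrincipalARN" = "arn:aws:iam::*:role/LandingZoneAdminRole" }
        }
      }
    ]
  })
}

# Attach the policy to the OU holding workload accounts; the id is a placeholder.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.landing_zone_invariants.id
  target_id = "ou-xxxx-placeholder"
}
```

Because SCPs apply even to account root users, test a new guardrail on a sandbox OU first and watch CloudTrail for AccessDenied errors before attaching it to production OUs.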

With the landing zone, you will not only technically set up a hosting environment, but you will also choose and validate several additional solutions, such as your CI/CD solution or your choice of firewalls. This will allow you to set the global framework for your cloud operations. Setting up a landing zone is a project during which you will have to make many decisions, so be ready…

When to deploy it


A landing zone is not a project that necessarily requires having several production accounts already. Often when I talk to clients, they tell me they are not there yet and their cloud footprint is too small.

In reality, it is precisely when you have few workloads that the time is ideal to deploy a landing zone, because you can easily migrate those workloads to the new environment, and because you have not yet formed too many bad habits or defined processes that will later need to be changed.

Indeed, we must not forget that a landing zone is not just technology; it is also about ways of working with DevSecOps and security tools. It encompasses many concepts which, the earlier they are defined, the easier they are to adopt.

Conclusion


Deploying the technology is increasingly simple with the help of accelerators such as the AWS Landing Zone Accelerator. Consequently, if you have sufficiently qualified resources internally, this should not be the most complicated part. What can prove more challenging is the validation of certain architectural concepts as well as the choice of technologies:

  • Native firewall or one provided by your traditional network equipment vendor?
  • Centralized outbound traffic inspection or not?
  • Which pipeline model?
  • Centralized PaaS (Kubernetes) architecture or decentralization by team?

For this, it is recommended to be supported by experts with experience across multiple organizations.
