The problem
A blank AWS account is dangerous. Region sprawl, root credentials, public S3 buckets, no centralised logging. Most breaches we see in early stage cloud estates trace back to a missing foundation, not an exotic exploit.
The fix is not a tool, it is a structure. A landing zone is the layered set of accounts, controls, and patterns that make every workload you deploy start from a defensible baseline.
Reference design
We model three organisational units. Core for shared services (audit, log archive, identity). Workloads for production, staging, and development environments. Sandbox for experiments with time-bound, budget-limited access.
Control Tower orchestrates account vending and applies baseline guardrails. IAM Identity Center is the only path to human access, with SCIM provisioning from your IdP. AWS Config, GuardDuty, and Security Hub are enabled organisation wide on day one.
Service control policies that matter
SCPs are the steel rebar of an AWS landing zone. They cannot be overridden by an account administrator. We default to a deny first posture and add back only what is needed.
- deny actions in any region outside the approved set (eu-west-2, eu-west-1)
- deny disabling or tampering with CloudTrail, Config, or GuardDuty
- deny creation of IAM users (federate only)
- deny public S3 ACLs and deny changes that leave Block Public Access unset
- deny use of the root account except through the break glass procedure
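The five guardrails above, written out as one service control policy. This is an added example, not a policy from the original article; the global-service exemption list in the region statement is a starting point that you must review against the services you actually use, and the region list is the article's own. Break glass for root is not expressible inside the SCP (root is not a role you can exempt by ARN), so the assumption here is that the documented break glass procedure moves the account to an OU without this policy attached, with that move alerted on from the Audit account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegionsOutsideApprovedSet",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "account:*", "support:*",
        "cloudfront:*", "route53:*", "budgets:*", "health:*",
        "access-analyzer:*", "trustedadvisor:*", "globalaccelerator:*", "shield:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["eu-west-2", "eu-west-1"] }
      }
    },
    {
      "Sid": "DenyLoggingAndDetectionTamper",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
        "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "guardduty:DeleteDetector", "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount", "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyIamUsersAndLongLivedKeys",
      "Effect": "Deny",
      "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
      "Resource": "*"
    },
    {
      "Sid": "DenyPublicAcls",
      "Effect": "Deny",
      "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]
        }
      }
    },
    {
      "Sid": "DenyChangesToBlockPublicAccess",
      "Effect": "Deny",
      "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    }
  ]
}
```

Two things to check before attaching it. First, DenyChangesToBlockPublicAccess freezes the Block Public Access setting in whatever state it is in, so the account vending pipeline must switch it on at the account level before this SCP lands on the account. Second, the region statement uses NotAction, so any global service missing from the exemption list is blocked everywhere; test it against the Sandbox OU first and read the CloudTrail access denied events before rolling it to Workloads.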
Operating model
Account creation goes through a pipeline. A pull request adds the account to a Terraform manifest, GitHub Actions provisions it through Control Tower, and the new account inherits all guardrails automatically. There is no manual click path.
For audit, the Log Archive account holds CloudTrail and Config history in an S3 bucket with object lock. Nothing else writes to that account. The Audit account is read-only.
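A bucket policy for the Log Archive bucket that enforces the "nothing else writes" rule alongside object lock. This is an added example and not the article's own policy; the bucket name, account ID and trail name are placeholders you replace with the values from your Terraform manifest. Object lock itself is a bucket setting enabled at creation time; the policy complements it by allowing writes only from the CloudTrail and Config service principals, pinning CloudTrail to the organisation trail, and denying deletes, retention bypass and lifecycle changes for every principal, including administrators in the Log Archive account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLoggingServicesToReadBucketAcl",
      "Effect": "Allow",
      "Principal": { "Service": ["cloudtrail.amazonaws.com", "config.amazonaws.com"] },
      "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::EXAMPLE-log-archive-bucket"
    },
    {
      "Sid": "AllowOrganisationTrailWrites",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-log-archive-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" },
        "ArnLike": { "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:111111111111:trail/EXAMPLE-org-trail" }
      }
    },
    {
      "Sid": "AllowConfigWrites",
      "Effect": "Allow",
      "Principal": { "Service": "config.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-log-archive-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "DenyWritesFromAnyOtherPrincipal",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-log-archive-bucket/*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalServiceName": ["cloudtrail.amazonaws.com", "config.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "DenyDeletesAndRetentionChanges",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject", "s3:DeleteObjectVersion",
        "s3:BypassGovernanceRetention", "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-log-archive-bucket",
        "arn:aws:s3:::EXAMPLE-log-archive-bucket/*"
      ]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-log-archive-bucket",
        "arn:aws:s3:::EXAMPLE-log-archive-bucket/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

The DenyWritesFromAnyOtherPrincipal statement relies on aws:PrincipalServiceName being present only for calls made by a service principal; IfExists makes the condition true for IAM principals, where the key is absent, so human and role writes are denied while the two logging services pass. The Config statement is not pinned to a source account here because every member account delivers to the same bucket; if your organisation is small enough to enumerate, add an aws:SourceAccount condition with the list of member account IDs from the manifest.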
References
Official documentation and standards we draw on for this pattern.
AWS Security Reference Architecture (docs.aws.amazon.com)
AWS Control Tower documentation (docs.aws.amazon.com)
Service Control Policies (SCPs) (docs.aws.amazon.com)
AWS Well-Architected Security Pillar (docs.aws.amazon.com)
CIS AWS Foundations Benchmark (cisecurity.org)
Takeaway
A landing zone is not a deliverable, it is a platform you keep deploying onto for years. Build it small, build it right, build it as code.