Landing Zone Accelerator on AWS

Deploy a cloud foundation to support highly-regulated workloads and complex compliance requirements

Overview

The Landing Zone Accelerator on AWS solution deploys a foundational set of capabilities that is designed to align with AWS best practices and multiple global compliance frameworks. With this AWS Solution, you can better manage and govern your multi-account environment that have highly-regulated workloads and complex compliance requirements. When used in coordination with other AWS services, it provides a comprehensive, low-code solution across more than 35 AWS services.

Note: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

You can use this solution to support alignment with specific regions and industries.

Benefits

Automation

Automatically set up a cloud environment suitable for hosting secure workloads. You can deploy this solution in all AWS Regions. This helps you maintain consistency of your operations and governance across AWS standard Regions, AWS GovCloud (US), and other non-standard partitions in AWS.

Data security

Deploy this solution in an AWS Region suitable for your data classification, and use Amazon Macie to provide sensitive data detection in Amazon Simple Storage Service (Amazon S3). This solution also helps you deploy, operate, and govern a centrally managed encryption strategy using AWS Key Management System (AWS KMS).

Foundation for compliance

Leverage a foundational infrastructure for deploying mission-critical workloads across a centrally governed multi-account environment.

Technical details

You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.

Use cases for this AWS Solution
  • Headline
More…
Deployment options
Ready to get started?
Deploy this solution by launching it in your AWS Console

Need help? Deploy with a partner.
Find an AWS Certified third-party expert to assist with this deployment

Support for specific regions and industries

Select from the following options for how to deploy the Landing Zone Accelerator on AWS solution to support your specific region or industry.

Important: These assets aren't intended to be feature-complete or fully compliant, but rather to help accelerate cloud migrations and cloud refactoring efforts by entities required to meet region- or industry-specific security requirements. While these assets can help you reduce the effort required to manually build a production-ready infrastructure, you will still need to tailor them to your unique business needs. For more information about how to use AWS in compliance with specific requirements, see AWS Compliance Programs. Consult with your AWS team to understand controls to meet your requirements.

  • We built the following geographical region-specific configurations for the Landing Zone Accelerator on AWS solution to align with AWS best practices and country-specific compliance frameworks. Select your desired geographical region for deployment instructions.

    Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.

    • United States
    • United States (US)

      See our implementation guide for instructions on how to deploy this solution in our AWS GovCloud (US) Regions. Doing so can help you align with:

      If you wish to deploy in one of our US East or US West AWS Regions, follow the general deployment instructions in our implementation guide.
    • United Kingdom (UK)
    • United Kingdom (UK)

      The National Cyber Security Centre (NCSC) published cloud security guidance to allow cloud users to store and process data in the cloud, or use cloud platforms to build and host their own services securely. Select one of the principles below to see how the Landing Zone Accelerator on AWS sample configuration can help you meet these requirements.

      • To meet Principle 1 requirements, you can implement the following controls in addition to the solution’s best practices sample configuration:
        • Amazon S3 only – Enforce a minimum of Transport Layer Security (TLS) 1.2 through a service control policy (SCP) that denies all actions if s3:TLSVersion is less than 1.2.
        • Amazon S3 Object Lambda only – Enforce a minimum of TLS 1.2 through an SCP that that denies all actions if s3-object-lambda:TlsVersion is less than 1.2.
        • Amazon ElastiCache only – Enforce TLS for CreateReplicationGroup operation through an SCP that denies the action if elasticache:TransitEncryptionEnabled is false.
      • This solution’s best practices sample configuration meets the requirements of Principle 2 through the following controls:
        • Configure AWS Control Tower to prohibit access to AWS services in certain Regions (for example, Regions located in geographies with no data access agreement with the UK).
        • AWS Control Tower allows and configures AWS Config to track the deployment and configuration of AWS resources. Providing a configuration management database that customers can use for visibility and undertaking specific automated audits can help ensure compliance.
        • This solution implements detective compliance controls to ensure alignment to asset protection (for example, controls such as identifying unencrypted storage and load balancers not configured to export access logs to the central archive account or endpoints without TLS encryption).
         
        For additional security, you can implement the following controls:
        • Disallow certain AWS artificial intelligence (AI) services to store and use customer content processed by those services for the development and continuous improvement of other AWS services.
        • Enforce encryption at rest by denying creation of or updates to certain resources unless they’re encrypted. You can do this by adding the following conditions to the SCPs:
          • Amazon EC2 by setting "ec2:Encrypted": "true" 
          • Amazon EFS by setting "elasticfilesystem:Encrypted": "true" 
          • Amazon RDS by setting "rds:StorageEncrypted": "true" 
          • Amazon S3 by setting "s3:x-amz-server-side-encryption": "aws:kms" 
          • Amazon ElastiCache by setting "elasticache:AtRestEncryptionEnabled": "true"

         

      • AWS configuration for security of the cloud can help you meet Principle 3 requirements. We recommend reviewing the Logical Separation on AWS whitepaper for details on implementation. More information is contained within AWS security and compliance documents, such as AWS International Organization for Standardization (ISO) certifications, Payment Card Industry (PCI) certifications, and System and Organization Control (SOC) reports. You can download these reports through AWS Artifact.

      • To understand the broader governance that AWS implements for its service management, see AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.
         
        Governance is equally important within your environment when meeting Principle 4 requirements. We designed the prescriptive architecture (separation of security, logging, and core networking functions into isolated accounts) and controls (refer to Principle 5) implemented by this solution to help you gain visibility into your AWS resources, centrally implement automated controls, and establish and enforce governance across your cloud environments.
      • This solution’s best practices sample configuration meets Principle 5 requirements by creating a centralised security account, known as a delegated security account. This account receives information from the security services that the solution activates by default, including the following:
        • Amazon GuardDuty to continuously monitor, analyse, and process the following data sources across all accounts within the solution environment:
        • Amazon Macie to support discovery, monitoring, and protection of sensitive data in Amazon S3 using machine learning and pattern matching.
        • AWS Config to provide:
          • Detailed view of the configuration of AWS resources in all accounts in the solution environment
          • Audit resources against compliance rules (for example, identifying storage that isn’t encrypted at rest)
          • Compliance rules to check for non-conformance
        • AWS Security Hub to provide a single dashboard to view feeds from the preceding services. This allows an organisations security team to see an aggregated view of their threat detection and compliance control status to mitigate threats in a single place.
        • AWS Audit Manager to support compliance reporting across the organization.
        • Amazon Detective to help with security incident investigations.
      • This solution doesn’t provide specific configurations to support Principle 6. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.

      • To support Principle 7, this solution provides architecture that has been vetted by AWS solutions architects as a well-architected, robust, complete, best-practice, prescriptive, real-world solution. This solution can save you time and effort with self-service and automated installation and deployment when building on AWS.

         

      • This solution doesn’t provide specific configurations to support Principle 8. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.

      • This solution’s best practices sample configuration meets the requirements of Principle 9 through the following controls:

        This solution helps you deploy IAM policies based on access analyzer suggestions. A walkthrough is available on AWS Security Blog.

      • This solution doesn’t provide specific configurations to support Principle 10. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.

      • This solution’s best practices sample configuration meets Principle 11 requirements through the following controls:
        • Set up AWS PrivateLink to ensure traffic between AWS services doesn’t traverse the public internet.
      • This solution doesn’t provide specific configurations to support Principle 12. However, AWS configuration for security of the cloud helps you meet the requirements of this principle. More information is contained within AWS security and compliance documents, such as AWS ISO and PCI certifications and SOC reports. You can download these reports through AWS Artifact.

      • This solution’s best practices sample configuration meets the requirements of Principle 13 through the following controls:

        • Set up AWS CloudTrail to record—and securely store for 365 days—all actions taken by a user, role, or AWS service across all accounts within the solution environment.
        • Store CloudTrail logs in a separate AWS account with restricted read-only access as a safeguard against unauthorized modification.
        • Send email alerts when AWS Security Hub detects an event at the following severity levels:
          • Low
          • Medium
          • High
      • To support Principle 14, we offer this solution to help customers wanting to adopt prescriptive security best practices with AWS. You can use this solution with other resources and services such as the AWS Well Architected framework and AWS Trusted Advisor to help you rapidly implement secure-by-design architectures.

         

    • Canada
    • Canada

      We built the Canadian Centre for Cyber Security (CCCS) Cloud Medium (formerly Protected B, Medium Integrity, Medium Availability [PBMM]) configuration to deploy an opinionated and prescriptive architecture. We designed this architecture to help customers address controls required to receive an Authority to Operate (ATO) as described in ITSP.50.105.

      Deploying this configuration can help you reduce the time required to implement CCCS Cloud Medium controls from 90+ days to 2 days. Inheriting controls covered by CCCS Cloud Medium assessment, along with using the Landing Zone Accelerator on AWS solution to address common controls that are the responsibility for the customer, can accelerate a Security Assessment & Authorization (SA&A) process.

      You can also meet the Government of Canada (GC)'s minimum guardrails as part of the GC Cloud Operationalization Framework. Meeting the minimum guardrails with the Landing Zone Accelerator on AWS solution also helps you support CCCS Cloud Medium controls if the sensitivity of your workload changes. Tuning the parameters within the configuration file allows you to deploy customized architectures to meet requirements of a range of governments and public sector organizations.

      To install this configuration, use the Landing Zone Accelerator for CCCS Cloud Medium sample configuration file and instructions on GitHub.

      Note: The Landing Zone Accelerator on AWS solution is now the recommended solution for public sector organizations seeking to deploy an AWS Environment in alignment with the requirements of the CCCS Cloud Medium Profile. Previously, Canadian public sector customers that sought alignment with the CCCS Cloud Medium profile deployed the AWS Secure Environment Accelerator to address controls that are the responsibility of the customer in the shared responsibility model. Release versions 1.3.0 and above of the Landing Zone Accelerator on AWS solution provide the same control coverage as the AWS Secure Environment Accelerator solution. If you're currently using the AWS Secure Environment Accelerator solution, there isn’t currently a deadline to migrate to the Landing Zone Accelerator on AWS solution.

  • We built the following industry-specific configurations for the Landing Zone Accelerator on AWS solution to align with AWS best practices and industry-specific compliance frameworks. Select your desired industry for deployment instructions.

    Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.

    • Aerospace
    • Video
      AWS Summit DC 2022 - Scaling automated governance with Landing Zone Accelerator on AWS
      Watch the video 

      Aerospace (US)

      To support aerospace use cases in the US, see our implementation guide for instructions on how to deploy this solution in our AWS GovCloud (US) Regions. Doing so can help you align with:

      If you wish to deploy in one of our US East or US West AWS Regions, follow the general deployment instructions in our implementation guide.
    • Central IT (US state and local government)
    • Central IT (US state and local government)

      We built the US state and local government Central IT configuration to provide guardrails to help mitigate the threats faced by central IT organizations. To support these organizations, this configuration uses controls from the following frameworks:

      • AWS controls from the National Institute of Standards and Technology (NIST) Cybersecurity Framework
      • Optional Health Insurance Portability and Accountability Act (HIPAA)-aligned control configurations

      Step 1. Launch the stack

      Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

      Step 2. Await initial environment deployment

      Await successful completion of the AWSAccelerator-Pipeline pipeline.

      Steps 3 and 4. Copy and update the configuration files

      Follow Steps 3 and 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for State and Local Government Central IT sample configuration on GitHub.

    • Education
    • Education

      We built the Education configuration to provide guardrails to help mitigate the threats faced by education organizations. To support these organizations, this configuration uses controls from the following frameworks:

      • International Traffic in Arms Regulations (ITAR)
      • National Institute of Standards and Technology (NIST) 800-171
      • NIST 800-53
      • Cybersecurity Maturity Model Certification (CMMC)

      Step 1. Launch the stack

      Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

      Step 2. Await initial environment deployment

      Await successful completion of the AWSAccelerator-Pipeline pipeline.

      Steps 3 and 4. Copy and update the configuration files

      Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Education sample configuration on GitHub.

    • Finance (Tax)
    • Finance (tax)

      We built the Finance (tax) configuration to deploy an account structure commonly used with tax workloads along with security controls and network configurations to secure Federal Tax Information (FTI) data. This configuration aligns with the Internal Revenue Service (IRS)-1075 requirements to encrypt Amazon S3, Amazon EBS, and Amazon FSx hosting FTI data using Customer Managed Keys (CMK) under customer control.

      Step 1. Launch the stack

      Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

      Step 2. Await initial environment deployment

      Await successful completion of the AWSAccelerator-Pipeline pipeline.

      Steps 3 and 4. Copy and update the configuration files

      Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Finance (Tax) sample configuration on GitHub.

    • Healthcare
    • Healthcare

      We built the Healthcare configuration to provide guardrails to help mitigate the threats faced by healthcare organizations. To support these organizations, this configuration uses controls from the following frameworks:

      • Health Insurance Portability and Accountability Act (HIPAA)
      • National Cyber Security Centre (NCSC)
      • Esquema Nacional de Seguridad (ENS) High
      • Cloud Computing Compliance Controls Catalog (C5)
      • Fascicolo Sanitario Elettronico

      Step 1. Launch the stack

      Launch the AWS CloudFormation template into your AWS account. Review the template parameters and enter or adjust the default values as needed. See the solution implementation guide for more detailed instructions.

      Step 2. Await initial environment deployment

      Await successful completion of the AWSAccelerator-Pipeline pipeline.

      Steps 3 and 4. Copy and update the configuration files

      Follow Step 3 and Step 4 in the Deployment Overview for the Landing Zone Accelerator on AWS for Healthcare sample configuration on GitHub.

    • National security, defence, and national law enforcement (outside the US)
    • National security, defence, and national law enforcement (outside the US)

      National security, defence, and national law enforcement organizations around the world need the scale, global footprint, agility, and services that cloud brings to their critical missions—all while they’re required to meet stringent security and compliance requirements for their data. Increasingly, these organizations leverage the AWS global hyper-scale cloud to deliver their missions while keeping their sensitive data and workloads secure.

      To help you accelerate these sensitive missions in the cloud, we developed Trusted Secure Enclaves Sensitive Edition (TSE-SE) for National Security, Defence, and National Law Enforcement. The TSE-SE Reference Architecture is a comprehensive, multi-account AWS cloud architecture targeting sensitive level workloads. We designed this architecture in collaboration with our national security; defence; national law enforcement; and federal, provincial, and municipal government customers to accelerate compliance with strict and unique security and compliance requirements.

      We designed this architecture to help customers address central identity and access management, governance, data security, comprehensive logging, and network design and segmentation in alignment with security frameworks such as National Institute of Standards and Technology (NIST) 800-53, Information Technology Standards Guidance (ITSG)-33, Federal Risk and Authorization Management Program (FedRAMP) Moderate, Information Security Registered Assessors Program (IRAP), and other Sensitive, Protected, or Medium level security profiles.

      We developed this reference architecture using the following design principles:

      • Deliver security outcomes aligned with a medium level security control profile.
      • Maximize agility, scalability, and availability, while minimizing cost.
      • Allow the full capabilities of the AWS Cloud.
      • Remain open to supporting and incorporating the AWS pace of innovation and the latest technological capabilities.
      • Allow for seamless auto-scaling and provide unbounded bandwidth as bandwidth requirements increase (or decrease) based on actual customer load (a key aspect of the value proposition of cloud computing).
      • Architect for high availability: the design uses multiple AWS Availability Zones, such that the loss of one Availability Zone doesn’t impact application availability.
      • Operate as least privilege: all principals in the accounts are intended to operate with the lowest-feasible permission set.
      • Help address customer data sovereignty considerations.

      For architectural details, refer to the TSE-SE Reference Architecture. Use the configuration file and instructions to install the architecture.

  • Some AWS Regions are not activated by default. To deploy the Landing Zone Accelerator on AWS solution into one of these AWS Regions, see our implementation guide.

    Note: Details about security of the cloud are contained in AWS third-party security and compliance reports in AWS Artifact.

Video
Introduction to Landing Zone Accelerator on AWS | AWS Public Sector
Watch the video 
Video
AWS Summit DC 2022 - Scaling automated governance with Landing Zone Accelerator on AWS
Watch the video 
Video
AWS re:Inforce 2022 - Build automated compliance using Landing Zone Accelerator on AWS
Watch the video 
AWS for Industries Blog
Introducing Landing Zone Accelerator for Healthcare

The Landing Zone Accelerator for Healthcare is an industry-specific deployment of the Landing Zone Accelerator on AWS solution. It's architected to align with AWS best practices and in conformance with multiple, global compliance frameworks.

Read the blog 
AWS Public Sector Blog
What US federal customers need to know about memorandum M-21-31

In this blog post, learn the services from AWS that have been called out explicitly in the memorandum M-21-31 for logging and retention requirements at the EL1 level, and the resources you can use to set up these services to capture the required log data.  

Read the blog 

Was this page helpful?