Setting up my own landing zone on AWS

25 Dec, 2023
Xebia Background Header Wave

As a consultant I am used to a certain level of quality that I need to deliver to our customers. For this reason I have built a landing zone for my own website, initiatives and experiments. By using the same structure that our customers have, I can test and build my ideas and apply them in customer environments if they are successful.

At first it might feel like a massive overkill to set up a complete landing zone. But once you have set it up you will be capable of performing experiments very easily.

My landing zone

For my landing zone I used the Customizations for AWS Control Tower (CfCt) project. When I created my landing zone the Landing Zone Accelerator was not yet available. I still need to evaluate if I can switch, but my initial concerns are the cost of running it. CfCt has low costs and depending on your usage it might even fit in the free tier. The Landing Zone Accelerator comes with VPCs and transit gateways and some other services that will generate costs regardless of what you are doing with the landing zone.

A default landing zone typically has the following accounts:

  • Management – Used for billing for all accounts in an organization, to create new accounts, and to manage access to all accounts.
  • Audit – A restricted account for your security and compliance teams to gain read and write access to all accounts.
  • Logs – Used as a repository of logs of API activities and resource configurations from all accounts.

Next to the default accounts I have some additional accounts setup:

For the rest I have some workload accounts that have an account per environment. Each workload has at least a development account, but it can be extended to have a test, acceptance and production account as well.

Account creation

When I want to build something new, I need a new development account. For account creation I use aws-samples/aws-control-tower-automate-account-creation. I altered the solution to directly inject a record into the DynamoDB table that triggers the account creation process. I have a simple command that I can run on the command line that requires the following arguments: workload name, description and the environment type.

Go build!

After I created a development account I login to the build account and navigate to the Service Catalog service. Depending on the idea I require a different product but up until now I created the following products:

  • Generic Project – Contains a CodePipeline including a CodeCommit repository, CodeBuild step and a CloudFormation deployment step for each environment.
  • S3 Hosted Website – Contains a CodePipeline including a CodeCommit repository, CodeBuild step and a CloudFormation deployment step for each environment and a S3 deployment step.

I use these Service Catalog products to create the CI/CD pipelines to host for example, my own website

Screenshot of the parameters needed for the S3 hosted website

The CodeCommit repository will be pre-filled with the following files:

  • .pre-commit-config.yaml – contains the cfn-lint and cfn_nag pre-commit hooks.
  • buildspec.yml – installs the aws-sam-cli and builds and packages the template.
  • parameters-development.json – The CloudFormation parameters, tags and policies for the development environment.
  • parameters-production.json – The CloudFormation parameters, tags and policies for the production environment.
  • – Initial read me file.
  • template.yaml – Initial CloudFormation template.

After the Service Catalog product has been successfully launched. I only need to execute the following command:

git clone codecommit::<AWS_REGION>://<MY_PROFILE_NAME>@<PROJECT_NAME>

And I am ready to start building, I can start with adding resources to my template. If I need to use parameters I can use the parameters-development.json file. If I need to do additional steps I can add them in the buildspec.yml. When I commit the changes and push them to the remote repository CodePipeline will be triggered and deploy the changes into the development account.

For visibility of the pipelines I have set up a NotificationTopic, this topic is a SNS Topic that has AWS ChatBot as a subscriber. Chatbot will then send the updates to my Slack workspace that I have set up. This way when the pipeline is triggered I will get the notifications on my phone and laptop.


Setting up your own landing zone is quite some work, but you will learn a lot from it. And, when you have one it makes it very easy to start a new initiative in an empty AWS Account.

Photo by Vincent Albos

Joris Conijn
Joris has been working with the AWS cloud since 2009 and focussing on building event driven architectures. While working with the cloud from (almost) the start he has seen most of the services being launched. Joris strongly believes in automation and infrastructure as code and is open to learn new things and experiment with them, because that is the way to learn and grow. In his spare time he enjoys running and runs a small micro brewery from his home.

Get in touch with us to learn more about the subject and related solutions

Explore related posts