Landing Zone & Control Tower on Single AWS Account

0

Can I implement a Landing Zone on a single AWS account (without creating AWS accounts under an organization)?

Can I implement Control Tower on a single AWS account (without creating AWS accounts under an organization)?

2 Answers
1

I apologize, but there seems to be a misunderstanding in your question. Landing Zone and AWS Control Tower are specifically designed for multi-account AWS environments, not for single AWS accounts.

A landing zone is defined as a well-architected, multi-account AWS environment that serves as a starting point for deploying workloads and applications. It provides a baseline for multi-account architecture, identity and access management, governance, data security, network design, and logging.

Similarly, AWS Control Tower is a service that simplifies the setup and governance of a multi-account AWS environment. It automates the process of setting up a landing zone based on best practices for multi-account structures.

Both Landing Zone and AWS Control Tower require the use of AWS Organizations to manage multiple accounts. They cannot be implemented on a single AWS account without creating additional accounts under an organization.

If you're looking to implement best practices and governance on a single AWS account, you might consider using other AWS services individually, such as AWS Config, AWS CloudTrail, and IAM policies. However, this would not be considered a "Landing Zone" or "Control Tower" implementation in the traditional sense, as these concepts are inherently tied to multi-account architectures.
Sources:

  • Create a landing zone - AWS Prescriptive Guidance
  • Building a landing zone - AWS Prescriptive Guidance
  • AWS Control Tower Features
  • Landing zone - AWS Prescriptive Guidance

answered a month ago
AWS
EXPERT
reviewed a month ago
1

The AI bot is correct up to a point, which is that Control Tower is used for managing multiple accounts.

I think what you're actually asking is whether it's possible to set it up in a single account, presumably just so you can gain familiarity with it? I agree there's no actual point in setting up Control Tower if you're not going to be enrolling member accounts into it.

Control Tower needs at least three accounts; see https://docs.aws.amazon.com/controltower/latest/userguide/accounts.html#special-accounts.

Three special AWS accounts are associated with AWS Control Tower; the management account, the audit account, and the log archive account.

Note as well that:

  • You also can specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process.

This is walked through in depth here: https://aws.amazon.com/blogs/mt/use-existing-logging-and-security-account-with-aws-control-tower/

When you talk about Landing Zone in your question, do you mean Landing Zone Accelerator? I think that requires at least one additional account, the LZA Identity Delegate account, although you may be able to delegate that to either of the other accounts described above.

EXPERT
answered a month ago
