I apologize, but there seems to be a misunderstanding in your question. Landing Zone and AWS Control Tower are specifically designed for multi-account AWS environments, not for single AWS accounts.
A landing zone is defined as a well-architected, multi-account AWS environment that serves as a starting point for deploying workloads and applications. It provides a baseline for multi-account architecture, identity and access management, governance, data security, network design, and logging.
Similarly, AWS Control Tower is a service that simplifies the setup and governance of a multi-account AWS environment. It automates the process of setting up a landing zone based on best practices for multi-account structures.
Both Landing Zone and AWS Control Tower require the use of AWS Organizations to manage multiple accounts. They cannot be implemented on a single AWS account without creating additional accounts under an organization.
If you're looking to implement best practices and governance on a single AWS account, you might consider using other AWS services individually, such as AWS Config, AWS CloudTrail, and IAM policies. However, this would not be considered a "Landing Zone" or "Control Tower" implementation in the traditional sense, as these concepts are inherently tied to multi-account architectures.
Sources
Create a landing zone - AWS Prescriptive Guidance
Building a landing zone - AWS Prescriptive Guidance
AWS Control Tower Features
Landing zone - AWS Prescriptive Guidance
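As an added illustration of the single-account alternative mentioned in the answer above (this is not code from either answer, nor an AWS-published template): a minimal CloudFormation baseline that turns on an organization-free subset of what a landing zone would give you, namely a multi-region CloudTrail trail with log-file validation, an AWS Config recorder and delivery channel, and one managed Config rule, all writing to a single hardened S3 bucket. The bucket name, logical resource names and the choice of the `ROOT_ACCOUNT_MFA_ENABLED` rule are assumptions made for the example; it deploys with `aws cloudformation deploy --template-file baseline.yaml --stack-name single-account-baseline --capabilities CAPABILITY_IAM`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative single-account logging/config baseline (added example, not an
  AWS landing zone or Control Tower artifact). Assumes no existing Config
  recorder in the region, since an account may have only one.

Resources:
  # One bucket for both CloudTrail and Config; name is an assumption.
  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'single-account-baseline-logs-${AWS::AccountId}-${AWS::Region}'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  # Service principals need GetBucketAcl plus PutObject on their own prefix.
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: CloudTrailAclCheck
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt LogBucket.Arn
          - Sid: CloudTrailWrite
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals: { 's3:x-amz-acl': bucket-owner-full-control }
          - Sid: ConfigAclCheck
            Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt LogBucket.Arn
          - Sid: ConfigWrite
            Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/Config/*'
            Condition:
              StringEquals: { 's3:x-amz-acl': bucket-owner-full-control }
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt LogBucket.Arn
              - !Sub '${LogBucket.Arn}/*'
            Condition:
              Bool: { 'aws:SecureTransport': 'false' }

  # Multi-region trail with digest validation; the policy must exist first.
  Trail:
    Type: AWS::CloudTrail::Trail
    DependsOn: LogBucketPolicy
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      S3BucketName: !Ref LogBucket

  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: LogBucketPolicy
    Properties:
      S3BucketName: !Ref LogBucket

  # One managed rule as a stand-in for the guardrails Control Tower would add.
  RootMfaRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: root-account-mfa-enabled
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
```

What this deliberately does not give you is the separation that a real landing zone provides: the trail and its bucket live in the same account as the workloads and the root user, so anyone with sufficient rights in that account can tamper with the log store. That isolation is exactly why the log archive and audit accounts in the Control Tower design below are separate accounts.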
The AI bot is correct up to a point, which is that Control Tower is used for managing multiple accounts.
I think what you're actually asking is whether it's possible to set it up in a single account, presumably just so you can gain familiarity with it? I agree there's no actual point in setting up Control Tower if you're not going to be enrolling member accounts into it.
Control Tower needs at least three accounts: https://docs.aws.amazon.com/controltower/latest/userguide/accounts.html#special-accounts
Three special AWS accounts are associated with AWS Control Tower; the management account, the audit account, and the log archive account.
Note as well that:
- You also can specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process.
This is walked through in depth here: https://aws.amazon.com/blogs/mt/use-existing-logging-and-security-account-with-aws-control-tower/
When you talk about Landing Zone in your question, do you mean Landing Zone Accelerator? I think that requires at least one additional account, the LZA Identity Delegate account, although you may be able to delegate that to one of the other accounts described above.