The following blog post introduces the ACAI Lab – Secure AWS Landing Zone.

It lets you experience a live AWS Landing Zone deployment in a publicly accessible sandbox environment from two perspectives: Security Operator and Application DevOps-Team.

Lab Overview

Here are the direct links to the accounts of the individual roles. It is recommended to open each account's URL in a different private browser window to avoid single-sign-on related issues:

Perspective              Account           Account-ID     Links
Security Operator        Core Monitoring   321744974957
Security Operator        Core Logging      735600569007   https://secure-lz.aws.acai-labs.ch/core-logging
Security Operator        Core Auditing     263761644432   https://secure-lz.aws.acai-labs.ch/core-auditing/securityhub
                                                          https://secure-lz.aws.acai-labs.ch/core-auditing/guardduty
Application DevOps-Team  Business Prod     212262933260   https://secure-lz.aws.acai-labs.ch/business1-prod
Application DevOps-Team  Business NonProd  001683013005   https://secure-lz.aws.acai-labs.ch/business1-nonprod

Core Monitoring Account

The provided Kibana dashboard visualizes the event logs (AWS CloudTrail, AWS Security Hub and Amazon GuardDuty) of all AWS accounts belonging to your landing zone, collected in real time.

Core Monitoring

Core Logging Account

Try the Core Logging live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-logging

The Core Logging account contains the S3 buckets for the audit logs. The logs are KMS-encrypted, have versioning enabled, and have a lifecycle policy configured for limited data retention.
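As an added example (not the lab's own code), a small Python check that verifies an audit-log bucket actually has the three properties just described, using the response shapes of boto3's get_bucket_encryption, get_bucket_versioning and get_bucket_lifecycle_configuration. The sample settings, account id and key id are constructed placeholders.

```python
def audit_log_bucket(encryption, versioning, lifecycle):
    """Inputs are the dicts boto3's get_bucket_encryption, get_bucket_versioning
    and get_bucket_lifecycle_configuration return ({} where S3 reported none).
    Returns a list of findings; an empty list means the bucket complies."""
    findings = []
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append("default encryption is not SSE-KMS")
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    # A disabled rule, or one that only transitions storage classes, is not retention.
    active = [r for r in (lifecycle or {}).get("Rules", []) if r.get("Status") == "Enabled"]
    if not any("Expiration" in r or "NoncurrentVersionExpiration" in r for r in active):
        findings.append("no enabled lifecycle rule expires objects (unbounded retention)")
    return findings


def fetch_bucket_settings(s3, bucket):
    """Read the three settings of a live bucket through a boto3 S3 client. S3 reports a missing
    encryption or lifecycle configuration as an error; map those codes to {} so they become findings."""
    def get(call, missing_code=None):
        try:
            return call(Bucket=bucket)
        except s3.exceptions.ClientError as exc:
            if exc.response["Error"]["Code"] == missing_code:
                return {}
            raise
    return {
        "encryption": get(s3.get_bucket_encryption, "ServerSideEncryptionConfigurationNotFoundError"),
        "versioning": get(s3.get_bucket_versioning),
        "lifecycle": get(s3.get_bucket_lifecycle_configuration, "NoSuchLifecycleConfiguration"),
    }


# Constructed samples (placeholder ids), not lab data: one bucket as described above, one falling short.
COMPLIANT = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER"}}]}},
    "versioning": {"Status": "Enabled"},
    "lifecycle": {"Rules": [{"ID": "expire-audit-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
                             "Expiration": {"Days": 400}, "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]},
}
WEAK = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "versioning": {},  # never configured: S3 returns no "Status" key at all
    "lifecycle": {"Rules": [{"ID": "old-rule", "Status": "Disabled", "Expiration": {"Days": 30}}]},
}
if __name__ == "__main__":
    for name, settings in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, audit_log_bucket(**settings) or "OK")
```

Run it against real buckets with `audit_log_bucket(**fetch_bucket_settings(boto3.client("s3"), name))` from a role that has the three read permissions.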

Core Logging

Core Auditing Account

The Core Auditing account provides the AWS Security Hub master account and the Amazon GuardDuty master account, which aggregate the data from all member accounts. So, from a single navigation point, you get security insights on the whole landscape of your AWS accounts.

AWS Security Hub

Try the Core Auditing Security Hub live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-auditing/securityhub

AWS Security Hub is your single pane of glass for security.

In the lab, AWS Security Hub has two standards enabled; for details, see our other blog post: Security Standards recommended for your AWS Landing Zone

Sec Hub Detail

Amazon GuardDuty

Try the Core Auditing GuardDuty live demo by clicking here: https://secure-lz.aws.acai-labs.ch/core-auditing/guardduty

GuardDuty gives you an overview of the security findings raised across your account landscape. For each finding you get detailed information as a starting point for your analysis:

Guardduty

Business Accounts

This is where the landing zone scales out – you can have hundreds of business accounts.

Try out the existing sample business accounts by clicking here: https://secure-lz.aws.acai-labs.ch/business1-prod or https://secure-lz.aws.acai-labs.ch/business1-nonprod

Note that you can also navigate to AWS Security Hub and Amazon GuardDuty in each of the accounts; there you will see the data at account level.

Detailed Lab-Overview

The following image gives you an overview of the AWS services deployed in the lab and the data flows between them.

Lab Details

Important information on data privacy

Please note that for AWS Console access you will be redirected to AWS. Your IP address will be logged and will show up in various AWS services.

To hide your IP address, you can either create an EC2 instance and use it as a jump host, or use a VPN provider.

We are ACAI Consulting - specialized in AWS Multi Account Security and Governance. If you have any questions, feel free to get in touch with us: blog@acai.gmbh