The following blog post provides an overview of the ACAI reference architecture for an AWS Landing Zone.

Three types of accounts can be distinguished: Foundation Core Accounts, Shared Service Accounts and Business Solution Accounts.


A zoom-in shows more explicitly the Foundation Core Accounts – the links provided in the table below allow you to directly access and navigate through the accounts via the AWS Management Console:

Account TypeDescriptionLink to Lab-Account (AWS Management Console)Lab-Account-ID
AWS Organizations MasterAWS Organizations Master, OU Hierarchy, SCPs, Consolidated Billing297780133428
Core VendingResponsible for joining new AWS accounts to the AWS Foundationpendingpending
Core IaC ProvisioningResponsible for hosting the terraform Infrastructure as Code CI/CD pipelines for all accounts of the AWS FoundationLink to Core Provisioning851519347965
Core VPC & NetworkingResponsible for design of shared vpc´s, management of AWS Transit Gateway TGW, vpc/vpn attachments, AWS Direct ConnectLink to Core Networking134653435903
Core LoggingS3 Buckets for AWS Foundation wide AWS CloudTrail, AWS Config, VPC Flow LogsLink to Core Logging735600569007
Core AuditingMaster for AWS Security Hub, Amazon GuardDuty and AWS Detective (optional)Link to AWS SecurityHub
Link to Amazon GuardDuty
Core MonitoringAggregating AWS Foundation logsLink to Monitoring Dashboard321744974957
Other Shared ServicesFurther shared services like EKS, PKI, Kafka, Sandbox-Accounts…
Business ProdSample of a baselined business accountLink to Business Prod212262933260
Business NonProdSample of a baselined business accountLink to Business Non-Prod001683013005

We are ACAI Consulting – specialized in AWS Multi Account Security and Governance. If you have any questions, feel free to get in touch with us:


[1] aws-landing-zone/

[2] migration-aws-environment

[3] Swiss Post Case Study