Sorry, currently no German translation is available for this blog post

This AWS Lab is decomissioned - please check out the ACAI AWS Lab 2024

The following blog post provides an overview of the ACAI reference architecture for an AWS Landing Zone.

Three types of accounts can be distinguished: Foundation Core Accounts, Shared Service Accounts and Business Solution Accounts.

Overview

A zoom-in shows more explicitly the Foundation Core Accounts – the links provided in the table below allow you to directly access and navigate through the accounts via the AWS Management Console:

Foundation
Account TypeDescriptionLink to Lab-Account (AWS Management Console)Lab-Account-ID
AWS Organizations MasterAWS Organizations Master, OU Hierarchy, SCPs, Consolidated Billing297780133428
Core VendingResponsible for joining new AWS accounts to the AWS Foundationpendingpending
Core IaC ProvisioningResponsible for hosting the terraform Infrastructure as Code CI/CD pipelines for all accounts of the AWS FoundationLink to Core Provisioning851519347965
Core VPC & NetworkingResponsible for design of shared vpc´s, management of AWS Transit Gateway TGW, vpc/vpn attachments, AWS Direct ConnectLink to Core Networking134653435903
Core LoggingS3 Buckets for AWS Foundation wide AWS CloudTrail, AWS Config, VPC Flow LogsLink to Core Logging735600569007
Core AuditingMaster for AWS Security Hub, Amazon GuardDuty and AWS Detective (optional)Link to AWS SecurityHub
Link to Amazon GuardDuty
263761644432
Core MonitoringAggregating AWS Foundation logsLink to Monitoring Dashboard321744974957
Other Shared ServicesFurther shared services like EKS, PKI, Kafka, Sandbox-Accounts…
Business ProdSample of a baselined business accountLink to Business Prod212262933260
Business NonProdSample of a baselined business accountLink to Business Non-Prod001683013005

We are ACAI Consulting – specialized in AWS Multi Account Security and Governance. If you have any questions, feel free to get in touch with us: blog@acai.gmbh

References

[1] aws-landing-zone/

[2] migration-aws-environment

[3] Swiss Post Case Study