Background on Landing Zone Accelerator

The AWS Landing Zone Accelerator (LZA) is a solution that helps organizations quickly set up a secure, multi-account AWS environment based on AWS best practices. It provides a standardised architecture that incorporates security, compliance, and operational capabilities, enabling enterprises to accelerate their cloud adoption journey while maintaining governance and control.

While it is an open-source solution, it has a dedicated AWS engineering team as its core maintainers, and this has greatly standardised the deployment format for customers and partners alike.

Below is the standard deployment approach included out of the box, in which the delivery pipeline is deployed within the Management Account. It is worth noting the AWS whitepaper that dives into the details of a secure landing zone using multiple AWS accounts and of reducing access to the Management Account, given that this account has elevated permissions across the whole AWS Organisation. For rapid proof-of-concepts and initial setup it is acceptable to use the Management Account; with continued use, however, the risk profile increases, because operators must keep working in that account, and over that period the potential for misadventure (through human error or compromised credentials) grows.

[Figure: image.png, the out-of-the-box LZA deployment pipeline running in the Management Account]

Introducing the External Deployment Account

With the above in mind, AWS released a feature that allows the pipeline to be deployed in an external account, which significantly reduces the foot traffic needed in the AWS Management Account.

[Figure: image.png, the LZA deployment pipeline running in an external deployment account]

In this article we walk through exactly what is required for anyone considering this option for a new or existing solution, where a migration from the existing pipeline will need to take place.

The “Deployment” Account

The most basic prerequisite is the existence of the “Deployment” account. As with most things in technology, there are multiple ways to achieve this outcome, for example: