Why architecture matters here

Landing zone architecture matters because retrofits are painful. Changing account structure after workloads have deployed is a multi-quarter migration. Adding guardrails after teams have adopted risky patterns is a diplomacy exercise. Setting logging correctly from day one means audit trails exist when regulators ask; setting it up later means gaps you cannot fill.

Cost is the second driver. Landing zones with baseline networking, IAM, and tagging save 15-30% on cloud bills through reserved instances, right-sizing, and cost allocation that would otherwise be impossible. Without them, every team invents its own patterns and none share savings.

Security is the third and probably the most important. A landing zone with SCP-enforced guardrails prevents the classes of mistakes that cause breaches: public S3 buckets, root user misuse, unencrypted volumes, unrestricted egress. These aren't detections; they are enforcement. The account can't do the wrong thing.

Advertisement

The architecture: every piece explained

Walk the diagram top to bottom.

Management Account. The organization root. Billing consolidation, service control policies, top-level identity. This account has no workloads; access is strictly controlled.

Security Account. Central audit logs, security tooling (GuardDuty, Security Hub, config aggregation), and cross-account role for security team. Central pane of glass for security events across the org.

Network Account. Shared VPC, transit gateway, VPN and Direct Connect. Centralized network gives you consistent security groups, predictable egress, and a single place to enforce network policy.

OU Structure. Organizational Units group accounts. Common structure: Production, Non-Production, Sandbox, Shared Services, Suspended. Each OU has different guardrails.

Guardrails. Service Control Policies (AWS), Organization Policies (GCP), or Azure Policy. Deny-by-default for dangerous actions: no root user activity, mandatory encryption at rest, restricted regions, no public S3, no unauthenticated internet gateway.

Workload Accounts. One account per team per environment (team-A-prod, team-A-nonprod, team-B-prod). Blast radius bounded to a single account. Teams get autonomy within their account; guardrails prevent the worst.

Baseline (Terraform). Every new account gets a Terraform baseline: VPC, IAM roles, logging destinations, tags. Managed centrally so changes propagate. Account vending pipeline creates + baselines in one flow.

Identity (SSO). AWS IAM Identity Center, GCP Identity, or Azure AD federated to your workforce identity provider. No local users. Least-privilege roles per team. MFA everywhere.

Central Logging + SIEM. CloudTrail, VPC flow logs, and application logs stream to the security account for retention and analysis. SIEM (Splunk, Sumo, Chronicle) queries them for threats.

Cost + Tag Compliance. Every resource has mandatory tags: team, environment, cost-center, business-unit. Budgets alert on overrun; showback dashboards inform; chargeback bills teams.

Automation. Account vending (Control Tower Account Factory, GCP Cloud Foundation Toolkit), drift detection (Cloud Custodian, config rules), and compliance-as-code (OPA, Sentinel) enforce the standards.

Management Accountorg root + billingSecurity Accountaudit + logs + guardrailsNetwork Accountshared VPC / transitOU Structureprod, non-prod, sandbox, sharedGuardrails (SCP/Org Policy)encryption, regions, deny riskyWorkload Accountsone per team + envBaseline (Terraform)VPC, IAM, logging, tagsIdentity (SSO)AAD/Okta/IAM CenterCentral Logging + SIEMCloudTrail/Audit → securityCost + Tag ComplianceBudgets, showback, chargebackAutomation: account vending, drift detection, compliance-as-code
Cloud landing zone: management + security + network accounts, OU structure, guardrails, workload accounts, SSO, central logging, cost management, and automation.
Advertisement

End-to-end account onboarding flow

Trace a new workload. Team A wants a production account for a new service.

They file a request through the account vending portal. The pipeline creates a new account under the Production OU, applies the baseline Terraform (VPC in the shared network, IAM roles, tags, logging destinations), enables SCPs that deny public S3 and restrict regions to us-east-1 and us-west-2, and enrolls it in IAM Identity Center with team-A-prod-admins group.

Team A logs in via SSO with MFA. They see only their account and their team's roles. They can deploy services within their account but cannot disable logging, use unauthorized regions, or create IAM users. Any attempt returns a policy-denied error.

Their application runs. CloudTrail events stream to the security account. VPC flow logs land in the same place. Their spend is tagged with their team and cost center; the finance dashboard shows their run rate.

A month in, security team runs a drift scan. Cloud Custodian finds an untagged S3 bucket in Team A's account. It notifies the team; if not fixed in 24 hours, it deletes the bucket. Compliance-as-code enforces baseline.

Team A ships. Team B follows the same pattern. Team C follows the same pattern. Each account inherits the guardrails; each team enjoys autonomy within them. The org can add a hundred accounts without changing the shape.