If you've ever wondered how to get started with AWS Control Tower, this guide will walk you through creating your very first landing zone — the foundation for a well-governed, multi-account AWS environment.
What is a Landing Zone?
A landing zone is AWS's recommended starting point for a secure, multi-account environment. When you set one up, Control Tower will automatically:
- Create Organizational Units (OUs) for governance
- Provision Log Archive and Audit accounts
- Enable CloudTrail, AWS Config, and baseline guardrails
- Give you a dashboard to monitor compliance across accounts
Prerequisites
Before you begin, ensure you have:
- Management account access – Use an IAM user/role with AdministratorAccess, not the root user
- AWS Organization – Ideally a fresh one, since Control Tower creates the governance OUs and the shared accounts itself
- Supported Region – Make sure you're logged into a Control Tower-supported region
> 📝 Tip: The region you choose becomes the home region and cannot be changed later without decommissioning and recreating the landing zone
- Time allocation – Allow 30–60 minutes for landing zone setup (it's a long-running process)
Step 1: Navigate to Control Tower
- In the AWS Management Console, search for Control Tower and open it
- Ensure you're in your desired home region (e.g., ap-southeast-2)
- You should see the Set up landing zone button
Click Set up landing zone to begin.
Step 2: Select Regions and Pricing
You'll first see a screen to review pricing and select regions for governance. Here you will:
- Confirm Home Region – This is where Control Tower and shared accounts will be provisioned
- Select Governed Regions – Choose any additional regions where you want AWS Config, CloudTrail, and guardrails automatically enabled
- Region Deny Setting – (Optional) Enable to block workloads from being launched in non-governed regions. Control Tower enforces this with a service control policy (SCP) that denies most API actions whose requested region is outside your governed list, with a small set of global services (such as IAM) exempted
> ⚠️ Warning: Once enabled, this prevents creating or managing resources in any region not on your approved list. Resources that already exist there keep running, but you lose the ability to manage them through the API. Inventory your existing resources and make sure you have no workloads in those regions before turning this on
Click Next when ready.
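To make the Region Deny warning concrete, here is an added example (not code from the original post or from AWS) that evaluates a simplified region-deny SCP against sample API calls and runs the "do I have workloads there?" pre-check against a constructed resource inventory. The policy is a hand-written illustration of the pattern (deny everything whose aws:RequestedRegion is outside the governed list, except a few global services via NotAction); it is not the exact policy Control Tower deploys, and the governed regions, exempted services, and inventory are assumptions for the demo.

```python
"""Preview what a region-deny style SCP would block.

Added example, not Control Tower's own policy or code. GOVERNED_REGIONS,
GLOBAL_SERVICE_PREFIXES and SAMPLE_INVENTORY are assumed values for the demo.
"""

GOVERNED_REGIONS = ["ap-southeast-2", "us-east-1"]  # assumed home + one governed region

# Global services that the deny must not break; illustrative, not the full
# list Control Tower exempts.
GLOBAL_SERVICE_PREFIXES = ("iam:", "sts:", "organizations:", "route53:", "cloudfront:", "support:")

# Simplified region-deny SCP: Deny applies to every action NOT in NotAction,
# but only when the requested region is outside the governed list.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegionDeny",
            "Effect": "Deny",
            "NotAction": [p + "*" for p in GLOBAL_SERVICE_PREFIXES],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS}},
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """Match an IAM action against a pattern; only a trailing '*' is supported here."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return action == pattern


def scp_denies(policy: dict, action: str, requested_region: str) -> bool:
    """Return True if any Deny statement in the policy covers (action, region).

    SCP semantics: an explicit Deny always wins, so only Deny statements are
    evaluated. Only the StringNotEquals/aws:RequestedRegion condition used by
    the sample policy is implemented.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction: the statement covers everything EXCEPT the listed actions.
            if any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue
        else:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
        allowed = _as_list(
            stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        )
        if allowed and requested_region in allowed:
            continue  # condition not satisfied, statement does not apply
        return True
    return False


def regions_cut_off(inventory: dict, governed: list) -> list:
    """Pre-check for the warning: regions holding resources that the deny would cover."""
    return sorted(region for region, resources in inventory.items()
                  if resources and region not in governed)


# Constructed sample inventory with hypothetical resource IDs.
SAMPLE_INVENTORY = {
    "ap-southeast-2": ["i-0aaa111"],
    "us-east-1": [],
    "eu-west-1": ["i-0bbb222", "sg-0ccc333"],
}

if __name__ == "__main__":
    checks = [
        ("ec2:RunInstances", "ap-southeast-2"),
        ("ec2:RunInstances", "eu-west-1"),
        ("iam:CreateRole", "eu-west-1"),
        ("s3:CreateBucket", "ap-northeast-1"),
    ]
    for act, region in checks:
        verdict = "DENIED" if scp_denies(REGION_DENY_SCP, act, region) else "allowed"
        print(f"{act:20} {region:16} {verdict}")
    print("clean up before enabling Region Deny:", regions_cut_off(SAMPLE_INVENTORY, GOVERNED_REGIONS))
```

Run it before flipping the setting: any region listed by regions_cut_off still has resources you would no longer be able to manage once the SCP is attached.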
Step 3: Configure Organizational Units (OUs)
In this step, Control Tower creates your OU structure:
- Security OU – Holds the Log Archive and Audit accounts
- Sandbox OU – For experimentation, POCs, or non-production accounts
You can rename these OUs now or later.
💡 Tip: Keep the default names (Security and Sandbox) unless you have strict naming rules in your organization.
Step 4: Configure Shared Accounts
Control Tower will create two shared accounts automatically:
- Log Archive Account – Centralizes the CloudTrail and AWS Config logs from every enrolled account in S3 buckets; treat it as read-only and keep human access to a minimum
- Audit Account – Used for security and compliance auditing; it gets cross-account access into all enrolled accounts and receives the SNS notifications Control Tower sends about control violations and drift
You only need to provide unique account email addresses during this step.
⚠️ Important: These accounts are permanent for the life of this landing zone.
- You cannot change their email addresses later
- You cannot swap in a different account later
- The only way to replace them is to decommission the entire landing zone and start over
💡 Pro Tip: You don't need separate email accounts! Many email providers support aliases (like Gmail's +aliases) to create unique addresses that all deliver to your main inbox. For example:
- yourname+logarchive@gmail.com for the Log Archive account
- yourname+audit@gmail.com for the Audit account
Learn more about Gmail aliases and how to use them for better email organization.
> ⚠️ Caveat: These addresses become the root-user identities, and therefore the password-reset path, for the two accounts holding your audit logs. Aliases on a personal mailbox are fine for a lab, but for a real organization use mailboxes the company owns and monitors (one distribution list per account), and enable MFA on each shared account's root user once setup completes.
Step 5: Additional Configurations
This step lets you configure account access, logging, and optional services:
- AWS Account Access Configuration – Select AWS Control Tower sets up AWS account access with IAM Identity Center unless you already manage access yourself
- AWS CloudTrail Configuration – Leave Enabled selected. This creates an organization-wide CloudTrail and sends logs to the Log Archive account
- Log Configuration for Amazon S3 – Optionally adjust retention (default: 1 year for logging bucket, 10 years for access logging)
- KMS Encryption – (Optional) Enable if you want to use a customer-managed KMS key for encrypting logs. The key must already exist in the home region, and its key policy must allow the CloudTrail and AWS Config service principals to use it (kms:GenerateDataKey* and kms:Decrypt), otherwise the services cannot write encrypted logs
- AWS Backup – (Optional) Enable during setup, or leave disabled and configure later once backup policies are ready
Click Next when finished.
Step 6: Review and Launch
Finally, review all of your settings:
- Home and governed regions
- OU structure
- Email addresses for shared accounts
- CloudTrail and log retention settings
- Optional encryption and backup settings
When everything looks good, click Set up landing zone.
Step 7: Wait and Verify
Landing zone creation can take 30–60 minutes. Once it's done, you'll see the Control Tower Dashboard, showing your OUs, accounts, and compliance status.
What's Next?
Once your landing zone is set up, consider these next steps:
- Create additional OUs for workloads (e.g., Workloads, SharedServices)
- Enroll existing accounts or create new ones in your landing zone
- Enable additional guardrails to enforce security and compliance requirements
- Set up cross-account roles for easier account management
Why This Matters
Creating a landing zone is the first step toward a governed, scalable AWS environment. It gives you a foundation for security, compliance, and multi-account operations — all automated by AWS.
Are you using Control Tower for your AWS organization? Drop a comment and share how you structure your OUs and guardrails — I'd love to hear how others approach governance at scale! 🚀