If your organization is setting up a multi-account AWS environment, your first step is to design and configure your base environment. As part of that process, you will face many decisions about what tools and services will enable you to establish the foundation for how you will manage and govern your environment moving forward. AWS offers various services to help manage multi-account environments, including AWS Account Factory for Terraform (AFT) and AWS Landing Zone Accelerator.
Both AFT and Landing Zone Accelerator enable customers to adopt a GitOps approach to create, organize, and manage multiple AWS accounts, and to setup accounts consistently and in compliance with the organization’s security standards. Additionally, both apply policies and guardrails automatically to help secure the provisioned accounts. But which is right for your organization? This post explores the key differences between AFT and Landing Zone Accelerator that you may want to consider. First, we provide an overview of how these tools fit into your cloud architecture design.
Designing the Base Environment for a Multi-Account AWS Environment
In any cloud environment, planning the right design is critical to set the stage for efficient, secure, compliant, and scalable operations. A common practice includes a pre-defined, secure, multi-account foundation for your developers, architects, and engineers to build upon. In this design, the AWS accounts are purpose-built for administrative tasks, security, logging/archiving, and shared services, and are collectively referred to as a “landing zone”.
With AWS, you can either manually build a custom landing zone or use AWS Control Tower, a managed service. AWS Control Tower creates an automated landing zone using AWS Organizations, follows AWS best practices, and enables governance using guardrails. Alternatively, some companies just use the AWS Organizations service to manage policies for groups of accounts and automate account creation.
However, if your goal is a fully automated cloud design, both AFT and Landing Zone Accelerator can help get you there, so it’s important to understand how they fit into your architecture. When you deploy AFT, you need to start with AWS Control Tower. AWS Landing Zone Accelerator works with AWS Control Tower as well as just AWS Organizations, although AWS recommends using it with AWS Control Tower if possible.
Key Differences Between AWS AFT and AWS Landing Zone Accelerator
One of the main differences between AFT and Landing Zone Accelerator is that AFT is an open-source tool, while Landing Zone Accelerator is a proprietary tool. AFT sets up a Terraform pipeline that helps you provision and customize your accounts in AWS Control Tower. Landing Zone Accelerator, conversely, is a proprietary solution that deploys a cloud foundation that is architected to align with AWS best practices and multiple global compliance frameworks.
As you evaluate which tool is right for you, consider compatibility, flexibility and customization, maintenance, and technical expertise.
Compatibility
As mentioned previously, AFT works exclusively with AWS Control Tower. That means you can only use it if you have enabled AWS Control Tower and in regions where AWS has deployed AWS Control Tower.
On the other hand, AWS Landing Zone Accelerator can be used with both AWS Control Tower and simply AWS Organizations, and it can be used in regions where AWS Control Tower is not supported. This means that you have more flexibility and options when using Landing Zone Accelerator versus AFT.
Flexibility and Customization
AFT uses Terraform for deployment and gives organizations complete control over the resources and configurations they want to deploy. That feature allows you to fully customize your AWS accounts according to your specific needs and requirements.
AWS Landing Zone Accelerator, meanwhile, uses CloudFormation for deployment, a tool provided by AWS. The tool comes with a pre-defined set of configurations and options based on AWS best practices. You get a pre-built environment for creating and managing multiple AWS accounts, but with less control over the specific configurations and resources that are deployed.
Maintenance
With AFT, organizations take ownership of maintaining and updating their Terraform code whenever new features and options are released by AWS. This gives you full control over the automation process and means you are not dependent on AWS to provide new features and options; however, it also means you are entirely responsible for implementing those new features and options into your code.
Since Landing Zone Accelerator is maintained by AWS, you are not responsible for updating the tool with new features and options. While this provides a more streamlined experience, it also means that you must wait for AWS to implement new features and options before you can take advantage of them.
Technical Expertise
AFT requires a solid understanding of Terraform, which can be a challenge for organizations that are new to the tool. However, if you are already using Terraform, then you can have all your automation processes under the same umbrella. This can help to streamline automation efforts and provide a more cohesive solution.
On the other hand, AWS Landing Zone Accelerator is a good option for organizations with limited technical expertise as it only requires creating a CloudFormation (CF) stack and maintaining everything through GIT. This pre-defined solution is a good choice if you want a more straightforward way to manage your AWS accounts.
Making the Right Choice: AFT or Landing Zone Accelerator?
Both AFT and AWS Landing Zone Accelerator have their own advantages and disadvantages. If you already have experience with Terraform and want complete control over customizations, AFT may be the better choice for your organization. However, if you’re new to AWS and want a pre-configured solution, Landing Zone Accelerator is another option. Additionally, Landing Zone Accelerator can be used in regions where AWS Control Tower is not yet supported, which provides more flexibility for global organizations looking to use this tool.
Ultimately, the choice between AFT and Landing Zone Accelerator will depend on your specific needs and requirements. Consider your technical teams’ expertise, the type of automation you want to implement, and the level of control you want to have over your AWS accounts when deciding which tool is best for you.
If you have additional questions or are looking for advice as you set up your AWS multi-account environment, our DevOps team is ready to share our learnings with you. Contact us today to set up a meeting.