Well-Architected AWS Landing Zones with the Landing Zone Accelerator on AWS
June 9, 2025
A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. This is a starting point from which your organization can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment. Building a landing zone involves technical and business decisions to be made across account structure, networking, security, and access management in accordance with your organization’s growth and business goals for the future. (AWS Prescriptive Guidance, What is a landing zone?)
Our Context
At superluminar, we have a wide range of different clients who regularly ask us to help them deploy a well-architected AWS Landing Zone.
Some of these clients are larger engineering organizations with 200+ engineers, which require a custom landing zone solution. Most of our clients, though, are small to mid-size engineering organizations with a few teams and around 5–60 engineers.
For this blog post we will focus on AWS Landing Zones for small to mid-size engineering organizations.
A couple of examples:
- A start-up has been running its workloads on one AWS account and asked us to guide them in deploying a well-architected AWS Landing Zone setup.
- A medium-sized engineering organization wants to migrate its on-premise workloads to AWS and needs a well-architected AWS Landing Zone to start with.
For us, a well-architected AWS Landing Zone solves the client’s problems and heavily aligns with AWS best practices like the Guidance for Establishing an Initial Foundation using Control Tower on AWS, the Prescriptive Guidance for Setting up a secure and scalable multi-account AWS environment, and the AWS Well-Architected Framework.
The Landing Zone Accelerator on AWS
Traditionally, building a well-architected AWS Landing Zone has been a complex task that required a lot of expertise, time, and mostly third-party automation. In the past, superluminar tried to fill this gap and released its open-source project superwerker, which we now, for various reasons, consider deprecated.
With the introduction of the Landing Zone Accelerator on AWS, this process has become significantly easier and more efficient. Most importantly, it is now based on AWS-managed tooling, which means that it is maintained by AWS and can be used by anyone without the need for third-party solutions.
While the Landing Zone Accelerator on AWS has been built with highly regulated workloads and complex compliance requirements in mind, we believe that it’s a great fit for most small to mid-size engineering organizations. A few of the advantages are:
- Cost effectiveness. It is free and open source, and you only pay for the resources it deploys. The costs depend on your requirements and configuration. That said, most of the cost drivers can be disabled if not needed.
- Automation. It is fully automated and can be deployed with a few clicks. With a few exceptions, it automates the tedious tasks of setting up a landing zone. It can be configured using YAML configuration files and customized using, e.g., CloudFormation templates. It can be deployed in a GitOps workflow style with, for example, GitHub Actions.
- Maintenance. It is maintained by AWS and is regularly updated with new features and improvements. This means that you can focus more on your business and less on maintaining your landing zone.
- Security and Compliance. It allows you to centrally manage security and compliance best practices across your AWS accounts.
Our experiences
While deploying the Landing Zone Accelerator on AWS in several client organizations, we’ve noticed that there are common pitfalls and room for improvement.
- Managing YAML configuration files can quickly become cumbersome, repetitive, and error-prone. Unsurprisingly, this also applies to the Landing Zone Accelerator on AWS configuration files.
- Deploying a GitOps workflow with GitHub Actions or similar tools still requires some additional automation steps.
- Developing customizations for the Landing Zone Accelerator on AWS is not as straightforward as it could be. This is mainly due to the unwieldy Core CLI and the missing CDK support for customizations.
- Due to the repetitive nature of YAML, putting our gathered experiences into a configuration blueprint similar to the sample configurations wouldn’t make it easily applicable and would be hard to manage.
Our solution: the AWS Luminarlz CLI
With the AWS Luminarlz CLI we’ve released a solution that we believe significantly simplifies the deployment of a well-architected AWS Landing Zone, as well as making maintenance and development much more pleasant, time-efficient, and less error-prone.
In more detail, we…
- decided to use a template engine to generate the YAML configuration files for the Landing Zone Accelerator on AWS, effectively replacing the YAML configuration files with one TypeScript config file. This allows us to leverage the power of types and remove repetitive boilerplate configuration.
- started using AWS CDK to generate the CloudFormation templates for the customizations of the Landing Zone Accelerator on AWS. This allows us to use the full power of TypeScript and makes it easier to develop and maintain customizations.
- created a blueprint that makes it easy to deploy a well-architected AWS Landing Zone. This includes GitOps workflows, security & compliance best practices, as well as basic documentation, runbooks, Architecture Decision Records, and so on.
- published a CLI that makes the usage of the Core CLI much more pleasant. It automates common tasks such as configuration validation, synthesis, and deployment, as well as deploying customizations or updating the Landing Zone Accelerator on AWS. The CLI effectively tightens the feedback loop and reduces error potential when developing and deploying customizations.
- made sure to think ahead and left an exit path open. Should the Landing Zone Accelerator on AWS one day solve some of these problems, it should be easy to migrate to the new solution.
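The first item in the list above, as an added example (not code from the AWS Luminarlz CLI or its blueprint): one typed TypeScript config expanded into the `workloadAccounts` entries of the Landing Zone Accelerator's accounts configuration, with a duplicate root email rejected at generation time. The type and function names, OU names, workload names and mail domain are assumptions made for illustration.

```typescript
// Added illustration; OU names, workload names and mail domain are constructed.
type OrganizationalUnit = 'Workloads' | 'Sandbox';

interface LandingZoneConfig {
  mailbox: string; // plus-addressed per account: mailbox+name@domain
  domain: string;
  workloads: { name: string; stages: string[]; ou: OrganizationalUnit }[];
}
interface WorkloadAccount {
  name: string;
  description: string;
  email: string;
  organizationalUnit: OrganizationalUnit;
}

// Expand every workload/stage pair into one account entry.
function expandAccounts(cfg: LandingZoneConfig): WorkloadAccount[] {
  const accounts: WorkloadAccount[] = [];
  const seen: Record<string, boolean> = {};
  for (const w of cfg.workloads) {
    for (const stage of w.stages) {
      const name = `${w.name}-${stage}`;
      const email = `${cfg.mailbox}+${name}@${cfg.domain}`.toLowerCase();
      // Each AWS account needs its own root email: fail at generation time.
      if (seen[email]) throw new Error(`duplicate account email: ${email}`);
      seen[email] = true;
      accounts.push({ name, description: `${w.name} (${stage})`, email, organizationalUnit: w.ou });
    }
  }
  return accounts;
}

// Render the workloadAccounts list; JSON-quoted strings are valid YAML scalars.
function renderWorkloadAccounts(cfg: LandingZoneConfig): string {
  const lines = ['workloadAccounts:'];
  for (const a of expandAccounts(cfg)) {
    lines.push(`  - name: ${JSON.stringify(a.name)}`);
    lines.push(`    description: ${JSON.stringify(a.description)}`);
    lines.push(`    email: ${JSON.stringify(a.email)}`);
    lines.push(`    organizationalUnit: ${JSON.stringify(a.organizationalUnit)}`);
  }
  return lines.join('\n') + '\n';
}

const sampleConfig: LandingZoneConfig = {
  mailbox: 'aws', domain: 'example.com',
  workloads: [
    { name: 'shop', stages: ['dev', 'prod'], ou: 'Workloads' },
    { name: 'playground', stages: ['main'], ou: 'Sandbox' },
  ],
};
```

Misspelling an OU name in `sampleConfig` is a compile-time error because of the `OrganizationalUnit` union, which is the kind of check plain YAML cannot give.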
Please have a look at the Usage documentation of the AWS Luminarlz CLI as well as the foundational blueprint README as they let you deploy a well-architected AWS Landing Zone in a matter of hours.
Summary
Deploying a well-architected AWS Landing Zone can be challenging, especially for small to mid-size engineering organizations.
The Landing Zone Accelerator on AWS simplifies this process, but managing configurations and customizations can still be complex and repetitive.
To minimize these obstacles for solution architects and builders alike, we developed the AWS Luminarlz CLI. Using the AWS Luminarlz CLI and a TypeScript-based blueprint streamlines configuration, automates common tasks, and enables easier maintenance and customization.
This solution empowers organizations to quickly and confidently deploy secure, scalable AWS Landing Zones while reducing manual effort and error potential.