AWS Landing Zone Planning Checklist
Practical questions for reviewing accounts, identity, governance, logging, networking, operations and cost before workloads move onto AWS.
| area | planning question | evidence or decision | next action |
|---|---|---|---|
| Business drivers | Which business outcomes should the landing zone support: migration, resilience, compliance, cost control or product velocity? | Executive sponsor, migration business case, risk register | Document the landing-zone success criteria before selecting tooling |
| Application scope | Which workloads, teams, environments and security boundaries need separate AWS accounts? | Current application inventory, environment map, ownership model | Define an account vending pattern before broad migration starts |
| Account structure | Which accounts are required for management, logging, security, shared services, network, production, non-production and sandbox use? | Account taxonomy, OU model, workload criticality tiers | Build the account and OU model before onboarding workloads |
| Region strategy | Which AWS regions must be enabled, blocked or monitored? | Data residency requirements, latency needs, service availability | Create region enablement rules and exception process |
| Network design | Which VPC, transit, DNS, ingress, egress and inspection patterns are required? | IP plan, connectivity diagrams, routing constraints | Confirm landing-zone network guardrails and exception routes |
| Identity and access | How will human users, administrators, break-glass principals and workload roles authenticate, and where will their permissions be defined? | Identity provider, role catalogue, privileged access process | Map IAM Identity Center permission sets and operational roles |
| Privileged access | How will privileged activity be approved, logged, time-limited and reviewed? | Admin role catalogue, approval process, audit requirements | Define break-glass and just-in-time access runbooks |
| Security guardrails | Which controls must be preventative, detective or advisory? | Regulatory needs, baseline controls, security tooling | Prioritise SCPs, AWS Config rules, logging and alerting |
| Logging and audit | Where will the organisation CloudTrail trail, AWS Config history, VPC Flow Logs and security findings be centralised, and who can read or delete them? | Retention requirements, SIEM/SOC integration needs | Create central logging and security account design |
| Threat detection | Which AWS-native or third-party services will cover threat detection and vulnerability visibility? | GuardDuty, Security Hub, Inspector, IAM Access Analyzer, SOC requirements | Define detection coverage and escalation paths |
| Backup and recovery | Which landing-zone services and workloads need backup, restore and cross-account recovery patterns? | RPO/RTO requirements, backup policy, recovery test history | Create backup policies and recovery test calendar |
| Operations model | Who owns platform operations, incident response, patching and cost governance? | RACI, support hours, runbook ownership | Agree operating model before onboarding production workloads |
| Change management | How will platform changes, account vending and guardrail exceptions be requested and approved? | ITSM process, Git workflow, approval matrix | Create change workflows for common platform requests |
| Cost governance | How will mandatory tags, budgets, chargeback and cost anomaly alerting be enforced? | Finance reporting needs, tag taxonomy, budget owners | Create mandatory tags and budget alert patterns |
| Workload onboarding | What evidence must each workload provide before entering the landing zone? | Architecture review, data classification, DR plan, support model | Create a workload onboarding checklist |
| Migration waves | How will accounts and shared services support phased migration waves? | Wave plan, dependency map, landing-zone capacity assumptions | Align account provisioning and network readiness to migration waves |
| Policy exceptions | How will exceptions to SCPs, region rules, encryption and networking guardrails be requested, approved, time-limited and retired? | Exception register, risk owner, expiry date | Define exception lifecycle and review cadence |
| Validation tests | How will the landing zone be tested before production use? | Control evidence, penetration test scope, logging validation, recovery test | Run a pre-production landing-zone validation exercise |
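The region, guardrail, cost and exception rows above all end in the same artefact: an SCP. The following Python is an added example, not part of the original checklist or of any AWS tooling. It writes two service control policies (a region allow-list with exemptions for global services and a break-glass role, and a mandatory CostCentre tag on EC2 create calls) and runs a small evaluator over constructed requests so the policies can be checked before they are attached. The approved regions, account ID, role names and tag key are assumptions; the evaluator models only the handful of policy-language operators these two policies use and is not a substitute for AWS's own evaluation.

```python
"""Added example: write two landing-zone SCPs and dry-run them against requests."""
import copy
import fnmatch

ALLOWED_REGIONS = ["eu-west-1", "eu-west-2"]          # assumed approved regions
BREAK_GLASS = "arn:aws:iam::*:role/BreakGlassAdmin"    # assumed exception role

# Region guardrail. NotAction exempts services that are served from us-east-1
# regardless of where the caller sits; without it the deny breaks IAM, STS,
# Organizations, Route 53 and CloudFront across the whole organisation.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*",
                      "cloudfront:*", "support:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
            "ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS},   # exception route
        },
    }],
}

# Tag guardrail: refuse EC2 create calls that omit the chargeback tag (assumed key).
TAG_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireCostCentreTagOnCreate",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
        "Condition": {"Null": {"aws:RequestTag/CostCentre": "true"}},
    }],
}
SCPS = [REGION_SCP, TAG_SCP]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only the operators used above. Simplification: a negated operator on a
    key missing from the request context evaluates to true, as IAM does."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringNotEquals":
                ok = actual not in _as_list(expected)
            elif op == "ArnNotLike":
                ok = actual is None or not _glob_any(expected, actual)
            elif op == "Null":
                ok = (actual is None) == (expected == "true")
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def _statement_matches(stmt, req):
    action, resource = req["action"], req["resource"]
    if "Action" in stmt and not _glob_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _glob_any(stmt["NotAction"], action):
        return False
    if not _glob_any(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), req["context"])


def denying_sid(scps, req):
    """Sid of the first matching Deny statement, or None. SCPs only remove
    permissions, so None means 'not blocked at the org boundary', not 'allowed'."""
    for scp in scps:
        for stmt in scp["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_matches(stmt, req):
                return stmt["Sid"]
    return None


def request(action, region, resource="*", tags=None,
            principal="arn:aws:iam::111122223333:role/DevOps"):  # constructed request
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal}
    for k, v in (tags or {}).items():
        ctx[f"aws:RequestTag/{k}"] = v
    return {"action": action, "resource": resource, "context": ctx}


def without_global_exemptions(scp):
    """The common mistake: a blanket Action '*' instead of NotAction."""
    broken = copy.deepcopy(scp)
    stmt = broken["Statement"][0]
    stmt.pop("NotAction")
    stmt["Action"] = "*"
    return broken


if __name__ == "__main__":
    inst = "arn:aws:ec2:eu-west-1:111122223333:instance/*"
    for label, req in [
        ("tagged instance, approved region", request("ec2:RunInstances", "eu-west-1", inst, {"CostCentre": "CC-1"})),
        ("instance outside approved regions", request("ec2:RunInstances", "us-east-1", inst, {"CostCentre": "CC-1"})),
        ("untagged instance", request("ec2:RunInstances", "eu-west-1", inst)),
        ("IAM call (global service)", request("iam:CreateRole", "us-east-1")),
    ]:
        print(f"{label:36} -> {denying_sid(SCPS, req)}")
    print("IAM call with blanket deny        ->",
          denying_sid([without_global_exemptions(REGION_SCP)], request("iam:CreateRole", "us-east-1")))
```

Run the dry-run against every row in the exception register before attaching a policy; the `without_global_exemptions` case is the one that most often surfaces only after the SCP has reached the management OU.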
