
MULTI-TENANT AWS LANDING ZONE

AWS, Control Tower, AFT, Terraform, Multi-Account

Multi-tenant AWS landing zone for a public sector client in Slovakia, built with AWS Account Factory for Terraform (AFT) and AWS Control Tower across a 10+ account organization.

Architecture

  • AWS Control Tower as the governance layer with mandatory and elective controls enforcing security baselines
  • AFT for automated account provisioning with account-level customizations and global customizations applied at vending time
  • Multi-account structure with 10+ accounts following AWS best practices — separate accounts for workloads, security, logging, and shared services
  • Security Hub aggregating findings across all accounts with AWS Foundational Security Best Practices (FSBP) v1.0, CIS AWS Foundations Benchmark v3.0, and NIST 800-53 Rev 5 standards enabled
  • GuardDuty for continuous threat detection across the organization
  • Control Tower controls (preventive SCPs and proactive controls) enforcing guardrails organization-wide
  • Terraform modules for repeatable, auditable infrastructure provisioned through AFT pipelines
  • EU compliance alignment: GDPR data residency requirements with all workloads pinned to EU regions
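The preventive SCP and EU region-pinning bullets above are what a region deny guardrail looks like in practice. The following is an added illustration, not the project's own policy or code: a constructed SCP document of that shape, plus a small evaluator for the subset of IAM logic it relies on, which shows why global services have to be exempted with NotAction. The EU allow-list and the exempted service list are assumptions chosen for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed example, not the project's policy: an EU region-pinning SCP of
# the kind the landing zone applies as a preventive Control Tower guardrail.
EU_REGIONS = ["eu-central-1", "eu-west-1", "eu-north-1"]  # assumed allow-list
# Global services are served from us-east-1, so they must be exempted via
# NotAction or the SCP locks every account out of IAM, STS and Organizations.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*", "account:*"]

REGION_PIN_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonEuRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}},
    }],
}
# Serialized form, e.g. for the `content` of an aws_organizations_policy resource.
SCP_CONTENT = json.dumps(REGION_PIN_SCP, indent=2)


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may use '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """Return True if a Deny statement in `policy` blocks `action` in `region`.

    Models only what a region-pin SCP relies on: Effect=Deny, Action/NotAction
    matching, and an optional StringNotEquals condition on aws:RequestedRegion.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            applies = not any(_matches(p, action) for p in stmt["NotAction"])
        else:
            pats = stmt["Action"]
            pats = [pats] if isinstance(pats, str) else pats
            applies = any(_matches(p, action) for p in pats)
        if not applies:
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion")
        if allowed is None or region not in allowed:
            return True  # no region condition, or request outside the allow-list
    return False
```

Replacing `NotAction` with `"Action": "*"` makes the same policy deny `iam:CreateRole`, which is exactly the lockout the exemption list prevents.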

Key Outcomes

  • Standardized account provisioning reducing setup time from days to hours via AFT automation
  • Centralized security posture with Security Hub, GuardDuty, and Control Tower controls across all accounts
  • Continuous compliance monitoring against FSBP, CIS, and NIST frameworks
  • Full EU regulatory compliance including GDPR data residency and processing requirements