Key features

100% Terraform-native

Manage your AWS Landing Zone & Foundation entirely with Terraform without dependencies on AWS Control Tower and CloudFormation.

Designed for GitOps

Manage your AWS Landing Zone & Foundation with a full GitOps approach. Segregation of duties can be enforced with Git repositories and pipeline permissions.

Simple to customize

Our modular approach offers a lot of flexibility when it comes to implementing a personalized AWS Landing Zone & Foundation. We provide customization templates as a starting point which can be adopted or modified.

Illustration of ntc-module

Updates and support

Receive updates and support for our modules and keep your AWS Landing Zone & Foundation up to date and running.

Enterprise-ready and scalable

Designed for enterprises with high scalability requirements, aligned with industry standards and AWS best practices. Reliably manage hundreds of accounts.

Accelerate your cloud journey

Building a scalable AWS Landing Zone & Foundation takes a lot of time and effort. With our collection, you can leverage our extensive experience with AWS and Terraform to significantly accelerate your implementation process.

Nuvibit Terraform Collection (NTC) Modules

NAME DESCRIPTION
NTC Parameters Terraform module to store and retrieve Terraform or JSON parameters across multiple AWS accounts and CI/CD pipelines. This module is specifically designed to integrate with our NTC modules.
NTC Organizations Terraform module to manage AWS Organizations. Supports managing nested Organizational Units (OUs), delegated administrators and Service Control Policies.
NTC Account Factory Terraform module to manage Account Vending, Account Lifecycle, and Account Baseline. Provision new AWS accounts, define custom account lifecycle actions, and roll out baseline configuration for multiple accounts and regions.
NTC Identity Center Terraform module to deploy and manage Single Sign-On via AWS IAM Identity Center (successor to AWS SSO).
NTC Log Archive Terraform module to deploy and manage a central log archive, where foundation logs like Cloudtrail, AWS Config, Amazon GuardDuty and VPC flow logs will be stored.
NTC Security Tooling Terraform module to deploy and manage central security tooling like AWS Security Hub, AWS Config and Amazon GuardDuty.
NTC IPAM Terraform module to deploy and manage Amazon VPC IP Address Manager (IPAM). In combination with the VPC module a highly automated AWS network can be realized.
NTC VPC Terraform module to deploy and manage AWS VPC networking. This module is designed for high flexibility and allows extensive scaling.
Account Baseline Templates Terraform module which provides templates for account baseline configurations. Can be combined with NTC Account Factory module to precisely roll out account baselines across AWS accounts in multiple regions.
Account Lifecycle Templates Terraform module which provides templates for account lifecycle customization. Can be combined with NTC Account Factory module to manage the AWS account lifecycle (e.g. destroy default VPC when new account is created).
SCP Templates Terraform module which provides templates for Service Control Policies (SCP). Can be combined with NTC Organizations module to precisely roll out SCPs across Organizational Units (OUs) and specific AWS accounts.


AWS Landing Zone & Foundation Comparison


An AWS Landing Zone & Foundation refers to a well-architected, pre-configured environment that serves as a foundation for deploying and managing workloads in the AWS cloud. It provides a set of best practices and architectural patterns to ensure consistency, security, and scalability across your AWS infrastructure. It helps organizations establish a standardized and secure baseline setup, reducing the time and effort required for initial infrastructure deployment.

There are several solutions for deploying a ready-to-use AWS Landing Zone & Foundation. Each solution offers certain benefits and has its own limitations.

NUVIBIT TERRAFORM COLLECTION AWS LANDING ZONE ACCELERATOR AWS CONTROL TOWER
Purpose Provides a flexible, declarative, and modular approach to deploying and managing an enterprise-ready and scalable AWS environment with potentially hundreds of accounts. Provides a framework for rapidly deploying a multi-account AWS environment with recommended best practices. Offers an automated and prescriptive approach to set up and govern a secure multi-account AWS environment.
Delivery Mechanism Terraform CDK and CloudFormation AWS managed service + Add-on solutions
Setup Complexity Requires Terraform knowledge to implement and operate. The modules will be parameterized and deployed individually. Detailed sample repositories are provided as a blueprint for implementing the entire solution. Additional documentation and step-by-step instructions are also available. Requires CloudFormation and ideally CDK knowledge. Control Tower or AWS Organizations must be set up first. A CloudFormation template must be executed for the initial deployment of the solution. YAML configuration files are then managed in AWS CodeCommit and deployed through CodePipelines and CloudFormation StackSets. Control Tower itself can be deployed and managed directly via the AWS console. For customization, additional knowledge in CloudFormation and/or Terraform is required. Add-on solutions for Control Tower need to be provisioned separately and can drastically increase complexity.
Solution Lifecycle Each module has its own lifecycle and can be updated and downgraded individually. Running a Terraform plan highlights the changes and should be reviewed to avoid unwanted changes. A staged rollout is supported and recommended. Entire solution needs to be updated via CloudFormation template. After updating the solution all CodePipelines will be invoked and rolled out. There is no support for a staged rollout. AWS Control Tower can be updated through the landing zone settings page. Additionally enrolled accounts need to be updated in a second step. Add-on solutions need to be updated separately.
Flexibility and Customization Terraform modules offer maximum flexibility in terms of deployment. As long as the underlying services are available, all regions can be managed. It is even possible for certain modules to be deployed in a different region until the underlying service is available (e.g. using Identity Center in Frankfurt until it is available in a new region). Customer managed modules can be used alongside. Dedicated template modules are available as a blueprint for customizing the solution. Can be used with AWS Control Tower or simply AWS Organizations and can be deployed in regions where AWS Control Tower is not supported. Configuration files allow customization of the solution and deployment of additional CloudFormation StackSets. AWS Control Tower must be deployed in a supported region (home region) and unsupported regions cannot be fully governed. Add-on solutions are available for limited customization via CloudFormation and/or Terraform.
Automation in CI/CD All Terraform modules are deployed via customer pipelines. In addition, NTC Account Factory provides a native AWS solution (based on CodePipelines) to dynamically roll out account baselines with Terraform across multiple accounts and regions. Based on AWS CodeCommit, CodeBuild and CodePipelines. Cannot be integrated with customer pipelines. Automation is executed in the background by AWS and is not configurable by the user. Add-on solutions (e.g. Account Factory for Terraform) offer limited customization via customer pipelines.
Troubleshooting Everything is deployed with Terraform and therefore potential errors are also related to Terraform. Errors can occur in the Terraform code, Terraform dependencies (versions and providers) and the customization (account lifecycle and account baseline). Errors can occur in the CDK code (TypeScript), CloudFormation Templates / StackSets and CodePipelines. In combination with the Control Tower, the effort for operation and troubleshooting increases considerably. Errors can occur in AWS Service Catalog, CloudFormation Templates / StackSets, and by not updating landing zone and account enrollments. When using add-on solutions (e.g. Account Factory for Terraform), additional errors may occur in the add-on solution itself and when customizing the solution (e.g. account baseline).
Support Support for the Terraform modules is included in the license. Additional assistance (e.g. training) can be offered separately. Issues can be submitted to Github Repository. AWS offers assistance with an AWS Business or Enterprise Support plan. AWS offers assistance for Control Tower itself with an AWS Business or Enterprise Support plan. Issues with add-on solutions (e.g. Account Factory for Terraform) can be submitted to Github Repository.
License Must be licensed to access modules, updates, documentation, and support. The source code is fully viewable, and downloaded modules can be used and modified even after the license expires. Open source. The source code is fully viewable. Proprietary AWS managed service. Control Tower source code is not viewable. No additional fees for Control Tower service itself.

Choose the right AWS Landing Zone & Foundation approach

There is no single solution for AWS Landing Zone & Foundation which meets the requirements for all customers.
There are many aspects to consider when choosing the right solution (e.g. delivery mechanism determines how customization and troubleshooting is performed).

This simplified decision tree is intended to provide guidance in choosing the right solution:

Illustration of ntc-decision-tree