AWS Landing Zone

“Our AWS setup was built by whoever was available at the time”

Everything runs in one account. IAM users have admin access because nobody had time to set up proper permissions. There's no audit trail, no backup governance, and no tagging. It works. Until it doesn't.

Book a foundations review

Trusted by

Virgin Experience DaysStream (formerly Wagestream)CharangaChemist 4 UAtriumMohidThe eArIPOSGVectorTracxTMSWild DogLinxSideLightPupil TrackingVitaccessLucky Day CompetitionsFlorida RealtorsFHCNEMSQBench
Where you'll be

A governed AWS estate you can build on with confidence.

Multi-account structure with separated environments. Centralised logging and audit trails. Cross-account backup to an isolated account. IAM with SSO. No shared credentials. Tagging policies enforced. The foundation that makes every other AWS service safer, cheaper, and easier to manage.

What LogiZone delivers

LogiZone is Logicata’s AWS Landing Zone product. It deploys and maintains the foundational infrastructure that every well-run AWS estate needs, and that most businesses don’t have.

This isn’t a one-time setup. LogiZone is a maintained deployment: guardrails enforced by Service Control Policies, logging configurations kept current, and the Organisation structure managed as your needs change.

What gets deployed

AWS Organisation structure. A multi-account setup with Organisational Units for production, development, compliance, and suspended accounts. Legacy accounts are imported into a dedicated OU with non-breaking controls, so your existing workloads aren’t disrupted.

Access control. AWS IAM Identity Center replaces IAM users with federated SSO. Group-based permissions across all accounts. IAM user creation blocked by policy in new accounts.

Security baseline. IAM Access Analyzer, EBS encryption by default, CloudTrail management events, and AWS Config inventory across every account. Service Control Policies protect the deployment from accidental removal.

Centralised logging. CloudTrail and Config data from all accounts flows to a dedicated Log Archive account. This is your audit trail, held independently of the accounts being audited, so a compromised or misconfigured workload account cannot alter its own history.

Backup governance. AWS Backup configured from a central account, with restore points protected by SCPs. Backup policies driven by tagging. Tag a resource correctly and it’s backed up automatically.

Guardrails. SCPs applied at the OU level: no root user access, no public S3 buckets, no default VPCs, no activity in unapproved regions, no IAM user logins. Different guardrails for production, development and legacy accounts, with the legacy OU getting the non-breaking subset.
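The guardrails described above, as an added example that is not LogiZone's or Logicata's own policy documents: a deny-list style SCP for a production OU covering root access, IAM user creation, default VPCs, unapproved regions, and the baseline's own logging, public-access-block and backup resources (the protection mentioned under "Security baseline" and "Backup governance"), plus a deliberately simplified offline evaluator that reports which statement would block a given call. The LandingZoneAdmin role name, the account ID 111122223333 and the approved region list are assumptions for illustration.

```python
# Added example, not LogiZone's or Logicata's own code: a deny-list style SCP
# for a production OU plus a simplified evaluator. The LandingZoneAdmin role,
# account 111122223333 and the region list are assumptions for illustration.
import fnmatch
import json
from typing import Optional

ADMIN_ROLE = "arn:aws:iam::*:role/LandingZoneAdmin"   # hypothetical deployment role
ALLOWED_REGIONS = ["eu-west-2", "eu-west-1"]           # assumed approved regions
# Global services are exempt from the region deny; AWS's published example
# list of exempt services is longer than this one.
GLOBAL_ACTIONS = ["iam:*", "organizations:*", "sts:*", "sso:*", "support:*",
                  "cloudfront:*", "route53:*", "budgets:*", "ce:*", "health:*"]


def production_scp() -> dict:
    """One Deny statement per guardrail; the FullAWSAccess SCP supplies the Allow."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
        {"Sid": "DenyIamUsers", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:CreateUser", "iam:CreateLoginProfile", "iam:CreateAccessKey"]},
        {"Sid": "DenyDefaultVpc", "Effect": "Deny", "Resource": "*",
         "Action": ["ec2:CreateDefaultVpc", "ec2:CreateDefaultSubnet"]},
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Resource": "*",
         "NotAction": GLOBAL_ACTIONS,
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        # Protect the baseline from the accounts it governs: logging, the
        # account-level public access block and backup recovery points.
        # Only the deployment role is exempt.
        {"Sid": "ProtectBaseline", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder",
                    "s3:PutAccountPublicAccessBlock",
                    "backup:DeleteRecoveryPoint", "backup:DeleteBackupVault"],
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE}}},
    ]}


def scp_size_ok(policy: dict, limit: int = 5120) -> bool:
    """Organizations caps an SCP document at 5,120 characters; serialise
    compactly so whitespace does not eat into that budget."""
    return len(json.dumps(policy, separators=(",", ":"))) <= limit


def _matches(patterns, value: str) -> bool:
    """Case-insensitive glob match for action names (iam:Create*, * etc.)."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(conditions: dict, ctx: dict) -> bool:
    """Subset of IAM condition semantics for the operators used above.
    A missing context key fails positive operators and satisfies negated ones."""
    for op, pairs in conditions.items():
        negated = "Not" in op
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:
                hit = False
            elif op.startswith("Arn"):
                hit = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                hit = actual in wanted
            if hit == negated:   # positive op needs a hit, negated op needs a miss
                return False
    return True


def blocking_sid(policy: dict, action: str, ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny that catches this call, else None.
    Deny overrides everything; an SCP never grants access by itself."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            applies = _matches(st["Action"], action)
        else:
            applies = not _matches(st["NotAction"], action)
        if applies and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


def request(principal_arn: str, region: str) -> dict:
    """Minimal request context: the two keys the guardrails above inspect."""
    return {"aws:PrincipalArn": principal_arn, "aws:RequestedRegion": region}


if __name__ == "__main__":
    scp = production_scp()
    dev = request("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
                  "AWSReservedSSO_Developer_0123456789abcdef", "eu-west-2")
    print("size ok:", scp_size_ok(scp))
    print("dev creating IAM user:", blocking_sid(scp, "iam:CreateUser", dev))
    print("dev stopping CloudTrail:", blocking_sid(scp, "cloudtrail:StopLogging", dev))
    print("dev in us-east-1:", blocking_sid(scp, "ec2:RunInstances",
                                            {**dev, "aws:RequestedRegion": "us-east-1"}))
```

Two caveats a practitioner should keep in mind: SCPs never apply to the management account or to service-linked roles, so the Log Archive and Backup accounts still need their own resource policies and vault locks, and the deny-list style only works while the default FullAWSAccess policy stays attached to each OU. The evaluator ignores resource ARNs and supports only the operators used here; use it to sanity-check statement logic, not as a replacement for testing the policy against a real account in the OU.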

What it costs to run

LogiZone’s ongoing AWS costs (Config, CloudTrail storage, Access Analyzer, SNS) are typically under $50/month, excluding backup storage. Backup costs depend on data volume and retention.

The deployment cost is included when LogiZone is part of a broader engagement (migration, managed services). As a standalone foundations project, it’s scoped and priced based on your current account structure and complexity.

Who needs this

If you’re moving to managed services, migrating workloads, or simply realising that your AWS estate has outgrown its original setup, LogiZone is the foundation that makes everything else work properly.

Services like AWS Management, Backup & DR, and AWS Security are more effective and cheaper to deliver when the underlying estate is properly structured. LogiZone is how we get there.

What's usually in the way

  1. Everything in one AWS account

    Production, staging, and development share one account. A mistake in dev can take down production. There's no blast radius containment and no separation of billing.

  2. IAM chaos: users, keys, no SSO

    People log in with IAM users. Access keys were created years ago and never rotated. Nobody knows who has access to what, and removing someone means hunting through multiple services.

  3. No centralised logging or audit trail

    CloudTrail might be on in one region. Config isn't enabled. If something goes wrong, or someone asks who changed what, you can't answer with confidence.

  4. No backup governance

    Individual teams back up individual resources. There's no cross-account backup, no isolated backup account, no tested restores. Backups are assumptions, not guarantees.

  5. No tagging: costs are a black box

    Resources aren't tagged consistently. You can't allocate costs by team, environment, or service. Finance gets one number. Engineering gets one number. Nobody can explain the difference.

  6. No cost controls: the bill is a surprise every month

    Nobody's watching spend in real time. There are no budgets, no alerts, no forecasts. The invoice arrives and it's the first time anyone sees the number. A misconfigured resource can run for weeks before anyone notices.

What we resolve

  1. Multi-account Organisation with proper OU structure

    Separated accounts for production, staging, development, security, logging, and backup. Each with its own blast radius, billing, and access controls. Legacy accounts imported safely into a dedicated OU.

  2. IAM Identity Center: SSO, no IAM users

    Single Sign-On across all accounts via AWS IAM Identity Center. Group-based access control. IAM user logins blocked by policy. Access reviews become simple.

  3. Centralised CloudTrail and Config logging

    Management events logged across every account and region, stored in a dedicated Log Archive account. AWS Config inventory enabled everywhere. You can answer 'who changed what, when' in seconds.

  4. Cross-account backup to isolated account

    AWS Backup configured centrally with policies enforced by tagging. Backup data stored in a dedicated account that nobody can accidentally delete from. Restore points protected by SCPs.

  5. Tagging policies enforced by SCPs

    Consistent tagging across the estate, enforced at the Organisation level. Cost allocation tags flow into Cost Explorer automatically. Finance gets the breakdown they need.

  6. Budget controls and cost anomaly alerts

    AWS Budgets set per account with threshold alerts before costs overrun. Cost Anomaly Detection flags unexpected spikes automatically. Monthly spend is visible before the invoice, not after.

100% AWS accounts compliant

“We have 100% confidence that our security policies and guardrails are consistently applied across our entire AWS estate.”

Director, Platform & Delivery, FinTech

Ready to take the next step?

No obligation, just a clear conversation about where you are and what's possible.