THE 6-WEEK LANDING ZONE_
Six weeks. That is how long it took to go from an empty AWS account to a production-ready landing zone. Not because the technology was hard. Because the decisions were.
> WHAT IS A LANDING ZONE
A landing zone is the foundation you build before you build anything else. Networking. Identity. Logging. Security baselines. The boring stuff that nobody wants to do first but everybody regrets skipping.
AWS has Control Tower. It is fine for enterprises with 50 accounts and a dedicated platform team. For a solo operator or a small team, it is overkill. You need something leaner.
> WEEK 1-2: ACCOUNT STRUCTURE
One management account. One workload account. That is it to start. Do not create dev/staging/prod accounts until you have something to put in them.
SSO via IAM Identity Center. One permission set per role. No long-lived access keys anywhere. If you are still using aws configure with static credentials, stop.
> WEEK 3-4: NETWORKING AND SECURITY
VPC with public and private subnets. NAT gateway in one AZ to start (multi-AZ when traffic justifies the cost). Security groups that default to deny-all inbound.
CloudTrail enabled. Config rules for the basics: S3 buckets not public, EBS volumes encrypted, root account MFA enabled. GuardDuty on. These cost almost nothing and catch real problems.
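The baseline checks above, written as AWS Config custom-rule style evaluators run over a constructed account snapshot. This is an added example, not code from the post; the input dict shapes are assumed to mirror what boto3 returns from the APIs named in the comments.

```python
# Constructed example, not code from the post: the week 3-4 baseline
# (S3 not public, EBS encrypted, root MFA, deny-all inbound) as AWS
# Config custom-rule style evaluators. Inputs mirror boto3's dict shapes
# (get_public_access_block, describe_volumes, get_account_summary,
# describe_security_groups); the snapshot below is constructed.
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def eval_s3_public_access_block(pab: dict) -> str:
    # All four block settings must be True; a missing key counts as off.
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return COMPLIANT if all(cfg.get(k) is True for k in PAB_KEYS) else NON_COMPLIANT

def eval_ebs_encrypted(volume: dict) -> str:
    return COMPLIANT if volume.get("Encrypted") is True else NON_COMPLIANT

def eval_root_mfa(summary: dict) -> str:
    # get_account_summary reports AccountMFAEnabled == 1 when root has MFA.
    mfa = summary.get("SummaryMap", {}).get("AccountMFAEnabled")
    return COMPLIANT if mfa == 1 else NON_COMPLIANT

def eval_sg_no_world_inbound(sg: dict) -> str:
    # Default-deny inbound: flag any rule that admits 0.0.0.0/0 or ::/0.
    for perm in sg.get("IpPermissions", []):
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return NON_COMPLIANT
        if any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
            return NON_COMPLIANT
    return COMPLIANT

SNAPSHOT = {  # constructed: one finding per check plus clean resources
    "s3": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
           "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    "volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                {"VolumeId": "vol-0bbb", "Encrypted": False}],
    "iam": {"SummaryMap": {"AccountMFAEnabled": 0}},
    "sgs": [{"GroupId": "sg-0web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
             "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
            {"GroupId": "sg-0app", "IpPermissions": []}],
}

def audit(snapshot: dict) -> dict:
    # Map each checked resource to COMPLIANT / NON_COMPLIANT.
    results = {"s3-public-access-block": eval_s3_public_access_block(snapshot["s3"]),
               "root-mfa": eval_root_mfa(snapshot["iam"])}
    for vol in snapshot["volumes"]:
        results[vol["VolumeId"]] = eval_ebs_encrypted(vol)
    for sg in snapshot["sgs"]:
        results[sg["GroupId"]] = eval_sg_no_world_inbound(sg)
    return results
```

The same functions drop straight into a Config custom-rule Lambda handler, where each result becomes one PutEvaluations entry.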
> WEEK 5-6: DEPLOYMENT PIPELINE
CDK with a single pipeline stack. Source from CodeCommit (or GitHub, does not matter). Build with CodeBuild. Deploy with CloudFormation via CDK.
The pipeline deploys itself. Change the pipeline definition and push; the pipeline updates its own stack before deploying anything else. This is the pattern that makes everything else possible.
> THE SIGNAL
Six weeks is not fast. It is not slow. It is the time it takes to make decisions you will not regret in six months. Rush it and you will rebuild it. Take longer and you are procrastinating.
The landing zone is not the product. It is the foundation that makes the product possible. Treat it accordingly.