Gruntwork Landing Zone for AWS

Streamline the way you create, configure, and secure AWS accounts.


Features


Create a Multi-Account AWS Structure

Gruntwork Landing Zone gives you the ingredients to create a best-practices multi-account structure using AWS Organizations, all based on official AWS recommendations.


Quickly create new AWS accounts with Terraform

Gruntwork Landing Zone includes an opinionated way to create a new AWS account as part of your AWS Organization using just a few lines of Terraform code:

Variables.tf
  
    // Create a new AWS account with just three lines of code and a Terraform apply
    child_accounts = {
      dev = {
        email = "dev@acme.com"
      },
      stage = {
        email = "stage@acme.com"
      },
      prod = {
        email = "prod@acme.com"
      }
    }
  

Alternatively, create AWS accounts with Control Tower (Gruntwork Enterprise only)

Alternatively, Gruntwork Enterprise customers can use the Gruntwork Landing Zone Control Tower Integration to create accounts using AWS Control Tower.

Gruntwork Landing Zone will automatically apply a best-practices security baseline to every new account using Terraform, as described in the next section.


Apply a best-practices security baseline to each AWS account

Automatically apply security baselines, defined in Terraform, to all your accounts. Whether you create the accounts using Terraform or Control Tower, this ensures that all of your accounts are properly configured with AWS CloudTrail, AWS Config, AWS Config rules, Amazon GuardDuty, Macie, IAM roles, IAM Access Analyzer, VPCs, and more.


Customize your AWS account baselines

You get 100% of the Terraform code for the security baselines, so you can extend or customize them any way you want, ensuring that every one of your accounts meets your company’s requirements.


Keep your code up to date automatically

With Patcher, keep your account baseline up to date automatically with the latest best practices, compliance requirements, AWS releases, Terraform releases, etc., even when those releases involve breaking changes.


Control Tower Integration: the best of both worlds (Enterprise only)

With the Gruntwork Landing Zone Control Tower Integration, you get the best of both worlds.

Use Control Tower to:

  • See all your accounts and OUs
  • Create new accounts
  • Ensure those accounts have CloudTrail, AWS Config, and AWS Identity Center (SSO) set up
  • Apply controls and guard rails (SCPs, AWS Config Rules) to your accounts
  • See which accounts and resources are non-compliant with your controls and guard rails

Use Terraform modules to:

  • Fill in features not supported by Control Tower: e.g., GuardDuty, Macie, IAM Access Analyzer, etc.
  • Customize the baseline applied to each account by updating the Terraform modules.
  • Integrate accounts created with Control Tower with your Terraform-managed infrastructure.
  • Stay up to date automatically using Patcher.

Docs

See our guide "How to configure a production-grade AWS account structure using Gruntwork AWS Landing Zone" for step-by-step instructions on how to set up your Terraform AWS Landing Zone.

Pricing

Gruntwork AWS Landing Zone is included as part of the Gruntwork Subscription. If you have questions about how it works or would like to see a demo, contact our sales team.