July 1, 2025

How to Configure an AWS Landing Zone with Terraform

Setting up a secure, scalable AWS foundation across multiple accounts isn’t something to piece together manually. AWS Control Tower and Terraform together offer a reliable way to automate your landing zone with governance, identity, and network baselines already in place.

Since this post was first published, AWS has rolled out several updates to Control Tower and Terraform tooling that are worth integrating into your approach.

What’s New in 2025

1. Expanded Control Tower Features
Control Tower now supports more AWS Config rules and gives you a centralized view of all enabled controls. You can view applied policies, resource baselines, and non-compliant resources directly from the dashboard. This simplifies governance at scale.

2. Improved Account Factory for Terraform (AFT)
The AFT module now allows custom VPC deployment during account provisioning. You can set project-specific tags, control naming conventions, and deploy standardized templates right out of the box. It’s more flexible and better suited for larger organizations managing many workloads.

3. Landing Zone Accelerator Available
If you need to align with regulatory or security frameworks, AWS now offers the Landing Zone Accelerator. It extends Control Tower with guardrails, security services, and compliance-aligned templates. You can still use Terraform to configure and manage these resources, including automated pipelines for updating your accounts.

4. Updated Terraform Best Practices
Recent AWS guidance recommends that teams use remote backends, clear module separation, consistent naming conventions, and locked provider versions. These changes help avoid drift and reduce issues with shared state files.

How to Get Started with Terraform and Control Tower

  1. Set up Control Tower
    Use the AWS console to initialize Control Tower in your management account. This creates your organizational units (OUs), the Log Archive and Audit accounts, and a few service control policies by default.
  2. Install and Configure AFT
    AFT provides a structure for managing new account creation with pre-approved Terraform modules. You’ll deploy AFT into its own pipeline account, which watches for new configuration files and provisions accounts accordingly.
  3. Write Account Configs in Terraform
    Define each account’s purpose, tags, and any custom modules (like VPCs or IAM roles). AFT picks up these configurations and handles the rest.
  4. Manage with Git
    AFT is Git-aware, so your account definitions and infrastructure modules are version-controlled and auditable.
  5. Monitor Compliance and Controls
    Use Control Tower’s dashboard to monitor applied guardrails, check compliance, and investigate policy violations. You can also integrate Control Tower with Security Hub for additional visibility.

Best Practices for 2025

  • Use AFT to reduce the complexity of multi-account provisioning
  • Adopt the Landing Zone Accelerator if your org requires stricter compliance standards
  • Separate your Terraform modules cleanly and pin provider versions
  • Use S3 and DynamoDB for Terraform state storage in a central management account
  • Monitor Control Tower compliance dashboards regularly and remediate drift
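The steps above and the state-storage and version-pinning practices in this list come together in a single AFT account request. The following is an added example, not code from the original post or from the AFT project; the bucket and table names, OU, e-mail addresses, tags and customization name are assumed placeholders, while the module path and parameter names follow the AFT account-request repository layout.

```hcl
# Assumed placeholders: bucket, table, OU, e-mails and tags are examples only.
terraform {
  required_version = "~> 1.9"
  # Pin the provider so every pipeline run resolves the same version.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.80"
    }
  }
  # Remote state in the management account: encrypted S3 object plus a
  # DynamoDB lock table so two concurrent applies cannot corrupt the state.
  backend "s3" {
    bucket         = "example-org-terraform-state"
    key            = "aft-account-requests/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-org-terraform-lock"
  }
}

# One account request. AFT's account-request repository ships this module
# under ./modules/aft-account-request; the pipeline picks the request up
# from Git and provisions the account through Control Tower's Account Factory.
module "workload_dev_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "aws-workload-dev-01@example.com"
    AccountName               = "workload-dev-01"
    ManagedOrganizationalUnit = "Workloads" # OU must already exist in Control Tower
    SSOUserEmail              = "platform-admin@example.com"
    SSOUserFirstName          = "Platform"
    SSOUserLastName           = "Admin"
  }

  # Tags land on the account itself and feed ownership and cost reporting.
  account_tags = {
    "Owner"       = "platform-team@example.com"
    "Environment" = "dev"
  }
  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "New development workload account"
  }
  # Names the folder in the account-customizations repo (e.g. baseline VPC,
  # IAM roles) that AFT applies after the account is created.
  account_customizations_name = "workload-baseline"
}
```

Enable versioning on the state bucket so a bad apply can be rolled back, and restrict write access to the bucket and lock table to the pipeline role, since anyone who can edit state can redirect what the next apply does.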

Summary

Setting up an AWS Landing Zone used to require a lot of custom scripting. That’s no longer the case. With AWS Control Tower, AFT, and Terraform, you can launch and manage a well-governed AWS environment at scale with repeatable infrastructure and clear accountability. The tooling has improved. The best practices are well defined. It’s a good time to revisit how you structure your AWS foundation.