Cloud architecture

Landing zones that survive an audit

A pragmatic walkthrough of multi-account AWS landing zones built for SOC 2 and ISO 27001 — what to centralise, what to delegate, and where automation pays back fastest.

Brian · 12 April 2026 · 8 min read

Most landing zones fail audit not because of missing controls, but because nobody can produce the evidence on demand. The fix is architectural: design so that evidence is a query, not a screenshot exercise.

Centralise the boring things

Identity, networking, logging and billing belong in dedicated accounts owned by a small platform team. Push everything else into workload accounts where teams move fast inside guardrails. This split is what makes both auditors and product engineers happy at the same time.

Treat guardrails as code

Service Control Policies, IAM permission boundaries, AWS Config rules and CloudTrail organization trails should all live in version control alongside the landing-zone Terraform. A pull request is the only legitimate way to change a guardrail — and the diff IS the audit trail.

Make evidence cheap

Aggregate CloudTrail, Config, GuardDuty and IAM Access Analyzer findings into a single security account with Athena or a SIEM on top. When the auditor asks 'show me every privileged role assumption in Q1', the answer is one query, not a six-person scramble.
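As an added example (not code from the original post), this is what that one query looks like in Athena against an organization-trail table. It assumes a table named cloudtrail_logs with the standard CloudTrail schema, year/month partition columns, and a hypothetical naming convention in which privileged roles carry Admin, BreakGlass or SecurityAudit in their name.

```sql
-- Added example: every privileged role assumption in Q1 2026, from an
-- organization CloudTrail table queried with Athena.
-- Assumptions (not from the original post): table name cloudtrail_logs,
-- standard CloudTrail columns, year/month partitions, and the role naming
-- convention matched by the regexp below.
SELECT
  eventtime,
  useridentity.arn                                    AS caller_arn,
  useridentity.accountid                              AS caller_account,
  json_extract_scalar(requestparameters, '$.roleArn') AS assumed_role_arn,
  recipientaccountid                                  AS target_account,
  sourceipaddress,
  errorcode   -- NULL on success; denied attempts are evidence too, so keep them
FROM cloudtrail_logs
WHERE eventsource = 'sts.amazonaws.com'
  AND eventname IN ('AssumeRole', 'AssumeRoleWithSAML', 'AssumeRoleWithWebIdentity')
  -- partition pruning first (cheap), then the exact window on eventtime
  AND year = '2026'
  AND month IN ('01', '02', '03')
  AND eventtime BETWEEN '2026-01-01T00:00:00Z' AND '2026-03-31T23:59:59Z'
  -- hypothetical naming convention for privileged roles
  AND regexp_like(json_extract_scalar(requestparameters, '$.roleArn'),
                  '/(Admin|BreakGlass|SecurityAudit)')
ORDER BY eventtime;
```

Export the result set as the audit artifact; the saved query text plus its output is reproducible in a way a screenshot never is.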

Where automation pays back fastest

The candidates are account vending, baseline IAM, network attachment and break-glass paths. Each of these is high-friction when manual and high-risk when inconsistent. Automating them removes a class of human error and frees the platform team to work on the genuinely hard problems.
