In our recent AWS Town Hall (recording), we discussed a challenge that resonates across the higher education landscape: managing multiple AWS accounts with a focus on strengthening security and maintaining compliance.
The session featured insights from AWS's higher education strategy team and technical experts who shared valuable perspectives on landing zones and AWS Control Tower.
Understanding the Challenge
Patrick Frontiera from AWS's higher education strategy team highlighted that higher education institutions face over 200 compliance regimes, with 24 specifically focused on IT. This complexity is further amplified by the decentralized nature of academic institutions, where IT responsibilities often span departments and research units.
The key challenges institutions face include:
- Managing numerous evolving compliance requirements
- Balancing innovation with security in decentralized environments
- Coordinating hybrid and multi-cloud infrastructures
- Maintaining consistent security policies across diverse departments
AWS's Approach to Solutions
AWS has developed a comprehensive approach to these challenges, building upon their shared responsibility model. As institutions move towards managed services, AWS takes on more of the security and compliance burden. Some notable solutions include:
- Support for 143 compliance programs relevant to higher education (including FERPA, HIPAA, and NIST 800-171)
- AWS Audit Manager for identifying compliance gaps
- AWS Artifact for generating compliance reports
Landing Zones: A Foundation for Success
Chris Kuehn, AWS Solutions Architect, introduced landing zones as AWS's strategic solution for creating secure, scalable environments. A well-designed landing zone includes:
- Built-in security guardrails and encryption
- Integration with university identity systems
- Unified billing processes
- Pre-configured networking
- Customizable development environments
The Evolution of Landing Zones
The journey of AWS landing zones reflects the maturing needs of higher education:
- Custom-Built Solutions (Early Days)
- AWS Organizations (2017) - Introducing consolidated management
- AWS Control Tower (2019) - Automating setup and management
- Customizations for Control Tower (2020) - Adding flexibility for specific needs
Implementation Best Practices
AWS recommends a flat organizational unit (OU) structure to maintain simplicity while accommodating diverse needs; a flat structure means no nested OUs. A typical OU structure includes:
- Management Account (central authority)
- Core OU (logging and auditing)
- Shared Services OU (common infrastructure)
- Central IT OU
- Sandbox OU (experimentation space)
- College/Department OUs
- Compliance-Specific OUs (e.g., HIPAA workloads)
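The flat-OU recommendation is easy to state but easy to drift away from once colleges start creating their own sub-OUs. The following Python example is added here for illustration and is not code from the town hall, from AWS, or from Control Tower: it audits a snapshot of an organization's OUs, flags any OU nested below the first level, and reports which of the expected top-level OUs are absent. The root ID, OU IDs, OU names (including "HIPAA" standing in for a compliance-specific OU) and the snapshot itself are constructed; in practice the list would be built from the Organizations API calls ListRoots and ListOrganizationalUnitsForParent.

```python
"""Audit an AWS Organizations OU layout against the flat-OU convention.

Added example; the snapshot below is constructed and does not describe a real
organization. Each record mirrors the fields returned by
ListOrganizationalUnitsForParent, with the parent ID recorded alongside.
"""
from collections import defaultdict

# Top-level OUs we expect to see (illustrative names; adjust to local naming).
EXPECTED_OUS = {"Core", "Shared Services", "Central IT", "Sandbox", "HIPAA"}

# Constructed root and OU snapshot. The last entry is deliberately nested to
# show what a violation of the flat-structure recommendation looks like.
ROOT_ID = "r-examp"
SAMPLE_OUS = [
    {"Id": "ou-examp-core0001", "Name": "Core", "ParentId": ROOT_ID},
    {"Id": "ou-examp-shrd0001", "Name": "Shared Services", "ParentId": ROOT_ID},
    {"Id": "ou-examp-cit00001", "Name": "Central IT", "ParentId": ROOT_ID},
    {"Id": "ou-examp-sbox0001", "Name": "Sandbox", "ParentId": ROOT_ID},
    {"Id": "ou-examp-engr0001", "Name": "College of Engineering", "ParentId": ROOT_ID},
    {"Id": "ou-examp-lab00001", "Name": "Robotics Lab", "ParentId": "ou-examp-engr0001"},
]


def index_children(ous):
    """Map each parent ID to the list of OUs directly beneath it."""
    children = defaultdict(list)
    for ou in ous:
        children[ou["ParentId"]].append(ou)
    return children


def find_nested_ous(ous, root_id):
    """Return (name, depth) for every OU more than one level below the root.

    Depth 1 is a direct child of the root and is allowed; anything deeper
    breaks the flat-OU recommendation.
    """
    children = index_children(ous)
    nested = []
    stack = [(root_id, 0)]
    while stack:
        parent_id, depth = stack.pop()
        for ou in children.get(parent_id, []):
            child_depth = depth + 1
            if child_depth > 1:
                nested.append((ou["Name"], child_depth))
            stack.append((ou["Id"], child_depth))
    return sorted(nested)


def find_missing_ous(ous, root_id, expected=EXPECTED_OUS):
    """Return the expected OU names that are not direct children of the root."""
    top_level = {ou["Name"] for ou in ous if ou["ParentId"] == root_id}
    return sorted(expected - top_level)


def audit(ous, root_id):
    """Run both checks and return a dict suitable for a report or a CI gate."""
    return {
        "nested": find_nested_ous(ous, root_id),
        "missing": find_missing_ous(ous, root_id),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OUS, ROOT_ID)
    for name, depth in report["nested"]:
        print(f"nested OU: {name!r} at depth {depth}")
    for name in report["missing"]:
        print(f"missing top-level OU: {name!r}")
```

Running the audit on a regular schedule (or as a gate before Control Tower changes are promoted from the development landing zone) turns the flat-structure guideline into something that can be checked rather than remembered.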
Practical Insights from Q&A
The session concluded with valuable questions from attendees. Key takeaways include:
- Testing Updates: Maintain a separate development landing zone for testing Control Tower updates
- Migration Strategy: Use a migration OU with relaxed controls for staging existing accounts
- Existing Organizations: While greenfield deployments are ideal, Control Tower can integrate existing accounts with proper planning
Looking Ahead
As compliance requirements continue to evolve, the structured approach offered by AWS landing zones becomes increasingly valuable. The key is to create guardrails, not roadblocks – enabling innovation while maintaining security.
For institutions looking to implement or optimize their landing zone strategy, AWS offers several solutions and support mechanisms:
- Landing Zone Accelerator (open-source solution)
- AWS Partner Network
- AWS Professional Services
Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.