AWS Landing Zone Implementation for Dutch Businesses

Building a secure, compliant, and scalable AWS foundation for Dutch enterprises

Introduction

For Dutch businesses embarking on their AWS journey, establishing a proper foundation is critical. An AWS Landing Zone provides a well-architected, multi-account AWS environment that serves as a secure and scalable starting point for your cloud infrastructure.

This guide walks you through implementing an AWS Landing Zone specifically tailored for Dutch enterprises, considering local regulations, compliance requirements, and best practices.

What is an AWS Landing Zone?

An AWS Landing Zone is a pre-configured, secure, multi-account AWS environment based on AWS best practices. It provides:

• Multi-account architecture using AWS Organizations
• Identity and access management centralization
• Network architecture with proper segmentation
• Security baseline and guardrails
• Logging and monitoring infrastructure
• Compliance controls for regulatory requirements

Why Dutch Businesses Need a Landing Zone

1. Regulatory Compliance

Dutch businesses must comply with:

• AVG (GDPR) - Data protection regulations
• NIS2 Directive - Cybersecurity requirements
• DNB regulations - For financial institutions
• NEN 7510 - For healthcare organizations

A properly configured Landing Zone helps ensure compliance from day one.

2. Scalability and Growth

Starting with a solid foundation allows your organization to:

• Scale seamlessly across multiple AWS accounts
• Maintain consistent security and governance
• Support different business units and projects
• Enable innovation without compromising security

3. Cost Management

Proper account structure enables:

• Clear cost allocation per business unit
• Centralized billing and reporting
• FinOps best practices implementation
• Resource optimization strategies

Core Components of an AWS Landing Zone

1. AWS Organizations Structure

Root
├── Security OU
│   ├── Log Archive Account
│   └── Security Audit Account
├── Infrastructure OU
│   ├── Network Account
│   └── Shared Services Account
├── Production OU
│   └── Production Workload Accounts
├── Development OU
│   └── Development Workload Accounts
└── Sandbox OU
    └── Sandbox Accounts

2. AWS Control Tower

AWS Control Tower automates the setup of your Landing Zone:

• Account Factory - Automated account provisioning
• Guardrails - Preventive and detective controls
• Dashboard - Centralized compliance view
• Account Vending Machine - Self-service account creation

3. Identity and Access Management

Centralized Identity:

• Integration with Azure AD or other Dutch identity providers
• SSO implementation for all AWS accounts
• MFA enforcement for all users
• Role-based access control (RBAC)

Service Control Policies (SCPs):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}

Example: Restrict resources to EU regions for GDPR compliance

4. Network Architecture

Hub-and-Spoke Model:

• Central Transit Gateway in Network account
• VPC per workload account
• Centralized egress/ingress control
• VPN/Direct Connect to on-premises infrastructure

Dutch Data Residency:

• Primary region: eu-west-1 (Ireland)
• Secondary region: eu-central-1 (Frankfurt)
• Ensure data stays within EU boundaries

5. Security Baseline

Essential Security Services:

• AWS CloudTrail - All API activity logging
• AWS Config - Resource compliance tracking
• Amazon GuardDuty - Threat detection
• AWS Security Hub - Centralized security findings
• AWS IAM Access Analyzer - Permission analysis

Encryption Standards:

• S3 bucket encryption enabled by default
• EBS volume encryption mandatory
• KMS keys for encryption management
• TLS 1.2+ for data in transit

Implementation Steps

Step 1: Planning Phase

Business Requirements:

1. Identify business units and project teams
2. Define account structure and naming conventions
3. Map compliance requirements (AVG/GDPR, NIS2, etc.)
4. Plan network architecture and connectivity

Technical Preparation:

1. Choose primary and secondary AWS regions
2. Design IP addressing scheme
3. Plan identity integration (Azure AD, ADFS, etc.)
4. Define tagging strategy

Step 2: Core Account Setup

1. Management Account:

# Enable AWS Organizations
aws organizations create-organization

# Enable all features
aws organizations enable-all-features

2. Log Archive Account:

• Centralized CloudTrail logs
• Config snapshots and history
• VPC Flow Logs aggregation
• Long-term retention (7+ years for compliance)

3. Security Audit Account:

• Security Hub aggregation
• GuardDuty findings
• IAM Access Analyzer
• Read-only access to all accounts

Step 3: AWS Control Tower Deployment

# Prerequisites check
aws sts get-caller-identity

# Deploy Control Tower via Console
# 1. Navigate to AWS Control Tower
# 2. Set up Landing Zone
# 3. Configure regions: eu-west-1, eu-central-1
# 4. Configure Log Archive and Audit accounts

Enable Guardrails:

• Mandatory: Disallow public S3 buckets
• Mandatory: Require MFA for root access
• Strongly Recommended: Detect unencrypted resources
• Elective: Restrict region usage to EU

Step 4: Network Setup

Transit Gateway Configuration:

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

// Network Account - Transit Gateway
const tgw = new ec2.CfnTransitGateway(this, 'CentralTGW', {
  description: 'Central Transit Gateway for all workloads',
  defaultRouteTableAssociation: 'enable',
  defaultRouteTablePropagation: 'enable',
  amazonSideAsn: 64512,
  tags: [
    { key: 'Environment', value: 'Network' },
    { key: 'DataResidency', value: 'EU' }
  ]
});

VPC Template for Workload Accounts:

• Public subnets: NAT Gateways, Load Balancers
• Private subnets: Application tier
• Isolated subnets: Database tier
• Transit Gateway attachment for inter-account communication

Step 5: Compliance Configuration

GDPR/AVG Compliance:

# AWS Config Rule for data residency
Resources:
  S3BucketRegionCheck:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-eu-region-only
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_REGION_CHECK
      InputParameters:
        allowedRegions: eu-west-1,eu-central-1

Encryption Enforcement:

# Service Control Policy - Require encryption
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": [
                        "AES256",
                        "aws:kms"
                    ]
                }
            }
        }
    ]
}

Step 6: Account Vending Automation

Account Factory Customization:

# Lambda function for custom account setup
import boto3

def lambda_handler(event, context):
    account_id = event['account_id']

    # Enable security services
    enable_guardduty(account_id)
    enable_security_hub(account_id)
    enable_config(account_id)

    # Create VPC from template
    create_standard_vpc(account_id)

    # Apply baseline security
    apply_baseline_security(account_id)

    return {
        'statusCode': 200,
        'body': f'Account {account_id} configured successfully'
    }

Best Practices for Dutch Organizations

1. Data Residency

✅ Do:

• Use only eu-west-1 and eu-central-1 regions
• Implement SCPs to prevent resource creation in other regions
• Document data location in asset inventory
• Use AWS Artifact for compliance documentation

❌ Don’t:

• Store EU citizen data in non-EU regions
• Use global services without understanding data flows
• Ignore data residency requirements in disaster recovery planning

2. Identity Federation

✅ Do:

• Integrate with existing Azure AD or identity provider
• Implement SSO for all AWS access
• Use role-based access with least privilege
• Enable MFA for all users

Example: Azure AD Integration:

# Configure SAML 2.0 identity provider
aws iam create-saml-provider \
  --name AzureAD \
  --saml-metadata-document file://azure-ad-metadata.xml

3. Cost Management

✅ Do:

• Tag all resources with cost center and project
• Use AWS Cost Explorer for analysis
• Implement budget alerts per account
• Regular FinOps reviews

Tagging Strategy:

{
  "CostCenter": "IT-001",
  "Project": "CustomerPortal",
  "Environment": "Production",
  "Owner": "team@company.nl",
  "Compliance": "AVG"
}

4. Security Monitoring

✅ Do:

• Centralize logs in Log Archive account
• Enable all security services (GuardDuty, Security Hub, Config)
• Configure alerts for compliance violations
• Regular security audits and reviews

Common Challenges and Solutions

Challenge 1: Existing AWS Accounts

Solution: Use AWS Control Tower Account Factory to enroll existing accounts:

# Register existing account
aws controltower enroll-account \
  --account-id 123456789012 \
  --organizational-unit ou-xxxx-xxxxxxxx

Challenge 2: On-Premises Integration

Solution: Implement hybrid connectivity:

• AWS Direct Connect from Dutch data center
• Site-to-Site VPN as backup
• Transit Gateway for centralized routing
• DNS integration with Route 53 Resolver

Challenge 3: Compliance Auditing

Solution: Automated compliance reporting:

# AWS Config compliance report
import boto3

config = boto3.client('config')

# Get compliance summary
response = config.get_compliance_summary_by_config_rule()

for rule in response['ComplianceSummary']:
    print(f"Rule: {rule['RuleName']}")
    print(f"Compliance: {rule['Compliance']['ComplianceType']}")

Migration Strategy

Phase 1: Foundation (Weeks 1-2)

• Set up AWS Organizations
• Deploy Control Tower
• Configure core accounts (Log Archive, Audit)
• Implement network architecture

Phase 2: Security & Compliance (Weeks 3-4)

• Enable security services
• Configure guardrails and SCPs
• Implement identity federation
• Set up compliance monitoring

Phase 3: Workload Accounts (Weeks 5-6)

• Create account vending automation
• Deploy first workload accounts
• Migrate pilot workloads
• Validate compliance

Phase 4: Scale & Optimize (Weeks 7-8)

• Roll out to all business units
• Implement FinOps practices
• Optimize costs and performance
• Knowledge transfer and training

Conclusion

Implementing an AWS Landing Zone is a critical first step for Dutch businesses adopting AWS. By following this guide and considering Dutch-specific requirements like AVG/GDPR compliance and data residency, you can build a secure, scalable, and compliant cloud foundation.

Key Takeaways:

• Start with a solid multi-account architecture
• Ensure EU data residency from day one
• Automate compliance and security controls
• Plan for scale and growth
• Integrate with existing Dutch infrastructure

Ready to implement your AWS Landing Zone? Contact Forrict for expert guidance tailored to Dutch enterprises.

Resources

• AWS Control Tower Documentation
• AWS Organizations Best Practices
• GDPR on AWS
• NIS2 Directive Resources