How would you design a landing zone for a new organisation adopting AWS at scale?
AWS · Advanced level
Answer
A landing zone for AWS at scale establishes the account structure, organizational units (OUs), identity, networking, centralized logging, security guardrails, tagging, budgets, account vending, and baseline IaC so teams can move fast within controlled boundaries.
Technical explanation
A landing zone should make the secure path the easy path through automated account vending and standard baselines.
A mature AWS foundation standardizes identity, accounts, networking, logging, security, tags, budgets, and deployment guardrails before teams scale usage.
The platform should provide paved roads: account vending, baseline modules, CI/CD patterns, observability, and clear ownership.
Guardrails should enable safe self-service rather than forcing every team through manual platform tickets.
Hands-on example
1. Create OUs, baseline accounts, IAM Identity Center permission sets, central logging, security services, network baselines, budgets, and required tags.
2. Define preventive guardrails with SCPs (for example, deny leaving the organization, disabling CloudTrail or GuardDuty, or deploying outside approved Regions) and detective guardrails with AWS Config, GuardDuty, Security Hub, CloudTrail, and IAM Access Analyzer.
3. Build account vending so new accounts receive standard VPC, logging, KMS, budget, tags, and CI/CD bootstrap automatically.
4. Test with a new workload account and verify developers can deploy safely without bypassing governance.
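Steps 2 and 4 above can be exercised together: write the preventive SCP as a document, then run a set of representative API intents through it before attaching it to the workload OU. The block below is an added example, not code from the original page. The allowed Regions, the list of global-service exemptions, and the test cases are constructed sample values, and `scp_denies` is a deliberately simplified model of SCP evaluation (explicit Deny statements with `Action`/`NotAction`, `StringEquals` and `StringNotEquals` conditions only); it is not a replacement for the IAM policy simulator or for testing in a sandbox account.

```python
"""Preventive guardrails as an SCP, plus a minimal offline evaluator.

Added example for the landing-zone steps above; not code from the page.
Region list, exemptions and test cases are constructed sample values.
"""
import fnmatch
import json

# Constructed sample values: Regions the workload OU may use.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]

# Global services carry no meaningful aws:RequestedRegion, so they are
# exempted from the Region guardrail to keep IAM, Organizations, etc. usable.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*",
]


def build_workload_scp(allowed_regions):
    """Return the SCP document for the workload OU as a Python dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyLeavingOrganization",
                "Effect": "Deny",
                "Action": ["organizations:LeaveOrganization"],
                "Resource": "*",
            },
            {
                # Protects the detective controls from being switched off.
                "Sid": "ProtectSecurityServices",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail",
                    "config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder",
                    "guardduty:DeleteDetector",
                    "guardduty:DisassociateFromAdministratorAccount",
                    "securityhub:DisableSecurityHub",
                ],
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            },
        ],
    }


def _matches(patterns, action):
    """Case-insensitive IAM-style wildcard match of an action name."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the subset of condition operators this example supports."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = context.get(key)  # a missing key stays None
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def scp_denies(scp, action, context):
    """Return the Sid of the first matching Deny statement, or None if allowed."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:
            hit = not _matches(stmt["NotAction"], action)
        if hit and _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed test cases: (action, request context, expected denying Sid).
GUARDRAIL_TEST_CASES = [
    ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}, None),
    ("ec2:RunInstances", {"aws:RequestedRegion": "us-west-2"}, "DenyOutsideAllowedRegions"),
    ("iam:CreateRole", {}, None),
    ("cloudtrail:StopLogging", {"aws:RequestedRegion": "eu-west-1"}, "ProtectSecurityServices"),
    ("organizations:LeaveOrganization", {}, "DenyLeavingOrganization"),
]


def verify_guardrails(scp, cases=GUARDRAIL_TEST_CASES):
    """Step 4: confirm each intent gets the expected verdict; return failures."""
    return [(a, ctx, want, scp_denies(scp, a, ctx))
            for a, ctx, want in cases if scp_denies(scp, a, ctx) != want]


if __name__ == "__main__":
    scp = build_workload_scp(ALLOWED_REGIONS)
    print(json.dumps(scp, indent=2))
    print("guardrail failures:", verify_guardrails(scp))
```

The point of keeping the SCP as data is that the same document the pipeline attaches to the OU is the one the tests run against, so a later edit that accidentally drops the global-service exemption or a protected action shows up as a failed case rather than as a locked-out account.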