
AWS Landing Zone: A Hilarious Horror Story of Account Chaos
Setting up an AWS Landing Zone can feel like navigating a minefield. One wrong step, and boom – your deployment is in tatters. As an AWS Community Builder armed with $500 in credits, I embarked on a quest to create a Trusted Enclaves landing zone with Entra ID integration. What followed was a chaotic comedy of errors that turned a weekend project into an ongoing saga.
This article isn't just a cautionary tale. It's a blueprint for what not to do and how to potentially avoid similar pitfalls when deploying your AWS Landing Zone architecture.
My Grand (and Utterly Naive) AWS Landing Zone Plan
My initial plan was deceptively simple:
- Use my personal account with community credits.
- Deploy AWS Landing Zone Accelerator with Control Tower.
- Apply the Trusted Enclaves configuration.
- Connect everything to Entra ID.
Sounded easy enough, right? Prepare for a laugh riot.
Day 1: The Quota Request Black Hole
My first hurdle? Service quotas. A 12-hour wait just to increase my account quota. Patience is a virtue, they say. It was about to be tested.
Day 2: SCP Nightmares and Orphaned Accounts
After clearing the quota hurdle, I deployed stage one. That's when the real fun began. The Trusted Enclaves configuration tried to attach a sixth Service Control Policy (SCP) to an OU, and AWS Organizations allows at most five SCPs attached directly to any single root, OU, or account.
Thinking I was clever, I removed an all-access SCP, only to plunge my AWS Landing Zone deployment into chaos. New accounts lost trust relationships, and I dove into CloudWatch logs. Attempting manual fixes proved futile.
Key Takeaway: SCP limits bite you hard. Count the attachments on each OU before you deploy, and remember that SCPs are an allow list: an all-access policy such as the default FullAWSAccess is what permits anything at all, so removing it to free a slot denies everything beneath that OU. Free a slot by consolidating policies instead.
Days 3-4: Operation Clean Slate (Almost)
Frustrated, I decided to restart everything. The catch? Keeping my master billing account for those sweet, sweet credits. My plan:
- Close all child accounts.
- Remove all resources using bash scripts.
- Return the billing account to pristine condition.
- Try again.
Except, the Landing Zone Accelerator saw my suspended accounts as active, blocking new deployments. Ugh.
Days 5-6: Account Purgatory and Unexplained Errors
Now I needed AWS to unsuspend the accounts so I could properly remove them. Another support ticket, another 24-hour wait.
Once unsuspended, each account refused to leave, returning a generic error.
Current Status: Another support case is open, with no answers yet. It's like dealing with adult children who refuse to move out.
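Two of the failures above (Day 2's sixth SCP and the suspended accounts of Days 3-6) are cheap to catch before a deployment runs. The script below is an added example, not code from the original post or from the Landing Zone Accelerator. Its audit functions take the same dictionaries that boto3's Organizations client returns from list_policies_for_target() and list_accounts(), so they run here on constructed sample data (the policy and account IDs are made up); audit_live_organization() shows the real API calls, and the OU id "ou-example" is a placeholder.

```python
"""Offline pre-flight checks for an OU at the five-SCP attachment limit (or one
that has lost its FullAWSAccess allow) and for member accounts that are no
longer ACTIVE but still sit in the organization.

Added example; assumes only the documented boto3 Organizations response shapes.
"""
from typing import Dict, List

MAX_SCPS_PER_TARGET = 5                      # AWS Organizations limit per root, OU or account
FULL_ACCESS_POLICY_ID = "p-FullAWSAccess"    # AWS-managed SCP that allows everything by default


def audit_target_scps(policies: List[Dict], planned_new: int = 0) -> Dict:
    """Findings for one root/OU/account given its directly attached SCPs.

    policies:    the "Policies" list from list_policies_for_target(Filter="SERVICE_CONTROL_POLICY")
    planned_new: how many more SCPs a deployment intends to attach to this target
    """
    attached = len(policies)
    has_full_access = any(p.get("Id") == FULL_ACCESS_POLICY_ID for p in policies)
    return {
        "attached": attached,
        "headroom": MAX_SCPS_PER_TARGET - attached,
        "would_exceed_limit": attached + planned_new > MAX_SCPS_PER_TARGET,
        # SCPs are an allow list: with FullAWSAccess gone and no other allow
        # policy, every action under this target is implicitly denied.
        "full_access_missing": not has_full_access,
    }


def non_active_accounts(accounts: List[Dict]) -> List[Dict]:
    """Accounts whose Status is SUSPENDED or PENDING_CLOSURE rather than ACTIVE.

    accounts: the "Accounts" list from list_accounts(); closed accounts stay
    listed (and counted) for a while, which is what blocked the redeploy above.
    """
    return [
        {"Id": a["Id"], "Name": a.get("Name", ""), "Status": a["Status"]}
        for a in accounts
        if a.get("Status") != "ACTIVE"
    ]


def findings(target_id: str, scp_audit: Dict, stale: List[Dict]) -> List[str]:
    """Human-readable list of problems; an empty list means the pre-flight passed."""
    out = []
    if scp_audit["would_exceed_limit"]:
        out.append(f"{target_id}: {scp_audit['attached']} SCPs attached, limit is "
                   f"{MAX_SCPS_PER_TARGET}; consolidate policies before deploying")
    if scp_audit["full_access_missing"]:
        out.append(f"{target_id}: FullAWSAccess is not attached; verify another SCP "
                   f"allows the actions you need, otherwise everything is denied")
    for acct in stale:
        out.append(f"account {acct['Id']} ({acct['Name']}) is {acct['Status']}, not ACTIVE")
    return out


# Constructed sample data shaped like the API responses; IDs are not real.
SAMPLE_OU_POLICIES = [
    {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "AwsManaged": True},
    {"Id": "p-exampl01", "Name": "DenyLeaveOrg", "AwsManaged": False},
    {"Id": "p-exampl02", "Name": "DenyRootUser", "AwsManaged": False},
    {"Id": "p-exampl03", "Name": "RegionRestriction", "AwsManaged": False},
    {"Id": "p-exampl04", "Name": "ProtectLogging", "AwsManaged": False},
]
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "log-archive", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "old-workload", "Status": "SUSPENDED"},
    {"Id": "333333333333", "Name": "old-sandbox", "Status": "PENDING_CLOSURE"},
]


def demo() -> List[str]:
    """Run both checks on the constructed data, as if one more SCP were about to be attached."""
    return findings("ou-example",
                    audit_target_scps(SAMPLE_OU_POLICIES, planned_new=1),
                    non_active_accounts(SAMPLE_ACCOUNTS))


def audit_live_organization(target_id: str, planned_new: int = 0) -> List[str]:
    """Same checks against a real organization (needs boto3 and management-account
    credentials); the import is local so the offline demo runs anywhere."""
    import boto3
    org = boto3.client("organizations")
    policies, accounts = [], []
    for page in org.get_paginator("list_policies_for_target").paginate(
            TargetId=target_id, Filter="SERVICE_CONTROL_POLICY"):
        policies.extend(page["Policies"])
    for page in org.get_paginator("list_accounts").paginate():
        accounts.extend(page["Accounts"])
    return findings(target_id, audit_target_scps(policies, planned_new),
                    non_active_accounts(accounts))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to see the three findings the constructed data produces (the OU is full, and two accounts are not ACTIVE); point audit_live_organization() at each OU the accelerator will touch to get the same report for a real organization before kicking off a deployment.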
Hard-Earned Lessons from my AWS Landing Zone Deployment
Here's what I learned during this AWS Landing Zone deployment:
- Service Quotas Are Real: Request increases (accounts per organization, and anything else the accelerator will consume) before starting.
- SCPs Are Tricky: Five per root, OU, or account, and they are an allow list. Understand both before modifying anything.
- Document Everything: Every change. Every error. Every support response.
- Account Lifecycle is Complex: Closed accounts linger in the organization as SUSPENDED, and tooling may still count them. Understand the states and their implications.
- Double Your Time Estimate: What you think will take a weekend will take weeks.
Building AWS Landing Zones: The Community Connection
Have you attempted to deploy an AWS Landing Zone with enhanced security controls and Entra ID integration? What challenges did you face, whether with the Landing Zone deployment itself or with wiring Entra ID into AWS access management? Share your pain (and successes!). Let's learn from each other. Maybe we can finally figure out how to navigate this AWS Landing Zone together.