
AWS Landing Zone: When Good Intentions (and $500 Credits) Go Bad
Planning to deploy an AWS Landing Zone with Entra ID integration? Learn from my mistakes! As an AWS Community Builder, I set out to build a Trusted Enclaves landing zone and document the process, but quickly learned that even "straightforward" AWS projects can turn into multi-day troubleshooting sagas. This is my cautionary tale—so you can avoid the same pitfalls when deploying your own with the AWS Landing Zone Accelerator.
Day 1: Service Quotas – The First Sign of Land(ing Zone) Trouble
My initial plan was simple: use my AWS credits, deploy the Landing Zone Accelerator, apply the Trusted Enclaves config, and connect to Entra ID. The first roadblock? Service quotas.
- The speed bump: A 12-hour wait just to increase my account quota. I should have requested the quota increase far in advance - lesson learned!
Day 2: SCPs and Account Trust – Where My Landing Zone Dreams Died
The nightmare truly began after deploying stage one and applying the Trusted Enclaves configuration. The sixth Service Control Policy (SCP) was the culprit.
- SCP limits: AWS defaults to a maximum of five SCPs per OU. The config tried to apply a sixth.
- The domino effect: Removing the "all access" SCP was a huge mistake. The newly-created accounts lost trust with the audit and master billing accounts.
- Trust is key: Without established trust, accounts fall outside the organization's control.
Avoid account trust issues: Carefully plan your SCPs and stay within quota limits.
Days 3-4: The Clean Slate (That Wasn't)
I scrapped everything and started from scratch. The goal? A pristine master billing account (to keep those sweet $500 credits) and a fresh deployment.
- The challenge: The Landing Zone Accelerator still detected my suspended accounts as active.
- Bash to the rescue: Use scripts to hunt down and terminate lingering AWS resources.
Before redeploying, ensure all resources from any previous attempts are completely gone.
Days 5-6: Account Purgatory – My AWS Accounts Refused to Leave!
The suspended accounts needed unsuspending, resource cleaning, and proper removal from the organization.
- Unexplained errors: Accounts refused to leave the organization, giving no reason for the failure.
- Lesson Learned: Understanding the AWS Account Lifecycle States. AWS accounts have complex lifecycle states that can affect operations in non-obvious ways.
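Two of the failures above, the sixth SCP that pushed an OU past the quota and the suspended accounts the Accelerator still detected, are things a preflight check can catch before the deployment runs. The following Python is an added example, not part of the original post or of the Landing Zone Accelerator itself; the account list and SCP attachments are constructed inline in the shape the Organizations API returns, so it runs offline, and a real run would fill them from `aws organizations list-accounts` and `aws organizations list-policies-for-target`.

```python
# Preflight checks for an AWS Landing Zone redeploy (added example, constructed data).
# Data shapes mirror AWS Organizations list_accounts / list_policies_for_target output.

SCP_LIMIT_PER_TARGET = 5  # AWS default quota for SCPs attached to one root, OU or account

# Constructed snapshot of an organization left behind by a previous attempt
ACCOUNTS = [
    {"Id": "111111111111", "Name": "Management", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "Audit", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "LogArchive", "Status": "SUSPENDED"},
    {"Id": "444444444444", "Name": "Workload-Prod", "Status": "PENDING_CLOSURE"},
]

# SCP names already attached to each OU (constructed)
ATTACHED_SCPS = {
    "Infrastructure": ["FullAWSAccess", "DenyRootUser", "DenyLeaveOrg", "DenyRegions"],
    "Workloads": ["FullAWSAccess", "DenyRootUser"],
}

# SCP names the new configuration intends to attach per OU (constructed)
PLANNED_SCPS = {
    "Infrastructure": ["DenyPublicS3", "DenyUnencryptedEBS"],
    "Workloads": ["DenyPublicS3"],
}


def accounts_not_active(accounts):
    """IDs of accounts the deployment will still see but cannot use (suspended, closing...)."""
    return [a["Id"] for a in accounts if a["Status"] != "ACTIVE"]


def scp_overflows(attached, planned, limit=SCP_LIMIT_PER_TARGET):
    """Map OU -> projected SCP count for every OU that would exceed the quota."""
    overflows = {}
    for ou, new in planned.items():
        projected = set(attached.get(ou, [])) | set(new)  # re-attaching a policy is not a new slot
        if len(projected) > limit:
            overflows[ou] = len(projected)
    return overflows


def preflight(accounts=ACCOUNTS, attached=ATTACHED_SCPS, planned=PLANNED_SCPS):
    """Collect every blocker at once so they can all be fixed before the deployment runs."""
    findings = []
    for acct in accounts_not_active(accounts):
        findings.append(f"account {acct} is not ACTIVE; remove or reactivate it before deploying")
    for ou, count in scp_overflows(attached, planned).items():
        findings.append(f"OU {ou} would carry {count} SCPs, over the limit of {SCP_LIMIT_PER_TARGET}")
    return findings


if __name__ == "__main__":
    for line in preflight():
        print(line)
```

Run against the constructed snapshot it reports the two non-active accounts and the Infrastructure OU, which would end up with six SCPs; an empty list means nothing obvious stands in the way.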
Critical Takeaways for Your AWS Landing Zone Implementation
Don't repeat my mistakes! Keep these lessons in mind when deploying your AWS Landing Zone:
- Service Quotas are Important: Request your necessities well before deployment.
- SCPs are powerful, and SCP limits are real: Plan them and understand their impact early.
- Documentation is your lifeline: Track everything. Every. Single. Thing.
- Account Lifecycle Awareness: Suspended vs. closed vs. active—know the differences.
- Time Allocation: Triple your initial estimate, because what looks simple easily explodes.
Deploying AWS Landing Zone with Control Tower and Enhanced Security? Share Your Story
Have you braved the AWS Landing Zone setup (especially with advanced security controls)? What hurdles did you encounter? I'd love to compare notes! Share your own tales of AWS triumphs (or tribulations) in the comments below.