A best-practice framework for enterprise-grade AWS environments: secure, compliant, serverless, cloud-native

Whether you're starting your cloud journey or you're a seasoned cloud veteran, governing your cloud resources and ensuring that they conform to necessary standards is not an easy task. Although security best-practices guides exist and are publicly available, knowing which services to use, how to configure them, and how to perform these tasks at scale can easily end up in misconfiguration unless it's done in a clear, automated, and repeatable way.

AllCloud's Next-Generation Landing Zone (NGLZ) consulting offer provides a fully automated enterprise-scale governance and security framework that configures and updates multi-account, multi-region AWS Organizations organizational units (OUs) based on AWS services. The offer has already been deployed across a large number of AllCloud customers of all sizes and it continues to grow and evolve alongside the AWS ecosystem with periodic version updates and releases.


AWS Partner Network | Competency


Austria, Canada, Germany, Israel, Switzerland, United States


Easily applied cloud best practices

Uses configured templates based on industry standards, compliance frameworks, and AWS best practices.

Single-pane-of-glass observability

Findings, alerts, and notifications are consolidated into AWS Security Hub and pushed to an external SIEM.

Cost governance and control

Central control over accounts limits and budgets, with cost control monitoring and alerts.

Flexible and expandable

Open framework with settings, configurations, and templates customizable to support third-party tools.

  • How it works
  • Key activities
  • Customer contribution
  • About this consultant
  • Architecture diagram
  • How it works
  • NGLZ is a fully automated, enterprise-scale governance and security solution. It is built to configure and update multi-account, multi-region AWS Organizations OUs and based on AWS services. The solution works as a security baseline to lay the foundation for a cloud migration or any modernization journey, or to manage large growing AWS environments. The process of onboarding to NGLZ consists of two parts: technical design sessions and NGLZ framework deployment.

    The technical design sessions are intended to map out the customer's business needs. They are held between AllCloud's solutions architects (SAs) and the customer's stakeholders in research and development, security, networking, finance, and operations. Technical design sessions cover AWS account structure, AWS Identity and Access Management structure, business continuity, backup policies, compliance requirements, and more.

    The solution offers three predefined OU profiles (Sandbox, Non-Production, and Production). Customizable elements include a serverless orchestration pipeline that uses AWS Developer Tools and AWS Step Functions, and a built-in Amazon Machine Images (AMI) factory to create, share, deploy, and customize AMIs across OUs with automated delivery workflows. Flexible network blueprints offer customizable network topologies using AWS shared subnets with virtual private clouds (VPCs) protected by AWS WAF.

    The deployment of NGLZ is simple and straightforward through AWS Service Catalog. Once the framework has been deployed, AllCloud's engineers will configure the solution alongside the customer according to the requirements from the technical design sessions to ensure that by the end of the process the customer has the necessary know-how to operate and manage the framework. Cost governance and control are assured by enabling detective guardrails for unused resources and setting resource limits and account budget alerts.

    NGLZ implements AWS security best practices using services such as AWS Control Tower, AWS Key Management Service (AWS KMS), AWS Config, Amazon GuardDuty, AWS Security Hub, Amazon Inspector, and AWS Service Catalog. Robust and customizable security policies can include public Amazon Simple Storage Service (Amazon S3) buckets, encryption, key deletion, custom alerts, and backup, as well as incident response using cloud-native tools, automated indicators of compromise (IoC) detection and response, and SIEM integration. NGLZ builds on AWS Control Tower to provide a single end-to-end framework for security orchestration and visibility that meets the most stringent security, governance, and compliance standards and regulations.

  • Key activities
  • 1) Technical design sessions

    Meetings between AllCloud’s SAs and customer stakeholders to map out business needs

    2) NGLZ framework deployment

    Deployment of NGLZ through AWS Service Catalog

    3) Configuration and customization

    AllCloud’s engineers will configure the framework alongside the customer according to the requirements from the technical design sessions

    4) Flexible network blueprints

    Customizable network topologies using AWS shared subnets with flexible virtual private clouds (VPCs) protected by AWS WAF

    5) Data protection

    Enforce security policies such as public Amazon Simple Storage Service (Amazon S3) buckets, encryption, key deletion, custom alerts, and backup

    6) Incident response

    Investigate incidents using cloud-native tools, automated indicators of compromise (IoC) detection and response, and SIEM integration

    7) Cost governance and control

    Enable detective guardrails for unused resources, setting resources limits and account budget alerts

  • Customer contribution
  • AWS Organizations

    An AWS account with AWS Organizations configured ("All Features" enabled)

    AWS Organizations account access

    Admin access to the AWS Organizations main account

    Git knowledge

    Basic knowledge in Git to maintain and operate the NGLZ configuration files

  • About this consultant
  • AllCloud is an AWS Partner and a global player in the cloud managed services market for a range of customers from startups to multibillion-dollar companies or divisions. AllCloud has achieved a number of AWS Competencies including the AWS Migration, AWS DevOps, and AWS Security Competencies. AllCloud works in a DevOps culture of speed, automation, re-use, and best practices and has the agility, experience, expertise, competencies, and proven methodology to design, deliver, and support strategic, holistic digital transformation and IT modernization road maps.

    AllCloud's offerings range from world-class advisory services to best-in-class design patterns, prebuilt ready-to-deploy technology assets, and fully managed services. No matter how simple or complex the project, however, AllCloud works closely with its customers to ensure that they benefit from short time to value, mitigated risk, and optimized cloud operations. AllCloud's phased build-and-grow approach captures business value from Day 1 and continuously drives customer success.

  • Architecture diagram

Ready to get started?

AWS Partner Highlights

AllCloud’s AWS validated qualifications, customer references, and office locations.

AWS Competency Details

AllCloud has demonstrated deep AWS technical expertise and proven customer success.

Blog Post

Best Practices for Organizational Units with AWS Organizations

AWS Marketplace Details

View and procure AllCloud's solution in AWS Marketplace.

Explore icon
Explore all Consulting Offers

Browse our portfolio of Consulting Offers to get AWS verified help with solution deployment.

Learn more 
Build icon
Deploy a solution yourself

Browse our library of AWS self-deploy solutions to common architectural problems.

Learn more 
Find an APN Partner icon
Find an AWS Partner

Engage with AWS Partners for secure, innovative, and cost-effective custom solutions that leverage the power and scalability of AWS services to meet your needs.

Learn more