5 AWS Landing Zone Mistakes That Cost Startups Months
A well-designed AWS landing zone is the foundation everything else builds on. Get it wrong, and you’ll spend months untangling the mess. Here are the five most common mistakes we see — and how to avoid them.
1. Single Account for Everything
The most common anti-pattern: one AWS account for dev, staging, production, and shared services. It starts simple and becomes a nightmare.
Why it hurts:
- IAM policies become impossibly complex
- Cost allocation is guesswork
- A misconfigured dev resource can take down production
- Blast radius is unbounded
The fix: Multi-account strategy from day one. At minimum: management, security, log archive, shared services, and separate workload accounts per environment.
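As an added illustration (not code from the original post), here is the minimum account layout described above expressed in Terraform with the AWS provider: an organization with SCPs enabled, a Security OU and a Workloads OU, one account per role and per environment, and a guardrail SCP on the workload OU. OU names, account names, e-mail addresses and the choice of denied actions are assumptions.

```hcl
# Added example (not from the original post): minimum landing-zone account
# layout. Assumes the AWS provider runs with management-account credentials;
# OU names, account names and e-mail addresses are placeholders.

resource "aws_organizations_organization" "this" {
  feature_set          = "ALL" # required for SCPs and delegated security admins
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "guardduty.amazonaws.com",
    "sso.amazonaws.com",
  ]
}

resource "aws_organizations_organizational_unit" "security" {
  name      = "Security"
  parent_id = aws_organizations_organization.this.roots[0].id
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.this.roots[0].id
}

# One account per role and per environment, so an IAM policy, a bill and a
# blast radius each stop at an account boundary.
locals {
  security_accounts = {
    "security-tooling" = "aws+security@example.com" # placeholder
    "log-archive"      = "aws+logs@example.com"     # placeholder
  }
  workload_accounts = {
    "shared-services"  = "aws+shared@example.com"  # placeholder; often its own OU
    "workload-dev"     = "aws+dev@example.com"     # placeholder
    "workload-staging" = "aws+staging@example.com" # placeholder
    "workload-prod"    = "aws+prod@example.com"    # placeholder
  }
}

resource "aws_organizations_account" "security" {
  for_each  = local.security_accounts
  name      = each.key
  email     = each.value
  parent_id = aws_organizations_organizational_unit.security.id
}

resource "aws_organizations_account" "workload" {
  for_each  = local.workload_accounts
  name      = each.key
  email     = each.value
  parent_id = aws_organizations_organizational_unit.workloads.id
}

# Guardrail SCP for every workload account: even a full administrator in the
# dev account cannot pull the account out of the organization or switch off
# the audit trail. The action list is an assumption, not a complete baseline.
data "aws_iam_policy_document" "workload_guardrails" {
  statement {
    sid       = "DenyLeaveOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }
  statement {
    sid    = "ProtectAuditTrail"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
      "guardduty:DeleteDetector",
      "guardduty:DisassociateFromAdministratorAccount",
    ]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "workload_guardrails" {
  name    = "workload-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.workload_guardrails.json
}

resource "aws_organizations_policy_attachment" "workload_guardrails" {
  policy_id = aws_organizations_policy.workload_guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

Two caveats worth knowing before applying something like this: SCPs never apply to the management account itself, which is one more reason to keep workloads out of it, and an SCP is a ceiling, not a grant, so the IAM policies inside each account still have to be written with least privilege.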
2. No Centralized IAM Strategy
Every team creates their own IAM users, their own policies, their own access patterns. Six months in, you have 200 IAM users, no MFA enforcement, and access keys that haven’t been rotated since creation.
The fix: AWS IAM Identity Center (SSO) from the start. Federate with your identity provider, use permission sets, and enforce MFA at the organization level.
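The following is an added example, not from the original post, of what the Identity Center pattern looks like in Terraform: a group that is synced from the identity provider, a permission set with a short session lifetime and an AWS managed policy, and an assignment that maps the group to one workload account. It assumes Identity Center is already enabled for the organization; the group name and account id are placeholders.

```hcl
# Added example (not from the original post): an IAM Identity Center permission
# set assigned to a group. Assumes Identity Center is enabled for the
# organization and a "Developers" group is synced from the IdP; the account id
# and group name are placeholders.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  dev_account_id    = "111111111111" # placeholder
}

# Groups come from the identity provider; no IAM users are created anywhere.
data "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "Developers" # placeholder group name
    }
  }
}

# A permission set is a role template: short-lived sessions replace access
# keys, and one reviewed policy replaces per-team hand-written IAM policies.
resource "aws_ssoadmin_permission_set" "developer" {
  name             = "DeveloperReadOnly"
  description      = "Read-only access for developers"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H" # ISO 8601 duration; credentials expire on their own
}

resource "aws_ssoadmin_managed_policy_attachment" "developer" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
}

# Assignment: group -> permission set -> account. Onboarding a person means
# adding them to the group in the IdP; offboarding removes every account at once.
resource "aws_ssoadmin_account_assignment" "developers_dev" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn
  principal_id       = data.aws_identitystore_group.developers.group_id
  principal_type     = "GROUP"
  target_id          = local.dev_account_id
  target_type        = "AWS_ACCOUNT"
}
```

Note that the MFA requirement itself is not part of a permission set: it is configured in Identity Center's authentication settings, or enforced by the external identity provider when you federate. To stop the old pattern from creeping back, pair this with an SCP on the workload OU that denies `iam:CreateUser` and `iam:CreateAccessKey`.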
3. Logging as an Afterthought
CloudTrail is enabled but nobody looks at it. VPC Flow Logs don’t exist. GuardDuty isn’t turned on. When something goes wrong, you have no forensic trail.
The fix: Centralized logging account with CloudTrail organization trails, Config rules, GuardDuty, and Security Hub — all feeding into a dedicated log archive account.
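As an added example (not from the original post), this is the core of that setup in Terraform: an organization trail created in the management account that delivers into a versioned bucket owned by the log archive account, with a bucket policy scoped to that one trail. It assumes two provider aliases, `management` and `log_archive`; the bucket name and home region are placeholders.

```hcl
# Added example (not from the original post): an organization trail owned by
# the management account that delivers into a bucket in the log-archive
# account. Assumes provider aliases "management" and "log_archive"; the bucket
# name and home region are placeholders.

data "aws_organizations_organization" "this" {
  provider = aws.management
}

locals {
  home_region = "eu-west-1" # placeholder
  trail_name  = "org-trail"
  mgmt_id     = data.aws_organizations_organization.this.master_account_id
  org_id      = data.aws_organizations_organization.this.id
  # Built by hand so the bucket policy can name the trail before it exists.
  trail_arn = "arn:aws:cloudtrail:${local.home_region}:${local.mgmt_id}:trail/${local.trail_name}"
}

resource "aws_s3_bucket" "trail" {
  provider = aws.log_archive
  bucket   = "example-org-cloudtrail-logs" # placeholder, must be globally unique
}

# Versioned: log objects can be added but not silently replaced.
resource "aws_s3_bucket_versioning" "trail" {
  provider = aws.log_archive
  bucket   = aws_s3_bucket.trail.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CloudTrail writes member-account logs under AWSLogs/<org-id>/ and the
# management account's own logs under AWSLogs/<account-id>/. The SourceArn
# condition limits the grant to this one trail.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.trail.arn}/AWSLogs/${local.org_id}/*",
      "${aws_s3_bucket.trail.arn}/AWSLogs/${local.mgmt_id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  provider = aws.log_archive
  bucket   = aws_s3_bucket.trail.id
  policy   = data.aws_iam_policy_document.trail_bucket.json
}

resource "aws_cloudtrail" "org" {
  provider                      = aws.management
  name                          = local.trail_name
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_organization_trail         = true # every member account, present and future
  is_multi_region_trail         = true # activity in every region, not just home
  include_global_service_events = true # IAM, STS and other global-service calls
  enable_log_file_validation    = true # digest files expose later tampering
  depends_on                    = [aws_s3_bucket_policy.trail]
}
```

A real log archive bucket should also get an S3 public access block and a customer-managed KMS key on both the bucket and the trail (`kms_key_id`); they were left out here for length. GuardDuty, Config and Security Hub follow the same shape: the management account registers the security-tooling account as delegated administrator, and that account enables the service for every member.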
4. Manual Network Setup
VPCs created through the console. CIDR ranges that overlap. No transit gateway. Peering connections added ad-hoc. When you need to connect to a new account, it takes a week of manual work.
The fix: Define your network topology upfront. Use AWS Transit Gateway for hub-and-spoke connectivity. Plan CIDR ranges with future growth in mind. Automate everything with Terraform or CloudFormation.
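The example below is added here and is not code from the original post. It shows the three pieces in Terraform: a CIDR plan derived from one supernet with `cidrsubnet()` so ranges cannot overlap, a Transit Gateway shared with the organization through AWS RAM, and one spoke VPC that attaches and routes through the hub. It assumes provider aliases `network` and `workload_dev`; the supernet, organization ARN and region are placeholders.

```hcl
# Added example (not from the original post): a CIDR plan and hub-and-spoke
# Transit Gateway. Assumes provider aliases "network" (owns the hub) and
# "workload_dev" (one spoke); supernet, organization ARN and region are
# placeholders.

locals {
  # One /8 for the whole organization, cut into /16s with cidrsubnet().
  # Every range is derived from the same plan, so overlaps cannot creep in.
  supernet = "10.0.0.0/8"
  vpc_cidrs = {
    shared  = cidrsubnet(local.supernet, 8, 0) # 10.0.0.0/16
    dev     = cidrsubnet(local.supernet, 8, 1) # 10.1.0.0/16
    staging = cidrsubnet(local.supernet, 8, 2) # 10.2.0.0/16
    prod    = cidrsubnet(local.supernet, 8, 3) # 10.3.0.0/16
    # 10.4.0.0/16 through 10.255.0.0/16 stay free for future accounts
  }
  azs     = { a = 0, b = 1 }
  region  = "eu-west-1"                                                  # placeholder
  org_arn = "arn:aws:organizations::111111111111:organization/o-example" # placeholder
}

resource "aws_ec2_transit_gateway" "hub" {
  provider                        = aws.network
  description                     = "landing-zone hub"
  auto_accept_shared_attachments  = "enable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
  tags                            = { Name = "lz-hub" }
}

# Share the hub with the whole organization through RAM; a new account attaches
# to it instead of getting yet another ad-hoc peering connection.
resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.network
  name                      = "lz-transit-gateway"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.network
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "org" {
  provider           = aws.network
  principal          = local.org_arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Spoke: the dev VPC takes its range from the plan and attaches through one
# small subnet per AZ, carved from the top of its /16.
resource "aws_vpc" "dev" {
  provider   = aws.workload_dev
  cidr_block = local.vpc_cidrs.dev
  tags       = { Name = "dev" }
}

resource "aws_subnet" "dev_tgw" {
  provider          = aws.workload_dev
  for_each          = local.azs
  vpc_id            = aws_vpc.dev.id
  cidr_block        = cidrsubnet(aws_vpc.dev.cidr_block, 8, 250 + each.value) # 10.1.250.0/24, 10.1.251.0/24
  availability_zone = "${local.region}${each.key}"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "dev" {
  provider           = aws.workload_dev
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.dev.id
  subnet_ids         = [for s in aws_subnet.dev_tgw : s.id]
  depends_on         = [aws_ram_principal_association.org]
}

# Anything inside the supernet that is not local goes via the hub.
resource "aws_route" "dev_to_hub" {
  provider               = aws.workload_dev
  route_table_id         = aws_vpc.dev.main_route_table_id
  destination_cidr_block = local.supernet
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.dev]
}
```

Sharing with the organization ARN requires that resource sharing with AWS Organizations has been enabled in RAM from the management account first. The default route table with association and propagation enabled gives every spoke reachability to every other spoke; once prod needs to be isolated from dev, move to separate TGW route tables per environment rather than relying on security groups alone.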
5. No Infrastructure as Code
The original landing zone was clicked together in the console. Now nobody knows what’s deployed, configurations drift, and recreating the environment is impossible.
The fix: IaC from the beginning. Every resource in Terraform or CloudFormation. State stored remotely. Changes go through pull requests with plan reviews.
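As an added example that is not from the original post, the following shows the "state stored remotely" part in Terraform: a bootstrap stack that creates an encrypted, versioned state bucket and a lock table, followed by the backend block that every other stack uses. Bucket and table names and the region are placeholders.

```hcl
# Added example (not from the original post): remote Terraform state with
# encryption, versioning and locking. Bucket and table names and the region
# are placeholders. These resources are bootstrapped once from local state;
# every other stack then points at them with the backend block at the end.

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-terraform-state" # placeholder, must be globally unique
}

# Versioning keeps every prior state file, so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State files hold resource ids and sometimes secrets; encrypt them at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: two concurrent applies against the same state are refused
# instead of racing each other.
resource "aws_dynamodb_table" "tflock" {
  name         = "terraform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# In each downstream stack (network, security, workloads ...), not in the
# bootstrap stack above. Backend values must be literals; one key per stack.
terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state"
    key            = "landing-zone/network/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }
}
```

Access to the state bucket should be as tightly controlled as access to the accounts themselves, since state contains every resource id and any secret a provider returned. Terraform 1.10 and later can also lock with S3 conditional writes (`use_lockfile = true`) instead of a DynamoDB table; the rest of the setup is unchanged.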
The Pattern
Notice a theme? All five mistakes share a root cause: moving fast without a foundation. The irony is that skipping the foundation costs more time than building it properly.
A well-designed landing zone takes 1-2 weeks to implement. Cleaning up a poorly designed one takes months — and you’re doing it while production is running.
Our Approach
When we build landing zones for clients, we follow the AWS Well-Architected Framework and deploy:
- Multi-account structure with AWS Organizations and Service Control Policies
- Centralized IAM with SSO federation
- Organization-wide security services (GuardDuty, Config, Security Hub)
- Transit Gateway networking with planned CIDR allocation
- Full IaC with Terraform, stored in version control
- Automated compliance checks and drift detection
The result: a production-ready foundation in under two weeks that scales with your business.
Need help with your AWS infrastructure?
Our team of AWS architects can help you build, run, and optimize your cloud infrastructure.