digital modernization

PADE Multi-Account
Landing Zone

A landing zone is the secure, ready-to-use AWS foundation — accounts, networking, and guardrails — that every Leidos practice area starts from. Built as code, BSoC-compliant by design.

~$300–350 /mo
BASELINE COST
4
PRACTICE AREAS
3
ACCESS ROLES
8
DEPLOY PHASES
SCROLL
02 / Architecture

AWS Organizations hierarchy

CloudBank owns the management account; every PADE account lives under a single Organizational Unit, governed by Service Control Policies.

CloudBank
Payer Organization · Consolidated Billing
PADE OU
PADE Management Account
IAM Identity Center · Org Control
Shared Services
10.0.0.0/16
Centralized Logging
CLOUDTRAIL · CONFIG
Secure Cloud & Data Center
10.1.0.0/16
Defensive Cyber
10.2.0.0/16
Information Advantage
10.3.0.0/16
Enterprise Digital Experience
10.4.0.0/16
03 / Network

Centralized egress through one hub

Practice VPCs hold private subnets only — no Internet Gateways. All egress routes through the Transit Gateway to a single shared NAT fleet.

Transit Gateway
Cross-VPC routing · practice isolation
NAT Gateways (3 AZ)
Shared Services VPC only
VPC Endpoints
SSM · S3 — bypass NAT
04 / Identity & Access

Three roles, one front door

Every user signs in once through IAM Identity Center, picks a permission set, and lands in the target account — no long-lived credentials.

PROJECT-OPS
Infrastructure Admin

Full administrative control — manages networking, IAM, and baselines.

PROJECT-ENGINEER
Practice Power User

Deploys and operates workloads within their own practice account — with guardrails.

PROJECT-READER
Read-only + Audit

Read-only visibility plus security audit access across every account.

05 / Security Controls

Guardrails baked into the platform

Service Control Policies and managed detection enforce the Leidos Baseline Standard of Care across every account.

SCPs block IGW & NAT creation in workloads
Practice accounts cannot open their own internet path.
SCPs block disabling CloudTrail / GuardDuty / Config
Detection and audit logging cannot be turned off — even by admins.
MFA enforced for all users via Identity Center
No password-only access anywhere in the organization.
SSM Session Manager replaces SSH / RDP
No open ports, no key pairs — every session is logged.
GuardDuty + Inspector + Config + Access Analyzer
Layered detection — deliberately without Security Hub.
06 / Design Decisions

Why it's built this way

Five opinionated choices that trade flexibility for cost control, simplicity, and a tighter security boundary.

Centralized NAT

One shared NAT fleet — single egress point with predictable cost.

No Security Hub

Replaced by individual services — fewer moving parts, same coverage.

Flow Logs to S3 only

No CloudWatch duplication — queryable in S3 at a fraction of the cost.

Practice isolation

No cross-practice routing — TGW route tables keep blast radius contained.

SSM-only access

No SSH keys or bastions — all access via audited Session Manager.

07 / Deployment

Eight phases, fully automated

The landing zone deploys in a fixed order — governance first, then logging, network, identity, and security, before practice baselines roll out.

PHASE 1
Organization
PHASE 2
Logging
PHASE 3
Org Trail
PHASE 4
Shared Services
PHASE 5
Identity Center
PHASE 6
Security
PHASE 7
StackSets
PHASE 8
Optional
08 / Cost

Where the baseline spend goes

Roughly $300–350 / month before any workload usage.

NAT Gateway
~$90
VPC Endpoints
~$80
Transit Gateway
~$70
GuardDuty + Inspector
~$50
S3 / KMS Logging
~$30
Total baseline
~$320
per month · range $300–350
Onboarding

Request access

Ask to be onboarded to the PADE environment. The platform team will provision your Identity Center account and assign the right permission set.

90 days maximum — renew after that.
L E I D O S  ·  P A D E

Leidos BSoC-compliant by design.

Infrastructure-as-Code landing zone · AWS Organizations · Transit Gateway · Centralized logging & detection