A landing zone is the secure, ready-to-use AWS foundation — accounts, networking, and guardrails — that every Leidos practice area starts from. Built as code, BSoC-compliant by design.
CloudBank owns the management account; every PADE account lives under a single Organizational Unit, governed by Service Control Policies.
Practice VPCs hold private subnets only — no Internet Gateways. All egress routes through the Transit Gateway to a single shared NAT fleet.
Every user signs in once through IAM Identity Center, picks a permission set, and lands in the target account — no long-lived credentials.
Full administrative control — manages networking, IAM, and baselines.
Deploys and operates workloads within their own practice account — with guardrails.
Read-only visibility plus security audit access across every account.
Service Control Policies and managed detection enforce the Leidos Baseline Standard of Care across every account.
Five opinionated choices that trade flexibility for cost control, simplicity, and a tighter security boundary.
One shared NAT fleet — single egress point with predictable cost.
Replaced by individual services — fewer moving parts, same coverage.
No CloudWatch duplication — queryable in S3 at a fraction of the cost.
No cross-practice routing — TGW route tables keep blast radius contained.
No SSH keys or bastions — all access via audited Session Manager.
The landing zone deploys in a fixed order — governance first, then logging, network, identity, and security, before practice baselines roll out.
Roughly $300–350 / month before any workload usage.
Ask to be onboarded to the PADE environment. The platform team will provision your Identity Center account and assign the right permission set.
Infrastructure-as-Code landing zone · AWS Organizations · Transit Gateway · Centralized logging & detection