
Accelerating Secure AWS Cloud Foundations for APA’s Scalable Workload Onboarding

Establishing an enterprise-grade, compliant Landing Zone using AWS Landing Zone Accelerator (LZA)

Challenge

APA Group, undergoing a cloud transformation, needed to accelerate cloud adoption while maintaining strict compliance with government and industry regulations. They lacked a secure, scalable AWS foundation that could support rapid onboarding of workloads such as data lakes, microservices, and AI/ML prototypes. Fragmented IAM, inconsistent logging, and manual deployment processes were causing operational inefficiencies, security gaps, and increased compliance risk.

Key Issues

  • Absence of a Centralized Governance and Account Provisioning Model – The customer lacked a standardized, scalable mechanism to provision and govern AWS accounts. This led to inconsistent configurations across environments, poor visibility of resource usage, and increased operational overhead to manage workloads across business units.
  • Manual Infrastructure Deployments Without Auditability – Infrastructure provisioning was heavily manual, relying on ad-hoc scripts and individual developer practices. This not only delayed delivery cycles but also introduced risks related to configuration drift, poor repeatability, and limited traceability—hindering security audits and operational reviews.
  • Fragmented and Non-Scalable Network Architecture – The customer’s network landscape lacked a unified design approach. Point-to-point VPC peering and inconsistent subnet allocation caused bottlenecks in scalability, made inter-environment connectivity difficult, and introduced challenges in securing east-west and north-south traffic.
  • Disparate and Unintegrated Security Tooling – Security controls such as logging, threat detection, and posture management were fragmented and operated in silos. There was no centralized visibility or alerting framework, making it difficult to detect or respond to potential threats effectively and in real time.
  • Inability to Meet Regulatory and Compliance Baselines (ISM & Essential Eight) – The platform lacked automated mechanisms to enforce baseline security and compliance requirements defined by the Australian ISM and the Essential Eight. Controls such as least-privilege access, centralized logging, software patching, and change control were inconsistently implemented, putting the environment at risk of non-compliance.

Solution

Versent implemented the AWS Landing Zone Accelerator (LZA) to deliver a secure, compliant, and production-ready AWS foundation within hours. Using a multi-account, multi-AZ architecture governed by AWS Control Tower, we deployed infrastructure as code using a modular AWS CDK pattern library, ensuring consistency and repeatability.
The solution included automated account provisioning, centralized logging, and a hub-and-spoke network model powered by Transit Gateway and AWS Network Firewall for east-west and north-south traffic inspection. Identity federation via Microsoft Entra ID with MFA enforced secure access controls, while region locking to ap-southeast-2 (Sydney) met data residency requirements. Pre-provisioned subnets enabled rapid deployment of common workloads. The design aligned with AWS Well-Architected principles, enabling secure scalability and long-term operational efficiency.

As Part of the Process, We

  • Conducted a Thorough Assessment of IAM, Logging, Network Topology, and Compliance Gaps – Performed a comprehensive review of the customer’s existing AWS footprint, evaluating identity and access management practices, logging configurations, network segmentation, and alignment with compliance standards such as the ISM and Essential Eight. This gap analysis helped shape the future-state design and informed risk mitigation strategies from day one.
  • Engineered a Modular, Reusable CDK-Based Landing Zone Framework – Developed an extensible infrastructure-as-code baseline using AWS Cloud Development Kit (CDK), enabling consistent deployment of foundational services across multiple environments. The modular approach supports custom overlays for future workloads and allows security and network patterns to be reused across business units without rework.
  • Performed a Total Cost of Ownership (TCO) Analysis for Deployment Options – Created a detailed TCO model comparing three Landing Zone configurations: Core-only, Core + Basic Shared Services, and Core + Advanced Shared Services. The model factored in projected AWS usage, compliance automation savings, operational efficiency, and year-on-year growth. This analysis was critical in demonstrating long-term value and ROI to executive stakeholders.
  • Recommended Core + Advanced Shared Services to Meet Strategic Requirements – Based on the customer’s need for centralised identity federation, east-west and north-south network inspection, automated compliance enforcement, and accelerated workload onboarding, the Core + Advanced model was recommended. It offered the best balance of security, scalability, and operational maturity.
  • Implemented Automated Guardrails for Security and Compliance – Deployed preventive and detective controls using Service Control Policies (SCPs), AWS Config Rules, and AWS Security Hub. These automated guardrails ensure policy adherence across accounts, reduce audit overhead, and maintain a continuous compliance posture aligned to frameworks like ISM and Essential Eight.
  • Enabled Cost Visibility and Control via FinOps Tagging Framework – Integrated cost allocation tagging from the foundation layer, enabling real-time cost insights across business units, environments, and workloads. This FinOps capability supports chargeback, budget tracking, and cost optimisation initiatives, providing accountability across the organisation.
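The two guardrail types named above, a preventive control that locks the organisation to ap-southeast-2 and a detective control that flags resources missing the FinOps cost-allocation tags, can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Versent's, APA Group's, or the AWS Landing Zone Accelerator's own code, and it uses plain Python rather than the CDK framework the engagement used. The home region comes from the case study; the exempt global-service list, the required tag keys, the account ID and the sample resource inventory are assumptions constructed for illustration. The one caveat worth carrying into a real SCP is the `NotAction` exemption list: IAM, STS, Organizations, billing and other global services are served from us-east-1 or have no region at all, so a region-deny that omits them locks administrators out of their own accounts.

```python
"""Region-lock SCP (preventive) and required-tag check (detective).

Added example, not code from Versent, APA Group, or the AWS LZA project.
Assumed for illustration: the exempt global-service list, the required tag
keys, and the constructed sample resources below. The home region
ap-southeast-2 comes from the case study.
"""
import json

HOME_REGION = "ap-southeast-2"

# Control-plane calls for these services are served from us-east-1 or have no
# region at all; a region-deny that forgets them breaks IAM, STS, billing, etc.
# (assumed list; trim or extend it to what the landing zone actually uses).
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*", "budgets:*",
    "cloudfront:*", "route53:*", "health:*", "access-analyzer:*",
]


def region_lock_scp(home_region=HOME_REGION, exempt=GLOBAL_SERVICE_ACTIONS):
    """Return an SCP document denying every non-exempt action outside home_region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideHomeRegion",
                "Effect": "Deny",
                "NotAction": list(exempt),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": home_region}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """Match 'svc:Name' or 'svc:*' patterns against a concrete action string."""
    svc, _, name = pattern.lower().partition(":")
    asvc, _, aname = action.lower().partition(":")
    return svc == asvc and name in ("*", aname)


def scp_allows(scp, action, requested_region):
    """Simulate SCP evaluation for one request: any matching Deny statement wins.

    Only the Deny / NotAction / aws:RequestedRegion shape produced above is modelled.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            in_scope = not any(_action_matches(p, action) for p in stmt["NotAction"])
        else:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            in_scope = any(_action_matches(p, action) for p in actions)
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        condition_met = wanted is None or requested_region != wanted
        if in_scope and condition_met:
            return False
    return True


# Detective side: tag keys the FinOps framework expects on every resource (assumed).
REQUIRED_TAGS = ["CostCentre", "Environment", "Owner"]

# Constructed sample inventory (placeholder account ID), shaped loosely like a
# resource-tagging API response.
SAMPLE_RESOURCES = [
    {"Arn": "arn:aws:ec2:ap-southeast-2:111111111111:instance/i-0example1",
     "Tags": {"CostCentre": "DATA-01", "Environment": "prod", "Owner": "data-platform"}},
    {"Arn": "arn:aws:s3:::example-datalake-raw",
     "Tags": {"CostCentre": "DATA-01", "Environment": "prod"}},
    {"Arn": "arn:aws:lambda:ap-southeast-2:111111111111:function:example-fn",
     "Tags": {"Owner": "", "Environment": "dev"}},
]


def missing_tags(resource, required=REQUIRED_TAGS):
    """Required keys that are absent or empty on one resource."""
    tags = resource.get("Tags") or {}
    return [key for key in required if not tags.get(key)]


def evaluate_tag_compliance(resources, required=REQUIRED_TAGS):
    """One COMPLIANT / NON_COMPLIANT verdict per ARN, like a required-tags Config rule."""
    return {
        r["Arn"]: "COMPLIANT" if not missing_tags(r, required) else "NON_COMPLIANT"
        for r in resources
    }


if __name__ == "__main__":
    policy = region_lock_scp()
    print(json.dumps(policy, indent=2))
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "allowed" if scp_allows(policy, action, region) else "DENIED by SCP"
        print(f"{action} in {region}: {verdict}")
    for arn, verdict in evaluate_tag_compliance(SAMPLE_RESOURCES).items():
        print(f"{verdict:14} {arn}")
```

Running the block prints the SCP JSON, then shows an EC2 launch allowed in Sydney, the same call denied in us-east-1, and an IAM call allowed anywhere because of the exemption; the tag report marks only the fully tagged instance compliant, treating an empty `Owner` value the same as a missing key. Attaching the generated SCP at the organisational unit level and wiring the tag check into a Config rule or a scheduled job gives the preventive and detective pairing the engagement describes.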

Outcomes

The customer now operates a secure and compliant AWS foundation that enables rapid and scalable workload onboarding. Manual tasks were replaced with automated workflows, reducing operational overhead. The platform is audit-ready and aligned with ISM and Essential Eight controls, supporting continuous delivery while reducing risk.

  • 95% reduction in manual provisioning efforts via automation
  • 3x faster onboarding of cloud-native workloads
  • Break-even in 14–18 months due to cost optimization and reduced engineering overhead