Generate AWS Landing Zone Diagrams from Text with AI

Describe your AWS Organizations hierarchy, Control Tower guardrails, and Transit Gateway topology in plain English. Get a valid Draw.io diagram with official AWS icons.

This AWS landing zone diagram generator converts plain-text descriptions of your multi-account AWS environment into Draw.io diagrams with correct OU hierarchies, SCP boundaries, and network topology. Describe a setup like 'AWS Organizations root with Security, Infrastructure, Workloads, and Sandbox OUs. Security OU containing a Log Archive account with CloudTrail organization trail writing to S3 with object lock, and a Security Tooling account running GuardDuty delegated administrator. Infrastructure OU with a Network Hub account hosting Transit Gateway attached to all workload VPCs.' The AI builds the OU tree, maps SCPs to their attachment points, and draws Transit Gateway spoke connections. Architecture warnings flag single-region deployments (WARN-01) and accounts missing centralized logging (WARN-04). Every element snaps to a 10px grid. Output is native .drawio XML.

What Is an AWS Landing Zone Diagram?

An AWS landing zone is a pre-configured multi-account environment built on AWS Organizations, AWS Control Tower, and centralized networking. The diagram captures how organizational units nest under the root, where accounts sit in that hierarchy, which Service Control Policies restrict API calls at each OU boundary, and how Transit Gateway connects workload VPCs to shared services and on-premises networks. Building this manually means drawing an OU tree, placing accounts inside each OU, annotating SCPs with their deny statements, and wiring up Transit Gateway route tables with association and propagation rules.

Diagrams.so automates all of it. Describe your hierarchy in plain English and the AI maps each OU to a container, nests accounts inside, and draws Transit Gateway attachments with route table labels. The generator distinguishes foundational accounts (Log Archive, Security Tooling, Network Hub) from workload accounts (production, staging, sandbox).

RULE-02 enforces official AWS icons for Control Tower, Organizations, Transit Gateway, IAM Identity Center, and CloudTrail. RULE-06 groups resources by OU scope. Opinionated mode enforces the AWS Security Reference Architecture layout with security accounts on the left and workload accounts on the right. Architecture warning WARN-04 fires when workload accounts lack VPC Flow Logs or CloudTrail integration. WARN-02 catches workload accounts exposing public endpoints without AWS WAF. WARN-01 flags Transit Gateway deployments in a single region without cross-region peering. VLM visual validation detects overlapping SCP labels on dense hierarchies. The .drawio output opens in Draw.io, VS Code, or Confluence for landing zone design reviews with your cloud platform team.

Key components

  • AWS Organizations OU tree from root through Security, Infrastructure, Workloads, and Sandbox organizational units
  • Account placement containers showing each AWS account nested under its OU with account ID and alias labels
  • Service Control Policies annotated at OU boundaries with deny-statement summaries (e.g., deny root user access, deny region outside approved list)
  • Transit Gateway hub in the Network Hub account with VPC attachments from each workload account and route table associations
  • Centralized logging pipeline: CloudTrail organization trail to S3 in Log Archive account with object lock and cross-account KMS key
  • IAM Identity Center (AWS SSO) integration showing permission sets mapped to OU-scoped access with MFA enforcement
  • AWS Control Tower guardrails categorized as preventive (SCPs), detective (AWS Config rules), and proactive (CloudFormation hooks)
  • Architecture warnings for single-region Transit Gateway (WARN-01), public endpoints without WAF (WARN-02), and missing centralized logging (WARN-04)

How to generate with AI

  1. Describe your landing zone hierarchy

    Write your AWS Organizations structure in plain English. Be specific about OU names, account placement, and SCP assignments. For example: 'AWS Organizations root with SCP denying use of regions outside us-east-1 and eu-west-1. Security OU with two accounts: Log Archive (org CloudTrail trail writing to S3 with 1-year retention and object lock, AWS Config aggregator) and Security Tooling (GuardDuty delegated admin, Security Hub aggregator, IAM Access Analyzer). Infrastructure OU with Network Hub account (Transit Gateway with three route tables: shared-services, workloads, on-premises; Direct Connect gateway to corporate data center at 10Gbps). Workloads OU with Prod and Non-Prod child OUs. Prod OU: app-prod-01 (VPC 10.1.0.0/16 attached to TGW), data-prod-01 (VPC 10.2.0.0/16 attached to TGW). Sandbox OU: sandbox-01 with SCP denying Transit Gateway attachment and Direct Connect.'

  2. Select architecture type and AWS provider

    Choose 'Architecture' as the diagram type and 'AWS' as the cloud provider. Diagrams.so loads the official AWS icon set with icons for Organizations, Control Tower, Transit Gateway, IAM Identity Center, CloudTrail, GuardDuty, and Security Hub. Enable opinionated mode to enforce the AWS Security Reference Architecture layout with foundational accounts on the left and workload accounts flowing right.

  3. Generate and review

    Click generate. The AI produces .drawio XML with an OU hierarchy tree, account containers, Transit Gateway hub-spoke topology with route table labels, SCP annotations at each OU boundary, and centralized logging arrows from workload accounts to the Log Archive. Architecture warnings flag single-region Transit Gateway (WARN-01), exposed public endpoints (WARN-02), and missing centralized logging integration (WARN-04). VLM visual validation catches overlapping labels on dense OU trees. Download as .drawio for editing, or export to PNG or SVG for design reviews.
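To show concretely what the native .drawio XML from step 3 looks like, here is an added example (hypothetical helper code written for this page, not Diagrams.so's generator) that lays the example prompt's OU tree out as nested Draw.io containers with every coordinate snapped to the 10px grid; the OU and account names, sizes and padding are assumptions.

```python
import xml.etree.ElementTree as ET

GRID, HEADER, PAD, LEAF_W, LEAF_H = 10, 30, 20, 140, 60  # px; HEADER is the container title bar
# Constructed OU tree from the example prompt; dict keys are OUs, list entries are accounts.
LANDING_ZONE = {"Root": {
    "Security": ["log-archive", "security-tooling"], "Infrastructure": ["network-hub"],
    "Workloads": {"Prod": ["app-prod"], "Non-Prod": ["app-staging"]}, "Sandbox": ["sandbox-dev"],
}}

def snap(v):
    return int(round(v / GRID)) * GRID  # nearest 10px grid line

def _vertex(root_el, cell_id, parent_id, label, container):
    """Append an mxCell vertex (OUs as swimlane containers); geometry is filled in later."""
    style = "swimlane;" if container else "rounded=1;"
    cell = ET.SubElement(root_el, "mxCell", {"id": cell_id, "value": label, "style": style,
                                             "vertex": "1", "parent": parent_id})
    return ET.SubElement(cell, "mxGeometry", {"as": "geometry"})

def _place(root_el, parent_id, name, node, x, y):
    """Emit `name` at (x, y) relative to its parent, OU children left to right. Returns (w, h)."""
    cell_id = name.lower()
    if isinstance(node, str):  # an account: fixed-size leaf
        geo, (w, h) = _vertex(root_el, cell_id, parent_id, name, False), (LEAF_W, LEAF_H)
    else:  # an OU: written before its children, then grown to fit them
        geo = _vertex(root_el, cell_id, parent_id, name, True)
        children = node.items() if isinstance(node, dict) else [(a, a) for a in node]
        cx, max_h = PAD, 0
        for child_name, child in children:
            cw, ch = _place(root_el, cell_id, child_name, child, cx, HEADER + PAD)
            cx, max_h = cx + cw + PAD, max(max_h, ch)
        w, h = cx, HEADER + PAD + max_h + PAD
    for key, val in (("x", x), ("y", y), ("width", w), ("height", h)):
        geo.set(key, str(snap(val)))
    return w, h

def build_model(tree):
    """Build the element tree: mxfile > diagram > mxGraphModel > root > mxCell*."""
    mxfile = ET.Element("mxfile")
    model = ET.SubElement(ET.SubElement(mxfile, "diagram", {"name": "Landing zone"}),
                          "mxGraphModel", {"grid": "1", "gridSize": str(GRID)})
    root_el = ET.SubElement(model, "root")
    ET.SubElement(root_el, "mxCell", {"id": "0"})
    ET.SubElement(root_el, "mxCell", {"id": "1", "parent": "0"})  # default layer
    for name, node in tree.items():
        _place(root_el, "1", name, node, PAD, PAD)
    return mxfile

def build_drawio(tree):  # the XML text that Draw.io opens as a .drawio file
    return ET.tostring(build_model(tree), encoding="unicode")
```

Paste the output of `build_drawio(LANDING_ZONE)` into a file with a .drawio extension to open it in Draw.io or the VS Code extension.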

Example prompt

AWS landing zone following the AWS Security Reference Architecture. AWS Organizations root with SCP denying use of all regions except us-east-1 and eu-west-1, SCP denying root user access in all member accounts. Security OU: Log Archive account with CloudTrail organization trail delivering to S3 bucket with 365-day retention, object lock in governance mode, cross-account KMS CMK for encryption; Security Tooling account with GuardDuty delegated administrator covering all member accounts, Security Hub with CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards enabled, IAM Access Analyzer at organization scope. Infrastructure OU: Network Hub account with Transit Gateway (ASN 64512), three route tables (shared-services association, workloads-propagation, on-premises-propagation), Direct Connect gateway connected to corporate DC via 10Gbps dedicated connection with BGP peering, DNS Hub with Route 53 Resolver inbound and outbound endpoints for hybrid DNS resolution. Workloads OU with Prod and Non-Prod child OUs. Prod OU with SCP denying deletion of CloudTrail and VPC Flow Logs: app-prod account with VPC 10.1.0.0/16 (public subnets 10.1.1.0/24 and 10.1.2.0/24, private subnets 10.1.10.0/24 and 10.1.20.0/24) attached to Transit Gateway workloads route table. Non-Prod OU: app-staging account with VPC 10.3.0.0/16 attached to Transit Gateway workloads route table. Sandbox OU: sandbox-dev account with SCP denying Transit Gateway, Direct Connect, and VPC peering. IAM Identity Center federated to Okta with AdministratorAccess permission set for Platform team, ReadOnlyAccess permission set for Auditors, and PowerUserAccess for Developers scoped to Non-Prod and Sandbox OUs only.

AWS Control Tower vs Azure Landing Zone Accelerator vs GCP Organization Blueprint

Each cloud provider structures multi-account governance differently. AWS uses Organizations with Control Tower guardrails and SCPs. Azure uses management groups with Azure Policy. GCP uses organizations and folders with Organization Policies. The automation depth, policy model, and networking topology differ across all three.

Governance hierarchy
  • AWS Control Tower: Organization root > organizational units (up to 5 levels) > accounts; SCPs at OU or account level; Control Tower manages the lifecycle
  • Azure Landing Zone Accelerator: Tenant Root Group > management groups (up to 6 levels) > subscriptions > resource groups; Azure Policy assigned at any scope with exemptions
  • GCP Organization Blueprint: Organization > folders (up to 10 levels) > projects; Organization Policies inherit downward with folder-level overrides and tag-based conditions

Policy enforcement model
  • AWS Control Tower: SCPs are deny-only guardrails that restrict API calls; AWS Config rules detect non-compliance; CloudFormation hooks enforce standards at deployment time
  • Azure Landing Zone Accelerator: Azure Policy initiatives with deny, audit, deployIfNotExists, and modify effects; compliance scoring per scope; remediation tasks for existing resources
  • GCP Organization Blueprint: Organization Policy constraints (boolean or list-based); custom constraints via Common Expression Language; enforcement happens at resource creation

Account/subscription provisioning
  • AWS Control Tower: Account Factory vends new accounts with pre-configured VPC, CloudTrail, and AWS Config; Account Factory for Terraform (AFT) adds GitOps customization pipelines
  • Azure Landing Zone Accelerator: Subscription vending via Bicep/Terraform modules; portal-based guided setup for initial deployment; no built-in account factory lifecycle
  • GCP Organization Blueprint: Project Factory Terraform module creates projects with billing, APIs, and IAM; Fabric FAST provides end-to-end org bootstrapping

Network topology
  • AWS Control Tower: Transit Gateway in shared Network Hub account; VPC attachments per workload account; route tables separate shared services, workloads, and on-premises traffic
  • Azure Landing Zone Accelerator: Hub-spoke with Azure Firewall in Connectivity subscription; VNet peering with UDRs; Azure Virtual WAN as alternative for SD-WAN integration
  • GCP Organization Blueprint: Shared VPC in host project; service projects attach to shared subnets; Cloud Interconnect in a dedicated connectivity project

Identity integration
  • AWS Control Tower: IAM Identity Center (AWS SSO) with permission sets per OU; federated to external IdP (Okta, Entra ID); temporary credentials, no long-lived keys
  • Azure Landing Zone Accelerator: Entra ID as single tenant identity plane; Conditional Access policies at tenant level; Privileged Identity Management for just-in-time role elevation
  • GCP Organization Blueprint: Google Cloud Identity or Workspace; IAM roles at org/folder/project scope; Workforce Identity Federation for external IdP integration

Diagram layout pattern
  • AWS Control Tower: OU tree on the left, Transit Gateway star topology on the right; accounts as VPC containers connected to TGW; security accounts at the top
  • Azure Landing Zone Accelerator: Management group tree on the left, hub-spoke VNet topology on the right; subscriptions as bounded regions inside management groups
  • GCP Organization Blueprint: Org/folder tree on the left, Shared VPC flat layout on the right; projects as containers with subnet CIDR labels

When to use this pattern

Use an AWS landing zone diagram when designing or documenting your multi-account AWS environment. It's the right choice for Control Tower onboarding, OU restructuring, SCP policy reviews, and network hub design sessions. The diagram shows stakeholders how OUs enforce SCP inheritance, where accounts sit in the hierarchy, and how Transit Gateway routes traffic between workload VPCs and on-premises networks. If you only need to document a single application's VPC layout, use an AWS architecture diagram instead. If your focus is purely on Transit Gateway routing without the governance hierarchy, an AWS networking diagram fits better. Landing zone diagrams deliver the most value during initial cloud adoption, when onboarding new business units that need their own accounts, or when preparing for AWS Well-Architected Framework reviews that evaluate organizational-level controls.

Frequently asked questions

What does the AWS landing zone diagram generator include?

This AWS landing zone diagram generator produces OU hierarchies, account placement, Transit Gateway hub-spoke topology, SCP annotations at each OU boundary, centralized logging pipelines, and IAM Identity Center integration. It follows the AWS Security Reference Architecture and uses official AWS icons from Diagrams.so's 30+ icon libraries. RULE-06 groups resources by OU scope automatically.

How are Service Control Policies shown in the diagram?

SCPs appear as annotations on the OU or account where they're attached. The AI labels each SCP with a summary of its deny statements, such as 'Deny regions outside us-east-1, eu-west-1' or 'Deny root user actions.' Inheritance is implied by the OU hierarchy. Account-level SCP overrides get distinct labels.
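The SCP inheritance this answer and the example prompt rely on (deny-only statements attached at Root, Prod and Sandbox, inherited down the OU tree) is easiest to see by evaluating it. The following is an added example, not Diagrams.so code: a simplified SCP evaluator that walks from an account's OU up to the root and applies every Deny found; the OU tree, account names, statement Sids and request contexts are constructed, and the model assumes the default FullAWSAccess allow remains attached at every level.

```python
import fnmatch

# Constructed OU tree and SCPs modelled on the example prompt (all values hypothetical).
OU_PARENT = {"Root": None, "Security": "Root", "Infrastructure": "Root", "Workloads": "Root",
             "Prod": "Workloads", "Non-Prod": "Workloads", "Sandbox": "Root"}
ACCOUNT_OU = {"log-archive": "Security", "app-prod": "Prod", "app-staging": "Non-Prod", "sandbox-dev": "Sandbox"}
APPROVED_REGIONS = ["us-east-1", "eu-west-1"]

# SCPs keyed by the OU they are attached to: deny-only, inherited by every child OU and account.
SCPS = {
    "Root": [
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Action": ["*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": ["*"],
         "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}},
    ],
    "Prod": [{"Sid": "ProtectLogging", "Effect": "Deny",
              "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "ec2:DeleteFlowLogs"]}],
    "Sandbox": [{"Sid": "NoHybridNetworking", "Effect": "Deny",
                 "Action": ["ec2:CreateTransitGatewayVpcAttachment", "directconnect:*",
                            "ec2:CreateVpcPeeringConnection"]}],
}

def _condition_matches(condition, ctx):
    """Only the two operators used above are modelled; no Condition means always matches."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = ctx.get(key, "")
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator == "StringLike" and not any(fnmatch.fnmatch(actual, v) for v in values):
                return False
    return True

def scps_in_effect(account):
    """Walk from the account's OU up to Root: every SCP on that path applies (inheritance)."""
    ou, stmts = ACCOUNT_OU[account], []
    while ou is not None:
        stmts.extend((ou, s) for s in SCPS.get(ou, []))
        ou = OU_PARENT[ou]
    return stmts

def evaluate(account, action, ctx):
    """Simplified model: the default FullAWSAccess allow stays attached at every level, so a
    call is blocked exactly when an inherited Deny matches. Returns (allowed, 'Sid@OU' or None)."""
    for ou, stmt in scps_in_effect(account):
        if any(fnmatch.fnmatch(action, a) for a in stmt["Action"]) and \
                _condition_matches(stmt.get("Condition", {}), ctx):
            return False, f"{stmt['Sid']}@{ou}"
    return True, None
```

Note that app-staging can still delete its trail while app-prod cannot: the ProtectLogging SCP sits on the Prod OU, so it is not inherited by the Non-Prod sibling, which is exactly the scoping the diagram's per-OU annotations make visible.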

Can I customize the OU structure beyond the default Control Tower layout?

Yes. Describe any OU structure in your prompt. Control Tower's default is Security and Sandbox OUs, but you can add Infrastructure, Workloads with Prod and Non-Prod child OUs, Suspended, or any custom grouping. The AI nests them under the Organization root exactly as you specify.

Does the diagram show Transit Gateway routing?

Yes. Describe your Transit Gateway with its route tables, VPC attachments, and Direct Connect or VPN connections. The AI draws spoke attachments from each workload VPC to the Transit Gateway hub with route table association labels. WARN-01 flags single-region Transit Gateway deployments lacking cross-region peering for disaster recovery.

What architecture warnings apply to landing zone diagrams?

WARN-01 flags single-region Transit Gateway setups without cross-region failover. WARN-02 catches workload accounts with public-facing ALBs or API Gateways missing AWS WAF. WARN-04 detects accounts without centralized CloudTrail or VPC Flow Log integration. WARN-03 identifies databases in workload accounts without cross-AZ replicas. All warnings are non-blocking annotations.
