In this session, we explore landing zone considerations as they apply to compliance and auditing. We include such topics as a repeatable approach to SCP and IAM policy creation, internal separation of duty & "need to know", compliance scope ringfencing, Region scoping, scope of impact limitation, and mandatory access control. We review approaches for log and event analytics and log record lifecycle management (including redaction where necessary) and alerting. We also discuss how compliance assessment tools can be deployed in multi-account environments and their output sensibly interpreted. We encourage you to attend the full AWS Landing Zone track, including SEC303. Search for #awslandingzone in the session catalog.