All Products
Search
Document Center

Cloud Governance Center:Build a landing zone

Last Updated:Sep 25, 2023

A landing zone is a framework that Alibaba Cloud provides for enterprises to migrate business to the cloud. Landing zones help you manage and implement resource structures, access security, network architectures, and security compliance systems in the cloud. This way, you can create a secure, efficient, and manageable cloud environment. Cloud Governance Center provides blueprint templates that you can use to build landing zones with higher efficiency. This topic describes how to use a standard blueprint to build a landing zone.

Background information

Cloud Governance Center automatically checks whether a resource directory is created for a specific management account. If no resource directory is created for the management account, Cloud Governance Center automatically creates a resource directory for the management account.

Step 1: Configure items

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, click LandingZone Setup.

  3. On the LandingZone Setup page, find the Select Blueprint section. In the Standard Blueprint section, click Build.

  4. In the Added Items section of the Configure Blueprint page, view the items that are added to the blueprint. You can add or remove items based on your business requirements.

    • Click Add Item. In the dialog box that appears, add new items and click Add.

      Some items may use other items as dependencies. In this case, you must add all items that depend on each other.

    • To remove an item, click the 删除 icon next to the item.

      Do not remove a required item in a blueprint.

    In this example, only the following required items are retained: Create Folder, Create Core Account, and Guardrails.

Step 2: Create folders

A folder is an organizational unit in a resource directory. A folder may indicate a branch, a line of business, or a project of your enterprise. Each folder can contain member accounts and subfolders that are in a tree-shaped organizational structure. You can manage accounts and resources by using folders. For example, you can allocate resources, manage permissions, and implement security control and compliance control by using folders.

We recommend that you create the following folders based on the best practices. If the folders are not created for the management account, Cloud Governance Center automatically creates the folders.

  • Core: This folder contains member accounts that are used to manage resources.

  • Applications: This folder contains member accounts that are used to perform specific business operations.

In the Added Items section, click Create Folder. On the right side of the page, the automatically created folders are displayed. You can change the name of each folder. If you no longer need a folder, you can delete the folder.

In addition to the Core and Applications folders, you can perform the following steps to create finer-grained folders by department or business environment: Log on to the Resource Management console, choose Resource Directory > Overview > Organization. On the left side of the Organization tab, select a node and click Create Folder.

Step 3: Create core accounts

You can create core accounts for existing functional units. This way, you can perform subsequent governance tasks. The governance tasks include resource allocation, permission management, security control, and compliance control.

  1. In the Create Core Account section, select the folder to which the core account belongs from the Default Folder drop-down list.

    In this example, the Core folder created in Step 2 is selected. This way, the core account is created in the Core folder.

  2. Specify a settlement method.

    • Trusteeship: If you use the method, the core account is used to settle the bills and manage split bills of all accounts in a centralized manner. We recommend that you select this method.

    • Finance management: Compared with the trusteeship method, this method allows you to use the core account to manage specific finance capabilities of all accounts in a centralized manner. If you use this method, the self-pay settlement method is automatically used for each account. After you build the landing zone, you can use the financial management account to specify another method.

    • Self-pay for each account: If you use this method, the owner of each account settles the bills of the account. No centralized finance management method is specified.

  3. Optional: If you select Trusteeship, you must specify a main account.

    To specify a main account, you can use one of the following methods:

    • Specify Existing Account: Specify the current management account or a member account in a resource directory as a main account.

      Cloud Governance Center automatically checks whether the member account meets the requirements for a main account. You can specify a main account based on the check result.

      Note

      If a message indicating that the member account does not meet the requirements appears, the financial information may be incomplete for the member account. To complete the financial information, go to the User Center console.

    • Create Account: Create a member account as the main account.

    • Invite Account: Invite the owner of an Alibaba Cloud account to join a resource directory and specify the account as the main account.

  4. Specify core accounts.

    In this example, the following core accounts are specified.

    • Log archive account: This account is used to collect the logs of all member accounts. By default, this account is enabled. You cannot disable the account.

    • Shared service account: This account is used to deploy shared services for an enterprise. By default, this account is enabled. You can disable the account.

    • Security account: This account is used to perform security control and compliance control in a centralized manner. By default, this account is enabled. You can disable the account.

    You can create a core account or specify an existing account as a core account. If you want to create a core account, you must specify basic information for the core account.

  5. Click Next.

Step 4: Configure protection rules

You can configure and enable the protection rules of Cloud Config in a centralized manner. This prevents the basic configurations and the resource structure that are created from being modified in Cloud Governance Center. This also ensures the security of multi-account environments.

In the Guardrails section, view protection rules and select the required protection rules. For more information, see Configure protection rules in a centralized manner.

Step 5: Run a task to build the landing zone

  1. After you configure the preceding parameters, click Preview Configuration. On the page that appears, check the configuration information about each item.

  2. After you verify the information, click Execute.

  3. View the status of the task and click Close after the task is completed.

What to do next

Configure more items for a landing zone

By performing the preceding steps, you have configured only the basic items that are required to build a landing zone. To configure more items for your landing zone, click Continue to Build in the upper-right corner of the LandingZone Setup page. For more information, see the Supported items section of the "Overview" topic.

Create member accounts

On the Account Factory page, you can view the details of the core accounts that are created in Step 3. You can also configure an account baseline, and create member accounts in the account factory based on the account baseline. For more information, see Create an account.

Manage multiple accounts

  • View the multi-account structure

    You can get an overview of the multi-account structure of your enterprise and view the folders and member accounts in the multi-account structure. For more information, see View the account structure.

  • Configure identities and permissions

    You can configure identities and permissions for multiple member accounts in a resource directory in a centralized manner. For more information, see Configure identities and permissions.

  • Manage protection rules

    You can view the details of the protection rules that are configured when you build a landing zone, view the compliance evaluation results of resources, and enable or disable a recommended rule or an optional rule. For more information, see Configure protection rules in a centralized manner.

  • Deliver audit logs in a unified manner

    You can deliver the ActionTrail logs and Cloud Config logs of all member accounts in a resource directory to a log archive account in a unified manner. You can deliver the logs to Object Storage Service (OSS) for persistent storage. You can also deliver the logs to Simple Log Service for real-time log analysis. For more information, see Deliver audit logs in a unified manner.

  • View resources

    On the Resource Search page, you can view resources across accounts, services, or regions. For more information, see Overview.

View governance maturity check results

The governance maturity check feature helps you continuously monitor the cloud-based IT governance performance of your enterprise and provides governance guidance. This helps optimize your IT governance configurations in the cloud and reduces risks. Cloud Governance Center automatically checks the member accounts in a resource directory of your enterprise. This way, you can identify governance deficiencies and potential risks at the earliest opportunity. For more information, see View and download governance maturity check results.