Multi-Cloud Landing Zones & Governance Handbook

A platform engineering reference for account structure, identity hierarchy, network foundations, security guardrails, and governance operating models across AWS, Azure, and Google Cloud Platform.

Platform Engineering AWS · Azure · GCP Security Baselines April 2026

What Is a Landing Zone

A landing zone is a pre-configured, multi-account cloud environment that enforces security, identity, network, and compliance baselines before any application workload lands. It is infrastructure-as-policy: the goal is to make the right thing the easy thing.

Key idea: A landing zone is not a one-time deployment. It is a living platform foundation that evolves with your organization's posture and compliance requirements.

Core Outcomes a Landing Zone Must Deliver

Account isolation between workloads and environments
Consistent identity and least-privilege access controls enforced by default
Network segmentation with controlled egress and ingress
Enforced security guardrails — both preventative and detective
Audit trails and observability from day one, not retrofitted
Self-service account onboarding for teams without bypassing controls

Account / Subscription / Project Structure

Organize cloud accounts into an organizational hierarchy that reflects risk, compliance, and team boundaries — not feature boundaries.

Recommended Hierarchy

flowchart TD ROOT[Root Organization] SEC[Security OU\nAudit · Log Archive · SIEM] INFRA[Infrastructure OU\nNetwork Hub · DNS · Shared Services] SAND[Sandbox OU\nExploratory · Auto-expiry · Billing Cap] WL[Workloads OU] DEV[Dev Accounts\nRelaxed guardrails\nLimited quotas] STG[Staging Accounts\nProd-like guardrails\nNo internet egress] PROD[Production Accounts\nStrictest guardrails\nAll logging mandatory] ROOT --> SEC ROOT --> INFRA ROOT --> SAND ROOT --> WL WL --> DEV WL --> STG WL --> PROD classDef root fill:#00b89922,stroke:#00d4ac,color:#a0f0e0 classDef sec fill:#2f80ed22,stroke:#56ccf2,color:#7dc6ff classDef infra fill:#27ae6022,stroke:#6fe39a,color:#6fe39a classDef sand fill:#f2994a22,stroke:#f7bb77,color:#f7bb77 classDef wl fill:#bb6bd922,stroke:#d3a2ec,color:#d3a2ec class ROOT root class SEC sec class INFRA infra class SAND sand class WL,DEV,STG,PROD wl

Structural Rules

One account/subscription per environment per workload boundary — no mixing
Security and log archive accounts owned by the platform team; never delegated
Sandbox accounts must have hard billing caps and auto-expiry policies
Never mix production and non-production workloads in the same account
All new accounts created through the vending machine pipeline, never the console

Identity & Access Hierarchy

Core Principles

Centralize IdP — never create cloud-local users for humans
Use short-lived credentials; eliminate long-lived access keys entirely
Apply least privilege at every layer: org, account, resource, and action
Separate duty between platform team (account management) and application teams (workload IAM)
MFA required for all human console access without exception

Role Tier Structure

Role Tier	Who Uses It	Credential Lifetime
Break-glass / emergency admin	Security team only	Session < 1 hour, every use alerted
Platform admin	Cloud platform team	Federated session, max 8 h
Workload admin	Application team lead	Federated session, max 8 h
Developer read-only	All engineers	Federated session, max 4 h
CI/CD service identity	Pipelines	OIDC short-lived token — no static key
Workload runtime identity	Application processes	Instance profile / Managed Identity / WIF

Non-negotiable: CI/CD pipelines must use OIDC workload identity federation. Static credentials committed to repos or stored in secret managers for pipeline use are a violation of this standard.

Network Foundations

Hub-and-Spoke Topology

All spoke VPCs/VNets connect to a hub that owns shared services. Spokes never peer directly with each other.

flowchart LR INET[Internet] WAF[WAF / DDoS\nProtection] HUB[Hub Network\nFirewall · NAT · DNS\nVPN / Direct Connect] DEV[Dev Spoke\n10.1.0.0/16] STG[Staging Spoke\n10.2.0.0/16] PROD[Prod Spoke\n10.3.0.0/16] ONPREM[On-Premises\nNetwork] INET --> WAF --> HUB HUB --> DEV HUB --> STG HUB --> PROD ONPREM --- HUB classDef hub fill:#00b89922,stroke:#00d4ac,color:#a0f0e0 classDef spoke fill:#2f80ed22,stroke:#56ccf2,color:#7dc6ff classDef edge fill:#27ae6022,stroke:#6fe39a,color:#6fe39a class HUB hub class DEV,STG,PROD spoke class WAF,INET,ONPREM edge

Egress Control Standards

Traffic Type	Requirement
Internet egress	Proxied via centralized firewall with domain allowlist
Inter-spoke	Transits hub; explicit firewall rule required per path
Cloud-to-on-premises	Site-to-site VPN or dedicated circuit; no public internet path
PaaS services	Private endpoints / VPC endpoints only; disable public endpoint after activation
Inbound / ingress	WAF required for HTTP(S); allowlisted ports only; no wildcard rules

IP Addressing Standards

Allocate non-overlapping RFC 1918 ranges per environment tier at landing zone creation
Reserve a /16 per tier to allow future spoke growth without re-addressing
Maintain a central IPAM record (AWS VPC IPAM, Azure VNet Manager, or equivalent)
Never reuse CIDR ranges previously routed to on-premises
Enable VPC/VNet flow logs on all subnets at creation time, not retroactively

Security Baselines

Security baselines are guardrails the landing zone enforces on every account automatically. Preventative guardrails block non-compliant actions; detective guardrails alert on non-compliant state.

Preventative Guardrails

Control	AWS	Azure	GCP
Deny public storage buckets	SCP	Azure Policy (Deny)	Org Policy Constraint
Require encryption at rest	SCP + Config	Azure Policy	Org Policy
Restrict allowed regions	SCP	Azure Policy (allowed locations)	Org Policy
Deny root / global admin API calls	SCP	Conditional Access	Org Policy
Deny long-lived IAM keys for humans	SCP	Conditional Access / Entra	Org Policy

Detective Guardrails

Control	AWS	Azure	GCP
Config drift monitoring	AWS Config	Azure Policy / Defender	Security Command Center
Unused credential alerts	IAM Access Analyzer	Entra ID reports	IAM Recommender
Public resource exposure alert	Security Hub	Defender for Cloud	Security Command Center
Root / global admin login alert	CloudTrail + EventBridge	Entra audit logs	Cloud Audit Logs
Unencrypted storage alert	AWS Config Rule	Azure Policy	SCC Finding

Mandatory Logging

All accounts must ship the following to the centralized log archive account from day one:

Management plane / audit events (CloudTrail, Activity Log, Cloud Audit Logs)
VPC / VNet flow logs
DNS query logs
Authentication events: login, role assumption, privilege escalation
Config change events

Retention minimum: 1 year hot storage, 7 years cold archive. Application teams must not have delete access to the log archive account.

DNS & Connectivity Standards

DNS Architecture

Deploy private hosted zones per VPC/VNet; internal services resolve by name, never by IP
Central DNS resolvers in hub VPC/VNet handle cross-spoke and on-premises resolution
Internal names must not resolve from the public internet (no split-horizon leakage)
DNS over HTTPS is not permitted for workloads — all queries route through the controlled resolver

Private Endpoint Policy

All PaaS services (object storage, databases, queues, key management) must use private endpoints
Disable the public endpoint on every PaaS resource after the private endpoint is confirmed healthy
Private endpoint DNS entries must be registered in the central private zone automatically at creation
Do not rely on manual DNS record management — automate via IaC or event-driven pipeline

Cloud-Native Landing Zone Tooling

AWS: Control Tower + Account Factory for Terraform

AWS Control Tower provides pre-built OU structure, SCPs, Config rules, and Account Factory for self-service provisioning
Extend with Account Factory for Terraform (AFT) for IaC-managed account vending with customizations
Deploy AWS Security Hub aggregator in the security account to consolidate cross-account findings
Enroll all new accounts via Control Tower Account Factory — never create accounts manually in the console

Azure: Azure Landing Zones (ALZ)

Microsoft reference architecture at Azure/ALZ-Bicep covers management groups, policies, hub networking, and monitoring
Management group hierarchy: Root → Platform → Landing Zones → Sandbox
Built-in policy initiatives enforce logging, Defender for Cloud, encryption, and region restrictions automatically
Deploy via Azure DevOps or GitHub Actions pipeline using Bicep or Terraform modules, not the portal

GCP: Cloud Foundation Fabric

Google Cloud Foundation Fabric (GoogleCloudPlatform/cloud-foundation-fabric) is the reference Terraform implementation
Resource hierarchy: Organization → Folders (per environment) → Projects
Enforced via Org Policy Constraints applied at folder level, inherited by all projects
Use GCP Project Factory (Terraform) for self-service project vending with guardrail inheritance

Patterns Common to All Providers

Concern	Pattern
New account / project creation	Vending machine pipeline (IaC + CI/CD); never manual console
Guardrail deployment	Apply at org / MG / folder root; individual accounts inherit, never override
Logging destination	Dedicated audit account; app teams get read-only access only
Break-glass access	Credentials in secrets manager; alert on every use; time-limited session
Drift detection	Continuous compliance scan; P1 deviations alert within 15 minutes

Governance Operating Model

A landing zone without a governance loop decays. Establish clear ownership and a review cadence before day one.

Role Ownership

Role	Responsibility
Cloud Platform Team	Landing zone definition, vending pipeline, hub network, shared services
Security Team	Detective guardrails, SIEM integration, access review cadence, exception sign-off
FinOps / Cost Team	Tagging policy, budget alerts, rightsizing recommendations
Application Team	Consumes accounts via vending machine; owns workload IAM and workload network rules
Compliance / Risk	Reviews control exceptions; signs off on guardrail relaxation requests

Review Cadence

Review	Frequency	Owner
Guardrail compliance dashboard	Continuous (automated)	Platform + Security
Privileged role access review	Quarterly	Security
OU / account structure review	Semi-annual	Platform
Cost and quota review	Monthly	FinOps
DR drill for platform accounts	Annual	Platform + Security
Landing zone version upgrade	Per provider major release	Platform

Exception Process

Application team submits exception request with business justification and compensating controls
Security team reviews and classifies as accepted risk or rejected within 5 business days
Accepted exceptions are time-boxed (maximum 90 days) and tracked in a risk register
Exceptions automatically expire; teams must re-justify to extend

Anti-pattern: Permanent exceptions are architectural debt. Every exception that persists past its expiry without re-justification is a control gap. Automate expiry enforcement.

Cloud Mappings

Concept	AWS	Azure	GCP
Root grouping	Organization	Tenant / Root Management Group	Organization
Account grouping	Organizational Unit (OU)	Management Group	Folder
Isolation unit	Account	Subscription	Project
Landing zone tooling	Control Tower + AFT	Azure Landing Zones (Bicep/TF)	Cloud Foundation Fabric
Preventative guardrails	Service Control Policy (SCP)	Azure Policy (Deny effect)	Org Policy Constraint
Detective guardrails	AWS Config + Security Hub	Defender for Cloud + Azure Policy	Security Command Center
Identity federation	IAM Identity Center (SSO)	Microsoft Entra ID	Cloud Identity / Workspace
Workload identity	IAM Role (Instance Profile)	Managed Identity	Workload Identity Federation
CI/CD identity	OIDC → IAM Role	OIDC → Workload Identity	OIDC → WIF + Service Account
Centralized logging	CloudTrail + S3 (audit account)	Diagnostic Settings → Log Analytics	Cloud Audit Logs → GCS Sink
Hub networking	Transit Gateway + AWS Firewall	Virtual WAN + Azure Firewall	Network Connectivity Center + Cloud Firewall
Private connectivity	VPC Endpoint (Interface / Gateway)	Private Endpoint	Private Service Connect
Private DNS	Route 53 Private Hosted Zone	Azure Private DNS Zone	Cloud DNS Private Zone
IP address management	VPC IPAM	Azure VNet Manager	Custom IPAM (no native equivalent)
Secrets management	AWS Secrets Manager	Azure Key Vault	Secret Manager

Implementation Checklist

Organization & Structure

Root organization / tenant created and documented
OU / management group hierarchy matches security domains (Security, Infrastructure, Workloads, Sandbox)
Account vending machine pipeline operational — no manual account creation
Break-glass account exists, stored in secrets manager, alerts on every use
Sandbox accounts have billing caps and auto-expiry configured

Identity & Access

All human access via federated SSO — no cloud-local users for humans
MFA enforced for all human access without exception
No long-lived access keys for humans or CI/CD pipelines
CI/CD pipelines use OIDC workload identity federation
Workload runtime uses instance profile / managed identity / WIF
Quarterly access review scheduled and owned

Network

Hub VPC/VNet deployed in dedicated infrastructure account
Non-overlapping CIDR ranges allocated and recorded in IPAM
Flow logs enabled on all VPCs/VNets at creation
All internet egress proxied through centralized firewall
Spokes do not peer directly with each other
Private endpoints deployed for all PaaS services in production
Private DNS zones registered and resolvable from all spokes

Security Baselines

SCP / Azure Policy / Org Policy applied at root preventing public storage
Encryption at rest required by policy for all new storage resources
Allowed regions restricted by policy
All accounts enrolled in Security Hub / Defender for Cloud / Security Command Center
Centralized log archive account operational; retention policy enforced (1 yr hot / 7 yr cold)
Alert configured for root / global admin login activity

Governance

Platform, Security, and FinOps ownership documented and acknowledged
Compliance dashboard visible to platform and security teams continuously
Exception process documented and accessible to application teams
Review cadence (quarterly, semi-annual, annual) scheduled in team calendar
Landing zone version upgrade process defined and owned

Multi-Cloud Landing Zones & Governance Handbook · April 2026