A comprehensive blueprint for building a secure, scalable, and governable enterprise cloud foundation β covering the 8 design dimensions, multi-account architecture, identity management, cost governance, security, monitoring, and governance metrics.
A Landing Zone is the foundational environment where workloads are deployed β providing standardized governance, security, and operations from day one. The Tencent Cloud Landing Zone framework defines 8 design dimensions, each with 3 sub-dimensions, to ensure comprehensive coverage of enterprise requirements.
| Dimension | Sub-Dimensions | Description |
|---|---|---|
| Resource Planning | Account Structure, Resource Limits, Capacity Planning | Define the multi-account organization model, allocate resource quotas per account/region, and forecast capacity for compute, storage, and network to ensure scalable growth without hitting service limits. |
| Identity & Permission | SSO Integration, CAM Role Design, Permission Baselines | Centralize authentication through enterprise IdP (e.g., Entra ID via SAML 2.0/SCIM), design CAM roles following least-privilege, and establish baseline permission sets (Administrator, Ops, ReadOnly). |
| Cost Management | Cost Allocation, Budget Alerts, Tag Governance | Implement cost allocation tags and units for multi-dimensional chargeback, set up budget thresholds and anomaly alerts, and enforce mandatory tagging policies across all resources. |
| Compliance Audit | Compliance Libraries, Audit Logging, Config Monitoring | Apply 190+ pre-built compliance rules (CIS, PCI DSS, ISO 27001, SOC 2), centralize CloudAudit logs across all member accounts, and continuously monitor resource configurations via CloudConfig. |
| Network Planning | Hub-and-Spoke Topology, CIDR Allocation, Traffic Segmentation | Design centralized CCN-based hub-and-spoke network, allocate non-overlapping CIDR blocks across environments, and enforce north-south and east-west traffic isolation with route table separation. |
| Security Design | Defense in Depth, Threat Detection, Access Control | Layer security controls from internet edge to host OS (EdgeOne, WAF, NAT, VPC Firewall, NACL, Security Groups, CWPP, TCSS), centralize threat detection via CSC, and enforce least-privilege access. |
| Monitoring & Ops | Observability Stack, Alerting, Operational Procedures | Deploy unified observability via TCOP (metrics, traces, logs, events), establish alerting thresholds and escalation procedures, and integrate synthetic and real-user monitoring for end-to-end visibility. |
| Automation | Infrastructure as Code, CI/CD Pipelines, Module Reusability | Standardize on Terraform with 50 reusable modules, build GitLabβJenkinsβTKE CI/CD pipelines, and manage Terraform state centrally via COS with native state locking. |
Each dimension addresses a distinct governance concern. Skipping any dimension creates blind spots β for example, without tag governance, cost allocation breaks; without network segmentation, east-west lateral movement is unrestricted. The 8 dimensions together form a complete, defense-in-depth foundation.
The Tencent Cloud Organization (TCO) multi-account model provides strict isolation boundaries, reduces blast radius, and enables centralized governance. The architecture follows proven enterprise patterns with clear separation of security, network, DevOps, and workload responsibilities.
The organization is structured into 6 top-level OUs, each containing dedicated accounts with specific responsibilities:
root_account β Master payer, org structure, SCPs, cross-account admin roles
security β CloudAudit, CloudConfig, CSC (delegated admin)
security_logging β Centralized log collection & retention (CLS/COS)
backup_audit β Backup/snapshot behavior tracking
platform_core β Terraform state storage (COS)
billing β Cost monitoring, billing center (delegated admin)
sso β Account governance & permission management
network_sec_nonprod β SIT/Staging VPCs, subnets, routes, firewalls, CLB WAF, EdgeOne
network_sec_prod β Production network, public CLBs, NAT gateways, VPC firewall, internet edge firewall
devops β CI/CD pipelines (CODING/GitLab Runner), IaC storage, TKE addons deployment
Separate accounts by function: security, logging, network, DevOps, billing β each with dedicated ownership and clear boundaries.
Group applications by business domain (e.g., API, Digital Touchpoint, ESS) to align with organizational structure and ownership.
Strict isolation between Production and Non-Production (DEV/SIT/Staging) at the account level to prevent cross-environment access.
Dedicated accounts for Partner access, Sandbox testing, and Decommissioned resources with tailored guardrails.
The Root OU enforces organization-wide SCPs including security guardrails, regional restrictions, and protection of critical governance and audit controls. All child OUs and accounts inherit these policies.
Accounts in the Decommissioned OU are locked down with restrictive SCPs that deny most actions except read-only access and deletion β ensuring isolated, auditable retirement. SCPs can be deployed via Terraform.
When a new account is created through the Account Factory, the following baselines are automatically applied:
| Mode | Structure | Use Case |
|---|---|---|
| Standalone | tfbaseline-<app>/ + <app>-tfworkload/ |
Application has its own dedicated VPC and baseline. Used for large or business-critical applications requiring strong isolation boundaries. |
| Consolidated | tfbaseline-<consolidated>/ (shared VPC) + multiple <app>-tfworkload/ |
Multiple small/medium applications share one VPC, isolated by subnets and security groups. Reduces total account count while maintaining logical isolation. |
| shared-infra | shared-infra/ + tfbaseline-shared-infra/ |
Account-level shared resources (e.g., TCR container registry, KMS keys, shared security group templates) referenced by all applications under a business unit. |
Tencent Cloud Cloud Access Management (CAM) provides authentication and authorization for users, roles, and groups. The identity model integrates with enterprise IdP (Microsoft Entra ID) via SAML 2.0 and SCIM for SSO, with post-login access control enforced through CAM policies and tag-based ABAC.
A sub-account under the root account with its own credentials. Used for programmatic API access and console login for specific users.
A virtual identity with a set of permissions that can be assumed by trusted entities. Used for cross-account access and service-to-service authorization.
A collection of CAM users that shares the same permissions. Simplifies permission management by assigning policies to groups rather than individual users.
A predefined role automatically created for Tencent Cloud services (e.g., TKE, CLB) to access other resources on your behalf. Pre-authorized and service-specific.
Cloud Identity Center (CIC) user β a federated identity synchronized from an external IdP (e.g., Entra ID) via SCIM, enabling SSO across all member accounts.
| Permission Set | Description | Attached Policies |
|---|---|---|
| LimitedAdmin | All administrative permissions except write access to CAM (deny-based AdminAccess). Prevents privilege escalation while allowing full resource management. | AdministratorAccess with explicit deny list for all cam:* write actions (AddUser, CreateRole, DeletePolicy, AttachRolePolicy, etc.) |
| Administrator | Full administrative-level privileges including CAM management. Reserved for root account and identity governance team only. | AdministratorAccess |
| Ops | Full management for core compute (CVM, TKE), databases (CynosDB, CDB, Redis, PostgreSQL, MongoDB, MariaDB), operations automation (TAT), bastion host (BH), security (CWPP, TCSS, WAF, Config), and KMS. Read-only for all other modules. | QcloudCVMFullAccess, QcloudTKEFullAccess, QcloudCynosDBFullAccess, QcloudCDBFullAccess, QcloudRedisFullAccessPreset, QcloudBhFullAccess, QcloudKMSFullAccess, QcloudCWPFullAccess, QcloudTCSSFullAccess, QcloudWAFFullAccess, QcloudConfigFullAccess, ReadOnlyAccess |
| ReadOnly | Read-only access across all service modules. For auditors, monitoring teams, and users who need visibility without modification rights. | ReadOnlyAccess |
Each account maintains standard permission sets (Administrator, Ops, ReadOnly) mapped 1:1 to AD groups. Simple but can lead to AD group proliferation if ad-hoc permission sets are created frequently.
Authorization based on resource tags and user attributes. Combine baseline permissions with app tags (e.g., ReadOnly_MyApp) to grant scoped access β reducing the need for ad-hoc permission sets.
| Component | Protocol | Function |
|---|---|---|
| Entra ID | SAML 2.0 + SCIM | Enterprise identity provider. Authenticates users and synchronizes users/groups to CIC. Saviynt handles request approval and lifecycle governance. |
| CIC (Cloud Identity Center) | Federation | Tencent Cloud's centralized identity service. Receives synchronized users/groups from Entra ID and manages access assignments across member accounts. |
| CAM | Policy-based | Enforces fine-grained permissions after authentication. Users access accounts as mapped CAM users or by assuming CAM roles. |
| ABAC | Tag-based | Post-login access control using resource tags + user attributes. Enforces access rules aligned with organizational security requirements. |
TOTP-based authenticator apps (Google Authenticator, Microsoft Authenticator). Most common MFA method.
Hardware security key supporting FIDO U2F standard. Provides phishing-resistant hardware-based authentication.
Passwordless authentication using device biometrics (Face ID, Touch ID) or device PIN. Modern FIDO2-based credential.
Global MFA enforcement setting at the account level. Requires all CAM users to enable MFA before accessing console.
Enhanced protection flag for high-risk operations (e.g., deleting resources, modifying security groups). Adds an extra verification step.
Security Token Service (STS) enables temporary credential issuance for cross-account access. Users authenticate in one account, then assume a role in another account to gain scoped permissions β no long-term keys shared.
| Scenario | Description |
|---|---|
| 1. Single App Access | User/group can only access a specific application (e.g., only MyApp). Achieved by combining a baseline permission set with the app's tag via ABAC. |
| 2. Multi-App Access | User/group can access multiple applications (e.g., MyApp & PartnerApp). Multiple tag-based permission sets are assigned to the user's group. |
| 3. Team-Wide Access | User/group can access all applications within their team (e.g., all apps in the Digital Touchpoint account). Granted via account-level permission sets. |
| 4. Role-Specific Access | User/group has one or multiple roles in an application (e.g., Admin, Developer, Operations, Read Only). Multiple baseline permission sets are assigned per app tag. |
| 5. Infra-Only Access | User/group can access infrastructure but not application workloads (or vice versa). Uses Tencent Cloud console dashboard isolation and CAM policy conditions. |
Scope: All members under the organization account
Event Type: All
Resource Type: CAM
Destination: Central log COS bucket
Centralized audit trail for CAM role changes across the entire organization β managed by the Security account as delegated admin.
Scope: This account only
Event Type: All
Resource Type: CAM
Destination: Local CLS / COS
Account-level audit trail for local compliance and operational troubleshooting β supplements the org-wide trail.
Cost governance is a foundational element of scalable cloud governance. A unified tagging framework ensures consistent resource management, enables granular cost tracking, and supports chargeback/showback models across teams and business units.
A simple way to track expenses by labeling cloud resources. Suitable for viewing costs from a single dimension such as by project, department, or environment.
Example: Filter all resources with environment: prod to see total production cost.
Designed for organizations with complex structures. Allows customized allocation rules and sharing ratios based on internal hierarchies for multi-dimensional cost aggregation.
Example: Allocate shared network costs to 5 business units with different ratios (30%/25%/20%/15%/10%).
A dedicated billing account is set as the delegated admin for cost management. This account monitors billing across all OUs, allows cost analysis by OU, tags, accounts, and products, and isolates financial access from operational teams. The Cloud Identity Center assigns this account as the billing center delegated admin.
Each resource on Tencent Cloud can be associated with up to 50 tags. The following 11 tags are mandatory for all resources:
| Tag Key | Description | Example Values |
|---|---|---|
app-name | Identifies the application or service the resource supports | myapp, shared-services |
cost-center | Cost center or department associated with the resource | it-ess-single-approval, shared-services |
cloud-provider | Cloud service provider hosting the resource | aws, gcp, azure, huawei, tencent |
business-critical | Whether the resource is part of a business-critical service | yes, no |
criticality | Asset criticality based on CIA framework (Confidentiality, Integrity, Availability) | cj (Crown Jewel), mcj, c1, c2, nc (Non-critical) |
info-class | Classification of information stored/processed by the application | confidential / PII, internal, public |
environment | Deployment environment (production vs non-production) | prod, non-prod |
business-owner | Business Owner using the resource (directorate-level) | commercial, finance, sales |
system-owner | System/Application Owner responsible for lifecycle & budget | it-ess, it-dt, it-api |
managed-by | Party managing the resource (mandatory for shared services) | internal-devops, managed-service-provider |
resource-type | Whether the resource is shared or application-specific | shared-resource, app-resource |
For data platform and analytics workloads, the following extended tags provide enhanced visibility for data lifecycle management, analytics, and platform optimization:
| Tag Key | Logical Hierarchy | Description / Example Values |
|---|---|---|
environment | Environment | Production, Development |
app-name | Application | MyApp, Data_Pipeline (underscore between words) |
technical-owner | Owner | Team responsible for the resource |
business-owner | Business Owner | Team that owns and uses the resource |
business-area | Business Area | Mobile, Home, Business_Solution |
cost-center | Cost Center | CC12345, CC67890 |
data-sensitivity | Data Sensitivity | PII, Non-PII |
info-class | Data Security Classification | Public, Confidential, Internal |
business-unit | Business Unit | Marketing, Finance |
app-component | Application Component | Frontend, Backend |
criticality | Criticality | CJ, CMJ, C1, C2, C3 |
job | Job | Specific job/task identifier |
datalake-layer | Datalake Layer | bronze, silver, gold β data layer in the Data Ocean |
content-classification | Classification | reference, master_data, subject_base |
subject-area | Subject Area | customer, consumption |
hot-retention | Hot Retention | Days as integer (e.g., H7, H14, H30, H60, H90) |
warm-retention / cold-retention | Warm/Cold Retention | W90, W180 / C365, C730 |
cost-center, data-classification)A clear naming convention turns every resource name into instantly usable metadata (environment, region, app, owner, purpose) β reducing ambiguity, speeding up troubleshooting, and strengthening governance.
| Resource | Naming Pattern | Example |
|---|---|---|
| VPC | [application]-[prod/nonprod] | myapp-prod |
| Subnet | [application]-[prod/nonprod]-[private/protected/public]-[region] | myapp-prod-private-ap-jakarta |
| NAT Gateway | nat-gateway-[primary/secondary/...]-[prod/nonprod] | nat-gateway-primary-prod |
| VPN Gateway | [environment]-[tencent]-to-[destination]-[region]-vpn-gateway | prod-tencent-to-aws-jakarta-vpn-gateway |
| CCN | CCN-[prod/nonprod] | CCN-prod |
| CVM | [application]-[servicename]-[productname]-[environment] | myapp-web-nginx-prod |
| TKE (dedicated) | [application]-[servicename]-[productname]-[environment] | myapp-cluster-myapp-prod |
| TKE (consolidated) | [application]-[cons{1-10}]-[productname]-[environment] | myapp-cons1-shared-prod |
| CLB | [application]-[servicename]-[productname]-[private/public]-[environment] | myapp-web-nginx-public-prod |
| COS | [application]-[bucketname]-[environment] | myapp-terraform-state-prod |
Tencent Cloud CloudConfig provides 6 compliance libraries with 190+ rule templates for automated compliance auditing. These libraries cover major international standards and regulatory requirements, enabling continuous monitoring and automated compliance reporting.
Cybersecurity and Data Security Best Practices. A comprehensive inspection of network architecture and data security to validate proper configuration and protection of systems and data, with reference to the CIS Benchmarks.
PCI DSS Data Security Standard Compliance Package. Providing proposed compliance assessments for cloud resource usage and governance, aligned with the PCI DSS v4.0 baseline standards for account data protection.
ISO 27001 Security Management Standard Compliance Package. Compliance assessments aligned with ISO/IEC 27001 Annex A, supporting implementation, maintenance, and continual improvement of information security management.
SOC 2 Audit Standard Practice Compliance Package. Aligned with SOC 2 Criteria covering Data Security, Availability, Integrity, and Confidentiality.
Pre-Compliance Assessment Package for Cybersecurity Classified Protection Level 3. Auditing the compliance of Tencent Cloud resources in accordance with specific requirements of the Classified Protection Level 3.
Account permission and security best practice. Conducts a comprehensive compliance check on the behaviors of users, user groups, roles, and policies under your account to detect and avoid related risks in advance.
| Challenge | Solution |
|---|---|
| Manual compliance checks are time-consuming and error-prone | CloudConfig continuously evaluates resource configurations against compliance rules and generates automated reports β no manual auditing required. |
| Multi-account visibility is fragmented across accounts | Centralize CloudConfig in the Security account as delegated admin. All member accounts' compliance status is aggregated into a single dashboard. |
| Configuration drift after initial compliance | CloudConfig continuously records and evaluates configuration changes. Any deviation triggers an alert and is recorded for remediation. |
| Compliance reporting for auditors is slow | Pre-built rule sets generate compliance reports on demand. Export results as Excel for auditors and regulators. |
| Permission risks from ad-hoc role/policy creation | Account Security Best Practices library (11 rules) automatically detects risky permission configurations, excessive privileges, and unused credentials. |
CloudConfig continuously records and evaluates the configuration information and related changes of cloud resources across different regions under your account. It achieves efficient automated supervision and standardized operations by:
Automatically synchronizes security data of assets from 34 Tencent Cloud products. Manually add external IPs and domain names for unified management.
Health check tasks detect port risks, vulnerabilities, weak passwords, content risks, configuration risks, and exposed services. Scheduled checks keep monitoring the security posture.
Collects alerts from WAF and CWPP with categorized views. Handle alerts of all security products in the CSC console. Includes Cloud API Exception monitoring for AK breaches.
The security architecture follows a defense-in-depth model with 12 layered controls β from the internet edge through network, subnet, resource, host, container, to audit and compliance layers. Each layer addresses specific threat vectors and together they form a comprehensive security posture.
| Security Layer | Product | Function & Protection Scope |
|---|---|---|
| Internet Edge | EdgeOne | CDN + fundamental security protection at the edge. Provides DDoS protection, WAF, bot management, and accelerated content delivery. First line of defense at the internet boundary. |
| North-South Inbound | CLB WAF + Public CLB | CLB WAF inspects HTTP/HTTPS traffic before it reaches the CLB cluster. Blocks SQL injection, XSS, trojan upload, CC attacks, and OWASP Top 10. Public CLB handles TLS termination and L7 routing. |
| North-South Outbound | NAT Gateway | Centralized outbound internet access (SNAT only) for private subnets. All workload VPCs route egress through the Network Hub's NAT Gateway, enabling traffic inspection and policy enforcement. |
| East-West | VPC Firewall (attached to CCN) | Inspects and controls inter-VPC traffic flowing through CCN. Enforces east-west segmentation between workload VPCs, preventing lateral movement and unauthorized cross-VPC access. |
| Subnet Level | Network ACLs | Coarse-grained, stateless subnet-level filtering. Three-tier NACL model: Public (internet allowed), Private (internal + outbound via NAT), Protected (maximum isolation, database subnets only). |
| Resource Level | Security Groups | Fine-grained, stateful resource-level filtering. Applied to CVM, TKE nodes, CLB, databases. Managed via Terraform for consistency. Includes cluster SG, node shared SG, and service-specific SGs. |
| Host/OS Level | CWPP (Pro) | Cloud Workload Protection Platform for OS-level security: web shell detection, abnormal login, password cracking, malware/trojan detection, vulnerability alerts, and baseline compliance. |
| Container Level | TCSS (Pro) | Tencent Container Security Service for Kubernetes/container security: image security scanning, runtime intrusion detection, CIS baselines, cluster security assessment, and asset management. |
| Audit/Compliance | CloudConfig + CloudAudit | CloudConfig continuously evaluates resource configurations against 190+ compliance rules. CloudAudit records all management API operations for compliance and forensic review. |
| Security Center | CSC (Ultimate) | Cloud Security Center aggregates protections across accounts: vulnerability/baseline/intrusion/malware detection, asset management, risk detection, security alerts, and Cloud API Exception monitoring. |
| Access Management | Bastion Host (Pro) | Centralized Ops management with authentication, authorization, asset access proxy, and comprehensive operation audit. Establishes pre-event prevention, mid-event monitoring, and post-event audit. |
| Network Visibility | Flow Logs (FL) | Continuous, full-traffic, non-intrusive network flow logging. Captures all/allowed/rejected traffic from ENI, NAT Gateway, and cross-region CCN. Delivered to CLS for analysis and COS for retention. |
Deploying CWPP provides in-depth OS-level security protection covering core capabilities for vulnerability management, intrusion detection, and baseline compliance:
TCSS safeguards containers through their entire lifecycle β from image generation and storage to runtime β helping you set up a container security protection system:
Internet β EdgeOne β Public CLB β CLB WAF β Public CLB β CCN β Workload VPCs
EdgeOne provides edge security and CDN. CLB WAF inspects HTTP/HTTPS traffic before the CLB cluster. Traffic then routes through CCN to different VPCs under different Production accounts.
Workload VPC β CCN β NAT Gateway β Internet
All outbound internet access is centralized through the Network Hub's NAT Gateway (SNAT only). Enables centralized logging, policy enforcement, and traffic inspection.
Static password, LDAP integration, two-factor authentication
Least-privilege access to assets, commands, clipboards, file transfers
SSO login to managed IT assets for Ops operations
Records and analyzes all user operation logs for traceability
The Landing Zone implements a unified observability layer via Tencent Cloud Observability Platform (TCOP) and a standardized Terraform delivery pipeline for Infrastructure-as-Code (IaC) governance.
TCOP consolidates metrics, traces, logs, events, and user experience data into a single platform, enabling end-to-end observability from infrastructure to end-user experience.
Cloud Monitor collects native metrics from Tencent Cloud products (CVM, TKE, databases). These metrics are integrated and converted into Prometheus format by TCOP Prometheus service, creating a unified Prometheus ecosystem for both cloud services and custom business applications. Enables cross-cloud monitoring.
Application Performance Monitoring (APM) provides distributed tracing, application topology discovery, and code-level profiling. Delivers deep insights for performance optimization, rapid fault diagnosis, and microservices health monitoring.
All logs from infrastructure, platforms, and applications are centralized in Cloud Log Service (CLS). Offers powerful real-time search, analysis, and alerting β breaking down data silos for comprehensive operational analysis.
EventBridge processes events from three sources: default events from Tencent Cloud products, audit events for compliance, and custom events from applications. Acts as the central nervous system for automated responses and governance workflows.
Cloud Automated Testing uses a global network of probes to actively test availability, performance, and public network quality (e.g., CDN) from worldwide locations and ISPs.
Instruments web pages and mobile apps (Android/iOS) to collect real user performance data, providing insights into actual user experience. Correlates front-end issues with backend traces and infrastructure metrics.
The interconnected data fabric is powered by AI and Large Language Models (LLMs), transitioning observability from reactive monitoring to proactive intelligence. Scenarios include correlating a front-end page slowdown (via RUM) with a microservice latency spike (via APM traces) and further down to a resource bottleneck on a Kubernetes node (via Prometheus metrics) β transforming isolated data points into a complete, contextualized story for every transaction.
The architecture defines a standardized Terraform delivery pipeline built on GitLab, Jenkins, TKE, and Tencent Cloud β enforcing clear separation between pipeline control, execution runtime, and workload environments.
All modules are named as tfmodule-Tencentcloud-<resource-type> and organized by category:
tke, tke-addon, tke-auth, tke-node-pool, tke-log-config, tke-health-check-policy
vpc, nat, eip, clb, clb-listener, clb-target-group, private-link, ccn, ccn-attachment, dc, vpn-gateway, vpn-connection, vpn-customer-gateway-new, vpn-gateway-routes
postgres, postgres-readonly, mysql, mysql-readonly, mongodb, redis, elasticsearch
security-group, security-group-template, waf, waf-clb-domain, ssl-certificate, kms, ssm
cam-role, cic, cic-role, org
cos, cfs
cvm
privatedns, tcr, ses, ses-config, cls, prometheus, sshkey, tdmq-rabbitmq
Terraform state files are stored in Tencent Cloud Object Storage (COS) with native state locking capabilities β ensuring exclusive access to the state file and preventing concurrent Terraform executions from applying changes simultaneously. Separate COS buckets are used for Non-Production and Production environments:
terraform-workload-nonprod-stateterraform-workload-prod-stateGovernance metrics provide measurable indicators of the Landing Zone's effectiveness across account management, cost, security, compliance, operations, and maturity. Metrics are divided into objective (quantitative, automatable) and subjective (qualitative, assessment-based) categories.
These metrics are automatically collected and can be tracked through dashboards, alerts, and reports:
| Metric Category | Metric | Measurement Method |
|---|---|---|
| Account Governance | Account onboarding time | Time from account creation request to fully baselined and production-ready (target: < 2 days) |
| Account compliance rate | Percentage of accounts with all mandatory baselines applied (Network, Security, Financial, Tags) | |
| Cost Governance | Tag compliance rate | Percentage of resources with all 11 mandatory tags correctly applied (target: > 95%) |
| Cost allocation coverage | Percentage of total cloud spend attributable to a cost center / business unit via tags or units | |
| Security | Compliance violations | Number of non-compliant resources detected by CloudConfig across 190+ rules |
| Security alerts | Number of open security alerts from CSC, CWPP, TCSS, and WAF (by severity) | |
| Vulnerabilities | Number of unresolved vulnerabilities detected by CWPP and TCSS (by severity: Critical/High/Medium/Low) | |
| Container | Image scan coverage | Percentage of container images scanned by TCSS before deployment |
| Protected cores | Number of TKE cores protected by TCSS (e.g., 12,000 cores target) | |
| Audit | Audit events | Volume and completeness of CloudAudit events collected org-wide (sec-main-trail coverage) |
| Identity | SSO users | Number of active federated users accessing via Entra ID β CIC SSO |
| MFA | MFA registration rate | Percentage of CAM users with MFA enabled (Virtual MFA, U2F, or Passkey) (target: 100%) |
| IaC | Terraform success rate | Percentage of Terraform pipeline runs completing successfully without manual intervention (target: > 95%) |
| Compliance | Compliance check pass rate | Percentage of CloudConfig rule evaluations passing across all compliance libraries (target: > 90%) |
These metrics are assessed through periodic reviews, architecture audits, and maturity assessments:
| Metric | Assessment Focus | Evaluation Method |
|---|---|---|
| Architecture Quality | Adherence to Landing Zone design principles, pattern consistency, and alignment with Tencent Cloud best practices | Quarterly architecture review with solution architects. Evaluate against the 8 design dimensions and 4 account separation principles. |
| Security Posture Maturity | Effectiveness of defense-in-depth layers, threat detection coverage, and incident response readiness | Annual security assessment. Review CSC dashboard, compliance reports, and penetration test results. Measure against CIS/CIS benchmarks. |
| Governance Sustainability | Long-term maintainability of policies, processes, and guardrails as the environment scales | Bi-annual governance audit. Assess policy coverage, SCP effectiveness, tag enforcement, and account lifecycle management. |
| Operational Efficiency | Speed and quality of operational tasks β incident response, troubleshooting, change management | Monthly ops review. Track MTTR (Mean Time to Resolve), change success rate, and automation coverage. |
| IaC Maturity | Adoption and standardization of Terraform across teams, module reusability, and pipeline automation | Quarterly IaC audit. Review module usage, pipeline success rates, state management hygiene, and code review practices. |
| Migration Risk Level | Overall risk posture of the migration β blast radius, rollback readiness, and cutover confidence | Per-wave migration risk assessment. Evaluate environment readiness, testing completeness, and rollback plan quality. |
Combine objective and subjective metrics for a holistic view of Landing Zone health. Objective metrics provide real-time, automated visibility β ideal for dashboards and alerts. Subjective metrics capture qualitative aspects that automation cannot measure β requiring human judgment and periodic review. Review the full metrics dashboard monthly and conduct deep-dive assessments quarterly.
This page covered all 8 design dimensions for building a secure, scalable, and governable enterprise cloud foundation.
Return to the main migration guide to continue your journey.