Back to Migration Guide
Landing Zone Design & CAM Identity Management

Landing Zone Design & CAM Identity Management

A comprehensive blueprint for building a secure, scalable, and governable enterprise cloud foundation β€” covering the 8 design dimensions, multi-account architecture, identity management, cost governance, security, monitoring, and governance metrics.

8
Design Dimensions
6
Organization Units
190+
Compliance Rules
50
Terraform Modules
On This Page
01

Landing Zone 8 Design Dimensions

The foundational pillars for a governable enterprise cloud

A Landing Zone is the foundational environment where workloads are deployed β€” providing standardized governance, security, and operations from day one. The Tencent Cloud Landing Zone framework defines 8 design dimensions, each with 3 sub-dimensions, to ensure comprehensive coverage of enterprise requirements.

DimensionSub-DimensionsDescription
Resource Planning Account Structure, Resource Limits, Capacity Planning Define the multi-account organization model, allocate resource quotas per account/region, and forecast capacity for compute, storage, and network to ensure scalable growth without hitting service limits.
Identity & Permission SSO Integration, CAM Role Design, Permission Baselines Centralize authentication through enterprise IdP (e.g., Entra ID via SAML 2.0/SCIM), design CAM roles following least-privilege, and establish baseline permission sets (Administrator, Ops, ReadOnly).
Cost Management Cost Allocation, Budget Alerts, Tag Governance Implement cost allocation tags and units for multi-dimensional chargeback, set up budget thresholds and anomaly alerts, and enforce mandatory tagging policies across all resources.
Compliance Audit Compliance Libraries, Audit Logging, Config Monitoring Apply 190+ pre-built compliance rules (CIS, PCI DSS, ISO 27001, SOC 2), centralize CloudAudit logs across all member accounts, and continuously monitor resource configurations via CloudConfig.
Network Planning Hub-and-Spoke Topology, CIDR Allocation, Traffic Segmentation Design centralized CCN-based hub-and-spoke network, allocate non-overlapping CIDR blocks across environments, and enforce north-south and east-west traffic isolation with route table separation.
Security Design Defense in Depth, Threat Detection, Access Control Layer security controls from internet edge to host OS (EdgeOne, WAF, NAT, VPC Firewall, NACL, Security Groups, CWPP, TCSS), centralize threat detection via CSC, and enforce least-privilege access.
Monitoring & Ops Observability Stack, Alerting, Operational Procedures Deploy unified observability via TCOP (metrics, traces, logs, events), establish alerting thresholds and escalation procedures, and integrate synthetic and real-user monitoring for end-to-end visibility.
Automation Infrastructure as Code, CI/CD Pipelines, Module Reusability Standardize on Terraform with 50 reusable modules, build GitLab→Jenkins→TKE CI/CD pipelines, and manage Terraform state centrally via COS with native state locking.
Why 8 Dimensions?

Each dimension addresses a distinct governance concern. Skipping any dimension creates blind spots β€” for example, without tag governance, cost allocation breaks; without network segmentation, east-west lateral movement is unrestricted. The 8 dimensions together form a complete, defense-in-depth foundation.

02

Multi-Account Architecture (TCO)

Organization structure, OUs, SCPs, and account baselines

The Tencent Cloud Organization (TCO) multi-account model provides strict isolation boundaries, reduces blast radius, and enables centralized governance. The architecture follows proven enterprise patterns with clear separation of security, network, DevOps, and workload responsibilities.

Organization Unit (OU) Design

The organization is structured into 6 top-level OUs, each containing dedicated accounts with specific responsibilities:

Root OU (Enterprise Organization)
Root OU β€” Core Governance & Shared Services
The top-level organizational node providing consolidated governance, billing, and security policy inheritance.
root_account β€” Master payer, org structure, SCPs, cross-account admin roles
security β€” CloudAudit, CloudConfig, CSC (delegated admin)
security_logging β€” Centralized log collection & retention (CLS/COS)
backup_audit β€” Backup/snapshot behavior tracking
platform_core β€” Terraform state storage (COS)
billing β€” Cost monitoring, billing center (delegated admin)
sso β€” Account governance & permission management
Decommissioned OU
Controlled intermediate state between "active" and "deleted" accounts. Enforces SCP-based restrictions and a two-step approval workflow for secure, auditable account retirement.
Sandbox OU
Controlled, non-production environment for testing, learning, and proof-of-concept activities β€” isolated from production with strict guardrails.
Network OU β€” Network Management
Isolates and manages networking components for multiple workload environments.
network_sec_nonprod β€” SIT/Staging VPCs, subnets, routes, firewalls, CLB WAF, EdgeOne
network_sec_prod β€” Production network, public CLBs, NAT gateways, VPC firewall, internet edge firewall
DevOps OU
Enterprise-wide automation, deployment orchestration, and resource provisioning.
devops β€” CI/CD pipelines (CODING/GitLab Runner), IaC storage, TKE addons deployment
Workload OU β€” Application Workloads
Hosts all application and business workloads with clear Non-Production / Production separation.
Non-Production: DEV / SIT accounts per application domain
Production: Staging / Production accounts per application domain
Partner: Isolated accounts for third-party integrations (Non-Prod & Prod)

4 Design Principles for Account Separation

01. By Responsibility

Separate accounts by function: security, logging, network, DevOps, billing β€” each with dedicated ownership and clear boundaries.

02. By Business

Group applications by business domain (e.g., API, Digital Touchpoint, ESS) to align with organizational structure and ownership.

03. By Environment

Strict isolation between Production and Non-Production (DEV/SIT/Staging) at the account level to prevent cross-environment access.

04. By Special Requirements

Dedicated accounts for Partner access, Sandbox testing, and Decommissioned resources with tailored guardrails.

SCP (Service Control Policy) Design

Root OU β€” Governs All Accounts

The Root OU enforces organization-wide SCPs including security guardrails, regional restrictions, and protection of critical governance and audit controls. All child OUs and accounts inherit these policies.

Decommissioned OU β€” SCP Restrictions

Accounts in the Decommissioned OU are locked down with restrictive SCPs that deny most actions except read-only access and deletion β€” ensuring isolated, auditable retirement. SCPs can be deployed via Terraform.

Account Factory Baselines

When a new account is created through the Account Factory, the following baselines are automatically applied:

Network Baseline

  • VPC, subnets (private/protected/public)
  • CCN attachment
  • Route tables
  • Network ACLs
  • Security group templates

Security Baseline

  • CWPP agent installation
  • TCSS integration
  • CloudConfig rules
  • CloudAudit tracking set
  • CSC enrollment

Financial & Comms

  • Financial policy (budget alerts)
  • Mandatory tag policies
  • Message subscription (alarms)
  • Account initialization (roles, MFA)
  • Billing linkage

3 Terraform Baseline Modes

ModeStructureUse Case
Standalone tfbaseline-<app>/ + <app>-tfworkload/ Application has its own dedicated VPC and baseline. Used for large or business-critical applications requiring strong isolation boundaries.
Consolidated tfbaseline-<consolidated>/ (shared VPC) + multiple <app>-tfworkload/ Multiple small/medium applications share one VPC, isolated by subnets and security groups. Reduces total account count while maintaining logical isolation.
shared-infra shared-infra/ + tfbaseline-shared-infra/ Account-level shared resources (e.g., TCR container registry, KMS keys, shared security group templates) referenced by all applications under a business unit.
03

Identity & Access Management (CAM)

Identity types, permission baselines, SSO, MFA, and access scenarios

Tencent Cloud Cloud Access Management (CAM) provides authentication and authorization for users, roles, and groups. The identity model integrates with enterprise IdP (Microsoft Entra ID) via SAML 2.0 and SCIM for SSO, with post-login access control enforced through CAM policies and tag-based ABAC.

Identity Types

CAM User

A sub-account under the root account with its own credentials. Used for programmatic API access and console login for specific users.

CAM Role

A virtual identity with a set of permissions that can be assumed by trusted entities. Used for cross-account access and service-to-service authorization.

CAM User Group

A collection of CAM users that shares the same permissions. Simplifies permission management by assigning policies to groups rather than individual users.

Service-Linked Role

A predefined role automatically created for Tencent Cloud services (e.g., TKE, CLB) to access other resources on your behalf. Pre-authorized and service-specific.

CIC User

Cloud Identity Center (CIC) user β€” a federated identity synchronized from an external IdP (e.g., Entra ID) via SCIM, enabling SSO across all member accounts.

4 Baseline Permission Sets

Permission SetDescriptionAttached Policies
LimitedAdmin All administrative permissions except write access to CAM (deny-based AdminAccess). Prevents privilege escalation while allowing full resource management. AdministratorAccess with explicit deny list for all cam:* write actions (AddUser, CreateRole, DeletePolicy, AttachRolePolicy, etc.)
Administrator Full administrative-level privileges including CAM management. Reserved for root account and identity governance team only. AdministratorAccess
Ops Full management for core compute (CVM, TKE), databases (CynosDB, CDB, Redis, PostgreSQL, MongoDB, MariaDB), operations automation (TAT), bastion host (BH), security (CWPP, TCSS, WAF, Config), and KMS. Read-only for all other modules. QcloudCVMFullAccess, QcloudTKEFullAccess, QcloudCynosDBFullAccess, QcloudCDBFullAccess, QcloudRedisFullAccessPreset, QcloudBhFullAccess, QcloudKMSFullAccess, QcloudCWPFullAccess, QcloudTCSSFullAccess, QcloudWAFFullAccess, QcloudConfigFullAccess, ReadOnlyAccess
ReadOnly Read-only access across all service modules. For auditors, monitoring teams, and users who need visibility without modification rights. ReadOnlyAccess

Authorization Modes

Baseline Permission Set Method

Each account maintains standard permission sets (Administrator, Ops, ReadOnly) mapped 1:1 to AD groups. Simple but can lead to AD group proliferation if ad-hoc permission sets are created frequently.

ABAC (Tag-Based Access Control)

Authorization based on resource tags and user attributes. Combine baseline permissions with app tags (e.g., ReadOnly_MyApp) to grant scoped access β€” reducing the need for ad-hoc permission sets.

SSO Integration

ComponentProtocolFunction
Entra ID SAML 2.0 + SCIM Enterprise identity provider. Authenticates users and synchronizes users/groups to CIC. Saviynt handles request approval and lifecycle governance.
CIC (Cloud Identity Center) Federation Tencent Cloud's centralized identity service. Receives synchronized users/groups from Entra ID and manages access assignments across member accounts.
CAM Policy-based Enforces fine-grained permissions after authentication. Users access accounts as mapped CAM users or by assuming CAM roles.
ABAC Tag-based Post-login access control using resource tags + user attributes. Enforces access rules aligned with organizational security requirements.

5 MFA Types

Virtual MFA

TOTP-based authenticator apps (Google Authenticator, Microsoft Authenticator). Most common MFA method.

U2F Token

Hardware security key supporting FIDO U2F standard. Provides phishing-resistant hardware-based authentication.

Passkey

Passwordless authentication using device biometrics (Face ID, Touch ID) or device PIN. Modern FIDO2-based credential.

MFA Flag

Global MFA enforcement setting at the account level. Requires all CAM users to enable MFA before accessing console.

Safe Auth Flag

Enhanced protection flag for high-risk operations (e.g., deleting resources, modifying security groups). Adds an extra verification step.

STS Token & Cross-Account Access (AssumeRole)

Security Token Service (STS) enables temporary credential issuance for cross-account access. Users authenticate in one account, then assume a role in another account to gain scoped permissions β€” no long-term keys shared.

# Terraform provider configuration for cross-account AssumeRole provider "tencentcloud" { region = var.region assume_role { role_arn = "qcs::cam::uin/${var.account_uin}:roleName/${var.assume_role_name}" session_name = "terraform-<app>-workload-<env>-session" session_duration = 7200 } } # Backend: Terraform state stored in COS with native state locking terraform { backend "cos" { region = "ap-jakarta" bucket = "terraform-workload-nonprod-state" prefix = "terraform/workloads/<path>/" encrypt = true assume_role { role_arn = "qcs::cam::uin/${var.platform_account_uin}:roleName/TerraformAssumeRoleForDevops" session_name = "terraform-backend-session" session_duration = 7200 } } }

5 Common Login Scenarios

ScenarioDescription
1. Single App Access User/group can only access a specific application (e.g., only MyApp). Achieved by combining a baseline permission set with the app's tag via ABAC.
2. Multi-App Access User/group can access multiple applications (e.g., MyApp & PartnerApp). Multiple tag-based permission sets are assigned to the user's group.
3. Team-Wide Access User/group can access all applications within their team (e.g., all apps in the Digital Touchpoint account). Granted via account-level permission sets.
4. Role-Specific Access User/group has one or multiple roles in an application (e.g., Admin, Developer, Operations, Read Only). Multiple baseline permission sets are assigned per app tag.
5. Infra-Only Access User/group can access infrastructure but not application workloads (or vice versa). Uses Tencent Cloud console dashboard isolation and CAM policy conditions.

CloudAudit Tracking Sets

sec-main-trail

Scope: All members under the organization account

Event Type: All

Resource Type: CAM

Destination: Central log COS bucket

Centralized audit trail for CAM role changes across the entire organization β€” managed by the Security account as delegated admin.

audit-trail (local)

Scope: This account only

Event Type: All

Resource Type: CAM

Destination: Local CLS / COS

Account-level audit trail for local compliance and operational troubleshooting β€” supplements the org-wide trail.

04

Cost Management & Tagging

Cost allocation, financial architecture, mandatory tags, and naming conventions

Cost governance is a foundational element of scalable cloud governance. A unified tagging framework ensures consistent resource management, enables granular cost tracking, and supports chargeback/showback models across teams and business units.

Cost Allocation Methods

Tags β€” Single Dimension

A simple way to track expenses by labeling cloud resources. Suitable for viewing costs from a single dimension such as by project, department, or environment.

Example: Filter all resources with environment: prod to see total production cost.

Units β€” Multi-Dimension

Designed for organizations with complex structures. Allows customized allocation rules and sharing ratios based on internal hierarchies for multi-dimensional cost aggregation.

Example: Allocate shared network costs to 5 business units with different ratios (30%/25%/20%/15%/10%).

Financial Architecture β€” Dedicated Billing Account

A dedicated billing account is set as the delegated admin for cost management. This account monitors billing across all OUs, allows cost analysis by OU, tags, accounts, and products, and isolates financial access from operational teams. The Cloud Identity Center assigns this account as the billing center delegated admin.

11 Mandatory Tags

Each resource on Tencent Cloud can be associated with up to 50 tags. The following 11 tags are mandatory for all resources:

Tag KeyDescriptionExample Values
app-nameIdentifies the application or service the resource supportsmyapp, shared-services
cost-centerCost center or department associated with the resourceit-ess-single-approval, shared-services
cloud-providerCloud service provider hosting the resourceaws, gcp, azure, huawei, tencent
business-criticalWhether the resource is part of a business-critical serviceyes, no
criticalityAsset criticality based on CIA framework (Confidentiality, Integrity, Availability)cj (Crown Jewel), mcj, c1, c2, nc (Non-critical)
info-classClassification of information stored/processed by the applicationconfidential / PII, internal, public
environmentDeployment environment (production vs non-production)prod, non-prod
business-ownerBusiness Owner using the resource (directorate-level)commercial, finance, sales
system-ownerSystem/Application Owner responsible for lifecycle & budgetit-ess, it-dt, it-api
managed-byParty managing the resource (mandatory for shared services)internal-devops, managed-service-provider
resource-typeWhether the resource is shared or application-specificshared-resource, app-resource

17 Big Data Extended Tags

For data platform and analytics workloads, the following extended tags provide enhanced visibility for data lifecycle management, analytics, and platform optimization:

Tag KeyLogical HierarchyDescription / Example Values
environmentEnvironmentProduction, Development
app-nameApplicationMyApp, Data_Pipeline (underscore between words)
technical-ownerOwnerTeam responsible for the resource
business-ownerBusiness OwnerTeam that owns and uses the resource
business-areaBusiness AreaMobile, Home, Business_Solution
cost-centerCost CenterCC12345, CC67890
data-sensitivityData SensitivityPII, Non-PII
info-classData Security ClassificationPublic, Confidential, Internal
business-unitBusiness UnitMarketing, Finance
app-componentApplication ComponentFrontend, Backend
criticalityCriticalityCJ, CMJ, C1, C2, C3
jobJobSpecific job/task identifier
datalake-layerDatalake Layerbronze, silver, gold β€” data layer in the Data Ocean
content-classificationClassificationreference, master_data, subject_base
subject-areaSubject Areacustomer, consumption
hot-retentionHot RetentionDays as integer (e.g., H7, H14, H30, H60, H90)
warm-retention / cold-retentionWarm/Cold RetentionW90, W180 / C365, C730

Tag Naming Conventions

Tag Naming Rules
  • Use lowercase letters for keys and values to ensure consistency
  • Use hyphens (-) to separate words (e.g., cost-center, data-classification)
  • Avoid special characters except hyphens and underscores
  • Keep tag keys and values concise but descriptive
  • Maximum 50 tags per resource on Tencent Cloud

Resource Naming Conventions

A clear naming convention turns every resource name into instantly usable metadata (environment, region, app, owner, purpose) β€” reducing ambiguity, speeding up troubleshooting, and strengthening governance.

ResourceNaming PatternExample
VPC[application]-[prod/nonprod]myapp-prod
Subnet[application]-[prod/nonprod]-[private/protected/public]-[region]myapp-prod-private-ap-jakarta
NAT Gatewaynat-gateway-[primary/secondary/...]-[prod/nonprod]nat-gateway-primary-prod
VPN Gateway[environment]-[tencent]-to-[destination]-[region]-vpn-gatewayprod-tencent-to-aws-jakarta-vpn-gateway
CCNCCN-[prod/nonprod]CCN-prod
CVM[application]-[servicename]-[productname]-[environment]myapp-web-nginx-prod
TKE (dedicated)[application]-[servicename]-[productname]-[environment]myapp-cluster-myapp-prod
TKE (consolidated)[application]-[cons{1-10}]-[productname]-[environment]myapp-cons1-shared-prod
CLB[application]-[servicename]-[productname]-[private/public]-[environment]myapp-web-nginx-public-prod
COS[application]-[bucketname]-[environment]myapp-terraform-state-prod
05

Compliance & Audit

6 compliance libraries with 190+ rules for continuous monitoring

Tencent Cloud CloudConfig provides 6 compliance libraries with 190+ rule templates for automated compliance auditing. These libraries cover major international standards and regulatory requirements, enabling continuous monitoring and automated compliance reporting.

6 Compliance Libraries (190+ Rules)

CIS Benchmarks 32 rules

Cybersecurity and Data Security Best Practices. A comprehensive inspection of network architecture and data security to validate proper configuration and protection of systems and data, with reference to the CIS Benchmarks.

PCI DSS v4.0 46 rules

PCI DSS Data Security Standard Compliance Package. Providing proposed compliance assessments for cloud resource usage and governance, aligned with the PCI DSS v4.0 baseline standards for account data protection.

ISO 27001 69 rules

ISO 27001 Security Management Standard Compliance Package. Compliance assessments aligned with ISO/IEC 27001 Annex A, supporting implementation, maintenance, and continual improvement of information security management.

SOC 2 67 rules

SOC 2 Audit Standard Practice Compliance Package. Aligned with SOC 2 Criteria covering Data Security, Availability, Integrity, and Confidentiality.

Network Security Level 3 65 rules

Pre-Compliance Assessment Package for Cybersecurity Classified Protection Level 3. Auditing the compliance of Tencent Cloud resources in accordance with specific requirements of the Classified Protection Level 3.

Account Security Best Practices 11 rules

Account permission and security best practice. Conducts a comprehensive compliance check on the behaviors of users, user groups, roles, and policies under your account to detect and avoid related risks in advance.

Common Compliance Challenges & Solutions

ChallengeSolution
Manual compliance checks are time-consuming and error-prone CloudConfig continuously evaluates resource configurations against compliance rules and generates automated reports β€” no manual auditing required.
Multi-account visibility is fragmented across accounts Centralize CloudConfig in the Security account as delegated admin. All member accounts' compliance status is aggregated into a single dashboard.
Configuration drift after initial compliance CloudConfig continuously records and evaluates configuration changes. Any deviation triggers an alert and is recorded for remediation.
Compliance reporting for auditors is slow Pre-built rule sets generate compliance reports on demand. Export results as Excel for auditors and regulators.
Permission risks from ad-hoc role/policy creation Account Security Best Practices library (11 rules) automatically detects risky permission configurations, excessive privileges, and unused credentials.

CloudConfig β€” Continuous Monitoring

How CloudConfig Works

CloudConfig continuously records and evaluates the configuration information and related changes of cloud resources across different regions under your account. It achieves efficient automated supervision and standardized operations by:

  • Recording: Tracks all configuration changes to resources in real-time
  • Evaluating: Compares configurations against compliance rules automatically
  • Alerting: Triggers notifications when resources become non-compliant
  • Reporting: Generates compliance reports for audits and governance reviews
  • Centralized: Managed from the Security account as delegated admin across all member accounts

CSC (Cloud Security Center) β€” Risk Detection

Asset Management

Automatically synchronizes security data of assets from 34 Tencent Cloud products. Manually add external IPs and domain names for unified management.

Risk Detection

Health check tasks detect port risks, vulnerabilities, weak passwords, content risks, configuration risks, and exposed services. Scheduled checks keep monitoring the security posture.

Security Alerts

Collects alerts from WAF and CWPP with categorized views. Handle alerts of all security products in the CSC console. Includes Cloud API Exception monitoring for AK breaches.

06

Security Architecture

Defense-in-depth from internet edge to host OS β€” 12 security layers

The security architecture follows a defense-in-depth model with 12 layered controls β€” from the internet edge through network, subnet, resource, host, container, to audit and compliance layers. Each layer addresses specific threat vectors and together they form a comprehensive security posture.

Security Product Matrix

Security LayerProductFunction & Protection Scope
Internet Edge EdgeOne CDN + fundamental security protection at the edge. Provides DDoS protection, WAF, bot management, and accelerated content delivery. First line of defense at the internet boundary.
North-South Inbound CLB WAF + Public CLB CLB WAF inspects HTTP/HTTPS traffic before it reaches the CLB cluster. Blocks SQL injection, XSS, trojan upload, CC attacks, and OWASP Top 10. Public CLB handles TLS termination and L7 routing.
North-South Outbound NAT Gateway Centralized outbound internet access (SNAT only) for private subnets. All workload VPCs route egress through the Network Hub's NAT Gateway, enabling traffic inspection and policy enforcement.
East-West VPC Firewall (attached to CCN) Inspects and controls inter-VPC traffic flowing through CCN. Enforces east-west segmentation between workload VPCs, preventing lateral movement and unauthorized cross-VPC access.
Subnet Level Network ACLs Coarse-grained, stateless subnet-level filtering. Three-tier NACL model: Public (internet allowed), Private (internal + outbound via NAT), Protected (maximum isolation, database subnets only).
Resource Level Security Groups Fine-grained, stateful resource-level filtering. Applied to CVM, TKE nodes, CLB, databases. Managed via Terraform for consistency. Includes cluster SG, node shared SG, and service-specific SGs.
Host/OS Level CWPP (Pro) Cloud Workload Protection Platform for OS-level security: web shell detection, abnormal login, password cracking, malware/trojan detection, vulnerability alerts, and baseline compliance.
Container Level TCSS (Pro) Tencent Container Security Service for Kubernetes/container security: image security scanning, runtime intrusion detection, CIS baselines, cluster security assessment, and asset management.
Audit/Compliance CloudConfig + CloudAudit CloudConfig continuously evaluates resource configurations against 190+ compliance rules. CloudAudit records all management API operations for compliance and forensic review.
Security Center CSC (Ultimate) Cloud Security Center aggregates protections across accounts: vulnerability/baseline/intrusion/malware detection, asset management, risk detection, security alerts, and Cloud API Exception monitoring.
Access Management Bastion Host (Pro) Centralized Ops management with authentication, authorization, asset access proxy, and comprehensive operation audit. Establishes pre-event prevention, mid-event monitoring, and post-event audit.
Network Visibility Flow Logs (FL) Continuous, full-traffic, non-intrusive network flow logging. Captures all/allowed/rejected traffic from ENI, NAT Gateway, and cross-region CCN. Delivered to CLS for analysis and COS for retention.

CWPP Key Features

CWPP (Cloud Workload Protection Platform) β€” Pro Version

Deploying CWPP provides in-depth OS-level security protection covering core capabilities for vulnerability management, intrusion detection, and baseline compliance:

  • Web Shell Detection: Scans newly created web program files for suspicious risks. Machine learning detection engine analyzes and deletes confirmed web shells in real-time. Full scan runs daily by default.
  • Abnormal Login Reminder: Identifies abnormal admin logins by analyzing source IP, time, username, and login status. Login log data retained on cloud for one month.
  • Password Cracking Reminder: Detects brute-force password attacks against servers. Collects and analyzes source IP, attack time, username, and login status from logs.
  • Malware/Trojan Detection: Agent collects hash values of suspicious programs. Cloud-based scanning and blocking engine inspects values. Unknown executables are reported and inspected by the anti-virus engine. Samples deleted in real-time after inspection.
  • Vulnerability Alert: Detects Linux and Windows vulnerabilities and security baselines complying with Tencent Cloud requirements.

TCSS Key Features

TCSS (Tencent Container Security Service) β€” Pro Version

TCSS safeguards containers through their entire lifecycle β€” from image generation and storage to runtime β€” helping you set up a container security protection system:

  • Asset Management: Automatic asset inventory visualizes key assets β€” containers, images, image repositories, and servers.
  • Image Security: Scans images and image repositories for vulnerabilities, trojans, viruses, and sensitive information.
  • Runtime Security: Identifies hacker attacks adaptively, monitors and protects container runtime in real-time. Includes container escape detection, process blocklist/allowlist, and file access control.
  • CIS Baselines: Supports CIS Benchmarks for containers, images, and servers. Displays multidimensional baseline compliance of container assets.
  • Cluster Security: Scans clusters for vulnerabilities and configuration risks automatically or manually. Aggregates risk data across the business environment.

North-South Traffic Flow

Inbound Traffic

Internet β†’ EdgeOne β†’ Public CLB β†’ CLB WAF β†’ Public CLB β†’ CCN β†’ Workload VPCs

EdgeOne provides edge security and CDN. CLB WAF inspects HTTP/HTTPS traffic before the CLB cluster. Traffic then routes through CCN to different VPCs under different Production accounts.

Outbound Traffic

Workload VPC β†’ CCN β†’ NAT Gateway β†’ Internet

All outbound internet access is centralized through the Network Hub's NAT Gateway (SNAT only). Enables centralized logging, policy enforcement, and traffic inspection.

Bastion Host Design

Authentication

Static password, LDAP integration, two-factor authentication

Authorization

Least-privilege access to assets, commands, clipboards, file transfers

Asset Access

SSO login to managed IT assets for Ops operations

Operation Audit

Records and analyzes all user operation logs for traceability

07

Monitoring & Automation

TCOP observability stack and Terraform CI/CD pipeline

The Landing Zone implements a unified observability layer via Tencent Cloud Observability Platform (TCOP) and a standardized Terraform delivery pipeline for Infrastructure-as-Code (IaC) governance.

TCOP β€” Unified Observability Platform

TCOP consolidates metrics, traces, logs, events, and user experience data into a single platform, enabling end-to-end observability from infrastructure to end-user experience.

Metrics β€” Cloud Monitor β†’ Prometheus

Cloud Monitor collects native metrics from Tencent Cloud products (CVM, TKE, databases). These metrics are integrated and converted into Prometheus format by TCOP Prometheus service, creating a unified Prometheus ecosystem for both cloud services and custom business applications. Enables cross-cloud monitoring.

Traces β€” APM Distributed Tracing

Application Performance Monitoring (APM) provides distributed tracing, application topology discovery, and code-level profiling. Delivers deep insights for performance optimization, rapid fault diagnosis, and microservices health monitoring.

Logs β€” CLS Centralized Aggregation

All logs from infrastructure, platforms, and applications are centralized in Cloud Log Service (CLS). Offers powerful real-time search, analysis, and alerting β€” breaking down data silos for comprehensive operational analysis.

Events β€” EventBridge Governance

EventBridge processes events from three sources: default events from Tencent Cloud products, audit events for compliance, and custom events from applications. Acts as the central nervous system for automated responses and governance workflows.

CAT β€” Synthetic Monitoring

Cloud Automated Testing uses a global network of probes to actively test availability, performance, and public network quality (e.g., CDN) from worldwide locations and ISPs.

RUM β€” Real User Monitoring

Instruments web pages and mobile apps (Android/iOS) to collect real user performance data, providing insights into actual user experience. Correlates front-end issues with backend traces and infrastructure metrics.

AI-Enhanced Observability

The interconnected data fabric is powered by AI and Large Language Models (LLMs), transitioning observability from reactive monitoring to proactive intelligence. Scenarios include correlating a front-end page slowdown (via RUM) with a microservice latency spike (via APM traces) and further down to a resource bottleneck on a Kubernetes node (via Prometheus metrics) β€” transforming isolated data points into a complete, contextualized story for every transaction.

Terraform CI/CD Pipeline

The architecture defines a standardized Terraform delivery pipeline built on GitLab, Jenkins, TKE, and Tencent Cloud β€” enforcing clear separation between pipeline control, execution runtime, and workload environments.

Pipeline Flow: GitLab β†’ Jenkins β†’ TKE Pod β†’ Tencent Cloud API β†’ COS (State)

# 1. GitLab (Source Repository + Trigger) # - Terraform workload repos contain infrastructure code + Jenkinsfile # - Developer push/MR/comment β†’ webhook to Jenkins # - GitLab does NOT execute pipeline logic or interact with cloud # 2. Jenkins (Orchestrator) # - Pulls Jenkins Shared Library from dedicated GitLab repo # - Invokes reusable terraformPipeline logic # - Determines target environment (prod/nonprod) from parameters # - Cloud credentials managed via Jenkins Credentials (injected at runtime) # 3. TKE Pod (Execution Runtime) # - Jenkins dynamically creates ephemeral pod in TKE cluster # - Terraform runs inside containers β€” isolation + clean lifecycle # - Access keys never stored in GitLab or Terraform code # 4. Tencent Cloud API (Resource Provisioning) # - Terraform calls Tencent Cloud APIs via AKSK # - Provisions network, TKE, databases, and supporting services # 5. COS (State Management) # - Terraform state centrally managed in COS # - COS provides native state locking β€” prevents concurrent modifications # - No DynamoDB table needed (unlike AWS S3 backend)

50 Reusable Terraform Modules

All modules are named as tfmodule-Tencentcloud-<resource-type> and organized by category:

Container 6

tke, tke-addon, tke-auth, tke-node-pool, tke-log-config, tke-health-check-policy

Network 14

vpc, nat, eip, clb, clb-listener, clb-target-group, private-link, ccn, ccn-attachment, dc, vpn-gateway, vpn-connection, vpn-customer-gateway-new, vpn-gateway-routes

Database 7

postgres, postgres-readonly, mysql, mysql-readonly, mongodb, redis, elasticsearch

Security 7

security-group, security-group-template, waf, waf-clb-domain, ssl-certificate, kms, ssm

Identity 4

cam-role, cic, cic-role, org

Storage 2

cos, cfs

Compute 1

cvm

Other 9

privatedns, tcr, ses, ses-config, cls, prometheus, sshkey, tdmq-rabbitmq

Terraform State Management

Terraform state files are stored in Tencent Cloud Object Storage (COS) with native state locking capabilities β€” ensuring exclusive access to the state file and preventing concurrent Terraform executions from applying changes simultaneously. Separate COS buckets are used for Non-Production and Production environments:

  • NonProd: terraform-workload-nonprod-state
  • Prod: terraform-workload-prod-state
08

Governance Metrics

Objective and subjective metrics for measuring Landing Zone success

Governance metrics provide measurable indicators of the Landing Zone's effectiveness across account management, cost, security, compliance, operations, and maturity. Metrics are divided into objective (quantitative, automatable) and subjective (qualitative, assessment-based) categories.

Objective Metrics (Quantitative)

These metrics are automatically collected and can be tracked through dashboards, alerts, and reports:

Metric CategoryMetricMeasurement Method
Account Governance Account onboarding time Time from account creation request to fully baselined and production-ready (target: < 2 days)
Account compliance rate Percentage of accounts with all mandatory baselines applied (Network, Security, Financial, Tags)
Cost Governance Tag compliance rate Percentage of resources with all 11 mandatory tags correctly applied (target: > 95%)
Cost allocation coverage Percentage of total cloud spend attributable to a cost center / business unit via tags or units
Security Compliance violations Number of non-compliant resources detected by CloudConfig across 190+ rules
Security alerts Number of open security alerts from CSC, CWPP, TCSS, and WAF (by severity)
Vulnerabilities Number of unresolved vulnerabilities detected by CWPP and TCSS (by severity: Critical/High/Medium/Low)
Container Image scan coverage Percentage of container images scanned by TCSS before deployment
Protected cores Number of TKE cores protected by TCSS (e.g., 12,000 cores target)
Audit Audit events Volume and completeness of CloudAudit events collected org-wide (sec-main-trail coverage)
Identity SSO users Number of active federated users accessing via Entra ID β†’ CIC SSO
MFA MFA registration rate Percentage of CAM users with MFA enabled (Virtual MFA, U2F, or Passkey) (target: 100%)
IaC Terraform success rate Percentage of Terraform pipeline runs completing successfully without manual intervention (target: > 95%)
Compliance Compliance check pass rate Percentage of CloudConfig rule evaluations passing across all compliance libraries (target: > 90%)

Subjective Metrics (Qualitative)

These metrics are assessed through periodic reviews, architecture audits, and maturity assessments:

MetricAssessment FocusEvaluation Method
Architecture Quality Adherence to Landing Zone design principles, pattern consistency, and alignment with Tencent Cloud best practices Quarterly architecture review with solution architects. Evaluate against the 8 design dimensions and 4 account separation principles.
Security Posture Maturity Effectiveness of defense-in-depth layers, threat detection coverage, and incident response readiness Annual security assessment. Review CSC dashboard, compliance reports, and penetration test results. Measure against CIS/CIS benchmarks.
Governance Sustainability Long-term maintainability of policies, processes, and guardrails as the environment scales Bi-annual governance audit. Assess policy coverage, SCP effectiveness, tag enforcement, and account lifecycle management.
Operational Efficiency Speed and quality of operational tasks β€” incident response, troubleshooting, change management Monthly ops review. Track MTTR (Mean Time to Resolve), change success rate, and automation coverage.
IaC Maturity Adoption and standardization of Terraform across teams, module reusability, and pipeline automation Quarterly IaC audit. Review module usage, pipeline success rates, state management hygiene, and code review practices.
Migration Risk Level Overall risk posture of the migration β€” blast radius, rollback readiness, and cutover confidence Per-wave migration risk assessment. Evaluate environment readiness, testing completeness, and rollback plan quality.
Metrics-Driven Governance

Combine objective and subjective metrics for a holistic view of Landing Zone health. Objective metrics provide real-time, automated visibility β€” ideal for dashboards and alerts. Subjective metrics capture qualitative aspects that automation cannot measure β€” requiring human judgment and periodic review. Review the full metrics dashboard monthly and conduct deep-dive assessments quarterly.

Landing Zone Foundation Complete

This page covered all 8 design dimensions for building a secure, scalable, and governable enterprise cloud foundation.
Return to the main migration guide to continue your journey.

Back to Migration Guide