Night Mode LabsBlue Book
Cloud Foundations

Account and Landing Zone

A landing zone is the baseline cloud environment that makes teams safe and fast by default. It should define ownership, network boundaries, identity, logging, policy, and cost allocation before application teams build on top of it.

Account structure

Use separate accounts, subscriptions, or projects for strong isolation. Common boundaries include:

  • Production and non-production workloads.
  • Shared networking and security services.
  • Logging, audit, and compliance evidence.
  • Sandboxes and experiments.
  • Business units or regulated domains.

Avoid putting unrelated production systems into one account just because it is faster during kickoff. Weak account boundaries become expensive to fix later.

Landing zone baseline

Every landing zone should provide:

  • SSO and role-based access.
  • Central audit logging.
  • Required tags or labels.
  • Network layout and egress controls.
  • DNS and certificate patterns.
  • Secret and key management.
  • Baseline security policies.
  • Budget alerts and cost allocation.
  • Break-glass access and incident procedures.

Provisioning flow

Ownership

Landing zones need platform ownership, but application teams still own what they deploy. Document the shared responsibility boundary clearly:

  • Platform team owns baseline controls and paved-road modules.
  • Security owns required policy and evidence expectations.
  • Application teams own workload configuration and runtime behavior.
  • Finance owns allocation rules and budget escalation.

Watchouts

  • Do not rely on manual console setup for new accounts.
  • Do not grant broad administrative access as an onboarding shortcut.
  • Do not create landing zones without lifecycle and decommissioning flows.
  • Keep exceptions visible with owners and expiry dates.

Decommissioning

Previous Page

Resource Naming and Tagging

Next Page

On this page

Account structureLanding zone baselineProvisioning flowOwnershipWatchouts