Skip to main content

Cloud Landing Zone Security Checklist

A security review of a multi-account cloud landing zone covering account isolation, centralized SSO with least-privilege roles, non-overridable guardrail policies, protected centralized logging, and default encryption. The landing zone itself is provisioned as version-controlled IaC.

Estimated Time
1-2 days
Type
security audit
Category
Cloud
Steps
13

When to Use This Checklist

Use this checklist when establishing a cloud foundation, often called a landing zone, before onboarding production workloads, or when auditing an existing one. A landing zone is the pre-configured, secure, multi-account baseline on which all future workloads are built. Getting it right early prevents the sprawl of inconsistent, insecure accounts that is painful to remediate later.

How to Use This Checklist

Work from the foundation up. Start with account structure: isolate environments and teams into separate accounts so a compromise or mistake in one cannot spread. Then centralize identity through SSO with federated, least-privilege roles, removing standing admin access. Apply organization-wide guardrails that local teams cannot override, and centralize audit logging into a dedicated, tamper-resistant account so logs survive even if a workload account is compromised.

Provision the landing zone itself as code. A landing zone clicked together by hand cannot be reliably reproduced, audited, or recovered, which defeats much of its purpose.

What Good Looks Like

Workloads live in isolated accounts with clear environment and team boundaries. Access flows through centralized SSO with least-privilege federated roles and no standing administrators. Organization-wide guardrail policies enforce non-negotiable rules, and all audit logs collect into a separate, protected account. The network baseline segments traffic and controls egress, encryption is on by default, and posture monitoring continuously checks against a recognized benchmark. New workloads onboard through a repeatable account-vending process, costs are tagged and budgeted, and break-glass access is secured and logged. The whole landing zone is defined in version-controlled IaC.

Common Pitfalls

The most common pitfall is a flat structure where many workloads share one or few accounts, so a single breach or runaway resource affects everything. Standing administrative access and over-broad roles are pervasive and dangerous. Teams often forget to centralize and protect logs, so an attacker who compromises an account can erase the evidence. Building the landing zone manually rather than as code makes it impossible to reproduce or audit, and missing cost guardrails lead to surprise bills as adoption grows.

Related Resources

Follow cloud landing zone guidance and the security pillars of the AWS and Azure well-architected frameworks. Enforce least privilege and benchmark against CIS Controls, provision with the IaC security playbook, and apply consistent tagging for cost allocation.