The page has been translated by Gen AI.

How-to guides

Using Cloud Control

The user must first create a landing zone to use the Cloud Control service. When a landing zone is created, you can use the management features of Cloud Control.

Caution

There is no charge for the Cloud Control service, but services used within Cloud Control such as Logging&Audit, Object Storage, and Config Inspection may incur costs based on usage.

Create Landing Zone

To use Cloud Control in the Samsung Cloud Platform Console, you must first create a landing zone.

To create a landing zone, follow these steps.

Click the All Services > Management > Cloud Control menu. You will be taken to the Service Home page of Cloud Control.
On the Service Home page, click the Create Landing Zone button. You will be taken to the Create Landing Zone page.

After setting the configuration items in the Rate Review and Organizational Unit Configuration area, click the Next button.

Category	Required status	Detailed description
Home region	-	Home region of Cloud Control Cloud Control sets the default region as the home region and it cannot be changed All regions except the default region are managed by Cloud Control
Basic organizational unit	Required	Enter the default organizational unit within the landing zone Case-sensitive English letters, enter up to 128 characters The default organizational unit includes shared Account (Log Account, Audit Account) Security: Default organizational unit name of the shared Account Can be modified after creating the landing zone
Additional organizational unit	Required	Enter additional organizational unit within the landing zone Case-sensitive English letters, up to 128 characters Can be added after creating the landing zone

Category

Required status

Detailed description

Home region

Home region of Cloud Control

Cloud Control sets the default region as the home region and it cannot be changed

All regions except the default region are managed by Cloud Control

Basic organizational unit

Required

Enter the default organizational unit within the landing zone

Case-sensitive English letters, enter up to 128 characters

The default organizational unit includes shared Account (Log Account, Audit Account)

Security: Default organizational unit name of the shared Account

Can be modified after creating the landing zone

Additional organizational unit

Required

Enter additional organizational unit within the landing zone

Case-sensitive English letters, up to 128 characters

Can be added after creating the landing zone

Table. Landing zone creation - cost review and organizational unit configuration items

After setting the configuration items in the Shared Account Configuration area, click the Next button.

Category

Category	Required status	Detailed description
Management Account	-	The Management Account name is displayed and cannot be edited.
Log Account	Required	Enter Log Account Information Account name: Use Korean, English, numbers, spaces, and special characters (`+=-_@[](),.`) to enter within 3 to 30 characters Email, Confirm Email: Enter up to 60 characters in a valid email address format
Audit Account	Required	Enter Log Account information Account name: Korean characters, English letters, numbers, spaces, special characters(`+=-_@[](),.`) within 3 to 30 characters Email, Confirm Email: Enter up to 60 characters in a valid email address format Cannot use the same email as Log Account

Required status

Detailed description

Management Account - The Management Account name is displayed and cannot be edited.

Log Account

Required

Enter Log Account Information

Account name: Use Korean, English, numbers, spaces, and special characters (+=-_@[](),.) to enter within 3 to 30 characters

Email, Confirm Email: Enter up to 60 characters in a valid email address format

Audit Account

Required

Enter Log Account information

Account name: Korean characters, English letters, numbers, spaces, special characters(+=-_@[](),.) within 3 to 30 characters

Email, Confirm Email: Enter up to 60 characters in a valid email address format

Cannot use the same email as Log Account

Table. Landing zone creation – shared account configuration items

Reference

Log Account is a repository of logs for API activity and resource configuration collected from all Accounts. Log Account cannot be changed.
The Audit Account is a restricted account, allowing the security and compliance team to obtain access rights to all accounts within the organization through the Audit Account.

After setting the configuration items in the Additional configuration area, click the Next button.

Category	Required status	Detailed description
Account Access Configuration	Required	Select a method to manage access to the Account Account access via ID Center Create preconfigured groups and permission sets to configure users who perform specific tasks in the Account Automatically assign users when provisioning an Account with the Account Factory or registering an existing Account Selectable only when using ID Center’s own directory Self-managed Account access Cloud Control does not create directory groups or permission sets for the landing zone Automatically assign users when provisioning an Account with the Account Factory or registering an existing Account Manage access to the Account through ID Center or other Account access methods
Trail configuration	-	Automatic configuration in progress
Detection Guardrail	Selection	Select whether to enable detection guardrails When detection guardrails are enabled, they apply only to the default organizational unit Even after creating a landing zone, settings can be changed on the Landing Zone Settings page For more information about detection guardrails, refer to Detective Guardrail

Category

Required status

Detailed description

Account Access Configuration

Required

Select a method to manage access to the Account

Account access via ID Center
- Create preconfigured groups and permission sets to configure users who perform specific tasks in the Account
- Automatically assign users when provisioning an Account with the Account Factory or registering an existing Account
- Selectable only when using ID Center’s own directory

Self-managed Account access
- Cloud Control does not create directory groups or permission sets for the landing zone
- Automatically assign users when provisioning an Account with the Account Factory or registering an existing Account
- Manage access to the Account through ID Center or other Account access methods

Trail configuration

Automatic configuration in progress

Detection Guardrail

Selection

Select whether to enable detection guardrails

When detection guardrails are enabled, they apply only to the default organizational unit

Even after creating a landing zone, settings can be changed on the Landing Zone Settings page

For more information about detection guardrails, refer to Detective Guardrail

Table. Landing zone creation - additional configuration items

In the Input Information Confirmation area, after checking the landing zone configuration information and Service Permissions, check the agreement on permissions and guidelines.
Click the Create button. A popup notifying the creation of the landing zone opens.
After reviewing the information about creating a landing zone, click the Confirm button. The landing zone creation request will be completed.
- Creating a landing zone takes some time, and a notification is sent when the process is complete.
- When the landing zone creation is completed, you can view the full menu of Cloud Control and the organization status on the Service Home page.

Caution

You cannot cancel while creating a landing zone.
If creating the landing zone fails, delete the landing zone and then create it again.
If you select Self-Managed Account Access, you cannot view the Access Portal URL and User Credentials information.

Reference

When a landing zone is created, you can view the following in Cloud Control.

Two organizational units: shared Account, and an organizational unit for the Account that the user will provision
Two shared accounts: isolated accounts for log archiving and security auditing
Selected IAM management configuration
10 preventive guardrails: settings for policy enforcement
Enable control policies for the Organization service

View detailed information of the landing zone

On the Landing Zone Settings page, you can view detailed information about the landing zone.

Information

After creating a landing zone, you can view and edit its details.

Follow these steps to view the detailed information of the landing zone.

Click the All Services > Management > Cloud Control menu. Go to the Service Home page of Cloud Control.
On the Service Home page, click the Landing Zone Settings menu. You will be taken to the Landing Zone Settings page.

Category	Detailed description
Service	Service name
Resource Type	Resource Type
SRN	Unique resource ID in Samsung Cloud Platform In Cloud Control, it refers to the SRN of the resource type
Resource name	Resource name
Resource ID	Unique resource ID in the service
constructor	User who created the service
Creation date	Service creation date and time
Editor	User who edited the service information
Modification date and time	Date and time the service information was modified
Home region	Landing zone home region information
Account Access Configuration	How to manage access to an Account
Trail configuration	Trail configuration activation status active maintain status
Detection Guardrail	Detection guardrail activation status Active: Create and schedule diagnostics for Accounts under the registered organizational unit Display the guardrail’s pricing plan, checklist, diagnostic interval, and start time information Inactive: Delete diagnostics for all Accounts within the organizational unit Edit button can be clicked to change activation status Changes cannot be canceled after request
Delete landing zone	Delete landing zone For detailed information about deleting the landing zone, see Delete Landing Zone

Table. Landing zone configuration items

Delete Landing Zone

If the landing zone creation fails or is not used, you can delete the landing zone.

Caution

Deleted resources cannot be recovered.
Organization units, accounts, buckets, and ID Center resources are not deleted automatically.
- To use the same name as an existing resource that has not been deleted when recreating a landing zone, you must delete the existing resource directly before creating the landing zone.
- Existing resources can be deleted individually from the Organization, Object Storage, and ID Center services.

To delete a landing zone, follow these steps.

Click the All Services > Management > Cloud Control menu. You will be taken to the Service Home page of Cloud Control.
On the Service Home page, click the Landing Zone Settings menu. You will be taken to the Landing Zone Settings page.
On the Landing Zone Settings page, click the Delete Landing Zone button. The Delete Landing Zone popup will open.
Landing Zone Deletion popup, after entering the displayed Cloud Contorl ID in the deletion confirmation field, click the Confirm button. The landing zone deletion request will be completed.
- While deleting a landing zone, an explanation about the landing zone deletion process is displayed on the Service Home page.

Managing Organizational Units and Accounts

You can view the organization units and account list, register them in Cloud Control, and manage them.

To view and manage organizational units and the Account list, follow these steps.

Click the All Services > Management > Cloud Control menu. Navigate to the Service Home page of Cloud Control.
On the Service Home page, click the Organization menu. You will be taken to the Organization unit and Account management page.

Organizational Unit and Account Management page, select the view mode in the top‑right corner.

When you click the View Hierarchy button, you can view and manage organizational units and Accounts in a hierarchical structure.

Category	Detailed description
Create a subordinate organizational unit	Add a new organizational unit under the selected organizational unit Enabled only when a single organizational unit is selected in the hierarchy For more details, refer to Creating an Organizational Unit
More	Manage organization units or register a new Account Organization Unit: Ability to delete/register/re-register organization units, and apply/remove detection guardrails For detailed information on organization unit management, see Managing Organization Units reference For detailed information on detection guardrails, see Detection Guardrails reference Account: Ability to register/unregister an Account For detailed information on Account registration and deregistration, see Account Management reference
Organization unit/Account name	Display the names of organizational units and Accounts in a hierarchical structure Click the +, - buttons to expand or collapse the hierarchy Click an organizational unit or Account name to navigate to its detail page
ID/Email	Organization units display ID, and Account displays ID and email.
status	Cloud Control registration status of an organization unit or Account Registered, Not registered, Registering, Registration failed No status displayed when Root
Register organization unit	Cloud Control registration status of sub-organizational units number of registered organizational units / total number of organizational units displayed
Register Account	Cloud Control registration status of sub Accounts displayed as Number of registered Accounts / Total number of Accounts
Detection Guardrail	Detection guardrail application status for an organization unit or sub‑organization unit

Table. Hierarchy view items

View Account List: You can view and manage the list of Accounts that make up Cloud Control.

Category	Detailed description
Account registration	Register the selected Account from the Account list to Cloud Control When you select an Account in Unregistered, Registration Failed status from the Account list, it becomes active For detailed information on Account registration, refer to Register Account
More > Unregister Account	Deregister the selected Account from the Account list When you select an Account in the Account list that is in registered, registration failed status, it becomes enabled Shared Accounts cannot be deregistered For more details on Account deregistration, refer to Account Deregistration
Account name	Account name
Account ID	Account ID
email	Account user email
status	Cloud Control registration status of an organization unit or Account Registered, Unregistered, Registering, Registration Failed No status displayed when Root

Table. Account list view items

Account creation button click creates a new Account. For more details, see Create Account.

Check organization and Account detailed information

You can view and edit the detailed information of the organization unit and Account. To view detailed information about the organization unit and Account, follow these steps.

Click the All Services > Management > Cloud Control menu. Navigate to the Service Home page of Cloud Control.
Service Home page, click the Organization menu. Navigate to the Organization unit and Account management page.
Click the View Hierarchy button on the Organizational Unit and Account Management page.
Click the name of the resource whose details you want to view in the hierarchical list. You will be taken to the resource’s detail page.
- Root: Go to the Root Details page. For more information, see Root Details Information.
- Organization unit name: Organization unit details Go to the page. For more information, see Organization unit details.
- Account name: Account details page. For more details, see Account details.

Root detailed information

Root Details page allows you to view and manage the detailed information of the organization Root and the list of subordinate Accounts. Root Details page consists of Basic Information, Sub Account tabs.

Basic Information

You can view the basic information of the organization Root, as well as the organizational units and the number of accounts registered in Cloud Control.

Category	Detailed description
service	Service name
Resource Type	Service Type
SRN	Unique resource ID in Samsung Cloud Platform
Resource name	Resource Name
Resource ID	Unique resource ID in the service
constructor	User who created the service
Creation timestamp	Service creation timestamp
Editor	User who edited the service information
Modification date and time	Date and time the service information was modified
Register organization unit	Cloud Control registration status of sub-organizational units under Root Number of registered organizational units / total number of organizational units displayed as
Register Account	Cloud Control registration status of Accounts under the Root Number of registered Accounts / Total number of Accounts displayed

Table. Root Details - Basic Information Tab Items

Sub Account

You can view and manage the list of Accounts under the Root and the registration status of Cloud Control.

Category	Detailed description
Account registration	Register the selected Account from the Account list to Cloud Control When you select an Account in unregistered state from the Account list, it becomes active For details on Account registration, refer to Account Registration
Account name	Account name
email	Account user email
Status	Cloud Control registration status of an organization unit or Account Registered, Not registered, Registering, Registration failed When Root, no status displayed

Table. Root Details - Sub Account Tab Items

Organizational Unit Detailed Information

Organizational Unit Details page allows you to view and manage the unit’s detailed information, subordinate Accounts, applied preventive guardrails, and detection guardrails. Organization Unit Detail page consists of Basic Information, Sub Account, Preventive Guardrails, Detection Guardrails tabs.

Basic Information

You can view basic and detailed information about the organization unit.

Category	Detailed description
Service	Service name
Resource Type	Service type
SRN	Unique resource ID in Samsung Cloud Platform
Resource Name	Resource Name
Resource ID	Unique resource ID in the service
Constructor	User who created the service
Creation date and time	Service creation date and time
Editor	User who edited the service information
Modification date and time	Date and time the service information was modified
Organizational unit name	Name of the organizational unit
Apply guardrails	Number of guardrail types applied to the current organizational unit Prevention: Number of applied preventive guardrails Detection: Types of detection guardrails
Register organization unit	Current Cloud Control registration status of sub-units of the organization unit Number of registered organization units / Total number of organization units displayed
Register Account	Cloud Control registration status of sub-accounts under the current organization unit registered account count / total account count displayed
higher-level organization unit	Hierarchy of parent organizational units for the current unit
Apply detection guardrails / Remove detection guardrails	Change detection guardrail application status for the organization unit Clicking the button can apply or remove the detection guardrail
Re-registration	Re-register the current organization unit in Cloud Control For detailed information on organization unit re-registration, refer to Re-register organization unit

Table. Organization Unit Details - Basic Information Tab Items

Sub Account

You can view and manage the list of subordinate Accounts within an organizational unit.

Information

For Security organizational units, you cannot register an Account.

Category	Detailed description
Account registration	Register the selected Account from the Account list to Cloud Control When you select an Account in unregistered state from the Account list, it becomes active For details on Account registration, refer to Account Register
Account name	Account name
email	Account’s user email
status	Cloud Control registration status of an organization unit or Account Registered, Unregistered, Registering, Registration Failed No status displayed when Root

Table. Organization unit details - Sub Account tab items

Preventive Guardrail

You can view and manage the list of preventive guardrails applied at the organizational level.

Information

For security organizational units, you cannot apply or remove guardrails.

Category	Detailed description
Target service name	Name of the service to which the guardrail applies
Guardrail name	Guardrail name Click the guardrail name to view detailed information about that guardrail.
type	Application method
Application method	Display of guardrail application method If it is an inheritance method, you can click to view the detailed organizational unit name
Disable	Unapply the selected guardrail from the guardrail list Activate when a guardrail is selected from the guardrail list
Apply preventive guardrails	Apply new preventive guardrails at the organizational level When the button is clicked, navigate to the Preventive Guardrail Application page

Table. Organization Unit Details - Preventive Guardrail Tab Items

Detection Guardrail

You can view and manage the diagnostic results of detection guardrails applied at the organizational level.

Reference

Accounts with diagnostic history in Cloud Control are provided with the latest diagnostic results regardless of whether detection guardrails are applied.

Category	Detailed description
Account name	Account name to be diagnosed
Diagnosis name	Diagnosis Name
PASS	Number of checklist items with a diagnosis result of PASS (normal)
FAIL	Number of checklist items with a diagnosis result of FAIL (vulnerable)
CHECK	Number of items in the checklist with a diagnosis result of CHECK (verification required)
ERROR	Number of items in the checklist whose diagnosis result is ERROR (diagnosis not possible)
N/A	Number of items in the checklist where the diagnosis result is N/A (not applicable)
All	Total number of checklist items
Diagnostic Result	Diagnosis request result Completed: The diagnosis request has been successfully completed, and clicking will navigate to the detail page Error: The diagnosis request was not completed successfully, so detailed information cannot be viewed
Diagnosis date and time	Diagnosis request date and time

Table. Diagnosis result list items

Check detailed account information

Account Details page allows you to view the account’s detailed information and the list of applied preventive guardrails. Account Details page consists of the Basic Information and Preventive Guardrails tabs.

Basic Information

You can view basic and detailed information about the organization unit.

Category	Detailed description
Service	Service name
Resource Type	Service Type
SRN	Unique resource ID in Samsung Cloud Platform
Resource Name	Resource Name
Resource ID	Unique resource ID in the service
constructor	User who created the service
Creation date and time	Service creation date and time
Editor	User who edited the service information
Modification date and time	Date and time the service information was modified
email	Account user email
Apply guardrails	Number of guardrail types applied to the current organizational unit Prevention: Number of applied preventive guardrails Detection: Types of detection guardrails
ID Center username	ID Center user email
Higher-level organization unit	Current account’s parent organizational unit hierarchy
Register	You can change the organization unit of the current Account For detailed information on changing the organization unit, refer to Account Move

Table. Account Details - Basic Information Tab Items

Preventive Guardrail

You can view the list of preventive guardrails applied to the Account.

Category	Detailed description
Target Service Name	Guardrail target service name
Guardrail name	Guardrail name Click the guardrail name to view detailed information about that guardrail.
type	Application method
Application method	Guardrail application method display

Table. Account Details - Preventive Guardrail Tab Items

Check Access Portal connection information

User and Access page allows you to view the Access Portal connection URL and login methods (password, SSO, MFA).

Information

User and Access information is not displayed when creating a landing zone if Account Access Configuration is set to Self-Managed Account Access. Choose Account Access via ID Center to create the landing zone.

To check the Access Portal connection information, follow these steps.

Click the All Services > Management > Cloud Control menu. You will be taken to the Service Home page of Cloud Control.
On the Service Home page, click the User and Access menu. You will be taken to the User and Access page.
Check the information in the User and Access page’s Integrated Access Management area.

Category	Detailed description
Access type	How to access the Access Portal
Access Portal URL	Access Portal access URL When the URL is clicked, the Access Portal login page opens in a new tab Can be accessed using the ID login credentials from ID Center
Permission set	A collection of administrator policies used by ID Center to determine the valid permissions of users who can access a specific account.

Category

Detailed description

Access type

How to access the Access Portal

Access Portal URL

Access Portal access URL

When the URL is clicked, the Access Portal login page opens in a new tab

Can be accessed using the ID login credentials from ID Center

Permission set

A collection of administrator policies used by ID Center to determine the valid permissions of users who can access a specific account.

Table. Shared Account items

Reference

For more details about credential sources and ID Center, see ID Center.

information

If the landing zone is configured with a self-managed Account access, refer to the following.

Cloud Control does not automatically create directory groups or permission sets.
When provisioning an Account with the Account factory or registering an existing Account, the user is automatically assigned.
You can manage access to an account through ID Center or other account access methods.

Check user credential information

User and Access page allows you to view the user credential source type and ID Center ID.

information

User and Access information is not displayed when creating a landing zone if you select Account Access Configuration as Self-Managed Account Access. Select Account Access via ID Center to create the landing zone.

To verify user credential information, follow these steps.

Click the All Services > Management > Cloud Control menu. Navigate to the Service Home page of Cloud Control.
On the Service Home page, click the User and Access menu. You will be taken to the User and Access page.
Check the information in the User and Access page’s User Credentials Management area.

Category	Detailed description
Credential source	Credential source types configured in ID Center ID Center’s own directory: Directory within ID Center AD (Active Directory): Active Directory managed directly by the user
ID Center ID	ID Center’s ID when the ID is clicked, navigate to the ID Center Settings page
User group	A group formed to classify workers who perform specific tasks within an organization

Category

Detailed description

Credential source

Credential source types configured in ID Center

ID Center’s own directory: Directory within ID Center

AD (Active Directory): Active Directory managed directly by the user

ID Center ID

ID Center’s ID

when the ID is clicked, navigate to the ID Center Settings page

User group

A group formed to classify workers who perform specific tasks within an organization

Table. User credential management items

Reference

For detailed information about credential sources and ID Center, see ID Center.
Management > IAM You can add users and user groups. For more details, see the IAM.

Overview

Managing Guardrails