Overview

Service Overview

Cloud Control service is a managed service that supports building, operating, and managing a multi-account environment easily and securely on the Samsung Cloud Platform.
Cloud Control service automates an organization’s cloud governance (security, compliance, standardization, etc.) and provides consistent centralized account and resource management based on Samsung Cloud Platform best practices.

Features

Cloud Control service provides the following special features.

Landing Zone Automatic Setup: Samsung Cloud Platform accounts, organizational units (OU), guardrails, logging, etc. are automatically configured. In a standardized environment, new account creation and invitation of existing accounts are possible.
Centralized Governance and Policy Enforcement: Automatically applies security, compliance, and operational policies (guardrails) across the organization. Provides policy violation detection and monitoring capabilities.
Multi-Region and Scalability: You can apply the same governance and policies across multiple Samsung Cloud Platform regions.

Provided Features

Cloud Control service provides the following features.

Automated Landing Zone (Landing Zone) Construction: Security, logging, and account structure based on Samsung Cloud Platform best practices are automatically set.
Guardrail applied
- Preventive guardrail : block the creation of policy-violating resources itself
- Detective Guardrail : Automatically detect policy-violating resources and notify
- Integration with Samsung Cloud Platform Organization’s ACP, Samsung Cloud Platform Config Inspection, etc.
Dashboard Provision: You can visually monitor the accounts, OUs, guardrail implementation status, and compliance status of the entire organization.
Centralized logging and auditing
- Logging&Audit, Object Storage, Config Inspection through which provide centralized log storage for all accounts and an audit account
ID and Permission Management Integration: By integrating with Samsung Cloud Platform ID Center, you can manage account-based access control and permission groups.
Monitoring and Notification (Notification) Feature: Provides real-time alerts for policy violations, Cloud Control setting changes, etc.

Information

Detection Guardrail, Config Inspection integration feature is scheduled for March 2026, Monitoring and Alerting feature is scheduled for July 2026.

Components

Landing Zone(Landing Zone)

Governance, security, network, logging, etc. The basic structure of the standardized Samsung Cloud Platform environment is as follows.

Category	Detailed description
Management Account	Organization and account structure management, policy (SCP) application, new account creation automation Highest authority across the organization, governance-focused operation
Log Account	Central collection and storage of all account logs, log integrity and long-term retention Independent account operation, strict access control and encryption
Audit Account	Organization-wide security and compliance monitoring and audit, automated security checks Apply principle of least privilege, cross-account role assumption

Guardrails(Guardrails)

The guardrails that automatically apply policy violation detection and prevention (detection/prevention type) rules, security and compliance standards are as follows.

Category	Detailed description
Preventive Guardrail	Role of preemptively blocking to prevent policy violations Implementation method: Using Access Control Policy(ACP) to prohibit or limit the scope of actions on specific Samsung Cloud Platform services Example: Prohibit creation of root user access keys Block resource creation in specific regions Block public read/write on S3 buckets Feature: Fundamentally prevent the violation act itself, preemptively block policy violations
Detection Guardrail	Continuously monitor for policy violations or abnormal configurations, and provide alerts when violations occur Implementation Method: Based on the Samsung Cloud Platform Config Inspection checklist, evaluate resource status and notify via dashboard or alerts when violations are found Example: Detect S3 bucket encryption not applied Detect CloudTrail disabled Detect whether EBS volume encryption is enabled Feature: Detect violating resources in real-time and deliver to the administrator

Baseline(Baseline)

The essential resources and configuration sets, such as security, logging, and network, automatically deployed per account, are as follows.

Category	Detailed description
AuditBaseline	Configure security and audit roles, policies on the central audit account Check the security status and compliance status of all accounts centrally
LogArchiveBaseline	Aggregate logs of all accounts’ Trail to a central bucket Used for log integrity, long-term storage, and audit tracing
IDCenterBaseline	Automatic configuration of resources linked with ID Center Integrate user/group/permission management within the organization

Region-specific provision status

Cloud Control service is available in the following environments.

Region	Availability
Korea West 1 (kr-west1)	Provided
Korea East1 (kr-east1)	Provided
Korea South1(kr-south1)	Provided
South Korea 2(kr-south2)	Provided
South Korea South 3(kr-south3)	Provided

Table. Cloud Control Region-wise Provision Status

Pre-service

This is a list of services that must be pre-configured before creating the service. For detailed information, please refer to the guide provided for each service and prepare in advance.

Service Category	Service	Detailed Description
Storage	Object Storage	Object storage that facilitates data storage and retrieval
Management	Loggin&Audit	A service that collects and analyzes user activity history
Management	Organization	A service that organizes accounts by organizational units, manages them hierarchically, and controls resource access permissions.
Management	ID Center	A service that allows you to easily manage access permissions for resources per account centrally.

Table. Cloud Control Preceding Service