Overview

Service Overview

Cloud Control service is a managed service that supports building, operating, and managing a multi‑account environment easily and securely on the Samsung Cloud Platform.
The Cloud Control service automates an organization’s cloud governance (security, compliance, standardization, etc.) and provides consistent, centralized account and resource management based on Samsung Cloud Platform best practices.

Features

The Cloud Control service offers the following advantages.

Landing Zone (Landing Zone) Automatic Provisioning: Automatically configure essential infrastructure such as Samsung Cloud Platform accounts, organizational units (OU), guardrails, logging, etc. * In a standardized environment, you can create new accounts and invite existing accounts.
Centralized governance and policy enforcement: Automatically apply security, compliance, and operational policies (guardrails) across the entire organization. * Provides policy violation detection and monitoring capabilities.
Multi-Region and Scalability: You can apply the same governance and policies across multiple Samsung Cloud Platform regions.

Provided Features

The Cloud Control service provides the following features.

Automated Landing Zone (Landing Zone) Setup: Security, logging, and account structure based on Samsung Cloud Platform best practices are configured automatically.
Apply Guardrail
- Preventive Guardrail : Blocks the creation of resources that violate policy
- Detective Guardrail: Automatically detect and notify policy-violating resources
- Integrate with ACP, Samsung Cloud Platform Config Inspection, etc., of the Samsung Cloud Platform Organization
Dashboard provision: You can visually monitor the account, OU, guardrail implementation status, and compliance status of the entire organization.
Centralized logging and auditing
- Provides centralized log storage and audit accounts for all accounts via Logging&Audit, Object Storage, Config Inspection, and other methods.
ID and Permission Management Integration: Integrates with Samsung Cloud Platform ID Center to manage account-level access control and permission groups.
Monitoring and Notification (Notification) feature: Provides real-time alerts for policy violations, Cloud Control configuration changes, etc.

information

Monitoring and alerting features will be available in July 2026.

Component

Landing Zone (Landing Zone)

The basic architecture of a standardized Samsung Cloud Platform environment, including governance, security, networking, and logging, is as follows.

Category	Detailed description
admin account	Organization and account structure management, policy (SCP) implementation, automation of new account creation Organization-wide highest privileges, governance-focused operation
Log account	Centralized collection and storage of all account logs, log integrity, and long‑term retention Independent account operation, strict access control, and encryption
audit account	Enterprise-wide security and compliance monitoring and auditing, automated security assessments Apply the principle of least privilege, cross-account role delegation

Guardrails

The guardrails that are automatically applied for policy violation detection and prevention (detect/prevent type) rules, and security/compliance standards are as follows.

Category	Detailed description
Preventive Guardrail	Preemptive blocking role to prevent policy violations Implementation: Using Access Control Policy(ACP) to prohibit or limit the scope of actions for specific Samsung Cloud Platform services Example: Prohibit creation of root user access keys Block resource creation in specific regions Block public read/write on S3 buckets Features: Fundamentally prevent the violation act itself, preemptively blocking policy violations
Detection Guardrail	Continuously monitor for policy violations or abnormal configurations, and provide alerts when violations occur Implementation: Based on the Samsung Cloud Platform Config Inspection checklist, evaluate resource status and notify via dashboard or alerts when violations are detected Example: Detection of unencrypted S3 bucket Detection of disabled CloudTrail Detection of EBS volume encryption status Features: Detect violating resources in real time and deliver them to the administrator

Baseline (Baseline)

The essential resources and configuration sets, such as security, logging, and networking, that are automatically deployed per account are as follows.

Category	Detailed description
AuditBaseline	Configure security and audit roles and policies on the central audit account Check the security status and compliance status of all accounts centrally
LogArchiveBaseline	Aggregate log Trail of all accounts into a central bucket Used for log integrity, long-term storage, and audit tracing
IDCenterBaseline	Automatic resource provisioning integrated with ID Center Unified user/group/role management within the organization

Provision status by region

The Cloud Control service is available in the environments below.

Region	Provision status
Korea West 1 (kr-west1)	Provided
Korea East 1 (kr-east1)	Provided
South Korea 1 (kr-south1)	Provided
South Korea South 2 (kr-south2)	Provided
South Korea 3 (kr-south3)	Provide

Table. Cloud Control regional availability status

Pre-service

This is a list of services that must be pre-configured before creating the service. For detailed information, please refer to the guide provided for each service and prepare in advance.

Service Category	service	Detailed description
Storage	Object Storage	Object storage that simplifies data storage and retrieval
Management	Loggin&Audit	A service that collects and analyzes user activity data
Management	Organization	A service that organizes accounts by organizational units, manages them hierarchically, and controls resource access permissions.
Management	ID Center	A service that enables easy centralized management of access permissions for resources by account

Table. Cloud Control Preliminary Service