Secured Landing Zone service Overview

This page provides you an overview of the Secured Landing Zone service.


Google provides best practice guidance through security blueprints, allowing you to meet your security and compliance objectives as you deploy workloads on Google Cloud. You can deploy a blueprint and provision Google Cloud resources. When the resources start interacting in real time, the best practices lets these resources operate in a secure way.


Before you get started with using the Secured Landing Zone service, here are some terminologies that'll help set the context through the rest of this topic.

Security blueprint

A security blueprint is a package of deployable, reusable best practice configuration and/or policy artifacts. The blueprint also has a recommended architecture for the purpose of implementing a specific opinionated landing zone and/or workload solution along with associated documentation and attestations. Developers can combine and compose blueprints to assemble more complex infrastructure, platforms, and application services. For more information on security blueprints, see Deployable landing zone blueprints.


A deployment is the hydration of a blueprint into actual resources.

Landing zone

A landing zone is a deployed cloud environment consisting of all the preconfigured and connected resources that you need, on which you can build your specific workload.

Components of a security posture

The security posture of a deployment consists of three components:

  • Stateful configurations of each of the deployed resources—for example, VPC service perimeter architecture of the deployment, IAM settings of the individual resources, defined labels, data tags, and policy tags.
  • Behavioral constraints associated with the actions taken on and by the resources—for example, data access patterns, admin access patterns, allowed and restricted Create, Read, Update, and Delete (CRUD) resources.
  • Environmental constraints and configurations of the environment around and between the resources—for example, organization- and folder-level policies, access paths from admin group roles and permissions, and software supply chain security of services that interact with the deployment and data.

Secured Landing Zone service

The Secured Landing Zone service is a Security Command Center Premium feature. It protects the security posture of landing zone and workload deployments that are created from a security blueprint by doing the following:

  • Detecting policy violations in stateful, behavioral, and environmental controls from those specified in the blueprint.
  • Generating Secured Landing Zone service findings for the policy violations.
  • Automatically correcting a subset of policy violations by restoring the deployment to the configurations specified in the original blueprint.

Secured landing zone

A secured landing zone is a deployment that has been protected by the Secured Landing Zone service.


Terraform is an infrastructure-as-code tool that enables you to safely and predictably create, change, and improve production infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared among team members, treated as code, edited, reviewed, and versioned. For more information on managing infrastructure as code, see Managing infrastructure as code with Terraform.

Terraform plan file

Using Terraform, you create an execution plan, which lets you preview the changes that Terraform is configured to make in your infrastructure. The Terraform plan file lets you to determine the desired state of all the resources it declares, then compares that desired state to the real infrastructure objects being managed with the current working directory and workspace.

How to use the Secured Landing Zone service

After you deploy a security blueprint, you can enable an instance of the Secured Landing Zone service on that deployment to protect and enforce the security posture defined in the original blueprint.

The following figure illustrates the workflow for using the Secured Landing Zone service:

How Secured Landing Zone service works

The workflow has the following phases:

Build: Configure policies

You use a security blueprint to configure security policies for implementing a workload solution in a landing zone. These include architecture, network security, allowed data flow, logging, and other security best practices for the underlying resources. Terraform allows you to express, initialize, and provision the resources with the help of declarative configuration files.

Deploy: Configure resources

Using Terraform tooling and the Terraform plan file, you apply the configurations and deploy the resources.

Run: Detect and correct

You enable an instance of the Secured Landing Zone service for the specific deployment. The Secured Landing Zone service can help detect, alert, and remediate any real-time policy violations in the deployments from the originally defined policies. The Secured Landing Zone service keeps track of the deployed resources (as described in the Deploy stage), tracks changes in the security posture of the infrastructure, identifies policy violations, and invokes appropriate remediation actions. These policy violations are identified and displayed as relevant findings.

When a security violation occurs, a finding is generated. For more information on the finding categories and remediations available, see Remediating Security Landing Zone Service findings.

What's next