Setting Up and Enabling a Landing Zone

Background

With RGC:

You will have the necessary permissions to govern all organizational units (OUs) and member accounts in your organization.
You need to set up a landing zone in RGC and determine which OUs and member accounts to govern in the landing zone. RGC does not extend governance to other existing OUs or member accounts in your organization.
When existing OUs are governed by RGC, they are called registered OUs.
After your landing zone is set up, you can still register existing OUs in RGC.

Prerequisites

The current account has enable Enterprise Center. For details, see Enabling Enterprise Center.

Setting Up a Landing Zone

Log in to Huawei Cloud using an enterprise master account.
Click and choose Management & Governance > Resource Governance Center (RGC).
Click Enable.

Figure 1 Enabling RGC
Select the home region for RGC. The region will be regarded as the default region to set up your landing zone.

Figure 2 Selecting the home region
(Optional) Select additional regions to be governed in addition to the home region. After the regions are selected, resources in the regions will also be governed by RGC.

Figure 3 Selecting additional regions
Click Next.
Under OU Settings, specify the name for the core OU.

To build a complete OU structure in the landing zone, RGC presets a core OU. This OU contains two core accounts: a log archive account and a security audit account (or an audit account for short).

Ensure that the OU name is unique. You are not allowed to change the name once your landing zone is set up.

Figure 4 Configuring the core OU
Determine whether to create additional OUs.

To help set up a multi-account system, you are advised to create additional OUs when setting up a landing zone. Each OU functions as a container or grouping unit for service accounts. After your landing zone is set up, you can create more OUs.
- Create: Create an additional OU while you are setting a landing zone. The OU name must be unique. The default name of the additional OU is Sandbox.
- Skip: If you choose this option, you will have no other OUs except the preset core OU in your landing zone. You can create more OUs after your landing zone is set up.
Figure 5 Creating an additional OU
Click Next.
On the Configure Core Accounts page, configure the management account. Enter the IAM Identity Center email address. The email address of the management account must not be used for other IAM Identity Center users. It is used for creating the RGC administrator in IAM Identity Center. The administrator has the Admin permission.

Figure 6 Configuring the management account
Configure a log archive account. It is used to store logs of API activities and resource configurations from all accounts.
- Account Type: You can create an account or use an existing account. The existing account you want to use must belong to the same organization as the management account.
- Account Name: Enter the name of the log archive account. Ensure that the name is unique. You are not allowed to change the name once your landing zone is set up. The account name can only contain digits, letters, underscores (_), and hyphens (-), but cannot start with a digit. It can have from 6 to 30 characters.
- Account ID: If you choose to use an existing account, enter the ID of the Huawei Cloud account you registered. The account ID cannot be the ID of the management account or of a member account in another organization.
Configure an audit account. The audit account has permission to access all member accounts in your organization. You are encouraged to strictly control the identity that uses this account.
- Account Type: You can create an account or use an existing account. The existing account must belong to the same organization as the management account.
- Alert Email: Enter the email address of the audit account. It is used to receive alarm notifications preset by RGC. The email address cannot be currently used for any Huawei Cloud accounts. It can have a maximum of 64 characters.
- Account Name: Enter the name of the audit account. Ensure that the name is unique. You are not allowed to change the name once your landing zone is set up. The account name can only contain digits, letters, underscores (_), and hyphens (-), but cannot start with a digit. It can have from 6 to 30 characters.
- Account ID: If you choose to use an existing account, enter the ID of the Huawei Cloud account you registered. The account ID cannot be the ID of the management account or of a member account in another organization.
  Figure 7 Configuring an audit account
Click Next.
Determine whether to enable CTS.

If you do not enable CTS, RGC will not manage your CTS audit logs. It is strongly recommended that you enable CTS. Preconfigured mandatory governance policies will check whether CTS is enabled for enrolled accounts.

Figure 8 Enabling CTS
Configure the OBS bucket retention for your logs. Logs are automatically stored in the two default OBS buckets, and you are not allowed to rename them.
- OBS Bucket Retention for Log Aggregation: The default period is one year, but you can change this to up to 15 years.
  The configuration snapshots of Config resource recorder and the CTS operation auditing logs are stored in the bucket rgcservice-managed-audit-logs-{management account ID}.
- OBS Bucket Retention for Access Logs: The default period is 10 years, but you can change this to up to 15 years.
  The logs for accessing the log aggregation bucket are stored in the bucket rgcservice-managed-access-logs-{management account ID}.
  
  Figure 9 Configuring the OBS bucket retention for logging
Review and confirm the landing zone settings, and then select I understand the permissions required by RGC to manage resources and apply policies. I also know the basics of how to use RGC and other Huawei Cloud resources.

Figure 10 Confirming the landing zone settings
Click Set Up Landing Zone.