# Enterprise Landing Zone Checklist

## Ownership

- Named platform owner for management groups, policy, networking, monitoring, and security controls.
- Named workload owner for each subscription or application.
- Support path for deployment blockers and policy exceptions.

## Foundation

- Management group hierarchy matches environment, platform, and workload needs.
- Subscription vending process is documented.
- Allowed regions, tags, budgets, and diagnostics requirements are defined.
- RBAC model is reviewed for least privilege.

## Network and Security

- Hub, spoke, DNS, firewall, and ingress/egress responsibilities are clear.
- Security logging is enabled for critical platform services.
- Private connectivity expectations are documented.

## Review

- Monthly review for policy friction, cost signals, access drift, and platform incidents.