CoursesAWS security engineeringGuardrails, IR & forensics

SCP guardrails & landing zones

Preventive limits and secure-by-default accounts.

Advanced30 min · lesson 13 of 15

Everything else in this course is more durable as a default than as a thing each team remembers to do. Guardrails as code — service control policies and an account factory — apply the non-negotiables automatically, so a new account arrives already fenced rather than after a hardening sprint.

Preventive beats detective

There are two ways to enforce a rule: detect the violation after it happens and alert, or prevent the action entirely. Detective controls are essential but reactive — the misconfiguration existed for some window. A service control policy stops the action at request time for every principal in the account, including the account admin and root. Encode the non-negotiables — no disabling logging, no leaving the approved region, no weakening public-access blocks — as SCPs so they cannot be crossed rather than merely reported.

preventive guardrails as an SCP
# Attached to the Workloads OU: hard limits, not suggestions.
{
"Version": "2012-10-17",
"Statement": [
{ "Sid": "DenyLoggingTamper", "Effect": "Deny",
"Action": ["cloudtrail:StopLogging","cloudtrail:DeleteTrail","config:StopConfigurationRecorder"],
"Resource": "*" },
{ "Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*","sts:*","organizations:*","cloudfront:*"],
"Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": "eu-west-1" } } },
{ "Sid": "DenyRootActions", "Effect": "Deny", "Action": "*", "Resource": "*",
"Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } } }
]
}

Secure-by-default accounts

Control Tower or the Landing Zone Accelerator provisions each new account with the baseline already in place: the org trail delivering to the log-archive account, guardrail SCPs attached, IAM Identity Center wired to permission sets, a hardened network, and GuardDuty/Config enabled. Teams request an account and receive a secure one — no window in which it sits unprotected, no checklist to forget. Security becomes a property of how accounts are created.

Account vending applies the baseline
1account request
a team needs an account
2Control Tower / LZA
automated vending
3baseline applied
trail, SCPs, SSO, network, GuardDuty
4secure on day zero
no unprotected window
Guardrails as code make the secure path the default path — the strongest security is the one nobody has to remember.
Manual account setup always drifts
Hand-configuring each new account guarantees inconsistency and a window where the account exists without its guardrails. Automate the baseline through account vending so every account — including the one spun up in a hurry — arrives fully fenced.