SCP guardrails & landing zones
Preventive limits and secure-by-default accounts.
Everything else in this course is more durable as a default than as a thing each team remembers to do. Guardrails as code — service control policies and an account factory — apply the non-negotiables automatically, so a new account arrives already fenced rather than after a hardening sprint.
Preventive beats detective
There are two ways to enforce a rule: detect the violation after it happens and alert, or prevent the action entirely. Detective controls are essential but reactive — the misconfiguration existed for some window. A service control policy stops the action at request time for every principal in the account, including the account admin and root. Encode the non-negotiables — no disabling logging, no leaving the approved region, no weakening public-access blocks — as SCPs so they cannot be crossed rather than merely reported.
# Attached to the Workloads OU: hard limits, not suggestions.{"Version": "2012-10-17","Statement": [{ "Sid": "DenyLoggingTamper", "Effect": "Deny","Action": ["cloudtrail:StopLogging","cloudtrail:DeleteTrail","config:StopConfigurationRecorder"],"Resource": "*" },{ "Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*","sts:*","organizations:*","cloudfront:*"],"Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": "eu-west-1" } } },{ "Sid": "DenyRootActions", "Effect": "Deny", "Action": "*", "Resource": "*","Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } } }]}
Secure-by-default accounts
Control Tower or the Landing Zone Accelerator provisions each new account with the baseline already in place: the org trail delivering to the log-archive account, guardrail SCPs attached, IAM Identity Center wired to permission sets, a hardened network, and GuardDuty/Config enabled. Teams request an account and receive a secure one — no window in which it sits unprotected, no checklist to forget. Security becomes a property of how accounts are created.