CoursesCompliance as codeCompliance at scale

Compliance at scale

Inherited guardrails, secure-by-default accounts.

Expert30 min · lesson 13 of 15

A compliance program that works for one account rarely survives contact with fifty. Compliance at scale depends on inherited guardrails and secure-by-default provisioning, so controls apply everywhere automatically rather than being reapplied — and forgotten — account by account.

Inherit controls from the top

The key to scale is hierarchy: set preventive guardrails once at the organization or management-group level and let every account, subscription, or project beneath inherit them. Service Control Policies, Org Policy, and hierarchical admission constraints make the non-negotiable controls — no public data, no disabling logging, encryption required, region limits — apply org-wide and impossible to cross, even by an account admin. This turns "did every team implement the control?" into "the control is structurally enforced for all of them", which is the only way compliance keeps pace as the estate grows. Inheritance also means a new control is added in one place and immediately covers everything.

set a control once, inherit everywhere
# A preventive control at the org root — inherited by EVERY account below:
{
"Sid": "DenyDisableLogging", "Effect": "Deny",
"Action": ["cloudtrail:StopLogging", "config:StopConfigurationRecorder"],
"Resource": "*"
}
# No account, including its admin, can disable logging. One policy, org-wide
# coverage — compliance that scales without per-account effort.

Secure-by-default provisioning

The other half of scale is that new environments arrive compliant. A landing zone or account-vending process provisions each new account with the baseline already applied — inherited guardrail policies, centralized immutable logging, the standard IaC compliance gates, detection enabled — so there is no window in which it exists unprotected and no checklist for a team to forget. Compliance becomes a property of how environments are created, not a task performed after the fact. Combined with inherited guardrails, framework overlap (one control mapped to many frameworks), and continuous evidence, this is what lets a small team keep a large, multi-framework estate continuously compliant — the payoff of treating compliance as code.

Compliance that scales
inherit
guardrails at org/MG root
SCP / Org Policy
set once, covers all
new accounts included
provision compliant
landing zone / vending
baseline pre-applied
no unprotected window
secure by default
Inherit non-negotiable controls from the top and vend compliant accounts. Scale comes from structure, not per-account effort.
Per-account compliance does not scale and always drifts
Configuring controls account by account guarantees inconsistency and a window where each new account is non-compliant. Enforce the non-negotiables through inherited org-level guardrails and vend secure-by-default accounts, so compliance is structural rather than a task every team must remember to perform.