Our AWS footprint is growing rapidly with dozens of sub-accounts. I am struggling to maintain a consistent security posture. How can I use AWS Organizations and Service Control Policies (SCPs) to set guardrails that prevent even root users in sub-accounts from disabling logging or making buckets public? What is the best way to structure these OUs to balance developer freedom and compliance?
3 answers
AWS Organizations is essential for managing multi-account environments. Using Service Control Policies (SCPs), you can define maximum permissions for an OU. You can create a policy that denies deleting S3 buckets or modifying logs, applying to everyone—including the root user. I recommend structuring your OUs based on lifecycle stages like "Dev" and "Prod." This allows for strict guardrails on production accounts while giving developers flexibility in their sandboxes. Always test new SCPs in a dedicated "Test" OU before rolling them out to avoid breaking critical production access and workloads.
When you implement these strict SCPs at the OU level, how do you handle "Exception Requests" from specific development teams that might need temporary access to a restricted service for a new experimental project?
SCPs are great for preventative control, but you should also use AWS Config to monitor for compliance in real-time. It’s the perfect detective control to complement your SCP guardrails.
I agree with Brian. Combining SCPs for prevention and AWS Config for detection creates a comprehensive security framework that is much harder for attackers or negligent users to bypass.
Handling exceptions is where most governance models fail. We use a dedicated "Exceptions OU" where we move an account temporarily while the specific project is active. This allows us to apply a slightly more relaxed SCP without weakening the security of the main OUs. However, this move is always time-bound and requires a secondary approval from the CISO's office. It ensures that we maintain a clear audit trail of why the guardrails were lowered and for how long.