Root OU Service Control Policies
ACM.170 Secure your organization before, not after, you start creating new accounts
Part of my series on Automating Cybersecurity Metrics. AWS Organizations. Governance. The Code.
In the last post we considered our Service Control Policy architecture.
In this post, we want to add a few Service Control Policies at the root of our organization before we grant our billing administrator permission to create new accounts.
Note that if you have an existing AWS account, I do NOT recommend applying things at the root OU without testing in a parallel or separate OU environment first so you don’t break things.
The SCPs we will create:
At the root OU we will create these service control policies, which we expect will rarely change. That way we do not have to log in as the OrgRoot user very often.
- AllowedRegions: to which…