Root OU Service Control Policies

ACM.170 Secure your organization before, not after, you start creating new accounts

Teri Radichel
Published in Cloud Security
11 min read · Feb 28, 2023


Part of my series on Automating Cybersecurity Metrics. AWS Organizations. Governance. The Code.


In the last post we considered our Service Control Policy architecture.

In this post, we want to add a few Service Control Policies at the root of our organization before we grant our billing administrator permission to create new accounts.

Note that if you have an existing AWS account, I do NOT recommend applying things at the root OU without testing in a parallel or separate OU environment first so you don’t break things.

The SCPs we will create:

At the root OU we will create these service control policies, which we expect will rarely change. That way we do not have to log in as the OrgRoot user very often.

  • AllowedRegions: to which…
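As an added illustration of the AllowedRegions idea (not code from the original post), the function below builds a deny-outside-allowed-regions SCP and a minimal evaluator shows which calls it blocks; the region list and the set of exempted global-service prefixes are constructed assumptions, and the real policy attached to the root OU would need to be tuned to your own accounts.

```python
import json

# Constructed example values (assumptions, not from the original post).
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]
# Global services have no meaningful region, so they must be exempted
# or the SCP will block IAM, Organizations, STS, etc. everywhere.
GLOBAL_SERVICE_PREFIXES = ["iam", "organizations", "sts", "support", "budgets"]


def allowed_regions_scp(allowed_regions, global_prefixes):
    """Return an SCP document that denies every action outside the allowed
    regions, except actions belonging to the listed global services.
    SCPs can only remove permissions, never grant them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                # NotAction + Deny: deny everything EXCEPT these actions.
                "NotAction": [f"{prefix}:*" for prefix in global_prefixes],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            }
        ],
    }


def scp_denies(policy, action, requested_region):
    """Minimal evaluator for the Deny/NotAction/StringNotEquals shape built
    above. Returns True when the SCP blocks the call. This is a teaching
    aid, not a full IAM policy evaluator."""
    service = action.split(":")[0]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = any(
            na == "*" or na == action or na == f"{service}:*"
            for na in stmt.get("NotAction", [])
        )
        if exempt:
            continue
        regions = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in regions:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(allowed_regions_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_PREFIXES), indent=2))
```

Remember that SCPs never apply to the management account itself, so test the policy from a member account in a separate OU before attaching it at the root.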


CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award