CoursesAdvanced cloud securityPosture, compliance & workloads

Guardrails as code & landing zones

SCPs/Org Policy, Control Tower, and secure-by-default accounts.

Expert30 min · lesson 15 of 15

Everything in this course is more durable when it is the default rather than a thing each team remembers to do. A landing zone encodes the guardrails as code and applies them automatically, so a brand-new account arrives already logged, already fenced by policy, and already wired into central identity — secure on day zero, not after a hardening sprint.

Preventive guardrails beat detective controls

There are two ways to enforce a rule: detect the violation after it happens and alert, or prevent the action entirely. Detective controls are essential but reactive — the misconfiguration existed for some window. A preventive guardrail, expressed as a service control policy or organization policy, stops the action at request time for every principal in the org, including account admins. Encode the non-negotiables — no public data, no disabling logging, region limits — as SCPs so they cannot be crossed rather than merely reported.

preventive guardrails as an SCP
# Attached to the Workloads OU: these are hard limits, not suggestions.
{
"Version": "2012-10-17",
"Statement": [
{ "Sid": "DenyDisablePublicAccessBlock", "Effect": "Deny",
"Action": ["s3:PutAccountPublicAccessBlock","s3:PutBucketPublicAccessBlock"],
"Resource": "*",
"Condition": { "Bool": { "s3:PublicAccessBlockConfiguration": "false" } } },
{ "Sid": "DenyCloudTrailTampering", "Effect": "Deny",
"Action": ["cloudtrail:StopLogging","cloudtrail:DeleteTrail"], "Resource": "*" },
{ "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
"Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" } } }
]
}

Secure-by-default accounts

An account vending process — Control Tower, Landing Zone Accelerator, or your own Terraform — provisions each new account with the baseline already in place: the org trail delivering logs to the archive account, the guardrail SCPs attached, SSO wired to roles, a hardened default network, and detection enabled. Teams request an account and receive a secure one, with no window in which it sits unprotected and no checklist to forget. Security becomes a property of how accounts are created.

Account vending applies the baseline
1account request
a team needs a new account
2automated vending
Control Tower / Terraform
3baseline applied
logging, SCPs, SSO, network, detection
4secure on day zero
no unprotected window, no checklist
Guardrails as code make the secure path the default path — the strongest form of security is the one nobody has to remember.
Manual account setup always drifts
Hand-configuring each new account guarantees inconsistency and a window where the account exists without its guardrails. Automate the baseline through account vending so every account — including the one spun up in a hurry — arrives fully fenced. Guardrails you apply by hand are guardrails someone eventually skips.