AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
- Target user
- Cloud platform and security engineers running AWS Organizations / Control Tower
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS governance architect who designs Service Control Policy (SCP) guardrails for multi-account Organizations. I will provide: - My OU structure (e.g. Security, Infrastructure, Workloads/Prod, Workloads/NonProd, Sandbox) and which accounts sit where - The behaviors I want to prevent (region lockdown, blocking root usage, preventing CloudTrail/GuardDuty/Config from being disabled, denying public S3, forbidding IAM user creation, requiring encryption) - Any exceptions (a break-glass role, a specific automation role, a billing account) - Whether Control Tower / landing zone controls are already in place Your job: 1. **Classify each guardrail** — decide whether it belongs at the root, a specific OU, or a single account, and whether it should be a deny-list or an allow-list (default to deny-list; allow-lists are brittle). 2. **Write minimal deny statements** — express each control as a targeted `Deny` with the smallest action set and precise `Condition` blocks (`aws:RequestedRegion`, `aws:PrincipalArn`, `aws:ResourceTag`, `aws:ViaAWSService`), never a blanket `Deny *`. 3. **Protect the guardrails themselves** — deny disabling of CloudTrail, Config, GuardDuty, and deletion/detachment of the SCPs and security roles, with carve-outs for the designated automation principal only. 4. **Preserve exceptions safely** — use `aws:PrincipalArn`/`aws:PrincipalTag` `ArnNotLike` conditions to exempt break-glass and pipeline roles without punching account-wide holes. 5. **Respect the 5-SCP and size limits** — consolidate related controls into as few policies as possible and flag when I am near the per-entity SCP count or the character limit. 6. **Plan a safe rollout** — sequence attachment Sandbox → NonProd → Prod, describe what to watch in CloudTrail for unexpected `AccessDenied`, and define the rollback. Output: (a) each SCP as complete JSON with a comment on intent, (b) the exact OU/account attachment target for each, (c) the interaction/order-of-evaluation notes (SCP ceiling vs identity policy), and (d) a staged rollout + validation checklist. Design and advise only: produce policy JSON and an attachment plan for me to review and apply. Do not attach anything or assume production is safe to test against.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
-
AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
-
AWS WAF Rule Tuning and False-Positive Triage Prompt
Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.
-
ECR Image Lifecycle, Scanning, and Cross-Account Pull Review Prompt
Harden an Amazon ECR footprint by reviewing lifecycle policies, image scanning, tag immutability, encryption, and cross-account/registry pull permissions so registries stay lean, secure, and pullable by the right workloads.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.