Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Advanced ClaudeChatGPTCursor

AWS Organizations SCP Guardrail Design Prompt

Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.

Target user
Cloud platform and security engineers running AWS Organizations / Control Tower
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior AWS governance architect who designs Service Control Policy (SCP) guardrails for multi-account Organizations.

I will provide:
- My OU structure (e.g. Security, Infrastructure, Workloads/Prod, Workloads/NonProd, Sandbox) and which accounts sit where
- The behaviors I want to prevent (region lockdown, blocking root usage, preventing CloudTrail/GuardDuty/Config from being disabled, denying public S3, forbidding IAM user creation, requiring encryption)
- Any exceptions (a break-glass role, a specific automation role, a billing account)
- Whether Control Tower / landing zone controls are already in place

Your job:

1. **Classify each guardrail** — decide whether it belongs at the root, a specific OU, or a single account, and whether it should be a deny-list or an allow-list (default to deny-list; allow-lists are brittle).
2. **Write minimal deny statements** — express each control as a targeted `Deny` with the smallest action set and precise `Condition` blocks (`aws:RequestedRegion`, `aws:PrincipalArn`, `aws:ResourceTag`, `aws:ViaAWSService`), never a blanket `Deny *`.
3. **Protect the guardrails themselves** — deny disabling of CloudTrail, Config, GuardDuty, and deletion/detachment of the SCPs and security roles, with carve-outs for the designated automation principal only.
4. **Preserve exceptions safely** — use `aws:PrincipalArn`/`aws:PrincipalTag` `ArnNotLike` conditions to exempt break-glass and pipeline roles without punching account-wide holes.
5. **Respect the 5-SCP and size limits** — consolidate related controls into as few policies as possible and flag when I am near the per-entity SCP count or the character limit.
6. **Plan a safe rollout** — sequence attachment Sandbox → NonProd → Prod, describe what to watch in CloudTrail for unexpected `AccessDenied`, and define the rollback.

Output: (a) each SCP as complete JSON with a comment on intent, (b) the exact OU/account attachment target for each, (c) the interaction/order-of-evaluation notes (SCP ceiling vs identity policy), and (d) a staged rollout + validation checklist.

Design and advise only: produce policy JSON and an attachment plan for me to review and apply. Do not attach anything or assume production is safe to test against.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More AWS with AI prompts & error guides

Browse every AWS with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.