profile

AWS for the Real World

SCPs, RCPs, and a kill switch: a real AWS org setup

Published about 1 month agoΒ β€’Β 2 min read
AWS FOR THE REAL WORLD
⏱️
Reading time: 12 minutes
🎯
Main Learning: Wrapping a multi-account AWS org in multiple layers of guardrails, featuring SCPs, RCPs, CloudTrail and Bugdet Actions
πŸ“

Hey Reader πŸ‘‹πŸ½
As you hopefully know, we're really obsessed with security, observability and auditability.

That's why we've carefully crafted our AWS Organization's setup. πŸ—οΈ

In this issue, we want to walk you through our most important guardrails!

Including all the whats and whys. 😊

Sponsored
Archera

AWS Savings Plan pricing, without the lock-in

Same Savings Plan discount β€” Archera insured commitments release in 30 days vs traditional 3-year lock-in

A 3-year Savings Plan locks you in. Migrate to Fargate or Graviton before it expires, and the commitment is stranded. Archera's insured commitments give you the same discount with a release guarantee β€” release in as little as 30 days when your architecture changes. Free platform; you only pay when you save.

Sponsored by Archera

πŸ“š This Week's Deep Dive

A single AWS account is fine until it isn't πŸ˜… The moment you have more than one workload, the math mostly flips! You want separation, isolation, per-project billing, and the same set of guardrails everywhere!

We rebuilt our AWS Organization from the ground up in Terraform. Three OUs, six member accounts, no IAM users anywhere, Identity Center for humans and GitHub OIDC for CI. The post walks through the four layers that turn a bare org into something we trust ourselves with:

  • SCPs - block expensive instance families, pin everyone to four regions, deny Bedrock org-wide, kill CloudTrail tampering, and enforce MFA on every IAM user.
  • RCPs - enforce TLS on S3, SQS, and Secrets Manager, and slam shut S3 public access β€” even for callers outside the org.
  • CloudTrail β†’ EventBridge β†’ Lambda - an org-wide trail and a small Node.js Lambda that fans events out to SES and Slack, color-coded by severity.
  • The kill switch - a $50 monthly budget on the Sandbox OU paired with a Budget Action that automatically attaches a deny SCP at 80% actual spend.

The post is honest about the sharp edges too: SCPs do not restrict the root user of the management account and AWS Budgets data lags 8 to 12 hours so no native AWS feature truly enforces a real-time spending cap.

πŸ“° This Week in AWS

πŸ€–Claude Platform on AWS is now GA

Anthropic's native Claude Platform is now available straight through your AWS account β€” same APIs, Managed Agents, Skills, and MCP connectors as Anthropic offers directly. Different from Bedrock: Anthropic operates the inference stack, AWS handles the billing relationship. Read More β†’

πŸ›‘οΈAWS Organizations doubles the SCP quotas

You can now attach up to 10 SCPs per node (root, OU, or account) instead of 5, and a single SCP can be up to 10,240 characters instead of 5,120. Available everywhere automatically. If you have ever fought the old limits while consolidating policies, this is a real quality-of-life bump. Read More β†’

🧰Agent Toolkit for AWS launches

Official AWS MCP servers, plugins, and 40+ agent skills for CloudFormation, serverless, data pipelines, and more. Works with Claude Code, Cursor, and Kiro out of the box. No extra cost β€” you pay only for the AWS resources the agents actually use. Read More β†’

If you take one thing away: the value of a multi-account setup is what you build around the accounts, not the accounts themselves.

A "bare" AWS Organization with no SCPs, no audit trail, and no spending guardrails is just multiple places (=accounts) for the same mistake(s) to happen.
See you soon!
​Sandro & Tobi

AWS for the Real World

by Tobi & Sandro

We teach AWS for the real world - not for certifications. Join more than 10,500 developers learning how to build real-world applications on AWS.

Read more from AWS for the Real World

AWS FOR THE REAL WORLD ⏱️ Reading time: 11 minutes 🎯 Main Learning: Most teams should stay serverless. EKS only pays off at real scale. πŸ“ Blog Post Hey Reader πŸ‘‹πŸ½For years we told everyone the same thing: don't run Kubernetes! And we meant it. Running k8s yourself is a second full-time job. Cluster upgrades, etcd backups, some networking plugin that falls over on a Tuesday and nobody can say why.We're serverless people through and through. Lambda first, a queue behind it, scale to zero, go...

5 days agoΒ β€’Β 3 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 12 minutes 🎯 Main Learning: Most of the complaints in the viral "leaving AWS" post are skill issues β€” but egress pricing is a fair hit. πŸ“ Blog Post Hey Reader πŸ‘‹πŸ½Recently, a post with the title "I returned to AWS and was reminded why I left" hit 810 upvotes on Hacker News last week and went pretty viral with it.I read it twice before forming an opinion. My honest take: most of the complaints are skill issues! πŸ€·β™‚οΈNevertheless, the post is well written and...

25 days agoΒ β€’Β 2 min read

AWS FOR THE REAL WORLD ⏱️ Reading time: 10 minutes 🎯 Main Learning: Describe the agent: model, prompt, tools and AWS runs the orchestration loop behind one API call! πŸ“ Blog Post Hey Reader πŸ‘‹πŸ½ If you've ever built an agent on AWS, you know the pain: glue Bedrock, Lambda, and DynamoDB together, grab LangGraph or Strands, then also own the orchestration loop, the memory layer, and your own tracing. πŸ˜… A "simple" agent ends up with multiple layers of pain.AWS just shipped something that takes most...

about 1 month agoΒ β€’Β 2 min read