SCPs, RCPs, and a kill switch: a real AWS org setup

AWS FOR THE REAL WORLD

⏱️

Reading time: 12 minutes

🎯

Main Learning: Wrapping a multi-account AWS org in multiple layers of guardrails, featuring SCPs, RCPs, CloudTrail and Bugdet Actions

📝

Blog Post

Hey Reader 👋🏽
As you hopefully know, we're really obsessed with security, observability and auditability.

That's why we've carefully crafted our AWS Organization's setup. 🏗️

In this issue, we want to walk you through our most important guardrails!

Including all the whats and whys. 😊

AWS Savings Plan pricing, without the lock-in

A 3-year Savings Plan locks you in. Migrate to Fargate or Graviton before it expires, and the commitment is stranded. Archera's insured commitments give you the same discount with a release guarantee — release in as little as 30 days when your architecture changes. Free platform; you only pay when you save.

See How Insured Commitments Work →

📚 This Week's Deep Dive

A single AWS account is fine until it isn't 😅 The moment you have more than one workload, the math mostly flips! You want separation, isolation, per-project billing, and the same set of guardrails everywhere!

We rebuilt our AWS Organization from the ground up in Terraform. Three OUs, six member accounts, no IAM users anywhere, Identity Center for humans and GitHub OIDC for CI. The post walks through the four layers that turn a bare org into something we trust ourselves with:

SCPs - block expensive instance families, pin everyone to four regions, deny Bedrock org-wide, kill CloudTrail tampering, and enforce MFA on every IAM user.
RCPs - enforce TLS on S3, SQS, and Secrets Manager, and slam shut S3 public access — even for callers outside the org.
CloudTrail → EventBridge → Lambda - an org-wide trail and a small Node.js Lambda that fans events out to SES and Slack, color-coded by severity.
The kill switch - a $50 monthly budget on the Sandbox OU paired with a Budget Action that automatically attaches a deny SCP at 80% actual spend.

The post is honest about the sharp edges too: SCPs do not restrict the root user of the management account and AWS Budgets data lags 8 to 12 hours so no native AWS feature truly enforces a real-time spending cap.

🚀 Read the Full Tutorial →

📰 This Week in AWS

🤖Claude Platform on AWS is now GA

Anthropic's native Claude Platform is now available straight through your AWS account — same APIs, Managed Agents, Skills, and MCP connectors as Anthropic offers directly. Different from Bedrock: Anthropic operates the inference stack, AWS handles the billing relationship.

🛡️AWS Organizations doubles the SCP quotas

You can now attach up to 10 SCPs per node (root, OU, or account) instead of 5, and a single SCP can be up to 10,240 characters instead of 5,120. Available everywhere automatically. If you have ever fought the old limits while consolidating policies, this is a real quality-of-life bump.

🧰Agent Toolkit for AWS launches

Official AWS MCP servers, plugins, and 40+ agent skills for CloudFormation, serverless, data pipelines, and more. Works with Claude Code, Cursor, and Kiro out of the box. No extra cost — you pay only for the AWS resources the agents actually use.

If you take one thing away: the value of a multi-account setup is what you build around the accounts, not the accounts themselves.

A "bare" AWS Organization with no SCPs, no audit trail, and no spending guardrails is just multiple places (=accounts) for the same mistake(s) to happen.
See you soon!
Sandro & Tobi

AWS for the Real World