Cyber Intelligence
Management and Security Governance · 14% of exam

L17. AWS Organizations, SCPs & Multi-Account Guardrails

Video generating

Check back soon for the video lesson on AWS Organizations, SCPs & Multi-Account Guardrails

Why the management account is the one account SCPs can never touch, how Control Tower splits guardrails into preventive (SCP) and detective (Config), and why delegated administrators exist.

Centralized Management Across Many Accounts

AWS Organizations provides centralized management for a fleet of AWS accounts, consolidating billing into a single invoice and letting a management account apply policy consistently everywhere. Accounts are grouped into Organizational Units (OUs), and OUs are what policies actually target: service control policies (SCPs), tag policies, and backup policies attach to an OU (or directly to an account) and then apply to every account nested underneath it.

The One Account SCPs Cannot Touch

SCPs apply to OUs and member accounts, but never to the management account itself. There is no way to attach an SCP that restricts what the management account's principals can do, which means the management account has no ceiling above IAM. That is exactly why it needs the strongest independent protection available: hardware MFA on the root user, no routine workloads or human logins, and tightly scoped IAM policies for the few people who need access. A compromised member account is contained by the SCPs wrapped around its OU; a compromised management account is not contained by anything the organization itself can enforce.

Control Tower: Preventive vs. Detective Guardrails

AWS Control Tower automates the setup of a multi-account "landing zone," complete with a pre-built OU structure, logging, and a library of guardrails you enable per OU. Guardrails come in two flavors that map directly to two different AWS services:

Guardrail typeEnforcement mechanismBehavior
PreventiveService control policy (SCP)Blocks the disallowed action before it happens
DetectiveAWS Config ruleEvaluates existing resources and flags non-compliance after the fact
A preventive guardrail stops an API call outright: an account simply cannot disable CloudTrail if a preventive guardrail denies it. A detective guardrail does not block anything; it continuously checks resource state and reports when something drifts out of compliance, such as an S3 bucket becoming public.

A mature multi-account design separates responsibilities by account:

  • Management account: used only for billing and organization administration, never for workloads.
  • Security tooling and log-archive accounts: hold aggregated GuardDuty findings, Security Hub data, and centralized CloudTrail/Config logs, with access restricted to the security team.
  • Per-workload or per-environment accounts: each application or environment gets its own account, so a compromise in one cannot laterally reach another and the blast radius stays contained.

Delegated Administrator: Keeping the Management Account Out of Daily Operations

Many org-wide security services (GuardDuty, Security Hub, and Macie among them) support delegated administrator: a member account (never the management account) can be designated to administer that service across the entire organization. Security teams enable, configure, and view findings from the delegated administrator account instead of logging into the management account for routine security work, which shrinks how often that highest-privilege account needs to be touched at all. Exam tip: If a scenario asks what stops even an account's own administrator from taking an action, the answer is an SCP, never an IAM policy, since IAM policies inside that account can always be changed by that account's administrator. If the scenario instead mentions the management account being restricted, that is a trap: SCPs cannot apply to it.

Exam Focus Points
  • SCPs apply to organizational units and member accounts, never to the management account itself, which is why the management account needs the strongest independent protection
  • AWS Control Tower automates multi-account landing zone setup with guardrails: preventive guardrails are implemented as SCPs, detective guardrails are implemented as AWS Config rules
  • Recommended account structure separates the management account (billing/org admin only), dedicated security/log-archive accounts, and per-workload or per-environment accounts to contain blast radius
  • A delegated administrator is a member account (never the management account) designated to administer org-wide services like GuardDuty, Security Hub, and Macie
  • Using a delegated administrator reduces how often the high-privilege management account needs to be accessed for routine security operations
Knowledge Check

1. A security team wants to enforce that no account in the "Sandbox" OU can ever disable CloudTrail, even by an account administrator. Which control enforces this even against the account's own administrators?

2. In AWS Control Tower, what is the difference between a preventive guardrail and a detective guardrail?

3. Why would a company designate a delegated administrator account for GuardDuty instead of managing it directly from the management account?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available