Hands-on workshop

LiveDay NYC

Hands-on workshop: Building and scaling AWS SCPs for platform governance

Interactive workshop on writing and deploying AWS Service Control Policies that scale. Build production-ready SCPs to block security tampering, enforce encryption, and govern AI usage - then roll them out across AWS Organizations without disrupting developer workflows.

Jun 25, 2026, 16:00 EDT

Meet the speakers

Nigel Sood
Cloud Security Research Analyst, Sonrai Security

Service Control Policies (SCPs) are the most effective way to establish a security posture in AWS, yet many platform teams struggle to implement them without breaking developer workflows. This interactive workshop moves past theory to provide a practical guide for writing and deploying guardrails that actually scale.

Attendees will participate in a live coding session to build and implement three specific SCPs designed to protect critical cloud infrastructure. We will focus on the logic required to block the tampering of security controls, enforce data encryption, and restrict AI usage patterns.

Workshop Agenda:

Live Policy Authoring: Write 3-5 production-ready SCPs using the terminal to block unauthorized configuration changes and enforce separation of duties.

Implementation Mechanics: Move from local policy creation to active enforcement within an AWS Organization.

Scaling Beyond Manual Entry: Compare manual policy management with automated enforcement methods to handle permission creep across hundreds of accounts.

Optimization Tactics: Best practices for structuring policies to avoid reaching the AWS 5,120-character limit per SCP.

Technical Prerequisites (if you want to participate hands-on):

AWS Account Setup:

Management Account:

  • Ensure you have access to the AWS management account. You might want to have a sandbox AWS organization with full access to the management account and at least one additional AWS account you can make breaking changes to.

AWS Organizations (Management Account):

  • You need to have AWS Organizations enabled in the root account.

  • Verify that you have permissions to create and manage SCPs (organizations:*).

Sandbox Account:

  • Create or have access to an additional AWS account to use as a sandbox environment using AWS Organizations. This will be used for testing the SCPs you create.

Service Control Policies (SCPs):

  • Familiarize yourself with the SCPs we're going to work with.

AWS Console:

  • We're working out of the AWS Console.

The takeaway:
Participants will leave with a functional set of SCPs and a repeatable workflow for governing permissions at the organizational level.
