scp - cirelledo-csa/herd GitHub Wiki

Service Control Policies

What are the SCPs for the top-level OU?

None. We want to be able to add a first-level business OU with no prior SCPs applied.

What are the SCPs for the first-level business OU?

These are the Control Tower guardrails that are required. We probably shouldn't apply any of these manually if we intend to use Control Tower. If we don't intend to use Control Tower, we should pick policies with similar effect that ensure:

  • Encryption at Rest for Log Archive
  • Access Logging for Log Archive
  • Disallow Changes to CloudWatch Logs Log Groups
  • Disallow Deletion of AWS Config Aggregation Authorization
  • Disallow Deletion of Log Archive
  • Disallow Policy Changes to Log Archive
  • Disallow Public Read Access to Log Archive
  • Disallow Public Write Access to Log Archive
  • Set a Retention Policy for Log Archive of 1000 days (what is our log retention policy?)
  • Disallow Configuration Changes to CloudTrail
  • Integrate CloudTrail Events with CloudWatch Logs
  • Enable CloudTrail in All Available Regions
  • Enable Integrity Validation for CloudTrail Log File
  • Disallow Changes to CloudWatch Set Up
  • Disallow Changes to AWS Config Aggregation Set Up
  • Disallow Configuration Changes to AWS Config
  • Enable AWS Config in All Available Regions
  • Disallow Changes to AWS Config Rules Set Up
  • Disallow Changes to IAM Roles
  • Disallow Changes to Lambda Functions
  • Disallow Changes to Amazon SNS
  • Disallow Changes to Amazon SNS Subscriptions
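
If we go the manual route, the SCPs need the same effect as the guardrails above. The following is an added example (not Control Tower's own policy text and not code from this repo) of a hand-written SCP covering "Disallow Configuration Changes to CloudTrail" and "Disallow Configuration Changes to AWS Config", with a small local check that the Deny statements hit the expected actions and carve out only the intended role before the policy is attached to the OU. The role name OrgLoggingAdmin and the account ids in the checks are placeholders.

```python
import fnmatch
import json

# Placeholder role name: the one principal allowed to touch logging config.
ADMIN_ROLE = "arn:aws:iam::*:role/OrgLoggingAdmin"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # similar effect to "Disallow Configuration Changes to CloudTrail"
            "Sid": "DenyCloudTrailConfigChanges",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors",
                       "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": ADMIN_ROLE}},
        },
        {   # similar effect to "Disallow Configuration Changes to AWS Config"
            "Sid": "DenyConfigRecorderChanges",
            "Effect": "Deny",
            "Action": ["config:DeleteConfigurationRecorder", "config:DeleteDeliveryChannel",
                       "config:StopConfigurationRecorder"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": ADMIN_ROLE}},
        },
    ],
}

def scp_denies(policy, action, principal_arn):
    """Simplified check: does any Deny statement block `action` for this principal?
    Only handles the shape above (Action list, ArnLike/ArnNotLike on aws:PrincipalARN)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        cond = stmt.get("Condition", {})
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # principal is carved out of the Deny
        only = cond.get("ArnLike", {}).get("aws:PrincipalARN")
        if only and not fnmatch.fnmatchcase(principal_arn, only):
            continue  # Deny applies only to matching principals
        return True
    return False

def scp_json():
    """Document body for `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(SCP, indent=2)
```

The check is deliberately narrow: it validates this policy's Deny/condition logic, not the full IAM evaluation that also involves the account's identity policies.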

What are the SCPs for the second-level dev/build/test/product OUs?

TBD