By Samson Tanimawo, PhD. Published Mar 26, 2026.

The Organizations SCP Deny List That Saves You

Service control policies (SCPs) deny dangerous actions across accounts. This is the deny list that protects against accidental and malicious damage.

Critical denies

Cannot disable CloudTrail.

Cannot delete the audit S3 bucket.

Cannot leave the organisation.

Cannot create root access keys.
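The four denies above written as a single SCP document. This is an added example, not the author's policy. The bucket name is a placeholder, and the choice of which CloudTrail and S3 actions count as "disable" and "delete" is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDeletingAuditBucket",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-AUDIT-BUCKET-PLACEHOLDER"
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootAccessKeys",
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:root"
    }
  ]
}
```

SCPs do not restrict the organisation's management account, so these statements only take effect in member accounts under the root or OU the policy is attached to. Denying `cloudtrail:UpdateTrail` also blocks legitimate trail changes from member accounts, so drop it if trails are managed there.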

Scope

Apply at OU level. Production OU has tighter denies than dev OU.

Test in dev OU first; apply to production after validation.

Escape valves

Break-glass account: outside the organisation; tightly controlled access.

For genuine emergencies only; every use is logged.