A PSU Achieves Governance and Compliance through SCP Enforcement and Regional Access Limitations Reduce Risks by Over 75%

Solutions

• The client’s AWS Organisations have implemented a multi-account structure using Organisational Units (OUs) to simplify cost tracking, enable hierarchical organization for improved policy enforcement, and ease account administration. 
• Their organization has set up SCP (Service Control Policy) in AWS Control Tower to enforce certain tagging standards, guaranteeing uniform tagging procedures for cost allocation and resource management.  
• By applying the concept of least privilege and establishing SSO in their AWS organization through the AWS IAM identity center, permission provisioning enables organizations to regulate and protect access to resources precisely, minimizing the risk of unauthorized access and mitigating security threats.  
• Instead of keeping track of different bills for every AWS account, consolidated billing has been used in the client’s account to expedite their billing process with a single payment from the payer account. As a result, the payer account gets a single, all-inclusive bill that contains the whole amount of all connected accounts’ expenses. 
• Logs Archive in AWS Control Tower has been leveraged so that their AWS organizations can easily access and analyze logs from a single location to multiple accounts, enabling efficient monitoring and troubleshooting.