Modifying Service Control Policies (SCPs)
We use the following SCPs for the Modernisation Platform to restrict certain actions at an account level.
| Policy | Type | Location | Description |
|---|---|---|---|
| Modernisation Platform Member OU SCP | SCP | aws-root-account/management-account/terraform/organizations-policy-service-control.tf | Baseline SCP attached to the Modernisation Platform Member OU. |
| Modernisation Platform RDS Guardrails SCP | SCP | aws-root-account/management-account/terraform/organizations-policy-service-control-modernisation-platform.tf | Prevents publicly accessible RDS, unencrypted RDS, and public snapshot sharing (Modernisation Platform Member OU scope). |
| Modernisation Platform S3 Block Public Access | S3 org policy | aws-root-account/management-account/terraform/organizations-policy-service-control-modernisation-platform.tf | Enforces S3 Block Public Access for accounts in the Modernisation Platform Member OU. |
| Modernisation Platform Deny CloudTrail Delete Stop Update | SCP | aws-root-account/management-account/terraform/organizations-policy-service-control-modernisation-platform.tf | Denies DeleteTrail and StopLogging on the cloudtrail trail, and denies UpdateTrail except for ModernisationPlatformAccess (Modernisation Platform OU scope). |
| Modernisation Platform Protect Core S3 Buckets | SCP | aws-root-account/management-account/terraform/organizations-policy-service-control-modernisation-platform.tf | Denies deletion and policy/lifecycle tampering for core S3 buckets (state + core logging) (Modernisation Platform OU scope). |
| Modernisation Platform Protect Secure Baselines | SCP | aws-root-account/management-account/terraform/organizations-policy-service-control-modernisation-platform.tf | Denies deletion/disabling of secure-baselines tagged resources, except AWS SSO admin roles (Modernisation Platform OU scope). |
The SCPs and organization policies above are modified in the management-account Terraform of the aws-root-account repository.
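As an added illustration (not the Modernisation Platform's own Terraform), the following shows how an SCP in the style of the "Deny CloudTrail Delete Stop Update" policy is expressed in Terraform: an unconditional deny on DeleteTrail and StopLogging, and a deny on UpdateTrail that exempts the ModernisationPlatformAccess role via a condition, since SCPs cannot name principals directly. The resource names, region, trail ARN and target OU id are placeholders.

```hcl
# Added example, not code from the aws-root-account repository.
# Trail ARN, account id, region and OU id below are placeholders.

data "aws_iam_policy_document" "deny_cloudtrail_changes" {
  # Nobody in the OU may delete or stop the organisation trail.
  statement {
    sid       = "DenyDeleteAndStopTrail"
    effect    = "Deny"
    actions   = ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"]
    resources = ["arn:aws:cloudtrail:eu-west-2:111111111111:trail/cloudtrail"]
  }

  # UpdateTrail is denied unless the caller is the ModernisationPlatformAccess
  # role. aws:PrincipalArn carries the role ARN for assumed-role sessions, and
  # the wildcard account id matches that role in any member account.
  statement {
    sid       = "DenyUpdateTrailExceptPlatformAccess"
    effect    = "Deny"
    actions   = ["cloudtrail:UpdateTrail"]
    resources = ["arn:aws:cloudtrail:eu-west-2:111111111111:trail/cloudtrail"]

    condition {
      test     = "StringNotLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::*:role/ModernisationPlatformAccess"]
    }
  }
}

resource "aws_organizations_policy" "deny_cloudtrail_changes" {
  name        = "Modernisation Platform Deny CloudTrail Delete Stop Update"
  description = "Deny DeleteTrail/StopLogging on the org trail; deny UpdateTrail except for ModernisationPlatformAccess"
  type        = "SERVICE_CONTROL_POLICY"
  content     = data.aws_iam_policy_document.deny_cloudtrail_changes.json
}

resource "aws_organizations_policy_attachment" "deny_cloudtrail_changes" {
  policy_id = aws_organizations_policy.deny_cloudtrail_changes.id
  target_id = "ou-xxxx-xxxxxxxx" # placeholder: Modernisation Platform OU id
}
```

SCPs never restrict the organisation's management account, so a policy like this only takes effect in the member accounts under the attached OU.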
Alerting
Changes to Modernisation Platform SCPs are monitored via EventBridge rules that publish to an SNS topic. Alerts are sent to the #modernisation-platform-low-priority-alarms Slack channel.
To make changes to these SCPs please raise a pull request against the aws-root-account repository.
This page was last reviewed on 19 March 2026. It needs to be reviewed again on 19 September 2026 by the page owner #modernisation-platform.