A detailed walkthrough of a real AWS multi-account organization setup managed with Terraform. Covers four security and cost-control layers: Service Control Policies (SCPs) to block dangerous actions like expensive instance types, non-approved regions, and root user activity; Resource Control Policies (RCPs) to enforce TLS and block public S3 access from any caller; an organization-wide CloudTrail audit pipeline with EventBridge rules routing alerts to email and Slack via Lambda; and a budget-driven kill switch that automatically attaches a deny SCP to sandbox OUs when spending hits 80% of a $50 monthly cap. Includes honest caveats about AWS Budgets' 8-12 hour data delay and why the kill switch is a backstop, not a hard guarantee.

21 min read. From awsfundamentals.com
Table of contents

Why a Multi-Account Setup
The Account Layout
SCPs: Identity-Side Guardrails
RCPs: Resource-Side Guardrails
CloudTrail: The Audit Trail
Real-Time Alerts: EventBridge to Lambda to Email and Slack
Spending Guardrails
Summary
