# Policy layering decision matrix

Use this **after** the landing zone exists. For mechanism details (RAM, Route 53 Profiles,
RCP syntax), see the [cross-account patterns post](https://www.factualminds.com/blog/aws-cross-account-patterns-beyond-landing-zone-2026/).

| Job | Right tool | Wrong tool (common mistake) | Verify in docs |
|-----|------------|----------------------------|----------------|
| Cap what **identities in your org** can do | **SCP** | RCP (RCP bounds resources, not caller capability) | Organizations SCP |
| Cap what **anyone** can do **to your resources** (data perimeter) | **RCP** | SCP alone (external principal + permissive bucket policy bypasses identity caps) | RCP supported services list — expanded through **Feb 2026** (e.g. DynamoDB) |
| Enforce **configuration end state** (VPC public access blocked) | **Declarative policy** | SCP denying one API (breaks when AWS ships new API) | EC2/VPC/EBS declarative — GA **Dec 2024**; Control Tower managed controls |
| Require **tags** on create | **Tag policy** (Organizations) | SCP (cannot enforce tag values on all resource types) | Tag policies |
| Detect **drift after the fact** | **AWS Config** rules / conformance packs | SCP (preventive only) | Config |
| Block **non-compliant resource at create** | **Proactive Control Tower hook** | Detective Config rule only | Control Tower proactive controls |
| Share subnets / TGW / DNS to new accounts automatically | **RAM share to OU** | Per-account share list | RAM + Organizations |

## Layering order (attach broad → narrow)

1. **Root / Security OU:** org-wide SCPs (deny leave org, deny disabling security services)
2. **Workload OUs:** region allow-list SCP + data-perimeter **RCP**
3. **Same OUs:** **declarative policies** for VPC block public access (BPA), serial console access, and public AMI/snapshot blocking
4. **Account level:** tag policies + Config conformance packs
5. **Resource level:** bucket policies, KMS keys, security groups (least privilege)

SCP + RCP + declarative are **complementary**: each bounds a different thing (caller capability, resource access, configuration end state). Replacing a declarative policy with "one more SCP" is how teams get false confidence: the SCP denies today's API call, not the end state.
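The "SCP alone" mistake from the matrix, as an added example that is not part of the original page: a data-perimeter RCP for S3 beside a deliberately simplified evaluator that models only the two rules the matrix rests on (SCPs bound callers whose account is in your org, RCPs bound resources your org owns regardless of caller, and any explicit deny wins). `ORG_ID`, the request shape and the evaluator are constructed for illustration; permission boundaries, session policies and per-service quirks are not modelled.

```python
# Simplified model of the SCP-vs-RCP distinction; not AWS's evaluation engine.
ORG_ID = "o-exampleorg1"  # placeholder, not a real organization ID

def data_perimeter_rcp(org_id: str) -> dict:
    """RCP: deny S3 access from any caller outside org_id, except AWS service
    principals (log delivery and similar), which carry no org ID at all."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "EnforceOrgIdentities", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}}]}

def lookalike_scp(org_id: str) -> dict:
    """The same deny written as an SCP (SCPs take no Principal element).
    It can only bound our own identities, so an external caller never meets it."""
    stmt = {k: v for k, v in data_perimeter_rcp(org_id)["Statement"][0].items()
            if k != "Principal"}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Only the two operators used above; '...IfExists' treats a missing key as a match."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEqualsIfExists" and have is not None and have == want:
                return False
            if op == "BoolIfExists" and have is not None and str(have).lower() != want:
                return False
    return True

def _action_matches(pattern: str, action: str) -> bool:
    return action == pattern or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def evaluate(request: dict, scps: list, rcps: list, bucket_policy_allows: bool) -> str:
    """Decide one S3 request against a bucket our org owns. request keys:
    action, principal_org (None for service principals), is_aws_service."""
    ctx = {"aws:PrincipalIsAWSService": request.get("is_aws_service", False)}
    if request.get("principal_org"):
        ctx["aws:PrincipalOrgID"] = request["principal_org"]
    applicable = list(rcps)                      # the resource is ours: RCPs always apply
    if request.get("principal_org") == ORG_ID:   # SCPs apply only to our own principals
        applicable += scps
    for policy in applicable:
        for st in policy["Statement"]:
            if (st["Effect"] == "Deny" and _action_matches(st["Action"], request["action"])
                    and _condition_matches(st.get("Condition", {}), ctx)):
                return "DENY"                    # explicit deny wins
    # No explicit deny: the (possibly over-permissive) bucket policy decides.
    return "ALLOW" if bucket_policy_allows else "DENY"
```

With only the SCP attached, an external principal reading a bucket whose policy allows `*` gets `ALLOW`; with the RCP attached the same request gets `DENY`, while in-org principals and AWS service principals are unaffected.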

## Opinionated defaults for enterprise prod OU

| Control | Tool | Notes |
|---------|------|-------|
| No public S3 buckets org-wide | SCP + RCP | Belt and suspenders for data perimeter |
| VPC cannot expose IGW paths to internet | Declarative (VPC BPA) | Survives new EC2 APIs |
| Only approved regions | SCP | Keep list short (3–5 regions) |
| Required cost allocation tags | Tag policy | Pair with [tagging/chargeback guide](https://www.factualminds.com/blog/aws-tagging-chargeback-finops-ownership-2026/) |
