Data Perimeter Implementation Strategies - Lessons Learned Rolling Out SCPs/RCPs
fwd:cloudsec via YouTube
Overview
Learn practical strategies for implementing AWS Service Control Policies (SCPs) and Resource Control Policies (RCPs) at enterprise scale through real-world lessons from Vanguard Group's deployment across hundreds of AWS accounts. Discover how to navigate the increasing complexity of AWS IAM, including permissions policies, permission boundaries, session policies, resource-based policies, and the latest Resource Control Policies, while maintaining security without impeding business operations. Explore the challenges of defining security boundaries on paper versus implementing them in production environments running critical financial applications, and understand how to position cloud security as an enabler rather than a blocker. Address common implementation hurdles including managing dynamic VPC IDs and corporate CIDR ranges in SCPs, working around Resource Control Policy limitations with S3 bucket service global condition keys, integrating defense-in-depth CI/CD pipeline controls with data perimeter controls, and protecting identities and resources from unauthorized console tagging. Master techniques for verifying control effectiveness despite inconsistent access denied patterns, and learn how to build and deploy layered data perimeter controls that maintain tight security while supporting business continuity at scale.
Syllabus
Data Perimeter Implementation Strategies: Lessons Learned Rolling Out SCPs/RCPs
Taught by
fwd:cloudsec