Guardrails

Use Service Control Policies to block unapproved instance types, services, and regions before they create cost risk.

Why it matters

Budgets and alerts tell you when something expensive has already happened. Guardrails prevent many of those problems from happening in the first place.

Service Control Policies (SCPs) in AWS Organizations set the maximum permissions available to the member accounts in an organization, an organizational unit (OU), or the organization root. An SCP never grants permissions on its own; it filters what IAM policies inside those accounts can allow, so a Deny in an SCP holds even for an account administrator. SCPs do not apply to the management account or to service-linked roles. They’re a key tool for keeping cost risk under control at scale, and they also improve security posture by blocking risky actions, services, and Regions by default.

Block very large or unapproved instance types

Without guardrails, anyone with permission to launch EC2 instances can choose any size or family, including very large or non-standard instances that don’t fit your cost or architecture guidelines.

SCPs can:

  • Deny ec2:RunInstances when the ec2:InstanceType condition key matches instance families or sizes you have not approved (for example, p*, u-*, or every *.24xlarge and *.metal size)
  • Allow only approved instance families by denying ec2:RunInstances for every instance type that does not match the list the organization has standardized on

This keeps accidental or ad‑hoc use of high-cost instance types from showing up as surprise spend. Because SCPs do not restrict service-linked roles, confirm in a sandbox OU how launches made by a service on your behalf (for example, an Auto Scaling group) behave before relying on this guardrail alone.
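An added example of such a policy, written for this page and not taken from AWS documentation: an SCP that denies ec2:RunInstances whenever the requested instance type matches an unapproved family or size. The Sid and the pattern list are assumptions; adapt them to your own standards.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "p*",
            "u-*",
            "*.24xlarge",
            "*.48xlarge",
            "*.metal"
          ]
        }
      }
    }
  ]
}
```

The ec2:InstanceType key is carried on the instance resource of a RunInstances call, so the Resource is scoped to instance ARNs rather than "*". To turn this into an allow-list, change StringLike to StringNotLike and list the approved types (for example t3.*, m6i.*) instead of the blocked ones. Attach the policy to a sandbox OU first: a launch of a matching type should fail with an explicit deny, and a launch of a non-matching type should still succeed.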

Block unused or unapproved services

Some services might be out of scope for your organization (for example, due to compliance, security, or cost control).

With SCPs you can:

  • Deny every action in a service that is not allowed (for example, deny sagemaker:* if the service is not in use)
  • Restrict experimental or high‑cost services to specific accounts or OUs, either by attaching the deny SCP only to the OUs that must not use the service or by adding a condition on aws:PrincipalAccount that exempts the approved accounts

This focuses spend on the services you’ve intentionally chosen to support.
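An added example, not from this page or from AWS, of the second approach: one SCP attached at the root that denies all SageMaker actions except from accounts that are approved to use it. The account IDs are constructed placeholders; replace them with the IDs of your ML sandbox accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySageMakerOutsideApprovedAccounts",
      "Effect": "Deny",
      "Action": "sagemaker:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "111111111111",
            "222222222222"
          ]
        }
      }
    }
  ]
}
```

If the approved accounts already live in their own OU, the simpler form is to drop the Condition entirely and attach the policy to every other OU; the Condition variant is useful when approved accounts are scattered across the organization. In either form the policy only ever removes permissions, so the approved accounts still need IAM policies that grant SageMaker access.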

Block regions that are not in use

Running resources in unexpected Regions makes costs harder to track and can create data residency issues.

SCPs can:

  • Deny actions in all Regions except a small approved set (for example, us-east-1 and eu-west-1), using the aws:RequestedRegion condition key
  • Prevent accidental creation of resources in Regions you don’t monitor or intend to use

This keeps workloads and spend concentrated in the Regions your teams actually manage. When you write a Region guardrail, exempt global services such as IAM, STS, AWS Organizations, Route 53, CloudFront, and AWS Support with a NotAction list; they are reached through a single endpoint rather than a Regional one, and a blanket Region deny that does not exempt them can block identity and billing calls across the whole organization.
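An added example, written for this page rather than copied from AWS, of a Region guardrail that allows only us-east-1 and eu-west-1. The NotAction list exempts global services, and the ArnNotLike condition exempts an administrative role so that a break-glass principal is never locked out; the exempted role name is an assumption, and the global-service list should be reviewed against the services your organization uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "account:*",
        "aws-marketplace:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "cur:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "organizations:*",
        "route53:*",
        "route53domains:*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
        }
      }
    }
  ]
}
```

Both condition blocks must be true for the deny to apply, so a request is blocked only when it targets an unapproved Region and comes from a principal other than the exempted role. Test it from a member account by listing resources in an approved and an unapproved Region (the second call should fail with an explicit deny) and by confirming that IAM and STS calls still succeed; the management account is not covered by the policy, so run the test from a member account.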

Learn more

For examples of SCPs you can adapt, see: