Terraform guardrails for secure AWS governance

This post walks through using Terraform to add real guardrails in AWS: IAM deny rules, AWS Config checks and centralized logging, with a reminder that an explicit deny always wins over an allow, no matter where the allow comes from.

Ellen

Org-level SCPs plus permission boundaries on the Terraform execution roles make the “explicit deny wins” rule real, even when a module is mis-scoped.

Add a CI gate like Conftest/OPA or Terraform Cloud policy checks so a public S3 bucket or disabled CloudTrail never makes it to apply.

Hari

Yep, SCPs plus a tight permission boundary on the Terraform role is the cleanest way to make “bad modules can’t hurt you” true, since deny always wins even if someone sneaks in overly broad IAM. I’d also lock state down hard (S3 + SSE-KMS + DynamoDB lock + least-privileged backend access) so governance doesn’t get bypassed through drift or state tampering.

VaultBoy
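The pattern both comments above describe (an org-level SCP with explicit denies, a permissions boundary on the Terraform execution role, and a locked-down S3 state backend) as one added Terraform configuration. This is example code written for this page, not code from the original post or from any commenter; the account ID, bucket, DynamoDB table, KMS key ARN, role names and the CI principal are hypothetical placeholders.

```hcl
# Added example, not from the original post. Account ID 111122223333, the
# state bucket/table, the KMS key and the CI principal are hypothetical.

terraform {
  # State: server-side encrypted with a customer-managed KMS key, locked via DynamoDB.
  # The CI role needs only s3:GetObject/PutObject on this key, kms:Decrypt/Encrypt
  # on this CMK, and dynamodb:Get/Put/DeleteItem on the lock table.
  backend "s3" {
    bucket         = "example-org-tfstate"                # hypothetical
    key            = "governance/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000" # hypothetical
    dynamodb_table = "example-org-tfstate-lock"           # hypothetical
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}
data "aws_organizations_organization" "org" {}

locals {
  boundary_name = "TerraformExecutionBoundary"
  # Built by hand so the boundary policy can reference its own ARN
  # without a Terraform dependency cycle.
  boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${local.boundary_name}"
}

# Org-wide SCP: explicit denies that no identity policy in a member account can override.
resource "aws_organizations_policy" "guardrails" {
  name = "guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "ProtectLogging"
        Effect   = "Deny"
        Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"]
        Resource = "*"
      },
      {
        Sid      = "NoPublicBucketAcls"
        Effect   = "Deny"
        Action   = ["s3:PutBucketAcl", "s3:PutObjectAcl"]
        Resource = "*"
        Condition = {
          StringEquals = { "s3:x-amz-acl" = ["public-read", "public-read-write", "authenticated-read"] }
        }
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "root" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = data.aws_organizations_organization.org.roots[0].id
}

# Permissions boundary: the ceiling on what any module run under the Terraform role can do.
resource "aws_iam_policy" "tf_boundary" {
  name = local.boundary_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "Ceiling"
        Effect   = "Allow"
        Action   = ["s3:*", "dynamodb:*", "kms:*", "cloudtrail:*", "config:*", "iam:*", "ec2:*"]
        Resource = "*"
      },
      {
        # Any principal Terraform creates or grants to must carry this same boundary,
        # so a mis-scoped module cannot mint an unbounded admin role.
        Sid      = "RequireBoundaryOnNewPrincipals"
        Effect   = "Deny"
        Action   = ["iam:CreateRole", "iam:CreateUser", "iam:PutRolePolicy", "iam:PutUserPolicy",
                    "iam:AttachRolePolicy", "iam:AttachUserPolicy"]
        Resource = "*"
        Condition = { StringNotEquals = { "iam:PermissionsBoundary" = local.boundary_arn } }
      },
      {
        Sid      = "NoBoundaryRemoval"
        Effect   = "Deny"
        Action   = ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"]
        Resource = "*"
      },
      {
        Sid      = "NoBoundaryEdits"
        Effect   = "Deny"
        Action   = ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]
        Resource = local.boundary_arn
      },
    ]
  })
}

# The execution role itself, pinned to the boundary. Its identity policies still
# have to grant each action; the boundary only caps what those grants can reach.
resource "aws_iam_role" "terraform" {
  name                 = "terraform-exec"              # hypothetical
  permissions_boundary = aws_iam_policy.tf_boundary.arn
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::111122223333:role/ci-runner" } # hypothetical CI principal
    }]
  })
}
```

Two caveats a practitioner would want: SCPs do not apply to the organization's management account, so the Terraform role should live in a member account; and the SCP's `ProtectLogging` statement denies administrators too, so if an on-call break-glass role must be able to change trails, carve it out with an `ArnNotLike` condition on `aws:PrincipalArn` rather than loosening the deny for everyone.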