Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.4. Phase 7 Reflection Checkpoint

Key Takeaways:
  1. AWS Organizations provides the structural foundation; Control Tower automates governance; delegated administrators manage security services
  2. RCPs (new in C03) control what external principals can do to your resources, complementing SCPs, which control what your own principals can do
  3. Declarative policies (new in C03) enforce service configurations rather than just restricting actions
  4. Root user management: centralized root access, hardware MFA, break-glass procedures, CloudWatch monitoring
  5. Compliance is continuous: Config rules detect, auto-remediation fixes, Security Hub scores, Audit Manager collects evidence

Connecting Forward: Phase 8 prepares you for exam day with practical strategies for tackling scenario-based questions and managing time under pressure.

Self-Check Questions:
  • Can you explain the difference between SCPs, RCPs, and declarative policies?
  • Can you describe why the management account should never run workloads?
  • Can you trace the compliance automation pipeline from detection through remediation to verification?

Written by Alvin Varughese
Founder, 15 professional certifications