@groovyBugify 2d ago
Reviewed this from a security lens — the role model and the least-privilege split (especially isolating rds-db:connect to DBA, short session durations, and the consistent iam/org/billing/sso denies) look well thought through. Trusting your call on the overall design.
The existing SCPs cover the audit/security-control teardown verbs, so no concern there.
One thing I'd just confirm before/with the migration: that our existing Config/GuardDuty detective controls for RDS-public and S3-public apply to these accounts — so nothing in these roles can accidentally expose a DB or bucket publicly. If that's already covered, no changes needed from me. 👍
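As an added example (not the reviewer's or the PR's own code): a small policy linter that checks the points raised in the comment above against constructed sample roles, namely that rds-db:connect is confined to the DBA role, that session durations stay short, that the iam/org/billing/sso denies are present, and that any action capable of making an RDS instance or bucket public is surfaced so the detective controls can be confirmed for it. Role names, the policy shape, the session limit and the exposure action list are assumptions.

```python
import fnmatch

# Constructed sample roles (assumption: not the PR's real policies); each has a
# session limit and the Allow/Deny statements of its inline policy.
ROLES = {
    "DBA": {"MaxSessionDuration": 3600, "Statements": [
        {"Effect": "Allow", "Action": ["rds-db:connect", "rds:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "aws-portal:*", "sso:*"], "Resource": "*"},
    ]},
    "Developer": {"MaxSessionDuration": 43200, "Statements": [
        {"Effect": "Allow", "Action": ["rds-db:connect", "s3:*", "rds:ModifyDBInstance"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
    ]},
}

REQUIRED_DENIES = ["iam:*", "organizations:*", "aws-portal:*", "sso:*"]
MAX_SESSION_SECONDS = 3600  # assumed limit for "short session durations"
# Actions that can make a DB instance or bucket public; illustrative, not exhaustive.
PUBLIC_EXPOSURE_ACTIONS = ["rds:ModifyDBInstance", "s3:PutBucketAcl",
                           "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock"]

def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def _granted(patterns, action):
    """IAM-style case-insensitive wildcard match (e.g. s3:* grants s3:PutBucketAcl)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint_roles(roles):
    """Return (role, finding) pairs for the least-privilege and exposure checks."""
    findings = []
    for name, role in roles.items():
        allow = [a for s in role["Statements"] if s["Effect"] == "Allow" for a in _actions(s)]
        deny = {a for s in role["Statements"] if s["Effect"] == "Deny" for a in _actions(s)}
        if _granted(allow, "rds-db:connect") and name != "DBA":
            findings.append((name, "rds-db:connect granted outside the DBA role"))
        if role["MaxSessionDuration"] > MAX_SESSION_SECONDS:
            findings.append((name, f"MaxSessionDuration {role['MaxSessionDuration']}s exceeds {MAX_SESSION_SECONDS}s"))
        for d in REQUIRED_DENIES:
            if d not in deny:  # explicit-deny patterns are compared literally
                findings.append((name, f"missing explicit deny for {d}"))
        for a in PUBLIC_EXPOSURE_ACTIONS:
            if _granted(allow, a):
                findings.append((name, f"{a} allowed: can expose a resource publicly, confirm detective control"))
    return findings
```

Run it over the real role definitions exported from the PR to get the list of roles that need the Config/GuardDuty public-exposure checks confirmed.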