There's more…

AWS Control Tower uses guardrails to help you establish a compliant environment where all the subordinate accounts follow your company's best practices. Guardrails fall into one of two broad categories:

  • Detective
  • Preventative

Detective controls make use of AWS Config Rules to alert you to resources that are out of compliance within provisioned accounts. You can take manual action to correct the problems, or you can use AWS Lambda to automate your response.

Preventative controls use Service Control Policies (SCPs) to make certain actions impossible within provisioned accounts, even to the root user! You must take great care with SCPs since they can have drastic effects on a large number of child accounts.
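Because an SCP deny applies to every principal in every attached account, it is worth reviewing a policy document before attaching it. The following is an added example, not code from the book: a small pre-attachment check that flags Deny statements with a wide blast radius. The sample policy, its Sids and the `review_scp` helper are constructed for illustration.

```python
import json

# Constructed sample SCP (not from the book): a narrow guardrail, a deny
# scoped to the root user by a condition, and one overly broad statement.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    {"Sid": "BlockIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """Policy JSON allows a single item or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]

def review_scp(policy):
    """Return {Sid: [warnings]} for Deny statements with a wide blast radius."""
    findings = {}
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        warnings = []
        actions = as_list(stmt.get("Action", []))
        # A whole-service or global wildcard with no condition hits everyone,
        # including the root user and any automation roles in the account.
        wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard and "Condition" not in stmt:
            warnings.append(f"unconditional deny on {', '.join(wildcard)}")
        # Deny + NotAction blocks every action except the ones listed.
        if "NotAction" in stmt and "Condition" not in stmt:
            warnings.append("NotAction deny blocks everything not listed")
        if warnings:
            findings[sid] = warnings
    return findings

if __name__ == "__main__":
    for sid, warnings in review_scp(SAMPLE_SCP).items():
        print(f"{sid}: {'; '.join(warnings)}")
```

A flagged statement is not necessarily wrong; it is a prompt to confirm the scope is intended and to try the policy on a single test account or OU first.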
