Data Perimeter Implementation Strategies: Lessons Learned Rolling Out SCPs/RCPs
Agnel Amodia, Ben Joyce
fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal
Agnel Amodia and Ben Joyce from Vanguard presented a detailed account of how one of the world's largest investment management companies implemented a comprehensive **data perimeter program** across its AWS cloud environment. With more than 50 million investors, 20,000 employees, and over 80% of workloads in AWS, the stakes for getting cloud security right at Vanguard are enormous. This talk moved beyond theoretical frameworks and delivered a practitioner's guide to rolling out **Service Control Policies (SCPs)** and **Resource Control Policies (RCPs)** at genuine enterprise scale: 500+ AWS accounts, 10,000+ human identities, and 16,000+ application identities spread across 700+ VPCs.
AI review
A well-structured operational lessons-learned talk from Vanguard's data perimeter rollout across 500+ AWS accounts. No novel attacks or exploits, but genuinely useful practitioner-grade detail on the pain of deploying SCPs/RCPs at scale, including real AWS limitations like the missing ResourceTag support on S3 buckets and policy size constraints.