| AWS Organization, OUs, accounts | Management account |
| Trusted service access enablement | Management account (organization phase) |
| Organization policy type enablement (SCP, resource control, tag, backup, Inspector, Security Hub) | Management account (organization phase) |
| Service Control Policies | Root, OUs, accounts |
| Delegated admin registration (Config, IAM, IAM Access Analyzer, StackSets, CloudTrail, GuardDuty, Security Hub, Inspector, Macie) | Management account (organization phase) |
| GitHub Actions OIDC provider and deploy role | Management + landing zone accounts |
| Alternate contacts | All accounts |
| Marketing email unsubscribe | All accounts |
| Organization stack output publishing | Management account |
| StackSet IAM roles | Landing zone account |
| Regional landing-zone asset buckets | Landing zone account, all regions |
| Log archive CloudTrail S3 buckets | Log archive account |
| Central CloudTrail SNS topic | Security account |
| Organization CloudTrail trail (covers every account) | Security account, primary region |
| IAM centralized root access (organization-wide) | Security account (all member accounts) |
| IAM Access Analyzer organization external access analyzer | Security account, all configured regions |
| Management-account secure defaults | Management account |
| Account closure automation | Management account (organization phase) |
| CloudFormation drift detection | Management + landing zone accounts |
| Secure defaults (delete default VPC, EBS encryption, default SG hardening, SSM service settings, password policy, S3 block public access) | All member accounts, all configured regions |
| Organization trail with CIS alarms | Security account, primary region |
| Cost budgets and anomaly detection | All member accounts, primary region |
| CDK bootstrap and asset cleaner | Development and Production OUs, all configured regions |
| Service quota increases | Development, Production, and Security OUs, all regions |
| Security Hub, GuardDuty, Inspector, and Macie organization configuration | Security account |