Explicitly choose what AWS services to allow
Limit via an allowlist what AWS services you want your teams to use in that account.
Summary
Specifically allow (enable list) the AWS services you want your teams to use in that account. Otherwise teams will use everything, and your cyber, architecture and support risk footprints become huge and even more difficult to manage. Also, if you don't do this, when AWS releases a new service everyone gets it, whether or not you want people using it yet, and even if the service isn't targeted at your type of company.
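One way to enforce the allowlist, as an added example that is not part of the original page: it assumes the control is an AWS Organizations service control policy (SCP) attached to the account, which the page does not name. The service list, the `Sid`, the function names and the `newservice` prefix are illustrative, and `is_denied` is a simplified stand-in for AWS policy evaluation.

```python
import fnmatch
import json

# Assumed allowlist of IAM service prefixes; replace with your approved set.
ALLOWED_SERVICES = ["ec2", "s3", "iam", "kms", "logs", "cloudwatch", "sts"]

SCP_MAX_CHARS = 5120  # documented maximum size of an SCP document


def build_allowlist_scp(allowed_services):
    """Return an SCP that denies every action outside the allowed services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyServicesNotOnAllowlist",  # illustrative name
            "Effect": "Deny",
            # Deny + NotAction: anything NOT listed here is blocked, so a
            # newly released service is denied until someone adds it.
            "NotAction": sorted(f"{svc}:*" for svc in allowed_services),
            "Resource": "*",
        }],
    }


def render_scp(policy):
    """Serialize compactly and refuse a document over the SCP size limit."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(text)} chars, limit is {SCP_MAX_CHARS}")
    return text


def is_denied(policy, action):
    """Simplified check: denied when the action matches no NotAction pattern."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "NotAction" not in stmt:
            continue
        patterns = [p.lower() for p in stmt["NotAction"]]
        # IAM action names are case-insensitive and support * wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    scp = build_allowlist_scp(ALLOWED_SERVICES)
    print(render_scp(scp))
    # Constructed sample actions; "newservice" stands for a future AWS launch.
    for act in ("s3:GetObject", "newservice:CreateThing"):
        print(act, "-> denied" if is_denied(scp, act) else "-> not denied by SCP")
```

An SCP only sets the outer boundary: identities in the account still need IAM policies that grant the allowed actions.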
Applicable To
Account setup
Resources
AWS Services / AWS IAM
Maturity
Medium
Functions
CSPS
AWS
Author
Mark Andersen
Additional Links