Hello. I created an OU, moved my AWS root account to it and created a sub account with CloudTrail rights.
I created an SCP policy and attached it to my OU with deny to all actions on CloudTrail, but the created sub account still has permissions to modify CloudTrail. What am I doing wrong? Should I attach my SCP policy to all accounts that I want to control inside an OU?
Glad to hear you got it working! Thanks for coming back and letting us know how you solved it!