Company: Temporal
Date Published:
Author: Brandon Sherman
Word count: 2106
Language: English
Hacker News points: None

Summary

Our goal at Temporal is to develop a flexible and scalable access-control mechanism for securing our cloud environment. We've decided on a Biba-style model, segmenting our AWS accounts into smaller "perimeters", with each account forming a hard boundary. This approach provides isolation guarantees to our customers and to ourselves, but it also presents challenges in managing the relationships between these accounts. To mitigate this, we plan to use AWS Service Control Policies (SCPs) as guardrails around our accounts; an SCP applies to all principals within an account, including the root user. However, we've encountered limitations with SCPs, particularly when it comes to specifying which outer-ring accounts can accept commands from inner-ring accounts. We're currently working on a solution that involves verifying the trustworthiness of AWS account numbers, since this is essential for defining the trust relationship between accounts. Our ultimate goal is for AWS to provide a verified account number service, making it easier for us to know whom we can trust and to apply those trust relationships across all our accounts.