# Recommended Best Practices

* **Use Service Control Policies (SCPs):**\
  SCPs let you set permission guardrails for all (or a subset of) accounts in your AWS Organization. For your Savings Pods, set an SCP that explicitly *denies* all actions except those required for cost and usage reporting. This helps keep the pod accounts read-only and blocks the creation or modification of workloads and network changes in them. [Read more about SCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html).
* **Monitor Pod Activity Regularly:**\
  North.Cloud continuously self-monitors all savings pods for unauthorized actions or unexpected spend spikes. You can review this monitoring data directly in your North.Cloud app for additional transparency and auditing.
* **Review Audit Logs:**\
  Enable CloudTrail or AWS account activity monitoring to view all actions performed within your organization. Review the logs regularly for unexpected changes or access patterns.
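
One way to run the audit-log review above against the SCP guardrail is sketched below. It is an added example, not North.Cloud's own code: it sorts CloudTrail records from pod accounts into attempts that were blocked, writes that succeeded, and reads outside cost reporting. The account ID, the list of reporting event sources and the sample records are assumptions constructed for illustration.

```python
# Added example: triage CloudTrail records from Savings Pod accounts.
# Assumptions (not from the original page): the pod account ID, the event
# sources counted as cost and usage reporting, and the sample records.
POD_ACCOUNTS = {"111111111111"}  # constructed placeholder account ID
REPORTING_SOURCES = {"ce.amazonaws.com", "cur.amazonaws.com"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def _ev(account, source, name, read_only, error=None):
    """Build a constructed record holding only the CloudTrail fields used here."""
    ev = {"recipientAccountId": account, "eventSource": source,
          "eventName": name, "readOnly": read_only}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # constructed sample data
    _ev("111111111111", "ce.amazonaws.com", "GetCostAndUsage", True),
    _ev("111111111111", "ec2.amazonaws.com", "RunInstances", False,
        "Client.UnauthorizedOperation"),
    _ev("111111111111", "iam.amazonaws.com", "CreateUser", False),
    _ev("111111111111", "s3.amazonaws.com", "ListBuckets", True),
    _ev("222222222222", "ec2.amazonaws.com", "RunInstances", False),
]

def classify(ev):
    """Return a finding label for one pod-account event, or None if expected."""
    # readOnly is a JSON boolean in raw logs but a string in some exports.
    # A missing value is treated as a write so the check fails closed.
    read_only = str(ev.get("readOnly")).lower() == "true"
    if ev.get("errorCode") in DENIED_CODES:
        return "blocked-attempt"         # guardrail held; ask who tried and why
    if not read_only:
        return "write-succeeded"         # guardrail gap; highest priority
    if ev.get("eventSource") not in REPORTING_SOURCES:
        return "read-outside-reporting"  # read access wider than intended
    return None

def review(events, pod_accounts=POD_ACCOUNTS):
    """Return (label, eventSource, eventName) for pod events needing review."""
    findings = []
    for ev in events:
        if ev.get("recipientAccountId") not in pod_accounts:
            continue  # only the pod accounts are in scope
        label = classify(ev)
        if label:
            findings.append((label, ev.get("eventSource"), ev.get("eventName")))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

A `write-succeeded` finding in a pod account means the deny policy is missing, detached or too narrow, so it deserves attention before the other two labels.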

Following these practices, along with North's built-in monitoring and least-privilege configuration, maximizes your security and control.
