diff --git a/terragrunt/org_account/organization/organizations.tf b/terragrunt/org_account/organization/organizations.tf
index 58787e57..54ca9bac 100644
--- a/terragrunt/org_account/organization/organizations.tf
+++ b/terragrunt/org_account/organization/organizations.tf
@@ -112,6 +112,11 @@ resource "aws_organizations_policy_attachment" "Test-cds_snc_universal_guardrail
   target_id = aws_organizations_organizational_unit.Test.id
 }
 
+resource "aws_organizations_policy_attachment" "Test-aws_nuke_guardrails" {
+  policy_id = aws_organizations_policy.aws_nuke_guardrails.id
+  target_id = aws_organizations_organizational_unit.Test.id
+}
+
 resource "aws_organizations_policy_attachment" "DumpsterFire-qurantine_deny_all_policy" {
   policy_id = aws_organizations_policy.qurantine_deny_all_policy.id
   target_id = aws_organizations_organizational_unit.DumpsterFire.id
diff --git a/terragrunt/org_account/organization/scp.tf b/terragrunt/org_account/organization/scp.tf
index 865e45f5..1d4baa83 100644
--- a/terragrunt/org_account/organization/scp.tf
+++ b/terragrunt/org_account/organization/scp.tf
@@ -180,3 +180,92 @@ resource "aws_organizations_policy" "qurantine_deny_all_policy" {
   type    = "SERVICE_CONTROL_POLICY"
   content = data.aws_iam_policy_document.qurantine_deny_all_policy.json
 }
+
+
+data "aws_iam_policy_document" "aws_nuke_guardrails" {
+  statement {
+
+    sid    = "ProtectAWSControlTowerRoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DetachRolePolicy",
+      "iam:DeleteRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSControlTower*",
+      "arn:aws:iam::*:role/aws-service-role/*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "ProtectSAMLProvider"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteSAMLProvider"
+    ]
+    resources = [
+      "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+
+  statement {
+    sid    = "ProtectSSORoles"
+    effect = "Deny"
+    actions = [
+      "iam:DeleteRole",
+      "iam:DeleteRolePolicy",
+      "iam:DetachRolePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:role/AWSReservedSSO_*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "ProtectSSORolePolicies"
+    effect = "Deny"
+    actions = [
+      "iam:DetachRolePolicy",
+      "iam:DeletePolicy"
+    ]
+    resources = [
+      "arn:aws:iam::*:policy/AWSReservedSSO_*"
+    ]
+    condition {
+      test     = "ArnNotLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:aws:iam::*:role/AWSAFTExecution",
+      ]
+    }
+  }
+}
+
+resource "aws_organizations_policy" "aws_nuke_guardrails" {
+  name    = "Control Tower Guardrails"
+  type    = "SERVICE_CONTROL_POLICY"
+  content = data.aws_iam_policy_document.aws_nuke_guardrails.json
+}
\ No newline at end of file