
scp-fallback-revisit: smoke-test account is OUTSIDE sandboxOu (no ProtectISB) #234

@chrisns

Why

Phase 1b of the scenario-regression smoke-pack tech-spec (PR #233) deployed the smoke-test AWS account 464453619983 under the fallback placement branch (per ADR-1).

The Step 7 canary failed: ProtectISB (p-gn4fu3co) explicitly denies iam:CreateRole on `arn:aws:iam::*:role/InnovationSandbox-*` even from OrganizationAccountAccessRole. The runbook fallback moved the account out of the ndx_InnovationSandboxAccountPool OU and attached InnovationSandboxRestrictions + InnovationSandboxAwsNukeSupportedServices directly.

Faithfulness loss

The smoke account does NOT reproduce ProtectISB-driven failure modes: role-name-prefix denials against InnovationSandbox-* resources, Secrets Manager protections on ISB-named resources, StackSets denial against ISB-named StackSets.

The smoke pack therefore gets an approximation of an Active sandbox SCP profile, not a literal one.

Action

By 2026-11-12 (6 months from setup), retry the Step 7 canary:

  1. Move the smoke account back under ndx_InnovationSandboxAccountPool temporarily
  2. Re-run the canary (aws iam create-role --role-name InnovationSandbox-ndx-CanaryDeleteMe ...)
  3. If it passes (ProtectISB has been loosened to allow this prefix), keep the account there and detach the directly-attached SCPs (they are now inherited). Update docs/smoke-test-account-config.yml smoke_test_ou_placement_branch: child-of-sandboxOu.
  4. If it still fails, leave the fallback in place and re-open this issue with a new 6-month review date.
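Added example, not code from the issue or the repository: a shell canary for the Step 7 retry that distinguishes the ProtectISB explicit deny from a generic AccessDenied (e.g. the calling principal simply lacking iam:CreateRole) or a tooling error, and removes the role if creation did succeed. It assumes credentials for the smoke account (e.g. an assumed OrganizationAccountAccessRole session) are already in the environment; the deny-all trust policy and the `AWS_CLI` override are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Step 7 ProtectISB canary: try to create an InnovationSandbox-* role and classify the outcome.
set -u

ROLE_NAME="InnovationSandbox-ndx-CanaryDeleteMe"   # role name from the issue
AWS_CLI="${AWS_CLI:-aws}"                           # assumption: override with a stub for offline testing
# Assumption: a deny-all trust policy, so the canary role is unassumable even if cleanup fails.
TRUST_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"sts:AssumeRole"}]}'

# classify_canary_output <exit_code> <stderr_text>
# Prints one of: allowed | scp_denied | denied_other | error
classify_canary_output() {
  rc="$1"; err="$2"
  if [ "$rc" -eq 0 ]; then echo allowed; return 0; fi
  case "$err" in
    *"explicit deny in a service control policy"*) echo scp_denied ;;  # ProtectISB (or another SCP) fired
    *AccessDenied*)                               echo denied_other ;; # identity/permission problem, not the SCP
    *)                                            echo error ;;        # network, credentials, CLI misuse, ...
  esac
}

# run_canary: attempt the CreateRole, classify it, and delete the role if it was actually created.
run_canary() {
  err=$("$AWS_CLI" iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$TRUST_POLICY" 2>&1 >/dev/null)
  rc=$?
  result=$(classify_canary_output "$rc" "$err")
  if [ "$result" = allowed ]; then
    # The prefix is no longer blocked: clean up immediately so no stray InnovationSandbox-* role is left behind.
    "$AWS_CLI" iam delete-role --role-name "$ROLE_NAME" >/dev/null 2>&1 \
      || echo "WARN: canary role $ROLE_NAME was created but could not be deleted" >&2
  fi
  echo "$result"
}

# Only touch AWS when explicitly asked, so the file can be sourced/tested offline.
if [ "${RUN_CANARY:-0}" = 1 ]; then
  run_canary
fi
```

Interpretation per the issue's step 3/4: `scp_denied` means leave the fallback in place and re-open with a new review date; `allowed` means the account can stay under the sandbox OU with the direct SCP attachments removed; `denied_other` or `error` means the canary itself was not valid and should be fixed before drawing either conclusion.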
