This document discusses approaches to implementing mandatory access control (MAC) on AWS. It describes how SELinux implements MAC on Linux instances on AWS. It also discusses the Glacier Vault Lock service, which applies a fixed policy that cannot be changed by any user, including the account owner. The document then discusses ways to apply similar controls to other AWS services, such as writing logs to S3 in a way that prevents reading or listing the contents.
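The write-only log bucket mentioned above can be checked mechanically. The following is an added example, not code from the document being summarized. It assumes the control is implemented as an S3 bucket policy with an explicit Deny, which the summary does not state. The bucket name, role ARN and both sample policies are constructed.

```python
import fnmatch

BUCKET = "example-log-bucket"  # constructed name
# Each read-side action and a sample ARN of the resource type it is evaluated on.
TARGETS = {
    "s3:GetObject": f"arn:aws:s3:::{BUCKET}/logs/app.log",  # object ARN
    "s3:ListBucket": f"arn:aws:s3:::{BUCKET}",              # bucket ARN
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(patterns, name, fold=False):
    # IAM-style wildcard match; action names are case-insensitive, ARNs are not.
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(name), norm(p)) for p in _as_list(patterns))

def unblocked_reads(policy):
    """Return read/list actions lacking an unconditional Deny for all principals."""
    blocked = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Condition"):
            continue  # a conditional Deny may not apply to every request
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # a Deny scoped to some principals leaves the rest able to read
        for action, arn in TARGETS.items():
            if _covers(st.get("Action", []), action, fold=True) and \
               _covers(st.get("Resource", []), arn):
                blocked.add(action)
    return sorted(set(TARGETS) - blocked)

# Constructed sample policies: the writer role may only put objects.
ALLOW_WRITE = {"Effect": "Allow",
               "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-writer"},
               "Action": "s3:PutObject",
               "Resource": f"arn:aws:s3:::{BUCKET}/*"}
DENY_READ = {"Effect": "Deny", "Principal": "*",
             "Action": ["s3:GetObject", "s3:ListBucket"]}
# Weak: the Deny names only object ARNs, so it never matches s3:ListBucket.
WEAK = {"Version": "2012-10-17", "Statement": [
    ALLOW_WRITE, {**DENY_READ, "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# Hardened: the Deny names both the bucket ARN and the object ARNs.
HARDENED = {"Version": "2012-10-17", "Statement": [
    ALLOW_WRITE, {**DENY_READ, "Resource": [f"arn:aws:s3:::{BUCKET}",
                                            f"arn:aws:s3:::{BUCKET}/*"]}]}

if __name__ == "__main__":
    print("weak:", unblocked_reads(WEAK))
    print("hardened:", unblocked_reads(HARDENED))
```

The check covers only the two actions in `TARGETS`; other read paths, such as `s3:GetObjectVersion` on a versioned bucket, would need to be added there.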