Service Control Policy (SCP) to restrict important services and configurations, e.g. CloudTrail etc.

DenyDisruptingAWS

{
	"Version": "2012-10-17",
	"Statement": [
	    {
		"Effect": "Deny",
		"Action": [
			"organizations:LeaveOrganization",
		        "guardduty:DeleteDetector",
                	"guardduty:DisassociateFromMasterAccount",
                	"guardduty:UpdateDetector",
                	"guardduty:CreateFilter",
                	"guardduty:CreateIPSet",
                	"config:DeleteConfigRule",
                	"config:DeleteConfigurationRecorder",
                	"config:DeleteDeliveryChannel",
                	"config:StopConfigurationRecorder",
                	"events:DeleteRule",
                	"events:DisableRule",
                	"events:RemoveTargets"
            	],
		"Resource": "*"
	    }
	]
}