diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md
index 503fa1da..fb91f4b2 100644
--- a/blueprints/data-solutions/shielded-folder/README.md
+++ b/blueprints/data-solutions/shielded-folder/README.md
@@ -1 +1,11 @@
-#TODO
\ No newline at end of file
+#TODO Proper README (after deciding if this is a blueprint or a FAST stage)
+
+# Implemented
+- Use of Scoped Policies (create or inherit)
+- VPC SC adding all Folder's project into the perimeter
+- Org policies
+- Hierarchical firewall rules
+
+# TODO
+- Log sync
+- KMS
\ No newline at end of file
diff --git a/blueprints/data-solutions/shielded-folder/data/vpc-sc/accessible-services.yaml b/blueprints/data-solutions/shielded-folder/data/vpc-sc/accessible-services.yaml
new file mode 100644
index 00000000..85e8835a
--- /dev/null
+++ b/blueprints/data-solutions/shielded-folder/data/vpc-sc/accessible-services.yaml
@@ -0,0 +1,117 @@
+- accessapproval.googleapis.com
+- adsdatahub.googleapis.com
+- aiplatform.googleapis.com
+- alloydb.googleapis.com
+- alpha-documentai.googleapis.com
+- analyticshub.googleapis.com
+- apigee.googleapis.com
+- apigeeconnect.googleapis.com
+- artifactregistry.googleapis.com
+- assuredworkloads.googleapis.com
+- automl.googleapis.com
+- baremetalsolution.googleapis.com
+- batch.googleapis.com
+- beyondcorp.googleapis.com
+- bigquery.googleapis.com
+- bigquerydatapolicy.googleapis.com
+- bigquerydatatransfer.googleapis.com
+- bigquerymigration.googleapis.com
+- bigqueryreservation.googleapis.com
+- bigtable.googleapis.com
+- binaryauthorization.googleapis.com
+- cloudasset.googleapis.com
+- cloudbuild.googleapis.com
+- clouddebugger.googleapis.com
+- clouderrorreporting.googleapis.com
+- cloudfunctions.googleapis.com
+- cloudkms.googleapis.com
+- cloudprofiler.googleapis.com
+- cloudresourcemanager.googleapis.com
+- cloudsearch.googleapis.com
+- cloudtrace.googleapis.com
+- composer.googleapis.com
+- compute.googleapis.com
+- connectgateway.googleapis.com
+- contactcenterinsights.googleapis.com
+- container.googleapis.com
+- containeranalysis.googleapis.com
+- containerfilesystem.googleapis.com
+- containerregistry.googleapis.com
+- containerthreatdetection.googleapis.com
+- contentwarehouse.googleapis.com
+- datacatalog.googleapis.com
+- dataflow.googleapis.com
+- datafusion.googleapis.com
+- datalineage.googleapis.com
+- datamigration.googleapis.com
+- datapipelines.googleapis.com
+- dataplex.googleapis.com
+- dataproc.googleapis.com
+- datastream.googleapis.com
+- dialogflow.googleapis.com
+- dlp.googleapis.com
+- dns.googleapis.com
+- documentai.googleapis.com
+- domains.googleapis.com
+- essentialcontacts.googleapis.com
+- eventarc.googleapis.com
+- file.googleapis.com
+- firebaseappcheck.googleapis.com
+- firebaserules.googleapis.com
+- firestore.googleapis.com
+- gameservices.googleapis.com
+- gkebackup.googleapis.com
+- gkeconnect.googleapis.com
+- gkehub.googleapis.com
+- gkemulticloud.googleapis.com
+- healthcare.googleapis.com
+- iam.googleapis.com
+- iamcredentials.googleapis.com
+- iaptunnel.googleapis.com
+- ids.googleapis.com
+- integrations.googleapis.com
+- language.googleapis.com
+- lifesciences.googleapis.com
+- logging.googleapis.com
+- managedidentities.googleapis.com
+- memcache.googleapis.com
+- meshca.googleapis.com
+- metastore.googleapis.com
+- ml.googleapis.com
+- monitoring.googleapis.com
+- networkconnectivity.googleapis.com
+- networkmanagement.googleapis.com
+- networksecurity.googleapis.com
+- networkservices.googleapis.com
+- notebooks.googleapis.com
+- opsconfigmonitoring.googleapis.com
+- osconfig.googleapis.com
+- oslogin.googleapis.com
+- policytroubleshooter.googleapis.com
+- privateca.googleapis.com
+- pubsub.googleapis.com
+- pubsublite.googleapis.com
+- recaptchaenterprise.googleapis.com
+- recommender.googleapis.com
+- redis.googleapis.com
+- retail.googleapis.com
+- run.googleapis.com
+- secretmanager.googleapis.com
+- servicecontrol.googleapis.com
+- servicedirectory.googleapis.com
+- spanner.googleapis.com
+- speakerid.googleapis.com
+- speech.googleapis.com
+- sqladmin.googleapis.com
+- storage.googleapis.com
+- storagetransfer.googleapis.com
+- texttospeech.googleapis.com
+- tpu.googleapis.com
+- trafficdirector.googleapis.com
+- transcoder.googleapis.com
+- translate.googleapis.com
+- videointelligence.googleapis.com
+- vision.googleapis.com
+- visionai.googleapis.com
+- vpcaccess.googleapis.com
+- workstations.googleapis.com
\ No newline at end of file
diff --git a/blueprints/data-solutions/shielded-folder/data/vpc-sc/restricted-services.yaml b/blueprints/data-solutions/shielded-folder/data/vpc-sc/restricted-services.yaml
new file mode 100644
index 00000000..85e8835a
--- /dev/null
+++ b/blueprints/data-solutions/shielded-folder/data/vpc-sc/restricted-services.yaml
@@ -0,0 +1,117 @@
+- accessapproval.googleapis.com
+- adsdatahub.googleapis.com
+- aiplatform.googleapis.com
+- alloydb.googleapis.com
+- alpha-documentai.googleapis.com
+- analyticshub.googleapis.com
+- apigee.googleapis.com
+- apigeeconnect.googleapis.com
+- artifactregistry.googleapis.com
+- assuredworkloads.googleapis.com
+- automl.googleapis.com
+- baremetalsolution.googleapis.com
+- batch.googleapis.com
+- beyondcorp.googleapis.com
+- bigquery.googleapis.com
+- bigquerydatapolicy.googleapis.com
+- bigquerydatatransfer.googleapis.com
+- bigquerymigration.googleapis.com
+- bigqueryreservation.googleapis.com
+- bigtable.googleapis.com
+- binaryauthorization.googleapis.com
+- cloudasset.googleapis.com
+- cloudbuild.googleapis.com
+- clouddebugger.googleapis.com
+- clouderrorreporting.googleapis.com
+- cloudfunctions.googleapis.com
+- cloudkms.googleapis.com
+- cloudprofiler.googleapis.com
+- cloudresourcemanager.googleapis.com
+- cloudsearch.googleapis.com
+- cloudtrace.googleapis.com
+- composer.googleapis.com
+- compute.googleapis.com
+- connectgateway.googleapis.com
+- contactcenterinsights.googleapis.com
+- container.googleapis.com
+- containeranalysis.googleapis.com
+- containerfilesystem.googleapis.com
+- containerregistry.googleapis.com
+- containerthreatdetection.googleapis.com
+- contentwarehouse.googleapis.com
+- datacatalog.googleapis.com
+- dataflow.googleapis.com
+- datafusion.googleapis.com
+- datalineage.googleapis.com
+- datamigration.googleapis.com
+- datapipelines.googleapis.com
+- dataplex.googleapis.com
+- dataproc.googleapis.com
+- datastream.googleapis.com
+- dialogflow.googleapis.com
+- dlp.googleapis.com
+- dns.googleapis.com
+- documentai.googleapis.com
+- domains.googleapis.com
+- essentialcontacts.googleapis.com
+- eventarc.googleapis.com
+- file.googleapis.com
+- firebaseappcheck.googleapis.com
+- firebaserules.googleapis.com
+- firestore.googleapis.com
+- gameservices.googleapis.com
+- gkebackup.googleapis.com
+- gkeconnect.googleapis.com
+- gkehub.googleapis.com
+- gkemulticloud.googleapis.com
+- healthcare.googleapis.com
+- iam.googleapis.com
+- iamcredentials.googleapis.com
+- iaptunnel.googleapis.com
+- ids.googleapis.com
+- integrations.googleapis.com
+- language.googleapis.com
+- lifesciences.googleapis.com
+- logging.googleapis.com
+- managedidentities.googleapis.com
+- memcache.googleapis.com
+- meshca.googleapis.com
+- metastore.googleapis.com
+- ml.googleapis.com
+- monitoring.googleapis.com
+- networkconnectivity.googleapis.com
+- networkmanagement.googleapis.com
+- networksecurity.googleapis.com
+- networkservices.googleapis.com
+- notebooks.googleapis.com
+- opsconfigmonitoring.googleapis.com
+- osconfig.googleapis.com
+- oslogin.googleapis.com
+- policytroubleshooter.googleapis.com
+- privateca.googleapis.com
+- pubsub.googleapis.com
+- pubsublite.googleapis.com
+- recaptchaenterprise.googleapis.com
+- recommender.googleapis.com
+- redis.googleapis.com
+- retail.googleapis.com
+- run.googleapis.com
+- secretmanager.googleapis.com
+- servicecontrol.googleapis.com
+- servicedirectory.googleapis.com
+- spanner.googleapis.com
+- speakerid.googleapis.com
+- speech.googleapis.com
+- sqladmin.googleapis.com
+- storage.googleapis.com
+- storagetransfer.googleapis.com
+- texttospeech.googleapis.com
+- tpu.googleapis.com
+- trafficdirector.googleapis.com
+- transcoder.googleapis.com
+- translate.googleapis.com
+- videointelligence.googleapis.com
+- vision.googleapis.com
+- visionai.googleapis.com
+- vpcaccess.googleapis.com
+- workstations.googleapis.com
\ No newline at end of file
diff --git a/blueprints/data-solutions/shielded-folder/maint.tf b/blueprints/data-solutions/shielded-folder/main.tf
similarity index 87%
rename from blueprints/data-solutions/shielded-folder/maint.tf
rename to blueprints/data-solutions/shielded-folder/main.tf
index 33774d43..410931e8 100644
--- a/blueprints/data-solutions/shielded-folder/maint.tf
+++ b/blueprints/data-solutions/shielded-folder/main.tf
@@ -15,6 +15,13 @@
 # tfdoc:file:description Folder resources.
 locals {
+ _vpc_sc_vpc_accessible_services = yamldecode(
+ file("${var.data_dir}/vpc-sc/restricted-services.yaml")
+ )
+ _vpc_sc_restricted_services = yamldecode(
+ file("${var.data_dir}/vpc-sc/restricted-services.yaml")
+ )
+
 groups = {
 for k, v in var.groups : k => "${v}@${var.organization_domain}"
 }
@@ -66,11 +73,11 @@ module "vpc-sc" {
 status = {
 access_levels = keys(var.vpc_sc_access_levels)
 resources = local.vpc_sc_resources
- restricted_services = var.vpc_sc_restricted_services
+ restricted_services = local._vpc_sc_restricted_services
 egress_policies = keys(var.vpc_sc_egress_policies)
 ingress_policies = keys(var.vpc_sc_ingress_policies)
 vpc_accessible_services = {
- allowed_services = var.vpc_sc_accessible_services
+ allowed_services = local._vpc_sc_vpc_accessible_services
 enable_restriction = true
 }
 }
diff --git a/blueprints/data-solutions/shielded-folder/variables.tf b/blueprints/data-solutions/shielded-folder/variables.tf
index 4990abfa..77b68a4e 100644
--- a/blueprints/data-solutions/shielded-folder/variables.tf
+++ b/blueprints/data-solutions/shielded-folder/variables.tf
@@ -25,6 +25,7 @@ variable "access_policy_create" {
 type = object({
 parent = string
 title = string
+ scopes = optional(list(string))
 })
 default = null
 }
@@ -94,18 +95,6 @@ variable "vpc_sc_access_levels" {
 nullable = false
 }
 
-variable "vpc_sc_accessible_services" {
- description = "VPC SC accessible services."
- type = list(string)
- default = ["storage.googleapis.com"]
-}
-
-variable "vpc_sc_restricted_services" {
- description = "VPC SC restricted services."
- type = list(string)
- default = ["storage.googleapis.com"]
-}
-
 variable "vpc_sc_egress_policies" {
 description = "VPC SC egress policy defnitions."
 type = map(object({
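Review bot: `_vpc_sc_vpc_accessible_services` reads `restricted-services.yaml`, the same file as `_vpc_sc_restricted_services`, so the new `accessible-services.yaml` added by this commit is never loaded; the first `file()` call should be `file("${var.data_dir}/vpc-sc/accessible-services.yaml")`. The two YAML files currently share the same blob (index 85e8835a), which hides the mistake today, but the perimeter's `allowed_services` (fed from this local in the following hunk, with `enable_restriction = true`) will silently stop following `accessible-services.yaml` as soon as the two lists are edited independently. A short comment on each local naming the file it is meant to load, e.g. `# services callable from VPCs inside the perimeter (data/vpc-sc/accessible-services.yaml)`, would make such a copy-paste slip visible at review time. The `locals` block continues outside the hunk.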
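Review bot: The new `scopes = optional(list(string))` attribute on `access_policy_create` is undocumented: the variable's `description` sits above the hunk and is unchanged, so a reader cannot tell what the list should hold (presumably the folder/project resource names the scoped policy applies to, per the README's "Scoped Policies" item — confirm against the vpc-sc module) or that omitting it keeps the previous unscoped behaviour. Extending the description with a clause such as `scopes optionally limits the policy to the listed folders/projects` would close that gap. Note also that `optional()` inside an object type requires Terraform 1.3 or later; if the blueprint's required version is not already pinned at that level elsewhere, this hunk raises the floor without saying so.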