Service Deny List
The Data Landing Zone allows organizations to define a list of IAM actions (services) to be denied across all accounts and regions. This feature is particularly useful for enforcing compliance with internal policies or regulatory requirements by restricting access to specific services.
To add a service to the denyServiceList property of the configuration, provide the service name in the format <service>:<action>. For example, to deny all the default actions and the complete ECS service as well, add ecs:* to the list.
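As an added example, not code from the Data Landing Zone project, the following TypeScript checks candidate denyServiceList entries against the <service>:<action> format and shows how the resulting list reads as an IAM Deny statement. The stand-in default entries and the Deny rendering are constructed assumptions, since the page does not show the real defaults or how they are enforced.

```typescript
// Added example, not code from the Data Landing Zone project. It checks entries meant
// for the denyServiceList property against the <service>:<action> format and renders
// the list as an IAM Deny statement; that rendering is an assumption about enforcement.

// IAM service prefixes are lowercase alphanumerics/hyphens; actions may carry wildcards.
const ENTRY_PATTERN = /^[a-z0-9-]+:[A-Za-z0-9*?]+$/;

/** Constructed stand-in for Defaults.denyServiceList(); not the real default list. */
function constructedDefaults(): string[] {
  return ['account:CloseAccount', 'organizations:LeaveOrganization'];
}

/** Entries that do not follow <service>:<action>, e.g. "ecs" or "ecs:*:extra". */
function invalidDenyEntries(list: string[]): string[] {
  return list.filter((entry) => !ENTRY_PATTERN.test(entry));
}

/** Services blocked in their entirety (the action part is the bare wildcard "*"). */
function wholeServiceDenials(list: string[]): string[] {
  return list
    .filter((entry) => entry.endsWith(':*'))
    .map((entry) => entry.slice(0, -2));
}

/** Assemble the list as a configuration would: defaults plus extra entries, validated and de-duplicated. */
function buildDenyList(extra: string[]): string[] {
  const list = [...constructedDefaults(), ...extra];
  const bad = invalidDenyEntries(list);
  if (bad.length > 0) {
    throw new Error(`malformed denyServiceList entries: ${bad.join(', ')}`);
  }
  return Array.from(new Set(list));
}

type DenyStatement = { Effect: string; Action: string[]; Resource: string };

/** Render the deny list as a policy document with a single Deny statement (assumed shape). */
function toDenyStatement(list: string[]): { Version: string; Statement: DenyStatement[] } {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Deny', Action: list, Resource: '*' }],
  };
}

// Deny the complete ECS service on top of the defaults, as the page's example does.
const denyList = buildDenyList(['ecs:*']);
console.log(JSON.stringify(toDenyStatement(denyList), null, 2));
```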
Defaults
The Defaults.denyServiceList function is used to create a list of services that should be denied across all accounts and regions. This function currently returns the following list of services: