Service Deny List

The Data Landing Zone allows organizations to define a list of IAM actions (services) to be denied across all accounts and regions. This feature is particularly useful for enforcing compliance with internal policies or regulatory requirements by restricting access to specific services.

To add a service to the denyServiceList property of the configuration, provide each entry in the format <service>:<action>. For example, to keep all of the default denials and additionally deny the complete ECS service, spread Defaults.denyServiceList() into the list and add 'ecs:*':

    import { App } from 'aws-cdk-lib';
    import { DataLandingZone, Defaults } from 'aws-data-landing-zone';

    const app = new App();
    const dlz = new DataLandingZone(app, {
      denyServiceList: [
        ...Defaults.denyServiceList(), // start from the default deny list
        'ecs:*',                       // additionally deny every ECS action
      ],
      ...
    });

Defaults

The Defaults.denyServiceList function returns the list of services that are denied across all accounts and regions by default, so it can be spread into your own denyServiceList. It currently returns the following list:

'eks:*',
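The following is an added example, not code from the aws-data-landing-zone project, that shows what a reviewer of a denyServiceList should expect from the two passages above: every entry must match the <service>:<action> format, the defaults ('eks:*') are merged with the caller's entries, entries shadowed by a service-wide wildcard are dropped, and the result is rendered as a single IAM Deny statement. The page does not show how the construct applies the list internally, so the Deny-statement shape, the DEFAULT_DENY_SERVICE_LIST constant and all function names here are assumptions made for illustration.

```typescript
// Added example, not code from aws-data-landing-zone: validate denyServiceList
// entries of the form <service>:<action>, merge them with the defaults and
// render them as an IAM Deny statement. The construct's own internal handling
// is not shown on the page; the statement shape below is an assumption.

// Constructed to mirror the default list the page documents ('eks:*').
const DEFAULT_DENY_SERVICE_LIST: readonly string[] = ['eks:*'];

// IAM action syntax: lowercase service prefix, a colon, then an action name or wildcard.
const ENTRY_PATTERN = /^[a-z0-9-]+:[A-Za-z0-9*]+$/;

function isValidDenyEntry(entry: string): boolean {
  return ENTRY_PATTERN.test(entry);
}

function serviceOf(entry: string): string {
  return entry.split(':')[0];
}

// Merge the defaults with caller-supplied entries, reject malformed ones,
// drop entries already covered by a service-wide wildcard, and deduplicate
// while preserving order.
function buildDenyServiceList(extra: readonly string[]): string[] {
  const merged = [...DEFAULT_DENY_SERVICE_LIST, ...extra];
  const malformed = merged.filter((e) => !isValidDenyEntry(e));
  if (malformed.length > 0) {
    throw new Error(
      `Invalid denyServiceList entries (expected <service>:<action>): ${malformed.join(', ')}`,
    );
  }
  const wildcardServices = new Set(
    merged.filter((e) => e.endsWith(':*')).map(serviceOf),
  );
  const collapsed = merged.filter(
    (e) => e.endsWith(':*') || !wildcardServices.has(serviceOf(e)),
  );
  return Array.from(new Set(collapsed));
}

interface DenyStatement {
  Sid: string;
  Effect: 'Deny';
  Action: string[];
  Resource: '*';
}

// Render the finished list as one Deny statement (assumed target shape).
function toDenyStatement(actions: readonly string[]): DenyStatement {
  return { Sid: 'DenyServiceList', Effect: 'Deny', Action: [...actions], Resource: '*' };
}

// Stand-alone usage mirroring the page's configuration: 'ecs:RunTask' is
// shadowed by 'ecs:*' and is dropped from the rendered statement.
const denyList = buildDenyServiceList(['ecs:*', 'ecs:RunTask']);
console.log(JSON.stringify(toDenyStatement(denyList), null, 2));
```

Rejecting malformed entries up front matters because an entry such as 'ecs' (no action part) would never match any IAM action and would silently deny nothing; collapsing shadowed entries keeps the rendered statement short, which helps stay within policy size limits as the list grows.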

API References