Introduction to Deny and Allow List Strategies in Managing Accounts in AWS Organizations
Maxat Akbanov
In AWS Organizations, Deny list and Allow list strategies are approaches to managing access control for accounts within an organization. These strategies are implemented using Service Control Policies (SCPs), which are applied to Organizational Units (OUs) or individual accounts.
Image credits: AWS
Deny List Strategy
The Deny list strategy explicitly blocks specific actions or services while allowing all other actions that are not explicitly denied.
Characteristics:
By default, all services and actions are allowed unless explicitly denied.
SCPs are used to define actions or services that are not permitted.
Use Cases:
Blocking access to sensitive services (e.g., IAM, billing) for specific accounts.
Preventing use of specific regions (e.g., denying access to regions not in use by your organization).
Example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "ec2:*", "Resource": "*" } ] }This SCP denies all EC2 actions across all accounts to which the policy is attached, while allowing other services unless explicitly denied elsewhere.
Allow List Strategy
The Allow list strategy explicitly permits certain actions or services while denying everything else by default.
Characteristics:
By default, all services and actions are denied unless explicitly allowed.
SCPs define only the actions or services that are permitted.
Use Cases:
Ensuring accounts can only use approved services or actions.
Restricting accounts to specific services, regions, or actions for compliance and security.
Example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", "ec2:Describe*" ], "Resource": "*" } ] }This SCP allows only S3 actions and EC2 "Describe" actions for the accounts it is applied to. All other actions and services are implicitly denied.
Comparison of Deny List vs. Allow List
| Feature | Deny List Strategy | Allow List Strategy |
| Default Behavior | Allow all unless explicitly denied | Deny all unless explicitly allowed |
| Flexibility | Easier to manage initially but riskier if new services are introduced. | More secure, but requires more effort to maintain. |
| Security Posture | Moderate (risk of allowing unintended actions). | Strong (only intended actions are allowed). |
| Implementation Use | Blocking specific risky actions or services. | Enforcing tight compliance and control. |
Best Practices
Use Deny list for broad access management:
Ideal when accounts need broad access to AWS services but with a few restrictions.
Example: Blocking access to sensitive services (e.g., IAM).
Use Allow list for strict compliance:
Suitable for environments with stringent security and compliance requirements.
Example: Allowing only whitelisted services for regulated workloads.
Combine with other AWS mechanisms:
Use SCPs with IAM policies and resource-based policies for layered security.
Monitor and audit access using AWS CloudTrail and AWS Config.
By choosing the appropriate strategy based on your organizational needs, you can enforce robust governance and security in AWS Organizations.
References
Subscribe to my newsletter
Read articles from Maxat Akbanov directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Maxat Akbanov
Maxat Akbanov
Hey, I'm a postgraduate in Cyber Security with practical experience in Software Engineering and DevOps Operations. The top player on TryHackMe platform, multilingual speaker (Kazakh, Russian, English, Spanish, and Turkish), curios person, bookworm, geek, sports lover, and just a good guy to speak with!