denied_actions
Explicitly denied actions that should never be performed, regardless of other permissions (e.g., iam:CreateUser, organizations:*).
Action Deny-listing
Explicitly deny dangerous or sensitive actions that should never be performed, regardless of other permissions.
denied_actions = [
"iam:CreateUser",
"iam:DeleteUser",
"organizations:*"
]
Common Denied Actions
Identity Management
denied_actions = [
"iam:CreateUser",
"iam:DeleteUser",
"iam:CreateAccessKey",
"iam:UpdateLoginProfile",
"iam:AttachUserPolicy"
]
Organization Actions
denied_actions = [
"organizations:LeaveOrganization",
"organizations:DeleteOrganization",
"organizations:RemoveAccountFromOrganization"
]
Security Critical Actions
denied_actions = [
"cloudtrail:DeleteTrail",
"cloudtrail:StopLogging",
"config:DeleteConfigRule",
"guardduty:DeleteDetector"
]
Cost Protection
denied_actions = [
"ec2:RunInstances",
"rds:CreateDBInstance",
"elasticache:CreateCacheCluster"
]
Best Practices
- Deny actions that could compromise security posture
- Deny actions that could incur unexpected costs
- Deny actions that circumvent compliance controls
- Use wildcard patterns sparingly (service:*)
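The following added example is not part of the module or its documentation; it illustrates, in Python, the semantics the sections above rely on: an entry in denied_actions becomes an explicit Deny statement, an explicit Deny wins over any Allow, and wildcard patterns such as organizations:* match every action in the service (including read-only ones), which is why the best practices list says to use them sparingly. The statement shape and the sample deny list are constructed for the example; they are assumptions, not the module's actual output.

```python
import fnmatch
import json

# Constructed sample deny list built from the categories on this page
# (assumption: this is not the module's default value).
DENIED_ACTIONS = [
    "iam:CreateUser",
    "iam:CreateAccessKey",
    "organizations:*",
    "cloudtrail:StopLogging",
]


def deny_statement(denied_actions):
    """Render denied_actions as an explicit-Deny IAM statement.

    Assumption: the module emits a statement of this shape; the real
    module may differ (Sid, Resource scoping, statement splitting).
    """
    return {
        "Sid": "ExplicitDeny",
        "Effect": "Deny",
        "Action": sorted(denied_actions),
        "Resource": "*",
    }


def policy_document(denied_actions):
    """Wrap the Deny statement in a complete IAM policy document (JSON text)."""
    doc = {"Version": "2012-10-17", "Statement": [deny_statement(denied_actions)]}
    return json.dumps(doc, indent=2)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(action, allowed_actions, denied_actions):
    """Simplified IAM decision for a single action.

    Order mirrors IAM: an explicit Deny beats every Allow; without a
    matching Allow the result is the implicit deny. Resource and
    condition keys are deliberately ignored here.
    """
    if any(action_matches(p, action) for p in denied_actions):
        return "explicit_deny"
    if any(action_matches(p, action) for p in allowed_actions):
        return "allow"
    return "implicit_deny"


def overly_broad(denied_actions):
    """Flag service-wide patterns (service:*) so a reviewer can confirm each one is intended."""
    return [p for p in denied_actions if p.endswith(":*")]


if __name__ == "__main__":
    print(policy_document(DENIED_ACTIONS))
    # Even a broad Allow (iam:*) cannot override the explicit Deny.
    print(evaluate("iam:CreateUser", ["iam:*"], DENIED_ACTIONS))
    # organizations:* also blocks harmless read-only calls in that service.
    print(evaluate("organizations:DescribeOrganization", ["organizations:*"], DENIED_ACTIONS))
    print("service-wide deny patterns:", overly_broad(DENIED_ACTIONS))
```

Running the file prints the generated policy document followed by the two evaluation results; the second one shows the side effect of a service:* pattern that the best practices warn about.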
Full Module Example
module "access_policy" {
source = "registry.patterneddesigns.ca/governance/access-policy/aws"
version = "0.1.0"
# denied_actions: a list of action patterns, not a single string
denied_actions = ["..."]
# Other required inputs
policy_name = "..."
}