## You can choose your own strategy. By default an Organization will have the '''FullAWSAccess''' SCP attached to it and every OU and account. This is the 'Deny List Strategy' because you must override the 'default' allow full access with deny rules. On the other hand, you can remove (delete) this SCP and then you would have an 'Allow List Strategy' because you would need to specifically list each service you want to allow in the Organizations, OUs and Accounts.
## AWS Control Tower allows you to setup and govern multi-account environments.
# [[Identity Management and Permissions including RBAC, ABAC and permissions boundaries## Roles are '''assumed''' by users, applications and services.## Policies are JSON and may be either Identity based, or Resource based.## Authentication methods: password + optional MFA token; Access Key + Secret Access Key; X-509 Certificate## AWS Security Token Service (STS) sts:AssumeRole returns temporary security credentials.## Multi-Factor Authentication ;Something you '''know''';Something you ''' have''';Something you '''are'''A Trust Policy is also an example of a resource-based policy.A Permissions Policy is an identity-based policy.]]
# AWS Directory Services and Federation including Identity Federation, AWS SSO, and Cognito
# Advanced Amazon VPC including a routing deep dive and multi-account VPC configurations