diff --git a/Makefile b/Makefile
index 6aa0ff9..ba7a14b 100644
--- a/Makefile
+++ b/Makefile
@@ -21,3 +21,8 @@ image: fetch-sdk
 .PHONY: fetch-sdk
 fetch-sdk: # fetches and loads the image we use to build the updater docker image
 	scripts/load-bottlerocket-sdk.sh --site ${BOTTLEROCKET_SDK_SITE} --image ${BUILDER_IMAGE}
+
+.PHONY: check-licenses
+check-licenses:
+	cd updater && cargo deny check licenses
+	cd integ && cargo deny check licenses
diff --git a/integ/deny.toml b/integ/deny.toml
new file mode 100644
index 0000000..076b573
--- /dev/null
+++ b/integ/deny.toml
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+    "Apache-2.0",
+    #"BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    #"CC0-1.0",
+    #"ISC",
+    "MIT",
+    # OpenSSL",
+    "Unlicense",
+    "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+    { path = "LICENSE", hash = 0x001c7e6c },
+]
diff --git a/updater/deny.toml b/updater/deny.toml
new file mode 100644
index 0000000..14ebcbf
--- /dev/null
+++ b/updater/deny.toml
@@ -0,0 +1,38 @@
+[licenses]
+unlicensed = "deny"
+
+# Deny licenses unless they are specifically listed here
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+
+# Licenses that are allowed but unused are commented out to silence warnings
+allow = [
+    "Apache-2.0",
+    #"BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    #"CC0-1.0",
+    "ISC",
+    "MIT",
+    "OpenSSL",
+    "Unlicense",
+    "Zlib"
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+    { path = "LICENSE", hash = 0x001c7e6c },
+]