{{ }} Substitute variables
Adjust the variable values according to your preference.
Policy Code
Referenced from: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Effect": "Deny",
6 "NotAction": [
7 "a4b:*",
8 "acm:*",
9 "aws-marketplace-management:*",
10 "aws-marketplace:*",
11 "aws-portal:*",
12 "budgets:*",
13 "ce:*",
14 "chime:*",
15 "cloudfront:*",
16 "config:*",
17 "cur:*",
18 "directconnect:*",
19 "ec2:DescribeRegions",
20 "ec2:DescribeTransitGateways",
21 "ec2:DescribeVpnGateways",
22 "fms:*",
23 "globalaccelerator:*",
24 "health:*",
25 "iam:*",
26 "importexport:*",
27 "kms:*",
28 "mobileanalytics:*",
29 "networkmanager:*",
30 "organizations:*",
31 "pricing:*",
32 "route53:*",
33 "route53domains:*",
34 "s3:GetAccountPublic*",
35 "s3:ListAllMyBuckets",
36 "s3:PutAccountPublic*",
37 "shield:*",
38 "sts:*",
39 "support:*",
40 "trustedadvisor:*",
41 "waf-regional:*",
42 "waf:*",
43 "wafv2:*",
44 "wellarchitected:*"
45 ],
46 "Resource": "*",
47 "Condition": {
48 "StringNotEquals": {
49 "aws:RequestedRegion": [
50 "{{region1}}",
51 "{{region2}}"
52 ]
53 }
54 }
55 }
56 ]
57}
DOC
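Replace the {{regionN}} variables with the Regions you want to remain usable. The statement is a Deny with a StringNotEquals condition on aws:RequestedRegion, so requests to any Region not listed are denied. The actions listed under NotAction are exempt from this deny in every Region, so review that list before attaching the policy.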