SCP: Deny access to AWS based on the requested AWS Region

Aug 09, 2022


{{ }} Substitute variables

Adjust the variable values according to your preference.

Policy Code

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "{{region1}}",
                        "{{region2}}"
                    ]
                }
            }
        }
    ]
}

Replace the {{regionN}} placeholders with the Regions you want to keep usable, adding one placeholder per Region. Requests to every other Region are denied. The statement works by double negation: "Effect": "Deny" combined with "NotAction" applies to every action that is not on the list, and "StringNotEquals" on aws:RequestedRegion makes it apply only when the requested Region is not one of those listed. The listed actions are exempted because they belong to global services (IAM, STS, Organizations, Route 53, CloudFront, Support, billing and Cost Explorer, and so on) whose requests are always served from a single Region (us-east-1 for most of them), so a plain Region deny would break them; ec2:DescribeRegions and the two other EC2 Describe calls are exempted so that tooling can still enumerate Regions and gateways.

Before attaching the policy, keep the following in mind. SCPs never restrict the management account, so its principals can still use every Region. Some exempted services, such as KMS and AWS Config, are regional, so the exemption allows their actions in every Region, not only in the permitted ones. The statement applies to all principals in the affected accounts, so a break-glass or pipeline role that legitimately needs other Regions must be carved out with an additional condition (for example on aws:PrincipalARN); attach the policy to a non-production OU first and confirm nothing breaks.
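The following Python script is an added example, not code from this policy page or from AWS. It renders the template above with two concrete Regions and evaluates constructed sample requests against the statement, so the Deny/NotAction/StringNotEquals behaviour can be checked before the policy is attached to an OU. Assumptions: fnmatch stands in for IAM's wildcard action matching, the helper names (render_policy, scp_denies, policy_chars, _as_list) are mine, the sample actions and Regions are made up, and the 5,120-character figure is the published Organizations quota for one SCP document.

```python
import fnmatch
import json

# Added example; not part of the original page. It renders the page's SCP
# template with concrete Region values and evaluates constructed sample
# requests against it, so the Deny/NotAction/StringNotEquals behaviour can be
# checked before the policy is attached to an OU.

# The page's NotAction list: actions that stay usable in every Region.
NOT_ACTION = [
    "a4b:*", "acm:*", "aws-marketplace-management:*", "aws-marketplace:*",
    "aws-portal:*", "budgets:*", "ce:*", "chime:*", "cloudfront:*", "config:*",
    "cur:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways",
    "ec2:DescribeVpnGateways", "fms:*", "globalaccelerator:*", "health:*", "iam:*",
    "importexport:*", "kms:*", "mobileanalytics:*", "networkmanager:*",
    "organizations:*", "pricing:*", "route53:*", "route53domains:*",
    "s3:GetAccountPublic*", "s3:ListAllMyBuckets", "s3:PutAccountPublic*",
    "shield:*", "sts:*", "support:*", "trustedadvisor:*", "waf-regional:*",
    "waf:*", "wafv2:*", "wellarchitected:*",
]

SCP_MAX_CHARS = 5120  # AWS Organizations quota for one SCP document


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return [value] if isinstance(value, str) else list(value)


def render_policy(allowed_regions):
    """Fill the {{regionN}} placeholders. The Regions given are the ones that stay usable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "NotAction": NOT_ACTION,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


def policy_chars(policy):
    """Length of the policy with whitespace stripped, for comparison with the SCP quota."""
    return len(json.dumps(policy, separators=(",", ":")))


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy, action, requested_region):
    """True if a Deny statement of this SCP applies to (action, aws:RequestedRegion).

    Models only what this policy uses: Effect Deny, Action/NotAction, and a
    StringNotEquals condition on aws:RequestedRegion. An applicable Deny in
    an SCP wins over any Allow in the principal's IAM policies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            if any(action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue  # exempted action: this statement does not apply
        elif not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue  # action not covered by this statement
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if requested_region in _as_list(cond.get("aws:RequestedRegion", [])):
            continue  # condition is false: the request targets a permitted Region
        return True
    return False


if __name__ == "__main__":
    policy = render_policy(["eu-central-1", "eu-west-1"])
    print(f"policy size: {policy_chars(policy)} chars (quota {SCP_MAX_CHARS})")
    # Constructed sample requests, not real CloudTrail events.
    samples = [
        ("ec2:RunInstances", "eu-west-1"),          # permitted Region
        ("ec2:RunInstances", "ap-southeast-1"),     # blocked Region
        ("ec2:DescribeRegions", "ap-southeast-1"),  # exempted so tooling can list Regions
        ("s3:ListBucket", "us-west-2"),             # S3 is not globally exempted
        ("s3:PutAccountPublicAccessBlock", "us-west-2"),  # matches s3:PutAccountPublic*
        ("iam:CreateUser", "us-east-1"),            # global service, always us-east-1
        ("kms:Decrypt", "ap-northeast-1"),          # kms:* exempts KMS in every Region
    ]
    for action, region in samples:
        print(f"{'DENY' if scp_denies(policy, action, region) else 'pass':5} {action:32} {region}")
```

Run it as a script to see the verdict table; the KMS and S3 rows are the ones worth studying, since they show that the exemption list is keyed on service prefixes, not on whether the service is actually global. The evaluator is deliberately limited to the constructs this policy uses; for anything more elaborate, use the IAM policy simulator against a test OU rather than extending it.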
