Restricting Actions to Approved AWS Regions
Policy Overview
This AWS Service Control Policy (SCP) prevents local administrators from performing actions outside of approved regions. The policy uses a NotAction clause to exclude global services and certain read-only calls from the deny, which avoids unnecessary errors in the AWS Console. This SCP should be applied to specific Workload OUs, or on a per-account basis, wherever actions in other regions are not required.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "awsbillingconsole:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "route53-recovery-control-config:*",
        "route53-recovery-readiness:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/security-audit",
            "arn:*:iam::*:role/OrganizationAccountAccessRole",
            "arn:*:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
            "arn:*:iam::*:role/stacksets-exec-*",
            "arn:*:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
          ]
        }
      }
    }
  ]
}
Explanation
Policy Elements
- Version: Specifies the version of the policy language.
- Statement: Contains the individual statement that defines the policy.
Statement: Deny Actions Outside Approved Regions
- NotAction: Lists the global services and read-only actions that are excluded from the deny rule. This helps in avoiding unnecessary errors in the AWS Console.
- Resource: "*"
  - The policy applies to all resources.
- Effect: Deny
  - This statement denies all actions except those specified in NotAction, and the deny takes effect only when both conditions below are met (the request targets an unapproved region and the caller is not one of the exempted roles).
- Condition:
  - StringNotEquals: Denies actions unless they are requested in the approved regions ("us-east-1" and "us-west-2").
  - ArnNotLike: Allows exceptions for specific IAM roles, ensuring that authorized roles can perform actions in any region.
Conditions and Exceptions
- StringNotEquals: Ensures that actions are only allowed in the specified regions ("us-east-1" and "us-west-2").
- ArnNotLike: Lists the IAM roles that are exempt from the regional restrictions, such as roles for security audits, organizational access, reserved SSO roles, stack sets execution roles, and the service role for AWS Config.
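To see how the NotAction exclusion and the two condition keys combine for a given request, here is an added Python example (not part of the original page or of PrimeHarbor's material) that evaluates the Deny statement against constructed sample requests. It uses a subset of the NotAction list to stay short, and reduces IAM's matching to shell-style wildcards, so it is a model for reasoning about the policy, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Added example, not from the original page: the SCP's Deny statement with a subset of
# its NotAction list (the full list is in the policy JSON above). Matching is reduced to
# shell-style wildcards; real IAM evaluation has more rules than are modelled here.
STATEMENT = {
    "NotAction": ["iam:*", "sts:*", "kms:*", "route53:*", "cloudfront:*",
                  "ec2:DescribeRegions", "s3:ListAllMyBuckets"],
    "Effect": "Deny",
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]},
        "ArnNotLike": {"aws:PrincipalArn": [
            "arn:*:iam::*:role/security-audit",
            "arn:*:iam::*:role/OrganizationAccountAccessRole",
            "arn:*:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
            "arn:*:iam::*:role/stacksets-exec-*",
        ]},
    },
}


def _matches_any(value, patterns, case_sensitive=True):
    """Wildcard match ('*' and '?') of value against a list of IAM-style patterns."""
    if not case_sensitive:  # IAM compares action names case-insensitively
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(statement, action, region, principal_arn):
    """True if the Deny statement applies: a NotAction Deny matches every action
    except those listed, and only takes effect when every condition key is true."""
    # 1. NotAction: global services and the listed read-only calls are never denied.
    if _matches_any(action, statement["NotAction"], case_sensitive=False):
        return False
    cond = statement["Condition"]
    # 2. StringNotEquals: true only when the request targets an unapproved region.
    if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
        return False
    # 3. ArnNotLike: true only when the caller matches none of the exempt role patterns.
    if _matches_any(principal_arn, cond["ArnNotLike"]["aws:PrincipalArn"]):
        return False
    return True  # restricted action, unapproved region, non-exempt caller: denied


LOCAL_ADMIN = "arn:aws:iam::123456789012:role/local-admin"  # constructed sample ARN

if __name__ == "__main__":
    for act, reg in [("ec2:RunInstances", "eu-west-1"), ("iam:CreateUser", "eu-west-1")]:
        print(act, reg, scp_denies(STATEMENT, act, reg, LOCAL_ADMIN))
```

Note that an exempt pattern without a trailing wildcard (such as role/security-audit) does not cover similarly named roles, which is why exact role naming matters when maintaining the exception list.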
When to Use This Policy
- Use Case: Apply this policy to enforce regional restrictions on actions performed by local administrators, ensuring that operations are confined to approved regions.
- Ideal For: Organizations that want to ensure compliance with regional policies and avoid unexpected costs or compliance issues arising from using resources in unauthorized regions.
Benefits
- Enhanced Security and Compliance: Ensures that actions are performed only in approved regions, reducing the risk of non-compliance with regional policies.
- Cost Management: Prevents unauthorized use of resources in unapproved regions, helping to control costs.
- Operational Consistency: Helps maintain operational consistency by limiting the regions in which actions can be performed.
Potential Drawbacks
- Operational Constraints: Restricting actions to specific regions might limit the flexibility to quickly deploy resources in other regions if needed.
- Management Overhead: Requires careful management of IAM roles and policies to ensure the right balance between security, compliance, and operational flexibility.
Conclusion
Implementing this Service Control Policy helps organizations enforce regional restrictions on AWS actions, ensuring compliance and controlling costs. By allowing exceptions for specific IAM roles, the policy maintains necessary flexibility for authorized personnel. Regular review and updates of the policy are recommended to adapt to the evolving needs and structure of the organization.
Sources
- PrimeHarbor