Limit Region Enablement
Service Control Policy: Restrict Enabling/Disabling AWS Opt-in Regions
Policy Overview
This AWS Service Control Policy (SCP) is designed to prevent local account administrators from enabling or disabling AWS Opt-in Regions. In a well-governed organization, enabling new regions requires coordination with Cloud Engineering and Security to ensure all necessary security tooling and monitoring are enabled. This SCP ensures that only administrators from the Organizational Management Account can make such changes, promoting better oversight and coordination.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventAccountRegionChanges",
      "Effect": "Deny",
      "Action": [
        "account:EnableRegion",
        "account:DisableRegion"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}
Explanation
Policy Elements
- Sid: PreventAccountRegionChanges
- A unique identifier for the statement to help with policy management.
- Effect: Deny
- This specifies that the actions listed under this policy will be denied.
- Action: ["account:EnableRegion", "account:DisableRegion"]
- These are the Account Management API actions that enable and disable AWS regions.
- Resource: ["*"]
- The policy applies to all resources in the account.
- Condition:
- StringNotLike: Makes the Deny apply to every principal whose ARN does not match one of the listed patterns. IAM string conditions are case-sensitive and treat "*" as any run of characters and "?" as a single character.
- aws:PrincipalArn: Lists the ARN pattern of the IAM role exempted from the Deny. Note that an SCP never grants permissions; the exempted role still needs an IAM Allow for these actions.
Conditions and Exceptions
- The StringNotLike condition exempts the IAM role matched by the pattern in the aws:PrincipalArn list. This ensures that only the OrganizationAccountAccessRole, which administrators of the Organizational Management Account assume into member accounts, can enable or disable AWS regions.
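To see how the StringNotLike condition decides who is denied, the following added example (not part of this page's policy or of PrimeHarbor's tooling) embeds the SCP above and evaluates it offline against sample requests, using the IAM wildcard semantics described above. The sample principal ARNs and account IDs are constructed; the last check shows that the "*" in the account-ID position matches the role name in any account, not only the management account's role session.

```python
import json
import re

# The SCP from this page, embedded verbatim so the check runs without AWS access.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PreventAccountRegionChanges",
    "Effect": "Deny",
    "Action": ["account:EnableRegion", "account:DisableRegion"],
    "Resource": ["*"],
    "Condition": {"StringNotLike": {"aws:PrincipalArn": [
      "arn:*:iam::*:role/OrganizationAccountAccessRole"]}}
  }]
}
""")


def iam_like(pattern: str, value: str) -> bool:
    """IAM string-condition match: '*' = any run, '?' = one char, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def scp_denies(action: str, principal_arn: str) -> bool:
    """Return True when this SCP's Deny statement applies to the request.

    principal_arn is the value of aws:PrincipalArn; for a role session AWS
    populates it with the role ARN, not the assumed-role session ARN.
    """
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(iam_like(a, action) for a in stmt["Action"]):
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:PrincipalArn"]
        # StringNotLike holds (so the Deny fires) only if NO pattern matches.
        if not any(iam_like(p, principal_arn) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: a local admin role, and the exempted role.
    for arn in ("arn:aws:iam::111122223333:role/Admin",
                "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"):
        print(arn, "->", "DENIED" if scp_denies("account:EnableRegion", arn) else "not denied by SCP")
```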
When to Use This Policy
- Use Case: Apply this policy to prevent local account administrators from enabling or disabling AWS Opt-in Regions without proper coordination.
- Ideal For: Organizations that require strict governance over region enablement to ensure all security and monitoring tools are in place before enabling new regions.
Benefits
- Enhanced Security: Prevents unauthorized enabling or disabling of regions, ensuring all security protocols are followed.
- Improved Coordination: Ensures that any changes to region availability are coordinated with relevant teams, promoting better governance.
- Operational Stability: Helps maintain consistent and stable operations by ensuring all necessary preparations are made before new regions are enabled.
Potential Drawbacks
- Operational Delays: The requirement for coordination with the Organizational Management Account might introduce delays in enabling new regions.
- Dependency on Central Team: Relying on a central team for region changes might create bottlenecks, especially if the central team is not responsive.
Conclusion
Implementing this Service Control Policy enhances security and operational control by ensuring that only authorized administrators from the Organizational Management Account can enable or disable AWS Opt-in Regions. This policy helps maintain a well-governed environment where all security measures and monitoring tools are in place before new regions are made available. Regular review and updates of the IAM roles specified in the policy are recommended to adapt to the evolving needs and structure of the organization.
Sources
- PrimeHarbor