Overview

This SCP denies access to any operations outside of the specified AWS Region, except for actions in the listed services (These are global services that cannot be whitelisted based on region).

The following AWS services are exlcuded (global services): AWS IAM, AWS Organizations, AWS Route53, AWS Budgets, AWS WAF, AWS CloudFront, AWS Global Accelrator, AWS Snowball (Import/Export), AWS Support, AWS Health Dashboard, and Route53 Domain Registrations.

See Related Configuration Items for a Configuration Package to deploy multiple SCPs to an AWS Account.

Configuration template includes a CloudFormation custom resource to deploy into an AWS account.

Configuration Templates

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "awsbillingconsole:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-1"
                    ]
                }
            }
        }
    ]
}

Actions



Customize Template

Policy Parameters

* Required field

Sources and Documentation

Configuration Source: AWS Documentation: Example Service Control Policies

Additional Documentation:

© 2020 asecurecloud Inc. All Rights Reserved.