Restrict Access to Regions

How to block regions via Service Control Policies

Task: Block service usage in all regions except Ireland (eu-west-1)

In the AWS console, go to AWS Organizations and create a new Service Control Policy (SCP).

Check the documentation to get started. Make sure to exclude the Control Tower IAM roles!!!

Note: Control Tower is planning to support this natively in future (roadmap item).

The NotAction list holds the global services that must keep working from any region (IAM, STS, Organizations, Route 53, CloudFront, Support, and a few region-listing calls); the complete list is in the AWS documentation example for denying access based on the requested region. The ArnNotLike condition exempts the Control Tower roles so Control Tower itself can still operate in the other regions. Replace eu-west-1 if your home region is a different one.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideIreland",
                "Effect": "Deny",
                "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*", "ec2:DescribeRegions"],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:RequestedRegion": ["eu-west-1"]
                    },
                    "ArnNotLike": {
                        "aws:PrincipalARN": [
                            "arn:aws:iam::*:role/AWSControlTowerExecution",
                            "arn:aws:iam::*:role/aws-controltower-*"
                        ]
                    }
                }
            }
        ]
    }

Attach it to a single test account or OU first and verify the behaviour there.

To clean up, just detach the SCP from your OU/accounts again!
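Before attaching the SCP it helps to see exactly which requests the Deny statement will catch, because the three parts combine with AND: the action must not be in NotAction, the region must not be eu-west-1, and the caller must not be one of the exempted roles. The evaluator below is an added example (not code from the original page, from AWS, or from Control Tower) that reproduces just that statement logic offline and checks the policy against the SCP size limit. The policy copy, the shortened global-service list, the account ID 111122223333 and the sample requests are constructed for the example; the role names follow the Control Tower naming shown above.

```python
"""Offline evaluator for the region-restriction SCP (added example; not code from
the original page, from AWS, or from Control Tower).  It reproduces only the part
of SCP evaluation this page relies on: a Deny statement applies when the action
is NOT in NotAction, AND the requested region is NOT in the allowed list, AND the
principal ARN matches NONE of the ArnNotLike patterns.  Policy text, trimmed
global-service list, role names and sample requests are constructed here."""
import json
import re

# Hard limit for the size of one Service Control Policy (bytes).
SCP_MAX_BYTES = 5120

# Constructed copy of the policy; the NotAction list is trimmed to a few global
# services, the full list is in the AWS documentation example.
POLICY_JSON = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideIreland",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*",
                      "cloudfront:*", "support:*", "ec2:DescribeRegions"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]},
            "ArnNotLike": {"aws:PrincipalARN": [
                "arn:aws:iam::*:role/AWSControlTowerExecution",
                "arn:aws:iam::*:role/aws-controltower-*"
            ]}
        }
    }]
}"""
POLICY = json.loads(POLICY_JSON)


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_denies(stmt, action, region, principal_arn):
    """True if this Deny statement matches the request (action, region, caller)."""
    if stmt.get("Effect") != "Deny":
        return False
    # NotAction: the statement covers every action except the listed ones.
    # IAM matches action names case-insensitively.
    if any(_wild(p, action, ignore_case=True) for p in _as_list(stmt["NotAction"])):
        return False
    cond = stmt.get("Condition", {})
    # StringNotEquals on aws:RequestedRegion: home-region requests are untouched.
    if region in _as_list(cond["StringNotEquals"]["aws:RequestedRegion"]):
        return False
    # ArnNotLike on aws:PrincipalARN: exempted roles are untouched in every region.
    if any(_wild(p, principal_arn) for p in _as_list(cond["ArnNotLike"]["aws:PrincipalARN"])):
        return False
    return True


def is_denied(policy, action, region, principal_arn):
    """A request is blocked if any Deny statement in the SCP matches it."""
    return any(statement_denies(s, action, region, principal_arn)
               for s in policy["Statement"])


def policy_size_ok(policy_text):
    """SCPs larger than SCP_MAX_BYTES are rejected; returns (size, fits)."""
    size = len(policy_text.encode("utf-8"))
    return size, size <= SCP_MAX_BYTES


# Constructed sample requests: (action, region, principal ARN, expected denial).
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", "us-east-1", "arn:aws:iam::111122223333:role/Developer", True),
    ("ec2:RunInstances", "eu-west-1", "arn:aws:iam::111122223333:role/Developer", False),
    ("iam:CreateUser", "us-east-1", "arn:aws:iam::111122223333:role/Developer", False),
    ("ec2:RunInstances", "us-east-1", "arn:aws:iam::111122223333:role/AWSControlTowerExecution", False),
    ("s3:CreateBucket", "eu-central-1", "arn:aws:iam::111122223333:role/aws-controltower-ConfigRecorderRole", False),
]


def run_samples(policy=POLICY):
    """Evaluate every sample request; returns a list of ((action, region, arn), denied)."""
    return [(req[:3], is_denied(policy, *req[:3])) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    size, fits = policy_size_ok(POLICY_JSON)
    print(f"policy size {size} bytes, within limit: {fits}")
    for (action, region, arn), denied in run_samples():
        print(f"{'DENY ' if denied else 'allow'} {action} in {region} by {arn.rsplit('/', 1)[1]}")
```

The evaluator models a single statement, not the whole decision: in a real account the other SCPs up the OU tree and the caller's IAM policies still apply, a Deny from any SCP wins, and SCPs never apply to the management account, so a test from there proves nothing. After attaching the policy to the test OU, a blocked call shows up in CloudTrail as an AccessDenied error whose message mentions an explicit deny in a service control policy; that is the signal to look for when confirming the rollout.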