Restrict Access to Regions

How to block regions via Service Control Policies

Task: Block service usage in all regions except Ireland (eu-west-1)

In the AWS console, go to AWS Organizations and create a new Service Control Policy (SCP).

Check the AWS Organizations documentation to get started. Make sure to exclude the Control Tower IAM roles from the deny statement!

Note: Control Tower is planning to support this natively in future (roadmap item).

Solution:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideIreland",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "acm:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "awsbillingconsole:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "config:*",
                "cur:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "fms:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "kms:*",
                "mobileanalytics:*",
                "networkmanager:*",
                "organizations:*",
                "pricing:*",
                "route53:*",
                "route53domains:*",
                "s3:GetAccountPublic*",
                "s3:ListAllMyBuckets",
                "s3:ListBuckets",
                "s3:PutAccountPublic*",
                "shield:*",
                "sts:*",
                "support:*",
                "trustedadvisor:*",
                "waf-regional:*",
                "waf:*",
                "wafv2:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/AWSControlTowerAdmin",
                        "arn:aws:iam::*:role/AWSControlTowerCloudTrailRole",
                        "arn:aws:iam::*:role/AWSControlTowerStackSetRole",
                        "arn:aws:iam::*:role/*ControlTower*",
                        "arn:aws:iam::*:role/*controltower*"
                    ]
                }
            }
        }
    ]
}
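
Before attaching the SCP it helps to reason through which calls it will actually block. The following evaluator is an added example (not AWS code and not part of this workshop) that models just the three mechanisms the solution relies on: Deny with NotAction, StringNotEquals on aws:RequestedRegion, and ArnNotLike on aws:PrincipalARN. The embedded policy is an abridged copy of the solution with a shortened NotAction list, and the role ARNs in the usage are constructed.

```python
"""Offline sanity check for the region-deny SCP (added example, not AWS code).
Models only what the statement uses: Deny + NotAction, StringNotEquals on
aws:RequestedRegion, ArnNotLike on aws:PrincipalARN. It is not a full IAM
evaluation (no other statements, no implicit deny), just a logic check."""
import fnmatch
import json

# Abridged copy of the solution policy, constructed for this example:
# the NotAction list is cut down so the block stays short.
REGION_DENY_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllOutsideIreland", "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*",
                  "ec2:DescribeRegions", "s3:ListAllMyBuckets"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]},
      "ArnNotLike": {"aws:PrincipalARN": [
        "arn:aws:iam::*:role/AWSControlTowerAdmin",
        "arn:aws:iam::*:role/*ControlTower*",
        "arn:aws:iam::*:role/*controltower*"]}}}]}""")

def _matches_any(value, patterns):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_denies(stmt, action, region, principal_arn):
    """True if this Deny statement matches the request (every part must hold)."""
    if stmt["Effect"] != "Deny":
        return False
    # NotAction: the deny covers every action NOT listed. IAM compares
    # action names case-insensitively, so fold both sides.
    if _matches_any(action.lower(), [p.lower() for p in stmt["NotAction"]]):
        return False
    cond = stmt["Condition"]
    # StringNotEquals: only requests outside the listed regions qualify.
    if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
        return False
    # ArnNotLike is case-sensitive, which is why the solution lists both
    # "*ControlTower*" and "*controltower*" as exemptions.
    if _matches_any(principal_arn, cond["ArnNotLike"]["aws:PrincipalARN"]):
        return False
    return True

def scp_denies(policy, action, region, principal_arn):
    """True if any statement in the SCP denies the request."""
    return any(statement_denies(s, action, region, principal_arn)
               for s in policy["Statement"])
```

For the real policy, swap in the full JSON from the solution via `json.load` and run the same calls; the AWS IAM policy simulator remains the authoritative check once the SCP is attached.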

Attach it to a single test account or OU first to verify the behaviour.

To clean up, simply detach the SCP again from your OU/accounts!