SCP should restrict region enablement

Description

A Service Control Policy (SCP) should deny the account:EnableRegion and account:DisableRegion actions to prevent unauthorized changes to the set of enabled AWS regions. Restricting region enablement ensures that workloads are only deployed in approved regions, supporting data residency and compliance requirements.

This rule also flags SCPs that use NotAction to exempt region management actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies account:EnableRegion and account:DisableRegion using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt account actions. Refer to the SCP syntax documentation for guidance.
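As an added example (not code from the original rule page), the following Python check evaluates an SCP document the way this rule describes: it passes only when both account:EnableRegion and account:DisableRegion are denied through Action, and it flags any Deny statement that exempts them through NotAction. The two sample policies are constructed for illustration.

```python
"""Evaluate an SCP document for the region-enablement deny this rule expects."""
import fnmatch

REGION_ACTIONS = ("account:EnableRegion", "account:DisableRegion")


def _as_list(value):
    # Policy elements (Statement, Action, NotAction) may be a single
    # string/object or a list; normalise them to a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, pattern):
    # IAM action names are case-insensitive and may use '*' wildcards,
    # e.g. "account:*" covers both region actions.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_scp(policy):
    """Return which region actions are explicitly denied via Action, whether
    a Deny statement exempts them via NotAction, and the overall verdict."""
    denied = set()
    notaction_gap = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        for pattern in _as_list(stmt.get("Action")):
            denied.update(a for a in REGION_ACTIONS if _matches(a, pattern))
        # A Deny built on NotAction leaves the listed actions unrestricted by
        # that statement; this is the exemption pattern the rule flags.
        if any(_matches(a, p) for p in _as_list(stmt.get("NotAction"))
               for a in REGION_ACTIONS):
            notaction_gap = True
    compliant = denied == set(REGION_ACTIONS) and not notaction_gap
    return {"denied": denied, "notaction_gap": notaction_gap, "compliant": compliant}


# Constructed sample: the remediation shape (explicit Action deny).
COMPLIANT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyRegionEnablement", "Effect": "Deny",
                   "Action": ["account:EnableRegion", "account:DisableRegion"],
                   "Resource": "*"}],
}

# Constructed sample: a NotAction deny that exempts all account:* actions.
NONCOMPLIANT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllButAccount", "Effect": "Deny",
                   "NotAction": ["account:*"], "Resource": "*"}],
}
```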