SCP should restrict region enablement
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
A Service Control Policy (SCP) should deny the account:EnableRegion and account:DisableRegion actions to prevent unauthorized changes to the set of enabled AWS regions. Restricting region enablement ensures that workloads are only deployed in approved regions, supporting data residency and compliance requirements.
This rule also flags SCPs that use NotAction to exempt region management actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.
Create an SCP that explicitly denies account:EnableRegion and account:DisableRegion using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt account actions. Refer to the SCP syntax documentation for guidance.
