SCP should restrict region enablement

iam
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

A Service Control Policy (SCP) should deny the account:EnableRegion and account:DisableRegion actions to prevent unauthorized changes to the set of enabled AWS regions. Restricting region enablement ensures that workloads are only deployed in approved regions, supporting data residency and compliance requirements.

This rule also flags SCPs that use NotAction to exempt region management actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies account:EnableRegion and account:DisableRegion using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt account actions. Refer to the SCP syntax documentation for guidance.