VIEW RULE IN DATADOG VIEW MISCONFIGURATIONS

Description

A Service Control Policy (SCP) should deny the account:EnableRegion and account:DisableRegion actions to prevent unauthorized changes to the set of enabled AWS regions. Restricting region enablement ensures that workloads are only deployed in approved regions, supporting data residency and compliance requirements.

This rule also flags SCPs that use NotAction to exempt region management actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies account:EnableRegion and account:DisableRegion using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt account actions. Refer to the SCP syntax documentation for guidance.