Region Restriction

Policy Description

What this SCP does

This Service Control Policy (SCP) denies all operations outside of specified AWS regions, helping enforce geographic data boundaries and regulatory compliance. This is essential for organizations with data residency requirements.

The policy allows operations only in us-east-1 (N. Virginia) and eu-west-1 (Ireland), while denying access to all other AWS regions. This helps organizations maintain control over where their data is stored and processed.

Validation Strategy

How to test this SCP works

To validate this SCP, attempt to perform AWS operations in both allowed and disallowed regions.

Valid test: Create an EC2 instance in us-east-1 (should succeed)
Valid test: Create an S3 bucket in eu-west-1 (should succeed)
Invalid test: Try to launch an EC2 instance in ap-southeast-1 (should be denied)
Invalid test: Attempt to create an RDS database in us-west-2 (should be denied)

This testing approach verifies that operations are only allowed in the specified regions (us-east-1 and eu-west-1) while being denied in all other regions.

SCP Policy & Validation Scenarios

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

# Try an operation in an allowed region (this should succeed)
aws ec2 describe-instances --region us-east-1

# Try an operation in a disallowed region (this should be denied)
aws ec2 describe-instances --region eu-west-2

# Try to create an S3 bucket in a disallowed region
aws s3api create-bucket \
    --bucket test-scp-region-bucket-$(date +%s) \
    --region eu-west-2 \
    --create-bucket-configuration LocationConstraint=eu-west-2

import boto3
import time

# Try an operation in an allowed region
allowed_region = 'us-east-1'
try:
  ec2_client = boto3.client('ec2', region_name=allowed_region)
  response = ec2_client.describe_instances()
  print(f"Successfully performed operation in allowed region {allowed_region}")
except Exception as e:
  print(f"Unexpected error in allowed region: {e}")

# Try an operation in a disallowed region (this should be denied)
disallowed_region = 'eu-west-2'
try:
  ec2_client = boto3.client('ec2', region_name=disallowed_region)
  response = ec2_client.describe_instances()
  print(f"WARNING: Successfully performed operation in disallowed region {disallowed_region}")
  print("This means the SCP is NOT restricting as expected")
except Exception as e:
  print(f"Expected error in disallowed region if SCP is working: {e}")

# Try to create an S3 bucket in a disallowed region
try:
  bucket_name = f"test-scp-region-bucket-{int(time.time())}"
  s3_client = boto3.client('s3', region_name=disallowed_region)
  
  # Note: For regions other than us-east-1, you need LocationConstraint
  response = s3_client.create_bucket(
    Bucket=bucket_name,
    CreateBucketConfiguration={'LocationConstraint': disallowed_region}
  )
  print(f"WARNING: Successfully created bucket {bucket_name} in disallowed region {disallowed_region}")
  print("This means the SCP is NOT restricting as expected")
  
  # Clean up the test bucket if created
  s3_client.delete_bucket(Bucket=bucket_name)
except Exception as e:
  print(f"Expected error for bucket creation in disallowed region if SCP is working: {e}")