Example SCP: Deny access to AWS in unsupported regions
Service Control Policy example that restricts the use of AWS services in unsupported AWS Regions.
Service Control Policy example: Deny access to AWS services in unsupported AWS Regions
This SCP restricts the use of AWS services in unsupported AWS Regions. This is very useful if you only deploy to a single AWS region. By revoking access to other AWS regions you'll effectively limit the blast radius in the event of a security breach.
As you can see in the example below, if the region of the AWS API call (the aws:RequestedRegion condition key) is not eu-west-1, the statement denies all actions on all resources except for the AWS services listed in the NotAction element.
If you look closer at the NotAction element, the services listed there are global services that are hosted in the us-east-1 region by default. Be aware that blocking the services that are exempted in this element might cause issues in your active region. Also note that the exemptions apply in every region, not only in us-east-1: an action that matches a NotAction entry is never denied by this SCP, whichever region it targets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1"]
        }
      },
      "Resource": "*",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "chime:*",
        "cloudfront:*",
        "config:*",
        "cur:*",
        "directconnect:*",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnGateways",
        "fms:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "importexport:*",
        "kms:*",
        "mobileanalytics:*",
        "networkmanager:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf-regional:*",
        "waf:*",
        "wafv2:*",
        "wellarchitected:*"
      ],
      "Sid": "DenyUnsupportedRegions"
    }
  ]
}
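To check what this policy actually does before attaching it to an OU, it helps to walk a few API calls through its evaluation logic. The script below is an added example, not code from the original post or from AWS: it transcribes the SCP above into a Python dict and re-implements only the policy semantics the statement relies on (an explicit Deny, a StringNotEquals condition on aws:RequestedRegion, and a NotAction list with case-insensitive wildcards). The sample API calls are constructed for the demonstration; the helper names (scp_denies, action_matches) are the example's own.

```python
"""Simulate how the DenyUnsupportedRegions SCP evaluates an API call.

Added example (not from the original post). It implements just enough of the
IAM policy language for this SCP: Effect=Deny, a StringNotEquals condition on
aws:RequestedRegion, and a NotAction exemption list. Resource is "*" here, so
resource matching is treated as always true.
"""
import fnmatch

# The SCP from the post, transcribed as a Python dict so the script runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnsupportedRegions",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}},
        "NotAction": [
            "a4b:*", "acm:*", "aws-marketplace-management:*", "aws-marketplace:*",
            "aws-portal:*", "budgets:*", "ce:*", "chime:*", "cloudfront:*", "config:*",
            "cur:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways",
            "ec2:DescribeVpnGateways", "fms:*", "globalaccelerator:*", "health:*", "iam:*",
            "importexport:*", "kms:*", "mobileanalytics:*", "networkmanager:*",
            "organizations:*", "pricing:*", "route53:*", "route53domains:*",
            "s3:GetAccountPublic*", "s3:ListAllMyBuckets", "s3:PutAccountPublic*",
            "shield:*", "sts:*", "support:*", "trustedadvisor:*", "waf-regional:*",
            "waf:*", "wafv2:*", "wellarchitected:*",
        ],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most policy elements."""
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action, request):
    """True when the statement's Condition and Action/NotAction filter match the call."""
    # StringNotEquals: the statement applies only when the request value is NOT in the
    # list. If the key is absent from the request, the negated operator still matches.
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if request.get(key) in _as_list(values):
            return False
    if "NotAction" in stmt:  # everything except the listed actions
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))


def scp_denies(action, region, policy=SCP):
    """Return True if any Deny statement in the SCP matches the call.

    An SCP never grants permissions: False only means the SCP does not block the
    call; the principal's IAM policies still have to allow it.
    """
    request = {"aws:RequestedRegion": region}
    return any(stmt.get("Effect") == "Deny" and statement_applies(stmt, action, request)
               for stmt in policy["Statement"])


# Constructed sample API calls (action, region) used to exercise the policy.
SAMPLE_CALLS = [
    ("ec2:RunInstances", "eu-west-1"),               # supported region: not denied
    ("ec2:RunInstances", "us-east-1"),               # regional service elsewhere: denied
    ("iam:CreateUser", "us-east-1"),                 # global service, exempted
    ("ec2:DescribeRegions", "us-east-1"),            # single exempted EC2 action
    ("s3:GetAccountPublicAccessBlock", "us-east-1"), # matched by s3:GetAccountPublic*
    ("s3:CreateBucket", "us-east-1"),                # not exempted: denied
    ("KMS:Decrypt", "eu-central-1"),                 # kms:* is exempted in every region
]

if __name__ == "__main__":
    for action, region in SAMPLE_CALLS:
        verdict = "DENIED by SCP" if scp_denies(action, region) else "not denied by SCP"
        print(f"{action:32s} {region:14s} {verdict}")
```

The last sample call is the one worth noticing: because the exemption is expressed with NotAction, every entry in that list stays reachable from any region, which is exactly what the post's warning about the exempted services means in practice.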
How to create the AWS Service Control Policy
Log in to the AWS console and go to the Service control policies tab under the AWS Organizations service, where you can create the new policy. Note: make sure AWS Organizations is enabled first.
Learn more about AWS Service Control Policies
If you are in a position where you have responsibility for the AWS Cloud infrastructure, then have a look at The complete guide to AWS Service Control Policies.
Originally posted on Towards the Cloud