AWS: Denies access to AWS based on the requested Region
This example shows how you might create an identity-based policy that denies access to any actions outside the Regions specified using the
aws:RequestedRegion
condition key, except for actions in the services specified using
NotAction
. This policy defines permissions for programmatic and console access. To use this policy, replace the italicized placeholder text
in the example policy with your own information.
Then, follow the directions in create a policy or edit a policy.
This policy uses the NotAction
element with the Deny
effect,
which explicitly denies access to all of the actions not
listed in the statement. Actions in the CloudFront, IAM, RouteĀ 53, and AWS Support services should not be
denied because these are popular AWS global services with a single endpoint that is
physically located in the us-east-1
Region. Because all requests to these
services are made to the us-east-1
Region, the requests would be denied without
the NotAction
element. Edit this element to include actions for other AWS
global services that you use, such as budgets
, globalaccelerator
,
importexport
, organizations
, or waf
.
Some other global
services, such as AWS Chatbot and AWS Device Farm, are global services with endpoints that are
physically located in the us-west-2
region. To learn about all of the services
that have a single global endpoint, see AWS Regions and
Endpoints in the AWS General Reference. For more
information about using the NotAction
element with the Deny
effect, see IAM JSON policy elements:
NotAction.
Important
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllOutsideRequestedRegions", "Effect": "Deny", "NotAction": [
"cloudfront:*", "iam:*", "route53:*", "support:*"
], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3"
] } } } ] }