AWS: Denies access to AWS based on the requested Region - AWS Identity and Access Management

AWS: Denies access to AWS based on the requested Region

This example shows how you might create an identity-based policy that denies access to any actions outside the Regions specified using the aws:RequestedRegion condition key, except for actions in the services specified using NotAction. This policy defines permissions for programmatic and console access. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

This policy uses the NotAction element with the Deny effect, which explicitly denies access to all of the actions not listed in the statement. Actions in the CloudFront, IAM, RouteĀ 53, and AWS Support services should not be denied because these are popular AWS global services with a single endpoint that is physically located in the us-east-1 Region. Because all requests to these services are made to the us-east-1 Region, the requests would be denied without the NotAction element. Edit this element to include actions for other AWS global services that you use, such as budgets, globalaccelerator, importexport, organizations, or waf. Some other global services, such as AWS Chatbot and AWS Device Farm, are global services with endpoints that are physically located in the us-west-2 region. To learn about all of the services that have a single global endpoint, see AWS Regions and Endpoints in the AWS General Reference. For more information about using the NotAction element with the Deny effect, see IAM JSON policy elements: NotAction.


This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllOutsideRequestedRegions", "Effect": "Deny", "NotAction": [ "cloudfront:*", "iam:*", "route53:*", "support:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3" ] } } } ] }