Specifying which AWS Regions your account can use - AWS Account Management

AWS originally enabled all new AWS Regions by default, which allowed your users to create resources in any Region. Now, when AWS adds a Region, the new Region is disabled by default. If you want your users to be able to create resources in a new Region, you must enable the Region.

Important

AWS recommends that you use regional AWS Security Token Service (AWS STS) endpoints instead of the global endpoint to reduce latency. Session tokens from regional AWS STS endpoints are valid in all AWS Regions. If you use regional AWS STS endpoints, you don't need to make any changes.

However, session tokens from the global AWS STS endpoint (https://sts.amazonaws.com) are valid only in AWS Regions that you enable, or that are enabled by default. If you intend to enable a new Region for your account, you can either use session tokens from regional AWS STS endpoints or activate the global AWS STS endpoint to issue session tokens that are valid in all AWS Regions. Session tokens that are valid in all Regions are larger. If you store session tokens, these larger tokens might affect your systems.

For more information about how AWS STS endpoints work with AWS Regions, see Managing AWS STS in an AWS Region.

Considerations about enabling and disabling AWS Regions

  • You can use IAM permissions to control access to Regions

    AWS Identity and Access Management (IAM) includes three permissions that let you control which users can enable, disable, and list Regions. For more information, see Billing and Cost Management actions policies in the AWS Billing and Cost Management User Guide.

  • Enabling a Region is free

    There is no charge to enable a Region. You're charged only for resources that you create in the new Region.

  • Disabling a Region disables access to resources in the Region

    If you disable a Region that still contains AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, you lose access to the resources in that Region. For example, you can't use the AWS Management Console or any programmatic method to view or change the configuration of any EC2 instances in a disabled Region.

  • Charges for active resources continue if you disable a Region

    If you disable a Region that still contains AWS resources, charges for those resources (if any) continue to accrue at the standard rate. For example, if you disable a Region that contains Amazon EC2 instances, you still have to pay the charges for those instances even though the instances are inaccessible.

  • Disabling a Region isn't always immediately visible

    If you disable a Region, the change takes time to become visible in all possible endpoints. Disabling a Region can take from a few seconds to minutes to take effect.

  • Original Regions are enabled by default

    The original AWS Regions (the Regions that existed before we added the ability to enable and disable Regions) are all enabled by default and can't be disabled. For more information, see Managing AWS Regions in the AWS General Reference.

  • Enabling a Region takes a few minutes for most accounts

    Enabling a Region generally takes effect in a few minutes, although it can take longer for some accounts. If enabling a Region takes longer than nine hours, sign in to the AWS Support Center and open a case with AWS Support.

Use the following procedure to enable or disable the AWS Regions for the users in an AWS account.

AWS Management Console

To modify which AWS Regions can be accessed by the AWS account

Minimum permissions

To perform the steps in the following procedure, an IAM user or role must have the following permissions:

  • aws-portal:ViewAccount (needed to view the account details page)

  • account:ListRegions (needed to view the list of AWS Regions and whether they are currently enabled or disabled)

  • account:EnableRegion

  • account:DisableRegion

  1. Sign in to the AWS Management Console as either the AWS account root user or as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose My Account.

  3. On the Account Settings page, scroll down to the section AWS Regions.

    Note

    You might be prompted to approve your access to this information. AWS sends a request to the email address associated with the account and to the primary contact phone number. Choose the link in the request to open it in your browser, and approve the access.

  4. Next to each AWS Region with an option in the Action column, choose either Enable or Disable, depending on whether you want the users in your account to be able to create and access resources in that Region.

  5. If prompted, confirm your choice.

  6. After you have made all of your changes, choose Update.
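As an added example (not AWS code and not part of the original page), this Python check flags IAM policy documents whose Allow statements grant the account:EnableRegion or account:DisableRegion permissions from the minimum-permissions list, including grants made through wildcards or NotAction. The policy names and documents are constructed samples; Deny statements, conditions, SCPs and permissions boundaries are not evaluated, so a hit means "review this policy".

```python
from fnmatch import fnmatchcase

# Region-management permissions from the "Minimum permissions" list above.
REGION_ACTIONS = ("account:EnableRegion", "account:DisableRegion")

def _as_list(value):
    """Action/NotAction may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(patterns, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def region_grants(policy):
    """Region actions granted by Allow statements (Action/NotAction only;
    Deny, Condition, SCPs and permissions boundaries are not evaluated)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in REGION_ACTIONS:
            if "NotAction" in stmt:
                # Allow + NotAction grants everything except what is listed.
                if not _matches(_as_list(stmt["NotAction"]), action):
                    granted.add(action)
            elif _matches(_as_list(stmt.get("Action")), action):
                granted.add(action)
    return sorted(granted)

def audit(policies):
    """Map policy name -> region actions granted, omitting policies with none."""
    hits = {name: region_grants(doc) for name, doc in policies.items()}
    return {name: acts for name, acts in hits.items() if acts}

# Constructed sample policies (not taken from any real account).
SAMPLE_POLICIES = {
    "region-viewer": {"Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["aws-portal:ViewAccount", "account:ListRegions"]}]},
    "region-admin": {"Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["account:ListRegions", "account:EnableRegion",
                   "account:DisableRegion"]}]},
    "wildcard": {"Statement": {"Effect": "Allow", "Resource": "*",
        "Action": "Account:*Region"}},
    "not-action": {"Statement": [{"Effect": "Allow", "Resource": "*",
        "NotAction": ["iam:*", "account:DisableRegion"]}]},
}
```

Calling `audit(SAMPLE_POLICIES)` omits `region-viewer`, which can only list Regions, and reports the other three policies with the Region actions each one grants.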

AWS CLI & SDKs

This task isn't supported in the AWS CLI or by an API operation from one of the AWS SDKs. You can perform this task only by using the AWS Management Console.