Specifying which AWS Regions your account can use

Important

The following AWS Identity and Access Management (IAM) actions will reach the end of standard support on July 2023: aws-portal:ModifyAccount and aws-portal:ViewAccount. See the Using fine-grained AWS Billing actions to replace these actions with fine-grained actions so you have access to AWS Billing, AWS Cost Management, and AWS accounts consoles.

If you created your AWS account or AWS Organizations Management account before March 6, 2023, the fine-grained actions will be effective starting July 2023. We recommend you to add the fine-grained actions, but not remove your existing permissions with aws-portal or purchase-orders prefixes.

If you created your AWS account or AWS Organizations Management account on or after March 6, 2023, the fine-grained actions are effective immediately.

AWS originally enabled all new AWS Regions by default, which enabled your users to create resources in any Region. Now, when AWS adds a Region, the new Region is disabled by default. If you want your users to be able to create resources in a new Region, you enable the Region.

Important

AWS recommends that you use regional AWS Security Token Service (AWS STS) endpoints instead of the global endpoint to reduce latency. Session tokens from regional AWS STS endpoints are valid in all AWS Regions. If you use regional AWS STS endpoints, you don't need to make any changes.

However, session tokens from the global AWS STS endpoint (https://sts.amazonaws.com) are valid only in AWS Regions that you enable, or that are enabled by default. If you intend to enable a new Region for your account, you can either use session tokens from regional AWS STS endpoints or activate the global AWS STS endpoint to issue session tokens that are valid in all AWS Regions. Session tokens that are valid in all Regions are larger. If you store session tokens, these larger tokens might affect your systems.

For more information about how AWS STS endpoints work with AWS Regions, see Managing AWS STS in an AWS Region.

Considerations about enabling and disabling AWS Regions

• You can use IAM permissions to control access to Regions

  AWS Identity and Access Management (IAM) includes four permissions that let you control which users can enable, disable, get, and list Regions. For more information, see Billing and Cost Management actions policies in the AWS Billing and Cost Management User Guide.

• Enabling a Region is free

  There is no charge to enable a Region. You're charged only for resources that you create in the new Region.

• Disabling a Region disables access to resources in the Region

  If you disable a Region that still contains AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, you lose access to the resources in that Region. For example, you can't use the AWS Management Console or any programmatic method to view or change the configuration of any EC2 instances in a disabled Region.

• Charges for active resources continue if you disable a Region

  If you disable a Region that still contains AWS resources, charges for those resources (if any) continue to accrue at the standard rate. For example, if you disable a Region that contains Amazon EC2 instances, you still have to pay the charges for those instances even though the instances are inaccessible.

• Disabling a Region isn't always immediately visible

  Services and consoles might be temporarily visible after disabling a region. Disabling a Region can takes a few minutes to several hours to take effect.

• Original Regions are enabled by default

  Regions introduced prior to March 20, 2019 are all enabled by default and can’t be disabled. For more information, see Managing AWS Regions in the AWS General Reference.

• Enabling a Region takes a few minutes to several hours in some cases

  Depending on several factors, such as the size of your organization, enabling a region can take up to several hours.

• Organizations can have 20 region-opt requests open at a given time across an AWS organization

  The management account can at any point in time have 20 open requests pending completion for its organization. One request is equal to either an enable or disable of one particular region for one account.

• A single account can have 6 region-opt requests in progress at any given time

  One request is equal to either an enable or disable of one particular region for one account.

• Amazon EventBridge integration

  Customers can subscribe to region-opt status update notifications in EventBridge. An EventBridge notification will be created for each status change, allowing customers to automate work flows.

• Expressive Region-opt status

  Due to the asynchronous nature of enabling/disabling an opt-in region, there are four potential statuses for a region-opt request:

  • ENABLING

  • DISABLING

  • ENABLED

  • DISABLED

  You cannot cancel an opt-in or opt-out when it is in either ENABLING or DISABLING status. Otherwise, a ConflictException will be thrown. A completed (Enabled/Disabled) region-opt request is dependent on the provisioning of key underlying AWS services. There might be some AWS services that will not be immediately usable despite the status being ENABLED.

• Full integration with AWS Organizations

  A management account can modify or read region-opt for any member account of that AWS organization. A member account is able to read/write their region state as well.

Enable or disable a Region for standalone accounts

To update which Regions your AWS account has access to, perform the steps in the following procedure. The AWS Management Console procedure below always works only in the standalone context. You can use the AWS Management Console to view or update only the available Regions in the account you used to call the operation.

AWS Management Console

To enable or disable a Region for a standalone AWS account

Minimum permissions

To perform the steps in the following procedure, an IAM user or role must have the following permissions:

• aws-portal:ViewAccount (needed to view the account details page)

• account:ListRegions (needed to view the list of AWS Regions and whether they are currently enabled or disabled).

• account:EnableRegion

• account:DisableRegion

1. Sign in to the AWS Management Console as either the AWS account root user or as an IAM user or role that has the minimum permissions.

2. Choose your account name on the top right of the window, and then choose My Account.

3. On the Account Settings page, scroll down to the section AWS Regions.

   Note

   You might be prompted to approve your access to this information. AWS sends a request to the email address associated with the account and to the primary contact phone number. Choose the link in the request to open it in your browser, and approve the access.

4. Next to each AWS Region with an option in the Action column, choose either Enable or Disable, depending on whether you want the users in your account to be able to create and access resources in that Region.

5. If prompted, confirm your choice.

6. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can enable, disable, read and list region opt status by using the following AWS CLI commands or their AWS SDK equivalent operations:

• EnableRegion

• DisableRegion

• GetRegionOptStatus

• ListRegions

Minimum permissions

To perform the following steps, you must have the permission that maps to that operation:

• account:EnableRegion

• account:DisableRegion

• account:GetRegionOptStatus

• account:ListRegions

If you use these individual permissions, you can grant some users the ability to only read region opt information, and grant others the ability to both read and write.

The following example enables a region for the specified member account in an organization. The credentials used must be from either the organization’s management account, or from the Account Management’s delegated admin account.

Note that you can also disable a region using the same command and then replacing enable-region with disable-region.

aws account enable-region --region-name af-south-1

This command produces no output if it's successful.

The operation is asynchronous. The following command will allow you to see the latest status of the request.

aws account get-region-opt-status --region-name af-south-1
  {
    "RegionName": "af-south-1",
    "RegionOptStatus": "ENABLING"
  }

Enable or disable a Region in your organization

To update the enabled Regions for member accounts of your AWS Organizations, perform the steps in the following procedure.

Note

Before you can perform these operations from the management account or a delegated admin account in an organization for use with member accounts, you must:

• Enable all features in your organization to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features, see Enabling all features in your organization.

• Enable trusted access for the AWS Account Management service. To set this up, see Enabling trusted access for AWS Account Management.

Note

The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess or AWSOrganizationsFullAccess are updated to provide permission to access the AWS Account Management APIs so you can access account data from the AWS Organizations console. To view the updated managed policies, see Updates to Organizations AWS managed policies.

AWS Management Console

To enable or disable a Region in your organization

1. Sign in to the AWS Organizations console with your organization's management account credentials.

2. On the AWS accounts page, select the account that you want to update.

3. Choose the Account settings tab.

4. Under Regions, select the Region you want to enable or disable.

5. Choose Actions, and then choose either Enable or Disable option.

6. If you chose the Enable option, review the displayed text and then choose Enable region.

7. If you chose the Disable option, review the displayed text, type disable to confirm, and then choose Disable region.

AWS CLI & SDKs

You can enable, disable, read and list region opt status for organization member accounts by using the following AWS CLI commands or their AWS SDK equivalent operations:

• EnableRegion

• DisableRegion

• GetRegionOptStatus

• ListRegions

Minimum permissions

To perform the following steps, you must have the permission that maps to that operation:

• account:EnableRegion

• account:DisableRegion

• account:GetRegionOptStatus

• account:ListRegions

If you use these individual permissions, you can grant some users the ability to only read region opt information, and grant others the ability to both read and write.

The following example enables a region for the specified member account in an organization. The credentials used must be from either the organization’s management account, or from the Account Management’s delegated admin account.

Note that you can also disable a region using the same command and then replacing enable-region with disable-region.

aws account enable-region --account-id 123456789012 --region-name af-south-1 

This command produces no output if it's successful.

Note

An organization can only have up to 20 region requests at a given time. Otherwise, you will receive a TooManyRequestsException.

The operation is asynchronous. The following command will allow you to see the latest status of the request.

aws account get-region-opt-status --account-id 123456789012 --region-name af-south-1
  {
    "RegionName": "af-south-1",
    "RegionOptStatus": "ENABLING"
  }