Specifying which AWS Regions your account can use
AWS originally enabled all new AWS Regions by default, which enabled your users to create resources in any Region. Now, when AWS adds a Region, the new Region is disabled by default. If you want your users to be able to create resources in a new Region, you enable the Region.
AWS recommends that you use regional AWS Security Token Service (AWS STS) endpoints instead of the global endpoint to reduce latency. Session tokens from regional AWS STS endpoints are valid in all AWS Regions. If you use regional AWS STS endpoints, you don't need to make any changes.
However, session tokens from the global AWS STS endpoint (https://sts.amazonaws.com) are valid only in AWS Regions that you enable, or that are enabled by default. If you intend to enable a new Region for your account, you can either use session tokens from regional AWS STS endpoints or activate the global AWS STS endpoint to issue session tokens that are valid in all AWS Regions. Session tokens that are valid in all Regions are larger. If you store session tokens, these larger tokens might affect your systems.
For more information about how AWS STS endpoints work with AWS Regions, see Managing AWS STS in an AWS Region.
Considerations about enabling and disabling AWS Regions
- You can use IAM permissions to control access to Regions
  AWS Identity and Access Management (IAM) includes three permissions that let you control which users can enable, disable, and list Regions. For more information, see Billing and Cost Management actions policies in the AWS Billing and Cost Management User Guide.
- Enabling a Region is free
  There is no charge to enable a Region. You're charged only for resources that you create in the new Region.
- Disabling a Region disables access to resources in the Region
  If you disable a Region that still contains AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, you lose access to the resources in that Region. For example, you can't use the AWS Management Console or any programmatic method to view or change the configuration of any EC2 instances in a disabled Region.
- Charges for active resources continue if you disable a Region
  If you disable a Region that still contains AWS resources, charges for those resources (if any) continue to accrue at the standard rate. For example, if you disable a Region that contains Amazon EC2 instances, you still have to pay the charges for those instances even though the instances are inaccessible.
- Disabling a Region isn't always immediately visible
  If you disable a Region, the change takes time to become visible in all possible endpoints. Disabling a Region can take from a few seconds to minutes to take effect.
- Original Regions are enabled by default
  The original AWS Regions (the Regions that existed before we added the ability to enable and disable Regions) are all enabled by default and can't be disabled. For more information, see Managing AWS Regions in the AWS General Reference.
- Enabling a Region takes a few minutes for most accounts
  Enabling a Region generally takes effect in a few minutes, although it can take longer for some accounts. If enabling a Region takes longer than nine hours, sign in to the AWS Support Center and open a case with AWS Support.
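One way to apply the IAM permissions mentioned in the considerations above, as an added example that is not part of the original AWS page: an identity-based policy that lets a principal list Regions but enable or disable only one approved Region. The action names (account:ListRegions, account:EnableRegion, account:DisableRegion) and the account:TargetRegion condition key are not named on this page, and me-south-1 is a placeholder Region chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingRegions",
      "Effect": "Allow",
      "Action": "account:ListRegions",
      "Resource": "*"
    },
    {
      "Sid": "AllowTogglingApprovedRegionOnly",
      "Effect": "Allow",
      "Action": [
        "account:EnableRegion",
        "account:DisableRegion"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "account:TargetRegion": "me-south-1"
        }
      }
    },
    {
      "Sid": "DenyTogglingAnyOtherRegion",
      "Effect": "Deny",
      "Action": [
        "account:EnableRegion",
        "account:DisableRegion"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "account:TargetRegion": "me-south-1"
        }
      }
    }
  ]
}
```

The explicit Deny statement keeps the restriction in force even if another attached policy grants the same actions more broadly, because an explicit Deny overrides any Allow in IAM policy evaluation.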
Use the following procedure to enable or disable the AWS Regions for the users in an AWS account.