Defining Boundaries for Regional Services Access
As a customer, you maintain ownership of your content, and you select which AWS services can process, store, and host your content. You can choose to store your customer data in any one or more of our European Regions, including EU Regions in France, Germany, Ireland, Italy, Spain, and Sweden. You can also choose to store your customer data in our Regions in Switzerland and in the United Kingdom. Both Switzerland and the United Kingdom have current adequacy decisions under GDPR for the transfer of personal data. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. AWS prohibits - and our systems are designed to prevent - remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law.
IAM policies provide a simple mechanism to limit access to services in specific Regions.
You can add a global condition key (aws:RequestedRegion) to the IAM policies attached to your IAM principals to enforce this for all AWS services. For example, the following policy uses the NotAction element with the Deny effect, which explicitly denies access to all of the actions not listed in the statement if the requested Region is not European. Actions in the CloudFront, IAM, Amazon Route 53
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideRequestedRegions",
            "Effect": "Deny",
            "NotAction": [
                "cloudfront:*",
                "iam:*",
                "route53:*",
                "support:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestedRegion": [
                        "eu-*"
                    ]
                }
            }
        }
    ]
}
This sample IAM policy can also be implemented as a Service Control Policy (SCP) in AWS Organizations, which defines the permission boundaries applied to specific AWS accounts or Organizational Units (OUs) within an organization. This enables you to control user access to regional services in complex multi-account environments.
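To see which requests the statement above actually denies before attaching it, the following added example (not from the whitepaper or from any AWS library) evaluates the policy offline against sample request contexts. It implements only the pieces this statement needs (Deny, Action/NotAction, StringLike/StringNotLike on one key) and does not model Allow statements, so a result of "not denied" still requires an Allow elsewhere; the sample actions and Regions in the test are constructed.

```python
import fnmatch

# The Region-deny statement from the text, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideRequestedRegions",
        "Effect": "Deny",
        "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:RequestedRegion": ["eu-*"]}},
    }],
}


def _matches_any(value, patterns):
    # IAM action names are case-insensitive; only the '*' and '?' wildcards are used here.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate StringLike / StringNotLike only (the operators this policy needs)."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            if operator == "StringLike":
                if value is None or not _matches_any(value, patterns):
                    return False
            elif operator == "StringNotLike":
                # Negated operators hold when the key is absent from the request context,
                # so a request with no Region in its context is still caught by the Deny.
                if value is not None and _matches_any(value, patterns):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement in `policy` matches `action` under the request `context`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches_any(action, stmt["Action"])
        else:  # NotAction: the statement applies to every action NOT listed
            action_hit = not _matches_any(action, stmt["NotAction"])
        if action_hit and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Note that the excluded global services (for example IAM) report the Region of their single endpoint rather than the Region you are working in, which is why they sit in NotAction instead of relying on the eu-* match.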
Geo-limiting capabilities exist for newly launched Regions. Regions introduced after March 20, 2019 are disabled by default, and you must enable them before you can use them. If an AWS Region is disabled by default, you can use the AWS Management Console to enable and disable the Region. Enabling and disabling AWS Regions lets you control whether users in your AWS account can access resources in that Region. For more information, see Managing AWS Regions.
Using AWS Control Tower, you can configure the Region deny control, an elective control with preventive guidance, to apply Region restrictions to all registered OUs in the organization.