Configure the Region deny control - AWS Control Tower

Configure the Region deny control

AWS Control Tower offers two Region deny controls. One control, GRREGIONDENY, when activated, applies to the entire landing zone. Another control, CTMULTISERVICEPV1, when activated, can apply to specific OUs that you specify. For more information see Deny access to AWS based on the requested AWS Region and Region deny control applied to the OU.

Considerations about the Region deny control for the landing zone

The Region deny control, GRREGIONDENY is unique, because it applies to the landing zone as a whole, rather than to any specific OU. To configure the Region deny control, go to the Landing zone settings page and select Modify settings.

  • This setting can be changed at a later time.

  • When enabled, this control applies to all registered OUs.

  • This control cannot be configured for individual OUs.

Note

Before you enable the Region deny control, be sure that you do not have existing resources in these Regions, because you will not have access to your resources after you apply the control. While the control is enabled, you will not be able to deploy resources in the denied Regions.

When you enable the control, it applies to all registered, top-level OUs in your hierarchy, and it is inherited by OUs lower in the chain. When you remove the control, it is removed on all registered OUs, all non-governed Regions in AWS Control Tower remain in a Not governed status, and you can deploy resources in Regions outside of AWS Control Tower availability.

Exceptions

You cannot deny access to your home Region. Certain global AWS services, such as IAM and AWS Organizations, are exempt from the Region deny control. To learn more, see Deny access to AWS based on the requested AWS Region.

  • Full control name: Deny access to AWS based on the requested AWS Region

  • Control description: Disallows access to unlisted operations in global and regional services outside of the specified Regions.

  • This is an elective control with preventive guidance.

To view the template for the Region deny control SCP, see Deny access to AWS based on the requested AWS Region in the AWS Control Tower Control reference. The AWS Control Tower SCP is similar to the SCP for AWS Organizations, but not identical.

You can determine Regional service endpoints on the Regional services page.